security-assessment
Execute threat modeling, vulnerability scanning, and security control validation. Use when relevant to the task.
Best use case
security-assessment is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using security-assessment should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/security-assessment/SKILL.md inside your project
- Restart your AI agent; it will auto-discover the skill
SKILL.md Source
# security-assessment
Execute threat modeling, vulnerability scanning, and security control validation.
## Triggers
- "run security review"
- "security assessment"
- "threat model [component]"
- "validate security controls"
- "security scan"
- "check vulnerabilities"
## Purpose
This skill orchestrates a comprehensive security assessment through:
- STRIDE threat modeling
- Vulnerability pattern detection
- Security control validation
- Compliance verification
- Risk scoring and prioritization
## Behavior
When triggered, this skill:
1. **Determines scope**:
- Component-level, system-level, or full assessment
- Identify assets and trust boundaries
- Load existing threat model if available
2. **Executes threat modeling**:
- Dispatch Security Architect for STRIDE analysis
- Enumerate threats per component
- Identify attack vectors
3. **Runs vulnerability patterns**:
- Dispatch Security Auditor for pattern scanning
- Check OWASP Top 10
- Identify secrets exposure risks
- Review dependency vulnerabilities
4. **Validates controls**:
- Dispatch Security Gatekeeper
- Map controls to threats
- Verify implementation
- Check coverage gaps
5. **Assesses privacy**:
- Dispatch Privacy Officer (if PII involved)
- Check data handling
- Verify consent mechanisms
6. **Generates report**:
- Risk-ranked findings
- CVSS scores where applicable
- Remediation guidance
- Compliance status
## STRIDE Threat Categories
| Category | Description | Example |
|----------|-------------|---------|
| **S**poofing | Impersonating something/someone | Fake user credentials |
| **T**ampering | Modifying data or code | SQL injection |
| **R**epudiation | Denying actions | Missing audit logs |
| **I**nformation Disclosure | Exposing information | Data leakage |
| **D**enial of Service | Disrupting availability | Resource exhaustion |
| **E**levation of Privilege | Gaining unauthorized access | Broken access control |
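The enumeration step in the Behavior section ("Enumerate threats per component", "Identify assets and trust boundaries") is usually done as STRIDE-per-element: each kind of data-flow-diagram element gets a fixed subset of the six categories above. The following is an added example, not code from the skill itself. It uses the STRIDE-per-element applicability chart from Microsoft's threat-modeling methodology (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D) over a constructed DFD modelled on the sample report's trust boundaries, and renders the per-component table in the shape of the report's STRIDE Analysis section. `Element`, `Flow`, `Threat` and the sample names are this example's own.

```python
"""STRIDE-per-element enumeration over a small data-flow diagram (DFD).

Added example, not code from the skill itself. The constructed DFD mirrors
the sample report's trust boundaries (External -> API Gateway -> Internal
Services -> Database); the element and flow names are sample data.
"""
from collections import Counter
from dataclasses import dataclass

STRIDE = "STRIDE"

# STRIDE categories that apply to each DFD element type
# (Microsoft SDL STRIDE-per-element chart).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "external_entity", "process" or "data_store"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    crosses_boundary: bool  # True when the flow crosses a trust boundary


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    description: str


def enumerate_threats(elements, flows):
    """Return one Threat per (element, applicable STRIDE category).

    Data flows are enumerated only when they cross a trust boundary; a flow
    that stays inside one boundary is implicitly trusted and out of scope.
    """
    threats = []
    for el in elements:
        if el.kind not in ("external_entity", "process", "data_store"):
            raise ValueError(f"unknown DFD element kind: {el.kind}")
        for cat in APPLICABLE[el.kind]:
            threats.append(Threat(
                el.name, cat, f"{CATEGORY_NAMES[cat]} against {el.kind} '{el.name}'"))
    for fl in flows:
        if not fl.crosses_boundary:
            continue
        target = f"{fl.src} -> {fl.dst}"
        for cat in APPLICABLE["data_flow"]:
            threats.append(Threat(
                target, cat, f"{CATEGORY_NAMES[cat]} on boundary-crossing flow {target}"))
    return threats


def stride_matrix(threats):
    """Per-target counts in the shape of the report's STRIDE Analysis table."""
    rows = {}
    for th in threats:
        rows.setdefault(th.target, Counter())[th.category] += 1
    return {target: {**{c: row[c] for c in STRIDE}, "Total": sum(row.values())}
            for target, row in rows.items()}


def render_matrix(matrix):
    """Render the matrix as the markdown table used in the report format."""
    lines = ["| Component | S | T | R | I | D | E | Total |",
             "|-----------|---|---|---|---|---|---|-------|"]
    for target, row in matrix.items():
        cells = " | ".join(str(row[c]) for c in (*STRIDE, "Total"))
        lines.append(f"| {target} | {cells} |")
    return "\n".join(lines)


# Constructed sample DFD (not from the page): one external entity, two
# processes and one data store, with every flow crossing a trust boundary.
SAMPLE_ELEMENTS = [
    Element("User", "external_entity"),
    Element("API Gateway", "process"),
    Element("Auth Service", "process"),
    Element("Database", "data_store"),
]
SAMPLE_FLOWS = [
    Flow("User", "API Gateway", crosses_boundary=True),
    Flow("API Gateway", "Auth Service", crosses_boundary=True),
    Flow("Auth Service", "Database", crosses_boundary=True),
]

if __name__ == "__main__":
    print(render_matrix(stride_matrix(enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS))))
```

The per-element chart is a starting inventory, not a finding list: each generated row still has to be judged against the actual design (for example, a repudiation threat on a data store only matters when that store holds audit records), which is the Security Architect's job in step 2.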
## Assessment Flow
```
┌────────────────────────────────────────────────────────┐
│ 1. SCOPE IDENTIFICATION                                │
│   • Define assessment boundary                         │
│   • Identify assets (data, services, infrastructure)   │
│   • Map trust boundaries                               │
│   • Load existing threat model (if any)                │
└────────────────────────────────────────────────────────┘
                            │
                            ▼
┌────────────────────────────────────────────────────────┐
│ 2. THREAT MODELING (Security Architect)                │
│   • Data flow analysis                                 │
│   • STRIDE enumeration per component                   │
│   • Attack vector identification                       │
│   • Trust boundary crossing analysis                   │
└────────────────────────────────────────────────────────┘
                            │
                            ▼
┌────────────────────────────────────────────────────────┐
│ 3. VULNERABILITY SCANNING (Security Auditor)           │
│   • OWASP Top 10 pattern check                         │
│   • Secrets exposure scan                              │
│   • Dependency vulnerability check                     │
│   • Configuration review                               │
│   • Code pattern analysis                              │
└────────────────────────────────────────────────────────┘
                            │
                            ▼
┌────────────────────────────────────────────────────────┐
│ 4. CONTROL VALIDATION (Security Gatekeeper)            │
│   • Map security requirements to controls              │
│   • Verify control implementation                      │
│   • Check control effectiveness                        │
│   • Identify coverage gaps                             │
└────────────────────────────────────────────────────────┘
                            │
                            ▼
┌────────────────────────────────────────────────────────┐
│ 5. PRIVACY ASSESSMENT (Privacy Officer) [if PII]       │
│   • Data inventory review                              │
│   • Consent mechanism validation                       │
│   • Data retention compliance                          │
│   • Cross-border transfer assessment                   │
└────────────────────────────────────────────────────────┘
                            │
                            ▼
┌────────────────────────────────────────────────────────┐
│ 6. RISK SCORING & REPORTING                            │
│   • Calculate CVSS scores                              │
│   • Prioritize by risk (likelihood × impact)           │
│   • Generate remediation guidance                      │
│   • Produce assessment report                          │
└────────────────────────────────────────────────────────┘
```
## OWASP Top 10 Checks
| # | Category | Patterns Checked |
|---|----------|-----------------|
| A01 | Broken Access Control | RBAC, ABAC, path traversal, CORS |
| A02 | Cryptographic Failures | Weak algorithms, key management, TLS |
| A03 | Injection | SQL, NoSQL, LDAP, OS command, XSS |
| A04 | Insecure Design | Threat modeling gaps, missing controls |
| A05 | Security Misconfiguration | Defaults, unnecessary features, verbose errors |
| A06 | Vulnerable Components | Outdated dependencies, known CVEs |
| A07 | Auth Failures | Password policies, MFA, session management |
| A08 | Data Integrity Failures | CI/CD security, unsigned updates |
| A09 | Logging Failures | Missing logs, sensitive data in logs |
| A10 | SSRF | Internal resource access, URL validation |
## Severity Scoring
### CVSS Base Metrics
```yaml
severity_levels:
  critical:
    cvss_range: [9.0, 10.0]
    description: Immediate remediation required
    sla: 24 hours
  high:
    cvss_range: [7.0, 8.9]
    description: Remediation within sprint
    sla: 7 days
  medium:
    cvss_range: [4.0, 6.9]
    description: Plan remediation
    sla: 30 days
  low:
    cvss_range: [0.1, 3.9]
    description: Address as time permits
    sla: 90 days
  informational:
    cvss_range: [0.0, 0.0]
    description: Awareness only
    sla: none
```
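Step 6 of the flow turns raw CVSS scores into the banded severities above, SLA due dates, the executive-summary counts and the "Blocking Issues" list shown in the Usage Examples. The following is an added example, not the skill's own code: `SEVERITY_BANDS` copies the `severity_levels` YAML, and `SAMPLE_FINDINGS` is constructed data in the shape of the report's findings (ids, scores and statuses are made up). One edge case it handles explicitly: the YAML bands leave gaps such as 3.9 to 4.0, so scores are first rounded to the single decimal a CVSS v3.1 base score actually carries.

```python
"""Map CVSS base scores to the skill's severity bands and SLAs, then build
the executive-summary counts and blocking list used by the report format.

Added example, not the skill's own code. SEVERITY_BANDS copies the
severity_levels YAML; SAMPLE_FINDINGS is constructed sample data.
"""
from collections import Counter
from datetime import date, timedelta

# (level, low, high, SLA), same bands as severity_levels, highest first.
SEVERITY_BANDS = [
    ("critical", 9.0, 10.0, timedelta(hours=24)),
    ("high", 7.0, 8.9, timedelta(days=7)),
    ("medium", 4.0, 6.9, timedelta(days=30)),
    ("low", 0.1, 3.9, timedelta(days=90)),
    ("informational", 0.0, 0.0, None),
]


def severity_for(cvss):
    """Return (level, sla) for a CVSS v3.1 base score.

    Base scores carry one decimal, so the value is rounded to one decimal
    first. That closes the gaps between bands in the YAML (3.96 becomes 4.0
    and lands in "medium") instead of leaving such a score unclassified.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    score = round(cvss, 1)
    for level, low, high, sla in SEVERITY_BANDS:
        if low <= score <= high:
            return level, sla
    raise AssertionError("bands cover 0.0-10.0; unreachable")


def summarize(findings, assessed_on):
    """Count findings per severity, attach SLA due dates and rank by risk.

    findings: dicts with "id", "cvss" and "status" as in the report format.
    assessed_on: ISO date string of the assessment; the SLA clock starts here.
    """
    start = date.fromisoformat(assessed_on)
    counts = Counter({level: 0 for level, *_ in SEVERITY_BANDS})
    ranked = []
    for finding in findings:
        level, sla = severity_for(finding["cvss"])
        counts[level] += 1
        due = (start + sla).isoformat() if sla is not None else None
        ranked.append({**finding, "severity": level, "due": due})
    # Highest CVSS first; ties broken by id so the report order is stable.
    ranked.sort(key=lambda f: (-f["cvss"], f["id"]))
    # Open critical/high findings block a production deployment.
    blocking = [f["id"] for f in ranked
                if f["severity"] in ("critical", "high") and f["status"] == "Open"]
    return {"counts": dict(counts), "ranked": ranked, "blocking": blocking}


def format_summary(result):
    """Render the short completion message shown in the Usage Examples."""
    c = result["counts"]
    lines = ["Security Assessment Complete",
             f"Findings: {c['critical']} Critical, {c['high']} High, "
             f"{c['medium']} Medium, {c['low']} Low"]
    if result["blocking"]:
        lines.append("Blocking Issues:")
        lines += [f"- {fid}" for fid in result["blocking"]]
    return "\n".join(lines)


# Constructed sample findings (not from the page).
SAMPLE_FINDINGS = [
    {"id": "HIGH-002", "cvss": 7.2, "status": "Open"},
    {"id": "HIGH-001", "cvss": 7.5, "status": "Open"},
    {"id": "MEDIUM-001", "cvss": 5.3, "status": "Open"},
    {"id": "LOW-001", "cvss": 3.1, "status": "Closed"},
    {"id": "INFO-001", "cvss": 0.0, "status": "Open"},
]

if __name__ == "__main__":
    print(format_summary(summarize(SAMPLE_FINDINGS, "2025-12-08")))
```

Keeping the bands in one table that mirrors the YAML means a change to an SLA is a one-line edit, and the due dates in the findings tracker are derived rather than typed by hand.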
## Assessment Report Format
```markdown
# Security Assessment Report
**Date**: 2025-12-08
**Scope**: Full System Assessment
**Assessors**: security-architect, security-auditor, security-gatekeeper
## Executive Summary
| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 2 |
| Medium | 5 |
| Low | 8 |
| Informational | 3 |
**Overall Risk Level**: MEDIUM
**Recommendation**: Address high-severity findings before production deployment
## Threat Model Summary
### Trust Boundaries
1. External → API Gateway
2. API Gateway → Internal Services
3. Services → Database
### STRIDE Analysis
| Component | S | T | R | I | D | E | Total |
|-----------|---|---|---|---|---|---|-------|
| API Gateway | 2 | 1 | 0 | 1 | 1 | 1 | 6 |
| Auth Service | 3 | 1 | 1 | 2 | 0 | 2 | 9 |
| Data Service | 1 | 2 | 1 | 3 | 1 | 1 | 9 |
## Findings
### HIGH-001: Insufficient Input Validation
- **Severity**: High (CVSS 7.5)
- **Component**: API Gateway
- **Category**: A03 Injection
- **Description**: User input not sanitized before database query
- **Impact**: SQL injection possible, data exfiltration risk
- **Remediation**: Implement parameterized queries, add input validation
- **Status**: Open
### HIGH-002: Missing Rate Limiting
- **Severity**: High (CVSS 7.2)
- **Component**: API Gateway
- **Category**: A05 Denial of Service
- **Description**: No rate limiting on authentication endpoints
- **Impact**: Brute force attacks, credential stuffing
- **Remediation**: Implement rate limiting, add account lockout
- **Status**: Open
### MEDIUM-001: Verbose Error Messages
...
## Control Assessment
| Control | Requirement | Status | Gap |
|---------|-------------|--------|-----|
| Authentication | MFA for privileged users | ✅ Implemented | None |
| Authorization | RBAC with least privilege | ⚠️ Partial | Admin role too broad |
| Encryption | TLS 1.2+ for transit | ✅ Implemented | None |
| Encryption | AES-256 at rest | ⚠️ Partial | Logs not encrypted |
| Logging | Security event logging | ✅ Implemented | None |
| Monitoring | Real-time alerting | ❌ Missing | Not configured |
## Compliance Status
| Framework | Status | Gaps |
|-----------|--------|------|
| OWASP Top 10 | 7/10 compliant | A03, A05, A09 |
| SOC 2 | Partial | Monitoring, encryption |
| GDPR | Compliant | None identified |
## Remediation Roadmap
### Immediate (24-48 hours)
- [ ] Fix SQL injection vulnerability (HIGH-001)
- [ ] Implement rate limiting (HIGH-002)
### Short-term (1-2 weeks)
- [ ] Reduce admin role permissions
- [ ] Encrypt log storage
- [ ] Configure monitoring alerts
### Medium-term (1 month)
- [ ] Address medium-severity findings
- [ ] Complete SOC 2 gap remediation
## Next Assessment
Recommended: 30 days or after major changes
```
## Usage Examples
### Full Assessment
```
User: "Run security review"
Skill orchestrates:
1. Load current architecture
2. Run STRIDE analysis
3. Scan for OWASP patterns
4. Validate controls
5. Generate report
Output:
"Security Assessment Complete
Findings: 0 Critical, 2 High, 5 Medium, 8 Low
Risk Level: MEDIUM
Blocking Issues:
- HIGH-001: SQL injection risk
- HIGH-002: Missing rate limiting
Report: .aiwg/security/assessment-20251208.md"
```
### Component Assessment
```
User: "Threat model the authentication service"
Skill focuses on:
- Auth service components only
- STRIDE for auth flows
- Auth-specific vulnerabilities
- Control validation for auth
Output: Targeted threat model and findings
```
### Control Validation Only
```
User: "Validate security controls"
Skill runs:
- Control mapping
- Implementation verification
- Gap analysis
Output: Control assessment summary
```
## Integration
This skill uses:
- `parallel-dispatch`: Launch security agents concurrently
- `project-awareness`: Get architecture and component info
- `artifact-metadata`: Track assessment artifacts
## Agent Orchestration
```yaml
agents:
  threat_modeling:
    agent: security-architect
    focus: STRIDE analysis, attack vectors, trust boundaries
  vulnerability_scanning:
    agent: security-auditor
    focus: OWASP patterns, secrets, dependencies, configuration
  control_validation:
    agent: security-gatekeeper
    focus: Control mapping, implementation, effectiveness
  privacy_assessment:
    agent: privacy-officer
    focus: PII handling, consent, retention, transfers
    condition: has_pii == true
```
## Output Locations
- Assessment report: `.aiwg/security/assessment-{date}.md`
- Threat model: `.aiwg/security/threat-model.md`
- Control matrix: `.aiwg/security/control-matrix.md`
- Findings tracker: `.aiwg/security/findings/`
## References
- STRIDE methodology: Microsoft Threat Modeling
- OWASP Top 10: https://owasp.org/Top10/
- CVSS Calculator: https://www.first.org/cvss/calculator/3.1
- Security templates: templates/security/
Related Skills
security-scanning-security-hardening
Coordinate multi-layer security scanning and hardening across application, infrastructure, and compliance controls.
security-scanning-security-dependencies
You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across ecosystems to identify vulnerabilities, ass...
security-scan
Comprehensive security scanning for CVE vulnerabilities, OWASP Top 10 code patterns, and dependency audits. Use when the user wants to check code security, find vulnerabilities, or audit dependencies.
security-reviewer
Use when conducting security audits, reviewing code for vulnerabilities, or analyzing infrastructure security. Invoke for SAST scans, penetration testing, DevSecOps practices, cloud security reviews.
security-review
Run a targeted security audit on specified files or modules. Uses OWASP-informed checks, dependency vulnerability scanning, and auth/input validation review. Use for security audits, vulnerability checks, or before deploying sensitive code. Keywords: security, audit, vulnerability, OWASP, CVE, secrets, injection, XSS, auth, authentication, authorization
security-review-pr
PR/branch security review focused on HIGH-CONFIDENCE vulnerabilities with minimal false positives. Uses git diff analysis and sub-task parallelization.
security-review-audit
Full codebase security audit with OWASP Top 10 guidance, language-specific patterns, checklists, and fix examples. Use for comprehensive audits split by module/area.
security-requirement-extraction
Derive security requirements from threat models and business context. Use when translating threats into actionable requirements, creating security user stories, or building security test cases.
security
Information security expertise for cybersecurity frameworks (NIST, ISO 27001), security architecture, incident response, vulnerability management, identity management, and cloud security. Use when designing security programs, responding to incidents, or assessing vulnerabilities.
security-hardening
World-class application security - OWASP Top 10, secure coding patterns, and the battle scars from security incidents that could have been prevented. Use when "security, secure, vulnerability, injection, xss, csrf, authentication, authorization, owasp, encryption, secret, password, token, sanitize, validate, escape, encode, harden, security, owasp, injection, xss, csrf, authentication, authorization, encryption, secrets, hardening" mentioned.
Security Engineer
Implement security best practices across the application stack. Use when securing APIs, implementing authentication, preventing vulnerabilities, or conducting security reviews. Covers OWASP Top 10, auth patterns, input validation, encryption, and security monitoring.
security-core
Comprehensive application security expertise covering authentication, authorization, OWASP Top 10, and security best practices. Use when (1) Implementing authentication (JWT, OAuth2, sessions, OAuth for CLI/TUI/desktop apps), (2) Adding authorization (RBAC, ABAC, RLS with Supabase/PostgreSQL), (3) Security auditing code or infrastructure, (4) Setting up security infrastructure (headers, CORS, CSP, rate limiting), (5) Managing secrets and credentials, (6) Preventing OWASP Top 10 vulnerabilities (injection, XSS, CSRF, etc.), (7) Reviewing code for security issues, (8) Configuring secure web applications in TypeScript, Python, or Rust. Automatically triggered when working with authentication/authorization systems, security reviews, or addressing security vulnerabilities.