陌讯skills聚合平台

security-architect

📁 oimiragieo/agent-studio 📅 Jan 27, 2026
32
总安装量
4
周安装量
#11568
全站排名
安装命令
npx skills add https://github.com/oimiragieo/agent-studio --skill security-architect

Agent 安装分布

github-copilot 3
opencode 2
kilo 2
gemini-cli 2
claude-code 2
codex 2

Skill 文档

Security Architect Skill

Step 1: Threat Modeling (STRIDE)

Analyze threats using STRIDE:

Threat Description Example
Spoofing Impersonating users/systems Stolen credentials
Tampering Modifying data SQL injection
Repudiation Denying actions Missing audit logs
Information Disclosure Data leaks Exposed secrets
Denial of Service Blocking access Resource exhaustion
Elevation of Privilege Gaining unauthorized access Broken access control

Step 2: OWASP Top 10 Analysis

Check for common vulnerabilities:

  1. A01: Broken Access Control

    • Verify authorization on every endpoint
    • Deny by default

  2. A02: Cryptographic Failures

    • Use strong algorithms (AES-256, SHA-256+)
    • Never store plaintext passwords

  3. A03: Injection

    • Parameterize all queries
    • Validate/sanitize inputs

  4. A04: Insecure Design

    • Threat model early
    • Use secure design patterns

  5. A05: Security Misconfiguration

    • Harden defaults
    • Remove unnecessary features

  6. A06: Vulnerable Components

    • Keep dependencies updated
    • Monitor CVE databases

  7. A07: Authentication Failures

    • Implement MFA
    • Use secure session management

  8. A08: Software/Data Integrity

    • Verify dependencies (SRI, signatures)
    • Protect CI/CD pipelines

  9. A09: Logging Failures

    • Log security events
    • Protect log integrity

  10. A10: SSRF

    • Validate/sanitize URLs
    • Use allowlists

Step 3: Security Code Review

Look for common issues:

// BAD: SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD: Parameterized query
const query = `SELECT * FROM users WHERE id = $1`;
await db.query(query, [userId]);

// BAD: Hardcoded secrets
const apiKey = 'sk-abc123...';

// GOOD: Environment variables
const apiKey = process.env.API_KEY;

Step 4: Authentication/Authorization Review

Verify:

  • Strong password requirements
  • Secure session management
  • JWT validation (signature, expiry, audience)
  • Role-based access control (RBAC)
  • API authentication (OAuth 2.0, API keys)

Step 5: Generate Security Report

Create findings report:

## Security Assessment Report

### Critical Findings

1. SQL injection in /api/users endpoint
   - Risk: Data breach
   - Fix: Use parameterized queries

### High Findings

2. Missing rate limiting on login
   - Risk: Brute force attacks
   - Fix: Implement rate limiting

### Recommendations

- Enable HTTPS everywhere
- Implement CSP headers
- Add security logging

</execution_process>

<best_practices>

  1. Defense in Depth: Layer security controls
  2. Least Privilege: Minimal permissions
  3. Fail Securely: Default to deny
  4. Validate Everything: Never trust input
  5. Keep Secrets Secret: Use secret managers

</best_practices> 

Review the authentication flow in src/auth/ for security issues

Example Response:

## Security Review: src/auth/

### Findings

#### CRITICAL: Weak Password Hashing

- File: src/auth/password.js:23
- Issue: Using MD5 for password hashing
- Fix: Use bcrypt with cost factor >= 12

#### HIGH: No Rate Limiting

- File: src/auth/login.js
- Issue: Login endpoint has no rate limiting
- Fix: Add rate limiting (5 attempts/minute)

#### MEDIUM: Session Not Invalidated

- File: src/auth/logout.js
- Issue: Logout doesn't invalidate server-side session
- Fix: Clear session from store on logout

### Recommendations

1. Implement bcrypt for password hashing
2. Add rate limiting middleware
3. Use secure session configuration

</usage_example>

Rules

  • Always prioritize findings by severity
  • Provide specific remediation steps
  • Consider business context when assessing risk

Related Skills

Related Workflow

For comprehensive security audits requiring multi-phase threat analysis, vulnerability scanning, and remediation planning, see the corresponding workflow:

  • Workflow File: .claude/workflows/security-architect-skill-workflow.md
  • When to Use: For structured security audits requiring OWASP Top 10 analysis, dependency CVE checks, penetration testing, and remediation planning
  • Phases: 5 phases (Threat Modeling, Security Code Review, Dependency Audit, Penetration Testing, Remediation Planning)
  • Coverage: Full OWASP Top 10, STRIDE threat modeling, CVE database checks, automated and manual penetration testing

Key Features:

  • Multi-agent orchestration (security-architect, code-reviewer, developer, devops)
  • Security gates for pre-release blocking
  • Severity classification (CRITICAL/HIGH/MEDIUM/LOW)
  • Automated ticket generation
  • Compliance-ready reporting (SOC2, GDPR, HIPAA)

See also: Feature Development Workflow for integrating security reviews into the development lifecycle.

Memory Protocol (MANDATORY)

Before starting:

cat .claude/context/memory/learnings.md

After completing:

  • New pattern -> .claude/context/memory/learnings.md
  • Issue found -> .claude/context/memory/issues.md
  • Decision made -> .claude/context/memory/decisions.md

ASSUME INTERRUPTION: Your context may reset. If it’s not in memory, it didn’t happen.

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台
本页面由 陌讯 Skills 聚合平台 收录整理,数据定期更新。