senior-secopsComprehensive SecOps skill for application security, vulnerability management, compliance, and secure development practices. Includes security scanning, vulnerability assessment, compliance checking, and security automation. Use when implementing security controls, conducting security audits, responding to vulnerabilities, or ensuring compliance requirements.
Install via ClawdBot CLI:
clawdbot install alirezarezvani/senior-secopsComplete toolkit for Security Operations including vulnerability management, compliance verification, secure coding practices, and security automation.
Use this skill when you encounter:
| Category | Terms |
|----------|-------|
| Vulnerability Management | CVE, CVSS, vulnerability scan, security patch, dependency audit, npm audit, pip-audit |
| OWASP Top 10 | injection, XSS, CSRF, broken authentication, security misconfiguration, sensitive data exposure |
| Compliance | SOC 2, PCI-DSS, HIPAA, GDPR, compliance audit, security controls, access control |
| Secure Coding | input validation, output encoding, parameterized queries, prepared statements, sanitization |
| Secrets Management | API key, secrets vault, environment variables, HashiCorp Vault, AWS Secrets Manager |
| Authentication | JWT, OAuth, MFA, 2FA, TOTP, password hashing, bcrypt, argon2, session management |
| Security Testing | SAST, DAST, penetration test, security scan, Snyk, Semgrep, CodeQL, Trivy |
| Incident Response | security incident, breach notification, incident response, forensics, containment |
| Network Security | TLS, HTTPS, HSTS, CSP, CORS, security headers, firewall rules, WAF |
| Infrastructure Security | container security, Kubernetes security, IAM, least privilege, zero trust |
| Cryptography | encryption at rest, encryption in transit, AES-256, RSA, key management, KMS |
| Monitoring | security monitoring, SIEM, audit logging, intrusion detection, anomaly detection |
Scan source code for security vulnerabilities including hardcoded secrets, SQL injection, XSS, command injection, and path traversal.
# Scan project for security issues
python scripts/security_scanner.py /path/to/project
# Filter by severity
python scripts/security_scanner.py /path/to/project --severity high
# JSON output for CI/CD
python scripts/security_scanner.py /path/to/project --json --output report.jsonDetects:
Scan dependencies for known CVEs across npm, Python, and Go ecosystems.
# Assess project dependencies
python scripts/vulnerability_assessor.py /path/to/project
# Critical/high only
python scripts/vulnerability_assessor.py /path/to/project --severity high
# Export vulnerability report
python scripts/vulnerability_assessor.py /path/to/project --json --output vulns.jsonScans:
package.json and package-lock.json (npm)requirements.txt and pyproject.toml (Python)go.mod (Go)Output:
Verify security compliance against SOC 2, PCI-DSS, HIPAA, and GDPR frameworks.
# Check all frameworks
python scripts/compliance_checker.py /path/to/project
# Specific framework
python scripts/compliance_checker.py /path/to/project --framework soc2
python scripts/compliance_checker.py /path/to/project --framework pci-dss
python scripts/compliance_checker.py /path/to/project --framework hipaa
python scripts/compliance_checker.py /path/to/project --framework gdpr
# Export compliance report
python scripts/compliance_checker.py /path/to/project --json --output compliance.jsonVerifies:
Complete security assessment of a codebase.
# Step 1: Scan for code vulnerabilities
python scripts/security_scanner.py . --severity medium
# Step 2: Check dependency vulnerabilities
python scripts/vulnerability_assessor.py . --severity high
# Step 3: Verify compliance controls
python scripts/compliance_checker.py . --framework all
# Step 4: Generate combined report
python scripts/security_scanner.py . --json --output security.json
python scripts/vulnerability_assessor.py . --json --output vulns.json
python scripts/compliance_checker.py . --json --output compliance.jsonIntegrate security checks into deployment pipeline.
# .github/workflows/security.yml
name: Security Scan
on:
pull_request:
branches: [main, develop]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Security Scanner
run: python scripts/security_scanner.py . --severity high
- name: Vulnerability Assessment
run: python scripts/vulnerability_assessor.py . --severity critical
- name: Compliance Check
run: python scripts/compliance_checker.py . --framework soc2Respond to a new CVE affecting your application.
1. ASSESS (0-2 hours)
- Identify affected systems using vulnerability_assessor.py
- Check if CVE is being actively exploited
- Determine CVSS environmental score for your context
2. PRIORITIZE
- Critical (CVSS 9.0+, internet-facing): 24 hours
- High (CVSS 7.0-8.9): 7 days
- Medium (CVSS 4.0-6.9): 30 days
- Low (CVSS < 4.0): 90 days
3. REMEDIATE
- Update affected dependency to fixed version
- Run security_scanner.py to verify fix
- Test for regressions
- Deploy with enhanced monitoring
4. VERIFY
- Re-run vulnerability_assessor.py
- Confirm CVE no longer reported
- Document remediation actionsSecurity incident handling procedure.
PHASE 1: DETECT & IDENTIFY (0-15 min)
- Alert received and acknowledged
- Initial severity assessment (SEV-1 to SEV-4)
- Incident commander assigned
- Communication channel established
PHASE 2: CONTAIN (15-60 min)
- Affected systems identified
- Network isolation if needed
- Credentials rotated if compromised
- Preserve evidence (logs, memory dumps)
PHASE 3: ERADICATE (1-4 hours)
- Root cause identified
- Malware/backdoors removed
- Vulnerabilities patched (run security_scanner.py)
- Systems hardened
PHASE 4: RECOVER (4-24 hours)
- Systems restored from clean backup
- Services brought back online
- Enhanced monitoring enabled
- User access restored
PHASE 5: POST-INCIDENT (24-72 hours)
- Incident timeline documented
- Root cause analysis complete
- Lessons learned documented
- Preventive measures implemented
- Stakeholder report delivered| Option | Description |
|--------|-------------|
| target | Directory or file to scan |
| --severity, -s | Minimum severity: critical, high, medium, low |
| --verbose, -v | Show files as they're scanned |
| --json | Output results as JSON |
| --output, -o | Write results to file |
Exit Codes:
0: No critical/high findings1: High severity findings2: Critical severity findings| Option | Description |
|--------|-------------|
| target | Directory containing dependency files |
| --severity, -s | Minimum severity: critical, high, medium, low |
| --verbose, -v | Show files as they're scanned |
| --json | Output results as JSON |
| --output, -o | Write results to file |
Exit Codes:
0: No critical/high vulnerabilities1: High severity vulnerabilities2: Critical severity vulnerabilities| Option | Description |
|--------|-------------|
| target | Directory to check |
| --framework, -f | Framework: soc2, pci-dss, hipaa, gdpr, all |
| --verbose, -v | Show checks as they run |
| --json | Output results as JSON |
| --output, -o | Write results to file |
Exit Codes:
0: Compliant (90%+ score)1: Non-compliant (50-69% score)2: Critical gaps (<50% score)| Vulnerability | Prevention |
|--------------|------------|
| A01: Broken Access Control | Implement RBAC, deny by default, validate permissions server-side |
| A02: Cryptographic Failures | Use TLS 1.2+, AES-256 encryption, secure key management |
| A03: Injection | Parameterized queries, input validation, escape output |
| A04: Insecure Design | Threat modeling, secure design patterns, defense in depth |
| A05: Security Misconfiguration | Hardening guides, remove defaults, disable unused features |
| A06: Vulnerable Components | Dependency scanning, automated updates, SBOM |
| A07: Authentication Failures | MFA, rate limiting, secure password storage |
| A08: Data Integrity Failures | Code signing, integrity checks, secure CI/CD |
| A09: Security Logging Failures | Comprehensive audit logs, SIEM integration, alerting |
| A10: SSRF | URL validation, allowlist destinations, network segmentation |
## Input Validation
- [ ] Validate all input on server side
- [ ] Use allowlists over denylists
- [ ] Sanitize for specific context (HTML, SQL, shell)
## Output Encoding
- [ ] HTML encode for browser output
- [ ] URL encode for URLs
- [ ] JavaScript encode for script contexts
## Authentication
- [ ] Use bcrypt/argon2 for passwords
- [ ] Implement MFA for sensitive operations
- [ ] Enforce strong password policy
## Session Management
- [ ] Generate secure random session IDs
- [ ] Set HttpOnly, Secure, SameSite flags
- [ ] Implement session timeout (15 min idle)
## Error Handling
- [ ] Log errors with context (no secrets)
- [ ] Return generic messages to users
- [ ] Never expose stack traces in production
## Secrets Management
- [ ] Use environment variables or secrets manager
- [ ] Never commit secrets to version control
- [ ] Rotate credentials regularly| Control | Category | Description |
|---------|----------|-------------|
| CC1 | Control Environment | Security policies, org structure |
| CC2 | Communication | Security awareness, documentation |
| CC3 | Risk Assessment | Vulnerability scanning, threat modeling |
| CC6 | Logical Access | Authentication, authorization, MFA |
| CC7 | System Operations | Monitoring, logging, incident response |
| CC8 | Change Management | CI/CD, code review, deployment controls |
| Requirement | Description |
|-------------|-------------|
| Req 3 | Protect stored cardholder data (encryption at rest) |
| Req 4 | Encrypt transmission (TLS 1.2+) |
| Req 6 | Secure development (input validation, secure coding) |
| Req 8 | Strong authentication (MFA, password policy) |
| Req 10 | Audit logging (all access to cardholder data) |
| Req 11 | Security testing (SAST, DAST, penetration testing) |
| Safeguard | Requirement |
|-----------|-------------|
| 164.312(a)(1) | Unique user identification for PHI access |
| 164.312(b) | Audit trails for PHI access |
| 164.312(c)(1) | Data integrity controls |
| 164.312(d) | Person/entity authentication (MFA) |
| 164.312(e)(1) | Transmission encryption (TLS) |
| Article | Requirement |
|---------|-------------|
| Art 25 | Privacy by design, data minimization |
| Art 32 | Security measures, encryption, pseudonymization |
| Art 33 | Breach notification (72 hours) |
| Art 17 | Right to erasure (data deletion) |
| Art 20 | Data portability (export capability) |
# BAD: Hardcoded secret
API_KEY = "sk-1234567890abcdef"
# GOOD: Environment variable
import os
API_KEY = os.environ.get("API_KEY")
# BETTER: Secrets manager
from your_vault_client import get_secret
API_KEY = get_secret("api/key")# BAD: String concatenation
query = f"SELECT * FROM users WHERE id = {user_id}"
# GOOD: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))// BAD: Direct innerHTML assignment is vulnerable
// GOOD: Use textContent (auto-escaped)
element.textContent = userInput;
// GOOD: Use sanitization library for HTML
import DOMPurify from 'dompurify';
const safeHTML = DOMPurify.sanitize(userInput);// Password hashing
const bcrypt = require('bcrypt');
const SALT_ROUNDS = 12;
// Hash password
const hash = await bcrypt.hash(password, SALT_ROUNDS);
// Verify password
const match = await bcrypt.compare(password, hash);// Express.js security headers
const helmet = require('helmet');
app.use(helmet());
// Or manually set headers:
app.use((req, res, next) => {
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('X-XSS-Protection', '1; mode=block');
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
res.setHeader('Content-Security-Policy', "default-src 'self'");
next();
});| Document | Description |
|----------|-------------|
| references/security_standards.md | OWASP Top 10, secure coding, authentication, API security |
| references/vulnerability_management_guide.md | CVE triage, CVSS scoring, remediation workflows |
| references/compliance_requirements.md | SOC 2, PCI-DSS, HIPAA, GDPR requirements |
Security Scanning:
Secrets Management:
Authentication:
Logging & Monitoring:
Compliance:
Generated Mar 1, 2026
A bank needs to conduct a comprehensive security audit of its online banking platform to ensure compliance with PCI-DSS and SOC 2 frameworks. The skill scans for vulnerabilities like SQL injection and XSS, assesses dependencies for CVEs, and verifies encryption and access controls to prevent breaches.
A healthcare startup developing a patient portal must verify HIPAA compliance before launch. The skill checks for secure coding practices, secrets management, and audit logging to protect sensitive health data and avoid regulatory penalties.
An e-commerce company integrates the skill into its CI/CD pipeline to automatically scan for OWASP Top 10 vulnerabilities and dependency CVEs during pull requests. This ensures secure deployments and reduces risk of attacks like CSRF or data exposure.
A SaaS provider preparing for SOC 2 certification uses the skill to assess security controls, including authentication strength with MFA and encryption standards. It generates compliance reports to streamline audit processes and demonstrate security posture to clients.
A tech firm adopting DevSecOps leverages the skill to automate security scanning and compliance checks across its Kubernetes and containerized environments. It helps enforce least privilege IAM policies and monitor for anomalies in real-time.
Offer the skill as a SaaS platform where companies pay a monthly fee for continuous security scanning, vulnerability assessments, and compliance reporting. This model provides recurring revenue and scales with client security needs.
Provide professional services to customize and integrate the skill into clients' existing workflows, such as CI/CD pipelines or security audits. Charge per project or hourly for setup, training, and ongoing support.
License the skill to large enterprises for internal use, with pricing based on the number of users, codebases, or compliance frameworks. Include premium features like advanced reporting and dedicated support for higher-tier licenses.
💬 Integration Tip
Integrate the skill into CI/CD pipelines using provided GitHub Actions examples to automate security gates and ensure vulnerabilities are caught early in development.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.