senior-securitySecurity engineering toolkit for threat modeling, vulnerability analysis, secure architecture, and penetration testing. Includes STRIDE analysis, OWASP guidance, cryptography patterns, and security scanning tools.
Install via ClawdBot CLI:
clawdbot install alirezarezvani/senior-securitySecurity engineering tools for threat modeling, vulnerability analysis, secure architecture design, and penetration testing.
Identify and analyze security threats using STRIDE methodology.
| Category | Description | Security Property | Mitigation Focus |
|----------|-------------|-------------------|------------------|
| Spoofing | Impersonating users or systems | Authentication | MFA, certificates, strong auth |
| Tampering | Modifying data or code | Integrity | Signing, checksums, validation |
| Repudiation | Denying actions | Non-repudiation | Audit logs, digital signatures |
| Information Disclosure | Exposing data | Confidentiality | Encryption, access controls |
| Denial of Service | Disrupting availability | Availability | Rate limiting, redundancy |
| Elevation of Privilege | Gaining unauthorized access | Authorization | RBAC, least privilege |
| DFD Element | S | T | R | I | D | E |
|-------------|---|---|---|---|---|---|
| External Entity | X | | X | | | |
| Process | X | X | X | X | X | X |
| Data Store | | X | X | X | X | |
| Data Flow | | X | | X | X | |
See: references/threat-modeling-guide.md
Design secure systems using defense-in-depth principles.
Layer 1: PERIMETER
WAF, DDoS mitigation, DNS filtering, rate limiting
Layer 2: NETWORK
Segmentation, IDS/IPS, network monitoring, VPN, mTLS
Layer 3: HOST
Endpoint protection, OS hardening, patching, logging
Layer 4: APPLICATION
Input validation, authentication, secure coding, SAST
Layer 5: DATA
Encryption at rest/transit, access controls, DLP, backup| Use Case | Recommended Pattern |
|----------|---------------------|
| Web application | OAuth 2.0 + PKCE with OIDC |
| API authentication | JWT with short expiration + refresh tokens |
| Service-to-service | mTLS with certificate rotation |
| CLI/Automation | API keys with IP allowlisting |
| High security | FIDO2/WebAuthn hardware keys |
See: references/security-architecture-patterns.md
Identify and remediate security vulnerabilities in applications.
| Rank | Vulnerability | Testing Approach |
|------|---------------|------------------|
| A01 | Broken Access Control | Manual IDOR testing, authorization checks |
| A02 | Cryptographic Failures | Algorithm review, key management audit |
| A03 | Injection | SAST + manual payload testing |
| A04 | Insecure Design | Threat modeling, architecture review |
| A05 | Security Misconfiguration | Configuration audit, CIS benchmarks |
| A06 | Vulnerable Components | Dependency scanning, CVE monitoring |
| A07 | Authentication Failures | Password policy, session management review |
| A08 | Software/Data Integrity | CI/CD security, code signing verification |
| A09 | Logging Failures | Log review, SIEM configuration check |
| A10 | SSRF | Manual URL manipulation testing |
| Impact / Exploitability | Easy | Moderate | Difficult |
|-------------------------|------|----------|-----------|
| Critical | Critical | Critical | High |
| High | Critical | High | Medium |
| Medium | High | Medium | Low |
| Low | Medium | Low | Low |
Review code for security vulnerabilities before deployment.
| Category | Check | Risk |
|----------|-------|------|
| Input Validation | All user input validated and sanitized | Injection |
| Output Encoding | Context-appropriate encoding applied | XSS |
| Authentication | Passwords hashed with Argon2/bcrypt | Credential theft |
| Session | Secure cookie flags set (HttpOnly, Secure, SameSite) | Session hijacking |
| Authorization | Server-side permission checks on all endpoints | Privilege escalation |
| SQL | Parameterized queries used exclusively | SQL injection |
| File Access | Path traversal sequences rejected | Path traversal |
| Secrets | No hardcoded credentials or keys | Information disclosure |
| Dependencies | Known vulnerable packages updated | Supply chain |
| Logging | Sensitive data not logged | Information disclosure |
| Pattern | Issue | Secure Alternative |
|---------|-------|-------------------|
| SQL string formatting | SQL injection | Use parameterized queries with placeholders |
| Shell command building | Command injection | Use subprocess with argument lists, no shell |
| Path concatenation | Path traversal | Validate and canonicalize paths |
| MD5/SHA1 for passwords | Weak hashing | Use Argon2id or bcrypt |
| Math.random for tokens | Predictable values | Use crypto.getRandomValues |
Respond to and contain security incidents.
| Level | Description | Response Time | Escalation |
|-------|-------------|---------------|------------|
| P1 - Critical | Active breach, data exfiltration | Immediate | CISO, Legal, Executive |
| P2 - High | Confirmed compromise, contained | 1 hour | Security Lead, IT Director |
| P3 - Medium | Potential compromise, under investigation | 4 hours | Security Team |
| P4 - Low | Suspicious activity, low impact | 24 hours | On-call engineer |
| Phase | Actions |
|-------|---------|
| Identification | Validate alert, assess scope, determine severity |
| Containment | Isolate systems, preserve evidence, block access |
| Eradication | Remove threat, patch vulnerabilities, reset credentials |
| Recovery | Restore services, verify integrity, increase monitoring |
| Lessons Learned | Document timeline, identify gaps, update procedures |
| Category | Tools |
|----------|-------|
| SAST | Semgrep, CodeQL, Bandit (Python), ESLint security plugins |
| DAST | OWASP ZAP, Burp Suite, Nikto |
| Dependency Scanning | Snyk, Dependabot, npm audit, pip-audit |
| Secret Detection | GitLeaks, TruffleHog, detect-secrets |
| Container Security | Trivy, Clair, Anchore |
| Infrastructure | Checkov, tfsec, ScoutSuite |
| Network | Wireshark, Nmap, Masscan |
| Penetration | Metasploit, sqlmap, Burp Suite Pro |
| Use Case | Algorithm | Key Size |
|----------|-----------|----------|
| Symmetric encryption | AES-256-GCM | 256 bits |
| Password hashing | Argon2id | N/A (use defaults) |
| Message authentication | HMAC-SHA256 | 256 bits |
| Digital signatures | Ed25519 | 256 bits |
| Key exchange | X25519 | 256 bits |
| TLS | TLS 1.3 | N/A |
See: references/cryptography-implementation.md
| Script | Purpose | Usage |
|--------|---------|-------|
| threat_modeler.py | STRIDE threat analysis with risk scoring | python threat_modeler.py --component "Authentication" |
| secret_scanner.py | Detect hardcoded secrets and credentials | python secret_scanner.py /path/to/project |
Threat Modeler Features:
Secret Scanner Features:
| Document | Content |
|----------|---------|
| security-architecture-patterns.md | Zero Trust, defense-in-depth, authentication patterns, API security |
| threat-modeling-guide.md | STRIDE methodology, attack trees, DREAD scoring, DFD creation |
| cryptography-implementation.md | AES-GCM, RSA, Ed25519, password hashing, key management |
| Framework | Focus | Applicable To |
|-----------|-------|---------------|
| OWASP ASVS | Application security | Web applications |
| CIS Benchmarks | System hardening | Servers, containers, cloud |
| NIST CSF | Risk management | Enterprise security programs |
| PCI-DSS | Payment card data | Payment processing |
| HIPAA | Healthcare data | Healthcare applications |
| SOC 2 | Service organization controls | SaaS providers |
| Header | Recommended Value |
|--------|-------------------|
| Content-Security-Policy | default-src self; script-src self |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | geolocation=(), microphone=(), camera=() |
| Skill | Integration Point |
|-------|-------------------|
| senior-devops | CI/CD security, infrastructure hardening |
| senior-secops | Security monitoring, incident response |
| senior-backend | Secure API development |
| senior-architect | Security architecture decisions |
Generated Mar 1, 2026
A fintech company needs to assess a new mobile banking app for security vulnerabilities before launch. The Senior Security skill guides through threat modeling using STRIDE to identify risks like spoofing and tampering, followed by vulnerability assessment with SAST/DAST tools to ensure compliance with PCI-DSS and protect sensitive financial data.
A healthcare provider is designing a cloud-based patient portal to store electronic health records. Using the skill, they apply defense-in-depth layers and Zero Trust principles to secure data flows, implement encryption strategies for HIPAA compliance, and configure authentication with MFA to prevent unauthorized access to confidential information.
An online retailer wants to test their e-commerce website for vulnerabilities during a major sale event. The skill facilitates penetration testing workflows, including automated scanning for OWASP Top 10 issues like injection flaws, manual testing for business logic errors, and incident response planning to mitigate denial-of-service attacks.
A manufacturing firm develops IoT sensors for industrial monitoring and requires a security audit. The skill helps conduct threat modeling on data flows between devices and servers, assess vulnerabilities in firmware using static analysis, and design secure architecture with mTLS for service-to-service communication to prevent tampering.
A software-as-a-service startup is building a multi-tenant application and needs to ensure secure coding practices. The skill guides through secure code review workflows, identifying common vulnerabilities like information disclosure, implementing cryptography patterns for data encryption, and using secret scanning to prevent credential leaks in the codebase.
Offer specialized security assessments and architecture design for clients in regulated industries like finance or healthcare. Use the skill's workflows for threat modeling and vulnerability assessments to deliver detailed reports, helping clients meet compliance standards and reduce risk, with revenue generated from project-based fees or retainer contracts.
Provide ongoing security monitoring and penetration testing as a subscription service. Leverage the skill's tools for automated scanning and incident response to offer continuous protection, attracting small to medium businesses that lack in-house expertise, with revenue from monthly or annual subscriptions.
Develop and sell training courses or workshops based on the skill's methodologies, such as STRIDE analysis and secure architecture design. Target IT professionals and developers seeking to upskill, generating revenue through course fees, certification exams, and corporate training packages.
💬 Integration Tip
Integrate this skill into CI/CD pipelines for automated security scanning and use it alongside existing monitoring tools like SIEMs to enhance threat detection and response capabilities.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.