Execute threat modeling, vulnerability scanning, and security control validation.
Orchestrates comprehensive security assessments through threat modeling, vulnerability scanning, and control validation. Triggers on commands like "run security review" or "threat model [component]" to generate risk-scored reports with CVSS ratings and remediation guidance.
```
/plugin marketplace add jmagly/ai-writing-guide
/plugin install sdlc@aiwg
```

This skill inherits all available tools. When active, it can use any tool Claude has access to.
This skill orchestrates a comprehensive security assessment through:

- Threat modeling (STRIDE enumeration over data flows and trust boundaries)
- Vulnerability scanning (OWASP Top 10 patterns, secrets, dependencies, configuration)
- Security control validation (requirements mapped to implemented, effective controls)
- Privacy assessment (only when PII is in scope)
- Risk scoring and reporting (CVSS ratings, prioritization, remediation guidance)

When triggered, this skill:

1. Determines scope: the assessment boundary, the assets in it (data, services, infrastructure), the trust boundaries between them, and any existing threat model to build on.
2. Executes threat modeling: data flow analysis, STRIDE enumeration per component, attack vector identification, and analysis of every trust boundary crossing.
3. Runs vulnerability patterns: OWASP Top 10 checks, secrets exposure scan, dependency vulnerability check, configuration review, and code pattern analysis.
4. Validates controls: maps security requirements to controls, verifies each control is implemented and effective, and records coverage gaps.
5. Assesses privacy (if PII is handled): data inventory, consent mechanisms, retention, and cross-border transfers.
6. Generates the report: CVSS scores per finding, prioritization by risk (likelihood × impact), remediation guidance, and the assessment report itself.
| Category | Description | Example |
|---|---|---|
| Spoofing | Impersonating something/someone | Fake user credentials |
| Tampering | Modifying data or code | SQL injection |
| Repudiation | Denying actions | Missing audit logs |
| Information Disclosure | Exposing information | Data leakage |
| Denial of Service | Disrupting availability | Resource exhaustion |
| Elevation of Privilege | Gaining unauthorized access | Broken access control |
```
┌─────────────────────────────────────────────────────────┐
│ 1. SCOPE IDENTIFICATION                                 │
│ • Define assessment boundary                            │
│ • Identify assets (data, services, infrastructure)      │
│ • Map trust boundaries                                  │
│ • Load existing threat model (if any)                   │
└─────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────┐
│ 2. THREAT MODELING (Security Architect)                 │
│ • Data flow analysis                                    │
│ • STRIDE enumeration per component                      │
│ • Attack vector identification                          │
│ • Trust boundary crossing analysis                      │
└─────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────┐
│ 3. VULNERABILITY SCANNING (Security Auditor)            │
│ • OWASP Top 10 pattern check                            │
│ • Secrets exposure scan                                 │
│ • Dependency vulnerability check                        │
│ • Configuration review                                  │
│ • Code pattern analysis                                 │
└─────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────┐
│ 4. CONTROL VALIDATION (Security Gatekeeper)             │
│ • Map security requirements to controls                 │
│ • Verify control implementation                         │
│ • Check control effectiveness                           │
│ • Identify coverage gaps                                │
└─────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────┐
│ 5. PRIVACY ASSESSMENT (Privacy Officer) [if PII]        │
│ • Data inventory review                                 │
│ • Consent mechanism validation                          │
│ • Data retention compliance                             │
│ • Cross-border transfer assessment                      │
└─────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────┐
│ 6. RISK SCORING & REPORTING                             │
│ • Calculate CVSS scores                                 │
│ • Prioritize by risk (likelihood × impact)              │
│ • Generate remediation guidance                         │
│ • Produce assessment report                             │
└─────────────────────────────────────────────────────────┘
```
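Step 2 (data flow analysis, STRIDE per component, trust boundary crossings) can be mechanised rather than brainstormed. The following is an added example, not code from the skill or the aiwg project: it applies the STRIDE-per-element mapping (external entities: S, R; processes: all six; data stores: T, I, D, plus R for log stores; data flows: T, I, D) to a small model and then adds T/I/D threats for every flow that crosses a trust zone, attributing them to the receiving component. The components, zones and flows are constructed to mirror the sample report's three trust boundaries; the zone names, the `logstore` element type and the attribution rule are assumptions of this example.

```python
"""STRIDE-per-element enumeration over a small data-flow model.

Added example (not part of the skill or the aiwg project).  The component
model, zone names and the choice of STRIDE-per-element over free-form
brainstorming are assumptions made for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass

# STRIDE-per-element: which threat categories apply to each element type.
STRIDE_BY_TYPE = {
    "external": "SR",      # external entity: can be spoofed, can repudiate
    "process": "STRIDE",   # process: exposed to all six
    "datastore": "TID",    # data store: tampering, disclosure, DoS
    "logstore": "TRID",    # data store holding audit logs: also repudiation
    "flow": "TID",         # data flow: tampering, disclosure, DoS
}


@dataclass(frozen=True)
class Component:
    name: str
    kind: str   # key into STRIDE_BY_TYPE
    zone: str   # trust zone; a flow between different zones crosses a boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


@dataclass
class Threat:
    component: str
    category: str   # one letter of STRIDE
    via: str        # what exposes it: the element type or a crossing flow


def enumerate_threats(components, flows):
    """Per-element STRIDE threats for every component, plus T/I/D threats on
    each flow that crosses a trust boundary, attributed to the receiving
    component (the one that has to defend the boundary)."""
    by_name = {c.name: c for c in components}
    threats = []
    for c in components:
        for letter in STRIDE_BY_TYPE[c.kind]:
            threats.append(Threat(c.name, letter, f"{c.kind} element"))
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        if src.zone != dst.zone:  # trust boundary crossing
            via = f"flow {f.src}->{f.dst} ({f.data}) crosses {src.zone}/{dst.zone}"
            for letter in STRIDE_BY_TYPE["flow"]:
                threats.append(Threat(dst.name, letter, via))
    return threats


def stride_matrix(threats):
    """Counts per component and category, in the shape of the report's
    'STRIDE Analysis' table: {component: {S..E: count, 'Total': n}}."""
    rows = {}
    for t in threats:
        rows.setdefault(t.component, Counter())[t.category] += 1
    return {name: {**{k: row[k] for k in "STRIDE"}, "Total": sum(row.values())}
            for name, row in rows.items()}


def render(matrix):
    """Markdown table matching the sample report."""
    lines = ["| Component | S | T | R | I | D | E | Total |",
             "|---|---|---|---|---|---|---|---|"]
    for name, row in matrix.items():
        cells = [name] + [str(row[k]) for k in "STRIDE"] + [str(row["Total"])]
        lines.append("| " + " | ".join(cells) + " |")
    return "\n".join(lines)


# Constructed model mirroring the sample report's trust boundaries:
# External -> API Gateway -> Internal Services -> Database.
COMPONENTS = [
    Component("Browser", "external", "internet"),
    Component("API Gateway", "process", "dmz"),
    Component("Auth Service", "process", "internal"),
    Component("Data Service", "process", "internal"),
    Component("User DB", "datastore", "data"),
    Component("Audit Log", "logstore", "data"),
]
FLOWS = [
    Flow("Browser", "API Gateway", "credentials, requests"),
    Flow("API Gateway", "Auth Service", "login request"),
    Flow("API Gateway", "Data Service", "API request + token"),
    Flow("Data Service", "User DB", "SQL"),
    Flow("Auth Service", "Audit Log", "auth events"),
]

if __name__ == "__main__":
    print(render(stride_matrix(enumerate_threats(COMPONENTS, FLOWS))))
```

The per-flow threats are what make boundary crossings visible in the matrix: a process with no inbound cross-zone flow scores 6, one that terminates a boundary scores 9, which is the pattern the sample report's table shows for the gateway and internal services.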
| # | Category (OWASP Top 10:2021) | Patterns Checked |
|---|---|---|
| A01 | Broken Access Control | RBAC, ABAC, path traversal, CORS |
| A02 | Cryptographic Failures | Weak algorithms, key management, TLS, hardcoded secrets |
| A03 | Injection | SQL, NoSQL, LDAP, OS command, XSS |
| A04 | Insecure Design | Threat modeling gaps, missing controls |
| A05 | Security Misconfiguration | Defaults, unnecessary features, verbose errors |
| A06 | Vulnerable and Outdated Components | Outdated dependencies, known CVEs |
| A07 | Identification and Authentication Failures | Password policies, MFA, session management, rate limiting |
| A08 | Software and Data Integrity Failures | CI/CD security, unsigned updates, insecure deserialization |
| A09 | Security Logging and Monitoring Failures | Missing logs, sensitive data in logs, no alerting |
| A10 | Server-Side Request Forgery (SSRF) | Internal resource access, URL validation |
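The "secrets exposure scan" and "code pattern analysis" steps reduce to pattern rules over source text. The following is an added example, not the skill's or the project's own scanner: a line-oriented regex pass that flags queries built by string formatting (A03), `shell=True` command execution (A03), hardcoded credentials and AWS access key IDs (A02 / secrets exposure) and disabled TLS verification (A02), with a placeholder allowlist so template values are not reported as leaks. The rules, the deliberately insecure sample module and the category assignments are constructed for this example; a production scanner would work on the AST rather than on lines.

```python
"""Rule-based source scan for a few of the OWASP patterns the skill checks.

Added example (not the skill's or the aiwg project's scanner).  Rules,
sample code and category assignments are constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    category: str   # OWASP Top 10:2021 category id
    rule: str
    evidence: str


# (category, rule id, regex).  Line-oriented on purpose: cheap and explainable.
RULES = [
    # SQL passed to execute() built with an f-string, %-formatting, .format() or +
    ("A03", "sql-string-build",
     re.compile(r"\.execute\(\s*(f[\"']|[\"'].*%\s*\(|[\"'].*[\"']\s*(\+|\.format\())")),
    # command execution through the shell
    ("A03", "shell-true", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
    # AWS access key id: fixed prefix, fixed length
    ("A02", "aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # password/secret/token/api key assigned a non-trivial string literal
    ("A02", "hardcoded-credential",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*[\"'][^\"']{4,}[\"']")),
    # requests/urllib3-style TLS verification switched off
    ("A02", "tls-verify-disabled", re.compile(r"verify\s*=\s*False")),
]

# Values that are templates, not leaked secrets.
PLACEHOLDERS = re.compile(r"(?i)(changeme|example|placeholder|<[^>]+>|\$\{|os\.environ)")


def scan_source(text):
    """Return one Finding per (line, rule) hit; comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for category, rule, pattern in RULES:
            if not pattern.search(line):
                continue
            if rule == "hardcoded-credential" and PLACEHOLDERS.search(line):
                continue  # template value, not a leak
            findings.append(Finding(lineno, category, rule, stripped))
    return findings


def summarize(findings):
    """Group findings by OWASP category, as the report's findings section does."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.category, []).append(f)
    return grouped


# Constructed sample, deliberately insecure, standing in for a gateway handler.
# The AWS key is the documented example key, not a real credential.
SAMPLE = '''
import subprocess, requests
DB_PASSWORD = "s3cr3t-prod-pw"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = "<insert token here>"
# password = "commented out, ignored"

def lookup(cur, user_id):
    cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
    cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))   # parameterized: fine

def ping(host):
    subprocess.run("ping -c1 " + host, shell=True)

def fetch(url):
    return requests.get(url, verify=False)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"{f.category} {f.rule:22} L{f.line}: {f.evidence}")
```

The parameterized `execute("... %s", (user_id,))` call on the line after the f-string query is the important negative case: the rule only fires when the format operator or concatenation is applied to the query string itself, so correct code is not flagged.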
Severity bands follow the CVSS v3.1 qualitative rating scale; the SLA is the maximum time to remediation for that band:

```yaml
severity_levels:
  critical:
    cvss_range: [9.0, 10.0]
    description: Immediate remediation required
    sla: 24 hours
  high:
    cvss_range: [7.0, 8.9]
    description: Remediation within sprint
    sla: 7 days
  medium:
    cvss_range: [4.0, 6.9]
    description: Plan remediation
    sla: 30 days
  low:
    cvss_range: [0.1, 3.9]
    description: Address as time permits
    sla: 90 days
  informational:
    cvss_range: [0.0, 0.0]
    description: Awareness only
    sla: none
```
```markdown
# Security Assessment Report

**Date**: 2025-12-08
**Scope**: Full System Assessment
**Assessors**: security-architect, security-auditor, security-gatekeeper

## Executive Summary

| Severity | Count |
|----------|-------|
| Critical | 0 |
| High | 2 |
| Medium | 5 |
| Low | 8 |
| Informational | 3 |

**Overall Risk Level**: MEDIUM
**Recommendation**: Address high-severity findings before production deployment

## Threat Model Summary

### Trust Boundaries
1. External → API Gateway
2. API Gateway → Internal Services
3. Services → Database

### STRIDE Analysis
| Component | S | T | R | I | D | E | Total |
|-----------|---|---|---|---|---|---|-------|
| API Gateway | 2 | 1 | 0 | 1 | 1 | 1 | 6 |
| Auth Service | 3 | 1 | 1 | 2 | 0 | 2 | 9 |
| Data Service | 1 | 2 | 1 | 3 | 1 | 1 | 9 |

## Findings

### HIGH-001: Insufficient Input Validation
- **Severity**: High (CVSS 7.5)
- **Component**: API Gateway
- **Category**: A03 Injection
- **Description**: User input is interpolated into a database query without parameterization
- **Impact**: SQL injection possible, data exfiltration risk
- **Remediation**: Use parameterized queries (prepared statements) for all database access; add input validation as defense in depth, not as the primary control
- **Status**: Open

### HIGH-002: Missing Rate Limiting
- **Severity**: High (CVSS 7.2)
- **Component**: API Gateway
- **Category**: A07 Identification and Authentication Failures
- **Description**: No rate limiting on authentication endpoints
- **Impact**: Brute force attacks, credential stuffing
- **Remediation**: Rate-limit authentication endpoints per account and per source; prefer progressive delays or step-up challenges over hard lockout, which an attacker can abuse to lock legitimate users out
- **Status**: Open

### MEDIUM-001: Verbose Error Messages
...

## Control Assessment

| Control | Requirement | Status | Gap |
|---------|-------------|--------|-----|
| Authentication | MFA for privileged users | ✅ Implemented | None |
| Authorization | RBAC with least privilege | ⚠️ Partial | Admin role too broad |
| Encryption | TLS 1.2+ for transit | ✅ Implemented | None |
| Encryption | AES-256 at rest | ⚠️ Partial | Logs not encrypted |
| Logging | Security event logging | ✅ Implemented | None |
| Monitoring | Real-time alerting | ❌ Missing | Not configured |

## Compliance Status

| Framework | Status | Gaps |
|-----------|--------|------|
| OWASP Top 10 | 6/10 categories without findings | A03, A05, A07, A09 |
| SOC 2 | Partial | Monitoring, encryption |
| GDPR | Compliant | None identified |

## Remediation Roadmap

### Immediate (24-48 hours)
- [ ] Fix SQL injection vulnerability (HIGH-001)
- [ ] Implement rate limiting (HIGH-002)

### Short-term (1-2 weeks)
- [ ] Reduce admin role permissions
- [ ] Encrypt log storage
- [ ] Configure monitoring alerts

### Medium-term (1 month)
- [ ] Address medium-severity findings
- [ ] Complete SOC 2 gap remediation

## Next Assessment
Recommended: 30 days or after major changes
```
```
User: "Run security review"

Skill orchestrates:
1. Load current architecture
2. Run STRIDE analysis
3. Scan for OWASP patterns
4. Validate controls
5. Generate report

Output:
"Security Assessment Complete
Findings: 0 Critical, 2 High, 5 Medium, 8 Low
Risk Level: MEDIUM
Blocking Issues:
- HIGH-001: SQL injection risk
- HIGH-002: Missing rate limiting
Report: .aiwg/security/assessment-20251208.md"
```

```
User: "Threat model the authentication service"

Skill focuses on:
- Auth service components only
- STRIDE for auth flows
- Auth-specific vulnerabilities
- Control validation for auth

Output: Targeted threat model and findings
```

```
User: "Validate security controls"

Skill runs:
- Control mapping
- Implementation verification
- Gap analysis

Output: Control assessment summary
```
This skill uses:

- `parallel-dispatch`: Launch security agents concurrently
- `project-awareness`: Get architecture and component info
- `artifact-metadata`: Track assessment artifacts

```yaml
agents:
  threat_modeling:
    agent: security-architect
    focus: STRIDE analysis, attack vectors, trust boundaries
  vulnerability_scanning:
    agent: security-auditor
    focus: OWASP patterns, secrets, dependencies, configuration
  control_validation:
    agent: security-gatekeeper
    focus: Control mapping, implementation, effectiveness
  privacy_assessment:
    agent: privacy-officer
    focus: PII handling, consent, retention, transfers
    condition: has_pii == true
```

Output artifacts:

- `.aiwg/security/assessment-{date}.md`
- `.aiwg/security/threat-model.md`
- `.aiwg/security/control-matrix.md`
- `.aiwg/security/findings/`