security-analysis
Security assessment using STRIDE threat modeling, OWASP Top 10, and CVSS scoring. Use for security reviews, threat modeling, and secure coding guidance.
Install
npx skillscat add kimasplund/clawdbot-skills-pack/security-analysis Install via the SkillsCat registry.
SKILL.md
Security Analysis
Comprehensive security assessment framework.
Frameworks Included
STRIDE Threat Modeling
Categorize threats by type:
| Threat | Description | Example |
|---|---|---|
| Spoofing | Impersonating something/someone | Fake login page |
| Tampering | Modifying data/code | SQL injection |
| Repudiation | Denying actions | Missing audit logs |
| Information Disclosure | Exposing data | Error message leaks |
| Denial of Service | Disrupting availability | Resource exhaustion |
| Elevation of Privilege | Gaining unauthorized access | Broken access control |
OWASP Top 10 (2021)
Check for common vulnerabilities:
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable Components
- A07: Auth Failures
- A08: Integrity Failures
- A09: Logging Failures
- A10: SSRF
CVSS Scoring
Rate vulnerability severity:
| Score | Severity | Action |
|---|---|---|
| 9.0-10.0 | Critical | Fix immediately |
| 7.0-8.9 | High | Fix within days |
| 4.0-6.9 | Medium | Fix within weeks |
| 0.1-3.9 | Low | Fix when convenient |
Security Review Process
Phase 1: Attack Surface Mapping
Identify all entry points:
- API endpoints
- User inputs
- File uploads
- External integrations
- Authentication flows
Phase 2: STRIDE Analysis
For each entry point, check all STRIDE categories.
Phase 3: OWASP Checklist
Verify protection against Top 10.
Phase 4: Risk Scoring
Apply CVSS to findings.
Phase 5: Remediation Plan
Prioritize fixes by severity.
Output Template
## Security Analysis: [Component/Feature]
### Attack Surface
| Entry Point | Type | Trust Level |
|-------------|------|-------------|
| [endpoint] | API | Untrusted |
| [input] | User | Untrusted |
### STRIDE Assessment
#### Spoofing
- Risk: [description]
- Mitigation: [control]
- Status: [Mitigated/Open]
#### Tampering
...
### OWASP Top 10 Check
| Category | Status | Notes |
|----------|--------|-------|
| A01 Broken Access Control | ✓/✗ | |
| A02 Crypto Failures | ✓/✗ | |
| A03 Injection | ✓/✗ | |
...
### Vulnerabilities Found
| ID | Description | CVSS | Severity |
|----|-------------|------|----------|
| V1 | [description] | X.X | High |
| V2 | [description] | X.X | Medium |
### Remediation Plan
1. **[V1]**: [fix] - Priority: Immediate
2. **[V2]**: [fix] - Priority: This sprint
### Security Posture
**Overall Risk: [Low/Medium/High/Critical]**Quick Security Checklist
For rapid review:
- Input validation on all user data
- Output encoding to prevent XSS
- Parameterized queries (no SQL concatenation)
- Authentication on sensitive endpoints
- Authorization checks (not just auth)
- HTTPS everywhere
- Secrets not in code
- Error messages don't leak info
- Logging without sensitive data
- Dependencies updated
Secure Coding Patterns
Input Validation
# Always validate and sanitize
def process_input(user_input):
if not isinstance(user_input, str):
raise ValueError("Invalid input type")
if len(user_input) > MAX_LENGTH:
raise ValueError("Input too long")
sanitized = escape_html(user_input)
return sanitizedSQL Injection Prevention
# NEVER concatenate
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}") # BAD
# ALWAYS parameterize
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,)) # GOODCategories
Install
npx skillscat add kimasplund/clawdbot-skills-pack/security-analysis Install via the SkillsCat registry.