# Send Senior Security to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "senior-security", "name": "Senior Security", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/alirezarezvani/senior-security", "canonicalUrl": "https://clawhub.ai/alirezarezvani/senior-security", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/senior-security", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=senior-security", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "SKILL.md", "references/cryptography-implementation.md", "references/security-architecture-patterns.md", "references/threat-modeling-guide.md", "scripts/secret_scanner.py", "scripts/threat_modeler.py" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "senior-security", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-08T16:43:15.513Z", "expiresAt": "2026-05-15T16:43:15.513Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=senior-security", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=senior-security", "contentDisposition": "attachment; filename=\"senior-security-2.1.1.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "senior-security" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/senior-security" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/senior-security", "downloadUrl": "https://openagent3.xyz/downloads/senior-security", "agentUrl": "https://openagent3.xyz/skills/senior-security/agent", "manifestUrl": "https://openagent3.xyz/skills/senior-security/agent.json", "briefUrl": "https://openagent3.xyz/skills/senior-security/agent.md" } } ``` ## Documentation ### Senior Security Engineer Security engineering tools for threat modeling, vulnerability analysis, secure architecture design, and penetration testing. ### Table of Contents Threat Modeling Workflow Security Architecture Workflow Vulnerability Assessment Workflow Secure Code Review Workflow Incident Response Workflow Security Tools Reference Tools and References ### Threat Modeling Workflow Identify and analyze security threats using STRIDE methodology. ### Workflow: Conduct Threat Model Define system scope and boundaries: Identify assets to protect Map trust boundaries Document data flows Create data flow diagram: External entities (users, services) Processes (application components) Data stores (databases, caches) Data flows (APIs, network connections) Apply STRIDE to each DFD element (see STRIDE per Element Matrix below) Score risks using DREAD: Damage potential (1-10) Reproducibility (1-10) Exploitability (1-10) Affected users (1-10) Discoverability (1-10) Prioritize threats by risk score Define mitigations for each threat Document in threat model report Validation: All DFD elements analyzed; STRIDE applied; threats scored; mitigations mapped ### STRIDE Threat Categories CategorySecurity PropertyMitigation FocusSpoofingAuthenticationMFA, certificates, strong authTamperingIntegritySigning, checksums, validationRepudiationNon-repudiationAudit logs, digital signaturesInformation DisclosureConfidentialityEncryption, access controlsDenial of ServiceAvailabilityRate limiting, redundancyElevation of PrivilegeAuthorizationRBAC, least privilege ### STRIDE per Element Matrix DFD ElementSTRIDEExternal EntityXXProcessXXXXXXData StoreXXXXData FlowXXX See: references/threat-modeling-guide.md ### Security Architecture Workflow Design secure systems using defense-in-depth principles. ### Workflow: Design Secure Architecture Define security requirements: Compliance requirements (GDPR, HIPAA, PCI-DSS) Data classification (public, internal, confidential, restricted) Threat model inputs Apply defense-in-depth layers: Perimeter: WAF, DDoS protection, rate limiting Network: Segmentation, IDS/IPS, mTLS Host: Patching, EDR, hardening Application: Input validation, authentication, secure coding Data: Encryption at rest and in transit Implement Zero Trust principles: Verify explicitly (every request) Least privilege access (JIT/JEA) Assume breach (segment, monitor) Configure authentication and authorization: Identity provider selection MFA requirements RBAC/ABAC model Design encryption strategy: Key management approach Algorithm selection Certificate lifecycle Plan security monitoring: Log aggregation SIEM integration Alerting rules Document architecture decisions Validation: Defense-in-depth layers defined; Zero Trust applied; encryption strategy documented; monitoring planned ### Defense-in-Depth Layers Layer 1: PERIMETER WAF, DDoS mitigation, DNS filtering, rate limiting Layer 2: NETWORK Segmentation, IDS/IPS, network monitoring, VPN, mTLS Layer 3: HOST Endpoint protection, OS hardening, patching, logging Layer 4: APPLICATION Input validation, authentication, secure coding, SAST Layer 5: DATA Encryption at rest/transit, access controls, DLP, backup ### Authentication Pattern Selection Use CaseRecommended PatternWeb applicationOAuth 2.0 + PKCE with OIDCAPI authenticationJWT with short expiration + refresh tokensService-to-servicemTLS with certificate rotationCLI/AutomationAPI keys with IP allowlistingHigh securityFIDO2/WebAuthn hardware keys See: references/security-architecture-patterns.md ### Vulnerability Assessment Workflow Identify and remediate security vulnerabilities in applications. ### Workflow: Conduct Vulnerability Assessment Define assessment scope: In-scope systems and applications Testing methodology (black box, gray box, white box) Rules of engagement Gather information: Technology stack inventory Architecture documentation Previous vulnerability reports Perform automated scanning: SAST (static analysis) DAST (dynamic analysis) Dependency scanning Secret detection Conduct manual testing: Business logic flaws Authentication bypass Authorization issues Injection vulnerabilities Classify findings by severity: Critical: Immediate exploitation risk High: Significant impact, easier to exploit Medium: Moderate impact or difficulty Low: Minor impact Develop remediation plan: Prioritize by risk Assign owners Set deadlines Verify fixes and document Validation: Scope defined; automated and manual testing complete; findings classified; remediation tracked For OWASP Top 10 vulnerability descriptions and testing guidance, refer to owasp.org/Top10. ### Vulnerability Severity Matrix Impact \\ ExploitabilityEasyModerateDifficultCriticalCriticalCriticalHighHighCriticalHighMediumMediumHighMediumLowLowMediumLowLow ### Secure Code Review Workflow Review code for security vulnerabilities before deployment. ### Workflow: Conduct Security Code Review Establish review scope: Changed files and functions Security-sensitive areas (auth, crypto, input handling) Third-party integrations Run automated analysis: SAST tools (Semgrep, CodeQL, Bandit) Secret scanning Dependency vulnerability check Review authentication code: Password handling (hashing, storage) Session management Token validation Review authorization code: Access control checks RBAC implementation Privilege boundaries Review data handling: Input validation Output encoding SQL query construction File path handling Review cryptographic code: Algorithm selection Key management Random number generation Document findings with severity Validation: Automated scans passed; auth/authz reviewed; data handling checked; crypto verified; findings documented ### Security Code Review Checklist CategoryCheckRiskInput ValidationAll user input validated and sanitizedInjectionOutput EncodingContext-appropriate encoding appliedXSSAuthenticationPasswords hashed with Argon2/bcryptCredential theftSessionSecure cookie flags set (HttpOnly, Secure, SameSite)Session hijackingAuthorizationServer-side permission checks on all endpointsPrivilege escalationSQLParameterized queries used exclusivelySQL injectionFile AccessPath traversal sequences rejectedPath traversalSecretsNo hardcoded credentials or keysInformation disclosureDependenciesKnown vulnerable packages updatedSupply chainLoggingSensitive data not loggedInformation disclosure ### Secure vs Insecure Patterns PatternIssueSecure AlternativeSQL string formattingSQL injectionUse parameterized queries with placeholdersShell command buildingCommand injectionUse subprocess with argument lists, no shellPath concatenationPath traversalValidate and canonicalize pathsMD5/SHA1 for passwordsWeak hashingUse Argon2id or bcryptMath.random for tokensPredictable valuesUse crypto.getRandomValues ### Inline Code Examples SQL Injection — insecure vs. secure (Python): # ❌ Insecure: string formatting allows SQL injection query = f"SELECT * FROM users WHERE username = '{username}'" cursor.execute(query) # ✅ Secure: parameterized query — user input never interpreted as SQL query = "SELECT * FROM users WHERE username = %s" cursor.execute(query, (username,)) Password Hashing with Argon2id (Python): from argon2 import PasswordHasher ph = PasswordHasher() # uses secure defaults (time_cost, memory_cost) # On registration hashed = ph.hash(plain_password) # On login — raises argon2.exceptions.VerifyMismatchError on failure ph.verify(hashed, plain_password) Secret Scanning — core pattern matching (Python): import re, pathlib SECRET_PATTERNS = { "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"), "github_token": re.compile(r"ghp_[A-Za-z0-9]{36}"), "private_key": re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"), "generic_secret": re.compile(r'(?i)(password|secret|api_key)\\s*=\\s*["\\']?\\S{8,}'), } def scan_file(path: pathlib.Path) -> list[dict]: findings = [] for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1): for name, pattern in SECRET_PATTERNS.items(): if pattern.search(line): findings.append({"file": str(path), "line": lineno, "type": name}) return findings ### Incident Response Workflow Respond to and contain security incidents. ### Workflow: Handle Security Incident Identify and triage: Validate incident is genuine Assess initial scope and severity Activate incident response team Contain the threat: Isolate affected systems Block malicious IPs/accounts Disable compromised credentials Eradicate root cause: Remove malware/backdoors Patch vulnerabilities Update configurations Recover operations: Restore from clean backups Verify system integrity Monitor for recurrence Conduct post-mortem: Timeline reconstruction Root cause analysis Lessons learned Implement improvements: Update detection rules Enhance controls Update runbooks Document and report Validation: Threat contained; root cause eliminated; systems recovered; post-mortem complete; improvements implemented ### Incident Severity Levels LevelResponse TimeEscalationP1 - Critical (active breach/exfiltration)ImmediateCISO, Legal, ExecutiveP2 - High (confirmed, contained)1 hourSecurity Lead, IT DirectorP3 - Medium (potential, under investigation)4 hoursSecurity TeamP4 - Low (suspicious, low impact)24 hoursOn-call engineer ### Incident Response Checklist PhaseActionsIdentificationValidate alert, assess scope, determine severityContainmentIsolate systems, preserve evidence, block accessEradicationRemove threat, patch vulnerabilities, reset credentialsRecoveryRestore services, verify integrity, increase monitoringLessons LearnedDocument timeline, identify gaps, update procedures ### Recommended Security Tools CategoryToolsSASTSemgrep, CodeQL, Bandit (Python), ESLint security pluginsDASTOWASP ZAP, Burp Suite, NiktoDependency ScanningSnyk, Dependabot, npm audit, pip-auditSecret DetectionGitLeaks, TruffleHog, detect-secretsContainer SecurityTrivy, Clair, AnchoreInfrastructureCheckov, tfsec, ScoutSuiteNetworkWireshark, Nmap, MasscanPenetrationMetasploit, sqlmap, Burp Suite Pro ### Cryptographic Algorithm Selection Use CaseAlgorithmKey SizeSymmetric encryptionAES-256-GCM256 bitsPassword hashingArgon2idN/A (use defaults)Message authenticationHMAC-SHA256256 bitsDigital signaturesEd25519256 bitsKey exchangeX25519256 bitsTLSTLS 1.3N/A See: references/cryptography-implementation.md ### Scripts ScriptPurposethreat_modeler.pySTRIDE threat analysis with DREAD risk scoring; JSON and text output; interactive guided modesecret_scanner.pyDetect hardcoded secrets and credentials across 20+ patterns; CI/CD integration ready For usage, see the inline code examples in Secure Code Review Workflow and the script source files directly. ### References DocumentContentsecurity-architecture-patterns.mdZero Trust, defense-in-depth, authentication patterns, API securitythreat-modeling-guide.mdSTRIDE methodology, attack trees, DREAD scoring, DFD creationcryptography-implementation.mdAES-GCM, RSA, Ed25519, password hashing, key management ### Security Headers Checklist HeaderRecommended ValueContent-Security-Policydefault-src self; script-src selfX-Frame-OptionsDENYX-Content-Type-OptionsnosniffStrict-Transport-Securitymax-age=31536000; includeSubDomainsReferrer-Policystrict-origin-when-cross-originPermissions-Policygeolocation=(), microphone=(), camera=() For compliance framework requirements (OWASP ASVS, CIS Benchmarks, NIST CSF, PCI-DSS, HIPAA, SOC 2), refer to the respective official documentation. ### Related Skills SkillIntegration Pointsenior-devopsCI/CD security, infrastructure hardeningsenior-secopsSecurity monitoring, incident responsesenior-backendSecure API developmentsenior-architectSecurity architecture decisions ## Trust - Source: tencent - Verification: Indexed source record - Publisher: alirezarezvani - Version: 2.1.1 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-05-08T16:43:15.513Z - Expires at: 2026-05-15T16:43:15.513Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/senior-security) - [Send to Agent page](https://openagent3.xyz/skills/senior-security/agent) - [JSON manifest](https://openagent3.xyz/skills/senior-security/agent.json) - [Markdown brief](https://openagent3.xyz/skills/senior-security/agent.md) - [Download page](https://openagent3.xyz/downloads/senior-security)