security-ask-questions-if-underspecified
Ask Questions When Underspecified
When to Use
- A security review request lacks context about the threat model
- The scope of an audit or assessment is ambiguous
- Assumptions about trust boundaries need validation
- The deployment environment or architecture is unclear
- Risk tolerance or compliance requirements are not stated
When NOT to Use
- Context is already sufficient to proceed with analysis
- The task is purely mechanical (run a scan, parse output)
- Questions would block urgent incident response
Key Questions to Ask
Before Any Security Review
- What is the threat model? Who are the adversaries?
- What are the trust boundaries? What input is untrusted?
- What is the deployment environment (cloud, on-prem, edge)?
- What compliance requirements apply (PCI, HIPAA, SOC2)?
- What is the risk tolerance? (startup MVP vs. banking app)
Before Code Audit
- What changed recently? What is the scope of review?
- Are there known vulnerabilities or areas of concern?
- What authentication/authorization model is used?
- What sensitive data does the application handle?
- Has there been a previous audit? What was found?
Before Architecture Review
- What are the data flow paths for sensitive information?
- Where are secrets stored and how are they rotated?
- What is the blast radius if a single component is compromised?
- What monitoring and alerting is in place?
Why This Matters
Security analysis with wrong assumptions is worse than no analysis — it creates false confidence. A SQL injection review is useless if the real risk is an exposed admin panel. Asking the right questions up front ensures effort is directed at actual risks.
Anti-Patterns to Avoid
| Anti-Pattern | Problem |
|---|---|
| Assuming scope | Missing critical attack surface |
| Skipping threat model | Defending against wrong adversary |
| Not asking about data sensitivity | Misjudging impact severity |
| Assuming deployment environment | Missing environment-specific risks |
| Not clarifying "secure enough" | Over- or under-engineering defenses |
More from elizaos/eliza
nano-pdf
Edits PDF files using natural-language instructions via the nano-pdf CLI. Supports modifying text, changing titles, fixing typos, and updating content on specific pages. Use when the user wants to edit a PDF, modify PDF content, update PDF text, fix a typo in a PDF, change a PDF title, or rewrite part of a PDF page.
30wacli
Send WhatsApp messages to other people or search/sync WhatsApp history via the wacli CLI (not for normal user chats). Use when the user asks to send a WhatsApp message, text someone on WhatsApp, search WhatsApp chat history, sync WhatsApp conversations, backfill message history, or forward a file via WhatsApp to a third party.
27nano-banana-pro
Generate or edit images via Gemini 3 Pro Image (Nano Banana Pro). Use when the user asks to create an image, generate a picture, produce AI-generated artwork, edit a photo, compose multiple images, or upscale an image to higher resolution. Supports text-to-image generation, single-image editing, and multi-image composition using the Gemini API.
27session-logs
Search and analyze session logs (older/parent conversations) stored as JSONL files using jq and rg. Use when the user asks about prior chats, previous conversations, conversation history, what was said before, session costs, token usage, or tool usage breakdown across past sessions.
24discord
Use when you need to control Discord from Otto via the discord tool: send messages, react, post or upload stickers, upload emojis, run polls, manage threads/pins/search, create/edit/delete channels and categories, fetch permissions or member/role/channel info, set bot presence/activity, or handle moderation actions in Discord DMs or channels.
241password
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
22