Skills
skills/oimiragieo/agent-studio/security-architect

security-architect

SKILL.md

Security Architect Skill

Step 1: Threat Modeling (STRIDE)

Analyze threats using STRIDE:

Threat Description Example
Spoofing Impersonating users/systems Stolen credentials
Tampering Modifying data SQL injection
Repudiation Denying actions Missing audit logs
Information Disclosure Data leaks Exposed secrets
Denial of Service Blocking access Resource exhaustion
Elevation of Privilege Gaining unauthorized access Broken access control

For AI/agentic systems, extend STRIDE with:

  • Goal Hijacking (Spoofing + Tampering): Adversarial prompts redirect agent objectives
  • Memory Poisoning (Tampering + Information Disclosure): Persistent context corruption
  • Tool Misuse (Elevation of Privilege): Legitimate tools abused beyond intended scope

Step 2: OWASP Top 10 2025 Analysis

IMPORTANT: The OWASP Top 10 was updated in 2025 with two new categories and significant ranking shifts. Use this updated list, not the 2021 version.

Rank ID Vulnerability Key Change from 2021
1 A01 Broken Access Control Stable at #1; SSRF consolidated here
2 A02 Security Misconfiguration Up from #5
3 A03 Software Supply Chain Failures NEW — replaces Vulnerable Components
4 A04 Cryptographic Failures Down from #2
5 A05 Injection Down from #3
6 A06 Insecure Design Down from #4
7 A07 Authentication Failures Stable (renamed)
8 A08 Software or Data Integrity Failures Stable
9 A09 Security Logging and Alerting Failures Stable
10 A10 Mishandling of Exceptional Conditions NEW

Check for each vulnerability:

  1. A01: Broken Access Control (includes SSRF from 2021)

    • Verify authorization on every endpoint; deny by default
    • Check for IDOR (Insecure Direct Object Reference) vulnerabilities
    • Validate/sanitize all URLs; use allowlists for outbound requests (absorbed SSRF)
    • Enforce CORS policies; restrict cross-origin requests

  2. A02: Security Misconfiguration (up from #5 — now #2, affects ~3% of tested apps)

    • Harden defaults; disable unnecessary features, ports, services
    • Remove sample/default credentials and example content
    • Ensure consistent security settings across all environments (dev/staging/prod)
    • Review cloud storage ACLs, IAM policies, and network security groups

  3. A03: Software Supply Chain Failures (NEW — highest avg exploit/impact scores)

    • Maintain an SBOM (Software Bill of Materials) for all dependencies
    • Enforce lockfiles (package-lock.json, yarn.lock, poetry.lock) and verify integrity
    • Use private registry scoping to prevent dependency confusion attacks
    • Audit postinstall scripts; disable or allowlist explicitly
    • Pin dependencies to exact versions and verify hashes/signatures
    • Monitor CVE databases and security advisories (Dependabot, Snyk, Socket.dev)
    • Harden CI/CD pipelines; enforce separation of duty (no single actor: write → deploy)
    • Block exotic transitive dependencies (git URLs, direct tarballs) in production

  4. A04: Cryptographic Failures (down from #2)

    • Use strong algorithms: AES-256-GCM, SHA-256+, bcrypt/scrypt/Argon2 for passwords
    • Never store plaintext passwords; enforce TLS 1.2+ everywhere
    • Rotate secrets and keys; use envelope encryption for data at rest

  5. A05: Injection (down from #3)

    • Parameterize all queries (SQL, NoSQL, LDAP, OS commands)
    • Validate and sanitize all inputs; apply output encoding for XSS prevention

  6. A06: Insecure Design (down from #4)

    • Threat model early in SDLC; use secure design patterns
    • Apply principle of least privilege at design time

  7. A07: Authentication Failures

    • Implement MFA; prefer phishing-resistant methods (WebAuthn/Passkeys)
    • Use OAuth 2.1 (mandatory PKCE, remove implicit/ROPC grants)
    • Enforce secure session management; invalidate sessions on logout

  8. A08: Software or Data Integrity Failures

    • Verify dependencies with SRI hashes and cryptographic signatures
    • Protect CI/CD pipelines; require signed commits and artifacts

  9. A09: Security Logging and Alerting Failures

    • Log all security events (auth failures, access control violations, input validation failures)
    • Protect log integrity; never log secrets or PII
    • Alert on anomalous patterns

  10. A10: Mishandling of Exceptional Conditions (NEW)

    • Ensure errors fail securely — never "fail open" (default to deny on error)
    • Validate logic for edge cases: timeouts, partial responses, unexpected nulls
    • Return generic error messages to clients; log detailed context server-side
    • Test error handling paths explicitly (chaos/fault injection testing)

Step 3: OWASP Agentic AI Top 10 (ASI01-ASI10) — For AI/Agent Systems

When the codebase involves AI agents, LLMs, or autonomous systems, perform this additional assessment. Released December 2025 by OWASP GenAI Security Project.

ASI Risk Core Attack Vector
ASI01 Agent Goal Hijack Prompt injection redirects agent objectives
ASI02 Tool Misuse Legitimate tools abused beyond intended scope
ASI03 Identity & Privilege Abuse Credential inheritance/delegation without scoping
ASI04 Supply Chain Vulnerabilities Malicious tools, MCP servers, agent registries
ASI05 Unexpected Code Execution Agent-generated code bypasses security controls
ASI06 Memory & Context Poisoning Persistent corruption of agent memory/embeddings
ASI07 Insecure Inter-Agent Communication Weak agent-to-agent protocol validation
ASI08 Cascading Failures Error propagation across chained agents
ASI09 Human-Agent Trust Exploitation Agents manipulate users into unsafe approvals
ASI10 Rogue Agents Agents act outside authorized scope

ASI01 — Agent Goal Hijack: Attackers manipulate planning logic via prompt injection in user input, RAG documents, emails, or calendar invites.

  • Mitigations: Validate all inputs against expected task scope; enforce task boundary checks in routing layer; use system prompts that resist goal redirection; log unexpected task deviations for review.

ASI02 — Tool Misuse: Agents use tools beyond intended scope (e.g., file deletion when only file read was authorized).

  • Mitigations: Whitelist/blacklist tools per agent role; validate tool parameters before execution; enforce principle of least privilege for tool access; monitor tool usage patterns for anomalies.

ASI03 — Identity & Privilege Abuse: Agents inherit or delegate credentials without proper scoping, creating attribution gaps.

  • Mitigations: Assign each agent a distinct, scoped identity; never reuse human credentials for agents; audit all credential delegation chains; enforce short-lived tokens for agent actions.

ASI04 — Supply Chain Vulnerabilities (Agentic): Malicious MCP servers, agent cards, plugin registries, or tool packages poison the agent ecosystem.

  • Mitigations: Verify integrity of all tool/plugin sources; use registry allowlists; audit MCP server provenance; apply same supply chain controls as A03 to agent tooling.

ASI05 — Unexpected Code Execution: Agent-generated or "vibe-coded" code executes without traditional security controls (sandboxing, review).

  • Mitigations: Sandbox code execution environments; review agent-generated code before execution in production; apply static analysis to generated code; never execute code from memory/context without validation.

ASI06 — Memory & Context Poisoning: Attackers embed malicious instructions in documents, web pages, or RAG corpora that persist in agent memory and influence future actions.

  • Mitigations: Sanitize all data written to memory (learnings, vector stores, embeddings); validate memory entries before use; never execute commands sourced from memory without explicit approval; implement memory rotation and auditing (see ADR-102).

ASI07 — Insecure Inter-Agent Communication: Agent-to-agent messages lack authentication, integrity checks, or semantic validation, enabling injection attacks between agents.

  • Mitigations: Authenticate all agent-to-agent messages; validate message schemas; use signed inter-agent payloads; apply semantic validation (not just structural) to delegated instructions.

ASI08 — Cascading Failures: Errors or attacks in one agent propagate uncontrolled through multi-agent pipelines.

  • Mitigations: Define error boundaries between agents; implement circuit breakers; require human-in-the-loop checkpoints for high-impact actions; never auto-retry destructive operations on failure.

ASI09 — Human-Agent Trust Exploitation: Agents present misleading information to manipulate users into approving unsafe actions.

  • Mitigations: Display agent reasoning and provenance transparently; require explicit human confirmation for irreversible actions; detect urgency/fear manipulation patterns; maintain audit trails of all user-agent interactions.

ASI10 — Rogue Agents: Agents operate outside authorized scope, take unsanctioned actions, or resist human override.

  • Mitigations: Enforce hard authorization boundaries at the infrastructure level (not just prompt level); implement kill-switch mechanisms; log all agent actions with human-reviewable audit trail; test override/shutdown paths regularly.

Step 4: Supply Chain Security Review

Perform this check for all projects with external dependencies:

# Check for known vulnerabilities
npm audit --audit-level=high
# or
pnpm audit

# Verify lockfile integrity (ensure lockfile is committed and not bypassed)
# Check that package-lock.json / yarn.lock / pnpm-lock.yaml exists and is current

# Scan for malicious packages (behavioral analysis)
# Tools: Socket.dev, Snyk, Aikido, Safety (Python)

Dependency Confusion Defense:

  • Scope all internal packages under a private namespace (e.g., @company/package-name)
  • Configure registry resolution order to prefer private registry
  • Use publishConfig and registry scoping to prevent public registry fallback for private packages
  • Block exotic transitive dependencies (git URLs, direct tarball URLs)

Typosquatting Defense:

  • Audit all npm install / pip install commands for misspellings
  • Use allowlists for permitted packages in automated environments
  • Delay new dependency version installs by 24+ hours (minimumReleaseAge) to allow malware detection

CI/CD Pipeline Hardening:

  • Enforce separation of duty: no single actor writes code AND promotes to production
  • Sign all build artifacts and verify signatures before deployment
  • Pin action versions in GitHub Actions (use commit SHA, not floating tags)
  • Restrict pipeline secrets to minimum required scope

Step 5: Modern API Authentication Review

OAuth 2.1 (current standard — replaces OAuth 2.0 for new implementations):

OAuth 2.1 removes insecure grants:
  - Implicit grant (response_type=token) — REMOVED: tokens in URL fragments leak
  - Resource Owner Password Credentials (ROPC) — REMOVED: breaks delegated auth model

OAuth 2.1 mandates:
  - PKCE (Proof Key for Code Exchange) for ALL authorization code flows
  - Exact redirect URI matching (no wildcards)
  - Sender-constraining tokens (DPoP recommended)

DPoP — Demonstrating Proof of Possession (RFC 9449):

  • Binds access/refresh tokens cryptographically to the client's key pair
  • Prevents token replay attacks even if tokens are intercepted
  • Implement for all public clients (SPAs, mobile apps) where bearer token theft is a concern
// DPoP proof JWT structure (sent in DPoP header with each request)
// Header: { "typ": "dpop+jwt", "alg": "ES256", "jwk": { client_public_key } }
// Payload: { "jti": nonce, "htm": "POST", "htu": "https://api.example.com/token", "iat": timestamp }
// Signed with client private key — server verifies binding to issued token

Passkeys / WebAuthn (FIDO2) — for user-facing authentication:

  • Phishing-resistant: credentials are origin-bound and never transmitted
  • Replaces passwords and SMS OTP for high-security contexts
  • Major platforms (Windows, macOS, iOS, Android) support cross-device sync as of 2026
  • Implementation: use navigator.credentials.create() (registration) and navigator.credentials.get() (authentication)
  • Store only the public key and credential ID server-side (never the private key)
// WebAuthn registration (simplified)
const credential = await navigator.credentials.create({
  publicKey: {
    challenge: serverChallenge, // random bytes from server
    rp: { name: 'My App', id: 'myapp.example.com' },
    user: { id: userId, name: userEmail, displayName: userName },
    pubKeyCredParams: [{ alg: -7, type: 'public-key' }], // ES256
    authenticatorSelection: { residentKey: 'preferred', userVerification: 'required' },
  },
});
// Send credential.id and credential.response to server for verification

Step 6: Security Code Review

Look for common issues:

// BAD: SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD: Parameterized query
const query = `SELECT * FROM users WHERE id = $1`;
await db.query(query, [userId]);

// BAD: Hardcoded secrets
const apiKey = 'sk-abc123...';

// GOOD: Environment variables / secret manager
const apiKey = process.env.API_KEY;

// BAD: shell: true (shell injection vector)
const { exec } = require('child_process');
exec(`git commit -m "${userMessage}"`);

// GOOD: shell: false with array arguments
const { spawn } = require('child_process');
spawn('git', ['commit', '-m', userMessage], { shell: false });

// BAD: Fail open on error (dangerous for auth/authz)
try {
  const isAuthorized = await checkPermission(user, resource);
  if (isAuthorized) return next();
} catch (err) {
  return next(); // WRONG: allows access on error
}

// GOOD: Fail securely (deny on error — A10:2025)
try {
  const isAuthorized = await checkPermission(user, resource);
  if (!isAuthorized) return res.status(403).json({ error: 'Forbidden' });
  return next();
} catch (err) {
  logger.error('Permission check failed', { err, user, resource });
  return res.status(403).json({ error: 'Forbidden' }); // Default deny
}

Step 7: Authentication/Authorization Review

Verify:

  • Strong password requirements OR passkey/WebAuthn (preferred in 2026)
  • Secure session management (HTTPOnly, Secure, SameSite=Strict cookies)
  • JWT validation (signature, expiry, audience, issuer)
  • Role-based access control (RBAC) enforced server-side
  • API authentication: OAuth 2.1 + PKCE (not OAuth 2.0 implicit/ROPC)
  • DPoP sender-constraining for public clients handling sensitive data
  • Phishing-resistant MFA (WebAuthn preferred over SMS OTP)

Step 8: Generate Security Report

Create findings report:

## Security Assessment Report

### Critical Findings

1. SQL injection in /api/users endpoint
   - Risk: Data breach
   - Fix: Use parameterized queries

### High Findings

2. Missing rate limiting on login
   - Risk: Brute force attacks
   - Fix: Implement rate limiting

3. OAuth 2.0 implicit grant in use (deprecated)
   - Risk: Access token exposure in URL fragments / browser history
   - Fix: Migrate to Authorization Code + PKCE (OAuth 2.1)

### Medium Findings

4. No lockfile committed for npm dependencies
   - Risk: Supply chain attack via dependency resolution drift
   - Fix: Commit package-lock.json; add lockfile verification to CI

### Recommendations

- Enable HTTPS everywhere; enforce HSTS
- Implement CSP headers
- Add security logging for auth events
- Migrate to OAuth 2.1 (remove implicit/ROPC grants)
- Implement passkey/WebAuthn for phishing-resistant authentication
- Run `npm audit` / `pnpm audit` in CI with failure on high/critical

</execution_process>

<best_practices>

  1. Defense in Depth: Layer security controls; no single control is sufficient
  2. Least Privilege: Minimal permissions for users, services, and AI agents
  3. Fail Securely: Default to deny — especially on errors (A10:2025)
  4. Validate Everything: Never trust input from any source, including agent memory
  5. Keep Secrets Secret: Use secret managers; rotate regularly; never commit credentials
  6. Supply Chain Hygiene: Lock dependencies, verify integrity, monitor for compromise
  7. Human-in-the-Loop for Agents: Require explicit approval for irreversible agentic actions
  8. Modern Auth Standards: OAuth 2.1 + PKCE, DPoP, and Passkeys/WebAuthn over legacy flows

</best_practices> 

Review the authentication flow in src/auth/ for security issues

Example Response:

## Security Review: src/auth/

### Findings

#### CRITICAL: Weak Password Hashing

- File: src/auth/password.js:23
- Issue: Using MD5 for password hashing
- Fix: Use bcrypt with cost factor >= 12

#### HIGH: No Rate Limiting

- File: src/auth/login.js
- Issue: Login endpoint has no rate limiting
- Fix: Add rate limiting (5 attempts/minute)

#### HIGH: OAuth 2.0 Implicit Grant in Use

- File: src/auth/oauth.js:45
- Issue: Using response_type=token (implicit grant, deprecated in OAuth 2.1)
- Fix: Migrate to Authorization Code flow with PKCE

#### MEDIUM: Session Not Invalidated

- File: src/auth/logout.js
- Issue: Logout doesn't invalidate server-side session
- Fix: Clear session from store on logout

### Recommendations

1. Implement bcrypt for password hashing (cost factor >= 12)
2. Add rate limiting middleware (5 req/min on /login)
3. Migrate OAuth flows to Authorization Code + PKCE (OAuth 2.1)
4. Consider passkeys/WebAuthn for phishing-resistant authentication
5. Use secure session configuration (HTTPOnly, Secure, SameSite=Strict)

</usage_example>

<usage_example> AI Agent Security Review Request:

Review the LLM agent pipeline in src/agents/ for agentic AI security risks

Example Response:

## Agentic AI Security Review: src/agents/

### ASI01 — Agent Goal Hijack (HIGH)

- File: src/agents/email-processor.js
- Issue: User email content passed directly to agent system prompt without sanitization
- Fix: Sanitize email content; enforce task boundary validation in routing layer

### ASI06 — Memory & Context Poisoning (HIGH)

- File: src/agents/memory-store.js:78
- Issue: Web-fetched content written to persistent memory without validation
- Fix: Validate and sanitize all external content before writing to memory; never
  execute commands retrieved from memory without explicit human approval

### ASI02 — Tool Misuse (MEDIUM)

- File: src/agents/tools/file-tool.js
- Issue: Agent has both read and delete file permissions; delete scope too broad
- Fix: Split into read-only and write tools; apply least privilege per agent role

### ASI10 — Rogue Agent Risk (MEDIUM)

- Issue: No kill-switch or hard resource limits on agent execution
- Fix: Implement max-steps limit, timeout, and human override checkpoint for
  operations affecting production data

</usage_example>

Iron Laws

  1. NEVER approve production deployment for code handling auth, PII, or external data without a completed security review
  2. ALWAYS run both OWASP Top 10 2025 AND ASI01-ASI10 assessments for AI/agentic systems
  3. ALWAYS fail securely — design all error paths to deny by default, never allow
  4. NEVER trust any input without validation, including data from internal services
  5. ALWAYS prioritize findings by severity (CRITICAL > HIGH > MEDIUM > LOW) with specific remediation steps and code examples

Anti-Patterns

Anti-Pattern Why It Fails Correct Approach
Approving code without full security review Partial reviews miss exploitable paths in auth/PII/external data flows Complete all STRIDE + OWASP phases before approving production deployment
Using OWASP 2021 for AI/agentic systems AI-specific threats (ASI01-ASI10) are not covered by the standard web list Always run both OWASP Top 10 2025 and ASI01-ASI10 for any agentic component
Failing open on security errors Error paths become exploitable bypass conditions Design every failure mode to deny access by default
Providing vague remediation guidance Developers cannot act without specifics Provide exact code examples and parameterized fix patterns for every finding
Missing severity prioritization Critical findings are buried in noise with informational findings Triage all findings as CRITICAL > HIGH > MEDIUM > LOW before delivery

Related Skills

Related Workflow

For comprehensive security audits requiring multi-phase threat analysis, vulnerability scanning, and remediation planning, see the corresponding workflow:

  • Workflow File: .claude/workflows/security-architect-skill-workflow.md
  • When to Use: For structured security audits requiring OWASP Top 10 2025 analysis, dependency CVE checks, penetration testing, and remediation planning
  • Phases: 5 phases (Threat Modeling, Security Code Review, Dependency Audit, Penetration Testing, Remediation Planning)
  • Coverage: Full OWASP Top 10 2025, OWASP Agentic AI Top 10 (ASI01-ASI10), STRIDE threat modeling, CVE database checks, automated and manual penetration testing

Key Features:

  • Multi-agent orchestration (security-architect, code-reviewer, developer, devops)
  • Security gates for pre-release blocking
  • Severity classification (CRITICAL/HIGH/MEDIUM/LOW)
  • Automated ticket generation
  • Compliance-ready reporting (SOC2, GDPR, HIPAA)

See also: Feature Development Workflow for integrating security reviews into the development lifecycle.

Memory Protocol (MANDATORY)

Before starting:

cat .claude/context/memory/learnings.md

After completing:

  • New pattern -> .claude/context/memory/learnings.md
  • Issue found -> .claude/context/memory/issues.md
  • Decision made -> .claude/context/memory/decisions.md

ASSUME INTERRUPTION: Your context may reset. If it's not in memory, it didn't happen.

Weekly Installs
53
Repository
oimiragieo/agent-studio
GitHub Stars
16
First Seen
Jan 27, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
github-copilot52
gemini-cli51
opencode50
codex50
kimi-cli50
cursor50