Skills

security-posture-analyzer

Installation
SKILL.md
Contains Hooks

This skill uses Claude hooks which can execute code automatically in response to events. Review carefully before installing.

Security Posture Analyzer Skill

Purpose

Analyze the organization's security posture by examining security headers, Content Security Policy, HSTS configuration, security.txt file, and other security indicators.

Input

Raw signals from Phase 2:

  • http_signals - Security headers, CSP, HSTS
  • dns_signals - DMARC, SPF, DKIM records
  • html_signals - Meta tags for security policies
  • repository_signals - Security configurations

Security Categories

HTTP Security Headers

Header Purpose Strength Indicator
Strict-Transport-Security HTTPS enforcement max-age value, includeSubDomains
Content-Security-Policy XSS prevention Policy complexity
X-Frame-Options Clickjacking prevention DENY vs SAMEORIGIN
X-Content-Type-Options MIME sniffing prevention nosniff
X-XSS-Protection XSS filter (legacy) 1; mode=block
Referrer-Policy Referrer leakage control strict-origin-when-cross-origin
Permissions-Policy Feature restrictions Comprehensive vs minimal
Cross-Origin-Opener-Policy Cross-origin isolation same-origin
Cross-Origin-Embedder-Policy Embedding restrictions require-corp
Cross-Origin-Resource-Policy Resource sharing control same-origin

Content Security Policy Analysis

Directive Security Implication
default-src 'self' Restrictive baseline
script-src 'unsafe-inline' XSS vulnerability
script-src 'unsafe-eval' Code injection risk
upgrade-insecure-requests Mixed content handling
report-uri / report-to Active monitoring

Email Security (DNS)

Record Purpose
SPF (TXT) Email sender validation
DKIM Email signing
DMARC Email authentication policy
MTA-STS Email transport security

Security Discovery Files

File Purpose
/.well-known/security.txt Security contact info
/security.txt Security contact info
/.well-known/change-password Password change endpoint
/humans.txt Team information

Analysis Logic

def analyze_security_posture(signals):
    results = {
        "security_headers": [],
        "csp_analysis": None,
        "email_security": [],
        "security_files": [],
        "overall_score": 0,
        "technologies_detected": []
    }

    # Security Header Analysis
    for header in SECURITY_HEADERS:
        if header.name in signals.http_signals.headers:
            value = signals.http_signals.headers[header.name]
            score, analysis = analyze_header(header.name, value)
            results["security_headers"].append({
                "header": header.name,
                "value": value,
                "present": True,
                "score": score,
                "analysis": analysis
            })
            results["overall_score"] += score
        else:
            results["security_headers"].append({
                "header": header.name,
                "present": False,
                "recommendation": header.recommendation
            })

    # CSP Deep Analysis
    if 'Content-Security-Policy' in signals.http_signals.headers:
        csp = signals.http_signals.headers['Content-Security-Policy']
        results["csp_analysis"] = analyze_csp(csp)

        # Extract third-party domains from CSP
        third_parties = extract_csp_domains(csp)
        for domain in third_parties:
            results["technologies_detected"].append({
                "name": identify_service(domain),
                "source": "CSP allowed domain",
                "domain": domain
            })

    # Email Security Analysis
    for record_type in ['SPF', 'DMARC', 'DKIM']:
        for txt in signals.dns_signals.txt_records:
            if record_type.lower() in txt.lower() or is_record_type(txt, record_type):
                score, analysis = analyze_email_record(record_type, txt)
                results["email_security"].append({
                    "type": record_type,
                    "value": txt,
                    "score": score,
                    "analysis": analysis
                })

    # Security File Discovery
    security_files = [
        "/.well-known/security.txt",
        "/security.txt"
    ]
    for file_url in security_files:
        # Check if file exists in signals
        if file_exists_in_signals(signals, file_url):
            content = get_file_content(signals, file_url)
            results["security_files"].append({
                "path": file_url,
                "exists": True,
                "content_analysis": analyze_security_txt(content)
            })

    return results

CSP Analysis Function

def analyze_csp(csp_value):
    directives = parse_csp(csp_value)

    analysis = {
        "directives_count": len(directives),
        "security_level": "Unknown",
        "issues": [],
        "strengths": [],
        "third_party_domains": []
    }

    # Check for unsafe directives
    if "'unsafe-inline'" in csp_value:
        analysis["issues"].append({
            "severity": "High",
            "issue": "unsafe-inline allows inline scripts",
            "recommendation": "Use nonces or hashes instead"
        })

    if "'unsafe-eval'" in csp_value:
        analysis["issues"].append({
            "severity": "High",
            "issue": "unsafe-eval allows dynamic code execution",
            "recommendation": "Refactor to avoid eval()"
        })

    # Check for good practices
    if "upgrade-insecure-requests" in csp_value:
        analysis["strengths"].append("Upgrades HTTP to HTTPS")

    if "report-uri" in csp_value or "report-to" in csp_value:
        analysis["strengths"].append("CSP violation reporting enabled")

    if "default-src 'self'" in csp_value:
        analysis["strengths"].append("Restrictive default policy")

    # Extract allowed domains
    domains = re.findall(r'https?://([^\s;\'\"]+)', csp_value)
    analysis["third_party_domains"] = list(set(domains))

    # Calculate security level
    if len(analysis["issues"]) == 0 and len(analysis["strengths"]) >= 3:
        analysis["security_level"] = "Strong"
    elif len(analysis["issues"]) <= 1:
        analysis["security_level"] = "Moderate"
    else:
        analysis["security_level"] = "Weak"

    return analysis

Output

{
  "skill": "security_posture_analyzer",
  "results": {
    "security_headers": [
      {
        "header": "Strict-Transport-Security",
        "value": "max-age=31536000; includeSubDomains; preload",
        "present": true,
        "score": 10,
        "analysis": {
          "max_age": 31536000,
          "include_subdomains": true,
          "preload": true,
          "assessment": "Strong - HSTS preload eligible"
        }
      },
      {
        "header": "Content-Security-Policy",
        "value": "default-src 'self'; script-src 'self' https://cdn.example.com; ...",
        "present": true,
        "score": 8,
        "analysis": "See csp_analysis"
      },
      {
        "header": "X-Frame-Options",
        "present": false,
        "recommendation": "Add 'X-Frame-Options: DENY' to prevent clickjacking"
      }
    ],
    "csp_analysis": {
      "directives_count": 8,
      "security_level": "Moderate",
      "issues": [
        {
          "severity": "Medium",
          "issue": "Script sources include external CDN",
          "domain": "cdn.example.com"
        }
      ],
      "strengths": [
        "Restrictive default policy",
        "CSP violation reporting enabled"
      ],
      "third_party_domains": [
        "cdn.example.com",
        "analytics.example.com",
        "api.stripe.com"
      ]
    },
    "email_security": [
      {
        "type": "SPF",
        "value": "v=spf1 include:_spf.google.com ~all",
        "score": 7,
        "analysis": "Good - SPF configured with softfail"
      },
      {
        "type": "DMARC",
        "value": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "score": 10,
        "analysis": "Strong - DMARC reject policy with reporting"
      }
    ],
    "security_files": [
      {
        "path": "/.well-known/security.txt",
        "exists": true,
        "content_analysis": {
          "contact": "security@example.com",
          "encryption_key": true,
          "bug_bounty": "https://example.com/bug-bounty",
          "expires": "2025-12-31"
        }
      }
    ],
    "overall_score": {
      "score": 72,
      "max_score": 100,
      "grade": "B",
      "assessment": "Good security posture with some improvements needed"
    },
    "technologies_detected": [
      {
        "name": "Google Workspace",
        "source": "SPF include",
        "confidence": 90
      },
      {
        "name": "Stripe",
        "source": "CSP allowed domain: api.stripe.com",
        "confidence": 95
      }
    ],
    "recommendations": [
      {
        "priority": "High",
        "item": "Add X-Frame-Options header",
        "current": "Missing",
        "recommended": "DENY"
      },
      {
        "priority": "Medium",
        "item": "Enable HSTS preload",
        "current": "Not preloaded",
        "recommended": "Submit to HSTS preload list"
      }
    ]
  }
}

Third-Party Detection from Security Headers

CSP Domain Pattern Service
*.stripe.com Stripe Payments
*.google-analytics.com Google Analytics
*.googletagmanager.com Google Tag Manager
*.facebook.com Facebook SDK
*.intercom.io Intercom
*.zendesk.com Zendesk
*.sentry.io Sentry Error Tracking
.datadog.com Datadog
*.newrelic.com New Relic

Error Handling

  • Missing headers: Note as finding, provide recommendations
  • Malformed CSP: Parse what's possible, flag errors
  • DNS lookup failures: Continue with HTTP-based analysis
Related skills

More from transilienceai/communitytools

Installs
12
Repository
transilienceai/…itytools
GitHub Stars
250
First Seen
Mar 3, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykWarn