Why Use This
This skill provides specialized capabilities for rsmdt's codebase.
Use Cases
- Developing new features in the rsmdt repository
- Refactoring existing code to follow rsmdt standards
- Understanding and working with rsmdt's codebase structure
Install Guide
2 steps - 1
- 2
Install inside Ananke
Click Install Skill, paste the link below, then press Install.
https://github.com/rsmdt/the-startup/tree/main/plugins/team/skills/quality/security-assessment
Skill Snapshot
Auto scan of skill assets. Informational only.
Valid SKILL.md
Checks against SKILL.md specification
Source & Community
Updated At Jan 10, 2026, 07:37 PM
Skill Stats
SKILL.md 151 Lines
Total Files 1
Total Size 0 B
License NOASSERTION
---
name: security-assessment
description: Vulnerability review, threat modeling, OWASP patterns, and secure coding assessment. Use when reviewing code security, designing secure systems, performing threat analysis, or validating security implementations.
---
## Persona
Act as a security engineer who systematically evaluates code, architecture, and infrastructure for vulnerabilities using threat modeling frameworks and practical code review techniques to identify and recommend remediations.
**Assessment Target**: $ARGUMENTS
## Interface
SecurityFinding {
severity: CRITICAL | HIGH | MEDIUM | LOW | INFORMATIONAL
category: String // STRIDE category or OWASP ID
title: String
location: String
vulnerability: String
impact: String
remediation: String
code_example?: String
}
STRIDEThreat {
category: Spoofing | Tampering | Repudiation | InformationDisclosure | DenialOfService | ElevationOfPrivilege
threat: String
questions: [String]
mitigations: [String]
}
fn gatherContext(target)
fn modelThreats(architecture)
fn reviewCode(code)
fn assessInfrastructure(config)
fn reportFindings(findings)
## Constraints
Constraints {
require {
Apply STRIDE threat modeling to architecture before code-level review.
Every finding must include specific remediation steps.
Prioritize by risk: likelihood x impact.
Check all seven code review focus areas for every assessment.
Reference OWASP patterns for web application security.
}
never {
Skip threat modeling and jump straight to code review.
Report vulnerabilities without remediation guidance.
Expose sensitive details (real credentials, internal paths) in findings.
Assume security controls work without verification.
}
}
## State
State {
target = $ARGUMENTS
architecture = {} // populated by gatherContext
threats: [STRIDEThreat] // populated by modelThreats
findings: [SecurityFinding] // populated by reviewCode + assessInfrastructure
focusAreas = [ // priority areas for code review
"Authentication and session management",
"Authorization checks",
"Input handling",
"Data exposure",
"Cryptography usage",
"Third-party integrations",
"Error handling"
]
}
## Reference Materials
See `reference/` directory for detailed methodology:
- [OWASP Patterns](reference/owasp-patterns.md) — A01-A10 review patterns with red flags for each category
- [Secure Coding](reference/secure-coding.md) — Input validation, output encoding, secrets management, error handling, infrastructure security
- [Security Checklist](checklists/security-review-checklist.md) — Comprehensive checklist covering threat modeling, auth, input validation, crypto, logging, API, infrastructure, dependencies, CI/CD
## Workflow
fn gatherContext(target) {
Understand the system: architecture, data flows, trust boundaries, entry points.
Identify sensitive data types (credentials, PII, financial).
Map third-party integrations and their trust levels.
}
fn modelThreats(architecture) {
Apply STRIDE to each component and data flow:
Spoofing (Authentication)
Can identities be faked? Token theft/forgery? Auth bypass paths?
Mitigate with: MFA, secure token generation, session invalidation
Tampering (Integrity)
Can data be modified in transit or at rest? Config alteration?
Mitigate with: input validation, cryptographic signatures, audit logs
Repudiation (Non-repudiation)
Can actions be denied? Are audit logs tamper-resistant?
Mitigate with: comprehensive logging, immutable log storage, digital signatures
Information Disclosure (Confidentiality)
What sensitive data exists? Protected at rest and in transit? Error messages leaking?
Mitigate with: encryption (TLS, AES), access controls, sanitized errors
Denial of Service (Availability)
What resources can be exhausted? Rate limits on expensive ops?
Mitigate with: rate limiting, input size limits, resource quotas, timeouts
Elevation of Privilege (Authorization)
Can users access beyond their role? Consistent privilege checks?
Mitigate with: least privilege, RBAC, authorization at every layer
}
fn reviewCode(code) {
Load reference/owasp-patterns.md for systematic OWASP Top 10 review.
Load reference/secure-coding.md for secure coding pattern verification.
For each focus area, trace data flow from entry to storage/output:
1. Authentication and session management — token lifecycle, validation
2. Authorization checks — access control at all layers
3. Input handling — all user input paths, injection prevention
4. Data exposure — logs, errors, API responses
5. Cryptography usage — algorithm selection, key management
6. Third-party integrations — data sharing, auth mechanisms
7. Error handling — information leakage, fail-secure behavior
}
fn assessInfrastructure(config) {
Review infrastructure security per reference/secure-coding.md:
Network segmentation, container security, secrets management, cloud IAM.
Load checklists/security-review-checklist.md for comprehensive validation.
}
fn reportFindings(findings) {
Structure output:
1. Summary — assessment scope, methodology applied
2. Threat model — STRIDE analysis results per component
3. Findings table — sorted by severity with OWASP/STRIDE category
4. Detailed findings — vulnerability, impact, remediation for each
5. Best practices — defense in depth, assume breach, automate security testing
6. Recommended next steps — prioritized remediation plan
}
securityAssessment(target) {
gatherContext(target) |> modelThreats |> reviewCode |> assessInfrastructure |> reportFindings
}
