A

senior-security

by alirezarezvani

senior-security helps AI agents run STRIDE/DREAD threat modeling, analyze DFDs, prioritize mitigations, and perform quick secret scans with included scripts and references. Best for architecture reviews where broad security requests need routing to the right specialist skill.

Stars22.1k
Favorites0
Comments0
AddedJul 11, 2026
CategoryThreat Modeling
Install Command
npx skills add alirezarezvani/claude-skills --skill senior-security
Curation Score

This skill scores 80/100, which means it is a solid listing candidate for directory users who want an agent to perform structured threat modeling and basic secret scanning with less guesswork than a generic security prompt. Its scope is unusually clear for a security skill: it owns STRIDE/DREAD threat modeling and uses a routing table for adjacent security work. The main adoption caveat is that it lacks standalone installation guidance and depends on sibling skills for many common security requests.

80/100
Strengths
  • Strong triggerability: the frontmatter clearly names STRIDE threat modeling, DREAD scoring, DFD threat analysis, quick secret scans, and routing cases.
  • Operational support is substantive: it includes a threat-modeling guide, STRIDE/DREAD workflow, architecture and cryptography references, plus `threat_modeler.py` and `secret_scanner.py`.
  • Good install-decision clarity: the SKILL.md states that this skill owns threat modeling and routes pen testing, incident response, SecOps, red team, AI security, and other lanes to sibling skills.
Cautions
  • No install command or README is present, so directory users may need to infer installation from the parent repository conventions.
  • The skill deliberately routes many security tasks to sibling skills, so it is best installed as part of the broader engineering-team skill set rather than as a standalone all-purpose security skill.
Overview

Overview of senior-security skill

What senior-security is for

The senior-security skill is a focused security engineering skill for STRIDE threat modeling, DREAD-style risk scoring, data-flow-diagram analysis, and quick secret detection. It is best used when you need an AI assistant to reason like a senior security engineer during architecture review, design review, or pre-release risk analysis rather than simply list generic vulnerabilities.

Best-fit users and jobs

Use this skill if you are a developer, platform engineer, security reviewer, or technical lead trying to answer: “What can go wrong in this design, how serious is it, and what should we fix first?” The strongest fit is senior-security for Threat Modeling: APIs, authentication flows, payment systems, admin tools, multi-tenant SaaS, internal platforms, data pipelines, and services with sensitive data or trust boundaries.

What makes this skill different

The important differentiator is scope control. The skill owns STRIDE/DREAD threat modeling and lightweight secret scanning, while routing other security requests to neighboring specialist skills such as penetration testing, incident response, SecOps, cloud posture, adversarial review, or AI security. That makes it useful when a broad “security review” request needs to be narrowed into the right security workflow.

When it may not be enough

Do not expect senior-security to replace a full penetration test, compliance audit, forensic investigation, or production incident process. It can identify likely threats and mitigations from supplied architecture context, but it depends heavily on the quality of your DFD, asset list, trust boundaries, and implementation notes.

How to Use senior-security skill

senior-security install and files to inspect first

Install from the GitHub skill repository with:

npx skills add alirezarezvani/claude-skills --skill senior-security

After installation, read SKILL.md first because it defines the routing table and the exact ownership boundary. Then inspect references/threat-modeling-guide.md for the STRIDE workflow, references/security-architecture-patterns.md for mitigation patterns, references/cryptography-implementation.md for crypto-specific decisions, and the helper scripts scripts/threat_modeler.py and scripts/secret_scanner.py.

Inputs that produce a useful threat model

For strong senior-security usage, give the skill architecture facts, not just a product name. Include:

  • System purpose and primary users
  • In-scope and out-of-scope components
  • Data classifications, such as credentials, PII, tokens, payment data, logs
  • External entities and third-party services
  • Processes, data stores, data flows, and trust boundaries
  • Authentication, authorization, session, and key-management assumptions
  • Deployment context, such as cloud, container, edge, mobile, or internal network
  • Known constraints, such as legacy dependencies, compliance needs, or release deadline

A weak prompt is: “Threat model our login service.”
A stronger prompt is: “Use senior-security to create a STRIDE/DREAD threat model for a login service with web client, API gateway, auth service, PostgreSQL user store, Redis session cache, OAuth provider, email OTP provider, and admin dashboard. Include trust boundaries, top threats per DFD element, risk scores, mitigations, and residual risks.”

Suggested workflow for senior-security usage

Start by asking the skill to build or validate a data flow diagram from your description. Next, have it apply STRIDE per DFD element: external entities, processes, data stores, data flows, and trust boundaries. Then request DREAD-style prioritization so the output separates urgent design fixes from lower-priority hardening tasks.

For implementation review, run the bundled scripts where appropriate:

python scripts/threat_modeler.py --component "API Gateway" --assets "tokens,user_data"

python scripts/secret_scanner.py /path/to/project --format json

Treat script output as supporting evidence, not as the entire review. The highest-value output usually comes from combining architecture context, script findings, and explicit business impact.

Prompt pattern for better results

Use this structure when invoking the senior-security skill:

  1. “Use senior-security for STRIDE threat modeling.”
  2. “Here is the system and scope…”
  3. “Here is the DFD or component list…”
  4. “Here are assets and trust boundaries…”
  5. “Score risks and prioritize mitigations…”
  6. “Call out assumptions and questions separately.”

This prevents the model from filling gaps silently and helps you distinguish real findings from assumptions.

senior-security skill FAQ

Is senior-security only for Threat Modeling?

Threat modeling is its core job. The skill also supports quick secret scanning through secret_scanner.py, but its main value is structured STRIDE analysis, DREAD risk scoring, and mitigation planning. If you mainly need exploit testing, SOC monitoring, incident response, or cloud compliance checks, use the routed specialist skill instead.

How is this better than an ordinary security prompt?

A generic prompt may produce a broad checklist. The senior-security skill gives the assistant a narrower operating model: route non-owned requests, build a DFD-centered view, apply STRIDE categories, prioritize with risk scoring, and map mitigations to specific threats. That structure makes outputs easier to review, assign, and convert into engineering tickets.

Can beginners use the senior-security skill?

Yes, but beginners should provide a simple component diagram or bullet list of flows. If you do not know how to draw a DFD, describe who sends what data to which service, where it is stored, and which network or identity boundary it crosses. The skill can help normalize that into a threat-modeling format.

When should I avoid using senior-security?

Avoid using it as the sole basis for legal compliance sign-off, breach response, exploit validation, or cryptographic design approval. It can surface likely risks and recommend patterns, but high-stakes security decisions still need expert review, test evidence, and environment-specific validation.

How to Improve senior-security skill

Improve senior-security outputs with stronger context

The fastest way to improve senior-security results is to provide exact boundaries. Name the component under review, what is excluded, and what decision you need to make. For example: “Review only the checkout payment tokenization flow, not the whole ecommerce platform” will produce a much cleaner model than “review our app security.”

Common failure modes to watch for

The most common weak outputs come from missing assets, vague trust boundaries, and unclear attacker goals. If the model gives generic threats, add specifics: tenant isolation requirements, admin capabilities, token lifetime, network exposure, encryption points, audit logging, rate limits, and recovery controls.

Iterate from findings to engineering work

After the first threat model, ask for a prioritized remediation plan with owner, mitigation, validation method, and residual risk. Then ask which mitigations are design changes, code changes, configuration changes, monitoring changes, or policy decisions. This turns the senior-security skill from an analysis aid into an implementation planning tool.

Extend the skill for your environment

For recurring use, add your organization’s standard architecture patterns, approved cryptography choices, cloud services, severity scale, and risk acceptance rules. Keep additions close to the existing structure: threat-modeling guidance in references, executable checks in scripts, and routing rules in SKILL.md. This preserves the focused behavior that makes senior-security useful.

Ratings & Reviews

No ratings yet
Share your review
Sign in to leave a rating and comment for this skill.
G
0/10000
Latest reviews
Saving...