Install: claude install-skill vanducng/skills
# security
> STRIDE + OWASP, from multiple attacker perspectives → severity-ranked findings, optionally auto-fixed.
## Scope & posture
**Defensive / authorized use only.** Run against code you own or are authorized to audit. This skill performs review and authorized remediation; it does **not** produce weaponized exploits, mass-targeting tooling, or detection-evasion for malicious use.
**Credential masking is mandatory** — even when the secret *is* the finding. Mask per the table in `vd:optimize-loop`'s SKILL.md (API keys → `<REDACTED_TOKEN>`, connection strings → `…:<REDACTED_PASSWORD>@…`, env values → reference the name). No report or PoC may contain a live secret or a copy-paste-ready exploit with real credentials — write PoCs as templates the user fills in.
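As an added illustration of the three masking rules above (example code, not the skill's own; the regexes and the sample finding are constructed assumptions, and the authoritative rules are the table in `vd:optimize-loop`'s SKILL.md), a Python masker with a pre-write gate that refuses to emit a report entry still carrying a live value:

```python
import re

# Heuristic patterns for this example only (assumptions, not the skill's rule set).
# scheme://user:password@host -> keep the user, redact only the password part.
_CONN_STR = re.compile(r"(\b[a-z][a-z0-9+.-]*://[^:/\s@]+:)((?!<REDACTED_)[^@\s/]+)(@)", re.I)
# NAME=value where NAME looks secret-bearing -> replace the value with a reference to the name.
_ENV_SECRET = re.compile(r"\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASS)[A-Z0-9_]*)=(?!\$\{)(\S+)")
# Well-known token prefixes followed by a long token body -> redact the whole token.
_API_KEY = re.compile(r"\b(?:sk_|pk_|ghp_|xoxb-|AKIA)[A-Za-z0-9_-]{16,}\b")


def mask_secrets(text: str) -> str:
    """Apply the three masking rules to a report or PoC body (order matters: env before token)."""
    text = _CONN_STR.sub(r"\1<REDACTED_PASSWORD>\3", text)
    text = _ENV_SECRET.sub(lambda m: f"{m.group(1)}=${{{m.group(1)}}}", text)
    text = _API_KEY.sub("<REDACTED_TOKEN>", text)
    return text


def unmasked_secrets(text: str) -> list[str]:
    """Gate before writing: anything still matching a pattern is treated as a live secret."""
    hits = [m.group(2) for m in _CONN_STR.finditer(text)]
    hits += [m.group(2) for m in _ENV_SECRET.finditer(text)]
    hits += [m.group(0) for m in _API_KEY.finditer(text)]
    return hits


def render_finding(finding: dict) -> str:
    """Build one report entry, masked, and refuse to emit it if a secret survived masking."""
    body = f"[{finding['severity']}] {finding['title']}\n{finding['evidence']}\n"
    masked = mask_secrets(body)
    leftovers = unmasked_secrets(masked)
    if leftovers:
        raise ValueError(f"report still contains {len(leftovers)} unmasked secret(s)")
    return masked


# Constructed sample finding (every value is fake), shaped like a one-shot scan result.
SAMPLE_FINDING = {
    "severity": "HIGH",
    "title": "Hard-coded credentials in config/settings.py (STRIDE: Information Disclosure)",
    "evidence": (
        "DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod\n"
        "STRIPE_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"
    ),
}

if __name__ == "__main__":
    print(render_finding(SAMPLE_FINDING))
```

The patterns are deliberately narrow; in practice the gate should be backed by the full masking table and a dedicated secret scanner, since a miss here means a live value lands in the report.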
## What this is — and isn't
This is an LLM-driven threat-modeled review + bounded fix loop — **not** a replacement for a SAST scanner, dependency CVE database, or pentest engagement. Use it to reason about *this codebase's* threat surface and remediate findings; pair with real scanners for breadth.
## Modes
| Mode | Behaviour |
|---|---|
| _(default)_ | One-shot scan: STRIDE + OWASP pass over `<scope>` → severity-ranked findings report. |
| `--red-team` | Iterative persona-driven discovery loop — see [`references/red-team-personas.md`](references/red-team-personas.md). |
| `--fix` | Remediate findings using the autoresearch loop (below). |
## Workflow
1. **Scope** — resolve `<scope>` glob (or `full` = whole r