PluginBench
Skill
Review
Audit score 70

senior-security

alirezarezvani/claude-skills

How to install senior-security

npx skills add https://github.com/alirezarezvani/claude-skills --skill senior-security
Claude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)

Source of truth, from alirezarezvani/claude-skills.


name: "senior-security" description: Use when the user asks for STRIDE threat modeling, DREAD risk scoring, data-flow-diagram threat analysis, or a quick secret scan — or when a security request needs routing to the right specialist skill (pen-testing, incident response, cloud posture, red team, AI security, threat hunting, secure code review). This skill owns threat modeling; everything else routes to a sibling.

Senior Security Engineer — Threat Modeling + Security Router

This skill does exactly one job itself — STRIDE/DREAD threat modeling (plus a quick secret scan) — and routes every other security request to the specialist skill that owns that lane. Do not duplicate sibling content here; route instead.

Routing Table (read this first)

The user wants...Route toWhy that skill owns it
Vulnerability assessment, pen-test methodology, OWASP Top 10 testing../security-pen-testing/Ships vulnerability_scanner.py + dependency_auditor.py with exit-code contracts
Incident triage, SEV classification, forensics, containment../incident-response/SEV1–SEV4 taxonomy, NIST SP 800-61 phases, incident_triage.py
Production outage command (non-security incidents)../incident-commander/Severity classifier + timeline + postmortem tools
Security monitoring, CVE triage SLAs, compliance checks (SOC 2 etc.), security headers../senior-secops/security_scanner.py + compliance_checker.py, CVE SLA table
Hostile/adversarial code review../adversarial-reviewer/3-persona review with BLOCK/CONCERNS/CLEAN verdict
Secure code review as part of general review../code-reviewer/Language dispatch + regression fixtures
Cloud IAM escalation paths, S3 exposure, security groups../cloud-security/cloud_posture_check.py with per-check exit codes
Threat hunting, IOC sweeps, anomaly detection../threat-detection/z-score anomaly + IOC staleness tooling
Red-team engagement planning, ATT&CK kill chains../red-team/engagement_planner.py with authorization gate
LLM/AI attack surface (prompt injection, poisoning)../ai-security/ATLAS-mapped ai_threat_scanner.py

If the request spans lanes (e.g., "secure this new architecture"), do the threat model here first — its output (prioritized threats + mitigations) tells you which siblings to load next. Never bulk-load multiple security skills speculatively.

What This Skill Owns: STRIDE Threat Modeling

Workflow

  1. Scope: assets to protect, trust boundaries, data flows (external entities, processes, data stores, flows).
  2. Generate the threat model per component:
    python3 scripts/threat_modeler.py --component "User Authentication" --assets "credentials,sessions" --json --output threats.json
    
    Output: per-threat STRIDE category, DREAD score (Damage, Reproducibility, Exploitability, Affected users, Discoverability — each 1–10), and suggested mitigations. Repeat per DFD element; --interactive walks scoping questions; --list-threats shows the threat database.
  3. Consume the output: sort threats.json by DREAD score descending; everything ≥ 7 average needs a named mitigation owner before the design ships. Map each mitigation to the responsible sibling lane (e.g., IAM threats → cloud-security, injection threats → code-reviewer).
  4. Quick secret sweep while you have the codebase open:
    python3 scripts/secret_scanner.py /path/to/project --format json --severity high
    
    20+ patterns (AWS keys, GitHub tokens, private keys, generic credentials). Any critical/high finding blocks merge until rotated and moved to a secret manager.
  5. Verification gate: every DFD element has ≥ 1 STRIDE row considered, every threat with DREAD ≥ 7 has an owner + mitigation, and the secret scan exits with zero high/critical findings. Re-run both tools after mitigations land — that re-run is the done signal, not the document.

STRIDE per Element Matrix

DFD ElementSTRIDE
External EntityXX
ProcessXXXXXX
Data StoreXXXX
Data FlowXXX

(S=Spoofing→authn, T=Tampering→integrity, R=Repudiation→audit logs, I=Info Disclosure→encryption/access control, D=DoS→rate limiting/redundancy, E=Elevation→least privilege.)

References (load on demand)

DocumentContent
references/threat-modeling-guide.mdSTRIDE methodology, attack trees, DREAD scoring, DFD creation
references/security-architecture-patterns.mdZero Trust, defense-in-depth, authentication patterns, API security
references/cryptography-implementation.mdAES-GCM, Ed25519, password hashing (Argon2id), key management

The architecture and crypto references are kept because no sibling ships them; for operating those controls (scanning, compliance, monitoring) still route to senior-secops.

Related skills

More from alirezarezvani/claude-skills and the wider catalog.

MA

marketing-skills

alirezarezvani/claude-skills

Directory and router for the marketing skills library. Use when you need to find the right marketing skill for a task, see what marketing capabilities exist, or get oriented in this plugin. 44 specialist skills across 8 pods (content, SEO + AEO, CRO, channels, growth, intelligence, sales enablement, ops), 59 stdlib Python tools. Routes to one skill — it does not execute marketing work itself.

2.1k installs
EN

engineering-skills

alirezarezvani/claude-skills

Index of the engineering-team skills bundle for Claude Code, Codex, Gemini CLI, Cursor, OpenClaw, and 6 more tools. Architecture, frontend, backend, QA, DevOps, security, AI/ML, data engineering, Playwright, Stripe, AWS, MS365 (stdlib-only Python tools). Use when browsing or choosing among engineering-team role skills — load only the one specialist SKILL.md you need, never bulk-load the bundle.

2.1k installs
FI

finance-skills

alirezarezvani/claude-skills

Router/index for the 2 finance skills bundled in this plugin: financial-analyst (ratio analysis, DCF valuation, budget variance, rolling forecasts) and saas-metrics-coach (ARR/MRR, churn, CAC/LTV, NRR, quick ratio). Use when a finance request doesn't obviously match one skill and you need to pick the right one (e.g., 'analyze these financials', 'how healthy are my SaaS metrics').

2.1k installs
BU

business-growth-skills

alirezarezvani/claude-skills

Router/index for the 4 business & growth skills bundled in this plugin: customer-success-manager (health scoring, churn risk, expansion), sales-engineer (RFP analysis, competitive matrices, PoC planning), revenue-operations (pipeline, forecast accuracy, GTM efficiency), and contract-and-proposal-writer. Use when a growth/revenue request doesn't obviously match one skill and you need to pick the right one (e.g., 'which accounts are at risk', 'should we bid on this RFP').

2.0k installs
EN

engineering-advanced-skills

alirezarezvani/claude-skills

Index of 37 advanced engineering agent skills for Claude Code, Codex, Gemini CLI, Cursor, OpenClaw. Use when browsing or choosing among the POWERFUL-tier engineering skills: agent design, RAG, MCP servers, CI/CD, database design, observability, security auditing, changelog/release automation, reliability (SLO/chaos/flags/operators), platform ops.

1.9k installs
PR

product-skills

alirezarezvani/claude-skills

Router/index for the 12 product skills bundled in this plugin (RICE prioritization, OKRs, UX research, design tokens, competitive teardown, analytics, experiments, discovery, roadmaps, spec-to-repo, landing pages, SaaS scaffolding). Use when a product request doesn't obviously match one skill and you need to pick the right one (e.g., 'help me prioritize features', 'plan a product experiment').

1.9k installs