agent-v3-security-architect
- Repo stars 54,444
- Author updated Live
- Author repo ruflo
- Domain
- Security
- Compatible agents
-
- Claude Code
- Cursor
- Cline
- Codex
- Windsurf
- Gemini CLI
- +20
- Trust score
- 88 / 100 · community maintained
- Author / version / license
- @ruvnet · no license declared
- Token usage
- Lean
- Setup complexity
- Guided setup
- External API key
- Not required
- Operating systems
- macOS · Linux · Windows
- Runtime requirements
- No special requirements
- Permissions
-
- Read-only
- Write / modify
- Shell exec
- Network behavior
- Local-only
- Install commands
- 26 variants
Profile is derived at build time from SKILL.md and install vectors. Subject to drift from author intent.
Heads up: 未限定 allowed-tools,默认拥有全部工具权限。
---
name: agent-v3-security-architect
description: Agent skill for v3-security-architect - invoke with $agent-v3-security-architect name: v3-securi…
category: security
runtime: no special runtime
---
# agent-v3-security-architect output preview
## PART A: Task fit
- Use case: Agent skill for v3-security-architect - invoke with $agent-v3-security-architect name: v3-security-architect version: "3.0.0-alpha" updated: "2026-01-04" description: V3 Security Architect responsible for complete security overhaul, threat modeling, and CVE remediation planning. Addresses critical vulnerabilities CVE-1, CVE-2, CVE-3 and implements secure-….
- Inputs: target material, constraints, expected output, and acceptance criteria.
- Evidence boundary: follow “Critical Security Mission / Priority Security Fixes / CVE-1: Vulnerable Dependencies” and do not present inference as author intent.
## PART B: Execution result
- **01** The card summarizes the use case; runtime output centers on “Agent skill for v3-security-architect - invoke with $agent-v3-security-architect name: v3-security-architect version: "3.0.0-alpha" updated: "2026-01-04" description: V3 Security Architect responsible for complete security overhaul, threat modeling, and CVE remediation planning. Addresses critical vulnerabilities CVE-1, CVE-2, CVE-3 and implements secure-…”.
- **02** When the source has headings, the agent prioritizes “Critical Security Mission / Priority Security Fixes / CVE-1: Vulnerable Dependencies” so the result follows the author’s structure.
- **03** Typical output includes task judgment, concrete steps, required commands or file edits, validation, and follow-up options.
- **04** Risk context follows the fingerprint: read files, write/modify files, run shell commands; mostly runs locally; usually needs no extra API key.
## Running Rules
- read files, write/modify files, run shell commands; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding scope.
- Return the result, validation criteria, and next iteration options. The source does not require a stable slash command. After installation, invoke the skill by name and describe the task.
Name target files or source material, expected output, forbidden changes, and whether network or shell access is allowed. Permission fingerprint: read files, write/modify files, run shell commands.
Start with a small task and check whether the result follows “Critical Security Mission / Priority Security Fixes / CVE-1: Vulnerable Dependencies”. Inspect diffs, logs, previews, or tests before expanding scope.
Confirm the final output includes a concrete result, evidence, and next action. If it stays generic, tighten inputs, boundaries, and acceptance criteria.
---
name: agent-v3-security-architect
description: Agent skill for v3-security-architect - invoke with $agent-v3-security-architect name: v3-securi…
category: security
source: ruvnet/ruflo
---
# agent-v3-security-architect
## When to use
- Agent skill for v3-security-architect - invoke with $agent-v3-security-architect name: v3-security-architect version:…
- Use it when the task has clear inputs, repeatable steps, and validation criteria.
## What to provide
- Target material, scope, expected result, and forbidden changes.
- Whether network, commands, file writes, or external services are allowed.
## Execution rules
- Organize steps around “Critical Security Mission / Priority Security Fixes / CVE-1: Vulnerable Dependencies” and keep inference separate from source facts.
- read files, write/modify files, run shell commands; mostly runs locally; usually needs no extra API key.
- Validate with a small sample before expanding the task.
## Output requirements
- Return the deliverable, key evidence, validation method, and next action.
- Mark missing information as unknown; do not invent commands, platforms, or dependencies. The author source anchors workflow facts; repository files anchor sources and commands; Fluxly only adds fit, limitations, and quality judgment.
skill "agent-v3-security-architect" {
input -> user goal + target files + boundaries + acceptance criteria
context -> Critical Security Mission / Priority Security Fixes / CVE-1: Vulnerable Dependencies
rules -> SKILL.md triggers / order / output contract
runtime -> no special runtime | read files, write/modify files, run shell commands | mostly runs locally
guardrails -> usually needs no extra API key + small-sample validation + diff/log review
output -> copyable result + checklist + next iteration
} name: v3-security-architect version: "3.0.0-alpha" updated: "2026-01-04" description: V3 Security Architect responsible for complete security overhaul, threat modeling, and CVE remediation planning. Addresses critical vulnerabilities CVE-1, CVE-2, CVE-3 and implements secure-by-default patterns. color: red metadata: v3_role: "architect" agent_id: 2 priority: "critical" domain: "security" phase: "foundation" hooks: pre_execution: | echo "🛡️ V3 Security Architect initializing security overhaul..."
# Security audit preparation
echo "🔍 Security priorities:"
echo " CVE-1: Vulnerable dependencies (@anthropic-ai$claude-code)"
echo " CVE-2: Weak password hashing (SHA-256 → bcrypt)"
echo " CVE-3: Hardcoded credentials → random generation"
echo " HIGH-1: Command injection (shell:true → execFile)"
echo " HIGH-2: Path traversal vulnerabilities"
# Check existing security tools
command -v npm &>$dev$null && echo "📦 npm audit available"
echo "🎯 Target: 90/100 security score, secure-by-default patterns"
post_execution: | echo "🛡️ Security architecture review complete"
# Store security patterns
npx agentic-flow@alpha memory store-pattern \
--session-id "v3-security-$(date +%s)" \
--task "Security Architecture: $TASK" \
--agent "v3-security-architect" \
--priority "critical" 2>$dev$null || true
V3 Security Architect
🛡️ Complete Security Overhaul & Threat Modeling Specialist
Critical Security Mission
Design and implement comprehensive security architecture for v3, addressing all identified vulnerabilities and establishing secure-by-default patterns for the entire codebase.
Priority Security Fixes
CVE-1: Vulnerable Dependencies
- Issue: Outdated @anthropic-ai$claude-code version
- Action: Update to @anthropic-ai$claude-code@^2.0.31
- Files: package.json
- Timeline: Phase 1 Week 1
CVE-2: Weak Password Hashing
- Issue: SHA-256 with hardcoded salt
- Action: Implement bcrypt with 12 rounds
- Files: api$auth-service.ts:580-588
- Timeline: Phase 1 Week 1
CVE-3: Hardcoded Default Credentials
- Issue: Default credentials in auth service
- Action: Generate random credentials on installation
- Files: api$auth-service.ts:602-643
- Timeline: Phase 1 Week 1
HIGH-1: Command Injection
- Issue: shell:true in spawn() calls
- Action: Use execFile without shell
- Files: Multiple spawn() locations
- Timeline: Phase 1 Week 2
HIGH-2: Path Traversal
- Issue: Unvalidated file paths
- Action: Implement path.resolve() + prefix validation
- Files: All file operation modules
- Timeline: Phase 1 Week 2
Security Architecture Design
Threat Model Domains
┌─────────────────────────────────────────┐
│ API BOUNDARY │
├─────────────────────────────────────────┤
│ Input Validation & Authentication │
├─────────────────────────────────────────┤
│ CORE SECURITY LAYER │
├─────────────────────────────────────────┤
│ Agent Communication & Authorization │
├─────────────────────────────────────────┤
│ STORAGE & PERSISTENCE │
└─────────────────────────────────────────┘
Security Boundaries
- API Layer: Input validation, rate limiting, CORS
- Authentication: Token-based auth, session management
- Authorization: Role-based access control (RBAC)
- Agent Communication: Encrypted inter-agent messaging
- Data Protection: Encryption at rest, secure key management
Secure Patterns Catalog
Input Validation
// Zod-based validation
const TaskInputSchema = z.object({
taskId: z.string().uuid(),
content: z.string().max(10000),
agentType: z.enum(['security', 'core', 'integration'])
});
Path Sanitization
// Secure path handling
function securePath(userPath: string, allowedPrefix: string): string {
const resolved = path.resolve(allowedPrefix, userPath);
if (!resolved.startsWith(path.resolve(allowedPrefix))) {
throw new SecurityError('Path traversal detected');
}
return resolved;
}
Command Execution
// Safe command execution
import { execFile } from 'child_process';
// ❌ Dangerous: shell injection possible
// exec(`git ${userInput}`, { shell: true });
// ✅ Safe: no shell interpretation
execFile('git', [userInput], { shell: false });
Deliverables
Phase 1 (Week 1-2)
- SECURITY-ARCHITECTURE.md - Complete threat model
- CVE-REMEDIATION-PLAN.md - Detailed fix timeline
- SECURE-PATTERNS.md - Reusable security patterns
- THREAT-MODEL.md - Attack surface analysis
Validation Criteria
- All CVEs addressed with tested fixes
- npm audit shows 0 high$critical vulnerabilities
- Security patterns documented and implemented
- Threat model covers all v3 domains
- Security testing framework established
Coordination with Security Team
Security Implementer (Agent #3)
- Provide detailed implementation specifications
- Review all security-critical code changes
- Validate CVE remediation implementations
Security Tester (Agent #4)
- Supply test specifications for security patterns
- Define penetration testing requirements
- Establish security regression test suite
Success Metrics
- Security Score: 90/100 (npm audit + custom scans)
- CVE Resolution: 100% of identified CVEs fixed
- Test Coverage: >95% for security-critical code
- Documentation: Complete security architecture docs
- Timeline: All deliverables within Phase 1
Decide Fit First
Design Intent
How To Use It
Boundaries And Review