Xpersona Agent
Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack โ zero external dependencies. --- name: afrexai-cybersecurity-engine description: Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack โ zero external dependencies. metadata: {"openclaw":{"emoji":"๐ก๏ธ","os":["linux","darwin","win32"]}} --- Cybersecurity Engine Complete
clawhub skill install skills:1kalin:afrexai-cybersecurity-engineOverall rank
#62
Adoption
No public adoption signal
Trust
Unknown
Freshness
Feb 25, 2026
Freshness
Last checked Feb 25, 2026
Best For
afrexai-cybersecurity-engine is best for an, data, someone workflows where OpenClaw compatibility matters.
Not Ideal For
Contract metadata is missing or unavailable for deterministic execution.
Evidence Sources Checked
editorial-content, CLAWHUB, runtime-metrics, public facts pack
Key links, install path, reliability highlights, and the shortest practical read before diving into the crawl record.
Overview
Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack โ zero external dependencies. --- name: afrexai-cybersecurity-engine description: Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack โ zero external dependencies. metadata: {"openclaw":{"emoji":"๐ก๏ธ","os":["linux","darwin","win32"]}} --- Cybersecurity Engine Complete Capability contract not published. No trust telemetry is available yet. Last updated 4/15/2026.
Trust score
Unknown
Compatibility
OpenClaw
Freshness
Feb 25, 2026
Vendor
Openclaw
Artifacts
0
Benchmarks
0
Last release
Unpublished
Install & run
clawhub skill install skills:1kalin:afrexai-cybersecurity-engineSetup complexity is LOW. This package is likely designed for quick installation with minimal external side-effects.
Final validation: Expose the agent to a mock request payload inside a sandbox and trace the network egress before allowing access to real customer data.
Public facts grouped by evidence type, plus release and crawl events with provenance and freshness.
Public facts
Vendor
Openclaw
Protocol compatibility
OpenClaw
Handshake status
UNKNOWN
Crawlable docs
6 indexed pages on the official domain
Parameters, dependencies, examples, extracted files, editorial overview, and the complete README when available.
Captured outputs
Extracted files
0
Examples
6
Snippets
0
Languages
typescript
Parameters
yaml
assessment:
name: "[Project/Org Name] Security Assessment"
date: "YYYY-MM-DD"
assessor: "[Agent/Person]"
scope:
applications:
- name: "[App Name]"
type: "web|api|mobile|desktop|iot"
tech_stack: "[languages, frameworks, DBs]"
hosting: "cloud|on-prem|hybrid"
cloud_provider: "aws|gcp|azure|other"
internet_facing: true|false
handles_pii: true|false
handles_payments: true|false
handles_phi: true|false # health data
infrastructure:
- servers: "[count, OS types]"
containers: true|false
orchestration: "k8s|ecs|nomad|none"
cdn: "[provider or none]"
dns: "[provider]"
third_parties:
- name: "[service]"
data_shared: "[what data]"
criticality: "high|medium|low"
compliance_requirements:
- "SOC 2|ISO 27001|GDPR|HIPAA|PCI DSS|SOX|none"
previous_incidents:
- date: "YYYY-MM-DD"
type: "[breach|vuln|misconfiguration]"
severity: "critical|high|medium|low"
resolution: "[what was done]"
risk_tolerance: "conservative|moderate|aggressive"text
[User] โ [CDN/WAF] โ [Load Balancer] โ [Web Server] โ [App Server] โ [Database]
โ [Cache]
โ [Message Queue] โ [Worker]
โ [Third-party API]
โ [Object Storage]yaml
threats:
- id: "T-001"
component: "[affected component]"
category: "S|T|R|I|D|E"
description: "[specific attack scenario]"
attacker_profile: "external-unauthenticated|external-authenticated|internal|insider"
likelihood: 1-5 # 1=rare, 5=almost certain
impact: 1-5 # 1=negligible, 5=catastrophic
risk_score: 0 # likelihood ร impact
existing_controls: "[what's already in place]"
residual_risk: "accept|mitigate|transfer|avoid"
mitigation: "[specific fix]"
priority: "P0|P1|P2|P3"
owner: "[person/team]"
status: "open|in-progress|mitigated|accepted"text
# Authorization check pattern (every endpoint) 1. Authenticate โ verify identity 2. Authorize โ verify permission for THIS resource 3. Validate โ verify input is within allowed bounds 4. Execute โ perform the action 5. Audit โ log who did what # IDOR prevention - NEVER use sequential IDs in URLs โ use UUIDs - ALWAYS verify resource ownership server-side - Use middleware that auto-checks resource.owner === request.user
text
Need to store passwords? โ bcrypt (cost 12+) or Argon2id โ NEVER: MD5, SHA1, SHA256 without salt Need to encrypt data at rest? โ AES-256-GCM (authenticated encryption) โ NEVER: ECB mode, DES, RC4 Need to encrypt in transit? โ TLS 1.2+ (prefer 1.3) โ HSTS with includeSubDomains โ Certificate pinning for mobile apps Need to generate random values? โ crypto.randomBytes() / secrets.token_bytes() โ NEVER: Math.random(), random.random() Need to sign/verify? โ HMAC-SHA256 for symmetric โ Ed25519 or RSA-PSS (2048+ bits) for asymmetric โ NEVER: RSA PKCS#1 v1.5 for new systems
text
# ALWAYS use parameterized queries
โ
db.query("SELECT * FROM users WHERE id = $1", [userId])
โ db.query("SELECT * FROM users WHERE id = " + userId)
# Test payloads (for YOUR code, during testing):
' OR '1'='1
'; DROP TABLE users;--
' UNION SELECT password FROM users--
1; WAITFOR DELAY '0:0:5'--Editorial read
Docs source
CLAWHUB
Editorial quality
ready
Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack โ zero external dependencies. --- name: afrexai-cybersecurity-engine description: Complete cybersecurity assessment, threat modeling, and hardening system. Use when conducting security audits, threat modeling, penetration testing, incident response, or building security programs from scratch. Works with any stack โ zero external dependencies. metadata: {"openclaw":{"emoji":"๐ก๏ธ","os":["linux","darwin","win32"]}} --- Cybersecurity Engine Complete
Complete methodology for security assessment, threat modeling, vulnerability management, incident response, and security program design. No tools required โ pure agent knowledge that works with any codebase, infrastructure, or organization.
Run through these three tiers:
Tier 1 โ Critical (fix today):
Tier 2 โ High (fix this week):
Tier 3 โ Medium (fix this sprint):
Score: Count failures. 0-2 = solid. 3-5 = needs work. 6+ = stop shipping features, fix security.
assessment:
name: "[Project/Org Name] Security Assessment"
date: "YYYY-MM-DD"
assessor: "[Agent/Person]"
scope:
applications:
- name: "[App Name]"
type: "web|api|mobile|desktop|iot"
tech_stack: "[languages, frameworks, DBs]"
hosting: "cloud|on-prem|hybrid"
cloud_provider: "aws|gcp|azure|other"
internet_facing: true|false
handles_pii: true|false
handles_payments: true|false
handles_phi: true|false # health data
infrastructure:
- servers: "[count, OS types]"
containers: true|false
orchestration: "k8s|ecs|nomad|none"
cdn: "[provider or none]"
dns: "[provider]"
third_parties:
- name: "[service]"
data_shared: "[what data]"
criticality: "high|medium|low"
compliance_requirements:
- "SOC 2|ISO 27001|GDPR|HIPAA|PCI DSS|SOX|none"
previous_incidents:
- date: "YYYY-MM-DD"
type: "[breach|vuln|misconfiguration]"
severity: "critical|high|medium|low"
resolution: "[what was done]"
risk_tolerance: "conservative|moderate|aggressive"
For each application, draw the data flow:
[User] โ [CDN/WAF] โ [Load Balancer] โ [Web Server] โ [App Server] โ [Database]
โ [Cache]
โ [Message Queue] โ [Worker]
โ [Third-party API]
โ [Object Storage]
Identify trust boundaries โ where privilege level changes:
For EACH component crossing a trust boundary:
| Threat | Question | Example Attack | |--------|----------|----------------| | Spoofing | Can an attacker pretend to be someone else? | Stolen JWT, session hijacking, credential stuffing | | Tampering | Can data be modified in transit or at rest? | Man-in-the-middle, SQL injection, parameter manipulation | | Repudiation | Can someone deny they did something? | Missing audit logs, unsigned transactions | | Information Disclosure | Can sensitive data leak? | Error messages, API over-fetching, side channels | | Denial of Service | Can the service be overwhelmed? | DDoS, resource exhaustion, regex DoS | | Elevation of Privilege | Can someone gain unauthorized access? | IDOR, broken access control, privilege escalation |
threats:
- id: "T-001"
component: "[affected component]"
category: "S|T|R|I|D|E"
description: "[specific attack scenario]"
attacker_profile: "external-unauthenticated|external-authenticated|internal|insider"
likelihood: 1-5 # 1=rare, 5=almost certain
impact: 1-5 # 1=negligible, 5=catastrophic
risk_score: 0 # likelihood ร impact
existing_controls: "[what's already in place]"
residual_risk: "accept|mitigate|transfer|avoid"
mitigation: "[specific fix]"
priority: "P0|P1|P2|P3"
owner: "[person/team]"
status: "open|in-progress|mitigated|accepted"
Test checklist:
* with credentials)?Fix patterns:
# Authorization check pattern (every endpoint)
1. Authenticate โ verify identity
2. Authorize โ verify permission for THIS resource
3. Validate โ verify input is within allowed bounds
4. Execute โ perform the action
5. Audit โ log who did what
# IDOR prevention
- NEVER use sequential IDs in URLs โ use UUIDs
- ALWAYS verify resource ownership server-side
- Use middleware that auto-checks resource.owner === request.user
Decision tree:
Need to store passwords?
โ bcrypt (cost 12+) or Argon2id
โ NEVER: MD5, SHA1, SHA256 without salt
Need to encrypt data at rest?
โ AES-256-GCM (authenticated encryption)
โ NEVER: ECB mode, DES, RC4
Need to encrypt in transit?
โ TLS 1.2+ (prefer 1.3)
โ HSTS with includeSubDomains
โ Certificate pinning for mobile apps
Need to generate random values?
โ crypto.randomBytes() / secrets.token_bytes()
โ NEVER: Math.random(), random.random()
Need to sign/verify?
โ HMAC-SHA256 for symmetric
โ Ed25519 or RSA-PSS (2048+ bits) for asymmetric
โ NEVER: RSA PKCS#1 v1.5 for new systems
SQL Injection prevention:
# ALWAYS use parameterized queries
โ
db.query("SELECT * FROM users WHERE id = $1", [userId])
โ db.query("SELECT * FROM users WHERE id = " + userId)
# Test payloads (for YOUR code, during testing):
' OR '1'='1
'; DROP TABLE users;--
' UNION SELECT password FROM users--
1; WAITFOR DELAY '0:0:5'--
XSS prevention:
# Output encoding rules:
HTML body โ HTML entity encode (< > & " ')
HTML attr โ Attribute encode + always quote attributes
JavaScript โ JavaScript encode (\\xHH)
URL โ Percent encode (%HH)
CSS โ CSS encode (\\HHHHHH)
# CSP header (strong baseline):
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' https://api.yourdomain.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
Command injection prevention:
# NEVER pass user input to shell
โ
execFile('convert', ['-resize', size, inputFile, outputFile])
โ exec('convert -resize ' + size + ' ' + inputFile + ' ' + outputFile)
# If you MUST use shell:
- Whitelist allowed characters (alphanumeric only)
- Use library wrappers, never string concatenation
Secure design checklist:
Server hardening checklist:
web_server:
- remove_default_pages: true
- disable_directory_listing: true
- remove_server_version_header: true
- disable_TRACE_method: true
- custom_error_pages: true # no stack traces
application:
- debug_mode: false # NEVER in production
- verbose_errors: false
- default_accounts_removed: true
- unnecessary_features_disabled: true
- admin_panel_ip_restricted: true
cloud:
- public_buckets: none
- security_groups_least_privilege: true
- imds_v2_enforced: true # AWS
- logging_enabled: true
- mfa_on_root: true
- billing_alerts: true
| Vuln | Test | Fix |
|------|------|-----|
| A06: Vulnerable Components | npm audit, pip-audit, trivy fs . | Update, pin versions, automate scanning in CI |
| A07: Auth Failures | Brute force test, password policy audit, MFA coverage | Rate limit + lockout, enforce MFA, bcrypt/Argon2 |
| A08: Data Integrity | Can unsigned data modify app behavior? | Sign all serialized data, verify checksums, SRI for CDN |
| A09: Logging Gaps | Do you log auth events, access changes, failures? | Structured logging, SIEM integration, alert on anomalies |
| A10: SSRF | Can user input trigger server-side requests? | Allowlist URLs, block internal IPs, no redirects to internal |
network_hardening:
firewall:
default_policy: "deny-all"
allowed_inbound:
- port: 443
source: "0.0.0.0/0"
service: "HTTPS"
- port: 22
source: "[admin_ip_range]"
service: "SSH"
rules:
- "No direct database access from internet"
- "Internal services communicate on private subnet"
- "Egress filtering โ block unnecessary outbound"
ssh:
password_auth: false
root_login: false
key_type: "ed25519"
port: "[non-standard recommended]"
fail2ban: true
max_auth_tries: 3
dns:
dnssec: true
caa_records: true # restrict who can issue TLS certs
no_zone_transfer: true
tls:
min_version: "1.2"
preferred: "1.3"
cipher_suites: "ECDHE+AESGCM:ECDHE+CHACHA20"
hsts: "max-age=31536000; includeSubDomains; preload"
certificate_monitoring: true
auto_renewal: true
container_hardening:
image:
- base: "distroless or alpine (minimal)"
- user: "non-root (USER 1000:1000)"
- scan: "trivy image before push"
- sign: "cosign or Notary"
- pins: "use SHA256 digests, not :latest"
- secrets: "NEVER in Dockerfile or image layers"
- layers: "multi-stage builds, minimal final image"
runtime:
- read_only_rootfs: true
- no_new_privileges: true
- drop_all_capabilities: true
- add_only: ["NET_BIND_SERVICE"] # if needed
- resource_limits: true
- seccomp_profile: "default"
- network_policy: "deny by default"
registry:
- private: true
- vulnerability_scanning: true
- image_signing: true
- tag_immutability: true
cloud_security_baseline:
identity:
- root_account_mfa: true
- no_root_access_keys: true
- least_privilege_iam: true
- service_accounts_scoped: true
- temporary_credentials: true # assume role, not long-lived keys
- sso_enforced: true
data:
- encryption_at_rest: "default on all storage"
- encryption_in_transit: "TLS everywhere"
- backup_encryption: true
- key_management: "cloud KMS, not self-managed"
- data_classification: true
network:
- vpc_flow_logs: true
- private_subnets_for_databases: true
- nat_gateway_for_outbound: true
- waf_on_public_endpoints: true
- ddos_protection: true
monitoring:
- cloudtrail_enabled: true # or equivalent
- config_rules: true
- guardduty_enabled: true # or equivalent
- cost_alerts: true
- unused_resource_alerts: true
storage:
- no_public_buckets: true
- versioning_on_critical: true
- lifecycle_policies: true
- access_logging: true
Discovery โ Triage โ Prioritize โ Remediate โ Verify โ Close
โ โ โ โ โ
Scan/ Confirm CVSS + Fix or Retest
Report real? context compensate
| Severity | CVSS | Remediation SLA | Escalation | |----------|------|-----------------|------------| | Critical | 9.0-10.0 | 24 hours | CTO/CISO immediately | | High | 7.0-8.9 | 7 days | Team lead + security | | Medium | 4.0-6.9 | 30 days | Sprint backlog | | Low | 0.1-3.9 | 90 days | Track, fix when convenient | | Info | 0 | No SLA | Document for awareness |
vulnerability:
id: "VULN-YYYY-NNN"
title: "[descriptive title]"
discovered: "YYYY-MM-DD"
discoverer: "[scanner/person/bounty]"
severity: "critical|high|medium|low|info"
cvss_score: 0.0
cvss_vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
cve: "[if applicable]"
affected:
- component: "[app/service/library]"
version: "[affected versions]"
environment: "production|staging|dev"
description: "[what the vulnerability is]"
impact: "[what an attacker could do]"
proof_of_concept: "[steps to reproduce]"
remediation:
fix: "[specific fix]"
workaround: "[temporary mitigation]"
compensating_control: "[if fix isn't immediate]"
status: "open|in-progress|fixed|accepted|false-positive"
fixed_date: "YYYY-MM-DD"
verified_by: "[person who confirmed fix]"
| Scan Type | Frequency | Tool Examples | |-----------|-----------|---------------| | Dependency scan | Every CI build | npm audit, pip-audit, trivy | | SAST (code) | Every PR | Semgrep, CodeQL, Bandit | | Secret scanning | Every commit | GitLeaks, truffleHog, GitHub secret scanning | | Container scan | Every image build | Trivy, Grype, Snyk Container | | DAST (runtime) | Weekly | OWASP ZAP, Burp Suite, Nuclei | | Cloud config | Daily | ScoutSuite, Prowler, CloudSploit | | Penetration test | Quarterly | Manual + automated | | Red team | Annually | External firm |
| Level | Definition | Response Time | Team | |-------|-----------|---------------|------| | SEV-1 | Active breach, data exfiltration, service down | 15 min | All hands + management + legal | | SEV-2 | Vulnerability actively exploited, partial compromise | 1 hour | Security + affected team leads | | SEV-3 | Suspicious activity, potential compromise indicators | 4 hours | Security team | | SEV-4 | Low-risk finding, policy violation, failed attack | Next business day | Assigned engineer |
Phase 1 โ Detection & Triage (first 15 minutes)
1. Confirm incident is real (not false positive)
2. Classify severity (SEV-1 through SEV-4)
3. Assign incident commander
4. Open incident channel (Slack/Teams)
5. Start incident log with timestamps
6. Notify stakeholders per severity
Phase 2 โ Containment (first hour)
SHORT-TERM (stop the bleeding):
- Isolate affected systems (network segmentation)
- Revoke compromised credentials immediately
- Block attacking IP/user agent
- Enable enhanced logging on affected systems
- Preserve forensic evidence (DON'T reboot/wipe yet)
LONG-TERM (prevent spread):
- Patch the vulnerability that was exploited
- Rotate ALL credentials that may be compromised
- Update firewall/WAF rules
- Deploy additional monitoring
Phase 3 โ Eradication
1. Identify root cause
2. Remove all attacker artifacts (backdoors, malware, new accounts)
3. Patch all instances of the vulnerability
4. Verify no lateral movement occurred
5. Confirm all compromised credentials rotated
Phase 4 โ Recovery
1. Restore from clean backups (verify backup integrity first)
2. Rebuild compromised systems from scratch (don't trust cleanup)
3. Monitor restored systems with enhanced logging
4. Gradual return to production (staged rollback)
5. Confirm normal operations for 48 hours
Phase 5 โ Post-Incident
post_mortem:
incident_id: "INC-YYYY-NNN"
date: "YYYY-MM-DD"
severity: "SEV-1|2|3|4"
duration: "[detection to resolution]"
impact:
users_affected: 0
data_compromised: "[type and volume]"
financial_impact: "$0"
regulatory_notification_required: true|false
timeline:
- time: "HH:MM"
event: "[what happened]"
action: "[what we did]"
root_cause: "[specific technical cause]"
contributing_factors:
- "[what made it possible or worse]"
what_went_well:
- "[detection, response, communication]"
what_went_poorly:
- "[gaps, delays, confusion]"
action_items:
- action: "[specific improvement]"
owner: "[person]"
due: "YYYY-MM-DD"
status: "open|done"
lessons_learned:
- "[distilled insight]"
Internal notification (SEV-1/2):
๐จ SECURITY INCIDENT โ [severity]
What: [brief description]
Impact: [what's affected]
Status: [containment/investigation/resolved]
Incident Commander: [name]
Channel: #incident-[id]
Next update: [time]
DO NOT discuss outside this channel.
Customer notification (if required):
Subject: Security Notice โ [Company Name]
We're writing to inform you of a security incident that [may have|affected] your account.
What happened: [brief, honest description]
When: [date range]
What data was involved: [specific data types]
What we've done: [remediation steps]
What you should do: [password reset, monitor accounts, etc.]
Contact: [security team email/phone]
We take the security of your data seriously and have [specific improvements].
# Copy-paste baseline for production:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
X-XSS-Protection: 0 # Disabled โ CSP handles this; old header can cause issues
Set-Cookie: session=<token>;
Secure; # HTTPS only
HttpOnly; # No JavaScript access
SameSite=Lax; # CSRF protection (Strict if no cross-site navigation needed)
Path=/; # Scope appropriately
Max-Age=3600; # 1 hour (adjust per use case)
Domain=.yourdomain.com; # Explicit domain
password_policy:
minimum_length: 12 # NIST minimum is 8, 12+ recommended
maximum_length: 128 # Must support long passwords
complexity_rules: false # NIST says don't require special chars
check_against_breached: true # HaveIBeenPwned API
no_password_hints: true
no_security_questions: true # Easy to social engineer
allow_paste: true # For password managers
rate_limit_attempts: "5 per 15 minutes"
lockout_duration: "progressive (1min, 5min, 15min, 1hr)"
mfa_required: "all accounts"
mfa_methods:
preferred: "TOTP or WebAuthn/passkeys"
acceptable: "push notification"
discouraged: "SMS (SIM swap risk)"
storage: "Argon2id or bcrypt cost 12+"
jwt_security:
signing:
algorithm: "RS256 or EdDSA" # NEVER HS256 with shared secrets in distributed systems
key_rotation: "quarterly"
verify_algorithm: true # Reject alg=none
claims:
exp: "required โ 15 min for access, 7d for refresh"
iss: "required โ validate on every request"
aud: "required โ validate matches expected service"
iat: "required"
jti: "recommended โ for revocation"
nbf: "recommended"
storage:
access_token: "memory only (never localStorage)"
refresh_token: "httpOnly secure cookie"
revocation:
method: "token blacklist with Redis TTL matching exp"
on_password_change: "revoke all tokens"
on_permission_change: "revoke all tokens"
state parameter to prevent CSRFnonce for OIDC to prevent replayQuarter 1 โ Foundation:
Week 1-2: Asset inventory (what do we have?)
Week 3-4: Risk assessment (what matters most?)
Week 5-6: Critical controls (authentication, secrets, backups)
Week 7-8: Basic scanning (dependencies, secrets in code)
Week 9-10: Incident response plan (what if something happens?)
Week 11-12: Security awareness basics (phishing, passwords)
Quarter 2 โ Automation:
- CI/CD security scanning (SAST, dependency audit)
- Automated secret detection (pre-commit hooks)
- Centralized logging and basic alerting
- Access reviews (quarterly)
- Vulnerability management process
Quarter 3 โ Maturity:
- Penetration testing (first external assessment)
- Security architecture review
- Data classification and handling policies
- Vendor security assessments
- Bug bounty program (start small)
Quarter 4 โ Optimization:
- Compliance framework alignment (SOC 2, ISO 27001)
- Red team exercise
- Security metrics dashboard
- Security champion program (devs with security training)
- Supply chain security (SBOM, signed artifacts)
security_dashboard:
vulnerability_management:
- open_critical: 0 # Target: always 0
- open_high: 0 # Target: < 5
- mean_time_to_remediate:
critical: "24h" # Target
high: "7d"
medium: "30d"
- scan_coverage: "100%" # % of repos with automated scanning
incident_management:
- incidents_this_quarter: 0
- mean_time_to_detect: "< 1h"
- mean_time_to_respond: "< 4h"
- mean_time_to_recover: "< 24h"
access_control:
- mfa_adoption: "100%"
- privileged_accounts: 0 # Count, minimize
- stale_accounts: 0 # Accounts unused > 90 days
- access_reviews_completed: "on schedule"
code_security:
- repos_with_sast: "100%"
- repos_with_dependency_scanning: "100%"
- secret_detection_coverage: "100%"
- security_review_for_critical_changes: "100%"
training:
- security_awareness_completion: "100%"
- phishing_simulation_click_rate: "< 5%"
- security_champions_per_team: ">= 1"
PASSIVE (no direct interaction with target):
1. DNS enumeration: subdomains, MX, TXT, CNAME
- Tools: subfinder, amass, crt.sh, dnsdumpster
2. Technology fingerprinting
- Check: Wappalyzer, BuiltWith, HTTP headers
3. Public exposure
- Shodan/Censys for open ports/services
- GitHub/GitLab for leaked code/secrets
- Wayback Machine for old endpoints
4. Employee OSINT (for social engineering scope)
- LinkedIn for tech stack clues
- Job postings reveal internal tools
ACTIVE (interacting with target โ requires permission):
1. Port scanning: full TCP + top 1000 UDP
2. Service enumeration: version detection
3. Web crawling: sitemap, robots.txt, directory brute-force
4. API discovery: /api, /v1, /graphql, /swagger, /openapi
Phase 1 โ Authentication Testing
- Credential stuffing resistance (rate limiting)
- Password reset flow (token guessability, expiry, reuse)
- Account enumeration (different responses for valid/invalid users)
- Session management (token entropy, fixation, timeout)
- MFA bypass attempts (backup codes, race conditions)
- OAuth flow attacks (redirect URI manipulation, scope escalation)
Phase 2 โ Authorization Testing
- Horizontal privilege escalation (access other users' data)
- Vertical privilege escalation (user โ admin)
- Missing function-level access control (direct API calls)
- IDOR on every resource endpoint (change IDs systematically)
- GraphQL introspection + unauthorized field access
- Mass assignment (send extra fields in requests)
Phase 3 โ Injection Testing
- SQL injection on all user inputs (including headers, cookies)
- XSS (reflected, stored, DOM-based) on all output points
- Command injection on any server-side execution
- SSRF on any URL input or file fetch
- Template injection (if server-side templating)
- LDAP/XML/XXE injection where applicable
Phase 4 โ Business Logic Testing
- Price manipulation (change prices in requests)
- Quantity manipulation (negative numbers, decimals, MAX_INT)
- Race conditions (concurrent requests for same resource)
- Workflow bypass (skip steps in multi-step processes)
- Coupon/discount abuse (reuse, stacking)
- Rate limit bypass (header rotation, distributed requests)
report:
executive_summary:
overall_risk: "critical|high|medium|low"
critical_findings: 0
high_findings: 0
medium_findings: 0
low_findings: 0
key_recommendations:
- "[top 3 fixes by impact]"
scope:
targets: "[URLs, IPs, apps tested]"
methodology: "OWASP Testing Guide v4.2 + PTES"
dates: "YYYY-MM-DD to YYYY-MM-DD"
type: "black-box|grey-box|white-box"
exclusions: "[what was out of scope]"
findings:
- id: "F-001"
title: "[descriptive title]"
severity: "critical|high|medium|low|info"
cvss: 0.0
location: "[URL/endpoint/component]"
description: "[what the vulnerability is]"
impact: "[what an attacker could do]"
evidence: "[screenshots, request/response pairs]"
reproduction_steps:
- "[step by step]"
remediation: "[specific fix with code examples]"
references:
- "[OWASP, CWE, CVE links]"
positive_observations:
- "[security controls that were effective]"
supply_chain:
dependencies:
- lock_files: "always commit (package-lock.json, poetry.lock, go.sum)"
- pin_versions: "exact versions, not ranges"
- audit_frequency: "every CI build"
- auto_update: "Dependabot/Renovate with auto-merge for patch, review for minor/major"
- review_new_deps:
check: "maintainer count, last update, download count, known issues"
rule: "no single-maintainer deps for critical paths"
- sbom: "generate SPDX or CycloneDX on every release"
build_pipeline:
- reproducible_builds: true
- artifact_signing: true
- build_provenance: true # SLSA Level 2+
- no_curl_pipe_bash: true # Never pipe internet scripts to shell
- verify_checksums: true
ci_cd:
- pin_action_versions: "use SHA, not tags (actions/checkout@SHA)"
- least_privilege_tokens: true
- no_secrets_in_logs: true
- protected_branches: true
- required_reviews: true
- signed_commits: "recommended"
Rate any application/system 0-100:
| Dimension | Weight | 0 (Critical) | 5 (Adequate) | 10 (Excellent) | |-----------|--------|---------------|---------------|-----------------| | Authentication & Access | 20% | No auth or default creds | Password + basic RBAC | MFA + ABAC + zero trust | | Data Protection | 15% | Plaintext secrets, no encryption | Encryption at rest + transit | E2E encryption, key rotation, classification | | Vulnerability Management | 15% | No scanning, known CVEs | Automated scanning, SLAs met | Full coverage, MTTD < 1h, bug bounty | | Infrastructure Security | 15% | Open ports, no firewall | Hardened baseline, least privilege | Zero trust, microsegmentation, IaC | | Logging & Monitoring | 10% | No security logging | Centralized logs, basic alerts | SIEM, anomaly detection, 24/7 SOC | | Incident Response | 10% | No plan | Documented plan, tested annually | Automated response, < 1h MTTR | | Code Security | 10% | No reviews, injection vulns | SAST in CI, peer review | Full pipeline, threat modeling, security champions | | Supply Chain | 5% | No dependency management | Lock files, automated scanning | SBOM, signed artifacts, SLSA |
Score interpretation:
"Audit security of [project/repo]" โ Full assessment (Phase 1-4)
"Threat model [system/feature]" โ STRIDE analysis (Phase 2)
"Check OWASP top 10 for [app]" โ Application security review (Phase 3)
"Harden [server/container/cloud]" โ Infrastructure checklist (Phase 4)
"Create incident response plan" โ IR playbook (Phase 6)
"Design security program" โ Phased program build (Phase 9)
"Pentest methodology for [target]" โ Testing phases (Phase 10)
"Score security of [system]" โ 100-point rubric (Phase 12)
"Review auth implementation" โ Auth deep dive (Phase 8)
"Check security headers" โ Header audit (Phase 7)
"Vulnerability report for [finding]" โ Report template (Phase 5)
"Supply chain security review" โ Dependency audit (Phase 11)
Machine endpoints, contract coverage, trust signals, runtime metrics, benchmarks, and guardrails for agent-to-agent use.
Machine interfaces
Contract coverage
Status
missing
Auth
None
Streaming
No
Data region
Unspecified
Protocol support
Requires: none
Forbidden: none
Guardrails
Operational confidence: low
curl -s "https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/snapshot"
curl -s "https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/contract"
curl -s "https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/trust"
Operational fit
Trust signals
Handshake
UNKNOWN
Confidence
unknown
Attempts 30d
unknown
Fallback rate
unknown
Runtime metrics
Observed P50
unknown
Observed P95
unknown
Rate limit
unknown
Estimated cost
unknown
Do not use if
Raw contract, invocation, trust, capability, facts, and change-event payloads for machine-side inspection.
Contract JSON
{
"contractStatus": "missing",
"authModes": [],
"requires": [],
"forbidden": [],
"supportsMcp": false,
"supportsA2a": false,
"supportsStreaming": false,
"inputSchemaRef": null,
"outputSchemaRef": null,
"dataRegion": null,
"contractUpdatedAt": null,
"sourceUpdatedAt": null,
"freshnessSeconds": null
}Invocation Guide
{
"preferredApi": {
"snapshotUrl": "https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/snapshot",
"contractUrl": "https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/contract",
"trustUrl": "https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/trust"
},
"curlExamples": [
"curl -s \"https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/snapshot\"",
"curl -s \"https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/contract\"",
"curl -s \"https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/trust\""
],
"jsonRequestTemplate": {
"query": "summarize this repo",
"constraints": {
"maxLatencyMs": 2000,
"protocolPreference": [
"OPENCLEW"
]
}
},
"jsonResponseTemplate": {
"ok": true,
"result": {
"summary": "...",
"confidence": 0.9
},
"meta": {
"source": "CLAWHUB",
"generatedAt": "2026-04-17T02:37:11.905Z"
}
},
"retryPolicy": {
"maxAttempts": 3,
"backoffMs": [
500,
1500,
3500
],
"retryableConditions": [
"HTTP_429",
"HTTP_503",
"NETWORK_TIMEOUT"
]
}
}Trust JSON
{
"status": "unavailable",
"handshakeStatus": "UNKNOWN",
"verificationFreshnessHours": null,
"reputationScore": null,
"p95LatencyMs": null,
"successRate30d": null,
"fallbackRate": null,
"attempts30d": null,
"trustUpdatedAt": null,
"trustConfidence": "unknown",
"sourceUpdatedAt": null,
"freshnessSeconds": null
}Capability Matrix
{
"rows": [
{
"key": "OPENCLEW",
"type": "protocol",
"support": "unknown",
"confidenceSource": "profile",
"notes": "Listed on profile"
},
{
"key": "an",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "data",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "someone",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "sensitive",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "the",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "user",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "non",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "jwt",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "unsigned",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "issue",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "type",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "cause",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
},
{
"key": "long",
"type": "capability",
"support": "supported",
"confidenceSource": "profile",
"notes": "Declared in agent profile metadata"
}
],
"flattenedTokens": "protocol:OPENCLEW|unknown|profile capability:an|supported|profile capability:data|supported|profile capability:someone|supported|profile capability:sensitive|supported|profile capability:the|supported|profile capability:user|supported|profile capability:non|supported|profile capability:jwt|supported|profile capability:unsigned|supported|profile capability:issue|supported|profile capability:type|supported|profile capability:cause|supported|profile capability:long|supported|profile"
}Facts JSON
[
{
"factKey": "docs_crawl",
"category": "integration",
"label": "Crawlable docs",
"value": "6 indexed pages on the official domain",
"href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
"sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
"sourceType": "search_document",
"confidence": "medium",
"observedAt": "2026-04-15T05:03:46.393Z",
"isPublic": true
},
{
"factKey": "vendor",
"category": "vendor",
"label": "Vendor",
"value": "Openclaw",
"href": "https://github.com/openclaw/skills/tree/main/skills/1kalin/afrexai-cybersecurity-engine",
"sourceUrl": "https://github.com/openclaw/skills/tree/main/skills/1kalin/afrexai-cybersecurity-engine",
"sourceType": "profile",
"confidence": "medium",
"observedAt": "2026-04-15T00:45:39.800Z",
"isPublic": true
},
{
"factKey": "protocols",
"category": "compatibility",
"label": "Protocol compatibility",
"value": "OpenClaw",
"href": "https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/contract",
"sourceUrl": "https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/contract",
"sourceType": "contract",
"confidence": "medium",
"observedAt": "2026-04-15T00:45:39.800Z",
"isPublic": true
},
{
"factKey": "handshake_status",
"category": "security",
"label": "Handshake status",
"value": "UNKNOWN",
"href": "https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/trust",
"sourceUrl": "https://xpersona.co/api/v1/agents/clawhub-skills-1kalin-afrexai-cybersecurity-engine/trust",
"sourceType": "trust",
"confidence": "medium",
"observedAt": null,
"isPublic": true
}
]Change Events JSON
[
{
"eventType": "docs_update",
"title": "Docs refreshed: Sign in to GitHub ยท GitHub",
"description": "Fresh crawlable documentation was indexed for the official domain.",
"href": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
"sourceUrl": "https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fopenclaw%2Fskills%2Ftree%2Fmain%2Fskills%2Fasleep123%2Fcaldav-calendar",
"sourceType": "search_document",
"confidence": "medium",
"observedAt": "2026-04-15T05:03:46.393Z",
"isPublic": true
}
]Sponsored
Ads related to afrexai-cybersecurity-engine and adjacent AI workflows.