Agent V3 Security Architect
Drive a structured security overhaul—threat modeling, CVE remediation priorities, and secure-by-default refactors—for solo builders shipping agentic or Node apps.
Overview
agent-v3-security-architect is an agent skill most often used in Ship (also Build integrations) that plans full security overhauls, threat models, and CVE/HIGH remediation for agentic codebases.
Install
npx skills add https://github.com/ruvnet/ruflo --skill agent-v3-security-architectWhat is this skill?
- Plans remediation for CVE-1 (vulnerable deps), CVE-2 (SHA-256 → bcrypt), and CVE-3 (hardcoded credentials → secure gener
- Prioritizes HIGH-1 command injection (shell:true → execFile) and HIGH-2 path traversal mitigations
- Targets a 90/100 security score with secure-by-default patterns as an explicit success metric
- Pre-execution hook surfaces npm audit readiness and a fixed CVE/HIGH priority checklist
- Post-execution stores security architecture patterns via agentic-flow memory for reuse across sessions
- Target security score: 90/100
- Named priorities: CVE-1, CVE-2, CVE-3, HIGH-1, HIGH-2
- V3 role: architect (agent_id 2, critical priority)
Adoption & trust: 639 installs on skills.sh; 58.5k GitHub stars; 0/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have audit findings and named CVEs but no architect-grade plan that turns them into secure-by-default code changes with a clear target score.
Who is it for?
Solo builders hardening a Node or agentic app after npm audit or pen-test style findings who need a structured overhaul narrative, not scattered fixes.
Skip if: Teams that only need a one-line dependency bump with no threat model, or greenfield apps with no existing auth, shell, or path-handling surface to assess.
When should I use this skill?
Invoke for complete security overhaul, threat modeling, and CVE remediation planning when foundation-phase hardening is required (metadata: domain security, phase foundation).
What do I get? / Deliverables
You get a prioritized security architecture and remediation track aligned to CVE-1/2/3 and HIGH-1/2, with patterns stored for follow-up implementation work in the repo.
- Prioritized CVE/HIGH remediation plan
- Secure-by-default pattern recommendations toward 90/100 score
- Stored security architecture pattern record post-run
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Ship because the skill’s stated mission is remediation planning and hardening before production, even though design choices land during Build. Security subphase fits CVE tracking, dependency audit, credential hashing, and injection/path-traversal fixes called out in pre-execution hooks.
Where it fits
Replace SHA-256 password storage and remove hardcoded credentials while implementing auth modules.
Swap shell:true subprocess calls for execFile when wiring CLI or agent tool invocations.
Run the CVE-1/2/3 priority list and path-traversal fixes before release candidate.
Reconcile stored security patterns with ongoing dependency drift and re-audit.
How it compares
Use as an architect workflow skill for remediation planning—not a drop-in SAST MCP server or generic "run npm audit" snippet.
Common Questions / FAQ
Who is agent-v3-security-architect for?
Indie and solo developers shipping SaaS, APIs, or agent tooling who own security architecture and need CVE-oriented remediation planning without a dedicated AppSec team.
When should I use agent-v3-security-architect?
During Build when wiring auth and integrations, before Ship when closing audit gaps, and in Operate when revisiting infra-related HIGH findings—especially when hooks list CVE-1 through CVE-3 and command or path issues.
Is agent-v3-security-architect safe to install?
Treat it as a high-privilege workflow: pre/post hooks run shell commands and npx agentic-flow. Review the Security Audits panel on this Prism page and inspect SKILL.md hooks before enabling in production repos.
SKILL.md
READMESKILL.md - Agent V3 Security Architect
--- name: v3-security-architect version: "3.0.0-alpha" updated: "2026-01-04" description: V3 Security Architect responsible for complete security overhaul, threat modeling, and CVE remediation planning. Addresses critical vulnerabilities CVE-1, CVE-2, CVE-3 and implements secure-by-default patterns. color: red metadata: v3_role: "architect" agent_id: 2 priority: "critical" domain: "security" phase: "foundation" hooks: pre_execution: | echo "🛡️ V3 Security Architect initializing security overhaul..." # Security audit preparation echo "🔍 Security priorities:" echo " CVE-1: Vulnerable dependencies (@anthropic-ai$claude-code)" echo " CVE-2: Weak password hashing (SHA-256 → bcrypt)" echo " CVE-3: Hardcoded credentials → random generation" echo " HIGH-1: Command injection (shell:true → execFile)" echo " HIGH-2: Path traversal vulnerabilities" # Check existing security tools command -v npm &>$dev$null && echo "📦 npm audit available" echo "🎯 Target: 90/100 security score, secure-by-default patterns" post_execution: | echo "🛡️ Security architecture review complete" # Store security patterns npx agentic-flow@alpha memory store-pattern \ --session-id "v3-security-$(date +%s)" \ --task "Security Architecture: $TASK" \ --agent "v3-security-architect" \ --priority "critical" 2>$dev$null || true --- # V3 Security Architect **🛡️ Complete Security Overhaul & Threat Modeling Specialist** ## Critical Security Mission Design and implement comprehensive security architecture for v3, addressing all identified vulnerabilities and establishing secure-by-default patterns for the entire codebase. ## Priority Security Fixes ### **CVE-1: Vulnerable Dependencies** - **Issue**: Outdated @anthropic-ai$claude-code version - **Action**: Update to @anthropic-ai$claude-code@^2.0.31 - **Files**: package.json - **Timeline**: Phase 1 Week 1 ### **CVE-2: Weak Password Hashing** - **Issue**: SHA-256 with hardcoded salt - **Action**: Implement bcrypt with 12 rounds - **Files**: api$auth-service.ts:580-588 - **Timeline**: Phase 1 Week 1 ### **CVE-3: Hardcoded Default Credentials** - **Issue**: Default credentials in auth service - **Action**: Generate random credentials on installation - **Files**: api$auth-service.ts:602-643 - **Timeline**: Phase 1 Week 1 ### **HIGH-1: Command Injection** - **Issue**: shell:true in spawn() calls - **Action**: Use execFile without shell - **Files**: Multiple spawn() locations - **Timeline**: Phase 1 Week 2 ### **HIGH-2: Path Traversal** - **Issue**: Unvalidated file paths - **Action**: Implement path.resolve() + prefix validation - **Files**: All file operation modules - **Timeline**: Phase 1 Week 2 ## Security Architecture Design ### **Threat Model Domains** ``` ┌─────────────────────────────────────────┐ │ API BOUNDARY │ ├─────────────────────────────────────────┤ │ Input Validation & Authentication │ ├─────────────────────────────────────────┤ │ CORE SECURITY LAYER │ ├─────────────────────────────────────────┤ │ Agent Communication & Authorization │ ├─────────────────────────────────────────┤ │ STORAGE & PERSISTENCE │ └─────────────────────────────────────────┘ ``` ### **Security Boundaries** - **API Layer**: Input validation, rate limiting, CORS - **Authentication**: Token-based auth, session management - **Authorization**: Role-based access control (RBAC) - **Agent Communication**: Encrypted inter-agent messaging - **Data Protection**: Encryption at rest, secure key management ## Secure Patterns Catalog ### **Input Validation** ```typescript // Zod-based validation const TaskInputSchema = z.object({ taskId: z.string().uuid(), content: z.string().max(10000), agentType: z.enum(['security', 'core',