V3 Security Overhaul
Run a security-first v3 architecture pass on claude-flow—fix named CVEs, harden auth/crypto defaults, and stand up validation and test patterns.
Overview
V3 Security Overhaul is an agent skill most often used in Ship (also Build) that orchestrates CVE fixes, secure defaults, and validation for claude-flow v3.
Install
npx skills add https://github.com/ruvnet/ruflo --skill v3-security-overhaulWhat is this skill?
- Targets critical CVE-1 (dependencies), CVE-2 (weak hashing), CVE-3 (hardcoded credentials)
- Orchestrates v3-security-architect, security-auditor, and test-architect parallel tasks
- bcrypt (12 rounds) replacement pattern for SHA-256 password hashing
- crypto.randomBytes-based API key generation instead of hardcoded secrets
- Zod-based input validation and TDD London School security testing guidance
- Documents remediation for 3 named critical CVEs (CVE-1, CVE-2, CVE-3)
- bcrypt cost factor 12 rounds for password hashing
- Quick start defines 3 parallel v3 security agent tasks
Adoption & trust: 622 installs on skills.sh; 58.5k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your claude-flow v3 codebase still carries critical CVE-class issues—bad dependencies, weak password hashing, and hardcoded credentials.
Who is it for?
Maintainers executing a deliberate v3 security migration on claude-flow with agent-assisted architecture and audit tasks.
Skip if: Greenfield apps unrelated to claude-flow/v3 or teams wanting a generic OWASP checklist without implementation orchestration.
When should I use this skill?
Security-first claude-flow v3 implementation addressing critical CVEs and secure-by-default patterns.
What do I get? / Deliverables
You get a coordinated remediation plan with updated dependencies, bcrypt hashing, generated secrets, Zod validation hooks, and security-oriented tests.
- CVE remediation changesets with audited dependencies
- Hardened auth/crypto modules and validation schemas
- Security-focused test specifications or suites
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship/security is the canonical shelf for CVE remediation, dependency audits, and secure-by-default implementation before release. Security subphase covers threat boundaries, credential handling, hashing upgrades, and input validation called out in the overhaul playbook.
Where it fits
Run parallel security-architect and auditor tasks to close CVE-1 through CVE-3 before tagging a v3 release.
Introduce Zod schemas and bcrypt auth while refactoring agent task APIs.
Stand up London School security tests that specify hostile input and credential behavior.
How it compares
Repo-specific security workflow for claude-flow v3, not a generic dependency scanner skill alone.
Common Questions / FAQ
Who is v3 security overhaul for?
Solo builders and maintainers shipping claude-flow v3 who need structured CVE remediation and secure-by-default TypeScript patterns.
When should I use v3 security overhaul?
During Ship security hardening before release, and during Build backend refactors when introducing auth, APIs, or agent task boundaries in v3.
Is v3 security overhaul safe to install?
Review the Security Audits panel on this Prism page; the skill instructs shell/npm and code changes—apply in a branch and re-run audits after edits.
SKILL.md
READMESKILL.md - V3 Security Overhaul
# V3 Security Overhaul ## What This Skill Does Orchestrates comprehensive security overhaul for claude-flow v3, addressing critical vulnerabilities and establishing security-first development practices using specialized v3 security agents. ## Quick Start ```bash # Initialize V3 security domain (parallel) Task("Security architecture", "Design v3 threat model and security boundaries", "v3-security-architect") Task("CVE remediation", "Fix CVE-1, CVE-2, CVE-3 critical vulnerabilities", "security-auditor") Task("Security testing", "Implement TDD London School security framework", "test-architect") ``` ## Critical Security Fixes ### CVE-1: Vulnerable Dependencies ```bash npm update @anthropic-ai$claude-code@^2.0.31 npm audit --audit-level high ``` ### CVE-2: Weak Password Hashing ```typescript // ❌ Old: SHA-256 with hardcoded salt const hash = crypto.createHash('sha256').update(password + salt).digest('hex'); // ✅ New: bcrypt with 12 rounds import bcrypt from 'bcrypt'; const hash = await bcrypt.hash(password, 12); ``` ### CVE-3: Hardcoded Credentials ```typescript // ✅ Generate secure random credentials const apiKey = crypto.randomBytes(32).toString('hex'); ``` ## Security Patterns ### Input Validation (Zod) ```typescript import { z } from 'zod'; const TaskSchema = z.object({ taskId: z.string().uuid(), content: z.string().max(10000), agentType: z.enum(['security', 'core', 'integration']) }); ``` ### Path Sanitization ```typescript function securePath(userPath: string, allowedPrefix: string): string { const resolved = path.resolve(allowedPrefix, userPath); if (!resolved.startsWith(path.resolve(allowedPrefix))) { throw new SecurityError('Path traversal detected'); } return resolved; } ``` ### Safe Command Execution ```typescript import { execFile } from 'child_process'; // ✅ Safe: No shell interpretation const { stdout } = await execFile('git', [userInput], { shell: false }); ``` ## Success Metrics - **Security Score**: 90/100 (npm audit + custom scans) - **CVE Resolution**: 100% of critical vulnerabilities fixed - **Test Coverage**: >95% security-critical code - **Implementation**: All secure patterns documented and tested