jmagly/security-engineering-quickref
plugins/security-engineering/skills/security-engineering-quickref/SKILL.md
Security-engineering framework quick reference — decision domains and curated discovery phrases for crypto primitives, chain-of-trust, auth factors, degraded modes, supply-chain trust, and physical-threat modeling
$ install --global
skillsauthnpx skillsauth add jmagly/aiwg security-engineering-quickrefInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 10, 2026, 6:27 AM130.8s1 file scanned
SKILL.md
- name:
- security-engineering-quickref
- namespace:
- aiwg
- platforms:
- [all]
- kernel:
- true
- description:
- Security-engineering framework quick reference — decision domains and curated discovery phrases for crypto primitives, chain-of-trust, auth factors, degraded modes, supply-chain trust, and physical-threat modeling
Security Engineering Framework — Quick Reference
This is your always-loaded directory for the AIWG security-engineering framework. It does not list every skill. Instead, it teaches the framework's decision domains and gives you curated search phrases that map to aiwg discover lookups.
Canonical access pattern: discover → show
When you find a candidate via aiwg discover, fetch its body with aiwg show <type> <name>. Never use find, ls, Glob, or direct Read on <provider>/skills/ paths — those reflect the kernel-pivot deploy state, not the full surface.
aiwg discover "<phrase>" # find — returns ranked candidates
aiwg show skill <name> # fetch — streams the SKILL.md body
If your platform's Skill tool errors on a non-kernel skill (expected — most aren't kernel), the fallback is aiwg show, never filesystem browsing. Last-resort if aiwg itself is broken: read directly from $AIWG_ROOT/agentic/code/... (the canonical corpus, always present).
How to use this quickref
- Identify the decision domain the user is working through (this framework is decision-aid, not audit)
- Pick a curated phrase from that domain
- Run
aiwg discover "<phrase>"and surface the top match to the user
Do not enumerate skills from memory. Discovery is the lookup surface.
What this framework is for
Decision-aid skills for applied security, distinct from the SDLC framework's broader security review (flow-security-review-cycle). Each skill in this framework forces explicit reasoning about a narrow class of security decisions and identifies anti-patterns the operator should reject before implementation.
This is not a vulnerability scanner or pen-test framework. It is a thinking-discipline framework for cryptographic and trust-boundary decisions that get baked into a system early and become hard to change.
Decision domains
| Domain | The decision being made | |---|---| | Cryptographic primitives | Choosing AEAD / KDF / MAC / signature algorithms | | Chain of trust | Designing the boot/bootstrap verification chain | | Authentication factors | Architecting have/know/are factor stack | | Degraded modes | Fail-closed vs fail-open behavior matrices | | Supply chain trust | Beyond CVE/SBOM — pinning depth, reproducible builds, vendor+hash locks | | Runtime secret hygiene | fd passing, scratch surface verification, error-path safety | | Physical threats | Threats STRIDE and OWASP Top 10 don't cover |
Curated discovery phrases
Cryptographic primitives
aiwg discover "crypto primitive selection" # → crypto-primitive-selection
aiwg discover "choose AEAD" # → crypto-primitive-selection
aiwg discover "ad-hoc KDF" # → crypto-primitive-selection
Chain of trust
aiwg discover "chain of trust" # → chain-of-trust-design
aiwg discover "secure bootstrap" # → chain-of-trust-design
aiwg discover "signed boot" # → chain-of-trust-design
Authentication factors
aiwg discover "auth factor design" # → auth-factor-design (score 0.59)
aiwg discover "FIDO2 PIN UV policy" # → auth-factor-design
aiwg discover "coercion-resistance" # → auth-factor-design
Degraded modes
aiwg discover "degraded mode design" # → degraded-mode-design
aiwg discover "fail closed fail open" # → degraded-mode-design
Supply chain trust
aiwg discover "supply chain trust" # → supply-chain-trust (score 0.67)
aiwg discover "reproducible build" # → supply-chain-trust
aiwg discover "dependency pinning" # → supply-chain-trust
Runtime secret hygiene
aiwg discover "secret handling runtime" # → secret-handling-runtime
aiwg discover "fd passing secrets" # → secret-handling-runtime
aiwg discover "scratch surface verification" # → secret-handling-runtime
Physical threats
aiwg discover "physical threat modeling" # → physical-threat-modeling
aiwg discover "evil-maid attack" # → physical-threat-modeling
aiwg discover "DMA attack" # → physical-threat-modeling
Anti-patterns each skill rejects
| Skill | Anti-patterns it identifies |
|---|---|
| crypto-primitive-selection | CBC-without-MAC, ad-hoc KDF, key reuse, PBKDF2 on high-entropy input, openssl enc without explicit flags |
| chain-of-trust-design | Circular trust roots, signing-key custody confusion, missing measured-boot anchors |
| auth-factor-design | Python deps in PRF hot paths, missing coercion-resistance, FIDO2 PIN/UV policy gaps |
| degraded-mode-design | "Type Y to override" prompts, missing degraded-mode matrix, fail-open by accident |
| supply-chain-trust | Dependency pinning by version (not hash), reproducible-build gaps, firmware version-not-locked |
| secret-handling-runtime | SECRETS_ENV aggregation, missing scratch-surface verification, identifier reuse |
| physical-threat-modeling | evil-maid, DMA, hostile peripheral, travel-host, coercion, cold-boot, supply-chain implant, side-channel |
When to use this framework vs the SDLC security flow
| Use this framework | Use flow-security-review-cycle (SDLC) |
|---|---|
| Deciding the primitive (which AEAD?) | Reviewing whether the implementation uses any AEAD correctly |
| Designing the boot chain | Threat-modeling the application boundary |
| Picking an MFA scheme | Auditing existing auth code |
| Defining degraded-mode behavior | Vulnerability scan + STRIDE on a feature |
The SDLC's flow-security-review-cycle is the broader periodic audit. The skills here are pinpoint decision aids — invoke them when the decision is being made, not after.
Rules deployed
This framework ships 4 applied-cryptography rules into the rules index:
no-unauthenticated-encryptionno-key-reuse-across-purposesno-adhoc-kdfcrypto-flag-verification
These deploy via the standard rules-index pipeline.
When the curated phrases don't fit
aiwg discover "<your need, paraphrased>" --limit 5
For asks outside the seven listed skills (e.g., "audit a TLS config", "review a JWT implementation"), the SDLC framework's flow-security-review-cycle is the right surface.
Anti-pattern: don't enumerate
If a user asks "what security skills are available?", do not list from this skill. Run:
aiwg discover --type skill --limit 20 "<their interest area>"
Related Skills
jmagly/radar-status
data-ai
VerifiedTrustedCommunity
Report which research-corpus radar sidecars are overdue for refresh. Computes staleness (days since last refresh vs the cadence window) for every radar, sorted most-overdue-first. Runs via `aiwg corpus radar-status`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-report
data-ai
VerifiedTrustedCommunity
Aggregate research-corpus radar sidecars into a corpus or per-cluster freshness report — totals, overdue count, per-cluster / per-GRADE / per-trajectory breakdowns, an overdue table, and per-radar rationale snippets. Runs via `aiwg corpus radar-report`.
140SKILL.mdUpdated May 28, 2026
jmagly/radar-init
testing
VerifiedTrustedCommunity
Scaffold radar/freshness sidecars for research-corpus REFs. Pulls title/authors from the citation sidecar and GRADE from the analysis doc, defaults the refresh cadence from GRADE and the cluster from a corpus-local map, and stamps documentation/radar/REF-XXX-radar.md. Runs via `aiwg corpus radar-init`.
140SKILL.mdUpdated May 28, 2026
jmagly/profile-temporal
data-ai
VerifiedTrustedCommunity
Compute an entity's publication trajectory — per-year paper counts, topic drift, hot-streak detection (≥3 consecutive A-grade years), and career phase. Runs via `aiwg corpus profile-temporal`.
140SKILL.mdUpdated May 28, 2026