liauw-media/system-architect
skills/safety/system-architect/SKILL.md
Use when performing security audits or system hardening. Teaches security assessment principles and prioritization.
$ install --global
skillsauthnpx skillsauth add liauw-media/codeassist system-architectInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 9:40 PM22.3s1 file scanned
SKILL.md
- name:
- system-architect
- description:
- Use when performing security audits or system hardening. Teaches security assessment principles and prioritization.
System Architect
Principles for security auditing and system hardening. Platform-specific commands in docs/security-audit/.
When to Use
- Setting up a new server
- Security audit before deployment
- After major configuration changes
- Periodic security checkups
- Investigating a breach
Core Principles
1. Defense in Depth
No single security measure is sufficient. Layer multiple controls.
Network → Firewall → Service → Application → Data
↓ ↓ ↓ ↓ ↓
Block Filter Harden Validate Encrypt
2. Least Privilege
Grant minimum access required. Remove what's not needed.
3. Fail Secure
When things break, they should fail closed, not open.
4. Audit Everything
If you can't see it, you can't secure it. Log all access.
Priority Levels
All findings must be rated by severity:
| Level | Meaning | Action | |-------|---------|--------| | CRITICAL | Active exploitation possible | Fix NOW | | HIGH | Significant risk | Fix within 24h | | MEDIUM | Best practice violation | Fix within 1 week | | LOW | Minor improvement | Fix when convenient |
Audit Phases
Phase 1: Network Exposure
What can attackers reach?
- List all listening ports
- Check for services bound to 0.0.0.0
- Verify firewall is enabled and configured
- Identify unnecessary exposed services
Phase 2: Authentication
How do users and services authenticate?
- SSH: Key-based only, no root login
- Passwords: Strong policy, no empty passwords
- Services: No default credentials
- 2FA: Enabled where possible
Phase 3: Authorization
What can authenticated users do?
- Principle of least privilege
- No unnecessary sudo access
- Service accounts restricted
- File permissions reviewed
Phase 4: Data Protection
How is sensitive data protected?
- Encryption at rest
- Encryption in transit (TLS)
- Secrets management (not in code)
- Backup encryption
Phase 5: Monitoring
Can you detect attacks?
- Logging enabled
- Log aggregation
- Alerting configured
- Intrusion detection
Quick Audit Checklist
Network
- [ ] Firewall enabled
- [ ] Only necessary ports exposed
- [ ] Services bound to localhost where possible
- [ ] SSL/TLS properly configured
Authentication
- [ ] SSH key-based auth only
- [ ] Root login disabled
- [ ] Strong password policy
- [ ] fail2ban or similar installed
Services
- [ ] Running as non-root users
- [ ] Unnecessary services disabled
- [ ] Configurations hardened
- [ ] Auto-updates enabled
Docker (if applicable)
- [ ] Containers not privileged
- [ ] Ports bound to localhost
- [ ] No secrets in environment
- [ ] Images from trusted sources
Security Scanning
Public Tools (No Setup Required)
| Tool | Purpose | Usage |
|------|---------|-------|
| composer audit | PHP vulnerabilities | composer audit |
| npm audit | Node vulnerabilities | npm audit |
| pip-audit | Python vulnerabilities | pip-audit -r requirements.txt |
| Trivy | Multi-language scanner | docker run aquasec/trivy fs . |
| Gitleaks | Secrets in code | docker run zricethezav/gitleaks detect |
CI Integration
Add to your pipeline:
GitLab CI:
security:
image: aquasec/trivy:latest
script: trivy fs --exit-code 0 --severity HIGH,CRITICAL .
allow_failure: true
GitHub Actions:
- name: Security scan
run: |
docker run aquasec/trivy:latest fs --severity HIGH,CRITICAL .
continue-on-error: true
Output Format
================================================================================
SECURITY AUDIT REPORT
Date: YYYY-MM-DD
Host: hostname
================================================================================
CRITICAL (0)
------------
None found.
HIGH (2)
--------
[HIGH] Issue description
Location: where
Fix: how to fix
MEDIUM (1)
----------
[MEDIUM] Issue description
Fix: how to fix
================================================================================
SUMMARY: 0 Critical | 2 High | 1 Medium | 0 Low
================================================================================
Documentation Integration
After completing an audit:
# Log summary
docchange "Security audit completed - X critical, Y high, Z medium issues"
# Log fixes
docchange "FIXED: Disabled SSH root login"
Reference Commands
Platform-specific audit commands:
| Platform | Location |
|----------|----------|
| Linux | docs/security-audit/linux.md |
| Windows | docs/security-audit/windows.md |
| Docker | docs/security-audit/docker.md |
Common Fixes
| Issue | Fix |
|-------|-----|
| SSH root login | PermitRootLogin no in sshd_config |
| SSH password auth | PasswordAuthentication no in sshd_config |
| No firewall | Enable ufw/firewalld/Windows Firewall |
| Database exposed | Bind to 127.0.0.1 |
| No fail2ban | Install and enable fail2ban |
| Docker privileged | Remove --privileged flag |
| Ports on 0.0.0.0 | Bind to 127.0.0.1:port:port |
Integration
Works with:
server-documentationskill for loggingdefense-in-depthskill for layered securityci-templatesskill for security scanning in CI
Related Skills
liauw-media/subagent-driven-development
development
VerifiedTrustedCommunity
Use when decomposing complex work. Dispatch fresh subagent per task, review between tasks. Flow: Load plan → Dispatch task → Review output → Apply feedback → Mark complete → Next task. No skipping reviews, no parallel dispatch.
3SKILL.mdUpdated Apr 6, 2026
liauw-media/skills/workflow/server-documentation
development
VerifiedTrustedCommunity
# Server Documentation System Set up a documentation system that tracks changes and maintains server/project documentation with Claude Code hooks. ## When to Use - Setting up a new server or development environment - Need to track configuration changes over time - Want automatic documentation of work sessions - Maintaining changelog for infrastructure ## Directory Structure ``` ~/docs/ # User home directory (cross-platform) ├── changelog.md # Global over
3SKILL.mdUpdated Apr 6, 2026
liauw-media/remote-code-agents
development
VerifiedTrustedCommunity
Delegate tasks to remote Claude Code agent containers for parallel execution, long-running analysis, or resource-intensive operations.
3SKILL.mdUpdated Apr 6, 2026
liauw-media/git-worktrees
development
VerifiedTrustedCommunity
Use when working on multiple features simultaneously. Creates isolated workspaces without branch switching, enabling parallel development.
3SKILL.mdUpdated Apr 6, 2026