| name | adversarial-security |
| description | Usar cuando se necesita auditar la seguridad de un proyecto con pipeline Red Team / Blue Team. |
| summary | Pipeline Red Team + Blue Team + Auditor independiente.
Scoring CVSS, mapeo STRIDE, gap analysis.
Output: informe con score 0-100 y recomendaciones.
|
| maturity | stable |
| context | fork |
| context_cost | medium |
| agent | security-attacker |
| category | governance |
| tags | ["security","adversarial","red-team","blue-team"] |
| priority | high |
| trigger | {"type":"keyword","keywords":["vulnerabilidad","pentest","sql injection","xss","inyeccion","security audit","red team","blue team"]} |
Subagent Scope Guard
If you were dispatched as a subagent to execute a specific delegated task,
skip this skill's full orchestration workflow. Execute only the assigned
task, report result (DONE / DONE_WITH_CONCERNS / BLOCKED), and return.
This guard prevents runaway skill activation in nested agent contexts.
Adversarial Security Skill
§0 Prerequisitos (gate de arranque)
Doble opt-in (SPEC-186): → si no: ❌ ABORT
bash scripts/savia-double-optin-check.sh \
--skill adversarial-security --confirm-autonomous
Requiere AMBOS: ADVERSARIAL_SECURITY_ENABLED=true Y flag explicito.
§1 Vulnerability Scoring
CVSS simplificado para proyectos internos:
| Factor | Peso | Valores |
|---|
| Attack Vector | 0.3 | Network (1.0), Adjacent (0.7), Local (0.5), Physical (0.2) |
| Complexity | 0.2 | Low (1.0), High (0.5) |
| Privileges | 0.2 | None (1.0), Low (0.6), High (0.3) |
| Impact | 0.3 | High (1.0), Medium (0.6), Low (0.3) |
score = sum(factor × peso) × 10 → escala 0-10
§2 STRIDE Mapping
| Categoría | Pregunta clave | Controles típicos |
|---|
| Spoofing | ¿Puedo suplantar a otro? | Auth, MFA, tokens |
| Tampering | ¿Puedo modificar datos? | Integridad, signing, HMAC |
| Repudiation | ¿Puedo negar una acción? | Audit logs, timestamps |
| Info Disclosure | ¿Puedo acceder a datos? | Encryption, access control |
| DoS | ¿Puedo tumbar el servicio? | Rate limiting, WAF |
| Elevation | ¿Puedo escalar privilegios? | RBAC, least privilege |
§3 OWASP Top 10 Checklist
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable Components
- Auth Failures
- Software/Data Integrity Failures
- Logging Failures
- SSRF
§4 Dependency Audit
npm audit --json 2>/dev/null | jq '.vulnerabilities | length'
pip-audit --format=json 2>/dev/null
dotnet list package --vulnerable --format json 2>/dev/null
§5 Security Score Formula
score = 100 - (critical×25 + high×10 + medium×3 + low×1)
Cada fix verificado recupera los puntos. Floor: 0.