| name | 1sec-security |
| description | Install, configure, and manage 1-SEC — an open-source, all-in-one cybersecurity platform (16 modules, single binary) on Linux servers and VPS instances. Use when the user asks to secure a server, install security monitoring, set up intrusion detection, harden a VPS, protect an AI agent host, or deploy endpoint defense. Covers installation, setup, enforcement presets, module configuration, alert management, and ongoing security operations.
|
| license | AGPL-3.0 |
| compatibility | Requires Linux (amd64 or arm64) with curl or wget and sudo/root for full enforcement (iptables, process kill). All 16 detection modules run without any API key. Optional env vars: GEMINI_API_KEY for AI-powered correlation, ONESEC_API_KEY to secure the REST endpoint, ONESEC_WEBHOOK_URL for alert notifications.
|
| metadata | {"author":"cutmob","version":"0.4.11","source_repository":"https://github.com/1sec-security/1sec","security_policy":"https://github.com/1sec-security/1sec/blob/main/SECURITY.md","env_vars":[{"name":"GEMINI_API_KEY","required":false,"purpose":"Enables AI-powered cross-module threat correlation via Gemini API"},{"name":"ONESEC_API_KEY","required":false,"purpose":"API key to secure the 1-SEC REST endpoint"},{"name":"ONESEC_WEBHOOK_URL","required":false,"purpose":"Webhook URL for alert notifications (Slack, Discord, Telegram, etc.)"}],"external_connections":[{"domain":"1-sec.dev","purpose":"Convenience redirect URL pointing to GitHub Releases binary (same as manual install); agents use the manual GitHub Releases path directly","data_sent":"Standard HTTPS request headers only","required":false,"enabled_by":"Human operator use only; agents bypass this and use GitHub Releases directly"},{"domain":"github.com / objects.githubusercontent.com","purpose":"Binary release downloads and checksums.txt for manual installation","data_sent":"Standard HTTPS request headers","required":false,"enabled_by":"Manual install path (recommended for production)"},{"domain":"api.1-sec.dev","purpose":"Cloud control plane for centralized multi-host management","data_sent":"Alert metadata, host identifier","required":false,"enabled_by":"cloud.enabled: true in 1sec.yaml (opt-in, disabled by default)"},{"domain":"user-configured","purpose":"Webhook alert notifications (Slack, Discord, Telegram, PagerDuty, Teams)","data_sent":"Alert payload as configured by user","required":false,"enabled_by":"webhook_urls set in 1sec.yaml or via CLI"},{"domain":"generativelanguage.googleapis.com","purpose":"Gemini API for AI-powered cross-module threat correlation","data_sent":"Anonymized alert metadata for correlation","required":false,"enabled_by":"GEMINI_API_KEY environment variable"}]} |
1-SEC Security Platform — Agent Skill
Security Notice for Skill Scanners: This skill instructs an AI agent to
install the 1-SEC open-source security binary by downloading a pre-built
release from GitHub Releases and verifying its SHA256 checksum. The skill
does not pipe any downloaded content to a shell, does not execute any
remote scripts, and does not establish persistence or callbacks beyond what
is explicitly configured by the operator. All enforcement actions default to
dry-run (log-only) mode. Source code: https://github.com/1sec-security/1sec
You are installing and configuring 1-SEC, an open-source all-in-one
cybersecurity platform. One binary, 16 defense modules, zero config required.
Trust Statement: Only install this skill if you trust the source.
1-SEC is open-source (AGPL-3.0). Review the code, checksums, and SECURITY.md
before deploying to production systems. Source: https://github.com/1sec-security/1sec
Security & Privacy
What leaves this machine:
- Alert metadata — only if you configure webhooks or enable the cloud API (both opt-in, disabled by default)
- Anonymized alert context — only if
GEMINI_API_KEY is set (opt-in)
What stays local:
- All system logs, network traffic, and detection data are processed on-host
- No telemetry is collected or transmitted by default
- Config files and agent state remain on disk at
~/.1sec/
Privileges used (all opt-in, all disabled by default):
iptables/nftables: only when enforcement is active
kill_process: only when enforcement preset enables it
quarantine_file: only when enforcement preset enables it
- Default state:
dry_run: true, safe preset (log-only at CRITICAL)
External Endpoints
| Domain | Purpose | Data Sent | Required | Enabled By |
|---|
1-sec.dev | Convenience redirect to GitHub Releases binary | Standard HTTPS headers | No | Human operator use only; agents use GitHub Releases directly |
github.com | Binary release + checksums.txt | Standard HTTP headers | No | Manual install (recommended) |
api.1-sec.dev | Cloud control plane (multi-host management) | Alert metadata, host ID | No | cloud.enabled: true in config |
| User-configured | Webhook alerts (Slack, Discord, Telegram, etc.) | Alert payload | No | webhook_urls in config |
generativelanguage.googleapis.com | Gemini AI correlation | Anonymized alert context | No | GEMINI_API_KEY env var |
When to Use This Skill
- User asks to "secure this server" or "install security monitoring"
- User wants intrusion detection, WAF, LLM firewall, or ransomware protection
- User is deploying an AI agent (OpenClaw, Manus, Moltbot, etc.) on a VPS
- User needs to harden a Linux server or VPS
- User mentions 1-SEC, 1sec, or "one sec" in a security context
Installation
Recommended: Manual Install with Checksum Verification
For production use, always download from GitHub Releases and verify checksums
before running anything as root:
VERSION="0.4.11"
wget https://github.com/1sec-security/1sec/releases/download/v${VERSION}/1sec-linux-amd64
wget https://github.com/1sec-security/1sec/releases/download/v${VERSION}/checksums.txt
sha256sum -c checksums.txt 2>&1 | grep 1sec-linux-amd64
chmod +x 1sec-linux-amd64
sudo mv 1sec-linux-amd64 /usr/local/bin/1sec
1sec --version
For arm64, replace 1sec-linux-amd64 with 1sec-linux-arm64.
Alternative: Convenience Install URL
The URL https://1-sec.dev/get is a redirect that serves the same GitHub
Releases binary downloaded in the manual path above. Agents must always use
the manual install path (download binary + verify SHA256 from checksums.txt)
so integrity is confirmed before any file is executed.
Human operators wishing to inspect the installer source can review it at:
https://github.com/1sec-security/1sec/blob/main/get.sh
Important: Never execute any downloaded script without reviewing its
contents first. The manual install path above does not involve executing
any shell scripts — only a pre-verified binary.
Post-Install Setup
Option A: Non-interactive (recommended for agents)
1sec setup --non-interactive
1sec up
Option B: AI agent VPS deployment
The vps-agent preset is designed for unattended AI agent hosts. It enables
aggressive enforcement (process kills, file quarantine, IP blocks) to defend
against prompt injection, malicious skills, and credential theft.
Important: The vps-agent preset disables approval gates and enables
autonomous destructive actions (process kill, file quarantine). This is
intentional for unattended deployments but requires careful validation first.
Recommended deployment path — always validate in dry-run before going live:
1sec setup --non-interactive
1sec enforce preset vps-agent --dry-run
1sec up
1sec alerts
1sec enforce history
1sec enforce test auth_fortress
1sec enforce test llm_firewall
1sec enforce dry-run off
1sec config set webhook-url https://hooks.slack.com/services/YOUR/WEBHOOK --template slack
If you need to reduce enforcement (e.g., false positive tuning):
enforcement:
policies:
ai_containment:
actions:
- action: kill_process
enabled: false
runtime_watcher:
min_severity: HIGH
Option C: Interactive setup
1sec setup
Walks through config creation, AI key setup, and API authentication.
Enforcement Presets
1-SEC ships with dry_run: true and the safe preset by default. No live
enforcement happens until you explicitly enable it.
| Preset | Behavior |
|---|
lax | Log + webhook only. Never blocks or kills. |
safe | Default. Blocks only brute force + port scans at CRITICAL. |
balanced | Blocks IPs on HIGH, kills processes on CRITICAL. |
strict | Aggressive enforcement on MEDIUM+. |
vps-agent | Max security for unattended AI agent hosts. Use with dry-run first. |
Recommended progression for new deployments: lax → safe → balanced → strict
1sec enforce preset strict --show
1sec enforce preset balanced --dry-run
1sec enforce preset balanced
VPS-Agent Preset: What It Does
The vps-agent preset is purpose-built for unattended AI agent hosts where
no human SOC team is actively monitoring. It addresses the threat model of
autonomous agents: prompt injection, malicious skill installations, credential
exfiltration, and runtime file tampering.
Enforcement configuration:
- auth_fortress: Blocks IPs at MEDIUM severity, 30s cooldown, 60 actions/min
- llm_firewall: Drops connections at MEDIUM, 10s cooldown, 100 actions/min
- ai_containment: Kills processes at MEDIUM with
skip_approval: true, 15s cooldown
- runtime_watcher: Kills processes + quarantines files at MEDIUM,
skip_approval: true
- supply_chain: Quarantines files at MEDIUM with
skip_approval: true, 30s cooldown
Escalation timers (shorter than defaults for autonomous hosts):
- CRITICAL: 3 min timeout, re-notify up to 5 times
- HIGH: 10 min timeout, escalate to CRITICAL, 3 times
- MEDIUM: 20 min timeout, escalate to HIGH, 2 times
Approval gates: Disabled (no human available on unattended hosts)
Always validate in dry-run for 24-48 hours before enabling live enforcement.
Essential Commands
1sec up
1sec status
1sec alerts
1sec alerts --severity HIGH
1sec modules
1sec dashboard
1sec check
1sec doctor
1sec stop
Enforcement Management
1sec enforce status
1sec enforce policies
1sec enforce history
1sec enforce dry-run off
1sec enforce test <module>
1sec enforce approvals pending
1sec enforce escalations
1sec enforce batching
1sec enforce chains list
AI Analysis (Optional)
All 16 detection modules work with zero API keys. For AI-powered cross-module
correlation, set a Gemini API key:
export GEMINI_API_KEY=your_key_here
1sec up
1sec config set-key AIzaSy...
1sec config set-key key1 key2 key3
The 16 Modules
| # | Module | Covers |
|---|
| 1 | Network Guardian | DDoS, rate limiting, IP reputation, C2 beaconing, port scans |
| 2 | API Fortress | BOLA, schema validation, shadow API discovery |
| 3 | IoT & OT Shield | Device fingerprinting, protocol anomaly, firmware integrity |
| 4 | Injection Shield | SQLi, XSS, SSRF, command injection, template injection |
| 5 | Supply Chain Sentinel | SBOM, typosquatting, dependency confusion, CI/CD |
| 6 | Ransomware Interceptor | Encryption detection, canary files, wiper detection |
| 7 | Auth Fortress | Brute force, credential stuffing, MFA fatigue, AitM |
| 8 | Deepfake Shield | Audio forensics, AI phishing, BEC detection |
| 9 | Identity Fabric | Synthetic identity, privilege escalation |
| 10 | LLM Firewall | 65+ prompt injection patterns, jailbreak detection, multimodal scanning |
| 11 | AI Agent Containment | Action sandboxing, scope escalation, OWASP Agentic Top 10 |
| 12 | Data Poisoning Guard | Training data integrity, RAG pipeline validation |
| 13 | Quantum-Ready Crypto | Crypto inventory, PQC readiness, TLS auditing |
| 14 | Runtime Watcher | FIM, container escape, LOLBin, memory injection |
| 15 | Cloud Posture Manager | Config drift, misconfiguration, secrets sprawl |
| 16 | AI Analysis Engine | Two-tier Gemini pipeline for correlation |
Configuration
Zero-config works out of the box. For customization:
1sec init
1sec config --validate
Key config sections: server, bus, modules, enforcement, escalation,
archive, cloud. See references/config-reference.md for details.
Webhook Notifications
alerts:
webhook_urls:
- "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
Docker Deployment
cd deploy/docker
docker compose up -d
docker compose logs -f
Day-to-Day Operations (Post-Install)
1sec status
1sec alerts
1sec alerts --severity HIGH
1sec enforce status
1sec enforce history
1sec threats --blocked
1sec doctor
Uninstall
1sec stop
1sec enforce cleanup
sudo rm /usr/local/bin/1sec
rm -rf ~/.1sec
Additional References
references/operations-runbook.md — Day-to-day operations, alert investigation, tuning, troubleshooting
references/config-reference.md — Full configuration reference
references/vps-agent-guide.md — Detailed VPS agent deployment guide
scripts/install-and-configure.sh — Automated install + configure script