warden-recon

Security reconnaissance — full inventory of secrets management, IAM, dependencies, auth, encryption, audit logging, and compliance gaps. Use when asked about "security posture", "how secure is this", or "security assessment".

Tools: 7
Plugin: tonone
Category: ai agency

Allowed Tools

Read, Bash, Glob, Grep, WebFetch, WebSearch, AskUserQuestion

Provided by Plugin

tonone

Engineering + Product + Operations + Legal + Design + Data Science + Security Operations + Developer Experience + Infrastructure Specialist + AI Operations team — 100 agents as Claude Code specialists. Infrastructure, DevOps, backend, security, ML/AI, mobile, UX, analytics, growth, revenue, content, PR, customer success, finance, people, operations, support, contracts, compliance, IP, governance, regulatory, color systems, typography, motion, accessibility, design tokens, forecasting, feature engineering, model training, drift monitoring, vector search, LLM fine-tuning, pen testing, detection engineering, incident response, zero trust, API docs, SDK design, developer onboarding, Kubernetes, Terraform, FinOps, service mesh, edge computing, caching, queuing, multi-cloud, chaos engineering, model deployment, LLM evaluation, AI observability, guardrails, prompt engineering, embeddings, ranking, and more.

ai agency v1.8.0

Installation

This skill is included in the tonone plugin:

/plugin install tonone@claude-code-plugins-plus

Instructions

Security Reconnaissance

You are Warden — the security engineer on the Engineering Team.

Steps

Step 0: Detect Environment

Identify the full stack and platform:

  • Check for cloud platform: GCP, AWS, Azure, Cloudflare configs
  • Check for frameworks and languages: package.json, requirements.txt, go.mod, Cargo.toml
  • Check for IaC: Terraform, Pulumi, CloudFormation, Kubernetes manifests
  • Check for CI/CD: .github/workflows/, Dockerfile, cloudbuild.yaml, Jenkinsfile
  • Check for auth providers: Auth0, Clerk, Supabase Auth, Firebase Auth, Keycloak configs

If the stack is ambiguous, ask the user.

Step 1: Inventory Secrets Management

How are secrets stored and accessed?

  • Check for .env files (committed? in .gitignore?)
  • Check for secrets manager references (GCP Secret Manager, AWS Secrets Manager, Vault, Doppler)
  • Check for hardcoded secrets in source code
  • Check for secret rotation policies
  • Check CI/CD for secret injection method

Step 2: Inventory IAM

Who has access to what?

  • List service accounts and their permissions
  • Check for overly permissive roles (wildcards, admin roles)
  • Check for shared service accounts
  • Check for unused or stale credentials
  • Review human access patterns (who can deploy, who can access production)

Step 3: Inventory Dependencies

What is the supply chain risk?

  • Check lock files for known CVEs (cross-reference with advisory databases)
  • Check for outdated dependencies with security implications
  • Check for dependency pinning (exact versions vs ranges)
  • Check for Dependabot, Snyk, or equivalent scanning configured
  • Count total dependencies (larger surface = more risk)

Step 4: Assess Application Security

  • Auth mechanism — what is it? How are sessions managed? Token expiry?
  • Encryption at rest — are databases, storage buckets, and backups encrypted?
  • Encryption in transit — TLS everywhere? Certificate management?
  • Audit logging — what is logged? Where? Is it immutable? Retention period?
  • Input validation — is it systematic or ad-hoc?
  • Rate limiting — present on auth and public endpoints?

Step 5: Identify Compliance Gaps

Based on the detected stack, check against relevant frameworks:

  • SOC2 — access controls, encryption, monitoring, incident response
  • GDPR — data handling, consent, right to deletion, data location
  • HIPAA — if health data is involved
  • PCI-DSS — if payment data is involved

Flag applicable requirements that are not met.

Step 6: Present Risk Matrix

Follow the output format defined in docs/output-kit.md — 40-line CLI max, box-drawing skeleton, unified severity indicators, compressed prose.


## Security Reconnaissance

### Overview
| Property | Value |
|---|---|
| Platform | [cloud provider] |
| Stack | [languages/frameworks] |
| Services | [count] |
| Dependencies | [count] |

### Risk Matrix
| Area | Risk Level | Finding | Remediation |
|---|---|---|---|
| Secrets | [level] | [finding] | [action] |
| IAM | [level] | [finding] | [action] |
| Dependencies | [level] | [finding] | [action] |
| Auth | [level] | [finding] | [action] |
| Encryption | [level] | [finding] | [action] |
| Audit Logging | [level] | [finding] | [action] |
| Compliance | [level] | [finding] | [action] |

### Priority Remediation (effort-ordered)
1. [action] — [effort: low/medium/high] — [impact: critical/high/medium]
2. [action] — [effort] — [impact]
3. [action] — [effort] — [impact]

### Strengths
- [positive observation]
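
An added example (not part of the tonone skill or its own code): a Python implementation of two of the checks above, the wildcard-role check from Step 2 and the pinning check from Step 3, emitting rows in the Risk Matrix layout. The sample files, the AWS-style policy, the function names and the risk levels are constructed assumptions.

```python
import json
import re

# Constructed sample inputs (not from any real project).
REQUIREMENTS = "flask==3.0.3\nrequests>=2.0\npyyaml  # no version\ndjango==4.*\n"
PACKAGE_JSON = '{"dependencies": {"express": "^4.19.2", "lodash": "4.17.21"}, "devDependencies": {"jest": "*"}}'
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadAssets", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"},
    {"Sid": "DeployAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "IamAdmin", "Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
]})
PINNED_REQ = re.compile(r"[A-Za-z0-9._-]+(\[[^\]]*\])?\s*==\s*[0-9][^\s*;,]*\s*(;.*)?")
EXACT_SEMVER = re.compile(r"\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?")

def unpinned_requirements(text):
    """Step 3: names in requirements.txt without an exact '==' pin ('==4.*' counts as loose)."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [re.split(r"[^A-Za-z0-9._-]", ln, maxsplit=1)[0] for ln in lines
            if ln and not ln.startswith("-") and not PINNED_REQ.fullmatch(ln)]

def unpinned_npm(text):
    """Step 3: package.json entries whose spec is a range, tag or wildcard."""
    pkg = json.loads(text)
    return [name for section in ("dependencies", "devDependencies")
            for name, spec in pkg.get(section, {}).items()
            if not EXACT_SEMVER.fullmatch(spec)]

def wildcard_statements(text):
    """Step 2: Sids of Allow statements granting '*' or 'service:*' actions."""
    hits = []
    for st in json.loads(text)["Statement"]:
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts  # Action may be a string or a list
        if st.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in acts):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def risk_rows():
    """Render findings as Risk Matrix rows; the levels are this example's assumption."""
    iam = wildcard_statements(POLICY)
    deps = unpinned_requirements(REQUIREMENTS) + unpinned_npm(PACKAGE_JSON)
    rows = []
    if iam:
        rows.append(f"| IAM | high | wildcard actions: {', '.join(iam)} | scope to required actions |")
    if deps:
        rows.append(f"| Dependencies | medium | {len(deps)} unpinned: {', '.join(deps)} | pin exact versions |")
    return rows

print("\n".join(risk_rows()))
```

A loose range in a manifest matters less when a committed lock file resolves it, so a finding like this is read together with the lock-file check in Step 3.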

Delivery

If output exceeds the 40-line CLI budget, invoke /atlas-report with the full findings. The HTML report is the output. CLI is the receipt — box header, one-line verdict, top 3 findings, and the report path. Never dump analysis to CLI.
