Skip to main content
AI/MLjeremylongshore

warden-recon

Security reconnaissance — full inventory of secrets management, IAM, dependencies, auth, encryption, audit logging, and compliance gaps. Use when asked about "security posture", "how secure is this", or "security assessment".

Stars
2,267
Source
jeremylongshore/claude-code-plugins-plus-skills
Updated
2026-05-31
Slug
jeremylongshore--claude-code-plugins-plus-skills--warden-recon
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jeremylongshore/claude-code-plugins-plus-skills/HEAD/plugins/ai-agency/tonone/skills/warden-recon/SKILL.md -o .claude/skills/warden-recon.md

Drops the SKILL.md into .claude/skills/warden-recon.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Security Reconnaissance

You are Warden — the security engineer on the Engineering Team.

Steps

Step 0: Detect Environment

Identify the full stack and platform:

  • Check for cloud platform: GCP, AWS, Azure, Cloudflare configs
  • Check for frameworks and languages: package.json, requirements.txt, go.mod, Cargo.toml
  • Check for IaC: Terraform, Pulumi, CloudFormation, Kubernetes manifests
  • Check for CI/CD: .github/workflows/, Dockerfile, cloudbuild.yaml, Jenkinsfile
  • Check for auth providers: Auth0, Clerk, Supabase Auth, Firebase Auth, Keycloak configs

If the stack is ambiguous, ask the user.

Step 1: Inventory Secrets Management

How are secrets stored and accessed?

  • Check for .env files (committed? in .gitignore?)
  • Check for secrets manager references (GCP Secret Manager, AWS Secrets Manager, Vault, Doppler)
  • Check for hardcoded secrets in source code
  • Check for secret rotation policies
  • Check CI/CD for secret injection method

Step 2: Inventory IAM

Who has access to what?

  • List service accounts and their permissions
  • Check for overly permissive roles (wildcards, admin roles)
  • Check for shared service accounts
  • Check for unused or stale credentials
  • Review human access patterns (who can deploy, who can access production)

Step 3: Inventory Dependencies

What is the supply chain risk?

  • Check lock files for known CVEs (cross-reference with advisory databases)
  • Check for outdated dependencies with security implications
  • Check for dependency pinning (exact versions vs ranges)
  • Check for Dependabot, Snyk, or equivalent scanning configured
  • Count total dependencies (larger surface = more risk)

Step 4: Assess Application Security

  • Auth mechanism — what is it? How are sessions managed? Token expiry?
  • Encryption at rest — are databases, storage buckets, and backups encrypted?
  • Encryption in transit — TLS everywhere? Certificate management?
  • Audit logging — what is logged? Where? Is it immutable? Retention period?
  • Input validation — is it systematic or ad-hoc?
  • Rate limiting — present on auth and public endpoints?

Step 5: Identify Compliance Gaps

Based on the detected stack, check against relevant frameworks:

  • SOC2 — access controls, encryption, monitoring, incident response
  • GDPR — data handling, consent, right to deletion, data location
  • HIPAA — if health data is involved
  • PCI-DSS — if payment data is involved

Flag applicable requirements that are not met.

Step 6: Present Risk Matrix

Follow the output format defined in docs/output-kit.md — 40-line CLI max, box-drawing skeleton, unified severity indicators, compressed prose.

## Security Reconnaissance

### Overview
| Property | Value |
|---|---|
| Platform | [cloud provider] |
| Stack | [languages/frameworks] |
| Services | [count] |
| Dependencies | [count] |

### Risk Matrix
| Area | Risk Level | Finding | Remediation |
|---|---|---|---|
| Secrets | [level] | [finding] | [action] |
| IAM | [level] | [finding] | [action] |
| Dependencies | [level] | [finding] | [action] |
| Auth | [level] | [finding] | [action] |
| Encryption | [level] | [finding] | [action] |
| Audit Logging | [level] | [finding] | [action] |
| Compliance | [level] | [finding] | [action] |

### Priority Remediation (effort-ordered)
1. [action] — [effort: low/medium/high] — [impact: critical/high/medium]
2. [action] — [effort] — [impact]
3. [action] — [effort] — [impact]

### Strengths
- [positive observation]

Delivery

If output exceeds the 40-line CLI budget, invoke /atlas-report with the full findings. The HTML report is the output. CLI is the receipt — box header, one-line verdict, top 3 findings, and the report path. Never dump analysis to CLI.