.claude/skills/evolv-ot-it-security/SKILL.md

---
name: evolv-ot-it-security
description: Perform OT/IT security analysis for EVOLV Node-RED automation systems. Use when reviewing admin endpoints, node input handling, configuration exposure, dependency risk, network/data flow boundaries, and secure-by-default behavior for operational technology integrations.
---

# EVOLV OT/IT Security

## Mission
Identify and reduce security risk while preserving operational reliability for process automation workloads.

## Harness Execution Contract
- Model trust boundaries first (admin HTTP, message ingress, external integrations).
- Define security invariants before edits:
  - secure defaults stay secure unless explicitly approved
  - no sensitive leakage in logs/UI/errors
  - malformed control inputs are rejected predictably
- Support findings with reproducible evidence and concrete remediation steps.

## Scope
- Node-RED admin endpoints in node entry files
- Input validation across `msg.topic` and payload paths
- Exposure of sensitive config/secrets in code, logs, or UI
- Dependency and supply-chain concerns in node packages

## Security Workflow
1. Enumerate attack surface:
- HTTP admin routes
- message ingress topics/payloads
- external service interfaces
2. Validate input sanitization and type checks.
3. Check least-privilege assumptions and secret handling.
4. Evaluate failure modes for denial-of-service or unsafe operation.
5. Recommend pragmatic controls with minimal operational friction.

## Control Priorities
- Reject malformed or unauthorized control messages.
- Avoid leaking credentials, asset identifiers, or internal topology.
- Keep defaults safe; require explicit opt-in for risky behavior.
- Preserve auditability of critical control actions.

## Validation Expectations
- Add negative tests for malformed inputs and unauthorized paths.
- Confirm error paths are explicit and non-sensitive.
- Document residual risk when controls are deferred.

## Deliverables
Return:
- findings sorted by severity
- concrete remediation plan by file
- tests added for security regressions
- residual risks and compensating controls

Decision interview triggers:
- any change that relaxes authentication/authorization checks
- exposure of new admin routes or integration interfaces
- security control deferrals that require compensating controls
added skills etc 2026-02-12 10:48:20 +01:00			`---`
			`name: evolv-ot-it-security`
			`description: Perform OT/IT security analysis for EVOLV Node-RED automation systems. Use when reviewing admin endpoints, node input handling, configuration exposure, dependency risk, network/data flow boundaries, and secure-by-default behavior for operational technology integrations.`
			`---`

			`# EVOLV OT/IT Security`

			`## Mission`
			`Identify and reduce security risk while preserving operational reliability for process automation workloads.`

Migrate to new Gitea instance (gitea.wbd-rd.nl) - Update all submodule URLs from gitea.centraal.wbd-rd.nl to gitea.wbd-rd.nl - Add settler as proper submodule in .gitmodules - Add agent skills, function anchors, decisions, and improvements - Add Docker configuration and scripts - Add manuals and third_party docs - Update .gitignore with secrets and build artifacts - Remove stale .tgz build artifact Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 21:07:04 +01:00			`## Harness Execution Contract`
			`- Model trust boundaries first (admin HTTP, message ingress, external integrations).`
			`- Define security invariants before edits:`
			`- secure defaults stay secure unless explicitly approved`
			`- no sensitive leakage in logs/UI/errors`
			`- malformed control inputs are rejected predictably`
			`- Support findings with reproducible evidence and concrete remediation steps.`

added skills etc 2026-02-12 10:48:20 +01:00			`## Scope`
			`- Node-RED admin endpoints in node entry files`
			- Input validation across `msg.topic` and payload paths
			`- Exposure of sensitive config/secrets in code, logs, or UI`
			`- Dependency and supply-chain concerns in node packages`

			`## Security Workflow`
			`1. Enumerate attack surface:`
			`- HTTP admin routes`
			`- message ingress topics/payloads`
			`- external service interfaces`
			`2. Validate input sanitization and type checks.`
			`3. Check least-privilege assumptions and secret handling.`
			`4. Evaluate failure modes for denial-of-service or unsafe operation.`
			`5. Recommend pragmatic controls with minimal operational friction.`

			`## Control Priorities`
			`- Reject malformed or unauthorized control messages.`
			`- Avoid leaking credentials, asset identifiers, or internal topology.`
			`- Keep defaults safe; require explicit opt-in for risky behavior.`
			`- Preserve auditability of critical control actions.`

			`## Validation Expectations`
			`- Add negative tests for malformed inputs and unauthorized paths.`
			`- Confirm error paths are explicit and non-sensitive.`
			`- Document residual risk when controls are deferred.`

			`## Deliverables`
			`Return:`
			`- findings sorted by severity`
			`- concrete remediation plan by file`
			`- tests added for security regressions`
			`- residual risks and compensating controls`
Migrate to new Gitea instance (gitea.wbd-rd.nl) - Update all submodule URLs from gitea.centraal.wbd-rd.nl to gitea.wbd-rd.nl - Add settler as proper submodule in .gitmodules - Add agent skills, function anchors, decisions, and improvements - Add Docker configuration and scripts - Add manuals and third_party docs - Update .gitignore with secrets and build artifacts - Remove stale .tgz build artifact Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 21:07:04 +01:00
			`Decision interview triggers:`
			`- any change that relaxes authentication/authorization checks`
			`- exposure of new admin routes or integration interfaces`
			`- security control deferrals that require compensating controls`