security_posture_analyzer_skill

This skill analyzes an organization's security posture by evaluating headers, CSP, HSTS, security.txt, and email security signals to identify gaps.
  • Python

42

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill transilienceai/communitytools --skill security_posture_analyzer

  • SKILL.md10.0 KB

Overview

This skill analyzes a web application’s security posture by inspecting HTTP security headers, Content Security Policy (CSP), HSTS, WAF presence, and security discovery files like security.txt. It combines header presence, CSP parsing, DNS email records, and discovered security files to produce actionable findings and an overall grade. The output highlights missing controls, risky directives, third-party services, and prioritized recommendations.

How this skill works

The analyzer ingests HTTP, DNS, HTML, and repository signals to evaluate security headers and policies. It parses CSP to identify unsafe directives and allowed third-party domains, inspects HSTS and other headers for correct configuration, checks TXT DNS records for SPF/DMARC/DKIM, and looks for security.txt and related discovery files. Results include per-header analysis, CSP strengths/weaknesses, email security checks, detected technologies, and a composite score with recommendations.

When to use it

  • During reconnaissance for penetration testing or bug bounty triage
  • Before launching a web application or after major deployments
  • When auditing third-party integrations and CDN usage
  • To validate email authentication and anti-phishing posture
  • For periodic security posture reviews and compliance checks

Best practices

  • Enforce strict HSTS with includeSubDomains and preload where appropriate
  • Use CSP nonces or hashes instead of 'unsafe-inline' or 'unsafe-eval'
  • Add defensive headers like X-Frame-Options and X-Content-Type-Options if missing
  • Enable CSP reporting (report-uri/report-to) to detect violations
  • Publish and maintain a security.txt with accurate contact and disclosure info

Example use cases

  • Scan a target during a bug bounty engagement to prioritize attack paths from misconfigured headers
  • Verify CSP changes after a frontend refactor to ensure no unsafe directives were introduced
  • Assess email domain records before security awareness phishing tests
  • Detect third-party services (analytics, payment providers, error trackers) from CSP and headers
  • Produce an executive summary and prioritized remediation list for dev and security teams

FAQ

The score aggregates per-header and policy scores to give a single health indicator; it’s a guide, not a guarantee of safety.

How are third-party domains identified?

The skill extracts domains from CSP directives and known header patterns, then maps them against a service signature list to infer technologies.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational