RnD/EVOLV
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d0fe4d058388f4426519d8628d1b4902643f58de
EVOLV/.agents/skills/evolv-ot-it-security/SKILL.md
znetsixe 6a6c04d34b Migrate to new Gitea instance (gitea.wbd-rd.nl) 
- Update all submodule URLs from gitea.centraal.wbd-rd.nl to gitea.wbd-rd.nl
- Add settler as proper submodule in .gitmodules
- Add agent skills, function anchors, decisions, and improvements
- Add Docker configuration and scripts
- Add manuals and third_party docs
- Update .gitignore with secrets and build artifacts
- Remove stale .tgz build artifact

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 21:07:04 +01:00

2.3 KiB
Raw Blame History

name, description
name description
evolv-ot-it-security Perform OT/IT security analysis for EVOLV Node-RED automation systems. Use when reviewing admin endpoints, node input handling, configuration exposure, dependency risk, network/data flow boundaries, and secure-by-default behavior for operational technology integrations.

EVOLV OT/IT Security

Mission

Identify and reduce security risk while preserving operational reliability for process automation workloads.

Harness Execution Contract

  • Model trust boundaries first (admin HTTP, message ingress, external integrations).
  • Define security invariants before edits:
    • secure defaults stay secure unless explicitly approved
    • no sensitive leakage in logs/UI/errors
    • malformed control inputs are rejected predictably
  • Support findings with reproducible evidence and concrete remediation steps.

Scope

  • Node-RED admin endpoints in node entry files
  • Input validation across msg.topic and payload paths
  • Exposure of sensitive config/secrets in code, logs, or UI
  • Dependency and supply-chain concerns in node packages

Security Workflow

  1. Enumerate attack surface:
  • HTTP admin routes
  • message ingress topics/payloads
  • external service interfaces
  1. Validate input sanitization and type checks.
  2. Check least-privilege assumptions and secret handling.
  3. Evaluate failure modes for denial-of-service or unsafe operation.
  4. Recommend pragmatic controls with minimal operational friction.

Control Priorities

  • Reject malformed or unauthorized control messages.
  • Avoid leaking credentials, asset identifiers, or internal topology.
  • Keep defaults safe; require explicit opt-in for risky behavior.
  • Preserve auditability of critical control actions.

Validation Expectations

  • Add negative tests for malformed inputs and unauthorized paths.
  • Confirm error paths are explicit and non-sensitive.
  • Document residual risk when controls are deferred.

Deliverables

Return:

  • findings sorted by severity
  • concrete remediation plan by file
  • tests added for security regressions
  • residual risks and compensating controls

Decision interview triggers:

  • any change that relaxes authentication/authorization checks
  • exposure of new admin routes or integration interfaces
  • security control deferrals that require compensating controls
Reference in New Issue View Git Blame Copy Permalink