Audit host and service security posture through concrete admin evidence such as users and groups, sudo, listening sockets, firewall state, certificate expiry, secret exposure, package or vulnerability posture, and config drift. Use when CTOX needs to inspect rights, certificates, network exposure, secret handling, or basic hardening state before recommending or applying narrow fixes.
Use this skill for exposure, privilege, certificate, secret, firewall, and service-hardening questions.
Do not use it for generic health review or broad inventory:
- discovery_graph when scope is unclear
- reliability_ops for health and saturation
- change_lifecycle for actual remediation that mutates auth, firewall, TLS, or config state

This skill uses the shared SQLite kernel via skill_key=security_posture.
Preferred helper scripts under scripts/:
- security_collect.py
- security_capture_run.py
- security_store.py
- security_query.py
- security_bootstrap.py

These scripts are open helper resources. Read them before relying on them in a tricky case.
- security.capture_raw
- security.store_capture
- security.store_graph
- security.query
- security.bootstrap_findings

compliance_snapshot, concrete security_finding rows, and a remediation_plan.

change_lifecycle.

Answer for the operator first.
Use these exact headings:
- **Status**
- **State**
- **Scope**
- **Autonomous Actions**
- **Escalation**
- **Current Findings**
- **Next Step**

State must be one of:
- proposed
- prepared
- executed
- blocked

Security review usually ends in proposed or prepared. Do not imply hardening was applied unless a real mutation happened and was verified.
Do not finish the reply until all of the following are true:
- Current Findings is tied to concrete evidence
- Escalation or handed off to change_lifecycle
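The reply contract above (exact headings, allowed State values, no claim of applied hardening without a verified mutation) can be checked mechanically before a reply is sent. The following is an added example, not one of the skill's own scripts; the function names, the `mutation_verified` flag, the assumption that headings appear in the listed order, and the sample reply are all constructed for illustration.

```python
import re

# Heading names and allowed State values are taken from the skill text above.
HEADINGS = ["Status", "State", "Scope", "Autonomous Actions",
            "Escalation", "Current Findings", "Next Step"]
STATES = {"proposed", "prepared", "executed", "blocked"}

def parse_reply(text):
    """Split a reply into (heading, body) pairs on lines of the form **Heading**."""
    sections, current = [], None
    for line in text.splitlines():
        m = re.fullmatch(r"\*\*([^*]+)\*\*", line.strip())
        if m:
            current = [m.group(1), []]
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return [(h, "\n".join(b).strip()) for h, b in sections]

def check_reply(text, mutation_verified=False):
    """Return a list of contract violations; an empty list means the reply passes."""
    sections = parse_reply(text)
    names, problems = [h for h, _ in sections], []
    if names != HEADINGS:  # assumption: the listed order is required
        problems.append("headings must be exactly, in order: " + ", ".join(HEADINGS))
    body = dict(sections)
    state = body.get("State", "").strip().lower()
    if state not in STATES:
        problems.append(f"State {state!r} is not one of {sorted(STATES)}")
    # Assumption: the caller knows whether a real mutation ran and was verified.
    if state == "executed" and not mutation_verified:
        problems.append("State is 'executed' but no verified mutation was recorded")
    if not body.get("Current Findings"):
        problems.append("Current Findings is empty; tie it to concrete evidence")
    return problems

# Constructed sample reply, not output from a real CTOX run.
SAMPLE = "\n".join(f"**{h}**\n{b}" for h, b in zip(HEADINGS, [
    "Review complete.", "executed", "host web-01 (constructed)",
    "Read-only collection.", "None.",
    "sshd listens on 0.0.0.0:22 (listening-socket capture).",
    "Hand off to change_lifecycle."]))

if __name__ == "__main__":
    print(check_reply(SAMPLE))
```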