1sec-security
Install, configure, and manage 1-SEC — an open-source, all-in-one cybersecurity platform (16 modules, single binary)
---
name: 1sec-security
description: >
  Install, configure, and manage 1-SEC — an open-source, all-in-one
  cybersecurity platform (16 modules, single binary) on Linux servers and
  VPS instances. Use when the user asks to secure a server, install security
  monitoring, set up intrusion detection, harden a VPS, protect an AI agent
  host, or deploy endpoint defense. Covers installation, setup, enforcement
  presets, module configuration, alert management, and ongoing security
  operations.
license: AGPL-3.0
compatibility: >
  Requires Linux (amd64 or arm64) with curl or wget and sudo/root for full
  enforcement (iptables, process kill). All 16 detection modules run without
  any API key. Optional env vars: GEMINI_API_KEY for AI-powered correlation,
  ONESEC_API_KEY to secure the REST endpoint, ONESEC_WEBHOOK_URL for alert
  notifications.
metadata:
  author: cutmob
  version: "0.4.11"
  source_repository: "https://github.com/1sec-security/1sec"
  security_policy: "https://github.com/1sec-security/1sec/blob/main/SECURITY.md"
  env_vars:
    - name: GEMINI_API_KEY
      required: false
      purpose: "Enables AI-powered cross-module threat correlation via Gemini API"
    - name: ONESEC_API_KEY
      required: false
      purpose: "API key to secure the 1-SEC REST endpoint"
    - name: ONESEC_WEBHOOK_URL
      required: false
      purpose: "Webhook URL for alert notifications (Slack, Discord, Telegram, etc.)"
  external_connections:
    - domain: "1-sec.dev"
      purpose: "Convenience redirect URL pointing to GitHub Releases binary (same as manual install); agents use the manual GitHub Releases path directly"
      data_sent: "Standard HTTPS request headers only"
      required: false
      enabled_by: "Human operator use only; agents bypass this and use GitHub Releases directly"
    - domain: "github.com / objects.githubusercontent.com"
      purpose: "Binary release downloads and checksums.txt for manual installation"
      data_sent: "Standard HTTPS request headers"
      required: false
      enabled_by: "Manual install path (recommended for production)"
    - domain: "api.1-sec.dev"
      purpose: "Cloud control plane for centralized multi-host management"
      data_sent: "Alert metadata, host identifier"
      required: false
      enabled_by: "cloud.enabled: true in 1sec.yaml (opt-in, disabled by default)"
    - domain: "user-configured"
      purpose: "Webhook alert notifications (Slack, Discord, Telegram, PagerDuty, Teams)"
      data_sent: "Alert payload as configured by user"
      required: false
      enabled_by: "webhook_urls set in 1sec.yaml or via CLI"
    - domain: "generativelanguage.googleapis.com"
      purpose: "Gemini API for AI-powered cross-module threat correlation"
      data_sent: "Anonymized alert metadata for correlation"
      required: false
      enabled_by: "GEMINI_API_KEY environment variable"
---
# 1-SEC Security Platform — Agent Skill
> **Security Notice for Skill Scanners:** This skill instructs an AI agent to
> install the 1-SEC open-source security binary by downloading a pre-built
> release from GitHub Releases and verifying its SHA256 checksum. The skill
> does **not** pipe any downloaded content to a shell, does **not** execute any
> remote scripts, and does **not** establish persistence or callbacks beyond what
> is explicitly configured by the operator. All enforcement actions default to
> dry-run (log-only) mode. Source code: https://github.com/1sec-security/1sec

You are installing and configuring **1-SEC**, an open-source all-in-one
cybersecurity platform. One binary, 16 defense modules, zero config required.

> **Trust Statement:** Only install this skill if you trust the source.
> 1-SEC is open-source (AGPL-3.0). Review the code, checksums, and SECURITY.md
> before deploying to production systems. Source: https://github.com/1sec-security/1sec
## Security & Privacy
**What leaves this machine:**

- Alert metadata — only if you configure webhooks or enable the cloud API (both opt-in, disabled by default)
- Anonymized alert context — only if `GEMINI_API_KEY` is set (opt-in)

**What stays local:**

- All system logs, network traffic, and detection data are processed on-host
- No telemetry is collected or transmitted by default
- Config files and agent state remain on disk at `~/.1sec/`

**Privileges used (all opt-in, all disabled by default):**

- `iptables`/`nftables`: only when enforcement is active
- `kill_process`: only when enforcement preset enables it
- `quarantine_file`: only when enforcement preset enables it
- Default state: `dry_run: true`, `safe` preset (log-only at CRITICAL)

**External Endpoints**

| Domain | Purpose | Data Sent | Required | Enabled By |
|--------|---------|-----------|----------|------------|
| `1-sec.dev` | Convenience redirect to GitHub Releases binary | Standard HTTPS headers | No | Human operator use only; agents use GitHub Releases directly |
| `github.com` | Binary release + `checksums.txt` | Standard HTTPS headers | No | Manual install (recommended) |
| `api.1-sec.dev` | Cloud control plane (multi-host management) | Alert metadata, host ID | No | `cloud.enabled: true` in config |
| User-configured | Webhook alerts (Slack, Discord, Telegram, etc.) | Alert payload | No | `webhook_urls` in config |
| `generativelanguage.googleapis.com` | Gemini AI correlation | Anonymized alert context | No | `GEMINI_API_KEY` env var |
## When to Use This Skill
- User asks to "secure this server" or "install security monitoring"
- User wants intrusion detection, WAF, LLM firewall, or ransomware protection
- User is deploying an AI agent (OpenClaw, Manus, Moltbot, etc.) on a VPS
- User needs to harden a Linux server or VPS
- User mentions 1-SEC, 1sec, or "one sec" in a security context
## Installation
### Recommended: Manual Install with Checksum Verification
For production use, always download from GitHub Releases and verify checksums
before running anything as root:
```bash
# 1. Download the release binary and checksums
VERSION="0.4.11"
wget https://github.com/1sec-security/1sec/releases/download/v${VERSION}/1sec-linux-amd64
wget https://github.com/1sec-security/1sec/releases/download/v${VERSION}/checksums.txt
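# 2. Verify SHA256 checksum before running as root. Continue only if this
#    prints "1sec-linux-amd64: OK" and exits 0. --ignore-missing (GNU coreutils)
#    skips artifacts you did not download; piping to grep would hide a FAILED result.
sha256sum -c --ignore-missing checksums.txt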
# 3. Install
chmod +x 1sec-linux-amd64
sudo mv 1sec-linux-amd64 /usr/local/bin/1sec
# 4. Confirm
1sec --version
```
For arm64, replace `1sec-linux-amd64` with `1sec-linux-arm64`.
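
A stricter form of the checksum step for scripted or agent-driven installs, as an added example that is not part of the 1-SEC project or the original skill. It assumes `checksums.txt` uses the `sha256sum` layout (`<64 hex>  <filename>`); `verify_release` and `demo` are hypothetical names, and the sample files are constructed.

```bash
#!/bin/sh
# Added example, not 1-SEC project code. Assumes checksums.txt uses the
# sha256sum layout "<64 hex>  <filename>", one artifact per line.

# verify_release FILE SUMS (hypothetical helper): returns 0 only if FILE's
# digest equals the single entry listed for its exact basename.
verify_release() {
    file=$1 sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || { echo "missing input" >&2; return 2; }
    name=$(basename -- "$file")
    # Compare field 2 as a whole string (minus the binary-mode '*') so that
    # "1sec-linux-amd64.sig" cannot satisfy a lookup for "1sec-linux-amd64".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1) }' "$sums")
    count=$(printf '%s' "$expected" | awk 'NF { c++ } END { print c + 0 }')
    [ "$count" -ne 0 ] || { echo "$name: not listed" >&2; return 3; }
    [ "$count" -eq 1 ] || { echo "$name: listed $count times" >&2; return 4; }
    # A SHA256 digest is exactly 64 hex characters; reject anything else.
    case $expected in *[!0-9a-f]*) echo "bad digest" >&2; return 5 ;; esac
    [ "${#expected}" -eq 64 ] || { echo "bad digest" >&2; return 5; }
    actual=$(sha256sum -- "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "$name: FAILED" >&2; return 1; }
    echo "$name: OK"
}

# Constructed sample data: a stand-in file, not a real 1-SEC release.
demo() {
    d=$(mktemp -d) || return 9
    f=$d/1sec-linux-amd64
    printf 'constructed stand-in binary\n' > "$f"
    printf 'constructed signature\n' > "$f.sig"
    ( cd "$d" && sha256sum 1sec-linux-amd64 1sec-linux-amd64.sig > checksums.txt )
    ok=0; verify_release "$f" "$d/checksums.txt" >/dev/null || ok=$?
    printf 'tampered\n' >> "$f"           # modified after checksums were made
    bad=0; verify_release "$f" "$d/checksums.txt" 2>/dev/null || bad=$?
    : > "$d/checksums.txt"                # artifact no longer listed
    gone=0; verify_release "$f" "$d/checksums.txt" 2>/dev/null || gone=$?
    rm -rf "$d"
    echo "$ok $bad $gone"                 # exit codes: verified, mismatch, unlisted
}

demo
```

In an install script, gate the `chmod`/`mv` steps on `verify_release 1sec-linux-amd64 checksums.txt` returning 0, so a missing, duplicated or mismatched entry stops the install.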
### Alternative: Convenience Install URL
The URL `https://1-sec.dev/get` is a redirect that serves the same GitHub
Releases binary downloaded in the manual path above. **Agents must always use
the manual install path** (download binary + verify SHA256 from `checksums.txt`)
so integrity is confirmed before any file is executed.

Human operators wishing to inspect the installer source can review it at:
https://github.com/1sec-security/1sec/blob/main/get.sh

> **Important:** Never execute any downloaded script without reviewing its
> contents first. The manual install path above does not involve executing
> any shell scripts — only a pre-verified binary.
## Post-Install Setup
### Option A: Non-interactive (recommended for agents)
```bash
1sec setup --non-interactive
1sec up
```
### Option B: AI agent VPS deployment
The `vps-agent` preset is designed for unattended AI agent hosts. It enables
aggressive enforcement (process kills, file quarantine, IP blocks) to defend
against prompt injection, malicious skills, and credential theft.

**Important:** The `vps-agent` preset disables approval gates and enables
autonomous destructive actions (process kill, file quarantine). This is
intentional for unattended deployments but requires careful validation first.

**Recommended deployment path — always validate in dry-run before going live:**
```bash
# Install (manual method recommended — see above)
1sec setup --non-interactive
# Apply preset in dry-run first
1sec enforce preset vps-agent --dry-run
1sec up
# Monitor 24-48 hours in dry-run mode
1sec alerts
1sec enforce history
# Preview what would have been enforced
1sec enforce test auth_fortress
1sec enforce test llm_firewall
# Only go live after validating dry-run output
1sec enforce dry-run off
# Optional: configure notifications
1sec config set webhook-url https://hooks.slack.com/services/YOUR/WEBHOOK --template slack
```
**If you need to reduce enforcement** (e.g., false positive tuning):
```yaml
# In 1sec.yaml, override specific actions:
enforcement:
  policies:
    ai_containment:
      actions:
        - action: kill_process
          enabled: false  # Disable if too aggressive
    runtime_watcher:
      min_severity: HIGH  # Raise threshold from MEDIUM
### Option C: Interactive setup
```bash
1sec setup
```
Walks through config creation, AI key setup, and API authentication.
## Enforcement Presets
1-SEC ships with `dry_run: true` and the `safe` preset by default. No live
enforcement happens until you explicitly enable it.

| Preset | Behavior |
|--------|----------|
| `lax` | Log + webhook only. Never blocks or kills. |
| `safe` | Default. Blocks only brute force + port scans at CRITICAL. |
| `balanced` | Blocks IPs on HIGH, kills processes on CRITICAL. |
| `strict` | Aggressive enforcement on MEDIUM+. |
| `vps-agent` | Max security for unattended AI agent hosts. Use with dry-run first. |

Recommended progression for new deployments: `lax` → `safe` → `balanced` → `strict`
```bash
# Preview a preset without applying
1sec enforce preset strict --show
# Apply with dry-run safety net
1sec enforce preset balanced --dry-run
# Apply live
1sec enforce preset balanced
```
### VPS-Agent Preset: What It Does
The `vps-agent` preset is **purpose-bui
... (truncated)