Explore AI Agent Skills & Claude Prompts
Discover open-source agent skills for Claude Code, Codex, ChatGPT, and any tool that uses SKILL.md.
Enter through keywords, occupations, creators, and GitHub sources to see what kinds of skills are emerging across domains.
Use the same catalog through the API
Connect 381,784 public skills to your own search, analytics, or agent workflow with the REST API.
missing-guardrail-fixture
by msaad00
Fixture that intentionally omits the capability guardrail contract.
agent-bom
by msaad00
Open security scanner for agentic infrastructure — agents, MCP, packages, blast radius, runtime, and trust across MCP servers, skills, packages, and agents in Cortex Code.
agent-bom
by msaad00
Open security scanner for agentic infrastructure — agents, MCP, packages, blast radius, runtime, and trust across MCP discovery, CVEs, SBOMs, CIS benchmarks (AWS, Azure, GCP, Snowflake), OWASP/NIST/MITRE compliance, AISVS v1.0, MAESTRO layer tagging, and vector database security checks. Use when the user mentions vulnerability scanning, MCP server trust, compliance, SBOM generation, CIS benchmarks, blast radius, or AI supply chain risk.
agent-bom-scan
by msaad00
Open security scanner for agentic infrastructure — agents, MCP, packages, blast radius, runtime, and trust for package CVEs (OSV, NVD, EPSS, KEV), container images, provenance, filesystems, and SBOMs. Use when: "check package", "scan image", "verify", "is this safe", "scan dependencies", "CVE lookup", "blast radius".
detect-web-broken-access-control
by msaad00
Detect OWASP Top 10 A01:2021 (Broken Access Control) signals in HTTP access logs. Reads OCSF 1.8 HTTP Activity (class 4002) records and fires when one of two deterministic patterns appears: (1) the resource path embeds a user / account / object id that does not match the actor's authenticated subject claim (IDOR — horizontal privilege escalation), or (2) a 4XX response from one principal is followed inside a short window by a 2XX response on the exact same URL after an Authorization header swap (the "auth-swap flip" — typical privilege bypass via stolen / forged token). Emits OCSF Detection Finding 2004 tagged OWASP A01 + MITRE ATT&CK T1212. Use when an ingestion pipeline normalizes web-server / WAF / API-gateway logs into OCSF 4002 and you want a deterministic, no-LLM authz-violation detector. Do NOT use as a WAF, as a posture check on IAM policies (different surface — see CSPM benchmarks), for service-mesh L7 authorisation (Envoy / Istio emit a different log shape), or as a substitute for application-layer
detect-databricks-cluster-init-script-abuse
by msaad00
Detect Databricks cluster init scripts being attached or modified to point at remote (off-DBFS) URLs or unsafe S3 paths. Reads OCSF 1.8 API Activity (class 6003) records normalized from Databricks audit logs whose `api.operation` is `clusters.create` or `clusters.edit` and whose `unmapped.databricks.cluster_config.init_scripts[].destination` falls outside the operator-tuned `DATABRICKS_INIT_SCRIPT_ALLOWED_PATHS` regex (default `^(dbfs:/databricks/init/|s3://databricks-workspace-[a-z0-9-]+-internal/)`) or matches the `\b(curl|wget|http|https|nc|netcat)\b` shell-command pattern. Emits OCSF 1.8 Detection Finding (class 2004) tagged with MITRE ATT&CK T1059.004 (Unix Shell) and T1546 (Boot or Logon Initialization Scripts). Init scripts run on every cluster node at boot under the Databricks-managed service identity, so a remote-fetched script is a workspace-wide RCE primitive. Use when you suspect a Databricks user is wiring an attacker-controlled bootstrap into a workspace cluster. Do NOT use on raw Databricks aud
remediate-aws-sg-revoke
by msaad00
Revoke an AWS Security Group ingress rule flagged as open to the internet. Consumes an OCSF 1.8 Detection Finding (class 2004) emitted by detect-aws-open-security-group (T1190 Exploit Public-Facing Application) and calls EC2 RevokeSecurityGroupIngress to delete just the offending IpPermissions (the specific cidr+port combination, not the whole SG). Every action is dry-run by default, deny-listed against `default*` SG names, any SG carrying the `intentionally-open` tag, and any sg id in AWS_SG_REVOKE_PROTECTED_IDS. Apply requires AWS_SG_REVOKE_INCIDENT_ID + AWS_SG_REVOKE_APPROVER plus an explicit allowed-account binding via AWS_SG_REVOKE_ALLOWED_ACCOUNT_IDS. Dual audit (DynamoDB + KMS-encrypted S3). Reverify re-reads the SG via DescribeSecurityGroups and emits VERIFIED if no offending IpPermissions remain, DRIFT (+ paired OCSF Detection Finding via the shared remediation_verifier contract) if the rule came back, UNREACHABLE if the EC2 API throws. Use when the user mentions "revoke open security group," "close
remediate-azure-nsg-revoke
by msaad00
Use when the user mentions "revoke open Azure NSG rule," "close Azure NSG public exposure," "respond to detect-azure-open-nsg," or "re-verify Azure NSG revoke." Surgical revoke of an Azure Network Security Group inbound rule flagged as open to `*` / `Internet` / `0.0.0.0/0` / `::/0` by detect-azure-open-nsg (T1190 Exploit Public-Facing Application). Default mode is `delete` — calls `NetworkManagementClient.security_rules.begin_delete()` against the specific rule (the cleanest reversible op since NSG rule definitions are versioned by Azure Resource Manager). Opt-in `--mode patch` rewrites `access: Deny` for the same priority+source+destination tuple via `begin_create_or_update()`. Every action is dry-run by default, deny-listed against `default*`/`Default*` rule names, NSG names ending `-protected`, the parent NSG's `intentionally-open` tag, and any rule-fully-qualified-id in AZURE_NSG_REVOKE_DENY_RULE_IDS. Apply requires AZURE_NSG_REVOKE_INCIDENT_ID + AZURE_NSG_REVOKE_APPROVER plus an explicit allowed-subscri
remediate-container-escape-k8s
by msaad00
Contain a Kubernetes container-escape signal by planning, applying, or re-verifying a namespace-scoped deny-all NetworkPolicy for the targeted pod or workload selector. Consumes an OCSF 1.8 Detection Finding (class 2004) emitted by detect-container-escape-k8s and resolves the live selector from the Kubernetes API before emitting a native remediation plan or action record. Every action is dry-run by default, deny-listed for protected namespaces, gated behind an incident ID plus approver plus an explicit cluster allow-list for --apply, and dual-audited (DynamoDB + KMS-encrypted S3). The low-risk default remains reversible quarantine; explicit destructive follow-ups are also supported via `--approve-pod-kill` and `--approve-node-drain`, with the node-drain path requiring a second approver. Use when the user mentions "quarantine a suspicious Kubernetes pod," "contain container escape in Kubernetes," "apply deny-all NetworkPolicy after escape finding," "re-verify K8s quarantine policy," "kill the compromised pod,"
remediate-entra-credential-revoke
by msaad00
Contain a Microsoft Entra credential-addition or app-role-grant escalation by disabling the targeted service principal (accountEnabled=false) and emitting a triage payload that lists the SP's current keyCredentials, passwordCredentials, appRoleAssignments, and oauth2PermissionGrants for operator selective revocation. Consumes OCSF 1.8 Detection Findings (class 2004) from detect-entra-credential-addition (T1098.001) or detect-entra-role-grant-escalation (T1098.003) via Microsoft Graph v1.0. Every action is dry-run by default, deny-listed against tenant-bootstrap and break-glass principals (display-name prefix + ENTRA_PROTECTED_OBJECT_IDS env list), gated behind an incident ID plus approver for --apply, bound to an explicit tenant allow-list via ENTRA_REVOKE_ALLOWED_TENANT_IDS, and dual-audited (DynamoDB + KMS-encrypted S3). Re-verify confirms the SP is still disabled and emits a paired OCSF Detection Finding via the shared remediation_verifier contract on DRIFT (the SP was re-enabled). Use when the user mentio
remediate-gcp-firewall-revoke
by msaad00
Use when a GCP VPC firewall rule has been flagged as opening 0.0.0.0/0 or ::/0 to risky admin / DB / cache ports and you need to contain it. Consumes an OCSF 1.8 Detection Finding (class 2004) emitted by detect-gcp-open-firewall (T1190 Exploit Public-Facing Application) and surgically disables the offending firewall rule via Compute Engine `firewalls.patch` (default safe action: `disabled: true`) or, opt-in via `--mode delete`, removes it via `firewalls.delete`. Every action is dry-run by default, deny-listed against rule names matching `default-*`, rules whose `description` contains `intentionally-open`, and any rule name in GCP_FIREWALL_REVOKE_DENY_RULE_NAMES. Apply requires GCP_FIREWALL_REVOKE_INCIDENT_ID + GCP_FIREWALL_REVOKE_APPROVER plus an explicit allowed-project binding via GCP_FIREWALL_REVOKE_ALLOWED_PROJECT_IDS. Dual audit (DynamoDB + KMS-encrypted S3, same shared infra as the AWS pair, with `provider: "gcp"`). Reverify re-reads the rule via `firewalls.get` and emits VERIFIED if the rule is gone or
remediate-k8s-rbac-revoke
by msaad00
Revoke a Kubernetes RoleBinding or ClusterRoleBinding flagged by an RBAC self-grant finding. Consumes an OCSF 1.8 Detection Finding (class 2004) emitted by detect-privilege-escalation-k8s and plans, applies, or re-verifies deletion of the offending binding identified by the detector's binding.type and binding.name observables. Every action is dry-run by default, deny-listed for protected namespaces (kube-system, kube-public, istio-system, linkerd*) and protected binding names (any binding whose name starts with system:), gated behind an incident ID plus approver plus an explicit cluster allow-list for --apply, and dual-audited (DynamoDB + KMS-encrypted S3). Use when the user mentions "revoke a Kubernetes RoleBinding," "remove a ClusterRoleBinding after privilege escalation," "respond to RBAC self-grant alert," or "re-verify a K8s RBAC revocation." Do NOT use for NetworkPolicy quarantine, pod deletion, node drain, or cloud-IAM revocation — those belong to their own remediation skills. Out of scope for this ski
Browse Agent Skills by Occupation
23 major groups · 867 SOC occupations
Browse by Category
Explore agent skills organized by their primary use case
Explore the agent skills ecosystem by occupation and creator
SkillMD is not just a keyword search box. It is an open map that organizes public skills by occupation, creator, and repository, helping you see which workflows, judgment criteria, and domain habits people are writing for AI agents.
Then follow creators and GitHub repositories back to the source: compare the skills a team maintains, whether the repo is active, and how the README frames the work before you open, install, or reuse anything.
Use it three ways: learn an unfamiliar field by occupation, study how creators organize skills, then use source context to decide what is worth opening or reusing.
01 Map a field
Browse 23 occupation groups and 867 SOC roles to learn what skills exist in adjacent domains and how they break down real work.
02 Follow creators
Use creator and repository pages to inspect maintained skill collections, recent updates, and source context before trusting a result.
03 Search with sources
Search 1.7M+ collected skills, then use occupation tags, creators, and GitHub source context to decide what is worth opening.
Start with the occupation map, then follow creators and repositories back to real code. SkillMD helps explain why a skill is worth opening, not only what it is named.
Standardizing Agent Capabilities with SKILL.md and Model Context Protocol (MCP)
In the rapidly evolving landscape of artificial intelligence, LLM agents (Large Language Model agents) have transitioned from simple text predictors to autonomous problem solvers. To orchestrate complex, multi-step agentic workflows, developers require a standardized format to specify agent capabilities, prompt instructions, system rules, and database bindings. This is where SKILL.md and the Model Context Protocol (MCP) have emerged as standard developer paradigms. SkillMD serves as the central directory for indexing, exploring, and sharing these critical agent configurations.
Our open-source registry currently tracks over 1.7 million collected SKILL.md configurations and system prompts. By compiling agent configurations from active developers on GitHub, we bridge the gap between prompt engineering research and production execution. Whether you are building agents with Anthropic's Claude Code, OpenAI's GPT-4, Google's Gemini, or local models using Ollama and LlamaIndex, standardized skill definitions ensure your agents behave predictably across different runtime environments.
What is the Model Context Protocol (MCP)?
The Model Context Protocol (MCP) is an open-source standard designed to connect LLMs to data sources, developer tools, and external environments. MCP establishes a bidirectional communication channel between client applications (like Cursor, Claude Desktop, or custom agent systems) and servers hosting data or capabilities. Standardizing instructions via SKILL.md enables LLMs to query databases, read local files, execute terminal commands, and integrate third-party APIs. SkillMD allows you to find ready-to-run MCP servers and prompt instructions for various occupations and technical tasks.
The Structure of a Professional SKILL.md File
A valid SKILL.md configuration is designed to be easily read by humans and parsed by LLMs. It contains precise system instructions, trigger conditions, required parameters, and execution examples. Below is the typical architectural blueprint of a professional agent skill:
- Metadata & Core Scope: Declares the name of the skill, author details, target models, and a description of the capability.
- Triggers & Intent Detection: Details semantic triggers that help the agent decide when to invoke this skill.
- System Prompts: Explicit system-level instructions that direct the agent's behavior, personality, safety guardrails, and formatting preferences.
- Capabilities & Tools: Lists the files, databases, or APIs the agent must access to complete the tasks.
- Few-Shot Examples: Demonstrates real inputs and outputs, helping the model generalize behavior through in-context learning.
Optimizing Agent Workflows for Modern LLMs
Writing effective agent skills requires deep knowledge of prompt engineering. With the release of advanced reasoning models like Claude 3.5 Sonnet, ChatGPT o1, and DeepSeek-V3, prompt templates must focus on structured thinking. Developers are encouraged to use XML tags (e.g., <thought>, <context>, and <rules>) to isolate execution boundaries. Standardized prompts prevent agents from suffering from context drift, ensuring that long-running tasks remain aligned with the initial system parameters.
Exploring by SOC Occupations and Creator Profiles
What makes SkillMD unique is its taxonomy. Instead of simple text search, we parse and organize files according to the Standard Occupational Classification (SOC) system. This means you can discover skills written for Computer and Mathematical roles, Business and Financial operations, Legal, Design, and Educational Instruction fields. By tracking creator profiles, developers can study how different teams organize their custom instructions, compare version updates, and fork public configs for specialized enterprise use cases.
SkillMD operates as a high-performance index running on a fast Go backend and a highly responsive Astro SSR frontend. All search queries execute in milliseconds, featuring smart debouncing to prevent multiple API requests while keeping user data secure. Join our community of developers to standardize your AI agent instructions and optimize your LLM prompting workflows today.
Frequently Asked Questions
A practical guide to agent skills: what they are, how to inspect them, and how SkillMD helps you explore the ecosystem.