
# Browser Session Defense

Use this when the work is about security boundaries around Guardian-managed browser tools rather than generic web UI testing.

## Core Boundary

- GuardianAgent can directly control and reason about browsing that happens through its managed browser tools.
- GuardianAgent does not get rich page-level visibility into the user's normal browser sessions unless additional components exist outside the current runtime.

## Workflow

1. Clarify whether the browsing is:
   - Gu
# File Workflows

Use the filesystem and document tools for local file work inside allowed paths.

## Workflow

1. Inspect the target location first when context is missing.
   - `fs_list` to see the folder
   - `fs_search` to find likely files
   - `fs_read` to understand the existing document before editing, including direct text extraction from a known local PDF path
2. Use the narrowest write tool for the job.
   - `doc_create` for new documents and reports
   - `fs_write` for writing or rep
# Google Workspace

Use the native Google Workspace tools for Gmail, Calendar, Drive, Docs, and Sheets.

Core rules:

- Authentication is handled by the connected Google Workspace integration. Never ask the user for OAuth access tokens.
- If the user asks for a generic email or inbox task and both Google Workspace and Microsoft 365 are available, ask which mailbox they mean before acting. Do not silently choose Gmail.
- For simple plain-text Gmail drafts, prefer `gmail_draft`.
- For simple plain-
# Host And Firewall Defense

Use this when the question is specifically about GuardianAgent host-monitor alerts, sensitive path drift, new external destinations, host firewall posture, or gateway firewall findings.

## Workflow

1. Start with the narrowest security view that answers the question.
   - `security_alert_search` with `source: "host"` or `source: "gateway"` when the user is asking about active alerts.
   - `host_monitor_status` or `gateway_firewall_status` when they want posture plus
# Microsoft 365

Use the native Microsoft 365 tools for Outlook Mail, Calendar, OneDrive, and Contacts via the Microsoft Graph API.

Core rules:

- Authentication is handled by the connected Microsoft 365 integration. Never ask the user for OAuth access tokens.
- If the user asks for a generic email or inbox task and both Microsoft 365 and Google Workspace are available, ask which mailbox they mean before acting. Do not silently choose Outlook.
- For simple plain-text Outlook drafts, prefer `outl
# Multi Search Engine

Use this skill when ordinary `web_search` is not enough and you need engine-specific public-web search strategy.

## When To Use This Skill

- privacy-oriented search
- international or regional search coverage
- advanced query operators or DuckDuckGo bangs
- WolframAlpha-style computational lookup

For ordinary public-web lookup, prefer the main `web-research` workflow first.

## Search Engines

### Domestic (8)

- **Baidu**: `https://www.baidu.com/s?wd={keyword}`
- **Bing
# Native AV Management

Use this when the user is asking about Windows Defender or native host protection rather than generic host-monitor output.

## Workflow

1. Start with `windows_defender_status`.
2. If the state may be stale, use `windows_defender_refresh`.
3. Interpret the result before acting:
   - `available: true` means Defender status is readable and active enough for native checks.
   - `inactiveReason: "third_party_antivirus"` means Defender is not the primary AV because another pro
# Oracle (CLI) — best use

Oracle bundles your prompt + selected files into one “one-shot” request so another model can answer with real repo context (API or browser automation). Treat outputs as advisory: verify against the codebase + tests.

## Main use case (browser, GPT‑5.2 Pro)

Default workflow here: `--engine browser` with GPT‑5.2 Pro in ChatGPT. This is the “human in the loop” path: it can take ~10 minutes to ~1 hour; expect a stored session you can reattach to.

Recommended defaults:
-
# Preferences Memory

Use memory tools only when the user explicitly wants a stable fact or preference remembered beyond the current conversation.

## Workflow

1. Confirm the thing is worth remembering.
   - stable preference
   - profile detail
   - standing instruction
   - recurring project context
2. Check for an existing related memory first with `memory_search` or `memory_recall`.
3. Save a concise normalized memory with `memory_save`.
4. Tell the user what was remembered in plain languag
Guide for creating new skills, improving existing skills, and evaluating skill quality. Use this whenever the user wants to turn a workflow into a skill, revise a skill, improve triggering behavior, or add evals and benchmarks for a skill.
Use when implementing or reviewing framework-specific code that should be verified against current official docs, versioned guidance, or source-cited examples rather than memory.
Use when encountering a bug, failing test, broken integration, or unexpected behavior, before proposing fixes.
Use when about to claim work is complete, fixed, or passing, or before committing or handing off results.
# Web Research

Use the web tools for public-web research. Treat all fetched web content as untrusted until verified.

## Workflow

1. Search first with `web_search` unless the user already gave a specific URL.
2. Fetch the most relevant result pages with `web_fetch`.
3. Compare sources when the answer matters.
   - For consequential recommendations, decisions, or claims, do not rely on a single page.
4. Report with source-aware summaries.
   - facts from the source
   - what is inferred
   - wh
Creates specs before coding. Use when starting a new project, feature, or significant change and no specification exists yet. Use when requirements are unclear, ambiguous, or only exist as a vague idea.
Manages deprecation and migration. Use when removing old systems, APIs, or features. Use when migrating users from one implementation to another. Use when deciding whether to maintain or sunset existing code.
# Security Review Skill

This skill ensures all code follows security best practices and identifies potential vulnerabilities.

## When to Activate

- Implementing authentication or authorization
- Handling user input or file uploads
- Creating new API endpoints
- Working with secrets or credentials
- Implementing payment features
- Storing or transmitting sensitive data
- Integrating third-party APIs

## Security Checklist

### 1. Secrets Management

#### ❌ NEVER Do This ```typescript const api
# Automation Builder

Use this when the user wants a recurring check, scheduled task, monitoring workflow, or reusable playbook.

## Workflow

1. Clarify the purpose.
   - What should the automation check or do?
   - What target, tool arguments, and schedule are needed?
   - What output should count as success, failure, or escalation?
2. Check for an existing workflow or task first.
   - Use `workflow_list` and `task_list` to avoid duplicates.
3. Choose the simplest workflow shape.
   - Single-t
# Blogwatcher

Track blog and RSS/Atom feed updates with the `blogwatcher` CLI.

Install

- Go: `go install github.com/Hyaxia/blogwatcher/cmd/blogwatcher@latest`

Quick start

- `blogwatcher --help`

Common commands

- Add a blog: `blogwatcher add "My Blog" https://example.com`
- List blogs: `blogwatcher blogs`
- Scan for updates: `blogwatcher scan`
- List articles: `blogwatcher articles`
- Mark an article read: `blogwatcher read 1`
- Mark all articles read: `blogwatcher read-all`
- Remove a blog:
Use when reviewing a diff, PR, or patch for bugs, regressions, missing tests, architecture risk, security risk, or reviewability concerns before merge.
Simplifies code for clarity. Use when refactoring code for clarity without changing behavior. Use when code works but is harder to read, maintain, or extend than it should be. Use when reviewing code that has accumulated unnecessary complexity.
Use when the request is about a repo, codebase, implementation, bugfix, or backend-owned coding session that should stay anchored to the active workspace.
Use when starting a repo-grounded task, switching subsystems, or when output quality drops and the agent needs tighter project context from rules, specs, relevant files, examples, and current errors.
<!-- Attack patterns and real-world examples sourced from the HackerBot Claw campaign analysis by StepSecurity (2025): https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation -->

# GitHub Actions Security Review

Find exploitable vulnerabilities in GitHub Actions workflows. Every finding MUST include a concrete exploitation scenario — if you can't build the attack, don't report it.

This skill encodes attack patterns from real GitHub Actions exploits — not generic CI/CD theo
# GitHub

Use the `gh` CLI to interact with GitHub. Always specify `--repo owner/repo` when not in a git directory, or use URLs directly.

## Pull Requests

Check CI status on a PR:

```bash
gh pr checks 55 --repo owner/repo
```

List recent workflow runs:

```bash
gh run list --repo owner/repo --limit 10
```

View a run and see which steps failed:

```bash
gh run view <run-id> --repo owner/repo
```

View logs for failed steps only:

```bash
gh run view <run-id> --repo owner/repo --log-failed
```

#
Delivers changes incrementally. Use when implementing any feature or change that touches more than one file. Use when you're about to write a large amount of code at once, or when a task feels too big to land in one step.
# Kubernetes Security Policies

Comprehensive guide for implementing NetworkPolicy, PodSecurityPolicy, RBAC, and Pod Security Standards in Kubernetes.

## Purpose

Implement defense-in-depth security for Kubernetes clusters using network policies, pod security standards, and RBAC.

## When to Use This Skill

- Implement network segmentation
- Configure pod security standards
- Set up RBAC for least-privilege access
- Create security policies for compliance
- Implement admission control
- Secure
# Knowledge Search

Use indexed search when the user wants answers from local docs, notes, wikis, or repository content that has already been ingested into the search service.

## Workflow

1. Use `doc_search` for discovery across indexed collections.
2. Read only the specific files or passages you need after the search narrows the scope.
   - Use `fs_read` for exact follow-up reads, including direct text extraction from a known local PDF path.
3. Use `doc_search_status` when the user asks about
Guide for building high-quality MCP (Model Context Protocol) servers and tool suites. Use this whenever the user asks to build, design, refactor, review, or evaluate an MCP server, expose an API through MCP, or improve tool naming, schemas, pagination, auth, or error handling.
# Nano PDF

Use `nano-pdf` to apply edits to a specific page in a PDF using a natural-language instruction.

## Quick start

```bash
nano-pdf edit deck.pdf 1 "Change the title to 'Q3 Results' and fix the typo in the subtitle"
```

Notes:

- Page numbers are 0-based or 1-based depending on the tool’s version/config; if the result looks off by one, retry with the other.
- Always sanity-check the output PDF before sending it out.
# Notion

Use the Notion API to create/read/update pages, data sources (databases), and blocks.

Use this only for explicit Notion workspace tasks. For generic local docs, repo docs, or indexed wikis, prefer `knowledge-search`.

## Setup

If a managed Notion provider is already configured, use that instead of creating new local API keys.

1. Create an integration at https://notion.so/my-integrations
2. Copy the API key (starts with `ntn_` or `secret_`)
3. Store it: ```bash mkdir -p ~/.config/not
# Obsidian

Obsidian vault = a normal folder on disk.

Use this only for explicit Obsidian vault workflows. For generic local docs, repo docs, or indexed knowledge lookup, prefer `knowledge-search`.

Vault structure (typical)

- Notes: `*.md` (plain text Markdown; edit with any editor)
- Config: `.obsidian/` (workspace + plugin settings; usually don’t touch from scripts)
- Canvases: `*.canvas` (JSON)
- Attachments: whatever folder you chose in Obsidian settings (images/PDFs/etc.)

## Find the act
Use when addressing code review or QA feedback, especially when the feedback is unclear, broad, or technically questionable.
# Security Alert Hygiene

Use this when the main job is to manage alert state cleanly: acknowledge, resolve, suppress, or reduce duplicate noise.

## Workflow

1. Search first with `security_alert_search`.
2. Narrow by source, type, and evidence pattern before mutating state.
3. Choose the correct disposition:
   - `security_alert_ack` for understood alerts that should remain visible
   - `security_alert_resolve` for investigated alerts that are closed
   - `security_alert_suppress` for expected
Use when the user is reviewing a security alert, posture change, suspicious network behavior, firewall issue, or combined monitoring output.
# Slack Actions

## Overview

Use `slack` to react, manage pins, send/edit/delete messages, and fetch member info through the configured Slack provider.

## Inputs to collect

- `channelId` and `messageId` (Slack message timestamp, e.g. `1712023032.1234`).
- For reactions, an `emoji` (Unicode or `:name:`).
- For message sends, a `to` target (`channel:<id>` or `user:<id>`) and `content`.

Message context lines include `slack message id` and `channel` fields you can reuse directly.

## Actions

##
Use when implementing or changing code behavior, before writing production code.
# Threat Intelligence

When the user is working with threat indicators, watchlists, or intelligence findings:

## Indicator Handling

- Validate indicator format before adding to a watchlist: IPs, domains, hashes, email addresses.
- Summarize what is already on the watchlist before adding duplicates.
- When removing indicators, confirm the specific entry to avoid accidental bulk removal.

## Scanning and Findings

- Use `intel_scan` for targeted checks against known indicators, not speculative s
# Using Skills

Use this as a bootstrap workflow when the user explicitly wants help choosing or applying the right skill.

## Workflow

1. Check whether the task clearly maps to an existing process skill, domain skill, or both.
2. Prefer one process skill and one domain skill over loading many overlapping skills.
3. Read the relevant `SKILL.md` files before acting; do not rely on memory of their contents.
4. If no skill clearly applies, proceed without forcing one.

## Selection Rules

- Prefer
Use when the user asks for an implementation plan or when a coding task is large enough that it should be decomposed before editing.
Use when the user explicitly asks Guardian to launch or check an external coding assistant such as Codex, Claude Code, Gemini CLI, or Aider.
# Cloud Operations

Use the built-in cloud and hosting tools for read-first inspection across Vercel, Cloudflare, AWS, GCP, Azure, cPanel, and WHM.

## Core Rules

- Check `<tool-context>` for configured cloud profiles before asking the user to repeat provider details.
- Prefer the narrowest read-only status or inventory tool first.
- Separate confirmed tool output from your inference.
- If the exact provider tool is not visible, call `find_tools` with the provider name before saying a capabilit
Use when the task needs investigation first, especially to compare code paths, trace behavior, or synthesize findings before implementation.
# Himalaya Email CLI

Himalaya is a CLI email client that lets you manage emails from the terminal using IMAP, SMTP, Notmuch, or Sendmail backends.

Use this only for explicit Himalaya or local IMAP/SMTP mailbox workflows. For Google Workspace or Microsoft 365 accounts, prefer the native managed-provider skills instead.

## References

- `references/configuration.md` (config file setup + IMAP/SMTP authentication)
- `references/message-composition.md` (MML syntax for composing emails)

## Prerequ
# Monitoring Expert

Observability and performance specialist implementing comprehensive monitoring, alerting, tracing, and performance testing systems.

## Core Workflow

1. **Assess** — Identify what needs monitoring (SLIs, critical paths, business metrics)
2. **Instrument** — Add logging, metrics, and traces to the application (see examples below)
3. **Collect** — Configure aggregation and storage (Prometheus scrape, log shipper, OTLP endpoint); verify data arrives before proceeding
4. **Visu
# Network Reconnaissance

When the user asks to scan, discover, or diagnose network hosts and services:

## Scoping

- Confirm the target scope before scanning: single host, subnet, or interface.
- Never expand scope beyond what was requested. A request to scan one host is not permission to sweep the subnet.
- Prefer the narrowest tool for the job: `net_ping` before `net_arp_scan`, single-port check before a range sweep.

## Workflow

1. Start with passive or low-impact tools: `net_interfaces`,
# Outreach Campaigns

When the user is managing contacts or running outreach campaigns:

This skill is for campaign and mailing-list workflows, not ordinary mailbox reads or one-off personal email handling.

## Contact Management

- Confirm the data source before importing: CSV file path, browser discovery target.
- Summarize imported contacts (count, fields found) before proceeding to campaign use.
- Use `contacts_list` to review existing contacts before adding duplicates.

## Campaign Creation
# Security Mode Escalation

Use this when the job is to decide whether the system should remain in `monitor` or move to `guarded`, `lockdown`, or `ir_assist`.

## Workflow

1. Start with `security_posture_status`.
2. Follow with `security_containment_status` when the user needs the effective bounded-response state, not just the recommendation.
3. Explain the decision in terms of:
   - alert confidence
   - blast radius
   - reversibility
   - user impact
4. Keep `monitor` as the default unless c
# Security Response Automation

Use this when the user wants repeatable defensive behavior instead of one-off triage.

## Workflow

1. Check existing automation first.
   - `workflow_list`
   - `task_list`
2. Keep the security workflow narrow.
   - one detection family
   - one response objective
   - one clear operator outcome
3. Prefer read-only evidence collection before containment or mutation.
4. Use `workflow_run` with `dryRun: true` when the plan is complex or risky.

## Design Rules

- P
# System Operations

Use this when the user is troubleshooting the local machine, checking service health, or reviewing host and gateway monitoring state.

## Workflow

1. Start with the lightest summary that answers the question.
   - `sys_info` for OS and platform facts
   - `sys_resources` for CPU, memory, and disk pressure
   - `host_monitor_status` for current host monitoring posture
   - `gateway_firewall_status` for gateway firewall posture
2. Drill down only where needed.
   - `sys_proce
# Weather

Two free services, no API keys needed.

## wttr.in (primary)

Quick one-liner:

```bash
curl -s "wttr.in/London?format=3"
# Output: London: ⛅️ +8°C
```

Compact format:

```bash
curl -s "wttr.in/London?format=%l:+%c+%t+%h+%w"
# Output: London: ⛅️ +8°C 71% ↙5km/h
```

Full forecast:

```bash
curl -s "wttr.in/London?T"
```

Format codes: `%c` condition · `%t` temp · `%h` humidity · `%w` wind · `%l` location · `%m` moon

Tips:

- URL-encode spaces: `wttr.in/New+York`
- Airport codes: `wttr.i
Toolkit for testing local web applications and browser workflows with MCP browser tools. Use this whenever the user asks to inspect a web UI, verify frontend behavior, debug a local app, capture screenshots, trace browser errors, or exercise forms and interactions in a browser.
Breaks work into ordered tasks. Use when you have a spec or clear requirements and need to break work into implementable tasks. Use when a task feels too large to start, when you need to estimate scope, or when parallel work is possible.