automateyournetwork/batfish-config-analysis
workspace/skills/batfish-config-analysis/SKILL.md
Batfish network configuration analysis -- pre-deployment validation, reachability testing, ACL/firewall tracing, differential analysis, compliance checking. Use when validating configs before deployment, testing traffic paths, tracing ACL rules, comparing config versions, or auditing compliance policies. Strictly read-only.
$ install --global
skillsauthnpx skillsauth add automateyournetwork/netclaw batfish-config-analysisInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 20, 2026, 3:29 AM4.6s1 file scanned
SKILL.md
- name:
- batfish-config-analysis
- description:
- Batfish network configuration analysis -- pre-deployment validation, reachability testing, ACL/firewall tracing, differential analysis, compliance checking. Use when validating configs before deployment, testing traffic paths, tracing ACL rules, comparing config versions, or auditing compliance policies. Strictly read-only.
- license:
- Apache-2.0
- user-invocable:
- true
- { "openclaw":
- { "requires": { "bins": ["python3", "docker"], "env": ["BATFISH_HOST"] } } }
Batfish Configuration Analysis
MCP Server
- Source: Built-in (mcp-servers/batfish-mcp/)
- Command:
python3 -u mcp-servers/batfish-mcp/batfish_mcp_server.py(stdio transport) - Requires: Batfish Docker container running,
BATFISH_HOSTandBATFISH_PORTenvironment variables - Python: 3.10+
- Dependencies:
pybatfish,mcp[cli],python-dotenv
Available Tools (8)
| Tool | Parameters | What It Does |
|------|-----------|--------------|
| batfish_upload_snapshot | snapshot_name, configs/config_path, network | Upload device configs to Batfish and create a named snapshot |
| batfish_validate_config | snapshot_name, network | Validate configs with per-device pass/fail status, vendor detection, warnings |
| batfish_test_reachability | snapshot_name, src_ip, dst_ip, protocol, dst_port | Test if traffic can flow between two endpoints with full path trace |
| batfish_trace_acl | snapshot_name, device, filter_name, src_ip, dst_ip, protocol, dst_port | Trace a packet through ACL rules to find matching permit/deny rule |
| batfish_diff_configs | reference_snapshot, candidate_snapshot, include_routes, include_reachability | Compare two snapshots for route and reachability differences |
| batfish_check_compliance | snapshot_name, policy_type | Check configs against compliance policies (6 built-in policy types) |
| batfish_list_snapshots | network | List all available snapshots |
| batfish_delete_snapshot | snapshot_name, network | Delete a snapshot |
Workflow: Pre-Change Validation
When a user wants to validate configurations before deployment:
- Upload configs:
batfish_upload_snapshotwith inline configs dict or path to config directory - Validate:
batfish_validate_configto check parse status, vendor detection, warnings/errors - Test reachability:
batfish_test_reachabilityfor critical traffic paths - Check compliance:
batfish_check_complianceagainst organizational policies - Report: Structured pass/fail results with specific findings
- GAIT: All operations automatically logged
Example: Validate Before Deploy
# Upload proposed configs
batfish_upload_snapshot snapshot_name="pre-change-site-a" config_path="/path/to/configs/"
# Validate parse status
batfish_validate_config snapshot_name="pre-change-site-a"
# Test critical path
batfish_test_reachability snapshot_name="pre-change-site-a" src_ip="10.1.1.1" dst_ip="10.2.2.1" protocol="TCP" dst_port=443
# Check compliance
batfish_check_compliance snapshot_name="pre-change-site-a" policy_type="interface_descriptions"
Workflow: Change Impact Analysis
When comparing before/after configurations:
- Upload "before" snapshot:
batfish_upload_snapshotwith current configs - Upload "after" snapshot:
batfish_upload_snapshotwith proposed configs - Diff:
batfish_diff_configsto find route and reachability differences - Investigate: Use
batfish_trace_aclon any newly denied traffic - Report: Structured diff showing added/removed/changed routes and flows
Workflow: ACL Troubleshooting
When investigating access control issues:
- Upload configs:
batfish_upload_snapshotwith device configs - Trace packet:
batfish_trace_aclwith device, ACL name, and packet headers - Review: Identify matching rule, line number, permit/deny action
- Test alternatives: Modify config, re-upload, trace again
Integration with Other Skills
| Skill | Integration | |-------|-------------| | pyats-config-mgmt | Validate configs with Batfish before pushing via pyATS | | gait-session-tracking | All Batfish operations automatically logged | | servicenow-change-workflow | Reference Batfish validation in change request evidence | | fwrule-analyzer | Complement ACL trace with cross-vendor overlap analysis | | cml-lab-lifecycle | Validate CML lab configs with Batfish analysis |
Important Rules
- All operations are strictly read-only -- Batfish analyzes uploaded configs, never modifies network devices
- GAIT audit mandatory -- All operations logged automatically
- Snapshots are ephemeral -- Batfish manages snapshot lifecycle; use GAIT for persistent records
- Multi-vendor -- Supports Cisco IOS/IOS-XE/NX-OS, JunOS, Arista EOS, Palo Alto, F5
Error Handling
- BATFISH_UNREACHABLE: Verify Docker container is running (
docker ps | grep batfish) - SNAPSHOT_NOT_FOUND: Use
batfish_list_snapshotsto see available snapshots - INVALID_INPUT: Check configs dict is non-empty or config_path exists
- DEVICE_NOT_FOUND: Use
batfish_validate_configto list devices in snapshot - FILTER_NOT_FOUND: Verify ACL/filter name exists on the specified device
Environment Variables
BATFISH_HOST-- Batfish hostname (default: localhost)BATFISH_PORT-- Batfish port (default: 9997)BATFISH_NETWORK-- Default network name (default: netclaw)
Related Skills
automateyournetwork/humanrail-escalation
testing
VerifiedTrustedCommunity
Human-in-the-loop escalation via HumanRail — route low-confidence agent decisions, pre-destructive operation approvals, and ambiguous incident tickets to real human engineers. Human answers are verified and returned as structured output. Workers are paid via Lightning Network. Use when the agent is uncertain, when a destructive change needs explicit human sign-off beyond a ServiceNow CR, or when an ambiguous ticket requires human triage before automated handling.
491SKILL.mdUpdated May 12, 2026
automateyournetwork/eve-ng-node-operations
testing
VerifiedTrustedCommunity
Manage EVE-NG node lifecycle. Use when listing nodes, checking runtime state, creating or deleting nodes, starting or stopping nodes or whole labs, verifying node details, or wiping node NVRAM back to factory defaults.
491SKILL.mdUpdated May 12, 2026
automateyournetwork/eve-ng-lab-management
development
VerifiedTrustedCommunity
Manage EVE-NG labs and platform inventory. Use when listing labs, checking lab metadata, creating or deleting labs, importing or exporting lab archives, checking EVE-NG health or auth, or verifying available node images before build work.
491SKILL.mdUpdated May 12, 2026
automateyournetwork/eve-ng-console-ops
tools
VerifiedTrustedCommunity
Execute live CLI commands on running EVE-NG nodes over telnet console. Use when running show commands, making live config changes, verifying protocol state, testing connectivity, checking console readiness, or interacting with IOS, Junos, VPCS, EOS, or NX-OS nodes.
491SKILL.mdUpdated May 12, 2026