automateyournetwork/protocol-participation
workspace/skills/protocol-participation/SKILL.md
Live BGP and OSPF control-plane participation — peer with real routers, inject/withdraw routes, query RIB/LSDB, adjust metrics, GRE tunnel status. Use when injecting or withdrawing BGP routes, checking BGP peer state, querying the OSPF LSDB, or testing route advertisement in a lab.
$ install --global
skillsauthnpx skillsauth add automateyournetwork/netclaw protocol-participationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 10:34 PM3.2s1 file scanned
SKILL.md
- name:
- protocol-participation
- description:
- Live BGP and OSPF control-plane participation — peer with real routers, inject/withdraw routes, query RIB/LSDB, adjust metrics, GRE tunnel status. Use when injecting or withdrawing BGP routes, checking BGP peer state, querying the OSPF LSDB, or testing route advertisement in a lab.
- license:
- Apache-2.0
- user-invocable:
- true
- { "openclaw":
- { "requires": { "bins": ["python3"], "env": ["NETCLAW_ROUTER_ID"] } } }
Protocol Participation — BGP + OSPF + GRE
MCP Server
| Property | Value |
|----------|-------|
| Source | WontYouBeMyNeighbour BGP/OSPFv3/GRE modules |
| Transport | stdio |
| Tools | 10 |
| Protocol modules | BGP (20 files), OSPFv3 (8 files), GRE (4 files), Connectors (2 files) |
| Dependencies | scapy, networkx, mcp, fastmcp |
Tools
BGP Tools
bgp_get_peers
List BGP peer sessions with state, AS, IP, uptime, and prefix counts.
| Parameter | Type | Default | Description | |-----------|------|---------|-------------| | (none) | — | — | No parameters |
Returns: { peers: [{peer, peer_as, state, local_addr, is_ibgp, uptime, prefixes_received, prefixes_sent}], count }
bgp_get_rib
Query the Loc-RIB (best routes). Optionally filter by prefix.
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| prefix | string | null | Optional CIDR filter (e.g. 10.0.0.0/24) |
Returns: { routes: [{network, next_hop, as_path, local_pref, med, origin, communities}], count }
bgp_inject_route
Inject a route into the BGP RIB and advertise to peers.
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| network | string | required | CIDR prefix (e.g. 192.168.1.0/24) |
| next_hop | string | null | Next-hop IP (defaults to self) |
| as_path | string | null | Comma-separated AS path (e.g. 65001,65002) |
| local_pref | int | 100 | LOCAL_PREF value |
Returns: { success, network, route_info }
bgp_withdraw_route
Withdraw a route from the BGP RIB and send withdrawal to peers.
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| network | string | required | CIDR prefix to withdraw |
Returns: { success, network }
bgp_adjust_local_pref
Change the LOCAL_PREF for a route in the RIB.
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| network | string | required | CIDR prefix |
| local_pref | int | required | New LOCAL_PREF (higher = more preferred) |
Returns: { success, network, old_local_pref, new_local_pref }
OSPF Tools
ospf_get_neighbors
List OSPF neighbors with state, address, priority, and router ID.
| Parameter | Type | Default | Description | |-----------|------|---------|-------------| | (none) | — | — | No parameters |
Returns: { neighbors: [{neighbor_id, state, address, priority}], count }
ospf_get_lsdb
Query the OSPF Link State Database.
| Parameter | Type | Default | Description | |-----------|------|---------|-------------| | (none) | — | — | No parameters |
Returns: { lsdb: [{type, advertising_router, ls_id, sequence, age}], count }
ospf_adjust_cost
Change the OSPF cost on an interface.
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| interface | string | required | Interface name (e.g. gre-netclaw) |
| cost | int | required | New OSPF cost (1-65535) |
Returns: { success, interface, old_cost, new_cost }
GRE Tools
gre_tunnel_status
Check GRE tunnel status via system commands (ip tunnel show, ip addr show).
| Parameter | Type | Default | Description | |-----------|------|---------|-------------| | (none) | — | — | No parameters |
Returns: { tunnels: [...], addresses: [...], count }
Meta Tools
protocol_summary
Consolidated BGP + OSPF + GRE state summary in a single call.
| Parameter | Type | Default | Description | |-----------|------|---------|-------------| | (none) | — | — | No parameters |
Returns: { router_id, local_as, lab_mode, bgp: {configured, peer_count, peers, rib_size}, ospf: {configured, neighbor_count, neighbors}, gre: {tunnels, addresses, count} }
Environment Variables
| Variable | Example | Description |
|----------|---------|-------------|
| NETCLAW_ROUTER_ID | 4.4.4.4 | BGP/OSPF router ID |
| NETCLAW_LOCAL_AS | 65001 | BGP local autonomous system number |
| NETCLAW_BGP_PEERS | [{"ip":"172.16.0.1","as":65000}] | JSON array of BGP peers |
| NETCLAW_OSPF_AREAS | ["0.0.0.0"] | JSON array of OSPF area IDs |
| NETCLAW_GRE_TUNNELS | [{"name":"gre-netclaw","local":"...","remote":"..."}] | JSON array of GRE tunnels |
| NETCLAW_LAB_MODE | true | Relaxes CR requirement for lab testing |
FRR Lab Testbed
A Docker-based 3-router FRR topology is provided in lab/frr-testbed/ for testing:
NetClaw (AS 65001) ──GRE── Edge1 (AS 65000) ──OSPF── Core (RR) ──OSPF── Edge2
host/WSL 1.1.1.1 2.2.2.2 3.3.3.3
172.16.0.2 172.16.0.1
eBGP iBGP→Core iBGP hub iBGP→Core
# Start lab
cd lab/frr-testbed && docker compose up -d
# Create GRE tunnel (requires sudo)
sudo bash scripts/setup-gre.sh
# Verify
bash scripts/verify.sh
Workflows
1. Route Injection with Change Control
servicenow-change-workflow → CR approved
→ bgp_inject_route(network, next_hop, local_pref)
→ bgp_get_rib(prefix) → verify route in table
→ pyats-routing → verify on remote devices
→ gait-session-tracking → record change
2. Traffic Engineering via LOCAL_PREF
bgp_get_rib() → current routes
→ bgp_adjust_local_pref(network, local_pref)
→ bgp_get_peers() → verify advertisement
→ gait-session-tracking
3. OSPF Cost Manipulation
ospf_get_neighbors() → verify adjacencies
→ ospf_adjust_cost(interface, cost)
→ ospf_get_lsdb() → verify LSA update
→ pyats-routing → verify SPF reconvergence
→ gait-session-tracking
4. Protocol Health Check
protocol_summary() → full state snapshot
→ bgp_get_peers() → check all Established
→ ospf_get_neighbors() → check all Full
→ gre_tunnel_status() → check all tunnels up
→ gait-session-tracking
5. Controlled Route Withdrawal
servicenow-change-workflow → CR approved
→ bgp_get_rib(prefix) → verify route exists
→ bgp_withdraw_route(network)
→ bgp_get_rib(prefix) → verify withdrawal
→ pyats-routing → verify removal on peers
→ gait-session-tracking
6. Lab Testing (no CR required)
NETCLAW_LAB_MODE=true
→ bgp_inject_route / bgp_withdraw_route
→ bgp_get_rib → verify
→ ospf_adjust_cost → test convergence
→ protocol_summary → snapshot
Integration with Other Skills
| Skill | Integration | |-------|-------------| | servicenow-change-workflow | MUST gate all route inject/withdraw/cost changes in production | | gait-session-tracking | Record every protocol mutation in the audit trail | | pyats-routing | Cross-verify protocol state from the device CLI side | | uml-diagram | Generate BGP state machines and OSPF area diagrams | | markmap-viz | Visualise RIB hierarchy and OSPF LSDB as mind maps | | netbox-reconcile | Cross-reference peering with NetBox IPAM/circuits | | drawio-diagram | Topology diagrams showing GRE underlay + BGP/OSPF overlay | | cml-topology-builder | Provision lab topologies that NetClaw can then peer with |
Safety Rules
- NEVER inject or withdraw routes without an approved ServiceNow CR — unless
NETCLAW_LAB_MODE=true - ALWAYS verify current RIB (
bgp_get_rib) before injecting to prevent routing loops - ALWAYS verify peer state (
bgp_get_peers) before advertising — only to Established peers - ALWAYS record protocol changes in GAIT (
gait-session-tracking) - GRE tunnels require sudo — the install wizard handles initial setup; runtime queries via
gre_tunnel_statusdo not require elevated privileges - Lab mode (
NETCLAW_LAB_MODE=true) relaxes the CR requirement for the FRR testbed — never set this in production
Guardrails
- Route mutations are gated — ServiceNow CR approval required in production
- Read operations are always safe —
bgp_get_peers,bgp_get_rib,ospf_get_neighbors,ospf_get_lsdb,gre_tunnel_status,protocol_summary - GRE is the default tunnel transport — native Linux kernel support, every major vendor supports it (Cisco, Juniper, Arista, FRR, Nokia), RFC 2784/2890 compliant
- Raw sockets require root for protocol speakers — BGP (TCP/179), OSPF (IP/89), GRE (IP/47)
- No secrets in protocol state — RIB/LSDB queries return routing information, not credentials
Related Skills
automateyournetwork/humanrail-escalation
testing
VerifiedTrustedCommunity
Human-in-the-loop escalation via HumanRail — route low-confidence agent decisions, pre-destructive operation approvals, and ambiguous incident tickets to real human engineers. Human answers are verified and returned as structured output. Workers are paid via Lightning Network. Use when the agent is uncertain, when a destructive change needs explicit human sign-off beyond a ServiceNow CR, or when an ambiguous ticket requires human triage before automated handling.
491SKILL.mdUpdated May 12, 2026
automateyournetwork/eve-ng-node-operations
testing
VerifiedTrustedCommunity
Manage EVE-NG node lifecycle. Use when listing nodes, checking runtime state, creating or deleting nodes, starting or stopping nodes or whole labs, verifying node details, or wiping node NVRAM back to factory defaults.
491SKILL.mdUpdated May 12, 2026
automateyournetwork/eve-ng-lab-management
development
VerifiedTrustedCommunity
Manage EVE-NG labs and platform inventory. Use when listing labs, checking lab metadata, creating or deleting labs, importing or exporting lab archives, checking EVE-NG health or auth, or verifying available node images before build work.
491SKILL.mdUpdated May 12, 2026
automateyournetwork/eve-ng-console-ops
tools
VerifiedTrustedCommunity
Execute live CLI commands on running EVE-NG nodes over telnet console. Use when running show commands, making live config changes, verifying protocol state, testing connectivity, checking console readiness, or interacting with IOS, Junos, VPCS, EOS, or NX-OS nodes.
491SKILL.mdUpdated May 12, 2026