backbay-labs/examples/bb-edr/skills/edr-triage
examples/bb-edr/skills/edr-triage/SKILL.md
# bb-edr: Triage Skill Use this skill to turn clawdstrike audit logs into an incident report and a minimal response plan. ## Inputs - `.hush/audit.jsonl` (JSONL) — clawdstrike audit events (allowed/denied, guard, reason). - `policy.yaml` — the active security policy. ## Task 1. Read and summarize the last ~50 audit events. 2. Focus on **denied** events first: - Group by `guard` (e.g., `forbidden_path`, `egress`, `patch_integrity`) - Identify likely intent (misconfiguration vs. suspici
$ install --global
skillsauthnpx skillsauth add backbay-labs/clawdstrike examples/bb-edr/skills/edr-triageInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 3:04 AM272.3s1 file scanned
SKILL.md
bb-edr: Triage Skill
Use this skill to turn clawdstrike audit logs into an incident report and a minimal response plan.
Inputs
.hush/audit.jsonl(JSONL) — clawdstrike audit events (allowed/denied, guard, reason).policy.yaml— the active security policy.
Task
- Read and summarize the last ~50 audit events.
- Focus on denied events first:
- Group by
guard(e.g.,forbidden_path,egress,patch_integrity) - Identify likely intent (misconfiguration vs. suspicious)
- Group by
- Produce a short incident report:
- What happened (timeline + key indicators)
- Impact assessment (what was attempted, what was blocked)
- Recommended response (least-privilege)
- If you propose any response action (writing files, changing config), use
policy_checkfirst and keep changes scoped to this project directory.
Output
- Write
./reports/incident.mdcontaining the final report.
Notes (important)
- clawdstrike enforces at the tool boundary. It is not an OS sandbox.
- If an operation is denied, treat it as a strong indicator of suspicious behavior or incorrect policy assumptions.
Related Skills
backbay-labs/hello-secure
testing
VerifiedTrustedCommunity
A simple skill demonstrating clawdstrike security
273SKILL.mdUpdated Apr 3, 2026
backbay-labs/examples/openclaw-plugin/skills/hello
tools
VerifiedTrustedCommunity
# Hello Skill A simple greeting skill that demonstrates secure agent operation. ## Description This skill allows the agent to greet users and perform basic file operations within the allowed workspace. ## Capabilities - Generate personalized greetings - Read files from the workspace - Write greeting logs to the output directory ## Usage Ask the agent: - "Say hello to Alice" - "Read the welcome message from data/welcome.txt" - "Log a greeting for Bob" ## Examples ### Basic Greeting **Us
273SKILL.mdUpdated Apr 3, 2026
backbay-labs/cursor-plugin/skills/threat-hunt
tools
VerifiedTrustedCommunity
Threat hunting and security event investigation
273SKILL.mdUpdated Apr 3, 2026
backbay-labs/cursor-plugin/skills/security-review
tools
VerifiedTrustedCommunity
Security review for risky code changes
273SKILL.mdUpdated Apr 3, 2026