carloseberhardt/security-monitor
skills/security-monitor/SKILL.md
Periodically checks for security threats by reviewing recent security events, access patterns, and potential indicators of compromise.
testing
Updated Apr 3, 2026
$ install --global
skillsauthnpx skillsauth add carloseberhardt/agent-skill-poc security-monitorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 2:46 AM20.1s2 files scanned
SKILL.md
- name:
- security-monitor
- description:
- Periodically checks for security threats by reviewing recent security events, access patterns, and potential indicators of compromise.
Check for security threats. This is a proactive monitor — look for issues even if nothing has been explicitly reported.
Step 1 — Gather information:
- Ask the security agent for the current threat assessment and any critical findings — recent alerts, suspicious access patterns, unfamiliar IPs, or privilege escalations.
- Use the employee lookup tool to identify affected users, their roles, departments, and managers.
Step 2 — Assess and present findings: Choose ONE of the following based on your assessment:
A) Clear security risk detected (data exfiltration, unauthorized access, unfamiliar IP, etc.):
- Recommend a specific action and indicate which agent should handle it. The recommendation should include notifying the discord channel.
- You MUST include the exact string [EMIT:incident_correlation] in your response. The runtime scans for this literal token to trigger cross-domain correlation. If you found a security threat and omit it, correlation will not run.
B) No threats found (informational findings only):
- Present findings as a summary without recommending action.
- Do NOT include [EMIT:incident_correlation].
IMPORTANT:
- Only use the security agent and employee lookup tool. Do NOT call the data agent — data access monitoring is handled separately.
- Do NOT use the Discord notification tool or execute any remediation actions during this investigation. Only gather data and make a recommendation. Actions will be taken after human approval.
Related Skills
carloseberhardt/publish-cost-report
business
VerifiedTrustedCommunity
create and share a cost report on discord
SKILL.mdUpdated Apr 3, 2026
carloseberhardt/incident-correlation-data-security
testing
VerifiedTrustedCommunity
Checks whether security and data signals are connected. Produces a correlation report if both domains show issues, or a brief summary if only one does.
SKILL.mdUpdated Apr 3, 2026
carloseberhardt/data-access-monitor
development
VerifiedTrustedCommunity
Periodically checks for data access anomalies — unusual query patterns, after-hours PII access, or bulk extractions that deviate from baseline behavior.
SKILL.mdUpdated Apr 3, 2026
carloseberhardt/chat
tools
VerifiedTrustedCommunity
Conversational interface to the agent runtime. Can call tools and agents directly, trigger skills, and synthesize answers from recent skill output.
SKILL.mdUpdated Apr 3, 2026