Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

overthinkos/k3s-agent

Name: k3s-agent
Author: overthinkos

ov-layers/skills/k3s-agent/SKILL.md

npx skillsauth add overthinkos/overthink-plugins k3s-agent

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

k3s-agent -- k3s worker node

Layer Properties

| Property | Value | |----------|-------| | Install files | layer.yml, tasks:, service:, secret_requires:, env_requires: | | Depends on | /ov-layers:k3s | | Service | k3s-agent.service (system scope, enabled) |

What this layer does

Reads K3S_CLUSTER_TOKEN from the credential store (same secret the server consumes).
Requires K3S_SERVER_URL from deploy.yml env (e.g., https://k3s-srv.lan:6443).
Writes /etc/rancher/k3s/config.yaml with server: and token:.
Emits /etc/systemd/system/k3s-agent.service running k3s agent.

No join-token handoff, no kubeconfig retrieval — agents only need the server URL (declarative, known at author time) and the pre-shared token (from the credential store).

Usage

# overthink.yml (assumes k3s-srv already up; see /ov-layers:k3s-server)
vm:
  k3s-ag1:
    source: { kind: cloud_image, url: "…" }
    disposable: true
    ram: 4G
    cpus: 2

deployments:
  images:
    "vm:k3s-ag1":
      target: vm
      vm_source: k3s-ag1
      add_layers: [k3s-agent]
      env:
        - K3S_SERVER_URL=https://k3s-srv.lan:6443
        # K3S_CLUSTER fed in for the agent-joined test below — must
        # match the cluster profile name registered by the server.
        - K3S_CLUSTER=k3s-srv

ov deploy add vm:k3s-ag1
# agent registers; ov test k8s wait-nodes on server confirms the join.
ov test k8s wait-nodes --cluster k3s-srv --count 2 --timeout 3m

Tests

Build-scope:

/etc/rancher/k3s/config.yaml exists, mode 0600.
/etc/systemd/system/k3s-agent.service exists.

Deploy-scope (uses /ov:test-k8s):

k8s: wait-nodes name=${HOSTNAME} — this node reaches Ready on the server.

Related Layers

/ov-layers:k3s — Base layer installing the k3s binary (required dep)
/ov-layers:k3s-server — Control-plane node this agent joins
/ov:test-k8s — Test verb used by the agent-joined check

overthinkos/k3s-agent

ov-layers/skills/k3s-agent/SKILL.md

k3s worker (agent) node — joins an existing k3s-server via pre-shared token. Fully declarative: same ov secrets set once + env K3S_SERVER_URL per agent deploy.

devops

Updated Apr 24, 2026

$ install --global

skillsauth

npx skillsauth add overthinkos/overthink-plugins k3s-agent

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 24, 2026, 8:34 PM0.5s1 file scanned

SKILL.md

name:: k3s-agent
description:: |
Fully declarative:: same ov secrets set once + env K3S_SERVER_URL per agent deploy.

k3s-agent -- k3s worker node

Layer Properties

What this layer does

Reads K3S_CLUSTER_TOKEN from the credential store (same secret the server consumes).
Requires K3S_SERVER_URL from deploy.yml env (e.g., https://k3s-srv.lan:6443).
Writes /etc/rancher/k3s/config.yaml with server: and token:.
Emits /etc/systemd/system/k3s-agent.service running k3s agent.

No join-token handoff, no kubeconfig retrieval — agents only need the server URL (declarative, known at author time) and the pre-shared token (from the credential store).

Usage

# overthink.yml (assumes k3s-srv already up; see /ov-layers:k3s-server)
vm:
  k3s-ag1:
    source: { kind: cloud_image, url: "…" }
    disposable: true
    ram: 4G
    cpus: 2

deployments:
  images:
    "vm:k3s-ag1":
      target: vm
      vm_source: k3s-ag1
      add_layers: [k3s-agent]
      env:
        - K3S_SERVER_URL=https://k3s-srv.lan:6443
        # K3S_CLUSTER fed in for the agent-joined test below — must
        # match the cluster profile name registered by the server.
        - K3S_CLUSTER=k3s-srv

ov deploy add vm:k3s-ag1
# agent registers; ov test k8s wait-nodes on server confirms the join.
ov test k8s wait-nodes --cluster k3s-srv --count 2 --timeout 3m

Tests

Build-scope:

/etc/rancher/k3s/config.yaml exists, mode 0600.
/etc/systemd/system/k3s-agent.service exists.

Deploy-scope (uses /ov:test-k8s):

k8s: wait-nodes name=${HOSTNAME} — this node reaches Ready on the server.

Related Layers

/ov-layers:k3s — Base layer installing the k3s binary (required dep)
/ov-layers:k3s-server — Control-plane node this agent joins
/ov:test-k8s — Test verb used by the agent-joined check

Related Skills

overthinkos/charly

tools

VerifiedTrustedCommunity

OpenCharly CLI (charly) binary installed into container/VM images for in-container use. Use when working with charly binary deployment inside containers, native D-Bus support, or the full charly toolchain (charly binary + virtualization + gocryptfs + socat).

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-cachyos

development

VerifiedTrustedCommunity

Operator CachyOS workstation profile — a kind:local template + target:local deploy that installs the full dev stack (30 candies) onto a CachyOS host via ShellExecutor. Lives in the overthinkos/cachyos submodule. MUST be invoked before editing or applying the charly-cachyos workstation profile.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-cachyos

overthinkos/charly-fedora

tools

VerifiedTrustedCommunity

Fedora box with the full charly toolchain using shared candies. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Same candy list as charly-arch. Includes NVIDIA GPU runtime. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-fedora box.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-fedora

overthinkos/charly-arch

tools

VerifiedTrustedCommunity

Arch Linux box with the full charly toolchain. Rootless-first — runs as uid=1000 with passwordless sudo (no root, no cap_add: ALL). Composes /charly-coder:charly-mcp so the box is reachable as an MCP gateway on port 18765. NVIDIA GPU runtime composed in. MUST be invoked before building, deploying, configuring, or troubleshooting the charly-arch box.

SKILL.mdUpdated Jun 10, 2026

overthinkos/charly-arch

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/overthinkos/overthink-plugins.git

# Copy into Claude Code skills folder (global)
cp -r overthink-plugins/ov-layers/skills/k3s-agent ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

overthinkos/overthink-plugins

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT