From b7603ed5be24f6e1ac166986f53a5d7d638d626b Mon Sep 17 00:00:00 2001 From: Gale W Date: Tue, 14 Jul 2026 14:46:15 -0400 Subject: [PATCH 1/7] docs: plan cybersecurity skills plugin --- ROADMAP.md | 38 +++ .../cybersecurity-skills-plugin-plan.md | 259 ++++++++++++++++++ 2 files changed, 297 insertions(+) create mode 100644 docs/maintainers/cybersecurity-skills-plugin-plan.md diff --git a/ROADMAP.md b/ROADMAP.md index a97d2039..4c98ded7 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -27,6 +27,7 @@ - [Milestone 24: Apple system integration, runtime evidence, and distribution workflows](#milestone-24-apple-system-integration-runtime-evidence-and-distribution-workflows) - [Milestone 25: Apple Creator Studio operator workflows](#milestone-25-apple-creator-studio-operator-workflows) - [Milestone 26: Messaging collaboration skills plugin](#milestone-26-messaging-collaboration-skills-plugin) +- [Milestone 27: Cybersecurity skills plugin](#milestone-27-cybersecurity-skills-plugin) - [Small Tickets](#small-tickets) - [Backlog Candidates](#backlog-candidates) - [History](#history) @@ -67,6 +68,7 @@ - Milestone 24: Apple system integration, runtime evidence, and distribution workflows - Planned - Milestone 25: Apple Creator Studio operator workflows - Planned - Milestone 26: Messaging collaboration skills plugin - Completed +- Milestone 27: Cybersecurity skills plugin - Planned ## Milestone 5: SwiftASB skills plugin @@ -861,6 +863,42 @@ Completed - [x] The root documentation, marketplace, plan, and validation agree on the shipped inventory. - [x] Apple requests route to an explicit system contract or app-owned responsibility without claiming undocumented macOS default messaging/calling, Apple Messages access, or Phone automation. +## Milestone 27: Cybersecurity skills plugin + +### Status + +Planned + +### Scope + +- [ ] Add a dedicated Socket-hosted `cybersecurity-skills` child plugin for suspicious-content triage, malware analysis, safe isolation, macOS defense, vulnerability validation, authorized security testing, incident response, detection content, and understandable defensive advice. +- [ ] Keep the first release guidance-only: no bundled scanners, malware or exploit samples, privileged helper, daemon, hook, MCP server, VM/container image, remote-sandbox credential, or autonomous active-testing runtime. +- [ ] Keep `reverse-engineering-skills` focused on compiled artifacts and binary internals; use explicit handoffs instead of absorbing reverse engineering into the new plugin. +- [ ] Route repository-wide and diff-based source scanning to Codex Security when it is available rather than duplicating its scan pipeline. +- [ ] Make the suspicious-content-to-macOS-defense path the first installable release, with vulnerability and incident-response expansion built on the same evidence, confidence, isolation, and reporting records. + +### Tickets + +- [x] Record the architecture, ownership, safety, source, validation, and phased implementation plan in [`docs/maintainers/cybersecurity-skills-plugin-plan.md`](./docs/maintainers/cybersecurity-skills-plugin-plan.md). +- [ ] Create `plugins/cybersecurity-skills/` with `.codex-plugin/plugin.json`, `AGENTS.md`, authored `skills/`, assets, and focused child validation. +- [ ] Add the root marketplace entry as unavailable while the plugin is a placeholder; switch it to installable only after a usable skill slice exists. +- [ ] Add shared routing, evidence preservation, confidence/explanation, isolation selection, and agentic-security-tool workflows. +- [ ] Add suspicious-content triage, privacy-aware reputation, static/dynamic malware analysis, suspicious script/document, YARA-X, and behavior-mapping workflows. +- [ ] Add macOS threat assessment, persistence, runtime activity, Objective-See adapter, containment/recovery, and hardening workflows. +- [ ] Add authorized-test scoping, vulnerability triage/validation/exposure, web/API and network testing, and security-assessment reporting in fixture-validated slices. +- [ ] Add incident triage, containment, recovery, threat hunting, and detection-content workflows after the first defensive analysis release is stable. +- [ ] Forward-test benign lookalikes, malicious simulations, isolation failures, macOS VM workflows, scanner false positives, reachable/unreachable vulnerabilities, and non-specialist advice. +- [ ] Export portable skills through the Hermes tap and validate each host-specific or future MCP/runtime decision explicitly. +- [ ] Update root README inventory text, marketplace metadata, architecture metadata, and validation when the plugin becomes installable. + +### Exit Criteria + +- [ ] An agent can move from an ambiguous suspicious artifact or activity report to preserved evidence, an appropriate isolation boundary, a confidence-calibrated assessment, and clear immediate advice. +- [ ] macOS workflows distinguish signing, notarization, quarantine, XProtect, Gatekeeper, TCC, SIP, process/file/network behavior, persistence, containment, and verified recovery. +- [ ] Vulnerability and authorized-testing workflows require explicit scope and validate exploitability and exposure rather than treating scanner output, CVSS, or an exploit template as proof. +- [ ] Deep binary work, repository source scanning, Apple implementation, and stack-specific fixes have explicit owner handoffs with no duplicate catch-all workflows. +- [ ] Root documentation, marketplace wiring, Codex/Hermes compatibility, plugin metadata, and validation agree on the shipped skill inventory. + ## Small Tickets - [ ] Record issue-sized fixes, TODO/FIXME imports, and cleanup work that is too small or too unplanned for a milestone. diff --git a/docs/maintainers/cybersecurity-skills-plugin-plan.md b/docs/maintainers/cybersecurity-skills-plugin-plan.md new file mode 100644 index 00000000..a728ef3a --- /dev/null +++ b/docs/maintainers/cybersecurity-skills-plugin-plan.md @@ -0,0 +1,259 @@ +# Cybersecurity Skills Plugin Plan + +## Intent + +`cybersecurity-skills` helps an agent turn an ambiguous security concern into an evidence-backed assessment, a safe next action, and an explanation that a non-specialist can understand. Its center is the real-world question "is this actually dangerous, how does it work, and what should I do now?" rather than a scanner inventory or a collection of exploit recipes. + +The plugin covers suspicious artifacts and messages, malware analysis, macOS endpoint investigation, safe isolation, vulnerability validation, authorized security testing, incident containment and recovery, detection content, and practical defensive advice. It should work for a friend asking about a strange installer, a developer validating a vulnerability report, or an operator investigating suspicious host behavior without pretending those are the same workflow. + +The first release is a guidance-only Socket child plugin. It does not bundle scanners, malware samples, exploit code, a privileged helper, a background daemon, hooks, an MCP server, VM images, container images, or cloud-analysis credentials. That shape unlocks immediate use of trusted local and external tools while keeping permissions, sample handling, and network access visible to the operator. + +## Architecture Decision + +Create `cybersecurity-skills` as a dedicated plugin. Do not expand `reverse-engineering-skills` into the broader owner. + +This is a durable building-block change. It creates one owner for the security decision lifecycle across artifacts, hosts, services, identities, and incidents. It removes repeated confidence, evidence, isolation, scope, containment, and communication logic from future specialist skills. Afterward, malware, macOS, vulnerability, pentest, and incident workflows can share the same assessment record and hand off deep binary work without duplicating reverse-engineering guidance. + +The simpler extension path was to add malware and defensive skills to `reverse-engineering-skills`. That path was rejected because reverse engineering correctly owns compiled artifacts, disassembly, decompilation, symbols, and binary behavior. It should not also own account compromise, network exposure, incident response, endpoint recovery, authorized test scope, or advice for non-specialists. + +## Packaging Direction + +Package the plugin as a monorepo-owned Socket child at `plugins/cybersecurity-skills/`. Its root should own: + +- `.codex-plugin/plugin.json` +- `AGENTS.md` +- authored `skills/` +- narrow validation under `scripts/` when root validation cannot prove the skill inventory +- branded icon assets + +Add the root marketplace entry as `NOT_AVAILABLE` while the child is only a placeholder. Switch it to `AVAILABLE` only after the first usable skill slice, plugin metadata, root documentation, Hermes export decision, and validation all agree. + +Use `Developer Tools` as the marketplace category. Keep the authored plugin name `cybersecurity-skills` and the skill namespace `cybersecurity`. + +## Ownership And Handoffs + +| Surface | Primary owner | Cybersecurity responsibility | +| --- | --- | --- | +| Ambiguous security concern, suspicious content, host activity, incident, or authorized test | `cybersecurity-skills` | Route the work, preserve evidence, select isolation, calibrate confidence, and own the defensive recommendation. | +| Binary internals, decompilation, disassembly, symbols, Mach-O internals, or exact binary comparison | `reverse-engineering-skills` | Establish the security question and artifact identity, then hand off deep binary analysis and consume its evidence. | +| Repository-wide or diff-based source vulnerability discovery, attack-path analysis, and finding fixes | Codex Security when installed | Route code-scanning work to the dedicated security scanner and incorporate validated findings into exposure, response, or reporting workflows. | +| Ordinary Apple app development, signing, Xcode, Endpoint Security API implementation, or Virtualization framework implementation | `apple-dev-skills` | Own the security investigation or lab requirement, then hand implementation to Apple development workflows. | +| Protocol implementation or ordinary network-stack engineering | `network-protocol-skills` | Own security test scope and observed behavior; hand protocol construction or repair to the protocol owner. | +| Language- or stack-specific remediation | Owning Socket stack plugin | Preserve the finding and acceptance criteria, then hand the implementation to the relevant language or framework workflow. | +| GitHub repository settings and project security documents | `productivity-skills` | Provide the security requirement or finding; use the repository-maintenance owners for settings and policy-file changes. | + +Do not copy Codex Security's repository scan phases into this plugin. The new plugin should remain useful when Codex Security is unavailable, but its fallback is bounded manual validation of a supplied concern, not a second full repository scanner. + +## Common Security Record + +Every investigative workflow should be able to produce or extend one shared record with these fields: + +- question, affected person or system, and requested decision +- artifact, host, account, service, or target identity +- authorization and active-test scope when applicable +- acquisition source, timestamps, hashes, versions, OS build, hardware, and relevant tool versions +- preservation status and transformations performed +- observed facts, external intelligence, hypotheses, and disproven hypotheses kept separate +- indicators and behaviors with source and confidence +- threat classification, confidence, impact, and remaining uncertainty +- immediate containment advice, recovery advice, and longer-term hardening kept separate +- plain-language explanation suitable for the affected person +- reproducible commands, outputs, screenshots, or logs when they are safe to retain + +Use calibrated conclusions rather than a binary scanner verdict: + +- confirmed malicious +- likely malicious +- suspicious but unresolved +- likely benign or expected +- confirmed benign for the tested question +- insufficient evidence + +A conclusion must say what evidence would change it. A clean reputation lookup, valid signature, successful notarization, or zero scanner findings is never proof that an artifact or system is safe. + +## Safety And Analysis Boundaries + +### Local-First Intake + +- Start with metadata, hashes, signatures, archive listings, text extraction, and other non-executing checks. +- Preserve the original input and inspect a working copy. +- Do not upload a file, URL, document, log, token, customer artifact, or private binary to a third-party reputation or sandbox service without explicit approval after explaining what will leave the machine. +- Treat URLs, QR codes, documents, archives, profiles, packages, scripts, browser extensions, and chat/email content as potentially active inputs even when they are not native executables. + +### Isolation Selection + +- Use a disposable container for untrusted Linux user-space tooling only when the threat model does not require a macOS guest, kernel boundary, device access, or privileged execution. +- Prefer a disposable VM for untrusted execution, dynamic behavior, installers, services, or content that needs a full operating system. +- Use a macOS VM or disposable physical Mac for macOS-specific payloads; a Linux container cannot reproduce macOS code signing, TCC, LaunchServices, Endpoint Security, XProtect, Gatekeeper, or native persistence behavior. +- Default shared folders, clipboard sharing, host sockets, credentials, developer signing identities, cloud tokens, browser profiles, and SSH agents to absent. +- Default network access to off, simulated, or narrowly mediated. Record DNS, routes, packet capture, and any allowed destinations when network behavior matters. +- Revert or destroy disposable environments after exporting only the intended evidence. + +### Agentic Tool Operation + +- Discover the installed tool, version, permissions, data flow, and output location before using it. +- Give an agent only the files, network reachability, credentials, and host capabilities required for the current step. +- Separate read-only discovery, active probing, exploit validation, containment, and remediation into visible operator decisions. +- Keep destructive, persistence-changing, credential-touching, protection-disabling, or production-impacting actions approval-gated. +- Treat tool output as evidence to validate, not as an authoritative conclusion. +- Preserve command lines and machine-readable output where practical so another analyst can reproduce the result. + +### Authorized Testing + +- Require an explicit scope record before active probing: owner, targets, excluded targets, dates, source addresses, accounts, allowed techniques, rate limits, data handling, stop conditions, and notification contacts. +- Stop when target identity changes, a third party enters the path, production stability degrades, sensitive data is exposed beyond the minimum proof, or a test would require destructive impact, persistence, lateral movement, credential harvesting, or denial of service not already authorized. +- Prefer the smallest proof that establishes exploitability and impact. Preserve a non-destructive reproduction whenever possible. + +### Containment And Recovery + +- Distinguish evidence preservation from immediate harm reduction; state plainly when urgent containment may destroy volatile evidence. +- Do not casually disable Gatekeeper, XProtect, SIP, TCC, App Sandbox, endpoint protection, or automatic security updates to make analysis easier. +- Do not claim a host is clean merely because a suspicious process stopped or one artifact was removed. +- Keep containment, eradication, recovery, credential reset, notification, and hardening as separate decisions with their own verification. + +## Phase 0: Plugin Foundation + +- Scaffold `plugins/cybersecurity-skills/` with a valid manifest, local `AGENTS.md`, `skills/`, and assets. +- Add the root marketplace placeholder and update the root plugin inventory. +- Define the common security record, isolation decision matrix, active-test scope record, threat-confidence vocabulary, and report shapes as directly linked references. +- Add child validation that proves folder/frontmatter names, `agents/openai.yaml`, reference targets, machine-local path safety, and the expected skill inventory if no shared validator already covers those checks. +- Record the Codex and Hermes decision for every skill and update generated Hermes exports only for portable guidance. + +## Phase 1: Shared Defensive Foundation + +- `cybersecurity:route-security-work`: classify suspicious content, malware analysis, endpoint investigation, vulnerability validation, authorized testing, incident response, detection, or specialist handoff before tools run. +- `cybersecurity:preserve-security-evidence`: create the shared record, preserve originals, capture volatile-versus-durable evidence, hash artifacts, and document transformations and custody without pretending to provide legal-forensics certification. +- `cybersecurity:assess-and-explain-threat`: separate observations, hypotheses, reputation, behaviors, impact, confidence, and uncertainty; give immediate and long-term advice in language a non-specialist can act on. +- `cybersecurity:select-analysis-isolation`: choose among local read-only inspection, disposable container, Linux VM, macOS VM, remote sandbox, or spare physical device based on the actual threat model. +- `cybersecurity:operate-agentic-security-tools`: constrain agent permissions, mounts, network, secrets, approvals, logging, and cleanup for local CLIs, GUIs, MCP tools, browser tools, and remote analysis services. + +Phase 1 exit criteria: an ambiguous concern can be routed, preserved, isolated, assessed, and explained before a specialist workflow is selected. + +## Phase 2: Suspicious Content And Malware Analysis + +- `cybersecurity:triage-suspicious-content`: inspect files, archives, installers, packages, scripts, documents, profiles, extensions, URLs, QR codes, and messages without executing active content. +- `cybersecurity:check-artifact-reputation`: use hashes, signer/provenance information, vendor sources, threat intelligence, and optionally approved third-party services while recording privacy and sample-upload boundaries. +- `cybersecurity:perform-static-malware-analysis`: inspect metadata, strings, imports, embedded content, configuration, signatures, rules, and likely capabilities; hand binary internals to `reverse-engineering-skills`. +- `cybersecurity:perform-dynamic-malware-analysis`: prepare a disposable environment, establish a baseline, observe process/file/network/persistence behavior, collect evidence, and tear the environment down. +- `cybersecurity:analyze-suspicious-script-or-document`: decode and inspect shell, AppleScript, JavaScript, Python, Office/PDF content, shortcuts, configuration profiles, and staged payload chains without triggering them. +- `cybersecurity:author-yara-x-rules`: write, test, scope, document, and regression-check YARA-X rules against positive and negative fixtures while avoiding brittle family claims. +- `cybersecurity:map-malware-behavior`: map observed behavior to current MITRE ATT&CK techniques without treating ATT&CK labels as proof of actor, campaign, or malware-family identity. + +Phase 2 exit criteria: a suspicious artifact can move from safe intake through static or isolated dynamic analysis to a confidence-calibrated explanation and reusable detection evidence. + +## Phase 3: macOS Defense And Investigation + +- `cybersecurity:assess-macos-threat`: collect exact macOS build, hardware, user context, security-update state, Gatekeeper/quarantine/signing/notarization evidence, XProtect events, and relevant TCC or system-policy context. +- `cybersecurity:inspect-macos-persistence`: inspect login items, launch agents and daemons, system extensions, configuration profiles, shell startup files, browser extensions, scheduled behavior, and other current persistence surfaces without deleting evidence. +- `cybersecurity:inspect-macos-runtime-activity`: correlate processes, ancestry, open files, network connections, unified logs, Endpoint Security or `eslogger` evidence, and user actions with clear permission limits. +- `cybersecurity:use-objective-see-tools`: use the installed Objective-See tools as thin adapters, record the exact tool/version and permissions, and keep domain conclusions in the owning investigation skill. +- `cybersecurity:contain-and-recover-macos`: choose network isolation, process containment, account and credential actions, persistence removal, rebuild/restore, and verification steps proportionate to the evidence. +- `cybersecurity:harden-macos`: improve update posture, FileVault, firewalling, sharing and remote access, browser/extensions, login items, permissions, backups, and user habits without promising perfect prevention. + +Phase 3 exit criteria: an affected Mac can be investigated and contained without weakening platform protections or confusing signature, notarization, quarantine, runtime access, and observed behavior. + +## Phase 4: Vulnerability Research And Authorized Testing + +- `cybersecurity:scope-authorized-security-test`: create the active-test scope record, define rules of engagement, select safe techniques, and identify approvals and stop conditions. +- `cybersecurity:triage-vulnerability-report`: normalize scanner output, advisories, bug reports, CVEs, PoCs, or researcher notes; identify affected assets and missing evidence; route source review to Codex Security when appropriate. +- `cybersecurity:validate-vulnerability`: reproduce the smallest safe proof, distinguish vulnerable code from reachable/exploitable behavior, challenge scanner assumptions, and retain negative results. +- `cybersecurity:assess-exposure-and-impact`: combine affected versions, deployed configuration, reachable attack surface, privileges, data, mitigations, exploit maturity, vendor guidance, CISA KEV status, and business context instead of ranking by CVSS alone. +- `cybersecurity:test-web-and-api-security`: use current OWASP testing guidance, browser/proxy evidence, API schemas, and bounded automated checks against an explicitly authorized target. +- `cybersecurity:test-network-services`: inventory and validate exposed services with bounded discovery and protocol-aware checks; hand protocol implementation questions to `network-protocol-skills`. +- `cybersecurity:report-security-assessment`: produce reproducible findings with evidence, impact, confidence, remediation, retest steps, and a non-specialist executive explanation. + +Phase 4 exit criteria: a supplied or discovered vulnerability can be validated and prioritized without treating a CVE, severity score, scanner match, or exploit template as proof of exposure. + +## Phase 5: Incident Response, Hunting, And Detection + +- `cybersecurity:triage-security-incident`: establish what happened, affected scope, urgency, evidence sources, communication owner, and immediate harm-reduction decisions using the current NIST incident-response lifecycle. +- `cybersecurity:contain-security-incident`: select host, identity, service, network, or application containment while documenting business impact and volatile-evidence tradeoffs. +- `cybersecurity:recover-security-incident`: plan eradication, restore or rebuild, credential rotation, monitoring, validation, return to service, and follow-up hardening. +- `cybersecurity:hunt-security-indicators`: search scoped hosts, logs, files, identities, and network records for supplied indicators or behaviors while recording coverage gaps and false-positive controls. +- `cybersecurity:author-detection-content`: turn validated behavior into YARA-X, Sigma, osquery, or platform-native detection logic with provenance, fixtures, expected telemetry, and regression tests. + +Phase 5 exit criteria: an incident can move from initial report through containment and verified recovery, and validated behaviors can become reusable detections without overstating coverage. + +## Tool And Integration Strategy + +Keep tools behind capability discovery and thin adapters. Do not make installation of every candidate tool a plugin prerequisite. + +### First-Party macOS surfaces + +- `file`, `shasum`, `xattr`, `codesign`, `spctl`, `pkgutil`, `plutil`, `otool`, `lsof`, `nettop`, unified logging, and `eslogger` +- Gatekeeper, notarization, XProtect, quarantine, TCC, SIP, App Sandbox, FileVault, and the application firewall as distinct evidence and protection layers +- Apple Virtualization framework and macOS guests for full-system isolation +- Apple's `container` tool for disposable Linux workloads, with exact-version and network/mount capability checks + +### Malware and endpoint candidates + +- YARA-X for local pattern matching and detection rules +- Objective-See tools for macOS persistence, process, file, network, signing, and blocking workflows +- osquery for reproducible host-state and event queries when its permissions and Endpoint Security support are present +- ClamAV only as one signature engine, never as a safety verdict +- VirusTotal or another remote reputation/sandbox service only after explicit data-egress approval + +### Vulnerability and authorized-test candidates + +- Codex Security for repository and diff scanning when available +- OSV-Scanner for dependency and image advisory matching, with package identity and reachability validation +- OWASP ZAP or an operator-approved intercepting proxy for web/API evidence +- Nuclei for narrowly selected, reviewed templates against authorized targets; never default to broad template execution +- Nmap, Wireshark, and mitmproxy when their exact target, capture, and network boundaries are explicit + +Tool-specific skills should be added only when a tool has a distinct repeated workflow that cannot stay concise in a domain skill. The first planned exception is the Objective-See adapter because its separate macOS apps share an operator workflow but produce different evidence. + +## Realistic Forward Tests + +Forward-test with redistributable, locally generated, or explicitly approved fixtures. Include blocked and uncertain outcomes as first-class results. + +1. A fake signed macOS app bundle with benign but suspicious-looking network and persistence strings. +2. A notarized benign utility whose behavior still warrants a privacy warning. +3. An unsigned script chain inside an archive that downloads a harmless local test payload. +4. A document or shortcut containing obfuscated but non-executed commands. +5. A YARA-X rule with positive fixtures, near-miss negatives, packed/noisy content, and a regression corpus. +6. A disposable Linux container with restricted mounts and networking, plus a test proving that the chosen isolation is insufficient for a macOS payload. +7. A disposable macOS VM with no personal accounts, shared clipboard, host folders, developer identities, or cloud credentials. +8. A deliberately vulnerable local web/API fixture exercised under a written scope record with passive, active, and stop-condition cases. +9. A scanner-reported dependency vulnerability that is present but unreachable, and one that is reachable despite a lower raw severity score. +10. A simulated macOS incident with persistence, process, file, network, and log evidence, including a false-positive lookalike. +11. A non-specialist advice test where the agent must give immediate steps without panic, certainty inflation, or jargon. + +## Documentation And Validation + +- Keep `SKILL.md` procedural and concise. Put tool matrices, output schemas, current platform behavior, and larger examples in directly linked `references/`. +- Give each frontmatter description concrete inputs and user requests that should trigger it. +- Generate matching `agents/openai.yaml` metadata from the final skill content. +- Use official vendor documentation, current tool help, checked-out source, and observed local behavior before community summaries. +- Date version-sensitive platform, threat-intelligence, scanner, and beta claims. Require live confirmation when they affect a conclusion. +- Do not embed malware, exploit payloads, private samples, VM images, tool databases, cloud keys, machine-local paths, or copied proprietary intelligence in the plugin. +- Validate every skill with the skill-authoring validator and run `uv run scripts/validate_socket_metadata.py` after marketplace or manifest changes. +- Export portable skills through the Hermes tap in the same pass and update `skills.sh.json`; document any host-specific tool or Computer Use workflow instead of pretending the Codex manifest is portable. +- Add a checked-in Hermes `mcp_servers` translation only if a later approved `.mcp.json` exists. A guidance-only first release needs no MCP translation or native Hermes plugin. +- Update root README inventory text, `ROADMAP.md`, architecture metadata, marketplace metadata, and version surfaces together when the plugin becomes installable. + +## Source Baseline + +Recheck these sources during implementation; the list was verified on 2026-07-14. + +- [Apple Platform Security: Protecting against malware in macOS](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web) +- [Apple Virtualization framework](https://developer.apple.com/documentation/virtualization) +- [Apple container technical overview](https://github.com/apple/container/blob/main/docs/technical-overview.md) +- [YARA-X documentation](https://virustotal.github.io/yara-x/docs/) +- [Objective-See tools](https://objective-see.org/tools.html) +- [osquery documentation](https://osquery.readthedocs.io/) +- [MITRE ATT&CK macOS matrix](https://attack.mitre.org/matrices/enterprise/macos/) +- [NIST SP 800-61 Rev. 3](https://csrc.nist.gov/pubs/sp/800/61/r3/final) +- [NIST SP 800-115](https://csrc.nist.gov/pubs/sp/800/115/final) +- [OWASP Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) +- [OWASP ZAP documentation](https://www.zaproxy.org/docs/) +- [FIRST CVSS v4.0 specification](https://www.first.org/cvss/v4.0/specification-document) +- [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) +- [OSV-Scanner documentation](https://google.github.io/osv-scanner/) +- [ProjectDiscovery Nuclei documentation](https://docs.projectdiscovery.io/tools/nuclei/overview) + +## Release Decision + +Implement Phases 0 through 3 as the first installable release so the plugin delivers the complete suspicious-content-to-macOS-defense path that motivated it. Include the Phase 4 scope, validation, exposure, and reporting foundations in that release if they validate cleanly; keep broad web/API and network test adapters out rather than rushing unsafe automation. + +Treat the first installable `cybersecurity-skills` release as a Socket minor version. Phases 4 and 5 may land in later minor releases after fixture-driven validation. Any privileged runtime, bundled scanner, MCP server, remote sandbox integration, or autonomous active-testing surface requires a separate explicit architecture and release decision. From e75469bad7ca2e11d4c9aec4d1c7ef8fe4b096ad Mon Sep 17 00:00:00 2001 From: Gale W Date: Tue, 14 Jul 2026 15:00:38 -0400 Subject: [PATCH 2/7] plugin: add cybersecurity skills foundation --- .agents/plugins/marketplace.json | 12 ++ README.md | 1 + .../.codex-plugin/plugin.json | 48 +++++ plugins/cybersecurity-skills/AGENTS.md | 36 ++++ .../assets/cybersecurity-icon.svg | 23 +++ .../scripts/validate_repo_metadata.py | 175 ++++++++++++++++++ .../skills/assess-and-explain-threat/SKILL.md | 42 +++++ .../agents/openai.yaml | 4 + .../references/confidence-and-advice.md | 22 +++ .../operate-agentic-security-tools/SKILL.md | 45 +++++ .../agents/openai.yaml | 4 + .../references/agent-tool-controls.md | 29 +++ .../preserve-security-evidence/SKILL.md | 45 +++++ .../agents/openai.yaml | 4 + .../references/security-record.md | 44 +++++ .../skills/route-security-work/SKILL.md | 42 +++++ .../route-security-work/agents/openai.yaml | 4 + .../references/routing-map.md | 15 ++ .../skills/select-analysis-isolation/SKILL.md | 42 +++++ .../agents/openai.yaml | 4 + .../references/isolation-matrix.md | 14 ++ 21 files changed, 655 insertions(+) create mode 100644 plugins/cybersecurity-skills/.codex-plugin/plugin.json create mode 100644 plugins/cybersecurity-skills/AGENTS.md create mode 100644 plugins/cybersecurity-skills/assets/cybersecurity-icon.svg create mode 100755 plugins/cybersecurity-skills/scripts/validate_repo_metadata.py create mode 100644 plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/assess-and-explain-threat/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/assess-and-explain-threat/references/confidence-and-advice.md create mode 100644 plugins/cybersecurity-skills/skills/operate-agentic-security-tools/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/operate-agentic-security-tools/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/operate-agentic-security-tools/references/agent-tool-controls.md create mode 100644 plugins/cybersecurity-skills/skills/preserve-security-evidence/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/preserve-security-evidence/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/preserve-security-evidence/references/security-record.md create mode 100644 plugins/cybersecurity-skills/skills/route-security-work/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/route-security-work/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/route-security-work/references/routing-map.md create mode 100644 plugins/cybersecurity-skills/skills/select-analysis-isolation/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/select-analysis-isolation/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/select-analysis-isolation/references/isolation-matrix.md diff --git a/.agents/plugins/marketplace.json b/.agents/plugins/marketplace.json index 0abc5f9e..b66b02b4 100644 --- a/.agents/plugins/marketplace.json +++ b/.agents/plugins/marketplace.json @@ -298,6 +298,18 @@ "authentication": "ON_INSTALL" }, "category": "Developer Tools" + }, + { + "name": "cybersecurity-skills", + "source": { + "source": "local", + "path": "./plugins/cybersecurity-skills" + }, + "policy": { + "installation": "NOT_AVAILABLE", + "authentication": "ON_INSTALL" + }, + "category": "Developer Tools" } ] } diff --git a/README.md b/README.md index c55c1565..d0a39312 100644 --- a/README.md +++ b/README.md @@ -153,6 +153,7 @@ Current Socket catalog shape: Placeholder directories for future plugins (not available for install): +- `cybersecurity-skills` - `spotify` ## Development diff --git a/plugins/cybersecurity-skills/.codex-plugin/plugin.json b/plugins/cybersecurity-skills/.codex-plugin/plugin.json new file mode 100644 index 00000000..1bd61e9c --- /dev/null +++ b/plugins/cybersecurity-skills/.codex-plugin/plugin.json @@ -0,0 +1,48 @@ +{ + "name": "cybersecurity-skills", + "version": "9.11.0", + "description": "Defensive cybersecurity, suspicious-content, malware-analysis, macOS, vulnerability, pentest, and incident-response workflows.", + "skills": "./skills/", + "author": { + "name": "Gale", + "email": "mail@galewilliams.com", + "url": "https://github.com/gaelic-ghost" + }, + "homepage": "https://github.com/gaelic-ghost/socket/tree/main/plugins/cybersecurity-skills", + "repository": "https://github.com/gaelic-ghost/socket", + "license": "Apache-2.0", + "keywords": [ + "cybersecurity", + "malware-analysis", + "macos-security", + "incident-response", + "vulnerability-research", + "penetration-testing", + "threat-hunting", + "yara-x", + "defense", + "codex", + "plugin", + "skills" + ], + "interface": { + "displayName": "Cybersecurity Skills", + "shortDescription": "Defensive analysis and authorized security testing workflows.", + "longDescription": "Guide agents from an ambiguous suspicious artifact, host behavior, vulnerability report, or incident to preserved evidence, appropriate isolation, validated findings, proportionate containment, and an understandable defensive explanation. Includes malware analysis, macOS defense, authorized testing, incident response, hunting, and detection content with explicit handoffs to specialist Socket plugins.", + "defaultPrompt": [ + "Help me safely determine whether this suspicious artifact is dangerous.", + "Investigate this Mac without destroying evidence or weakening protections.", + "Validate this vulnerability within an explicitly authorized test scope." + ], + "developerName": "Gale", + "category": "Developer Tools", + "capabilities": [ + "Read", + "Write" + ], + "websiteURL": "https://github.com/gaelic-ghost/socket/tree/main/plugins/cybersecurity-skills", + "brandColor": "#22D3EE", + "composerIcon": "./assets/cybersecurity-icon.svg", + "logo": "./assets/cybersecurity-icon.svg" + } +} diff --git a/plugins/cybersecurity-skills/AGENTS.md b/plugins/cybersecurity-skills/AGENTS.md new file mode 100644 index 00000000..153edfda --- /dev/null +++ b/plugins/cybersecurity-skills/AGENTS.md @@ -0,0 +1,36 @@ +# AGENTS.md + +This file is the Cybersecurity Skills child-repo override for work done from `socket`. Follow the root `socket` guidance for general Git, documentation, release, branch, dependency-provenance, and maintainer workflow rules. + +## Scope + +- `cybersecurity-skills` is a monorepo-owned Socket child and the canonical source of truth for defensive cybersecurity workflow skills. +- Root [`skills/`](./skills/) is the authored workflow surface. +- The repo root is the Codex plugin root through [`.codex-plugin/plugin.json`](./.codex-plugin/plugin.json). +- Keep the first-party payload guidance-only. Do not bundle scanners, malware or exploit samples, privileged helpers, daemons, hooks, MCP servers, VM/container images, tool databases, or remote-service credentials without a separately approved architecture decision. + +## Evidence And Safety Rules + +- Preserve original artifacts and volatile evidence before transformation when practical. Record hashes, versions, timestamps, commands, tool versions, and transformations that support a conclusion. +- Separate observed facts, external intelligence, hypotheses, conclusions, confidence, and unresolved questions. +- Treat signatures, notarization, reputation, severity scores, vulnerability databases, and scanner output as evidence inputs rather than safety or exploitability verdicts. +- Default suspicious-content work to local, non-executing inspection. Require explicit approval before sending private artifacts, URLs, logs, or identifiers to third-party services. +- Choose containers, VMs, remote sandboxes, or spare devices from the actual threat model. Do not present a Linux container as a sufficient macOS malware-analysis environment. +- Keep shared folders, clipboards, host sockets, signing identities, browser profiles, SSH agents, cloud credentials, and unrestricted networking absent from disposable analysis environments unless the task requires and records them. +- Require explicit target authorization and a written scope record before active security testing. Stop on target drift, third-party impact, instability, unexpected sensitive data, or techniques outside the approved rules of engagement. +- Keep containment, eradication, recovery, credential response, notification, hardening, and verification as distinct decisions. +- Give non-specialists direct, calm advice that distinguishes immediate action, remaining uncertainty, and longer-term protection without minimizing or inflating the evidence. + +## Ownership Boundaries + +- Use `reverse-engineering-skills` for binary internals, decompilation, disassembly, symbols, and exact binary comparison after this plugin establishes the security question and artifact identity. +- Use Codex Security for repository-wide or diff-based source vulnerability scanning when installed. Do not duplicate its full scan pipeline here. +- Use `apple-dev-skills` for ordinary Apple app, Endpoint Security, Virtualization, signing, or Xcode implementation after this plugin defines the defensive requirement. +- Use `network-protocol-skills` for protocol construction and repair; keep authorized test scope and observed security behavior here. +- Hand stack-specific remediation to the owning language or framework plugin while retaining the finding, evidence, and acceptance criteria. + +## Validation + +- Keep `SKILL.md` procedural and concise, with tool matrices, schemas, version-sensitive facts, and larger examples in directly linked `references/`. +- Keep every skill portable unless a concrete host-specific tool contract requires otherwise. Update the Hermes export and grouping in the same pass as any portable skill change. +- Run `uv run scripts/validate_repo_metadata.py` from this child root and `uv run scripts/validate_socket_metadata.py` from the Socket root before review. diff --git a/plugins/cybersecurity-skills/assets/cybersecurity-icon.svg b/plugins/cybersecurity-skills/assets/cybersecurity-icon.svg new file mode 100644 index 00000000..668fa19b --- /dev/null +++ b/plugins/cybersecurity-skills/assets/cybersecurity-icon.svg @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + + + + + + + + + diff --git a/plugins/cybersecurity-skills/scripts/validate_repo_metadata.py b/plugins/cybersecurity-skills/scripts/validate_repo_metadata.py new file mode 100755 index 00000000..157b41f7 --- /dev/null +++ b/plugins/cybersecurity-skills/scripts/validate_repo_metadata.py @@ -0,0 +1,175 @@ +#!/usr/bin/env -S uv run --script +# /// script +# requires-python = ">=3.11" +# dependencies = [ +# "pyyaml>=6.0.2,<7", +# ] +# /// +"""Validate the Cybersecurity Skills authored and packaged surfaces.""" + +from __future__ import annotations + +import json +import re +import sys +from dataclasses import dataclass +from pathlib import Path + +import yaml + + +REPO_ROOT = Path(__file__).resolve().parent.parent +SKILLS_ROOT = REPO_ROOT / "skills" +PLUGIN_MANIFEST = REPO_ROOT / ".codex-plugin" / "plugin.json" +SKILL_NAME = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$") +MARKDOWN_LINK = re.compile(r"\[[^]]*]\(([^)]+)\)") +MACHINE_LOCAL_MARKERS = ("/Users/", "~/", "../") + + +@dataclass(frozen=True) +class Finding: + """Describe one actionable metadata validation failure.""" + + path: str + message: str + + +def parse_frontmatter(path: Path) -> tuple[dict[str, object] | None, str, list[Finding]]: + """Split and validate one skill entry point's YAML frontmatter.""" + + text = path.read_text(encoding="utf-8") + relative_path = str(path.relative_to(REPO_ROOT)) + if not text.startswith("---\n"): + return None, text, [Finding(relative_path, "must begin with YAML frontmatter")] + try: + raw_frontmatter, body = text[4:].split("\n---\n", 1) + except ValueError: + return None, text, [Finding(relative_path, "has unterminated YAML frontmatter")] + try: + parsed = yaml.safe_load(raw_frontmatter) + except yaml.YAMLError as error: + return None, body, [Finding(relative_path, f"has invalid YAML frontmatter: {error}")] + if not isinstance(parsed, dict): + return None, body, [Finding(relative_path, "frontmatter must be a YAML mapping")] + return parsed, body, [] + + +def validate_links(path: Path, body: str) -> list[Finding]: + """Check that relative Markdown links remain inside the plugin and resolve.""" + + findings: list[Finding] = [] + for target in MARKDOWN_LINK.findall(body): + if target.startswith(("https://", "http://", "#", "mailto:")): + continue + relative_target = target.split("#", 1)[0] + if not relative_target: + continue + resolved = (path.parent / relative_target).resolve() + try: + resolved.relative_to(REPO_ROOT.resolve()) + except ValueError: + findings.append(Finding(str(path.relative_to(REPO_ROOT)), f"links outside the plugin root: {target}")) + continue + if not resolved.exists(): + findings.append(Finding(str(path.relative_to(REPO_ROOT)), f"links to a missing local resource: {target}")) + return findings + + +def validate_openai_yaml(skill_dir: Path) -> list[Finding]: + """Validate one skill's OpenAI interface metadata.""" + + path = skill_dir / "agents" / "openai.yaml" + relative_path = str(path.relative_to(REPO_ROOT)) + try: + data = yaml.safe_load(path.read_text(encoding="utf-8")) + except FileNotFoundError: + return [Finding(str(skill_dir.relative_to(REPO_ROOT)), "is missing agents/openai.yaml")] + except yaml.YAMLError as error: + return [Finding(relative_path, f"contains invalid YAML: {error}")] + if not isinstance(data, dict) or not isinstance(data.get("interface"), dict): + return [Finding(relative_path, "must define an interface mapping")] + findings: list[Finding] = [] + interface = data["interface"] + for key in ("display_name", "short_description", "default_prompt"): + value = interface.get(key) + if not isinstance(value, str) or not value.strip(): + findings.append(Finding(relative_path, f"interface.{key} must be a non-empty string")) + short_description = interface.get("short_description") + if isinstance(short_description, str) and not 25 <= len(short_description) <= 64: + findings.append(Finding(relative_path, "interface.short_description must be 25 to 64 characters")) + default_prompt = interface.get("default_prompt") + if isinstance(default_prompt, str) and f"${skill_dir.name}" not in default_prompt: + findings.append(Finding(relative_path, f"interface.default_prompt must mention `${skill_dir.name}` explicitly")) + return findings + + +def validate_skill(skill_dir: Path) -> list[Finding]: + """Validate one authored skill folder.""" + + path = skill_dir / "SKILL.md" + if not path.is_file(): + return [Finding(str(skill_dir.relative_to(REPO_ROOT)), "is missing its required SKILL.md")] + frontmatter, body, findings = parse_frontmatter(path) + if frontmatter is not None: + unexpected = sorted(set(frontmatter) - {"name", "description"}) + if unexpected: + findings.append(Finding(str(path.relative_to(REPO_ROOT)), f"frontmatter contains unsupported fields: {', '.join(unexpected)}")) + name = frontmatter.get("name") + if name != skill_dir.name: + findings.append(Finding(str(path.relative_to(REPO_ROOT)), f"frontmatter name must match directory `{skill_dir.name}`")) + if not isinstance(name, str) or not SKILL_NAME.fullmatch(name): + findings.append(Finding(str(path.relative_to(REPO_ROOT)), "frontmatter name violates skill naming rules")) + description = frontmatter.get("description") + if not isinstance(description, str) or not description.strip(): + findings.append(Finding(str(path.relative_to(REPO_ROOT)), "frontmatter description must be non-empty")) + elif len(description) > 1024: + findings.append(Finding(str(path.relative_to(REPO_ROOT)), "frontmatter description exceeds 1024 characters")) + if "TODO" in body: + findings.append(Finding(str(path.relative_to(REPO_ROOT)), "contains unresolved TODO scaffold text")) + for marker in MACHINE_LOCAL_MARKERS: + if marker in body: + findings.append(Finding(str(path.relative_to(REPO_ROOT)), f"contains prohibited path marker `{marker}`")) + findings.extend(validate_links(path, body)) + findings.extend(validate_openai_yaml(skill_dir)) + return findings + + +def validate_manifest() -> list[Finding]: + """Validate the plugin identity and authored skill export.""" + + try: + data = json.loads(PLUGIN_MANIFEST.read_text(encoding="utf-8")) + except FileNotFoundError: + return [Finding(str(PLUGIN_MANIFEST.relative_to(REPO_ROOT)), "is missing")] + except json.JSONDecodeError as error: + return [Finding(str(PLUGIN_MANIFEST.relative_to(REPO_ROOT)), f"contains invalid JSON: {error}")] + findings: list[Finding] = [] + if not isinstance(data, dict): + return [Finding(str(PLUGIN_MANIFEST.relative_to(REPO_ROOT)), "must be a JSON object")] + if data.get("name") != "cybersecurity-skills": + findings.append(Finding(str(PLUGIN_MANIFEST.relative_to(REPO_ROOT)), "must use plugin name `cybersecurity-skills`")) + if data.get("skills") != "./skills/": + findings.append(Finding(str(PLUGIN_MANIFEST.relative_to(REPO_ROOT)), "must export the authored ./skills/ directory")) + return findings + + +def main() -> int: + """Run plugin-local validation and return a shell-compatible status.""" + + findings = validate_manifest() + skill_dirs = sorted(path for path in SKILLS_ROOT.iterdir() if path.is_dir()) if SKILLS_ROOT.is_dir() else [] + if not skill_dirs: + findings.append(Finding("skills", "must contain at least one exported skill directory")) + for skill_dir in skill_dirs: + findings.extend(validate_skill(skill_dir)) + if findings: + print("Cybersecurity Skills validation failed:", file=sys.stderr) + for finding in findings: + print(f"- {finding.path}: {finding.message}", file=sys.stderr) + return 1 + print(f"Cybersecurity Skills validation passed for {len(skill_dirs)} skills.") + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md b/plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md new file mode 100644 index 00000000..bb92931e --- /dev/null +++ b/plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md @@ -0,0 +1,42 @@ +--- +name: assess-and-explain-threat +description: Assess whether suspicious evidence indicates a real threat and explain the result in practical language. Use when a person needs a confidence-calibrated conclusion, immediate protective actions, remaining uncertainty, impact, or understandable advice after artifact, endpoint, vulnerability, identity, or incident evidence has been collected. +--- + +# Assess And Explain Threat + +## Overview + +Turn mixed evidence into a proportionate conclusion and advice the affected person can follow. Do not collapse signatures, reputation, scanner output, or unusual behavior into a binary safe/malicious verdict. + +Read [references/confidence-and-advice.md](references/confidence-and-advice.md) for conclusion vocabulary and the explanation shape. + +## Workflow + +1. Restate the decision. + - Identify what the user must decide now and what can wait for more evidence. + +2. Grade evidence by directness. + - Separate direct observations, reproducible behaviors, vendor or threat-intelligence claims, weak indicators, absence of findings, and speculation. + - Record contradicting evidence and coverage gaps. + +3. Assess behavior and impact. + - State what access, execution, persistence, collection, credential use, network behavior, or data exposure is observed or technically plausible. + - Distinguish capability from intent and artifact presence from successful compromise. + +4. Choose a calibrated classification. + - Use one classification from the reference and state confidence separately. + - Name the strongest supporting evidence and what would change the conclusion. + +5. Give proportionate advice. + - Put urgent harm-reduction actions first. + - Separate containment, evidence preservation, recovery, credential actions, notification, and long-term hardening. + - Avoid destructive cleanup when evidence is weak and reversible isolation is available. + +6. Explain plainly. + - Answer whether the concern is dangerous, what it appears to do, what is known versus inferred, what to do now, and when to escalate. + - Define specialist terms at first use and avoid fear-amplifying language. + +## Output + +Return the conclusion, confidence, decisive evidence, contradictions/gaps, immediate actions, follow-up analysis, and a short non-specialist explanation. diff --git a/plugins/cybersecurity-skills/skills/assess-and-explain-threat/agents/openai.yaml b/plugins/cybersecurity-skills/skills/assess-and-explain-threat/agents/openai.yaml new file mode 100644 index 00000000..e09427a1 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/assess-and-explain-threat/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Assess And Explain Threat" + short_description: "Calibrate threat confidence and explain practical risk" + default_prompt: "Use $assess-and-explain-threat to turn this evidence into a clear, proportionate security assessment." diff --git a/plugins/cybersecurity-skills/skills/assess-and-explain-threat/references/confidence-and-advice.md b/plugins/cybersecurity-skills/skills/assess-and-explain-threat/references/confidence-and-advice.md new file mode 100644 index 00000000..53f6cd40 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/assess-and-explain-threat/references/confidence-and-advice.md @@ -0,0 +1,22 @@ +# Confidence And Advice + +## Classification + +- `confirmed malicious`: direct, reproducible evidence establishes malicious behavior for the tested question. +- `likely malicious`: multiple independent indicators support malicious behavior, but a decisive observation remains missing. +- `suspicious but unresolved`: behavior or provenance warrants isolation and follow-up, while benign explanations remain credible. +- `likely benign or expected`: observed behavior matches a legitimate explanation and no material malicious evidence was found in the tested scope. +- `confirmed benign for the tested question`: a controlled fixture, authoritative source, or complete reproduction resolves the specific concern; do not generalize beyond it. +- `insufficient evidence`: available evidence cannot support a responsible conclusion. + +State confidence as high, medium, or low and explain why. Confidence describes evidence quality, not severity. + +## Plain-Language Shape + +1. “Based on what we checked, this is …” +2. “The strongest evidence is …” +3. “We still do not know …” +4. “Do this now …” +5. “Do this next if …” + +Avoid “safe,” “clean,” or “hacked” without a bounded definition and supporting evidence. diff --git a/plugins/cybersecurity-skills/skills/operate-agentic-security-tools/SKILL.md b/plugins/cybersecurity-skills/skills/operate-agentic-security-tools/SKILL.md new file mode 100644 index 00000000..a0189fb2 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/operate-agentic-security-tools/SKILL.md @@ -0,0 +1,45 @@ +--- +name: operate-agentic-security-tools +description: Operate security tools through an AI agent with explicit authority and evidence boundaries. Use when an agent may invoke local CLIs, GUI apps, browser automation, MCP servers, remote scanners, sandboxes, vulnerability tools, packet tools, or containment actions and permissions, mounts, network, secrets, approvals, logging, output, and cleanup must be constrained. +--- + +# Operate Agentic Security Tools + +## Overview + +Give the agent only the authority needed for the current security step and keep tool output reproducible. Separate discovery, active testing, exploit validation, containment, and remediation into visible decisions. + +Read [references/agent-tool-controls.md](references/agent-tool-controls.md) for the preflight record and control checklist. + +## Workflow + +1. Define the tool's job. + - State the security question, expected input/output, target, and why this tool is appropriate. + - Prefer read-only or offline operation when it can answer the question. + +2. Discover capability before use. + - Record source, installed path or remote service, version, supported formats, privileges, network behavior, telemetry, and output location. + - Treat missing tools or unusable integrations as results; do not invent output. + +3. Minimize authority. + - Limit readable/writable paths, target list, network destinations, credentials, environment variables, device access, and execution duration. + - Use temporary scoped credentials and disposable environments when credentials are unavoidable. + +4. Gate consequential actions. + - Require an operator decision before active probing, exploit execution, persistence changes, credential access, security-control changes, destructive operations, production writes, or third-party uploads. + - Display the exact target and likely effect before approval. + +5. Preserve evidence. + - Record commands or UI actions, configuration, timestamps, exit status, raw output, tool errors, and transformations. + - Validate high-impact findings with an independent observation or smallest safe reproduction. + +6. Clean up and verify. + - Remove temporary mounts, ports, tokens, sessions, files, rules, and isolated environments. + - Report what remains installed, running, reachable, or retained. + +## Guardrails + +- Do not grant broad host or cloud access merely to reduce approval prompts. +- Do not let an agent expand active-test scope from discovered targets. +- Do not treat an MCP server, GUI automation layer, or tool plugin as a trust boundary. +- Do not obscure failures behind a synthesized security conclusion. diff --git a/plugins/cybersecurity-skills/skills/operate-agentic-security-tools/agents/openai.yaml b/plugins/cybersecurity-skills/skills/operate-agentic-security-tools/agents/openai.yaml new file mode 100644 index 00000000..57ecd3d8 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/operate-agentic-security-tools/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Operate Agentic Security Tools" + short_description: "Constrain agent permissions, targets, evidence, and cleanup" + default_prompt: "Use $operate-agentic-security-tools to constrain this agent-driven security tool run." diff --git a/plugins/cybersecurity-skills/skills/operate-agentic-security-tools/references/agent-tool-controls.md b/plugins/cybersecurity-skills/skills/operate-agentic-security-tools/references/agent-tool-controls.md new file mode 100644 index 00000000..de1209e1 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/operate-agentic-security-tools/references/agent-tool-controls.md @@ -0,0 +1,29 @@ +# Agent Security Tool Controls + +Record before execution: + +```markdown +- Security question: +- Tool/source/version: +- Target and exclusions: +- Read paths: +- Write paths: +- Network destinations: +- Credentials and lifetime: +- Required privileges: +- Approval-gated actions: +- Output and evidence path: +- Timeout/stop condition: +- Cleanup and verification: +``` + +Use distinct approvals for: + +1. sending data off-device; +2. probing a live target; +3. executing a proof of concept; +4. changing persistence or security controls; +5. accessing credentials or private data; +6. containment or remediation that can disrupt service. + +An approval authorizes the described action, not adjacent targets or follow-on techniques. diff --git a/plugins/cybersecurity-skills/skills/preserve-security-evidence/SKILL.md b/plugins/cybersecurity-skills/skills/preserve-security-evidence/SKILL.md new file mode 100644 index 00000000..6a4bbacc --- /dev/null +++ b/plugins/cybersecurity-skills/skills/preserve-security-evidence/SKILL.md @@ -0,0 +1,45 @@ +--- +name: preserve-security-evidence +description: Preserve and document security evidence before analysis, containment, or remediation changes it. Use for suspicious artifacts, volatile host state, vulnerability validation, incident records, logs, screenshots, commands, hashes, timelines, transformations, and analyst handoffs that need reproducible provenance without claiming legal-forensics certification. +--- + +# Preserve Security Evidence + +## Overview + +Create a reproducible security record while keeping originals and observations distinct from transformed working material. Prioritize volatile evidence when delay would erase it, but state when urgent harm reduction must take precedence. + +Read [references/security-record.md](references/security-record.md) for the shared record and transformation shapes. + +## Workflow + +1. Define the question and evidence owner. + - Record the affected person/system, requested decision, acquisition source, time, and analyst. + - Record authorization and disclosure limits when they matter. + +2. Separate original and working material. + - Avoid opening active content during preservation. + - Copy artifacts into a clearly named working area when analysis requires mutation. + - Record every extraction, decoding, re-sign, patch, conversion, or replay as a transformation that creates a new artifact identity. + +3. Capture stable identity. + - Record paths or logical identifiers, sizes, timestamps, cryptographic hashes, versions, bundle/package identifiers, UUIDs, signer identity, and source URLs when applicable. + - Record tool name, version, command, configuration, and environment for consequential observations. + +4. Prioritize volatile state. + - Capture time, logged-in users, processes and ancestry, open files, network state, relevant memory or runtime telemetry, and transient logs only when authorized and proportionate. + - Do not collect unrelated personal or secret data merely because access is available. + +5. Maintain evidence quality. + - Store observations, external intelligence, hypotheses, conclusions, and disproven hypotheses separately. + - Preserve raw output alongside summaries when safe. + - Mark missing data, collection failures, time skew, incomplete coverage, and evidence destroyed by containment. + +6. Produce a handoff. + - State which inputs are originals, which are working copies, what changed, and which next workflow should consume them. + +## Guardrails + +- Do not call ordinary engineering notes a legally sufficient chain of custody. +- Do not upload evidence to a third party without explicit approval and a data-egress explanation. +- Do not overwrite an original with a cleaned, extracted, or transformed copy. diff --git a/plugins/cybersecurity-skills/skills/preserve-security-evidence/agents/openai.yaml b/plugins/cybersecurity-skills/skills/preserve-security-evidence/agents/openai.yaml new file mode 100644 index 00000000..6c924cfb --- /dev/null +++ b/plugins/cybersecurity-skills/skills/preserve-security-evidence/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Preserve Security Evidence" + short_description: "Preserve artifacts, volatile state, and provenance" + default_prompt: "Use $preserve-security-evidence to create a reproducible evidence record before anything changes." diff --git a/plugins/cybersecurity-skills/skills/preserve-security-evidence/references/security-record.md b/plugins/cybersecurity-skills/skills/preserve-security-evidence/references/security-record.md new file mode 100644 index 00000000..d07a99b1 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/preserve-security-evidence/references/security-record.md @@ -0,0 +1,44 @@ +# Shared Security Record + +```markdown +## Question And Scope +- Requested decision: +- Affected surface: +- Owner/authorization: +- Time window: + +## Identity +- Artifact, host, account, service, or target: +- Source/acquisition: +- Hashes, versions, build, hardware, identifiers: + +## Preservation +- Original preserved: +- Working copies: +- Volatile evidence captured or missed: + +## Observations +- Fact — source/tool/time: + +## External Intelligence +- Claim — source/date checked: + +## Hypotheses +- Hypothesis — supporting and contradicting evidence: + +## Assessment +- Classification: +- Confidence: +- Impact: +- Evidence that would change the conclusion: + +## Actions +- Immediate containment: +- Recovery: +- Longer-term hardening: + +## Plain-Language Explanation +- ... +``` + +For every transformation, record the input identity, operation, tool/version, output identity, timestamp, and reason. Treat the output as a new artifact. diff --git a/plugins/cybersecurity-skills/skills/route-security-work/SKILL.md b/plugins/cybersecurity-skills/skills/route-security-work/SKILL.md new file mode 100644 index 00000000..1202e617 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/route-security-work/SKILL.md @@ -0,0 +1,42 @@ +--- +name: route-security-work +description: Route an ambiguous cybersecurity request before tools run. Use for suspicious files, links, messages, host behavior, malware questions, vulnerability reports, authorized pentests, security incidents, threat hunting, detection work, or security advice when the correct workflow and specialist owner are not yet clear. +--- + +# Route Security Work + +## Overview + +Turn the user's concern into one bounded security question, identify the affected surface, and select the smallest safe owner workflow. Do not begin active probing or execute suspicious content during routing. + +Read [references/routing-map.md](references/routing-map.md) when ownership or the difference between investigation, testing, response, and remediation is unclear. + +## Workflow + +1. State the requested decision. + - Capture what the user needs to know or do now. + - Separate “is this dangerous?” from “how does it work?”, “am I affected?”, and “how do I fix it?”. + +2. Identify the surface. + - Classify the primary subject as content or artifact, endpoint, identity, network/service, application/source, vulnerability report, or active incident. + - Record the relevant artifact, host, account, service, repository, target, and time window. + +3. Establish authority and urgency. + - For inspection and defensive response, confirm the user controls or is responsible for the affected surface. + - Before active testing, require the target owner, allowed targets, exclusions, time window, techniques, stop conditions, and contacts. + - If harm is ongoing, route immediate containment separately from evidence preservation. + +4. Choose the next owner. + - Use `preserve-security-evidence` before transformations or volatile state disappears. + - Use `select-analysis-isolation` before opening or executing untrusted content. + - Use `assess-and-explain-threat` when evidence exists but the practical conclusion is unclear. + - Route deep binary work to `reverse-engineering-skills` and repository-wide source scans to Codex Security when available. + - Route ordinary implementation or remediation to the owning Apple, protocol, language, or framework skill after the security acceptance criteria are explicit. + +5. Report the route. + - Name the selected workflow, why it fits, what is intentionally deferred, and the first non-destructive action. + - Preserve uncertainty rather than selecting a dramatic path from weak evidence. + +## Output + +Return the security question, affected surface, urgency, authority/scope state, selected owner, first safe action, and any immediate stop condition. diff --git a/plugins/cybersecurity-skills/skills/route-security-work/agents/openai.yaml b/plugins/cybersecurity-skills/skills/route-security-work/agents/openai.yaml new file mode 100644 index 00000000..b51e5a0a --- /dev/null +++ b/plugins/cybersecurity-skills/skills/route-security-work/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Route Security Work" + short_description: "Choose the safest cybersecurity workflow and owner" + default_prompt: "Use $route-security-work to route this security concern before running tools." diff --git a/plugins/cybersecurity-skills/skills/route-security-work/references/routing-map.md b/plugins/cybersecurity-skills/skills/route-security-work/references/routing-map.md new file mode 100644 index 00000000..f51f2f30 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/route-security-work/references/routing-map.md @@ -0,0 +1,15 @@ +# Security Workflow Routing Map + +| Primary question | Owning workflow | Common handoff | +| --- | --- | --- | +| What is this suspicious file, link, message, profile, package, or document? | `triage-suspicious-content` | Static malware analysis or script/document analysis | +| Is this artifact known, signed, reputable, or reported elsewhere? | `check-artifact-reputation` | Threat assessment | +| What could this artifact do without running it? | `perform-static-malware-analysis` | Reverse engineering for binary internals | +| What did it do in a disposable environment? | `perform-dynamic-malware-analysis` | Behavior mapping or detection content | +| Is this Mac affected and what should change now? | `assess-macos-threat` | Persistence/runtime inspection or containment | +| Is this vulnerability real and reachable here? | `validate-vulnerability` | Exposure assessment or stack remediation | +| May we actively test this target? | `scope-authorized-security-test` | Web/API or network-service testing | +| Is harm occurring across a system or organization? | `triage-security-incident` | Containment and recovery | +| How do I explain the result to the affected person? | `assess-and-explain-threat` | Security assessment report | + +Do not route solely from a tool name. Start from the decision the user needs and the surface that may be affected. diff --git a/plugins/cybersecurity-skills/skills/select-analysis-isolation/SKILL.md b/plugins/cybersecurity-skills/skills/select-analysis-isolation/SKILL.md new file mode 100644 index 00000000..712d1ec3 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/select-analysis-isolation/SKILL.md @@ -0,0 +1,42 @@ +--- +name: select-analysis-isolation +description: Select and configure an isolation boundary before inspecting or executing untrusted content. Use when choosing among local read-only analysis, a disposable container, Linux VM, macOS VM, remote sandbox, or spare physical device and deciding network, mount, clipboard, credential, device, snapshot, evidence-export, and teardown controls. +--- + +# Select Analysis Isolation + +## Overview + +Choose the smallest environment that contains the behaviors the analysis may trigger and can still reproduce the target platform. Treat isolation as a set of controls to verify, not a label supplied by a product. + +Read [references/isolation-matrix.md](references/isolation-matrix.md) before selecting an environment for execution or privileged tooling. + +## Workflow + +1. Identify the behavior to contain. + - Record target OS/runtime, expected privilege, kernel or device access, persistence, networking, anti-VM behavior, and data sensitivity. + +2. Choose the environment. + - Use local read-only inspection for non-executing metadata and text extraction. + - Use a disposable container for bounded Linux user-space tooling when VM-level isolation and target-platform behavior are unnecessary. + - Use a disposable VM for installers, services, dynamic behavior, or full-OS effects. + - Use a macOS VM or spare Mac for macOS payload behavior; do not substitute a Linux container. + - Use a remote sandbox only after data-egress approval and provider-capability review. + +3. Remove ambient authority. + - Exclude personal accounts, host directories, shared clipboard, drag/drop, host sockets, USB/device passthrough, SSH agent, developer certificates, browser profiles, password stores, cloud tokens, and unrelated secrets. + +4. Constrain networking. + - Default to no network or a simulated service. + - If external traffic is required, allow only recorded destinations through a monitored boundary and capture DNS/routes/packets proportionately. + +5. Establish lifecycle evidence. + - Record base image or restore image, OS build, tool versions, configuration, snapshot, clocks, and baseline state. + - Define exactly which evidence may be exported and how it will be scanned before reaching the host. + +6. Verify teardown. + - Stop the workload, export intended evidence, revert or destroy disposable state, revoke temporary credentials, and confirm no host share or forwarded port remains. + +## Stop Conditions + +Stop before execution when the environment cannot reproduce the target platform, the isolation controls cannot be verified, or the task requires host secrets or privileges beyond the approved analysis plan. diff --git a/plugins/cybersecurity-skills/skills/select-analysis-isolation/agents/openai.yaml b/plugins/cybersecurity-skills/skills/select-analysis-isolation/agents/openai.yaml new file mode 100644 index 00000000..3d560ab3 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/select-analysis-isolation/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Select Analysis Isolation" + short_description: "Choose safe container, VM, sandbox, or device isolation" + default_prompt: "Use $select-analysis-isolation to choose and verify a safe environment for this untrusted workload." diff --git a/plugins/cybersecurity-skills/skills/select-analysis-isolation/references/isolation-matrix.md b/plugins/cybersecurity-skills/skills/select-analysis-isolation/references/isolation-matrix.md new file mode 100644 index 00000000..2f5cab59 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/select-analysis-isolation/references/isolation-matrix.md @@ -0,0 +1,14 @@ +# Isolation Matrix + +| Environment | Good fit | Not sufficient for | +| --- | --- | --- | +| Local read-only inspection | Hashing, metadata, signatures, archive listing, strings, rule scans | Any active-content execution | +| Disposable Linux container | Untrusted Linux user-space tools, parsers, reproducible CLI pipelines | macOS behavior, kernel threats, device access, privileged hostile code | +| Disposable Linux VM | Linux installers, services, full-system behavior, kernel/network observations | Native macOS behavior | +| Disposable macOS VM | macOS apps, packages, scripts, signing/quarantine/TCC/persistence behavior | Hardware-specific or anti-VM behavior that requires a spare device | +| Spare physical device | Hardware-dependent or VM-evasive behavior | Casual analysis without a reliable erase/rebuild plan | +| Remote sandbox | Approved commodity sample detonation and shared intelligence | Private artifacts, secrets, custom software, or behavior the provider cannot reproduce | + +For Apple silicon, verify exact host/guest OS support and the chosen Virtualization tool's clipboard, directory-share, network, and snapshot behavior. Apple's `container` uses lightweight Linux VMs but remains a Linux workload surface, not a macOS guest. + +Sources: [Apple Virtualization](https://developer.apple.com/documentation/virtualization) and [Apple container technical overview](https://github.com/apple/container/blob/main/docs/technical-overview.md). From a4c8e0ff5e7fdf4dac98ad94ce94328683b2f3b1 Mon Sep 17 00:00:00 2001 From: Gale W Date: Tue, 14 Jul 2026 15:03:10 -0400 Subject: [PATCH 3/7] security: add malware analysis workflows --- .../SKILL.md | 38 ++++++++++++++++++ .../agents/openai.yaml | 4 ++ .../references/script-document-analysis.md | 11 ++++++ .../skills/author-yara-x-rules/SKILL.md | 36 +++++++++++++++++ .../author-yara-x-rules/agents/openai.yaml | 4 ++ .../references/yara-x-rule-quality.md | 15 +++++++ .../skills/check-artifact-reputation/SKILL.md | 39 +++++++++++++++++++ .../agents/openai.yaml | 4 ++ .../references/reputation-evidence.md | 19 +++++++++ .../skills/map-malware-behavior/SKILL.md | 32 +++++++++++++++ .../map-malware-behavior/agents/openai.yaml | 4 ++ .../references/behavior-mapping.md | 14 +++++++ .../perform-dynamic-malware-analysis/SKILL.md | 34 ++++++++++++++++ .../agents/openai.yaml | 4 ++ .../references/dynamic-observation-plan.md | 34 ++++++++++++++++ .../perform-static-malware-analysis/SKILL.md | 33 ++++++++++++++++ .../agents/openai.yaml | 4 ++ .../references/static-analysis-layers.md | 11 ++++++ .../skills/triage-suspicious-content/SKILL.md | 38 ++++++++++++++++++ .../agents/openai.yaml | 4 ++ .../references/content-preflight.md | 12 ++++++ 21 files changed, 394 insertions(+) create mode 100644 plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/references/script-document-analysis.md create mode 100644 plugins/cybersecurity-skills/skills/author-yara-x-rules/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/author-yara-x-rules/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/author-yara-x-rules/references/yara-x-rule-quality.md create mode 100644 plugins/cybersecurity-skills/skills/check-artifact-reputation/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/check-artifact-reputation/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/check-artifact-reputation/references/reputation-evidence.md create mode 100644 plugins/cybersecurity-skills/skills/map-malware-behavior/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/map-malware-behavior/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/map-malware-behavior/references/behavior-mapping.md create mode 100644 plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/references/dynamic-observation-plan.md create mode 100644 plugins/cybersecurity-skills/skills/perform-static-malware-analysis/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/perform-static-malware-analysis/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/perform-static-malware-analysis/references/static-analysis-layers.md create mode 100644 plugins/cybersecurity-skills/skills/triage-suspicious-content/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/triage-suspicious-content/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/triage-suspicious-content/references/content-preflight.md diff --git a/plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/SKILL.md b/plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/SKILL.md new file mode 100644 index 00000000..1840e36d --- /dev/null +++ b/plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/SKILL.md @@ -0,0 +1,38 @@ +--- +name: analyze-suspicious-script-or-document +description: Decode and analyze suspicious scripts and active documents without triggering them. Use for shell, AppleScript, JavaScript, Python, PowerShell, shortcuts, Office files, PDFs, configuration profiles, encoded commands, macros, embedded objects, external templates, staged downloads, or mixed document-to-script payload chains. +--- + +# Analyze Suspicious Script Or Document + +## Overview + +Recover the execution chain as data. Use parsers and text extraction in isolation, avoid native handlers, and make each decoding transformation reproducible. + +Read [references/script-document-analysis.md](references/script-document-analysis.md) for language and document-specific checks. + +## Workflow + +1. Preserve the original and identify the real container/type. +2. Extract without activation. + - List document members and relationships; extract text, metadata, macros, JavaScript, forms, links, embedded files, and external references with non-executing tooling. + - Render URLs and commands as inert text. +3. Normalize one layer at a time. + - Decode base64/hex/URL escapes, string concatenation, compression, character arithmetic, environment substitution, and generated commands. + - Record input, operation, tool, and output hash for every layer. +4. Reconstruct control and data flow. + - Identify entry conditions, interpreter, downloaded content, execution methods, persistence, credential/file access, network destinations, cleanup, and environment gates. +5. Separate capability from execution. + - State which branches are present, which inputs activate them, and which behaviors remain inferred. +6. Route payloads. + - Send recovered binaries to static/reverse analysis and use dynamic analysis only inside chosen isolation. + +## Guardrails + +- Do not paste decoded commands into an executing shell. +- Do not enable macros, install profiles, follow links, or import shortcuts during static analysis. +- Do not use a cloud document parser for private content without approval. + +## Output + +Return container identity, recovered layers, execution chain, indicators, activation conditions, likely impact, uncertainty, and safe next step. diff --git a/plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/agents/openai.yaml b/plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/agents/openai.yaml new file mode 100644 index 00000000..d3f31070 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Analyze Suspicious Script Or Document" + short_description: "Decode active scripts and documents without execution" + default_prompt: "Use $analyze-suspicious-script-or-document to recover this active-content chain safely." diff --git a/plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/references/script-document-analysis.md b/plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/references/script-document-analysis.md new file mode 100644 index 00000000..c445ad0d --- /dev/null +++ b/plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/references/script-document-analysis.md @@ -0,0 +1,11 @@ +# Script And Document Analysis + +| Surface | Inspect | Avoid during static work | +| --- | --- | --- | +| Shell/AppleScript | interpreters, expansions, heredocs, pipelines, `osascript`, downloads, launch/persistence commands | sourcing or command substitution | +| JavaScript/Python/PowerShell | imports, eval/exec, network, filesystem, subprocess, encoded strings, environment gates | native interpreter execution | +| Office/Open XML | relationships, macros, embedded OLE, external templates, DDE, links | opening with macros or external content enabled | +| PDF | objects, streams, JavaScript, actions, forms, launch/URI entries, embedded files | native preview/browser rendering before parser review | +| Shortcuts/profiles | declared actions or payloads, permissions, certificates, URLs, management settings | importing, installing, or approving payloads | + +Prefer format-aware parsers inside a disposable environment. Parser failure or malformed structure is evidence to preserve, not a reason to open the file normally. diff --git a/plugins/cybersecurity-skills/skills/author-yara-x-rules/SKILL.md b/plugins/cybersecurity-skills/skills/author-yara-x-rules/SKILL.md new file mode 100644 index 00000000..f6f4b25c --- /dev/null +++ b/plugins/cybersecurity-skills/skills/author-yara-x-rules/SKILL.md @@ -0,0 +1,36 @@ +--- +name: author-yara-x-rules +description: Author, test, tune, and document YARA-X detection rules from validated artifact evidence. Use when malware, suspicious files, scripts, documents, or binary features need local pattern detection with stable discriminators, metadata, positive and negative fixtures, performance checks, false-positive review, rule provenance, and regression testing. +--- + +# Author YARA-X Rules + +## Overview + +Create rules that detect the validated property the evidence supports, not a broader malware-family claim. Prefer structural combinations over unique-looking strings copied from one sample. + +Read [references/yara-x-rule-quality.md](references/yara-x-rule-quality.md) before selecting patterns or declaring coverage. + +## Workflow + +1. Define the detection objective and non-goals. +2. Build the fixture set. + - Preserve representative positive samples and near-miss benign negatives with hashes and provenance. + - Use synthetic or redistributable fixtures for repository tests. +3. Select discriminators. + - Prefer format/module facts, byte structures, stable code/config fragments, and combinations of independently meaningful strings. + - Avoid mutable infrastructure, compiler boilerplate, paths, timestamps, or one generic API name as decisive evidence. +4. Author metadata and conditions. + - Include purpose, author, date, source/evidence reference, scope, confidence, and known limitations. + - Bound file type and size where it improves correctness or performance. +5. Validate with current YARA-X. + - Record version; compile/lint the rule; test all positives, negatives, malformed inputs, and a bounded benign corpus. + - Investigate timeouts, warnings, and module-undefined behavior. +6. Review false positives and coverage. + - Tune by improving evidence combinations, not by accumulating arbitrary exclusions. +7. Preserve regression evidence. + - Store allowed fixtures or deterministic generators, expected matches/non-matches, and rule revision. + +## Output + +Return the rule, objective, evidence basis, fixture results, performance notes, known misses/false positives, and deployment limits. diff --git a/plugins/cybersecurity-skills/skills/author-yara-x-rules/agents/openai.yaml b/plugins/cybersecurity-skills/skills/author-yara-x-rules/agents/openai.yaml new file mode 100644 index 00000000..cb48832d --- /dev/null +++ b/plugins/cybersecurity-skills/skills/author-yara-x-rules/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Author YARA-X Rules" + short_description: "Build evidence-backed YARA-X rules with regression tests" + default_prompt: "Use $author-yara-x-rules to create and test a narrow detection rule from this evidence." diff --git a/plugins/cybersecurity-skills/skills/author-yara-x-rules/references/yara-x-rule-quality.md b/plugins/cybersecurity-skills/skills/author-yara-x-rules/references/yara-x-rule-quality.md new file mode 100644 index 00000000..566528a9 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/author-yara-x-rules/references/yara-x-rule-quality.md @@ -0,0 +1,15 @@ +# YARA-X Rule Quality + +Require: + +- current YARA-X syntax and exact tested version; +- a narrow detection objective; +- provenance for every decisive feature; +- at least one positive and meaningful benign negative fixture; +- format/size guards where relevant; +- expected undefined-module behavior; +- regression results and known limits. + +Treat packed, encrypted, truncated, universal, nested, and script/document variants as separate coverage questions. A rule matching one sample does not establish family coverage. + +Use the current [YARA-X documentation](https://virustotal.github.io/yara-x/docs/) and migration guidance. Original YARA compatibility is high but not absolute. diff --git a/plugins/cybersecurity-skills/skills/check-artifact-reputation/SKILL.md b/plugins/cybersecurity-skills/skills/check-artifact-reputation/SKILL.md new file mode 100644 index 00000000..f4b2f7ef --- /dev/null +++ b/plugins/cybersecurity-skills/skills/check-artifact-reputation/SKILL.md @@ -0,0 +1,39 @@ +--- +name: check-artifact-reputation +description: Check local and external reputation for a suspicious artifact, signer, hash, URL, domain, certificate, package, or vendor. Use when provenance and threat-intelligence context could inform triage, while sample-upload privacy, stale intelligence, hash-only misses, false positives, and reputation-versus-behavior limits must remain explicit. +--- + +# Check Artifact Reputation + +## Overview + +Gather provenance and intelligence without treating popularity, valid signing, a clean lookup, or a vendor label as a safety verdict. Prefer local identity and vendor sources before sending data to third parties. + +Read [references/reputation-evidence.md](references/reputation-evidence.md) for source ordering and interpretation. + +## Workflow + +1. Fix identity. + - Record artifact hashes, signer/certificate, exact version, source URL, domain, resolved destinations, and acquisition time. + +2. Check local evidence. + - Inspect quarantine/provenance, signature/notarization, known installation records, local security detections, and expected vendor distribution paths. + +3. Check authoritative sources. + - Prefer vendor advisories, release checksums/signatures, certificate status, official repositories, and current platform security sources. + - Date each lookup. + +4. Decide whether external intelligence is appropriate. + - Explain whether the service receives only a hash/domain or may upload/retain the artifact. + - Obtain explicit approval before sending private artifacts, URLs, customer data, or unknown binaries. + +5. Correlate results. + - Record detection names, engines/sources, first/last seen, submission context, prevalence, relations, and conflicting classifications. + - Distinguish “not present” from “known benign.” + +6. Feed behavior analysis. + - Use reputation to prioritize static/dynamic checks, not replace them. + +## Output + +Return identity, sources/date, privacy decision, reputation observations, conflicts, interpretation limits, confidence effect, and next behavioral check. diff --git a/plugins/cybersecurity-skills/skills/check-artifact-reputation/agents/openai.yaml b/plugins/cybersecurity-skills/skills/check-artifact-reputation/agents/openai.yaml new file mode 100644 index 00000000..9560b3b4 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/check-artifact-reputation/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Check Artifact Reputation" + short_description: "Check provenance and reputation with privacy controls" + default_prompt: "Use $check-artifact-reputation to check this artifact without treating reputation as a verdict." diff --git a/plugins/cybersecurity-skills/skills/check-artifact-reputation/references/reputation-evidence.md b/plugins/cybersecurity-skills/skills/check-artifact-reputation/references/reputation-evidence.md new file mode 100644 index 00000000..e34a02c8 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/check-artifact-reputation/references/reputation-evidence.md @@ -0,0 +1,19 @@ +# Reputation Evidence + +Prefer sources in this order when applicable: + +1. original vendor release channel, checksums, signatures, and advisories; +2. platform identity and security evidence; +3. current certificate/domain registration and infrastructure facts; +4. public vulnerability or malware intelligence tied to exact identifiers; +5. multi-engine reputation services after privacy review; +6. community discussion as a lead requiring independent confirmation. + +Interpret carefully: + +- valid signature: identity/integrity evidence, not benign behavior; +- notarized: no known issue at notarization time, not a permanent safety guarantee; +- zero detections: absence of matching intelligence, not proof of safety; +- one generic detection: weak evidence until behavior or additional sources corroborate it; +- many consistent detections: strong prioritization evidence, still record artifact identity and behavior; +- hash miss: expected for new, rebuilt, packed, or modified artifacts. diff --git a/plugins/cybersecurity-skills/skills/map-malware-behavior/SKILL.md b/plugins/cybersecurity-skills/skills/map-malware-behavior/SKILL.md new file mode 100644 index 00000000..d34d7b85 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/map-malware-behavior/SKILL.md @@ -0,0 +1,32 @@ +--- +name: map-malware-behavior +description: Map observed or strongly evidenced malicious behavior to current MITRE ATT&CK techniques and platform context. Use when static or dynamic analysis, endpoint telemetry, incident evidence, or a malware report needs a behavior map for detection, response, comparison, or communication without inferring an actor, campaign, family, or complete attack chain from labels alone. +--- + +# Map Malware Behavior + +## Overview + +Translate evidence into current ATT&CK technique references while keeping the original observation primary. Map only behaviors supported by evidence and preserve platform/version context. + +Read [references/behavior-mapping.md](references/behavior-mapping.md) for evidence and mapping fields. + +## Workflow + +1. Normalize observations. + - Record actor/process, action, object, time, environment, privilege, source, and confidence. +2. Open current ATT&CK content. + - Select the relevant Enterprise, Mobile, ICS, cloud, container, or platform matrix and record the version/date checked. +3. Match behavior, not keywords. + - Read the technique definition and platform applicability. + - Choose the most specific supported sub-technique; preserve multiple plausible mappings as alternatives when evidence is incomplete. +4. Record mapping evidence. + - Link each technique to the exact observation and explain why it fits and where it does not. +5. Avoid attribution inflation. + - Do not infer actor, malware family, campaign, intent, or sequence solely because ATT&CK pages list similar procedure examples. +6. Use the map. + - Route to containment, hunting, or detection content and name telemetry gaps. + +## Output + +Return an evidence-to-technique table, platform and ATT&CK version/date, confidence, alternative mappings, telemetry gaps, and defensive use. diff --git a/plugins/cybersecurity-skills/skills/map-malware-behavior/agents/openai.yaml b/plugins/cybersecurity-skills/skills/map-malware-behavior/agents/openai.yaml new file mode 100644 index 00000000..56b29275 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/map-malware-behavior/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Map Malware Behavior" + short_description: "Map observed behavior to ATT&CK without overclaiming" + default_prompt: "Use $map-malware-behavior to map these observations to current ATT&CK techniques." diff --git a/plugins/cybersecurity-skills/skills/map-malware-behavior/references/behavior-mapping.md b/plugins/cybersecurity-skills/skills/map-malware-behavior/references/behavior-mapping.md new file mode 100644 index 00000000..3bdf5467 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/map-malware-behavior/references/behavior-mapping.md @@ -0,0 +1,14 @@ +# Behavior Mapping Record + +| Field | Content | +| --- | --- | +| Observation | Exact process/action/object or other evidence | +| Evidence source | Log, trace, static feature, dynamic observation, or report | +| Environment | Platform, build/version, privilege, and time | +| ATT&CK mapping | Technique/sub-technique ID and title | +| Fit | Why the definition matches | +| Limits | Missing behavior, alternative explanation, or unsupported phase | +| Confidence | High, medium, or low with reason | +| Defensive use | Containment, hunt query, telemetry, or detection idea | + +Use current ATT&CK pages, such as the [macOS matrix](https://attack.mitre.org/matrices/enterprise/macos/), and record the date checked because technique content changes. diff --git a/plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/SKILL.md b/plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/SKILL.md new file mode 100644 index 00000000..63e3438e --- /dev/null +++ b/plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/SKILL.md @@ -0,0 +1,34 @@ +--- +name: perform-dynamic-malware-analysis +description: Observe suspicious content in a disposable, instrumented environment. Use when execution, process ancestry, file changes, persistence, network behavior, configuration decryption, child payloads, environment gates, or user interaction must be measured after static analysis and an isolation boundary, authorization, baseline, stop conditions, evidence export, and teardown plan are explicit. +--- + +# Perform Dynamic Malware Analysis + +## Overview + +Execute only inside an environment chosen by `select-analysis-isolation`, with an observation plan that can distinguish artifact behavior from baseline noise. Preserve the exact sample and environment identity. + +Read [references/dynamic-observation-plan.md](references/dynamic-observation-plan.md) for baseline, stimulus, telemetry, and teardown fields. + +## Workflow + +1. Define the unresolved question and minimum stimulus. +2. Verify isolation. + - Record guest/platform build, snapshot, accounts, shares, clipboard, devices, credentials, network mode, monitoring, and export path. +3. Capture a baseline. + - Record processes, files/registrations, persistence surfaces, network state, services, and relevant logs before execution. +4. Execute one controlled step. + - Record command/UI action, time, user/privilege, environment variables, arguments, and interactions. + - Do not improvise additional payloads, credentials, or targets. +5. Observe behavior. + - Correlate process tree, file/registry or platform state, persistence, permissions, child artifacts, network/DNS, logs, prompts, crashes, and timing. + - Hash and preserve dropped/modified artifacts as new evidence. +6. Repeat only to answer a named question. + - Change one variable at a time and revert to the baseline snapshot. +7. Export and tear down. + - Export only intended evidence, scan it before host use, destroy/revert the environment, and revoke temporary access. + +## Output + +Return environment/baseline identity, stimulus, observed timeline, artifacts and indicators, absent expected behavior, evasion/coverage limits, conclusion, and teardown verification. diff --git a/plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/agents/openai.yaml b/plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/agents/openai.yaml new file mode 100644 index 00000000..e38cf5af --- /dev/null +++ b/plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Perform Dynamic Malware Analysis" + short_description: "Observe suspicious behavior in disposable isolation" + default_prompt: "Use $perform-dynamic-malware-analysis to observe this sample in a controlled disposable environment." diff --git a/plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/references/dynamic-observation-plan.md b/plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/references/dynamic-observation-plan.md new file mode 100644 index 00000000..4ffe716b --- /dev/null +++ b/plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/references/dynamic-observation-plan.md @@ -0,0 +1,34 @@ +# Dynamic Observation Plan + +```markdown +## Question +- Behavior to confirm or refute: + +## Environment +- Host/guest platform and build: +- Snapshot/base image: +- Accounts and privileges: +- Shares/clipboard/devices/secrets: +- Network mode and allowed destinations: + +## Baseline +- Process, filesystem, persistence, network, and log state: + +## Stimulus +- Exact command/action and time: +- User interaction supplied: + +## Telemetry +- Process ancestry: +- File/config/persistence changes: +- DNS/network: +- Prompts, logs, crashes: + +## Stop Conditions +- ... + +## Export And Teardown +- Evidence exported: +- Environment reverted/destroyed: +- Temporary access revoked: +``` diff --git a/plugins/cybersecurity-skills/skills/perform-static-malware-analysis/SKILL.md b/plugins/cybersecurity-skills/skills/perform-static-malware-analysis/SKILL.md new file mode 100644 index 00000000..68071208 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/perform-static-malware-analysis/SKILL.md @@ -0,0 +1,33 @@ +--- +name: perform-static-malware-analysis +description: Analyze a suspicious artifact for capabilities without executing it. Use for binaries, apps, packages, archives, scripts, libraries, extensions, firmware, or embedded payloads when metadata, signatures, imports, strings, resources, configuration, rules, obfuscation, and likely behavior must be inspected and deep binary work may hand off to reverse-engineering-skills. +--- + +# Perform Static Malware Analysis + +## Overview + +Build a capability hypothesis from preserved bytes and structure. Keep every source-level or behavioral claim bounded by what static evidence can actually prove. + +Read [references/static-analysis-layers.md](references/static-analysis-layers.md) for layered checks and escalation criteria. + +## Workflow + +1. Establish artifact identity and working copy. +2. Inspect outer structure. + - Identify formats, architectures, bundles, packages, sections, members, overlays, embedded resources, signatures, timestamps, and declared permissions. +3. Extract low-risk indicators. + - Collect imports/exports, linked libraries, symbols, strings, URLs/domains, paths, commands, mutex/service names, configuration, certificates, and persistence references. +4. Inspect code and content shape. + - Identify interpreters, entry points, packers/obfuscation, encrypted blobs, staged payloads, anti-analysis checks, and unusual executable mappings. + - Use YARA-X or other local rules as evidence with rule/version recorded. +5. Form capability hypotheses. + - Map evidence to possible execution, persistence, discovery, credential, collection, command-and-control, exfiltration, or defense-evasion behavior. + - Separate present code from reachable behavior and capability from observed execution. +6. Escalate deliberately. + - Use `reverse-engineering-skills` for control flow, decompilation, protocol/config recovery, or exact binary comparisons. + - Use dynamic analysis only after isolation selection and a clear observation plan. + +## Output + +Return identity, structure, indicators, likely capabilities, contradictory evidence, obfuscation/coverage limits, confidence, and the smallest next analysis step. diff --git a/plugins/cybersecurity-skills/skills/perform-static-malware-analysis/agents/openai.yaml b/plugins/cybersecurity-skills/skills/perform-static-malware-analysis/agents/openai.yaml new file mode 100644 index 00000000..0c0ec9a2 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/perform-static-malware-analysis/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Perform Static Malware Analysis" + short_description: "Inspect suspicious capabilities without execution" + default_prompt: "Use $perform-static-malware-analysis to inspect this artifact without running it." diff --git a/plugins/cybersecurity-skills/skills/perform-static-malware-analysis/references/static-analysis-layers.md b/plugins/cybersecurity-skills/skills/perform-static-malware-analysis/references/static-analysis-layers.md new file mode 100644 index 00000000..e0daf9d5 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/perform-static-malware-analysis/references/static-analysis-layers.md @@ -0,0 +1,11 @@ +# Static Analysis Layers + +1. Identity: hashes, size, type, architecture, version, source. +2. Container: archive/package/bundle members and metadata. +3. Trust metadata: signing, certificates, notarization, declared permissions. +4. Program shape: headers, sections, entry points, imports/exports, symbols. +5. Content: strings, resources, embedded files, configuration, URLs, commands. +6. Rules: YARA-X or format-aware rules with exact rule revision. +7. Code: decompiler/disassembler evidence routed to Reverse Engineering Skills. + +Escalate when static evidence cannot resolve reachability, decrypted configuration, environment gates, runtime downloads, injected behavior, persistence success, or network protocol behavior. diff --git a/plugins/cybersecurity-skills/skills/triage-suspicious-content/SKILL.md b/plugins/cybersecurity-skills/skills/triage-suspicious-content/SKILL.md new file mode 100644 index 00000000..888693a5 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/triage-suspicious-content/SKILL.md @@ -0,0 +1,38 @@ +--- +name: triage-suspicious-content +description: Safely classify suspicious files, archives, installers, packages, scripts, documents, configuration profiles, browser extensions, URLs, QR codes, messages, and nested payloads before execution. Use when someone receives or discovers sketchy content and needs to know what it is, what active behavior it may contain, and the smallest safe next analysis step. +--- + +# Triage Suspicious Content + +## Overview + +Identify the content and its active surfaces without opening, installing, importing, previewing, or following it through a handler that may execute code. Preserve the original and route the smallest useful next check. + +Read [references/content-preflight.md](references/content-preflight.md) for format-specific active-content clues. + +## Workflow + +1. Preserve intake context. + - Record sender/source, delivery channel, claimed purpose, filenames, timestamps, quarantine metadata, URLs as text, and why it looked suspicious. + - Hash files and work from a copy. + +2. Identify containers before content. + - Determine file type from bytes and structure, not extension alone. + - List archive/package members without broad extraction and note traversal paths, symlinks, nested archives, password protection, or misleading double extensions. + +3. Inventory active surfaces. + - Look for executables, scripts, macros, embedded files, links, forms, JavaScript, launch/install metadata, configuration payloads, extension permissions, shortened/redirecting URLs, and QR destinations. + - Treat preview generators and importers as parsers that may be vulnerable. + +4. Check local provenance. + - Record signatures, signer identity, notarization/quarantine evidence, package receipts/metadata, document producer, URL host and certificate context, and expected vendor distribution channel. + - Do not infer trust from any one field. + +5. Route without execution. + - Use reputation checking for hash/domain/vendor context, script/document analysis for active text, static malware analysis for capabilities, and reverse engineering for binary internals. + - Select isolation before any dynamic behavior. + +## Output + +Return intake identity, actual type/container, active surfaces, provenance observations, suspicious and benign explanations, confidence, and the first safe next workflow. diff --git a/plugins/cybersecurity-skills/skills/triage-suspicious-content/agents/openai.yaml b/plugins/cybersecurity-skills/skills/triage-suspicious-content/agents/openai.yaml new file mode 100644 index 00000000..c6582864 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/triage-suspicious-content/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Triage Suspicious Content" + short_description: "Classify sketchy content without activating it" + default_prompt: "Use $triage-suspicious-content to identify this suspicious content and choose a safe next step." diff --git a/plugins/cybersecurity-skills/skills/triage-suspicious-content/references/content-preflight.md b/plugins/cybersecurity-skills/skills/triage-suspicious-content/references/content-preflight.md new file mode 100644 index 00000000..e226ea6b --- /dev/null +++ b/plugins/cybersecurity-skills/skills/triage-suspicious-content/references/content-preflight.md @@ -0,0 +1,12 @@ +# Suspicious Content Preflight + +| Content | Inspect without activation | Common active surface | +| --- | --- | --- | +| Archive/package | Member list, paths, types, signatures, metadata | Nested executables, scripts, symlinks, traversal, installer actions | +| macOS app/pkg/dmg | Bundle/package metadata, signing, notarization, quarantine, mounted layout | Executables, installer scripts, launch services, privileged helpers | +| Script/text | Encoding, interpreter, imports, URLs, commands, heredocs | Download/execute, persistence, credential/file access | +| Office/PDF/document | Container members, relationships, objects, forms, links, metadata | Macros, JavaScript, embedded files, templates, external links | +| Profile/extension | Declared payloads/permissions, signer, distribution source | Network interception, certificates, management, browsing/data access | +| URL/QR/message | Literal destination, sender context, redirects only through approved tooling | Credential capture, drive-by content, deep links, social engineering | + +Avoid Finder Quick Look, Office Protected View assumptions, browser navigation, package installation, and OS handler invocation until the parser/execution risk is understood. From 1a609f328b3019c60d4f37b6a199d39a1d67ac51 Mon Sep 17 00:00:00 2001 From: Gale W Date: Tue, 14 Jul 2026 15:05:39 -0400 Subject: [PATCH 4/7] security: add macos defense workflows --- .../skills/assess-macos-threat/SKILL.md | 33 +++++++++++++++++ .../assess-macos-threat/agents/openai.yaml | 4 +++ .../references/macos-security-layers.md | 15 ++++++++ .../skills/contain-and-recover-macos/SKILL.md | 36 +++++++++++++++++++ .../agents/openai.yaml | 4 +++ .../references/macos-response-ladder.md | 10 ++++++ .../skills/harden-macos/SKILL.md | 35 ++++++++++++++++++ .../skills/harden-macos/agents/openai.yaml | 4 +++ .../references/macos-hardening-review.md | 14 ++++++++ .../skills/inspect-macos-persistence/SKILL.md | 33 +++++++++++++++++ .../agents/openai.yaml | 4 +++ .../references/macos-persistence-surfaces.md | 14 ++++++++ .../inspect-macos-runtime-activity/SKILL.md | 33 +++++++++++++++++ .../agents/openai.yaml | 4 +++ .../references/macos-runtime-evidence.md | 12 +++++++ .../skills/use-objective-see-tools/SKILL.md | 36 +++++++++++++++++++ .../agents/openai.yaml | 4 +++ .../references/objective-see-routing.md | 13 +++++++ 18 files changed, 308 insertions(+) create mode 100644 plugins/cybersecurity-skills/skills/assess-macos-threat/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/assess-macos-threat/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/assess-macos-threat/references/macos-security-layers.md create mode 100644 plugins/cybersecurity-skills/skills/contain-and-recover-macos/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/contain-and-recover-macos/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/contain-and-recover-macos/references/macos-response-ladder.md create mode 100644 plugins/cybersecurity-skills/skills/harden-macos/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/harden-macos/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/harden-macos/references/macos-hardening-review.md create mode 100644 plugins/cybersecurity-skills/skills/inspect-macos-persistence/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/inspect-macos-persistence/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/inspect-macos-persistence/references/macos-persistence-surfaces.md create mode 100644 plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/references/macos-runtime-evidence.md create mode 100644 plugins/cybersecurity-skills/skills/use-objective-see-tools/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/use-objective-see-tools/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/use-objective-see-tools/references/objective-see-routing.md diff --git a/plugins/cybersecurity-skills/skills/assess-macos-threat/SKILL.md b/plugins/cybersecurity-skills/skills/assess-macos-threat/SKILL.md new file mode 100644 index 00000000..d2cd046d --- /dev/null +++ b/plugins/cybersecurity-skills/skills/assess-macos-threat/SKILL.md @@ -0,0 +1,33 @@ +--- +name: assess-macos-threat +description: Assess a suspected macOS security threat using exact host, artifact, and platform evidence. Use for suspicious apps, packages, processes, prompts, downloads, profiles, extensions, XProtect or Gatekeeper alerts, account behavior, persistence, privacy access, or unexpected network activity when signing, notarization, quarantine, TCC, SIP, and observed behavior must remain distinct. +--- + +# Assess macOS Threat + +## Overview + +Establish the affected Mac and event timeline before changing the system. Use Apple security layers as separate evidence sources and route focused persistence, runtime, artifact, or containment work from the resulting record. + +Read [references/macos-security-layers.md](references/macos-security-layers.md) when interpreting platform controls or alerts. + +## Workflow + +1. Identify the Mac and event. + - Record model/chip, exact macOS build, update state, user/session, time/timezone, managed-device context, and what the person observed. +2. Preserve the triggering evidence. + - Record alert text/screenshots, file path/source/hash, quarantine metadata, process identity, prompts, downloads, and relevant logs before cleanup. +3. Inspect artifact identity. + - Record real type, bundle/package metadata, signer, Team ID, signature verification, notarization assessment, entitlements, modifications, and source channel. + - Route binary internals to Reverse Engineering Skills. +4. Inspect platform evidence. + - Check Gatekeeper/quarantine context, XProtect detections or remediation evidence, TCC/privacy grants, profiles, login/background items, system extensions, and relevant system policy without disabling protections. +5. Correlate behavior. + - Route process/file/network evidence to runtime inspection and startup/registration clues to persistence inspection. + - Separate a blocked attempt from successful execution and successful execution from compromise. +6. Assess and advise. + - State classification/confidence, immediate isolation needs, evidence gaps, and the smallest next workflow. + +## Output + +Return host/event identity, platform-layer evidence, artifact identity, observed behavior, assessment/confidence, immediate advice, and focused next checks. diff --git a/plugins/cybersecurity-skills/skills/assess-macos-threat/agents/openai.yaml b/plugins/cybersecurity-skills/skills/assess-macos-threat/agents/openai.yaml new file mode 100644 index 00000000..6ec797f3 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/assess-macos-threat/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Assess macOS Threat" + short_description: "Assess Mac threats across distinct security layers" + default_prompt: "Use $assess-macos-threat to assess this Mac concern without weakening platform protections." diff --git a/plugins/cybersecurity-skills/skills/assess-macos-threat/references/macos-security-layers.md b/plugins/cybersecurity-skills/skills/assess-macos-threat/references/macos-security-layers.md new file mode 100644 index 00000000..2706f5e4 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/assess-macos-threat/references/macos-security-layers.md @@ -0,0 +1,15 @@ +# macOS Security Layers + +Keep these meanings distinct: + +- quarantine/provenance: records downloaded-content origin and first-open context; +- Gatekeeper: evaluates whether downloaded software may launch under current policy; +- notarization: Apple scanned a submitted artifact for known malicious content at submission time; +- XProtect: detects, blocks, and may remediate known or behaviorally suspicious malware; +- code signing: binds identity/integrity and declared entitlements, not benign intent; +- TCC: user/admin-mediated access to protected data and capabilities; +- App Sandbox and containers: constrain participating apps and protect app data; +- SIP and mandatory controls: protect system and data surfaces beyond ordinary root access; +- Endpoint Security: telemetry/control API whose evidence depends on client entitlement and permissions. + +Use current [Apple Platform Security malware guidance](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web). Record exact OS build because enforcement and available events change. diff --git a/plugins/cybersecurity-skills/skills/contain-and-recover-macos/SKILL.md b/plugins/cybersecurity-skills/skills/contain-and-recover-macos/SKILL.md new file mode 100644 index 00000000..e6bc7a66 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/contain-and-recover-macos/SKILL.md @@ -0,0 +1,36 @@ +--- +name: contain-and-recover-macos +description: Contain a suspected or confirmed macOS threat and verify recovery. Use when a Mac may need network isolation, process or service containment, account and credential response, persistence removal, artifact quarantine, backup/restore, erase/reinstall, monitoring, or return-to-service decisions while evidence loss, user impact, and platform protections remain explicit. +--- + +# Contain And Recover macOS + +## Overview + +Choose actions proportionate to evidence and ongoing harm. Preserve what matters, use official lifecycle controls, and verify the system after eradication rather than declaring it clean because one artifact disappeared. + +Read [references/macos-response-ladder.md](references/macos-response-ladder.md) for containment and recovery levels. + +## Workflow + +1. Confirm assessment, confidence, affected scope, ongoing behavior, critical data, and evidence needs. +2. Choose immediate containment. + - Prefer reversible network/account/session isolation when it stops harm. + - Record the effect on volatile evidence and business/user access. +3. Preserve decisive evidence. + - Capture artifact, persistence, process/network/log, account, and timeline records before removal when delay is safe. +4. Stop active behavior through official controls. + - End processes/services deliberately; use `launchctl bootout` for approved launch service removal from a domain, app-provided uninstallers for app components, and supported profile/extension management surfaces. + - Never edit launchd's internal state directly. +5. Eradicate the verified mechanism. + - Remove or quarantine confirmed artifacts, registrations, extensions, profiles, helpers, rules, and downloaded stages; preserve hashes and paths. +6. Respond to identity exposure. + - Rotate affected credentials/tokens from a trusted device, revoke sessions/keys, review MFA and recovery methods, and notify owners/providers as warranted. +7. Recover. + - Restore from a known-good point, reinstall/erase when integrity cannot be established, apply updates, reconfigure only needed access, and avoid restoring suspect persistence. +8. Verify and monitor. + - Recheck persistence, runtime/network, accounts, security updates, backups, and recurrence across a defined observation window. + +## Output + +Return containment/impact, evidence preserved, eradication actions, credential response, recovery basis, verification results, residual uncertainty, and return-to-service decision. diff --git a/plugins/cybersecurity-skills/skills/contain-and-recover-macos/agents/openai.yaml b/plugins/cybersecurity-skills/skills/contain-and-recover-macos/agents/openai.yaml new file mode 100644 index 00000000..14bddf4c --- /dev/null +++ b/plugins/cybersecurity-skills/skills/contain-and-recover-macos/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Contain And Recover macOS" + short_description: "Contain Mac threats and verify trustworthy recovery" + default_prompt: "Use $contain-and-recover-macos to choose proportionate containment and verify recovery." diff --git a/plugins/cybersecurity-skills/skills/contain-and-recover-macos/references/macos-response-ladder.md b/plugins/cybersecurity-skills/skills/contain-and-recover-macos/references/macos-response-ladder.md new file mode 100644 index 00000000..0266558a --- /dev/null +++ b/plugins/cybersecurity-skills/skills/contain-and-recover-macos/references/macos-response-ladder.md @@ -0,0 +1,10 @@ +# macOS Response Ladder + +1. Observe: preserve evidence; no system change. +2. Restrict: disconnect selected networks, revoke sessions, disable a user-visible integration, or pause one process. +3. Contain: isolate the host/account, boot out an approved service, block a validated destination, or quarantine a confirmed artifact. +4. Eradicate: remove verified persistence/components and affected credentials through supported lifecycle paths. +5. Recover: restore/reinstall, patch, reconfigure, and return data from a known-good basis. +6. Rebuild/erase: use when privileged compromise, unknown persistence, tampered protections, or missing evidence prevents trustworthy recovery. + +Choose the lowest level that stops ongoing harm and supports a verifiable recovery. Escalate when evidence shows broader access or the chosen step cannot be verified. diff --git a/plugins/cybersecurity-skills/skills/harden-macos/SKILL.md b/plugins/cybersecurity-skills/skills/harden-macos/SKILL.md new file mode 100644 index 00000000..148fd7c2 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/harden-macos/SKILL.md @@ -0,0 +1,35 @@ +--- +name: harden-macos +description: Review and improve macOS defensive posture after a threat assessment, incident, or general security request. Use for updates, XProtect/Gatekeeper posture, FileVault, firewall and sharing, remote access, accounts, login/background items, profiles/extensions, browser safety, privacy permissions, backups, credential habits, and monitoring while preserving usability and managed-device policy. +--- + +# Harden macOS + +## Overview + +Strengthen the actual exposure found on the Mac and verify each change. Preserve built-in protections, user access, recoverability, and organization management requirements. + +Read [references/macos-hardening-review.md](references/macos-hardening-review.md) for a risk-ordered review. + +## Workflow + +1. Establish context. + - Record exact macOS build/hardware, device ownership/management, users, role, exposed services, sensitive data, backups, and the threat being reduced. +2. Apply supported updates. + - Verify OS, rapid/security data updates, browsers, extensions, apps, and package managers from authoritative channels. +3. Preserve platform protections. + - Verify Gatekeeper/XProtect automatic protection, SIP, TCC/privacy access, code-signing expectations, and sandbox/container use where applicable. +4. Protect data and recovery. + - Review FileVault/recovery ownership, screen lock, backup availability and restore testing, account separation, and secure disposal/export practices. +5. Reduce exposed services and persistence. + - Review sharing, remote login/management, firewall policy, listeners, login/background items, profiles, system/network/browser extensions, and privileged helpers. +6. Improve identity/browser behavior. + - Review MFA, password manager use, recovery methods, session/token hygiene, download sources, extensions, phishing-resistant habits, and administrator use. +7. Add proportionate visibility. + - Define which alerts/logs or endpoint tooling are maintained, who reviews them, and how false positives are handled. +8. Verify and document. + - Re-read changed settings, test access/recovery, record exceptions and owner, and avoid claiming perfect prevention. + +## Output + +Return baseline, prioritized changes, applied/verified settings, deferred items and tradeoffs, recovery check, and residual risk. diff --git a/plugins/cybersecurity-skills/skills/harden-macos/agents/openai.yaml b/plugins/cybersecurity-skills/skills/harden-macos/agents/openai.yaml new file mode 100644 index 00000000..fdf5163c --- /dev/null +++ b/plugins/cybersecurity-skills/skills/harden-macos/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Harden macOS" + short_description: "Improve Mac defenses without sacrificing recovery" + default_prompt: "Use $harden-macos to prioritize and verify practical defenses for this Mac." diff --git a/plugins/cybersecurity-skills/skills/harden-macos/references/macos-hardening-review.md b/plugins/cybersecurity-skills/skills/harden-macos/references/macos-hardening-review.md new file mode 100644 index 00000000..6ae2ca3d --- /dev/null +++ b/plugins/cybersecurity-skills/skills/harden-macos/references/macos-hardening-review.md @@ -0,0 +1,14 @@ +# macOS Hardening Review + +Review in risk order: + +1. active compromise or exposed credentials; +2. supported OS and current security data updates; +3. FileVault, screen lock, backups, and recovery ownership; +4. administrator accounts, remote access, sharing, and listening services; +5. Gatekeeper/XProtect/SIP/TCC and security-tool health; +6. login/background items, profiles, helpers, and extensions; +7. browsers, downloads, password manager, MFA, and recovery methods; +8. monitoring, alert ownership, and periodic recheck. + +Use current Apple Platform Security and official support documentation for the exact OS. Do not prescribe disabling SIP, Gatekeeper, quarantine, XProtect, or automatic security updates as routine hardening. diff --git a/plugins/cybersecurity-skills/skills/inspect-macos-persistence/SKILL.md b/plugins/cybersecurity-skills/skills/inspect-macos-persistence/SKILL.md new file mode 100644 index 00000000..fdca7607 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/inspect-macos-persistence/SKILL.md @@ -0,0 +1,33 @@ +--- +name: inspect-macos-persistence +description: Inspect macOS persistence and recurring execution without deleting evidence. Use for suspicious login items, background items, launch agents or daemons, system or network extensions, configuration profiles, shell startup files, scheduled tasks, browser extensions, helper tools, app registrations, or startup behavior that may survive logout, reboot, or application exit. +--- + +# Inspect macOS Persistence + +## Overview + +Inventory registered and file-backed persistence, then correlate it with loaded runtime state and installation history. Read files and official service state; never manage launchd by editing its internal state. + +Read [references/macos-persistence-surfaces.md](references/macos-persistence-surfaces.md) for prioritized surfaces and evidence fields. + +## Workflow + +1. Record host/build, user domains, event timeline, and the suspected executable or label. +2. Inventory user-visible registrations. + - Review Login Items and background-item state, profiles, extensions, browser add-ons, and app-managed helpers. +3. Inventory launch services. + - Inspect user/system LaunchAgents and LaunchDaemons as files and query service state through `launchctl` read operations. + - Record label, domain, program/arguments, working directory, environment, sockets, keep-alive/start conditions, owner/permissions, signer, and loaded PID/status. +4. Inspect adjacent persistence. + - Review shell startup files, scheduled jobs, package receipts/scripts, privileged helpers, system/network extensions, authorization plugins, and current platform-specific surfaces justified by evidence. +5. Correlate provenance and runtime. + - Identify parent installer/app, creation/change time, signature/notarization, executable hash, running process ancestry, files, network, and logs. +6. Classify each item. + - Expected, suspicious, confirmed malicious, disabled/orphaned, or unresolved; explain evidence and impact. +7. Preserve before containment. + - Record files and service state before using official `launchctl bootout` or app/uninstaller paths in the containment workflow. + +## Output + +Return a persistence inventory, loaded-versus-file state, provenance, runtime correlation, classification/confidence, and safe containment handoff. diff --git a/plugins/cybersecurity-skills/skills/inspect-macos-persistence/agents/openai.yaml b/plugins/cybersecurity-skills/skills/inspect-macos-persistence/agents/openai.yaml new file mode 100644 index 00000000..23920688 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/inspect-macos-persistence/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Inspect macOS Persistence" + short_description: "Correlate Mac startup registrations and loaded state" + default_prompt: "Use $inspect-macos-persistence to inventory this Mac persistence without deleting evidence." diff --git a/plugins/cybersecurity-skills/skills/inspect-macos-persistence/references/macos-persistence-surfaces.md b/plugins/cybersecurity-skills/skills/inspect-macos-persistence/references/macos-persistence-surfaces.md new file mode 100644 index 00000000..064f806a --- /dev/null +++ b/plugins/cybersecurity-skills/skills/inspect-macos-persistence/references/macos-persistence-surfaces.md @@ -0,0 +1,14 @@ +# macOS Persistence Surfaces + +Prioritize evidence-driven checks: + +1. Login Items and background items visible to the user. +2. User, local, and system launch service domains and their plist files. +3. Configuration profiles and managed settings. +4. System extensions, network extensions, endpoint clients, and privileged helpers. +5. Browser extensions and native-messaging hosts. +6. Shell startup files and interpreter-specific startup hooks. +7. Package installer scripts/receipts and app-owned update helpers. +8. Scheduled jobs or legacy mechanisms only when the OS build and evidence justify them. + +For every item record label, domain/scope, executable and arguments, trigger, file ownership/mode, signer/hash, load state/PID, install source, timestamps, and related logs/network. A file's presence does not prove it loaded; a running process does not prove reboot persistence. diff --git a/plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/SKILL.md b/plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/SKILL.md new file mode 100644 index 00000000..5d97ae79 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/SKILL.md @@ -0,0 +1,33 @@ +--- +name: inspect-macos-runtime-activity +description: Correlate suspicious macOS process, file, network, permission, and log activity. Use for unexpected processes, child execution, downloads, open files, DNS/connections, privacy prompts, XProtect or Gatekeeper events, file mutations, injected or deleted executables, and Endpoint Security or eslogger evidence when exact permissions and telemetry gaps must remain visible. +--- + +# Inspect macOS Runtime Activity + +## Overview + +Build a time-correlated view of what ran, what changed, and what communicated. Prefer focused native observations and existing telemetry over installing a broad privileged monitor on an affected host. + +Read [references/macos-runtime-evidence.md](references/macos-runtime-evidence.md) for telemetry sources and permission boundaries. + +## Workflow + +1. Fix host/build, user/session, time window, process/artifact identity, and reported symptom. +2. Capture current process context. + - Record PID, executable path/hash/signature, user, parent/ancestry, arguments, environment when authorized, start time, code state, and deleted/replaced executable clues. +3. Correlate files and registrations. + - Record open files, working directory, mapped images, created/modified paths, quarantine/provenance, persistence registrations, and permission failures. +4. Correlate network behavior. + - Record process-to-socket mapping, local/remote endpoints, DNS, protocol clues, timing, and whether a connection completed. +5. Inspect focused logs/events. + - Query relevant unified logs and existing Endpoint Security/XProtect/Gatekeeper evidence for the narrow time window. + - Record Full Disk Access, root, Endpoint Security entitlement, or other permissions required and what absence hides. +6. Build a timeline. + - Separate user action, launch, child processes, file changes, prompts, network, persistence, detection, and termination. +7. Assess behavior and gaps. + - Route binary internals, dynamic reproduction, containment, or hunting as needed. + +## Output + +Return process identity/ancestry, file/network/log timeline, permissions and coverage, observed versus inferred behavior, confidence, and next action. diff --git a/plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/agents/openai.yaml b/plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/agents/openai.yaml new file mode 100644 index 00000000..0febc005 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Inspect macOS Runtime Activity" + short_description: "Correlate Mac process, file, network, and log evidence" + default_prompt: "Use $inspect-macos-runtime-activity to build a focused timeline of this suspicious Mac activity." diff --git a/plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/references/macos-runtime-evidence.md b/plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/references/macos-runtime-evidence.md new file mode 100644 index 00000000..be9909ea --- /dev/null +++ b/plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/references/macos-runtime-evidence.md @@ -0,0 +1,12 @@ +# macOS Runtime Evidence + +| Source | Useful evidence | Boundary | +| --- | --- | --- | +| `ps`, Activity Monitor, process inspection | identity, ancestry, arguments, user, runtime state | short-lived processes may disappear | +| `lsof`, filesystem metadata | open/mapped files and sockets | permission and timing dependent | +| `nettop`, packet/DNS tools | process traffic and endpoints | encrypted content and capture privileges limit visibility | +| unified logging | subsystem events and timelines | privacy redaction, retention, and predicates affect coverage | +| `eslogger` / Endpoint Security client | process, file, Gatekeeper bypass, XProtect events on supported builds | event type, entitlement, root/FDA, and client configuration matter | +| TCC/system settings | declared or granted privacy access | grant presence does not prove use | + +Record failed commands and missing permissions. Do not silently substitute missing telemetry with assumptions. diff --git a/plugins/cybersecurity-skills/skills/use-objective-see-tools/SKILL.md b/plugins/cybersecurity-skills/skills/use-objective-see-tools/SKILL.md new file mode 100644 index 00000000..a5643c5a --- /dev/null +++ b/plugins/cybersecurity-skills/skills/use-objective-see-tools/SKILL.md @@ -0,0 +1,36 @@ +--- +name: use-objective-see-tools +description: Use installed Objective-See macOS security tools as thin evidence adapters. Use for KnockKnock persistence inventory, BlockBlock persistence alerts, LuLu network decisions, ProcessMonitor or FileMonitor activity, WhatsYourSign signature inspection, TaskExplorer process review, or related Objective-See tools while exact version, permissions, user actions, tool limits, and owning investigation workflow remain explicit. +--- + +# Use Objective-See Tools + +## Overview + +Select the Objective-See tool that observes the needed surface, record its current capabilities, and return evidence to the owning macOS workflow. Do not treat one tool's label or UI color as a threat verdict. + +Read [references/objective-see-routing.md](references/objective-see-routing.md) and recheck the official tool page before use. + +## Workflow + +1. Name the unresolved observation: persistence, process, file, network, signing, or process inventory. +2. Discover local capability. + - Verify official source, installed app/path, version, supported macOS build, permissions/system extensions, running state, and export format. + - Do not install, approve extensions, or grant privacy access without an explicit operator decision. +3. Select one tool and bounded action. +4. Preserve context. + - Record scan time, filters, exclusions, baseline, UI/CLI actions, alerts, raw/exported output, and tool errors. +5. Correlate independently. + - Verify signer/path/hash, process ancestry, persistence registration, socket, or file change with native evidence where practical. +6. Route conclusions. + - Send evidence to persistence, runtime, threat assessment, or containment workflows. + +## Guardrails + +- Do not enable blocking rules or terminate/delete items during evidence collection unless containment is separately approved. +- Do not claim historical coverage when the tool was installed after the event. +- Do not assume every Objective-See tool exposes a stable CLI or accessible GUI automation surface. + +## Output + +Return tool/version/capability, permissions, action, observations/export, independent correlation, limitations, and owning workflow. diff --git a/plugins/cybersecurity-skills/skills/use-objective-see-tools/agents/openai.yaml b/plugins/cybersecurity-skills/skills/use-objective-see-tools/agents/openai.yaml new file mode 100644 index 00000000..aae7bfcb --- /dev/null +++ b/plugins/cybersecurity-skills/skills/use-objective-see-tools/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Use Objective-See Tools" + short_description: "Use Objective-See apps as focused evidence adapters" + default_prompt: "Use $use-objective-see-tools to choose a focused Objective-See tool for this Mac investigation." diff --git a/plugins/cybersecurity-skills/skills/use-objective-see-tools/references/objective-see-routing.md b/plugins/cybersecurity-skills/skills/use-objective-see-tools/references/objective-see-routing.md new file mode 100644 index 00000000..2acea68e --- /dev/null +++ b/plugins/cybersecurity-skills/skills/use-objective-see-tools/references/objective-see-routing.md @@ -0,0 +1,13 @@ +# Objective-See Routing + +| Need | Candidate tool | Evidence use | +| --- | --- | --- | +| Enumerate persistence | KnockKnock | Candidate startup items for provenance/runtime correlation | +| Observe new persistence | BlockBlock | Alert-time registration evidence; blocking is containment | +| Observe/control outbound network | LuLu | Process/destination decisions; rules change connectivity | +| Process events | ProcessMonitor | Execution timeline and ancestry context | +| File events | FileMonitor | Scoped file mutation evidence | +| Signature identity | WhatsYourSign | Signing metadata for independent interpretation | +| Rich process inspection | TaskExplorer | Process, libraries, files, connections, and signature context | + +Tool inventory and requirements change. Recheck [Objective-See tools](https://objective-see.org/tools.html), local Help, exact version, and macOS support before relying on a workflow. From 5e7affff307eff1d2609a9959c5f70f9583e3f55 Mon Sep 17 00:00:00 2001 From: Gale W Date: Tue, 14 Jul 2026 15:08:08 -0400 Subject: [PATCH 5/7] security: add vulnerability testing workflows --- .../assess-exposure-and-impact/SKILL.md | 32 +++++++++++++++++ .../agents/openai.yaml | 4 +++ .../references/exposure-impact-model.md | 17 +++++++++ .../report-security-assessment/SKILL.md | 35 ++++++++++++++++++ .../agents/openai.yaml | 4 +++ .../references/security-report-shape.md | 26 ++++++++++++++ .../scope-authorized-security-test/SKILL.md | 35 ++++++++++++++++++ .../agents/openai.yaml | 4 +++ .../references/active-test-scope.md | 36 +++++++++++++++++++ .../skills/test-network-services/SKILL.md | 32 +++++++++++++++++ .../test-network-services/agents/openai.yaml | 4 +++ .../references/network-test-levels.md | 10 ++++++ .../skills/test-web-and-api-security/SKILL.md | 32 +++++++++++++++++ .../agents/openai.yaml | 4 +++ .../references/web-api-test-plan.md | 15 ++++++++ .../triage-vulnerability-report/SKILL.md | 34 ++++++++++++++++++ .../agents/openai.yaml | 4 +++ .../references/vulnerability-intake.md | 22 ++++++++++++ .../skills/validate-vulnerability/SKILL.md | 34 ++++++++++++++++++ .../validate-vulnerability/agents/openai.yaml | 4 +++ .../references/validation-evidence.md | 13 +++++++ 21 files changed, 401 insertions(+) create mode 100644 plugins/cybersecurity-skills/skills/assess-exposure-and-impact/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/assess-exposure-and-impact/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/assess-exposure-and-impact/references/exposure-impact-model.md create mode 100644 plugins/cybersecurity-skills/skills/report-security-assessment/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/report-security-assessment/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/report-security-assessment/references/security-report-shape.md create mode 100644 plugins/cybersecurity-skills/skills/scope-authorized-security-test/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/scope-authorized-security-test/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/scope-authorized-security-test/references/active-test-scope.md create mode 100644 plugins/cybersecurity-skills/skills/test-network-services/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/test-network-services/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/test-network-services/references/network-test-levels.md create mode 100644 plugins/cybersecurity-skills/skills/test-web-and-api-security/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/test-web-and-api-security/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/test-web-and-api-security/references/web-api-test-plan.md create mode 100644 plugins/cybersecurity-skills/skills/triage-vulnerability-report/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/triage-vulnerability-report/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/triage-vulnerability-report/references/vulnerability-intake.md create mode 100644 plugins/cybersecurity-skills/skills/validate-vulnerability/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/validate-vulnerability/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/validate-vulnerability/references/validation-evidence.md diff --git a/plugins/cybersecurity-skills/skills/assess-exposure-and-impact/SKILL.md b/plugins/cybersecurity-skills/skills/assess-exposure-and-impact/SKILL.md new file mode 100644 index 00000000..4fe5a51a --- /dev/null +++ b/plugins/cybersecurity-skills/skills/assess-exposure-and-impact/SKILL.md @@ -0,0 +1,32 @@ +--- +name: assess-exposure-and-impact +description: Prioritize a validated or plausible vulnerability using actual asset exposure and impact. Use when affected versions, deployment reachability, attacker prerequisites, privileges, sensitive data, exploit maturity, CISA KEV status, vendor guidance, mitigations, detection, business criticality, CVSS, and remediation urgency must be combined without relying on a severity score alone. +--- + +# Assess Exposure And Impact + +## Overview + +Translate a technical finding into asset-specific risk and action. Treat CVSS as one technical severity input and current exploitation intelligence as another; neither replaces deployed context. + +Read [references/exposure-impact-model.md](references/exposure-impact-model.md) for the decision factors. + +## Workflow + +1. Confirm finding confidence and exact affected/fixed versions. +2. Inventory affected assets. + - Record internet/internal/local reachability, environment, owner, business function, data, users, privileges, and compensating controls. +3. Model attacker requirements. + - Record access position, authentication, user interaction, configuration, chaining, reliability, and detection likelihood. +4. Check current intelligence. + - Review vendor advisory, fixed release, exploit maturity, CISA KEV/ransomware status, ecosystem advisories, and known active campaigns; date sources. +5. Evaluate consequence. + - Assess confidentiality, integrity, availability, privilege, blast radius, persistence, recovery difficulty, safety/legal/privacy obligations, and business interruption. +6. Evaluate mitigations. + - Test whether configuration, network controls, feature disablement, isolation, monitoring, or virtual patching actually blocks the validated path. +7. Prioritize action. + - Recommend patch, mitigate, isolate, monitor, accept temporarily with owner/expiry, or investigate further; include retest criteria. + +## Output + +Return affected assets, exposure path, impact, current exploitation context, mitigations, priority/rationale, action owner/deadline, and residual uncertainty. diff --git a/plugins/cybersecurity-skills/skills/assess-exposure-and-impact/agents/openai.yaml b/plugins/cybersecurity-skills/skills/assess-exposure-and-impact/agents/openai.yaml new file mode 100644 index 00000000..d48c9d79 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/assess-exposure-and-impact/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Assess Exposure And Impact" + short_description: "Prioritize vulnerabilities from real exposure and consequence" + default_prompt: "Use $assess-exposure-and-impact to prioritize this finding from actual deployed risk." diff --git a/plugins/cybersecurity-skills/skills/assess-exposure-and-impact/references/exposure-impact-model.md b/plugins/cybersecurity-skills/skills/assess-exposure-and-impact/references/exposure-impact-model.md new file mode 100644 index 00000000..84f3a78c --- /dev/null +++ b/plugins/cybersecurity-skills/skills/assess-exposure-and-impact/references/exposure-impact-model.md @@ -0,0 +1,17 @@ +# Exposure And Impact Model + +Evaluate together: + +- evidence confidence and exploit reliability; +- exact affected asset/version/configuration; +- reachable attack surface and authentication; +- attacker prerequisites and user interaction; +- privileges and security boundary crossed; +- data, service, user, and business consequence; +- blast radius and chaining potential; +- vendor fix/mitigation and operational cost; +- current exploitation evidence, including [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog); +- detection and recovery capability; +- CVSS vector/version, not score alone. + +Record the current [CVSS v4.0 specification](https://www.first.org/cvss/v4.0/specification-document) when calculating a vector. Keep business priority separate from the technical vector. diff --git a/plugins/cybersecurity-skills/skills/report-security-assessment/SKILL.md b/plugins/cybersecurity-skills/skills/report-security-assessment/SKILL.md new file mode 100644 index 00000000..d6a5059d --- /dev/null +++ b/plugins/cybersecurity-skills/skills/report-security-assessment/SKILL.md @@ -0,0 +1,35 @@ +--- +name: report-security-assessment +description: Write a reproducible security assessment or penetration-test report from validated evidence. Use when technical findings, negative results, scope, methodology, limitations, exposure, impact, confidence, remediation, retest criteria, evidence handling, and a plain-language executive explanation must be assembled without overstating scanner output or untested coverage. +--- + +# Report Security Assessment + +## Overview + +Produce a report that lets technical owners reproduce findings and non-specialists understand what matters. Preserve uncertainty, scope limits, and negative results that materially constrain conclusions. + +Read [references/security-report-shape.md](references/security-report-shape.md) for the required structure. + +## Workflow + +1. Fix report identity. + - Record title, client/project, assessment type, dates, version, authors, classification, and distribution. +2. State scope and authority. + - List included/excluded targets, environments, accounts/roles, techniques, time windows, constraints, and changes from the approved scope. +3. Summarize outcomes plainly. + - Explain what was found, affected assets, practical consequence, urgent actions, and material uncertainty without jargon or panic. +4. Describe methodology and coverage. + - Name standards/guidance, tools/versions, manual checks, evidence sources, assumptions, unavailable telemetry, and untested areas. +5. Write each finding. + - Include identity, status/confidence, affected assets, prerequisites, evidence/reproduction, impact, exposure, severity/vector if used, remediation, mitigation, and retest steps. + - Keep raw secrets and unnecessary personal data out of the report. +6. Record negative results and limitations. +7. Build a remediation plan. + - Group immediate containment, near-term fixes, structural hardening, owners, deadlines, and dependencies. +8. Verify the report. + - Cross-check evidence links, commands, screenshots, identifiers, redaction, scope, and status. + +## Output + +Return a self-contained report with executive summary, scope, methodology, findings, negative results, limitations, prioritized remediation, and retest plan. diff --git a/plugins/cybersecurity-skills/skills/report-security-assessment/agents/openai.yaml b/plugins/cybersecurity-skills/skills/report-security-assessment/agents/openai.yaml new file mode 100644 index 00000000..16d9b50c --- /dev/null +++ b/plugins/cybersecurity-skills/skills/report-security-assessment/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Report Security Assessment" + short_description: "Write reproducible findings and clear remediation plans" + default_prompt: "Use $report-security-assessment to turn this validated evidence into a clear security report." diff --git a/plugins/cybersecurity-skills/skills/report-security-assessment/references/security-report-shape.md b/plugins/cybersecurity-skills/skills/report-security-assessment/references/security-report-shape.md new file mode 100644 index 00000000..f9535d83 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/report-security-assessment/references/security-report-shape.md @@ -0,0 +1,26 @@ +# Security Assessment Report Shape + +```markdown +# Assessment Title + +## Executive Summary +## Scope And Authorization +## Methodology And Coverage +## Findings Summary +## Detailed Findings +### Finding: Title +- Status/confidence: +- Affected assets: +- Preconditions and exposure: +- Evidence/reproduction: +- Impact: +- Severity/vector and rationale: +- Remediation/mitigation: +- Retest: +## Negative Results +## Limitations And Uncertainty +## Prioritized Remediation Plan +## Evidence Appendix +``` + +Use exact evidence references and redact secrets. “No finding” means no issue was demonstrated under recorded coverage, not that the surface is secure. diff --git a/plugins/cybersecurity-skills/skills/scope-authorized-security-test/SKILL.md b/plugins/cybersecurity-skills/skills/scope-authorized-security-test/SKILL.md new file mode 100644 index 00000000..7161137b --- /dev/null +++ b/plugins/cybersecurity-skills/skills/scope-authorized-security-test/SKILL.md @@ -0,0 +1,35 @@ +--- +name: scope-authorized-security-test +description: Define and verify authorization, targets, rules of engagement, data handling, safety controls, and stop conditions before active security testing. Use for penetration tests, vulnerability scans, exploit validation, web/API tests, network probing, red-team-like exercises, bug bounty work, or agent-driven testing where ownership and allowed techniques must be explicit. +--- + +# Scope Authorized Security Test + +## Overview + +Turn permission into an executable scope record before sending active traffic or running a proof of concept. Authorization must identify the owner and boundaries; access to a target or a public address is not permission. + +Read [references/active-test-scope.md](references/active-test-scope.md) and complete every applicable field. + +## Workflow + +1. Identify authority. + - Record target owner, authorizing person/record, tester, contacts, dates, jurisdiction or program policy, and evidence of permission. +2. Resolve targets precisely. + - List domains, hosts, addresses/ranges, applications, APIs, repositories, accounts, environments, and third-party dependencies. + - List exclusions explicitly and define how dynamic/cloud/CDN targets are resolved. +3. Define allowed techniques. + - Separate passive review, discovery, authenticated testing, automated scanning, fuzzing, exploit validation, social/physical testing, persistence, credential access, data access, and denial-of-service. + - Default unlisted techniques to disallowed. +4. Set operational controls. + - Define source addresses, accounts, rate/concurrency, time windows, test data, logging, notification, emergency stop, cleanup, and restoration. +5. Define data handling. + - Minimize accessed data; specify retention, encryption, screenshots/logs, secrets, evidence transfer, disclosure, and deletion. +6. Establish stop conditions. + - Stop on target drift, third-party impact, instability, sensitive data beyond minimum proof, unexpected privileges, scope ambiguity, or an unapproved technique. +7. Approve the test plan. + - Show exact targets and effects before tools run; update the scope record before expanding work. + +## Output + +Return authority, included/excluded targets, allowed/disallowed techniques, operational controls, data handling, stop/escalation contacts, and approval state. diff --git a/plugins/cybersecurity-skills/skills/scope-authorized-security-test/agents/openai.yaml b/plugins/cybersecurity-skills/skills/scope-authorized-security-test/agents/openai.yaml new file mode 100644 index 00000000..1976162a --- /dev/null +++ b/plugins/cybersecurity-skills/skills/scope-authorized-security-test/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Scope Authorized Security Test" + short_description: "Define targets, permission, techniques, and stop conditions" + default_prompt: "Use $scope-authorized-security-test to establish a complete authorized test scope." diff --git a/plugins/cybersecurity-skills/skills/scope-authorized-security-test/references/active-test-scope.md b/plugins/cybersecurity-skills/skills/scope-authorized-security-test/references/active-test-scope.md new file mode 100644 index 00000000..1548264a --- /dev/null +++ b/plugins/cybersecurity-skills/skills/scope-authorized-security-test/references/active-test-scope.md @@ -0,0 +1,36 @@ +# Active Security Test Scope + +```markdown +## Authority +- Owner and authorizer: +- Authorization record/program policy: +- Tester and contacts: +- Valid dates/timezone: + +## Targets +- Included: +- Excluded: +- Third-party/CDN/cloud boundary: +- Accounts/roles/environment: + +## Techniques +- Allowed: +- Disallowed: +- Proof/impact limit: + +## Operations +- Source addresses and tooling: +- Rate/concurrency/time windows: +- Monitoring and notification: +- Emergency stop and restoration: + +## Data +- Collection minimization: +- Secrets and sensitive-data handling: +- Retention, transfer, disclosure, deletion: + +## Stop Conditions +- ... +``` + +Use current program rules and the planning principles in [NIST SP 800-115](https://csrc.nist.gov/pubs/sp/800/115/final). diff --git a/plugins/cybersecurity-skills/skills/test-network-services/SKILL.md b/plugins/cybersecurity-skills/skills/test-network-services/SKILL.md new file mode 100644 index 00000000..e7e1f777 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/test-network-services/SKILL.md @@ -0,0 +1,32 @@ +--- +name: test-network-services +description: Inventory and test explicitly authorized network services with bounded discovery and protocol-aware validation. Use for approved hosts, address ranges, ports, TLS, banners, service versions, authentication, exposure, segmentation, configuration, packet evidence, or narrowly reviewed vulnerability checks when rate, source, third-party boundaries, and stop conditions are explicit. +--- + +# Test Network Services + +## Overview + +Establish what is actually listening and reachable before making vulnerability claims. Keep discovery, identification, configuration review, authentication tests, and exploit validation as separate authorized levels. + +Read [references/network-test-levels.md](references/network-test-levels.md) before selecting tools or scan intensity. + +## Workflow + +1. Load approved targets/exclusions, source addresses, network path, time/rate limits, credentials, and contacts. +2. Resolve target identity. + - Record DNS, addresses, cloud/CDN/load-balancer ownership, environment, and routes; stop on third-party or out-of-scope resolution. +3. Discover conservatively. + - Start with known assets and low-rate reachability/port checks; record tool/version/options, packet source, loss, and filtering. +4. Identify services. + - Validate protocol, TLS/certificate, banner/version, authentication exposure, and application behavior instead of trusting port numbers or one fingerprint. +5. Assess configuration and exposure. + - Review unnecessary listeners, network boundary, encryption, weak/default access, anonymous behavior, management interfaces, and segmentation from approved vantage points. +6. Validate vulnerability candidates. + - Review scanner/template logic and use the smallest protocol-aware proof; route protocol mechanics to `network-protocol-skills`. +7. Stop and clean up. + - Halt on instability, rate-limit distress, unexpected sensitive data, third parties, or scope drift; close sessions and remove temporary access. + +## Output + +Return target resolution, discovery coverage, validated services, configuration/exposure observations, vulnerability candidates/validation, negative results, impact, and cleanup. diff --git a/plugins/cybersecurity-skills/skills/test-network-services/agents/openai.yaml b/plugins/cybersecurity-skills/skills/test-network-services/agents/openai.yaml new file mode 100644 index 00000000..a777b038 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/test-network-services/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Test Network Services" + short_description: "Validate authorized service exposure in bounded levels" + default_prompt: "Use $test-network-services to inventory and validate these authorized network services safely." diff --git a/plugins/cybersecurity-skills/skills/test-network-services/references/network-test-levels.md b/plugins/cybersecurity-skills/skills/test-network-services/references/network-test-levels.md new file mode 100644 index 00000000..5a2e95d0 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/test-network-services/references/network-test-levels.md @@ -0,0 +1,10 @@ +# Network Test Levels + +1. Asset resolution: owner, DNS/address, route, environment, third parties. +2. Reachability: bounded host/port checks from an approved source. +3. Service identification: protocol handshake, TLS, banner, version, authentication surface. +4. Configuration review: exposure, encryption, access, segmentation, management interfaces. +5. Vulnerability check: reviewed, narrowly selected probe with safe matcher. +6. Exploit validation: separately authorized minimum proof and cleanup. + +Do not jump levels because a tool supports it. Record rate, retries, concurrency, timeouts, excluded ports/hosts, and any service degradation. Use packet capture only when authorized and minimize unrelated traffic/data. diff --git a/plugins/cybersecurity-skills/skills/test-web-and-api-security/SKILL.md b/plugins/cybersecurity-skills/skills/test-web-and-api-security/SKILL.md new file mode 100644 index 00000000..f62494cd --- /dev/null +++ b/plugins/cybersecurity-skills/skills/test-web-and-api-security/SKILL.md @@ -0,0 +1,32 @@ +--- +name: test-web-and-api-security +description: Test an explicitly authorized web application or API using current OWASP guidance and bounded manual or automated checks. Use for authentication, authorization, session, input, browser, API schema, business logic, file handling, server-side request, configuration, transport, error, and data-exposure tests when accounts, roles, target, rate, evidence, and stop conditions are defined. +--- + +# Test Web And API Security + +## Overview + +Test one scoped property at a time with role-aware accounts and reproducible requests. Use passive observation before active mutation and review automated scanner behavior before it reaches the target. + +Read [references/web-api-test-plan.md](references/web-api-test-plan.md) and current OWASP WSTG/API guidance before execution. + +## Workflow + +1. Load the approved scope, environment, accounts/roles, data, rate limits, and stop conditions. +2. Map the application. + - Record hosts, routes, APIs/schemas, roles, trust boundaries, sessions/tokens, browser controls, uploads, integrations, and state-changing operations. +3. Capture a baseline. + - Preserve normal requests/responses and expected authorization for each role and resource owner. +4. Test by security property. + - Cover identity/session, object/function authorization, input handling, browser/client boundaries, server-side fetches, files, configuration, errors, data exposure, business logic, and rate/resource controls as scope permits. +5. Use tools deliberately. + - Keep proxy/browser history scoped; review ZAP or Nuclei configuration/templates; exclude destructive or broad checks; record exact versions and requests. +6. Validate candidates. + - Reproduce with the smallest request, negative control, different role/owner, and fixed/mitigated state when available. +7. Clean up. + - Remove test data/accounts/tokens, restore state, and report anything that could not be reverted. + +## Output + +Return scope/accounts, application map, tests and evidence, validated findings, negative results/coverage gaps, cleanup, and retest criteria. diff --git a/plugins/cybersecurity-skills/skills/test-web-and-api-security/agents/openai.yaml b/plugins/cybersecurity-skills/skills/test-web-and-api-security/agents/openai.yaml new file mode 100644 index 00000000..cb85656b --- /dev/null +++ b/plugins/cybersecurity-skills/skills/test-web-and-api-security/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Test Web And API Security" + short_description: "Run scoped, role-aware web and API security tests" + default_prompt: "Use $test-web-and-api-security to test this authorized web or API surface methodically." diff --git a/plugins/cybersecurity-skills/skills/test-web-and-api-security/references/web-api-test-plan.md b/plugins/cybersecurity-skills/skills/test-web-and-api-security/references/web-api-test-plan.md new file mode 100644 index 00000000..121a1e04 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/test-web-and-api-security/references/web-api-test-plan.md @@ -0,0 +1,15 @@ +# Web And API Test Plan + +Record: + +- WSTG/API test identifier or named security property; +- exact endpoint, method, content type, schema, and environment; +- account, role, tenant, and resource owner; +- normal baseline request/response; +- one changed input or state; +- expected security behavior; +- observed response, server-side evidence, and side effect; +- negative control and cleanup; +- rate/concurrency and stop condition. + +Use the current [OWASP Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) and [ZAP documentation](https://www.zaproxy.org/docs/). Review Nuclei templates before use; a template match is a validation candidate, not a confirmed finding. diff --git a/plugins/cybersecurity-skills/skills/triage-vulnerability-report/SKILL.md b/plugins/cybersecurity-skills/skills/triage-vulnerability-report/SKILL.md new file mode 100644 index 00000000..19a8bf0f --- /dev/null +++ b/plugins/cybersecurity-skills/skills/triage-vulnerability-report/SKILL.md @@ -0,0 +1,34 @@ +--- +name: triage-vulnerability-report +description: Normalize and triage a supplied vulnerability report, scanner result, advisory, CVE, proof of concept, bug bounty submission, security ticket, or researcher note. Use when affected component/version, source credibility, prerequisites, evidence, duplicate status, asset applicability, source-code owner, validation plan, and immediate exposure questions must be established before accepting or rejecting a finding. +--- + +# Triage Vulnerability Report + +## Overview + +Convert incoming claims into a testable hypothesis tied to an exact product, version, configuration, and asset. Do not reproduce active impact until authorization and the smallest safe validation plan are explicit. + +Read [references/vulnerability-intake.md](references/vulnerability-intake.md) for the normalized record. + +## Workflow + +1. Preserve the original report and source. +2. Normalize identity. + - Record product/component, versions, commit/build/image, dependency identity, advisory/CVE/CWE, endpoints/code paths, deployment/configuration, and affected assets. +3. Extract the claim. + - State attacker position, prerequisites, input, security boundary crossed, result, impact, and supplied reproduction. +4. Grade evidence. + - Separate scanner matching, vulnerable-code presence, reachability, successful reproduction, external advisory, and speculation. + - Record logs, requests/responses, traces, screenshots, code, and environment details. +5. Check authoritative context. + - Use vendor advisories, source/release history, OSV/ecosystem advisories, CISA KEV, and current disclosure state; date lookups. +6. Route ownership. + - Use Codex Security for repository/diff scanning or attack-path work when available. + - Route to vulnerability validation for a supplied claim and to the owning stack for remediation only after acceptance criteria are clear. +7. Define immediate action. + - Identify exposed assets, reversible mitigations, missing evidence, safe validation, and disclosure/notification needs. + +## Output + +Return normalized identity, claim, evidence grade, asset applicability, duplicates/advisories, urgency, validation plan, and owner. diff --git a/plugins/cybersecurity-skills/skills/triage-vulnerability-report/agents/openai.yaml b/plugins/cybersecurity-skills/skills/triage-vulnerability-report/agents/openai.yaml new file mode 100644 index 00000000..9a270796 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/triage-vulnerability-report/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Triage Vulnerability Report" + short_description: "Normalize vulnerability claims and missing evidence" + default_prompt: "Use $triage-vulnerability-report to turn this report into a testable, owned security claim." diff --git a/plugins/cybersecurity-skills/skills/triage-vulnerability-report/references/vulnerability-intake.md b/plugins/cybersecurity-skills/skills/triage-vulnerability-report/references/vulnerability-intake.md new file mode 100644 index 00000000..9709f0be --- /dev/null +++ b/plugins/cybersecurity-skills/skills/triage-vulnerability-report/references/vulnerability-intake.md @@ -0,0 +1,22 @@ +# Vulnerability Intake Record + +```markdown +- Source/report ID/date: +- Product/component/build/dependency: +- Affected and fixed versions claimed: +- Deployment/configuration/assets: +- Attacker position and prerequisites: +- Input/action: +- Boundary crossed: +- Result and impact: +- Supplied evidence/reproduction: +- Advisory/CVE/CWE/vendor status: +- Scanner/tool/version/rules: +- Present code or package: +- Reachability/exploitability evidence: +- Missing evidence and contradictions: +- Validation authorization/environment: +- Immediate mitigation and owner: +``` + +Do not let a CVE or package-name match substitute for exact product lineage, version, configuration, and reachable behavior. diff --git a/plugins/cybersecurity-skills/skills/validate-vulnerability/SKILL.md b/plugins/cybersecurity-skills/skills/validate-vulnerability/SKILL.md new file mode 100644 index 00000000..79b8e39c --- /dev/null +++ b/plugins/cybersecurity-skills/skills/validate-vulnerability/SKILL.md @@ -0,0 +1,34 @@ +--- +name: validate-vulnerability +description: Determine whether a specific vulnerability claim is valid, reachable, exploitable, and impactful in an authorized environment. Use for scanner candidates, advisories, CVEs, supplied PoCs, source-level concerns, configuration weaknesses, or regression tests when the smallest safe proof, negative controls, exact build, prerequisites, boundary crossed, and confidence must be recorded. +--- + +# Validate Vulnerability + +## Overview + +Prove or refute the narrow claim with the least invasive reproduction. Separate vulnerable code or package presence from reachability, controllability, boundary crossing, and demonstrated impact. + +Read [references/validation-evidence.md](references/validation-evidence.md) for proof levels and controls. + +## Workflow + +1. Confirm authorization and exact target/build/configuration. +2. State the hypothesis. + - Define attacker position, controlled input, preconditions, code/endpoint, expected security property, and observable violation. +3. Establish controls. + - Prepare a known-vulnerable or claimed build, fixed/patched or negative build, baseline input, and minimally changed trigger when practical. +4. Trace reachability. + - Show how input reaches the affected component and whether authentication, feature flags, deployment topology, sanitization, mitigations, or dead code block it. + - Use Codex Security for repository attack-path analysis when appropriate. +5. Reproduce minimally. + - Prefer harmless markers, bounded data, synthetic accounts, and local fixtures. + - Stop before destructive impact, persistence, unrelated data access, lateral movement, or instability beyond scope. +6. Capture evidence. + - Record request/input, response/output, traces/logs, process or state change, exact tool/version, timestamps, cleanup, and retest. +7. Classify. + - Validated exploitable, validated but constrained, vulnerable component present but not reachable, false positive for this target, fixed, or unresolved. + +## Output + +Return hypothesis, environment, controls, reachability, minimal proof, impact boundary, classification/confidence, cleanup, and remediation/retest criteria. diff --git a/plugins/cybersecurity-skills/skills/validate-vulnerability/agents/openai.yaml b/plugins/cybersecurity-skills/skills/validate-vulnerability/agents/openai.yaml new file mode 100644 index 00000000..b861c1ff --- /dev/null +++ b/plugins/cybersecurity-skills/skills/validate-vulnerability/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Validate Vulnerability" + short_description: "Prove reachability and impact with minimal safe evidence" + default_prompt: "Use $validate-vulnerability to safely prove or refute this specific vulnerability claim." diff --git a/plugins/cybersecurity-skills/skills/validate-vulnerability/references/validation-evidence.md b/plugins/cybersecurity-skills/skills/validate-vulnerability/references/validation-evidence.md new file mode 100644 index 00000000..1c437ae2 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/validate-vulnerability/references/validation-evidence.md @@ -0,0 +1,13 @@ +# Vulnerability Validation Evidence + +Increasing evidence strength: + +1. advisory or scanner claims a match; +2. affected component/version is present; +3. relevant feature/code path is deployed; +4. attacker-controlled input reaches the path; +5. security property is violated under controlled conditions; +6. meaningful impact is demonstrated within scope; +7. fixed build or mitigation prevents the same reproduction. + +Use negative controls to reject environmental noise. Preserve failed attempts and contradictory results. A crash alone does not establish code execution; an error alone does not establish injection; a vulnerable dependency alone does not establish reachable exposure. From d8b886b4ad147cdf0227aa81e45cdf2b1c8d0079 Mon Sep 17 00:00:00 2001 From: Gale W Date: Tue, 14 Jul 2026 15:15:41 -0400 Subject: [PATCH 6/7] security: complete cybersecurity skill workflows Why: Ship the full guidance-only cybersecurity plugin across malware analysis, macOS defense, authorized testing, incident response, and detection engineering. Verification: - 30 child skills validated - 99 root tests passed; 1 skipped - mypy passed - marketplace, Hermes, architecture, and plugin validators passed - ruff remains blocked by two unrelated baseline findings --- .agents/plugins/marketplace.json | 2 +- README.md | 3 +- ROADMAP.md | 42 +- docs/architecture/ARCHITECTURE.md | 74 +- docs/architecture/architecture.json | 2663 ++++++++++++----- .../cybersecurity-skills-plugin-plan.md | 4 +- docs/maintainers/hermes-compatibility.md | 6 + .../scripts/validate_repo_metadata.py | 44 + .../skills/assess-and-explain-threat/SKILL.md | 2 +- .../skills/author-detection-content/SKILL.md | 34 + .../agents/openai.yaml | 4 + .../references/detection-quality.md | 12 + .../skills/contain-security-incident/SKILL.md | 34 + .../agents/openai.yaml | 4 + .../references/containment-plan.md | 17 + .../skills/hunt-security-indicators/SKILL.md | 34 + .../agents/openai.yaml | 4 + .../references/hunt-record.md | 17 + .../skills/recover-security-incident/SKILL.md | 33 + .../agents/openai.yaml | 4 + .../references/recovery-gates.md | 11 + .../skills/triage-security-incident/SKILL.md | 36 + .../agents/openai.yaml | 4 + .../references/incident-triage-record.md | 18 + scripts/export_hermes_skills.py | 59 +- skills.sh.json | 35 + .../SKILL.md | 38 + .../agents/openai.yaml | 4 + .../references/script-document-analysis.md | 11 + skills/assess-and-explain-threat/SKILL.md | 42 + .../agents/openai.yaml | 4 + .../references/confidence-and-advice.md | 22 + skills/assess-exposure-and-impact/SKILL.md | 32 + .../agents/openai.yaml | 4 + .../references/exposure-impact-model.md | 17 + skills/assess-macos-threat/SKILL.md | 33 + skills/assess-macos-threat/agents/openai.yaml | 4 + .../references/macos-security-layers.md | 15 + skills/author-detection-content/SKILL.md | 34 + .../agents/openai.yaml | 4 + .../references/detection-quality.md | 12 + skills/author-yara-x-rules/SKILL.md | 36 + skills/author-yara-x-rules/agents/openai.yaml | 4 + .../references/yara-x-rule-quality.md | 15 + skills/check-artifact-reputation/SKILL.md | 39 + .../agents/openai.yaml | 4 + .../references/reputation-evidence.md | 19 + skills/contain-and-recover-macos/SKILL.md | 36 + .../agents/openai.yaml | 4 + .../references/macos-response-ladder.md | 10 + skills/contain-security-incident/SKILL.md | 34 + .../agents/openai.yaml | 4 + .../references/containment-plan.md | 17 + skills/harden-macos/SKILL.md | 35 + skills/harden-macos/agents/openai.yaml | 4 + .../references/macos-hardening-review.md | 14 + skills/hunt-security-indicators/SKILL.md | 34 + .../agents/openai.yaml | 4 + .../references/hunt-record.md | 17 + skills/inspect-macos-persistence/SKILL.md | 33 + .../agents/openai.yaml | 4 + .../references/macos-persistence-surfaces.md | 14 + .../inspect-macos-runtime-activity/SKILL.md | 33 + .../agents/openai.yaml | 4 + .../references/macos-runtime-evidence.md | 12 + skills/map-malware-behavior/SKILL.md | 32 + .../map-malware-behavior/agents/openai.yaml | 4 + .../references/behavior-mapping.md | 14 + .../operate-agentic-security-tools/SKILL.md | 45 + .../agents/openai.yaml | 4 + .../references/agent-tool-controls.md | 29 + .../perform-dynamic-malware-analysis/SKILL.md | 34 + .../agents/openai.yaml | 4 + .../references/dynamic-observation-plan.md | 34 + .../perform-static-malware-analysis/SKILL.md | 33 + .../agents/openai.yaml | 4 + .../references/static-analysis-layers.md | 11 + skills/preserve-security-evidence/SKILL.md | 45 + .../agents/openai.yaml | 4 + .../references/security-record.md | 44 + skills/recover-security-incident/SKILL.md | 33 + .../agents/openai.yaml | 4 + .../references/recovery-gates.md | 11 + skills/report-security-assessment/SKILL.md | 35 + .../agents/openai.yaml | 4 + .../references/security-report-shape.md | 26 + skills/route-security-work/SKILL.md | 42 + skills/route-security-work/agents/openai.yaml | 4 + .../references/routing-map.md | 15 + .../scope-authorized-security-test/SKILL.md | 35 + .../agents/openai.yaml | 4 + .../references/active-test-scope.md | 36 + skills/select-analysis-isolation/SKILL.md | 42 + .../agents/openai.yaml | 4 + .../references/isolation-matrix.md | 14 + skills/test-network-services/SKILL.md | 32 + .../test-network-services/agents/openai.yaml | 4 + .../references/network-test-levels.md | 10 + skills/test-web-and-api-security/SKILL.md | 32 + .../agents/openai.yaml | 4 + .../references/web-api-test-plan.md | 15 + skills/triage-security-incident/SKILL.md | 36 + .../agents/openai.yaml | 4 + .../references/incident-triage-record.md | 18 + skills/triage-suspicious-content/SKILL.md | 38 + .../agents/openai.yaml | 4 + .../references/content-preflight.md | 12 + skills/triage-vulnerability-report/SKILL.md | 34 + .../agents/openai.yaml | 4 + .../references/vulnerability-intake.md | 22 + skills/use-objective-see-tools/SKILL.md | 36 + .../agents/openai.yaml | 4 + .../references/objective-see-routing.md | 13 + skills/validate-vulnerability/SKILL.md | 34 + .../validate-vulnerability/agents/openai.yaml | 4 + .../references/validation-evidence.md | 13 + tests/test_cybersecurity_skill_contracts.py | 121 + tests/test_validate_hermes_compatibility.py | 1 + 118 files changed, 4192 insertions(+), 859 deletions(-) create mode 100644 plugins/cybersecurity-skills/skills/author-detection-content/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/author-detection-content/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/author-detection-content/references/detection-quality.md create mode 100644 plugins/cybersecurity-skills/skills/contain-security-incident/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/contain-security-incident/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/contain-security-incident/references/containment-plan.md create mode 100644 plugins/cybersecurity-skills/skills/hunt-security-indicators/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/hunt-security-indicators/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/hunt-security-indicators/references/hunt-record.md create mode 100644 plugins/cybersecurity-skills/skills/recover-security-incident/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/recover-security-incident/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/recover-security-incident/references/recovery-gates.md create mode 100644 plugins/cybersecurity-skills/skills/triage-security-incident/SKILL.md create mode 100644 plugins/cybersecurity-skills/skills/triage-security-incident/agents/openai.yaml create mode 100644 plugins/cybersecurity-skills/skills/triage-security-incident/references/incident-triage-record.md create mode 100644 skills/analyze-suspicious-script-or-document/SKILL.md create mode 100644 skills/analyze-suspicious-script-or-document/agents/openai.yaml create mode 100644 skills/analyze-suspicious-script-or-document/references/script-document-analysis.md create mode 100644 skills/assess-and-explain-threat/SKILL.md create mode 100644 skills/assess-and-explain-threat/agents/openai.yaml create mode 100644 skills/assess-and-explain-threat/references/confidence-and-advice.md create mode 100644 skills/assess-exposure-and-impact/SKILL.md create mode 100644 skills/assess-exposure-and-impact/agents/openai.yaml create mode 100644 skills/assess-exposure-and-impact/references/exposure-impact-model.md create mode 100644 skills/assess-macos-threat/SKILL.md create mode 100644 skills/assess-macos-threat/agents/openai.yaml create mode 100644 skills/assess-macos-threat/references/macos-security-layers.md create mode 100644 skills/author-detection-content/SKILL.md create mode 100644 skills/author-detection-content/agents/openai.yaml create mode 100644 skills/author-detection-content/references/detection-quality.md create mode 100644 skills/author-yara-x-rules/SKILL.md create mode 100644 skills/author-yara-x-rules/agents/openai.yaml create mode 100644 skills/author-yara-x-rules/references/yara-x-rule-quality.md create mode 100644 skills/check-artifact-reputation/SKILL.md create mode 100644 skills/check-artifact-reputation/agents/openai.yaml create mode 100644 skills/check-artifact-reputation/references/reputation-evidence.md create mode 100644 skills/contain-and-recover-macos/SKILL.md create mode 100644 skills/contain-and-recover-macos/agents/openai.yaml create mode 100644 skills/contain-and-recover-macos/references/macos-response-ladder.md create mode 100644 skills/contain-security-incident/SKILL.md create mode 100644 skills/contain-security-incident/agents/openai.yaml create mode 100644 skills/contain-security-incident/references/containment-plan.md create mode 100644 skills/harden-macos/SKILL.md create mode 100644 skills/harden-macos/agents/openai.yaml create mode 100644 skills/harden-macos/references/macos-hardening-review.md create mode 100644 skills/hunt-security-indicators/SKILL.md create mode 100644 skills/hunt-security-indicators/agents/openai.yaml create mode 100644 skills/hunt-security-indicators/references/hunt-record.md create mode 100644 skills/inspect-macos-persistence/SKILL.md create mode 100644 skills/inspect-macos-persistence/agents/openai.yaml create mode 100644 skills/inspect-macos-persistence/references/macos-persistence-surfaces.md create mode 100644 skills/inspect-macos-runtime-activity/SKILL.md create mode 100644 skills/inspect-macos-runtime-activity/agents/openai.yaml create mode 100644 skills/inspect-macos-runtime-activity/references/macos-runtime-evidence.md create mode 100644 skills/map-malware-behavior/SKILL.md create mode 100644 skills/map-malware-behavior/agents/openai.yaml create mode 100644 skills/map-malware-behavior/references/behavior-mapping.md create mode 100644 skills/operate-agentic-security-tools/SKILL.md create mode 100644 skills/operate-agentic-security-tools/agents/openai.yaml create mode 100644 skills/operate-agentic-security-tools/references/agent-tool-controls.md create mode 100644 skills/perform-dynamic-malware-analysis/SKILL.md create mode 100644 skills/perform-dynamic-malware-analysis/agents/openai.yaml create mode 100644 skills/perform-dynamic-malware-analysis/references/dynamic-observation-plan.md create mode 100644 skills/perform-static-malware-analysis/SKILL.md create mode 100644 skills/perform-static-malware-analysis/agents/openai.yaml create mode 100644 skills/perform-static-malware-analysis/references/static-analysis-layers.md create mode 100644 skills/preserve-security-evidence/SKILL.md create mode 100644 skills/preserve-security-evidence/agents/openai.yaml create mode 100644 skills/preserve-security-evidence/references/security-record.md create mode 100644 skills/recover-security-incident/SKILL.md create mode 100644 skills/recover-security-incident/agents/openai.yaml create mode 100644 skills/recover-security-incident/references/recovery-gates.md create mode 100644 skills/report-security-assessment/SKILL.md create mode 100644 skills/report-security-assessment/agents/openai.yaml create mode 100644 skills/report-security-assessment/references/security-report-shape.md create mode 100644 skills/route-security-work/SKILL.md create mode 100644 skills/route-security-work/agents/openai.yaml create mode 100644 skills/route-security-work/references/routing-map.md create mode 100644 skills/scope-authorized-security-test/SKILL.md create mode 100644 skills/scope-authorized-security-test/agents/openai.yaml create mode 100644 skills/scope-authorized-security-test/references/active-test-scope.md create mode 100644 skills/select-analysis-isolation/SKILL.md create mode 100644 skills/select-analysis-isolation/agents/openai.yaml create mode 100644 skills/select-analysis-isolation/references/isolation-matrix.md create mode 100644 skills/test-network-services/SKILL.md create mode 100644 skills/test-network-services/agents/openai.yaml create mode 100644 skills/test-network-services/references/network-test-levels.md create mode 100644 skills/test-web-and-api-security/SKILL.md create mode 100644 skills/test-web-and-api-security/agents/openai.yaml create mode 100644 skills/test-web-and-api-security/references/web-api-test-plan.md create mode 100644 skills/triage-security-incident/SKILL.md create mode 100644 skills/triage-security-incident/agents/openai.yaml create mode 100644 skills/triage-security-incident/references/incident-triage-record.md create mode 100644 skills/triage-suspicious-content/SKILL.md create mode 100644 skills/triage-suspicious-content/agents/openai.yaml create mode 100644 skills/triage-suspicious-content/references/content-preflight.md create mode 100644 skills/triage-vulnerability-report/SKILL.md create mode 100644 skills/triage-vulnerability-report/agents/openai.yaml create mode 100644 skills/triage-vulnerability-report/references/vulnerability-intake.md create mode 100644 skills/use-objective-see-tools/SKILL.md create mode 100644 skills/use-objective-see-tools/agents/openai.yaml create mode 100644 skills/use-objective-see-tools/references/objective-see-routing.md create mode 100644 skills/validate-vulnerability/SKILL.md create mode 100644 skills/validate-vulnerability/agents/openai.yaml create mode 100644 skills/validate-vulnerability/references/validation-evidence.md create mode 100644 tests/test_cybersecurity_skill_contracts.py diff --git a/.agents/plugins/marketplace.json b/.agents/plugins/marketplace.json index b66b02b4..aff80760 100644 --- a/.agents/plugins/marketplace.json +++ b/.agents/plugins/marketplace.json @@ -306,7 +306,7 @@ "path": "./plugins/cybersecurity-skills" }, "policy": { - "installation": "NOT_AVAILABLE", + "installation": "AVAILABLE", "authentication": "ON_INSTALL" }, "category": "Developer Tools" diff --git a/README.md b/README.md index d0a39312..498e8c71 100644 --- a/README.md +++ b/README.md @@ -104,6 +104,7 @@ Currently available from the catalog: - `cardhop-app` - `cloud-deployment-skills` - `cloud-inference-skills` +- `cybersecurity-skills` - `messaging-collaboration-skills` - `agentdeck` - `dotnet-skills` @@ -134,6 +135,7 @@ Current Socket catalog shape: - `cardhop-app`: mixed skill plus bundled MCP server for Cardhop.app contact workflows - `cloud-deployment-skills`: cloud provider deployment routing, official provider plugin selection, credential and mutation boundary checks, and AWS handoff to the official AWS Agent Toolkit rather than duplicated AWS MCP, CLI, or SAM setup - `cloud-inference-skills`: cloud AI inference, training, model conversion, and GPU infrastructure routing for Runpod, Hugging Face, AWS, Vast.ai, CoreWeave, and similar providers, with bundled Runpod MCP server configuration, upstream Runpod skill mirrors, and first-party Hugging Face/AWS handoffs +- `cybersecurity-skills`: suspicious-content triage, evidence preservation, malware analysis, isolation, agentic security-tool controls, macOS investigation and defense, vulnerability validation, authorized web/API and network testing, incident response, threat hunting, detection content, and clear non-specialist advice - `messaging-collaboration-skills`: chat-app, bot, business-messaging, meeting-collaboration, iMessage collaboration, Communication Notifications, Push to Talk, VoIP/SIP, documented iOS/iPadOS default communication roles, and app-owned macOS client workflows for Discord, Telegram, Slack, Teams, WhatsApp Business, SMS/MMS/RCS, Google Meet, and Apple communication surfaces, with explicit Signal and Mac operator-automation boundaries - `agentdeck`: local Codex runtime utilities, starting with hooks that prefix generated Codex thread titles with the project directory name - `dotnet-skills`: .NET, F#, and C# project-shape, bootstrap, implementation, test, package, diagnostics, ASP.NET Core, interop, CI, upgrade, and tooling guidance @@ -153,7 +155,6 @@ Current Socket catalog shape: Placeholder directories for future plugins (not available for install): -- `cybersecurity-skills` - `spotify` ## Development diff --git a/ROADMAP.md b/ROADMAP.md index 4c98ded7..543ecc60 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -867,37 +867,37 @@ Completed ### Status -Planned +Completed ### Scope -- [ ] Add a dedicated Socket-hosted `cybersecurity-skills` child plugin for suspicious-content triage, malware analysis, safe isolation, macOS defense, vulnerability validation, authorized security testing, incident response, detection content, and understandable defensive advice. -- [ ] Keep the first release guidance-only: no bundled scanners, malware or exploit samples, privileged helper, daemon, hook, MCP server, VM/container image, remote-sandbox credential, or autonomous active-testing runtime. -- [ ] Keep `reverse-engineering-skills` focused on compiled artifacts and binary internals; use explicit handoffs instead of absorbing reverse engineering into the new plugin. -- [ ] Route repository-wide and diff-based source scanning to Codex Security when it is available rather than duplicating its scan pipeline. -- [ ] Make the suspicious-content-to-macOS-defense path the first installable release, with vulnerability and incident-response expansion built on the same evidence, confidence, isolation, and reporting records. +- [x] Add a dedicated Socket-hosted `cybersecurity-skills` child plugin for suspicious-content triage, malware analysis, safe isolation, macOS defense, vulnerability validation, authorized security testing, incident response, detection content, and understandable defensive advice. +- [x] Keep the first release guidance-only: no bundled scanners, malware or exploit samples, privileged helper, daemon, hook, MCP server, VM/container image, remote-sandbox credential, or autonomous active-testing runtime. +- [x] Keep `reverse-engineering-skills` focused on compiled artifacts and binary internals; use explicit handoffs instead of absorbing reverse engineering into the new plugin. +- [x] Route repository-wide and diff-based source scanning to Codex Security when it is available rather than duplicating its scan pipeline. +- [x] Make the suspicious-content-to-macOS-defense path the first installable release, with vulnerability and incident-response expansion built on the same evidence, confidence, isolation, and reporting records. ### Tickets - [x] Record the architecture, ownership, safety, source, validation, and phased implementation plan in [`docs/maintainers/cybersecurity-skills-plugin-plan.md`](./docs/maintainers/cybersecurity-skills-plugin-plan.md). -- [ ] Create `plugins/cybersecurity-skills/` with `.codex-plugin/plugin.json`, `AGENTS.md`, authored `skills/`, assets, and focused child validation. -- [ ] Add the root marketplace entry as unavailable while the plugin is a placeholder; switch it to installable only after a usable skill slice exists. -- [ ] Add shared routing, evidence preservation, confidence/explanation, isolation selection, and agentic-security-tool workflows. -- [ ] Add suspicious-content triage, privacy-aware reputation, static/dynamic malware analysis, suspicious script/document, YARA-X, and behavior-mapping workflows. -- [ ] Add macOS threat assessment, persistence, runtime activity, Objective-See adapter, containment/recovery, and hardening workflows. -- [ ] Add authorized-test scoping, vulnerability triage/validation/exposure, web/API and network testing, and security-assessment reporting in fixture-validated slices. -- [ ] Add incident triage, containment, recovery, threat hunting, and detection-content workflows after the first defensive analysis release is stable. -- [ ] Forward-test benign lookalikes, malicious simulations, isolation failures, macOS VM workflows, scanner false positives, reachable/unreachable vulnerabilities, and non-specialist advice. -- [ ] Export portable skills through the Hermes tap and validate each host-specific or future MCP/runtime decision explicitly. -- [ ] Update root README inventory text, marketplace metadata, architecture metadata, and validation when the plugin becomes installable. +- [x] Create `plugins/cybersecurity-skills/` with `.codex-plugin/plugin.json`, `AGENTS.md`, authored `skills/`, assets, and focused child validation. +- [x] Add the root marketplace entry as unavailable while the plugin is a placeholder; switch it to installable only after a usable skill slice exists. +- [x] Add shared routing, evidence preservation, confidence/explanation, isolation selection, and agentic-security-tool workflows. +- [x] Add suspicious-content triage, privacy-aware reputation, static/dynamic malware analysis, suspicious script/document, YARA-X, and behavior-mapping workflows. +- [x] Add macOS threat assessment, persistence, runtime activity, Objective-See adapter, containment/recovery, and hardening workflows. +- [x] Add authorized-test scoping, vulnerability triage/validation/exposure, web/API and network testing, and security-assessment reporting in fixture-validated slices. +- [x] Add incident triage, containment, recovery, threat hunting, and detection-content workflows on the shared records after the earlier defensive slices validated. +- [x] Forward-test benign lookalikes, isolation failures, macOS-control separation, privacy-aware reputation, scanner false positives, reachable/unreachable vulnerabilities, incident containment, detection fixtures, and non-specialist advice. +- [x] Export portable skills through the Hermes tap and validate each host-specific or future MCP/runtime decision explicitly. +- [x] Update root README inventory text, marketplace metadata, architecture metadata, and validation when the plugin becomes installable. ### Exit Criteria -- [ ] An agent can move from an ambiguous suspicious artifact or activity report to preserved evidence, an appropriate isolation boundary, a confidence-calibrated assessment, and clear immediate advice. -- [ ] macOS workflows distinguish signing, notarization, quarantine, XProtect, Gatekeeper, TCC, SIP, process/file/network behavior, persistence, containment, and verified recovery. -- [ ] Vulnerability and authorized-testing workflows require explicit scope and validate exploitability and exposure rather than treating scanner output, CVSS, or an exploit template as proof. -- [ ] Deep binary work, repository source scanning, Apple implementation, and stack-specific fixes have explicit owner handoffs with no duplicate catch-all workflows. -- [ ] Root documentation, marketplace wiring, Codex/Hermes compatibility, plugin metadata, and validation agree on the shipped skill inventory. +- [x] An agent can move from an ambiguous suspicious artifact or activity report to preserved evidence, an appropriate isolation boundary, a confidence-calibrated assessment, and clear immediate advice. +- [x] macOS workflows distinguish signing, notarization, quarantine, XProtect, Gatekeeper, TCC, SIP, process/file/network behavior, persistence, containment, and verified recovery. +- [x] Vulnerability and authorized-testing workflows require explicit scope and validate exploitability and exposure rather than treating scanner output, CVSS, or an exploit template as proof. +- [x] Deep binary work, repository source scanning, Apple implementation, and stack-specific fixes have explicit owner handoffs with no duplicate catch-all workflows. +- [x] Root documentation, marketplace wiring, Codex/Hermes compatibility, plugin metadata, and validation agree on the shipped skill inventory. ## Small Tickets diff --git a/docs/architecture/ARCHITECTURE.md b/docs/architecture/ARCHITECTURE.md index f6289c16..6430ecef 100644 --- a/docs/architecture/ARCHITECTURE.md +++ b/docs/architecture/ARCHITECTURE.md @@ -18,6 +18,7 @@ See [SLICES.md](./SLICES.md) for provable end-to-end code paths. - `cardhop-app` (codex-plugin) uses targets: skills:plugins/cardhop-app/skills, mcp:plugins/cardhop-app/.mcp.json. - `cloud-deployment-skills` (codex-plugin) uses targets: skills:plugins/cloud-deployment-skills/skills. - `cloud-inference-skills` (codex-plugin) uses targets: skills:plugins/cloud-inference-skills/skills, mcp:plugins/cloud-inference-skills/.mcp.json. +- `cybersecurity-skills` (codex-plugin) uses targets: skills:plugins/cybersecurity-skills/skills. - `dotnet-skills` (codex-plugin) uses targets: skills:plugins/dotnet-skills/skills. - `game-dev-skills` (codex-plugin) uses targets: skills:plugins/game-dev-skills/skills. - `messaging-collaboration-skills` (codex-plugin) uses targets: skills:plugins/messaging-collaboration-skills/skills. @@ -33,7 +34,7 @@ See [SLICES.md](./SLICES.md) for provable end-to-end code paths. - `swiftasb-skills` (codex-plugin) uses targets: skills:plugins/swiftasb-skills/skills. - `things-app` (codex-plugin) uses targets: skills:plugins/things-app/skills, mcp:plugins/things-app/.mcp.json. - `web-dev-skills` (codex-plugin) uses targets: skills:plugins/web-dev-skills/skills. -- `socket` (codex-plugin-marketplace) uses targets: agent-portability-skills, android-dev-skills, apple-dev-skills, apple-creator-studio-skills, cardhop-app, cloud-deployment-skills, cloud-inference-skills, dotnet-skills, productivity-skills, python-skills, network-protocol-skills, server-side-swift, swift-lang, server-side-jvm, rust-skills, speak-swiftly, swiftasb-skills, things-app, spotify, web-dev-skills, reverse-engineering-skills, agentdeck, game-dev-skills, messaging-collaboration-skills. +- `socket` (codex-plugin-marketplace) uses targets: agent-portability-skills, android-dev-skills, apple-dev-skills, apple-creator-studio-skills, cardhop-app, cloud-deployment-skills, cloud-inference-skills, dotnet-skills, productivity-skills, python-skills, network-protocol-skills, server-side-swift, swift-lang, server-side-jvm, rust-skills, speak-swiftly, swiftasb-skills, things-app, spotify, web-dev-skills, reverse-engineering-skills, agentdeck, game-dev-skills, messaging-collaboration-skills, cybersecurity-skills. - `speak-swiftly` (remote-plugin-entry) uses targets: no targets recorded. @@ -123,6 +124,36 @@ See [SLICES.md](./SLICES.md) for provable end-to-end code paths. - `skill:cloud-inference-skills/flash` (codex-skill) at `plugins/cloud-inference-skills/skills/flash/SKILL.md` depends on: no declared dependencies. - `skill:cloud-inference-skills/runpodctl` (codex-skill) at `plugins/cloud-inference-skills/skills/runpodctl/SKILL.md` depends on: no declared dependencies. - `mcp:plugins/cloud-inference-skills/.mcp.json` (mcp-config) at `plugins/cloud-inference-skills/.mcp.json` depends on: no declared dependencies. +- `skill:cybersecurity-skills/analyze-suspicious-script-or-document` (codex-skill) at `plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/assess-and-explain-threat` (codex-skill) at `plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/assess-exposure-and-impact` (codex-skill) at `plugins/cybersecurity-skills/skills/assess-exposure-and-impact/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/assess-macos-threat` (codex-skill) at `plugins/cybersecurity-skills/skills/assess-macos-threat/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/author-detection-content` (codex-skill) at `plugins/cybersecurity-skills/skills/author-detection-content/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/author-yara-x-rules` (codex-skill) at `plugins/cybersecurity-skills/skills/author-yara-x-rules/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/check-artifact-reputation` (codex-skill) at `plugins/cybersecurity-skills/skills/check-artifact-reputation/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/contain-and-recover-macos` (codex-skill) at `plugins/cybersecurity-skills/skills/contain-and-recover-macos/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/contain-security-incident` (codex-skill) at `plugins/cybersecurity-skills/skills/contain-security-incident/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/harden-macos` (codex-skill) at `plugins/cybersecurity-skills/skills/harden-macos/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/hunt-security-indicators` (codex-skill) at `plugins/cybersecurity-skills/skills/hunt-security-indicators/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/inspect-macos-persistence` (codex-skill) at `plugins/cybersecurity-skills/skills/inspect-macos-persistence/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/inspect-macos-runtime-activity` (codex-skill) at `plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/map-malware-behavior` (codex-skill) at `plugins/cybersecurity-skills/skills/map-malware-behavior/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/operate-agentic-security-tools` (codex-skill) at `plugins/cybersecurity-skills/skills/operate-agentic-security-tools/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/perform-dynamic-malware-analysis` (codex-skill) at `plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/perform-static-malware-analysis` (codex-skill) at `plugins/cybersecurity-skills/skills/perform-static-malware-analysis/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/preserve-security-evidence` (codex-skill) at `plugins/cybersecurity-skills/skills/preserve-security-evidence/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/recover-security-incident` (codex-skill) at `plugins/cybersecurity-skills/skills/recover-security-incident/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/report-security-assessment` (codex-skill) at `plugins/cybersecurity-skills/skills/report-security-assessment/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/route-security-work` (codex-skill) at `plugins/cybersecurity-skills/skills/route-security-work/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/scope-authorized-security-test` (codex-skill) at `plugins/cybersecurity-skills/skills/scope-authorized-security-test/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/select-analysis-isolation` (codex-skill) at `plugins/cybersecurity-skills/skills/select-analysis-isolation/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/test-network-services` (codex-skill) at `plugins/cybersecurity-skills/skills/test-network-services/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/test-web-and-api-security` (codex-skill) at `plugins/cybersecurity-skills/skills/test-web-and-api-security/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/triage-security-incident` (codex-skill) at `plugins/cybersecurity-skills/skills/triage-security-incident/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/triage-suspicious-content` (codex-skill) at `plugins/cybersecurity-skills/skills/triage-suspicious-content/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/triage-vulnerability-report` (codex-skill) at `plugins/cybersecurity-skills/skills/triage-vulnerability-report/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/use-objective-see-tools` (codex-skill) at `plugins/cybersecurity-skills/skills/use-objective-see-tools/SKILL.md` depends on: no declared dependencies. +- `skill:cybersecurity-skills/validate-vulnerability` (codex-skill) at `plugins/cybersecurity-skills/skills/validate-vulnerability/SKILL.md` depends on: no declared dependencies. - `skill:dotnet-skills/aspnet-core-service-workflow` (codex-skill) at `plugins/dotnet-skills/skills/aspnet-core-service-workflow/SKILL.md` depends on: no declared dependencies. - `skill:dotnet-skills/bootstrap-solution` (codex-skill) at `plugins/dotnet-skills/skills/bootstrap-solution/SKILL.md` depends on: no declared dependencies. - `skill:dotnet-skills/build-csharp-project` (codex-skill) at `plugins/dotnet-skills/skills/build-csharp-project/SKILL.md` depends on: no declared dependencies. @@ -144,13 +175,18 @@ See [SLICES.md](./SLICES.md) for provable end-to-end code paths. - `skill:game-dev-skills/xcode-game-profiling-workflow` (codex-skill) at `plugins/game-dev-skills/skills/xcode-game-profiling-workflow/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/apple-communication-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/apple-communication-workflow/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/choose-platform-integration` (codex-skill) at `plugins/messaging-collaboration-skills/skills/choose-platform-integration/SKILL.md` depends on: no declared dependencies. +- `skill:messaging-collaboration-skills/communication-notifications-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/communication-notifications-workflow/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/conversation-state-human-handoff` (codex-skill) at `plugins/messaging-collaboration-skills/skills/conversation-state-human-handoff/SKILL.md` depends on: no declared dependencies. +- `skill:messaging-collaboration-skills/default-communication-app-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/default-communication-app-workflow/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/discord-app-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/discord-app-workflow/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/google-meet-collaboration-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/google-meet-collaboration-workflow/SKILL.md` depends on: no declared dependencies. +- `skill:messaging-collaboration-skills/imessage-app-and-collaboration-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/imessage-app-and-collaboration-workflow/SKILL.md` depends on: no declared dependencies. +- `skill:messaging-collaboration-skills/push-to-talk-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/push-to-talk-workflow/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/slack-app-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/slack-app-workflow/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/sms-mms-rcs-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/sms-mms-rcs-workflow/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/teams-agent-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/teams-agent-workflow/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/telegram-bot-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/telegram-bot-workflow/SKILL.md` depends on: no declared dependencies. +- `skill:messaging-collaboration-skills/voip-sip-calling-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/voip-sip-calling-workflow/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/webhook-and-event-lifecycle` (codex-skill) at `plugins/messaging-collaboration-skills/skills/webhook-and-event-lifecycle/SKILL.md` depends on: no declared dependencies. - `skill:messaging-collaboration-skills/whatsapp-business-workflow` (codex-skill) at `plugins/messaging-collaboration-skills/skills/whatsapp-business-workflow/SKILL.md` depends on: no declared dependencies. - `skill:network-protocol-skills/choose-network-transport` (codex-skill) at `plugins/network-protocol-skills/skills/choose-network-transport/SKILL.md` depends on: no declared dependencies. @@ -354,6 +390,37 @@ The structured visual model lives in [architecture.json](./architecture.json). I - `skill-manifest` evidence from `plugins/cloud-inference-skills/skills/runpodctl/SKILL.md`. - `mcp-config` evidence from `plugins/cloud-inference-skills/.mcp.json`. - `codex-plugin-manifest` evidence from `plugins/cloud-inference-skills/.codex-plugin/plugin.json`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/assess-exposure-and-impact/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/assess-macos-threat/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/author-detection-content/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/author-yara-x-rules/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/check-artifact-reputation/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/contain-and-recover-macos/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/contain-security-incident/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/harden-macos/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/hunt-security-indicators/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/inspect-macos-persistence/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/map-malware-behavior/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/operate-agentic-security-tools/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/perform-static-malware-analysis/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/preserve-security-evidence/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/recover-security-incident/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/report-security-assessment/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/route-security-work/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/scope-authorized-security-test/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/select-analysis-isolation/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/test-network-services/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/test-web-and-api-security/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/triage-security-incident/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/triage-suspicious-content/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/triage-vulnerability-report/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/use-objective-see-tools/SKILL.md`. +- `skill-manifest` evidence from `plugins/cybersecurity-skills/skills/validate-vulnerability/SKILL.md`. +- `codex-plugin-manifest` evidence from `plugins/cybersecurity-skills/.codex-plugin/plugin.json`. - `skill-manifest` evidence from `plugins/dotnet-skills/skills/aspnet-core-service-workflow/SKILL.md`. - `skill-manifest` evidence from `plugins/dotnet-skills/skills/bootstrap-solution/SKILL.md`. - `skill-manifest` evidence from `plugins/dotnet-skills/skills/build-csharp-project/SKILL.md`. @@ -377,13 +444,18 @@ The structured visual model lives in [architecture.json](./architecture.json). I - `codex-plugin-manifest` evidence from `plugins/game-dev-skills/.codex-plugin/plugin.json`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/apple-communication-workflow/SKILL.md`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/choose-platform-integration/SKILL.md`. +- `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/communication-notifications-workflow/SKILL.md`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/conversation-state-human-handoff/SKILL.md`. +- `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/default-communication-app-workflow/SKILL.md`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/discord-app-workflow/SKILL.md`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/google-meet-collaboration-workflow/SKILL.md`. +- `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/imessage-app-and-collaboration-workflow/SKILL.md`. +- `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/push-to-talk-workflow/SKILL.md`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/slack-app-workflow/SKILL.md`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/sms-mms-rcs-workflow/SKILL.md`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/teams-agent-workflow/SKILL.md`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/telegram-bot-workflow/SKILL.md`. +- `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/voip-sip-calling-workflow/SKILL.md`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/webhook-and-event-lifecycle/SKILL.md`. - `skill-manifest` evidence from `plugins/messaging-collaboration-skills/skills/whatsapp-business-workflow/SKILL.md`. - `codex-plugin-manifest` evidence from `plugins/messaging-collaboration-skills/.codex-plugin/plugin.json`. diff --git a/docs/architecture/architecture.json b/docs/architecture/architecture.json index 9483199c..c6355eca 100644 --- a/docs/architecture/architecture.json +++ b/docs/architecture/architecture.json @@ -1,5 +1,5 @@ { - "detectedAt": "2026-07-14T17:46:43.650198+00:00", + "detectedAt": "2026-07-14T19:14:11.979386+00:00", "detectionSource": "plugin-repo", "evidence": [ { @@ -358,6 +358,130 @@ "kind": "codex-plugin-manifest", "path": "plugins/cloud-inference-skills/.codex-plugin/plugin.json" }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/assess-exposure-and-impact/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/assess-macos-threat/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/author-detection-content/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/author-yara-x-rules/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/check-artifact-reputation/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/contain-and-recover-macos/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/contain-security-incident/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/harden-macos/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/hunt-security-indicators/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/inspect-macos-persistence/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/map-malware-behavior/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/operate-agentic-security-tools/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/perform-static-malware-analysis/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/preserve-security-evidence/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/recover-security-incident/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/report-security-assessment/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/route-security-work/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/scope-authorized-security-test/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/select-analysis-isolation/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/test-network-services/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/test-web-and-api-security/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/triage-security-incident/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/triage-suspicious-content/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/triage-vulnerability-report/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/use-objective-see-tools/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/validate-vulnerability/SKILL.md" + }, + { + "kind": "codex-plugin-manifest", + "path": "plugins/cybersecurity-skills/.codex-plugin/plugin.json" + }, { "kind": "skill-manifest", "path": "plugins/dotnet-skills/skills/aspnet-core-service-workflow/SKILL.md" @@ -450,10 +574,18 @@ "kind": "skill-manifest", "path": "plugins/messaging-collaboration-skills/skills/choose-platform-integration/SKILL.md" }, + { + "kind": "skill-manifest", + "path": "plugins/messaging-collaboration-skills/skills/communication-notifications-workflow/SKILL.md" + }, { "kind": "skill-manifest", "path": "plugins/messaging-collaboration-skills/skills/conversation-state-human-handoff/SKILL.md" }, + { + "kind": "skill-manifest", + "path": "plugins/messaging-collaboration-skills/skills/default-communication-app-workflow/SKILL.md" + }, { "kind": "skill-manifest", "path": "plugins/messaging-collaboration-skills/skills/discord-app-workflow/SKILL.md" @@ -462,6 +594,14 @@ "kind": "skill-manifest", "path": "plugins/messaging-collaboration-skills/skills/google-meet-collaboration-workflow/SKILL.md" }, + { + "kind": "skill-manifest", + "path": "plugins/messaging-collaboration-skills/skills/imessage-app-and-collaboration-workflow/SKILL.md" + }, + { + "kind": "skill-manifest", + "path": "plugins/messaging-collaboration-skills/skills/push-to-talk-workflow/SKILL.md" + }, { "kind": "skill-manifest", "path": "plugins/messaging-collaboration-skills/skills/slack-app-workflow/SKILL.md" @@ -478,6 +618,10 @@ "kind": "skill-manifest", "path": "plugins/messaging-collaboration-skills/skills/telegram-bot-workflow/SKILL.md" }, + { + "kind": "skill-manifest", + "path": "plugins/messaging-collaboration-skills/skills/voip-sip-calling-workflow/SKILL.md" + }, { "kind": "skill-manifest", "path": "plugins/messaging-collaboration-skills/skills/webhook-and-event-lifecycle/SKILL.md" @@ -1046,6 +1190,20 @@ "mcp:plugins/cloud-inference-skills/.mcp.json" ] }, + { + "evidence": [ + { + "kind": "codex-plugin-manifest", + "path": "plugins/cybersecurity-skills/.codex-plugin/plugin.json" + } + ], + "kind": "codex-plugin", + "name": "cybersecurity-skills", + "path": "plugins/cybersecurity-skills", + "targets": [ + "skills:plugins/cybersecurity-skills/skills" + ] + }, { "evidence": [ { @@ -1290,7 +1448,8 @@ "reverse-engineering-skills", "agentdeck", "game-dev-skills", - "messaging-collaboration-skills" + "messaging-collaboration-skills", + "cybersecurity-skills" ] }, { @@ -2284,1789 +2443,1945 @@ "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/aspnet-core-service-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/aspnet-core-service-workflow" + "to": "target:skill:cybersecurity-skills/analyze-suspicious-script-or-document" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/bootstrap-solution/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/bootstrap-solution" + "to": "target:skill:cybersecurity-skills/assess-and-explain-threat" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/build-csharp-project/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/assess-exposure-and-impact/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/build-csharp-project" + "to": "target:skill:cybersecurity-skills/assess-exposure-and-impact" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/build-fsharp-project/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/assess-macos-threat/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/build-fsharp-project" + "to": "target:skill:cybersecurity-skills/assess-macos-threat" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/choose-project-shape/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/author-detection-content/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/choose-project-shape" + "to": "target:skill:cybersecurity-skills/author-detection-content" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/ci-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/author-yara-x-rules/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/ci-workflow" + "to": "target:skill:cybersecurity-skills/author-yara-x-rules" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/diagnose-project/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/check-artifact-reputation/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/diagnose-project" + "to": "target:skill:cybersecurity-skills/check-artifact-reputation" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/fsharp-csharp-interop/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/contain-and-recover-macos/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/fsharp-csharp-interop" + "to": "target:skill:cybersecurity-skills/contain-and-recover-macos" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/package-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/contain-security-incident/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/package-workflow" + "to": "target:skill:cybersecurity-skills/contain-security-incident" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/testing-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/harden-macos/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/testing-workflow" + "to": "target:skill:cybersecurity-skills/harden-macos" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/tooling-style-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/hunt-security-indicators/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/tooling-style-workflow" + "to": "target:skill:cybersecurity-skills/hunt-security-indicators" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/dotnet-skills/skills/upgrade-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/inspect-macos-persistence/SKILL.md" } ], - "from": "product:dotnet-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:dotnet-skills/upgrade-workflow" + "to": "target:skill:cybersecurity-skills/inspect-macos-persistence" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/game-dev-skills/skills/choose-apple-game-stack/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/SKILL.md" } ], - "from": "product:game-dev-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:game-dev-skills/choose-apple-game-stack" + "to": "target:skill:cybersecurity-skills/inspect-macos-runtime-activity" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/game-dev-skills/skills/core-haptics-game-feedback-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/map-malware-behavior/SKILL.md" } ], - "from": "product:game-dev-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:game-dev-skills/core-haptics-game-feedback-workflow" + "to": "target:skill:cybersecurity-skills/map-malware-behavior" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/game-dev-skills/skills/game-controller-input-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/operate-agentic-security-tools/SKILL.md" } ], - "from": "product:game-dev-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:game-dev-skills/game-controller-input-workflow" + "to": "target:skill:cybersecurity-skills/operate-agentic-security-tools" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/game-dev-skills/skills/gameplaykit-simulation-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/SKILL.md" } ], - "from": "product:game-dev-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:game-dev-skills/gameplaykit-simulation-workflow" + "to": "target:skill:cybersecurity-skills/perform-dynamic-malware-analysis" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/game-dev-skills/skills/scenekit-game-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/perform-static-malware-analysis/SKILL.md" } ], - "from": "product:game-dev-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:game-dev-skills/scenekit-game-workflow" + "to": "target:skill:cybersecurity-skills/perform-static-malware-analysis" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/game-dev-skills/skills/spritekit-game-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/preserve-security-evidence/SKILL.md" } ], - "from": "product:game-dev-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:game-dev-skills/spritekit-game-workflow" + "to": "target:skill:cybersecurity-skills/preserve-security-evidence" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/game-dev-skills/skills/xcode-game-profiling-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/recover-security-incident/SKILL.md" } ], - "from": "product:game-dev-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:game-dev-skills/xcode-game-profiling-workflow" + "to": "target:skill:cybersecurity-skills/recover-security-incident" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/apple-communication-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/report-security-assessment/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/apple-communication-workflow" + "to": "target:skill:cybersecurity-skills/report-security-assessment" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/choose-platform-integration/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/route-security-work/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/choose-platform-integration" + "to": "target:skill:cybersecurity-skills/route-security-work" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/conversation-state-human-handoff/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/scope-authorized-security-test/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/conversation-state-human-handoff" + "to": "target:skill:cybersecurity-skills/scope-authorized-security-test" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/discord-app-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/select-analysis-isolation/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/discord-app-workflow" + "to": "target:skill:cybersecurity-skills/select-analysis-isolation" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/google-meet-collaboration-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/test-network-services/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/google-meet-collaboration-workflow" + "to": "target:skill:cybersecurity-skills/test-network-services" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/slack-app-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/test-web-and-api-security/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/slack-app-workflow" + "to": "target:skill:cybersecurity-skills/test-web-and-api-security" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/sms-mms-rcs-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/triage-security-incident/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/sms-mms-rcs-workflow" + "to": "target:skill:cybersecurity-skills/triage-security-incident" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/teams-agent-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/triage-suspicious-content/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/teams-agent-workflow" + "to": "target:skill:cybersecurity-skills/triage-suspicious-content" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/telegram-bot-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/triage-vulnerability-report/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/telegram-bot-workflow" + "to": "target:skill:cybersecurity-skills/triage-vulnerability-report" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/webhook-and-event-lifecycle/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/use-objective-see-tools/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/webhook-and-event-lifecycle" + "to": "target:skill:cybersecurity-skills/use-objective-see-tools" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/messaging-collaboration-skills/skills/whatsapp-business-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/validate-vulnerability/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", + "from": "product:cybersecurity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:messaging-collaboration-skills/whatsapp-business-workflow" + "to": "target:skill:cybersecurity-skills/validate-vulnerability" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/network-protocol-skills/skills/choose-network-transport/SKILL.md" + "path": "plugins/dotnet-skills/skills/aspnet-core-service-workflow/SKILL.md" } ], - "from": "product:network-protocol-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:network-protocol-skills/choose-network-transport" + "to": "target:skill:dotnet-skills/aspnet-core-service-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/network-protocol-skills/skills/http3-quic-workflow/SKILL.md" + "path": "plugins/dotnet-skills/skills/bootstrap-solution/SKILL.md" } ], - "from": "product:network-protocol-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:network-protocol-skills/http3-quic-workflow" + "to": "target:skill:dotnet-skills/bootstrap-solution" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/network-protocol-skills/skills/network-protocol-diagnostics/SKILL.md" + "path": "plugins/dotnet-skills/skills/build-csharp-project/SKILL.md" } ], - "from": "product:network-protocol-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:network-protocol-skills/network-protocol-diagnostics" + "to": "target:skill:dotnet-skills/build-csharp-project" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/network-protocol-skills/skills/realtime-media-over-quic-workflow/SKILL.md" + "path": "plugins/dotnet-skills/skills/build-fsharp-project/SKILL.md" } ], - "from": "product:network-protocol-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:network-protocol-skills/realtime-media-over-quic-workflow" + "to": "target:skill:dotnet-skills/build-fsharp-project" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/network-protocol-skills/skills/webrtc-workflow/SKILL.md" + "path": "plugins/dotnet-skills/skills/choose-project-shape/SKILL.md" } ], - "from": "product:network-protocol-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:network-protocol-skills/webrtc-workflow" + "to": "target:skill:dotnet-skills/choose-project-shape" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/codex-gui-worktree-workflow/SKILL.md" + "path": "plugins/dotnet-skills/skills/ci-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/codex-gui-worktree-workflow" + "to": "target:skill:dotnet-skills/ci-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/design-agent-automation-workflow/SKILL.md" + "path": "plugins/dotnet-skills/skills/diagnose-project/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/design-agent-automation-workflow" + "to": "target:skill:dotnet-skills/diagnose-project" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/design-agent-eval-workflow/SKILL.md" + "path": "plugins/dotnet-skills/skills/fsharp-csharp-interop/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/design-agent-eval-workflow" + "to": "target:skill:dotnet-skills/fsharp-csharp-interop" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/dice-job-search-workflow/SKILL.md" + "path": "plugins/dotnet-skills/skills/package-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/dice-job-search-workflow" + "to": "target:skill:dotnet-skills/package-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/explain-code-slice/SKILL.md" + "path": "plugins/dotnet-skills/skills/testing-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/explain-code-slice" + "to": "target:skill:dotnet-skills/testing-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/maintain-github-repository/SKILL.md" + "path": "plugins/dotnet-skills/skills/tooling-style-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/maintain-github-repository" + "to": "target:skill:dotnet-skills/tooling-style-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/maintain-project-accessibility/SKILL.md" + "path": "plugins/dotnet-skills/skills/upgrade-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:dotnet-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/maintain-project-accessibility" + "to": "target:skill:dotnet-skills/upgrade-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/maintain-project-agents/SKILL.md" + "path": "plugins/game-dev-skills/skills/choose-apple-game-stack/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:game-dev-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/maintain-project-agents" + "to": "target:skill:game-dev-skills/choose-apple-game-stack" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/maintain-project-api/SKILL.md" + "path": "plugins/game-dev-skills/skills/core-haptics-game-feedback-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:game-dev-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/maintain-project-api" + "to": "target:skill:game-dev-skills/core-haptics-game-feedback-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/maintain-project-architecture/SKILL.md" + "path": "plugins/game-dev-skills/skills/game-controller-input-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:game-dev-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/maintain-project-architecture" + "to": "target:skill:game-dev-skills/game-controller-input-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/maintain-project-contributing/SKILL.md" + "path": "plugins/game-dev-skills/skills/gameplaykit-simulation-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:game-dev-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/maintain-project-contributing" + "to": "target:skill:game-dev-skills/gameplaykit-simulation-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/maintain-project-docs/SKILL.md" + "path": "plugins/game-dev-skills/skills/scenekit-game-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:game-dev-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/maintain-project-docs" + "to": "target:skill:game-dev-skills/scenekit-game-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/maintain-project-readme/SKILL.md" + "path": "plugins/game-dev-skills/skills/spritekit-game-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:game-dev-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/maintain-project-readme" + "to": "target:skill:game-dev-skills/spritekit-game-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/maintain-project-repo/SKILL.md" + "path": "plugins/game-dev-skills/skills/xcode-game-profiling-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:game-dev-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/maintain-project-repo" + "to": "target:skill:game-dev-skills/xcode-game-profiling-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/productivity-skills/skills/maintain-project-roadmap/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/apple-communication-workflow/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:productivity-skills/maintain-project-roadmap" + "to": "target:skill:messaging-collaboration-skills/apple-communication-workflow" }, { "evidence": [ { - "kind": "codex-plugin-manifest", - "path": "plugins/productivity-skills/.codex-plugin/plugin.json" + "kind": "skill-directory", + "path": "plugins/messaging-collaboration-skills/skills/choose-platform-integration/SKILL.md" } ], - "from": "product:productivity-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", - "label": "plugin declares MCP servers", - "to": "target:mcp:plugins/productivity-skills/.mcp.json" + "label": "plugin exposes skill", + "to": "target:skill:messaging-collaboration-skills/choose-platform-integration" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/bootstrap-python-mcp-service/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/communication-notifications-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/bootstrap-python-mcp-service" + "to": "target:skill:messaging-collaboration-skills/communication-notifications-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/bootstrap-python-service/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/conversation-state-human-handoff/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/bootstrap-python-service" + "to": "target:skill:messaging-collaboration-skills/conversation-state-human-handoff" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/bootstrap-uv-python-workspace/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/default-communication-app-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/bootstrap-uv-python-workspace" + "to": "target:skill:messaging-collaboration-skills/default-communication-app-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/build-python-project/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/discord-app-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/build-python-project" + "to": "target:skill:messaging-collaboration-skills/discord-app-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/choose-python-project-shape/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/google-meet-collaboration-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/choose-python-project-shape" + "to": "target:skill:messaging-collaboration-skills/google-meet-collaboration-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/diagnose-python-project/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/imessage-app-and-collaboration-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/diagnose-python-project" + "to": "target:skill:messaging-collaboration-skills/imessage-app-and-collaboration-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/integrate-fastapi-fastmcp/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/push-to-talk-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/integrate-fastapi-fastmcp" + "to": "target:skill:messaging-collaboration-skills/push-to-talk-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/python-ci-workflow/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/slack-app-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/python-ci-workflow" + "to": "target:skill:messaging-collaboration-skills/slack-app-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/python-package-workflow/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/sms-mms-rcs-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/python-package-workflow" + "to": "target:skill:messaging-collaboration-skills/sms-mms-rcs-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/python-tooling-style-workflow/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/teams-agent-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/python-tooling-style-workflow" + "to": "target:skill:messaging-collaboration-skills/teams-agent-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/python-upgrade-workflow/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/telegram-bot-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/python-upgrade-workflow" + "to": "target:skill:messaging-collaboration-skills/telegram-bot-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/python-skills/skills/uv-pytest-unit-testing/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/voip-sip-calling-workflow/SKILL.md" } ], - "from": "product:python-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:python-skills/uv-pytest-unit-testing" + "to": "target:skill:messaging-collaboration-skills/voip-sip-calling-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/analyze-apple-silicon-arm64e/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/webhook-and-event-lifecycle/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/analyze-apple-silicon-arm64e" + "to": "target:skill:messaging-collaboration-skills/webhook-and-event-lifecycle" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/audit-apple-signing-and-containment/SKILL.md" + "path": "plugins/messaging-collaboration-skills/skills/whatsapp-business-workflow/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:messaging-collaboration-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/audit-apple-signing-and-containment" + "to": "target:skill:messaging-collaboration-skills/whatsapp-business-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/compare-binary-versions/SKILL.md" + "path": "plugins/network-protocol-skills/skills/choose-network-transport/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:network-protocol-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/compare-binary-versions" + "to": "target:skill:network-protocol-skills/choose-network-transport" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/correlate-apple-symbols-and-crashes/SKILL.md" + "path": "plugins/network-protocol-skills/skills/http3-quic-workflow/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:network-protocol-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/correlate-apple-symbols-and-crashes" + "to": "target:skill:network-protocol-skills/http3-quic-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/evidence-notes-workflow/SKILL.md" + "path": "plugins/network-protocol-skills/skills/network-protocol-diagnostics/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:network-protocol-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/evidence-notes-workflow" + "to": "target:skill:network-protocol-skills/network-protocol-diagnostics" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/inspect-apple-artifact/SKILL.md" + "path": "plugins/network-protocol-skills/skills/realtime-media-over-quic-workflow/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:network-protocol-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/inspect-apple-artifact" + "to": "target:skill:network-protocol-skills/realtime-media-over-quic-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/inspect-dotnet-assemblies/SKILL.md" + "path": "plugins/network-protocol-skills/skills/webrtc-workflow/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:network-protocol-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/inspect-dotnet-assemblies" + "to": "target:skill:network-protocol-skills/webrtc-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/inspect-dyld-shared-cache/SKILL.md" + "path": "plugins/productivity-skills/skills/codex-gui-worktree-workflow/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/inspect-dyld-shared-cache" + "to": "target:skill:productivity-skills/codex-gui-worktree-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/inspect-unity-artifacts/SKILL.md" + "path": "plugins/productivity-skills/skills/design-agent-automation-workflow/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/inspect-unity-artifacts" + "to": "target:skill:productivity-skills/design-agent-automation-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/perform-apple-dynamic-analysis/SKILL.md" + "path": "plugins/productivity-skills/skills/design-agent-eval-workflow/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/perform-apple-dynamic-analysis" + "to": "target:skill:productivity-skills/design-agent-eval-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/preserve-binary-artifacts/SKILL.md" + "path": "plugins/productivity-skills/skills/dice-job-search-workflow/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/preserve-binary-artifacts" + "to": "target:skill:productivity-skills/dice-job-search-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/recover-apple-runtime-metadata/SKILL.md" + "path": "plugins/productivity-skills/skills/explain-code-slice/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/recover-apple-runtime-metadata" + "to": "target:skill:productivity-skills/explain-code-slice" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/report-apple-security-research/SKILL.md" + "path": "plugins/productivity-skills/skills/maintain-github-repository/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/report-apple-security-research" + "to": "target:skill:productivity-skills/maintain-github-repository" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/research-apple-kernel-boot-and-firmware/SKILL.md" + "path": "plugins/productivity-skills/skills/maintain-project-accessibility/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/research-apple-kernel-boot-and-firmware" + "to": "target:skill:productivity-skills/maintain-project-accessibility" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/review-decompiler-output/SKILL.md" + "path": "plugins/productivity-skills/skills/maintain-project-agents/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/review-decompiler-output" + "to": "target:skill:productivity-skills/maintain-project-agents" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/select-analysis-path/SKILL.md" + "path": "plugins/productivity-skills/skills/maintain-project-api/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/select-analysis-path" + "to": "target:skill:productivity-skills/maintain-project-api" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/triage-artifact/SKILL.md" + "path": "plugins/productivity-skills/skills/maintain-project-architecture/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/triage-artifact" + "to": "target:skill:productivity-skills/maintain-project-architecture" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/use-cutter-and-rizin/SKILL.md" + "path": "plugins/productivity-skills/skills/maintain-project-contributing/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/use-cutter-and-rizin" + "to": "target:skill:productivity-skills/maintain-project-contributing" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/use-ghidra/SKILL.md" + "path": "plugins/productivity-skills/skills/maintain-project-docs/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/use-ghidra" + "to": "target:skill:productivity-skills/maintain-project-docs" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/use-hopper/SKILL.md" + "path": "plugins/productivity-skills/skills/maintain-project-readme/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/use-hopper" + "to": "target:skill:productivity-skills/maintain-project-readme" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/reverse-engineering-skills/skills/use-malimite/SKILL.md" + "path": "plugins/productivity-skills/skills/maintain-project-repo/SKILL.md" } ], - "from": "product:reverse-engineering-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:reverse-engineering-skills/use-malimite" + "to": "target:skill:productivity-skills/maintain-project-repo" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/rust-skills/skills/bootstrap-cargo-project/SKILL.md" + "path": "plugins/productivity-skills/skills/maintain-project-roadmap/SKILL.md" } ], - "from": "product:rust-skills", + "from": "product:productivity-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:rust-skills/bootstrap-cargo-project" + "to": "target:skill:productivity-skills/maintain-project-roadmap" }, { "evidence": [ { - "kind": "skill-directory", - "path": "plugins/rust-skills/skills/build-cli-project/SKILL.md" + "kind": "codex-plugin-manifest", + "path": "plugins/productivity-skills/.codex-plugin/plugin.json" } ], - "from": "product:rust-skills", + "from": "product:productivity-skills", "kind": "exposes", - "label": "plugin exposes skill", - "to": "target:skill:rust-skills/build-cli-project" + "label": "plugin declares MCP servers", + "to": "target:mcp:plugins/productivity-skills/.mcp.json" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/rust-skills/skills/build-library-crate/SKILL.md" + "path": "plugins/python-skills/skills/bootstrap-python-mcp-service/SKILL.md" } ], - "from": "product:rust-skills", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:rust-skills/build-library-crate" + "to": "target:skill:python-skills/bootstrap-python-mcp-service" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/rust-skills/skills/choose-project-shape/SKILL.md" + "path": "plugins/python-skills/skills/bootstrap-python-service/SKILL.md" } ], - "from": "product:rust-skills", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:rust-skills/choose-project-shape" + "to": "target:skill:python-skills/bootstrap-python-service" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/rust-skills/skills/ci-workflow/SKILL.md" + "path": "plugins/python-skills/skills/bootstrap-uv-python-workspace/SKILL.md" } ], - "from": "product:rust-skills", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:rust-skills/ci-workflow" + "to": "target:skill:python-skills/bootstrap-uv-python-workspace" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/rust-skills/skills/package-workflow/SKILL.md" + "path": "plugins/python-skills/skills/build-python-project/SKILL.md" } ], - "from": "product:rust-skills", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:rust-skills/package-workflow" + "to": "target:skill:python-skills/build-python-project" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/rust-skills/skills/testing-workflow/SKILL.md" + "path": "plugins/python-skills/skills/choose-python-project-shape/SKILL.md" } ], - "from": "product:rust-skills", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:rust-skills/testing-workflow" + "to": "target:skill:python-skills/choose-python-project-shape" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/rust-skills/skills/tooling-style-workflow/SKILL.md" + "path": "plugins/python-skills/skills/diagnose-python-project/SKILL.md" } ], - "from": "product:rust-skills", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:rust-skills/tooling-style-workflow" + "to": "target:skill:python-skills/diagnose-python-project" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-jvm/skills/build-java-service/SKILL.md" + "path": "plugins/python-skills/skills/integrate-fastapi-fastmcp/SKILL.md" } ], - "from": "product:server-side-jvm", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-jvm/build-java-service" + "to": "target:skill:python-skills/integrate-fastapi-fastmcp" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-jvm/skills/build-scala-service/SKILL.md" + "path": "plugins/python-skills/skills/python-ci-workflow/SKILL.md" } ], - "from": "product:server-side-jvm", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-jvm/build-scala-service" + "to": "target:skill:python-skills/python-ci-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-jvm/skills/build-tooling-workflow/SKILL.md" + "path": "plugins/python-skills/skills/python-package-workflow/SKILL.md" } ], - "from": "product:server-side-jvm", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-jvm/build-tooling-workflow" + "to": "target:skill:python-skills/python-package-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-jvm/skills/choose-service-shape/SKILL.md" + "path": "plugins/python-skills/skills/python-tooling-style-workflow/SKILL.md" } ], - "from": "product:server-side-jvm", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-jvm/choose-service-shape" + "to": "target:skill:python-skills/python-tooling-style-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-jvm/skills/testing-workflow/SKILL.md" + "path": "plugins/python-skills/skills/python-upgrade-workflow/SKILL.md" } ], - "from": "product:server-side-jvm", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-jvm/testing-workflow" + "to": "target:skill:python-skills/python-upgrade-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/app-sync-workflow/SKILL.md" + "path": "plugins/python-skills/skills/uv-pytest-unit-testing/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:python-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/app-sync-workflow" + "to": "target:skill:python-skills/uv-pytest-unit-testing" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/apple-containerization-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/analyze-apple-silicon-arm64e/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/apple-containerization-workflow" + "to": "target:skill:reverse-engineering-skills/analyze-apple-silicon-arm64e" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/auth-authorization-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/audit-apple-signing-and-containment/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/auth-authorization-workflow" + "to": "target:skill:reverse-engineering-skills/audit-apple-signing-and-containment" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/bootstrap-hummingbird-service/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/compare-binary-versions/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/bootstrap-hummingbird-service" + "to": "target:skill:reverse-engineering-skills/compare-binary-versions" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/bootstrap-vapor-service/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/correlate-apple-symbols-and-crashes/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/bootstrap-vapor-service" + "to": "target:skill:reverse-engineering-skills/correlate-apple-symbols-and-crashes" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/docker-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/evidence-notes-workflow/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/docker-workflow" + "to": "target:skill:reverse-engineering-skills/evidence-notes-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/fly-io-deployment-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/inspect-apple-artifact/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/fly-io-deployment-workflow" + "to": "target:skill:reverse-engineering-skills/inspect-apple-artifact" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/hummingbird-server-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/inspect-dotnet-assemblies/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/hummingbird-server-workflow" + "to": "target:skill:reverse-engineering-skills/inspect-dotnet-assemblies" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/observability-tracing-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/inspect-dyld-shared-cache/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/observability-tracing-workflow" + "to": "target:skill:reverse-engineering-skills/inspect-dyld-shared-cache" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/openapi-rpc-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/inspect-unity-artifacts/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/openapi-rpc-workflow" + "to": "target:skill:reverse-engineering-skills/inspect-unity-artifacts" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/persistence-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/perform-apple-dynamic-analysis/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/persistence-workflow" + "to": "target:skill:reverse-engineering-skills/perform-apple-dynamic-analysis" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/swiftnio-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/preserve-binary-artifacts/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/swiftnio-workflow" + "to": "target:skill:reverse-engineering-skills/preserve-binary-artifacts" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/sync-hummingbird-service-guidance/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/recover-apple-runtime-metadata/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/sync-hummingbird-service-guidance" + "to": "target:skill:reverse-engineering-skills/recover-apple-runtime-metadata" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/server-side-swift/skills/vapor-server-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/report-apple-security-research/SKILL.md" } ], - "from": "product:server-side-swift", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:server-side-swift/vapor-server-workflow" + "to": "target:skill:reverse-engineering-skills/report-apple-security-research" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swift-lang/skills/swift-api-style-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/research-apple-kernel-boot-and-firmware/SKILL.md" } ], - "from": "product:swift-lang", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swift-lang/swift-api-style-workflow" + "to": "target:skill:reverse-engineering-skills/research-apple-kernel-boot-and-firmware" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swift-lang/skills/swift-error-handling-style-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/review-decompiler-output/SKILL.md" } ], - "from": "product:swift-lang", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swift-lang/swift-error-handling-style-workflow" + "to": "target:skill:reverse-engineering-skills/review-decompiler-output" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swift-lang/skills/swift-format-style-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/select-analysis-path/SKILL.md" } ], - "from": "product:swift-lang", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swift-lang/swift-format-style-workflow" + "to": "target:skill:reverse-engineering-skills/select-analysis-path" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swift-lang/skills/swift-functional-pipelines-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/triage-artifact/SKILL.md" } ], - "from": "product:swift-lang", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swift-lang/swift-functional-pipelines-workflow" + "to": "target:skill:reverse-engineering-skills/triage-artifact" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swift-lang/skills/swift-modernization-cleanup-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/use-cutter-and-rizin/SKILL.md" } ], - "from": "product:swift-lang", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swift-lang/swift-modernization-cleanup-workflow" + "to": "target:skill:reverse-engineering-skills/use-cutter-and-rizin" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swift-lang/skills/swift-source-organization-workflow/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/use-ghidra/SKILL.md" } ], - "from": "product:swift-lang", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swift-lang/swift-source-organization-workflow" + "to": "target:skill:reverse-engineering-skills/use-ghidra" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swiftasb-skills/skills/build-appkit-app/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/use-hopper/SKILL.md" } ], - "from": "product:swiftasb-skills", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swiftasb-skills/build-appkit-app" + "to": "target:skill:reverse-engineering-skills/use-hopper" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swiftasb-skills/skills/build-swift-package/SKILL.md" + "path": "plugins/reverse-engineering-skills/skills/use-malimite/SKILL.md" } ], - "from": "product:swiftasb-skills", + "from": "product:reverse-engineering-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swiftasb-skills/build-swift-package" + "to": "target:skill:reverse-engineering-skills/use-malimite" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swiftasb-skills/skills/build-swiftui-app/SKILL.md" + "path": "plugins/rust-skills/skills/bootstrap-cargo-project/SKILL.md" } ], - "from": "product:swiftasb-skills", + "from": "product:rust-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swiftasb-skills/build-swiftui-app" + "to": "target:skill:rust-skills/bootstrap-cargo-project" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swiftasb-skills/skills/choose-integration-shape/SKILL.md" + "path": "plugins/rust-skills/skills/build-cli-project/SKILL.md" } ], - "from": "product:swiftasb-skills", + "from": "product:rust-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swiftasb-skills/choose-integration-shape" + "to": "target:skill:rust-skills/build-cli-project" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swiftasb-skills/skills/diagnose-integration/SKILL.md" + "path": "plugins/rust-skills/skills/build-library-crate/SKILL.md" } ], - "from": "product:swiftasb-skills", + "from": "product:rust-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swiftasb-skills/diagnose-integration" + "to": "target:skill:rust-skills/build-library-crate" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/swiftasb-skills/skills/explain-swiftasb/SKILL.md" + "path": "plugins/rust-skills/skills/choose-project-shape/SKILL.md" } ], - "from": "product:swiftasb-skills", + "from": "product:rust-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:swiftasb-skills/explain-swiftasb" + "to": "target:skill:rust-skills/choose-project-shape" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/things-app/skills/things-digest-generator/SKILL.md" + "path": "plugins/rust-skills/skills/ci-workflow/SKILL.md" } ], - "from": "product:things-app", + "from": "product:rust-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:things-app/things-digest-generator" + "to": "target:skill:rust-skills/ci-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/things-app/skills/things-reminders-manager/SKILL.md" + "path": "plugins/rust-skills/skills/package-workflow/SKILL.md" } ], - "from": "product:things-app", + "from": "product:rust-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:things-app/things-reminders-manager" + "to": "target:skill:rust-skills/package-workflow" }, { "evidence": [ { - "kind": "codex-plugin-manifest", - "path": "plugins/things-app/.codex-plugin/plugin.json" + "kind": "skill-directory", + "path": "plugins/rust-skills/skills/testing-workflow/SKILL.md" } ], - "from": "product:things-app", + "from": "product:rust-skills", "kind": "exposes", - "label": "plugin declares MCP servers", - "to": "target:mcp:plugins/things-app/.mcp.json" + "label": "plugin exposes skill", + "to": "target:skill:rust-skills/testing-workflow" }, { "evidence": [ { "kind": "skill-directory", - "path": "plugins/web-dev-skills/skills/expo-inline-native-modules-workflow/SKILL.md" + "path": "plugins/rust-skills/skills/tooling-style-workflow/SKILL.md" } ], - "from": "product:web-dev-skills", + "from": "product:rust-skills", "kind": "exposes", "label": "plugin exposes skill", - "to": "target:skill:web-dev-skills/expo-inline-native-modules-workflow" + "to": "target:skill:rust-skills/tooling-style-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-jvm/skills/build-java-service/SKILL.md" } ], - "from": "product:socket", + "from": "product:server-side-jvm", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:agent-portability-skills" + "label": "plugin exposes skill", + "to": "target:skill:server-side-jvm/build-java-service" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-jvm/skills/build-scala-service/SKILL.md" } ], - "from": "product:agent-portability-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/agent-portability-skills" + "from": "product:server-side-jvm", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:server-side-jvm/build-scala-service" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-jvm/skills/build-tooling-workflow/SKILL.md" } ], - "from": "product:socket", + "from": "product:server-side-jvm", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:android-dev-skills" + "label": "plugin exposes skill", + "to": "target:skill:server-side-jvm/build-tooling-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-jvm/skills/choose-service-shape/SKILL.md" } ], - "from": "product:android-dev-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/android-dev-skills" + "from": "product:server-side-jvm", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:server-side-jvm/choose-service-shape" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-jvm/skills/testing-workflow/SKILL.md" } ], - "from": "product:socket", + "from": "product:server-side-jvm", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:apple-dev-skills" + "label": "plugin exposes skill", + "to": "target:skill:server-side-jvm/testing-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/app-sync-workflow/SKILL.md" } ], - "from": "product:apple-dev-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/apple-dev-skills" + "from": "product:server-side-swift", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/app-sync-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/apple-containerization-workflow/SKILL.md" } ], - "from": "product:socket", + "from": "product:server-side-swift", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:apple-creator-studio-skills" + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/apple-containerization-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/auth-authorization-workflow/SKILL.md" } ], - "from": "product:apple-creator-studio-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/apple-creator-studio-skills" + "from": "product:server-side-swift", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/auth-authorization-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/bootstrap-hummingbird-service/SKILL.md" } ], - "from": "product:socket", + "from": "product:server-side-swift", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:cardhop-app" + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/bootstrap-hummingbird-service" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/bootstrap-vapor-service/SKILL.md" } ], - "from": "product:cardhop-app", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/cardhop-app" + "from": "product:server-side-swift", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/bootstrap-vapor-service" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/docker-workflow/SKILL.md" } ], - "from": "product:socket", + "from": "product:server-side-swift", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:cloud-deployment-skills" + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/docker-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/fly-io-deployment-workflow/SKILL.md" } ], - "from": "product:cloud-deployment-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/cloud-deployment-skills" + "from": "product:server-side-swift", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/fly-io-deployment-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/hummingbird-server-workflow/SKILL.md" } ], - "from": "product:socket", + "from": "product:server-side-swift", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:cloud-inference-skills" + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/hummingbird-server-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/observability-tracing-workflow/SKILL.md" } ], - "from": "product:cloud-inference-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/cloud-inference-skills" + "from": "product:server-side-swift", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/observability-tracing-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/openapi-rpc-workflow/SKILL.md" } ], - "from": "product:socket", + "from": "product:server-side-swift", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:dotnet-skills" + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/openapi-rpc-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/persistence-workflow/SKILL.md" } ], - "from": "product:dotnet-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/dotnet-skills" + "from": "product:server-side-swift", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/persistence-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/swiftnio-workflow/SKILL.md" } ], - "from": "product:socket", + "from": "product:server-side-swift", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:productivity-skills" + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/swiftnio-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/sync-hummingbird-service-guidance/SKILL.md" } ], - "from": "product:productivity-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/productivity-skills" + "from": "product:server-side-swift", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/sync-hummingbird-service-guidance" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/server-side-swift/skills/vapor-server-workflow/SKILL.md" } ], - "from": "product:socket", + "from": "product:server-side-swift", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:python-skills" + "label": "plugin exposes skill", + "to": "target:skill:server-side-swift/vapor-server-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/swift-lang/skills/swift-api-style-workflow/SKILL.md" } ], - "from": "product:python-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/python-skills" + "from": "product:swift-lang", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swift-lang/swift-api-style-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/swift-lang/skills/swift-error-handling-style-workflow/SKILL.md" } ], - "from": "product:socket", + "from": "product:swift-lang", "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:network-protocol-skills" + "label": "plugin exposes skill", + "to": "target:skill:swift-lang/swift-error-handling-style-workflow" }, { "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-directory", + "path": "plugins/swift-lang/skills/swift-format-style-workflow/SKILL.md" } ], - "from": "product:network-protocol-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/network-protocol-skills" + "from": "product:swift-lang", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swift-lang/swift-format-style-workflow" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/swift-lang/skills/swift-functional-pipelines-workflow/SKILL.md" + } + ], + "from": "product:swift-lang", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swift-lang/swift-functional-pipelines-workflow" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/swift-lang/skills/swift-modernization-cleanup-workflow/SKILL.md" + } + ], + "from": "product:swift-lang", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swift-lang/swift-modernization-cleanup-workflow" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/swift-lang/skills/swift-source-organization-workflow/SKILL.md" + } + ], + "from": "product:swift-lang", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swift-lang/swift-source-organization-workflow" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/swiftasb-skills/skills/build-appkit-app/SKILL.md" + } + ], + "from": "product:swiftasb-skills", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swiftasb-skills/build-appkit-app" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/swiftasb-skills/skills/build-swift-package/SKILL.md" + } + ], + "from": "product:swiftasb-skills", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swiftasb-skills/build-swift-package" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/swiftasb-skills/skills/build-swiftui-app/SKILL.md" + } + ], + "from": "product:swiftasb-skills", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swiftasb-skills/build-swiftui-app" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/swiftasb-skills/skills/choose-integration-shape/SKILL.md" + } + ], + "from": "product:swiftasb-skills", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swiftasb-skills/choose-integration-shape" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/swiftasb-skills/skills/diagnose-integration/SKILL.md" + } + ], + "from": "product:swiftasb-skills", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swiftasb-skills/diagnose-integration" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/swiftasb-skills/skills/explain-swiftasb/SKILL.md" + } + ], + "from": "product:swiftasb-skills", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:swiftasb-skills/explain-swiftasb" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/things-app/skills/things-digest-generator/SKILL.md" + } + ], + "from": "product:things-app", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:things-app/things-digest-generator" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/things-app/skills/things-reminders-manager/SKILL.md" + } + ], + "from": "product:things-app", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:things-app/things-reminders-manager" + }, + { + "evidence": [ + { + "kind": "codex-plugin-manifest", + "path": "plugins/things-app/.codex-plugin/plugin.json" + } + ], + "from": "product:things-app", + "kind": "exposes", + "label": "plugin declares MCP servers", + "to": "target:mcp:plugins/things-app/.mcp.json" + }, + { + "evidence": [ + { + "kind": "skill-directory", + "path": "plugins/web-dev-skills/skills/expo-inline-native-modules-workflow/SKILL.md" + } + ], + "from": "product:web-dev-skills", + "kind": "exposes", + "label": "plugin exposes skill", + "to": "target:skill:web-dev-skills/expo-inline-native-modules-workflow" }, { "evidence": [ @@ -4078,7 +4393,7 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:server-side-swift" + "to": "product:agent-portability-skills" }, { "evidence": [ @@ -4087,10 +4402,10 @@ "path": ".agents/plugins/marketplace.json" } ], - "from": "product:server-side-swift", + "from": "product:agent-portability-skills", "kind": "owns", "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/server-side-swift" + "to": "path:./plugins/agent-portability-skills" }, { "evidence": [ @@ -4102,7 +4417,7 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:swift-lang" + "to": "product:android-dev-skills" }, { "evidence": [ @@ -4111,10 +4426,10 @@ "path": ".agents/plugins/marketplace.json" } ], - "from": "product:swift-lang", + "from": "product:android-dev-skills", "kind": "owns", "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/swift-lang" + "to": "path:./plugins/android-dev-skills" }, { "evidence": [ @@ -4126,7 +4441,7 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:server-side-jvm" + "to": "product:apple-dev-skills" }, { "evidence": [ @@ -4135,10 +4450,10 @@ "path": ".agents/plugins/marketplace.json" } ], - "from": "product:server-side-jvm", + "from": "product:apple-dev-skills", "kind": "owns", "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/server-side-jvm" + "to": "path:./plugins/apple-dev-skills" }, { "evidence": [ @@ -4150,7 +4465,7 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:rust-skills" + "to": "product:apple-creator-studio-skills" }, { "evidence": [ @@ -4159,10 +4474,10 @@ "path": ".agents/plugins/marketplace.json" } ], - "from": "product:rust-skills", + "from": "product:apple-creator-studio-skills", "kind": "owns", "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/rust-skills" + "to": "path:./plugins/apple-creator-studio-skills" }, { "evidence": [ @@ -4174,7 +4489,19 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:speak-swiftly" + "to": "product:cardhop-app" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:cardhop-app", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/cardhop-app" }, { "evidence": [ @@ -4186,7 +4513,7 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:swiftasb-skills" + "to": "product:cloud-deployment-skills" }, { "evidence": [ @@ -4195,10 +4522,10 @@ "path": ".agents/plugins/marketplace.json" } ], - "from": "product:swiftasb-skills", + "from": "product:cloud-deployment-skills", "kind": "owns", "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/swiftasb-skills" + "to": "path:./plugins/cloud-deployment-skills" }, { "evidence": [ @@ -4210,7 +4537,7 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:things-app" + "to": "product:cloud-inference-skills" }, { "evidence": [ @@ -4219,10 +4546,10 @@ "path": ".agents/plugins/marketplace.json" } ], - "from": "product:things-app", + "from": "product:cloud-inference-skills", "kind": "owns", "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/things-app" + "to": "path:./plugins/cloud-inference-skills" }, { "evidence": [ @@ -4234,7 +4561,7 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:spotify" + "to": "product:dotnet-skills" }, { "evidence": [ @@ -4243,10 +4570,10 @@ "path": ".agents/plugins/marketplace.json" } ], - "from": "product:spotify", + "from": "product:dotnet-skills", "kind": "owns", "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/spotify" + "to": "path:./plugins/dotnet-skills" }, { "evidence": [ @@ -4258,7 +4585,7 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:web-dev-skills" + "to": "product:productivity-skills" }, { "evidence": [ @@ -4267,10 +4594,10 @@ "path": ".agents/plugins/marketplace.json" } ], - "from": "product:web-dev-skills", + "from": "product:productivity-skills", "kind": "owns", "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/web-dev-skills" + "to": "path:./plugins/productivity-skills" }, { "evidence": [ @@ -4282,7 +4609,7 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:reverse-engineering-skills" + "to": "product:python-skills" }, { "evidence": [ @@ -4291,10 +4618,10 @@ "path": ".agents/plugins/marketplace.json" } ], - "from": "product:reverse-engineering-skills", + "from": "product:python-skills", "kind": "owns", "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/reverse-engineering-skills" + "to": "path:./plugins/python-skills" }, { "evidence": [ @@ -4306,7 +4633,7 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:agentdeck" + "to": "product:network-protocol-skills" }, { "evidence": [ @@ -4315,10 +4642,10 @@ "path": ".agents/plugins/marketplace.json" } ], - "from": "product:agentdeck", + "from": "product:network-protocol-skills", "kind": "owns", "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/agentdeck" + "to": "path:./plugins/network-protocol-skills" }, { "evidence": [ @@ -4330,1019 +4657,1655 @@ "from": "product:socket", "kind": "exposes", "label": "marketplace exposes plugin entry", - "to": "product:game-dev-skills" + "to": "product:server-side-swift" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:server-side-swift", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/server-side-swift" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:swift-lang" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:swift-lang", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/swift-lang" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:server-side-jvm" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:server-side-jvm", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/server-side-jvm" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:rust-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:rust-skills", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/rust-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:speak-swiftly" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:swiftasb-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:swiftasb-skills", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/swiftasb-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:things-app" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:things-app", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/things-app" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:spotify" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:spotify", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/spotify" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:web-dev-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:web-dev-skills", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/web-dev-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:reverse-engineering-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:reverse-engineering-skills", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/reverse-engineering-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:agentdeck" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:agentdeck", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/agentdeck" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:game-dev-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:game-dev-skills", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/game-dev-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:messaging-collaboration-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:messaging-collaboration-skills", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/messaging-collaboration-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:socket", + "kind": "exposes", + "label": "marketplace exposes plugin entry", + "to": "product:cybersecurity-skills" + }, + { + "evidence": [ + { + "kind": "plugin-marketplace", + "path": ".agents/plugins/marketplace.json" + } + ], + "from": "product:cybersecurity-skills", + "kind": "owns", + "label": "marketplace entry points at local plugin root", + "to": "path:./plugins/cybersecurity-skills" + } + ], + "schemaVersion": 1, + "slices": [], + "targets": [ + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/agent-portability-skills/skills/bootstrap-skills-plugin-repo/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:agent-portability-skills/bootstrap-skills-plugin-repo", + "path": "plugins/agent-portability-skills/skills/bootstrap-skills-plugin-repo/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/agent-portability-skills/skills/hermes-agent-compatibility/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:agent-portability-skills/hermes-agent-compatibility", + "path": "plugins/agent-portability-skills/skills/hermes-agent-compatibility/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/agent-portability-skills/skills/sync-skills-repo-guidance/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:agent-portability-skills/sync-skills-repo-guidance", + "path": "plugins/agent-portability-skills/skills/sync-skills-repo-guidance/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/android-dev-skills/skills/build-kotlin-android/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:android-dev-skills/build-kotlin-android", + "path": "plugins/android-dev-skills/skills/build-kotlin-android/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/android-dev-skills/skills/choose-project-shape/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:android-dev-skills/choose-project-shape", + "path": "plugins/android-dev-skills/skills/choose-project-shape/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/android-dev-skills/skills/gradle-agp-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:android-dev-skills/gradle-agp-workflow", + "path": "plugins/android-dev-skills/skills/gradle-agp-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/android-dev-skills/skills/java-android-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:android-dev-skills/java-android-workflow", + "path": "plugins/android-dev-skills/skills/java-android-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/android-dev-skills/skills/release-readiness-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:android-dev-skills/release-readiness-workflow", + "path": "plugins/android-dev-skills/skills/release-readiness-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/android-dev-skills/skills/testing-lint-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:android-dev-skills/testing-lint-workflow", + "path": "plugins/android-dev-skills/skills/testing-lint-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-creator-studio-skills/skills/compressor-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-creator-studio-skills/compressor-workflow", + "path": "plugins/apple-creator-studio-skills/skills/compressor-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-creator-studio-skills/skills/final-cut-pro-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-creator-studio-skills/final-cut-pro-workflow", + "path": "plugins/apple-creator-studio-skills/skills/final-cut-pro-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-creator-studio-skills/skills/garageband-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-creator-studio-skills/garageband-workflow", + "path": "plugins/apple-creator-studio-skills/skills/garageband-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-creator-studio-skills/skills/logic-pro-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-creator-studio-skills/logic-pro-workflow", + "path": "plugins/apple-creator-studio-skills/skills/logic-pro-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-creator-studio-skills/skills/mainstage-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-creator-studio-skills/mainstage-workflow", + "path": "plugins/apple-creator-studio-skills/skills/mainstage-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-creator-studio-skills/skills/motion-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-creator-studio-skills/motion-workflow", + "path": "plugins/apple-creator-studio-skills/skills/motion-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/app-intents-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/app-intents-workflow", + "path": "plugins/apple-dev-skills/skills/app-intents-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/appkit-app-architecture-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/appkit-app-architecture-workflow", + "path": "plugins/apple-dev-skills/skills/appkit-app-architecture-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/apple-developer-provisioning-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/apple-developer-provisioning-workflow", + "path": "plugins/apple-dev-skills/skills/apple-developer-provisioning-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/apple-image-representation-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/apple-image-representation-workflow", + "path": "plugins/apple-dev-skills/skills/apple-image-representation-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/apple-runtime-telemetry-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/apple-runtime-telemetry-workflow", + "path": "plugins/apple-dev-skills/skills/apple-runtime-telemetry-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/apple-typography-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/apple-typography-workflow", + "path": "plugins/apple-dev-skills/skills/apple-typography-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/apple-ui-accessibility-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/apple-ui-accessibility-workflow", + "path": "plugins/apple-dev-skills/skills/apple-ui-accessibility-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/arkit-face-body-tracking-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/arkit-face-body-tracking-workflow", + "path": "plugins/apple-dev-skills/skills/arkit-face-body-tracking-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/arkit-spatial-sensing-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/arkit-spatial-sensing-workflow", + "path": "plugins/apple-dev-skills/skills/arkit-spatial-sensing-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/author-swift-docc-docs/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/author-swift-docc-docs", + "path": "plugins/apple-dev-skills/skills/author-swift-docc-docs/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/avaudio-engine-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/avaudio-engine-workflow", + "path": "plugins/apple-dev-skills/skills/avaudio-engine-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/avfaudio-session-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:apple-dev-skills/avfaudio-session-workflow", + "path": "plugins/apple-dev-skills/skills/avfaudio-session-workflow/SKILL.md" }, { + "dependencies": [], "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/avfoundation-media-pipeline-workflow/SKILL.md" } ], - "from": "product:game-dev-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/game-dev-skills" + "kind": "codex-skill", + "name": "skill:apple-dev-skills/avfoundation-media-pipeline-workflow", + "path": "plugins/apple-dev-skills/skills/avfoundation-media-pipeline-workflow/SKILL.md" }, { + "dependencies": [], "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/bootstrap-swift-package/SKILL.md" } ], - "from": "product:socket", - "kind": "exposes", - "label": "marketplace exposes plugin entry", - "to": "product:messaging-collaboration-skills" + "kind": "codex-skill", + "name": "skill:apple-dev-skills/bootstrap-swift-package", + "path": "plugins/apple-dev-skills/skills/bootstrap-swift-package/SKILL.md" }, { + "dependencies": [], "evidence": [ { - "kind": "plugin-marketplace", - "path": ".agents/plugins/marketplace.json" + "kind": "skill-manifest", + "path": "plugins/apple-dev-skills/skills/bootstrap-xcode-app-project/SKILL.md" } ], - "from": "product:messaging-collaboration-skills", - "kind": "owns", - "label": "marketplace entry points at local plugin root", - "to": "path:./plugins/messaging-collaboration-skills" - } - ], - "schemaVersion": 1, - "slices": [], - "targets": [ + "kind": "codex-skill", + "name": "skill:apple-dev-skills/bootstrap-xcode-app-project", + "path": "plugins/apple-dev-skills/skills/bootstrap-xcode-app-project/SKILL.md" + }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/agent-portability-skills/skills/bootstrap-skills-plugin-repo/SKILL.md" + "path": "plugins/apple-dev-skills/skills/camera-capture-depth-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:agent-portability-skills/bootstrap-skills-plugin-repo", - "path": "plugins/agent-portability-skills/skills/bootstrap-skills-plugin-repo/SKILL.md" + "name": "skill:apple-dev-skills/camera-capture-depth-workflow", + "path": "plugins/apple-dev-skills/skills/camera-capture-depth-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/agent-portability-skills/skills/hermes-agent-compatibility/SKILL.md" + "path": "plugins/apple-dev-skills/skills/core-animation-layer-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:agent-portability-skills/hermes-agent-compatibility", - "path": "plugins/agent-portability-skills/skills/hermes-agent-compatibility/SKILL.md" + "name": "skill:apple-dev-skills/core-animation-layer-workflow", + "path": "plugins/apple-dev-skills/skills/core-animation-layer-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/agent-portability-skills/skills/sync-skills-repo-guidance/SKILL.md" + "path": "plugins/apple-dev-skills/skills/core-image-processing-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:agent-portability-skills/sync-skills-repo-guidance", - "path": "plugins/agent-portability-skills/skills/sync-skills-repo-guidance/SKILL.md" + "name": "skill:apple-dev-skills/core-image-processing-workflow", + "path": "plugins/apple-dev-skills/skills/core-image-processing-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/android-dev-skills/skills/build-kotlin-android/SKILL.md" + "path": "plugins/apple-dev-skills/skills/coreaudio-modernization-repair-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:android-dev-skills/build-kotlin-android", - "path": "plugins/android-dev-skills/skills/build-kotlin-android/SKILL.md" + "name": "skill:apple-dev-skills/coreaudio-modernization-repair-workflow", + "path": "plugins/apple-dev-skills/skills/coreaudio-modernization-repair-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/android-dev-skills/skills/choose-project-shape/SKILL.md" + "path": "plugins/apple-dev-skills/skills/coremedia-timing-samplebuffer-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:android-dev-skills/choose-project-shape", - "path": "plugins/android-dev-skills/skills/choose-project-shape/SKILL.md" + "name": "skill:apple-dev-skills/coremedia-timing-samplebuffer-workflow", + "path": "plugins/apple-dev-skills/skills/coremedia-timing-samplebuffer-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/android-dev-skills/skills/gradle-agp-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/devicecheck-app-attest-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:android-dev-skills/gradle-agp-workflow", - "path": "plugins/android-dev-skills/skills/gradle-agp-workflow/SKILL.md" + "name": "skill:apple-dev-skills/devicecheck-app-attest-workflow", + "path": "plugins/apple-dev-skills/skills/devicecheck-app-attest-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/android-dev-skills/skills/java-android-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/explore-apple-swift-docs/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:android-dev-skills/java-android-workflow", - "path": "plugins/android-dev-skills/skills/java-android-workflow/SKILL.md" + "name": "skill:apple-dev-skills/explore-apple-swift-docs", + "path": "plugins/apple-dev-skills/skills/explore-apple-swift-docs/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/android-dev-skills/skills/release-readiness-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/feedback-assistant-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:android-dev-skills/release-readiness-workflow", - "path": "plugins/android-dev-skills/skills/release-readiness-workflow/SKILL.md" + "name": "skill:apple-dev-skills/feedback-assistant-workflow", + "path": "plugins/apple-dev-skills/skills/feedback-assistant-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/android-dev-skills/skills/testing-lint-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/format-swift-sources/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:android-dev-skills/testing-lint-workflow", - "path": "plugins/android-dev-skills/skills/testing-lint-workflow/SKILL.md" + "name": "skill:apple-dev-skills/format-swift-sources", + "path": "plugins/apple-dev-skills/skills/format-swift-sources/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-creator-studio-skills/skills/compressor-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/icon-composer-app-icon-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-creator-studio-skills/compressor-workflow", - "path": "plugins/apple-creator-studio-skills/skills/compressor-workflow/SKILL.md" + "name": "skill:apple-dev-skills/icon-composer-app-icon-workflow", + "path": "plugins/apple-dev-skills/skills/icon-composer-app-icon-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-creator-studio-skills/skills/final-cut-pro-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/ios-runtime-forensics-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-creator-studio-skills/final-cut-pro-workflow", - "path": "plugins/apple-creator-studio-skills/skills/final-cut-pro-workflow/SKILL.md" + "name": "skill:apple-dev-skills/ios-runtime-forensics-workflow", + "path": "plugins/apple-dev-skills/skills/ios-runtime-forensics-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-creator-studio-skills/skills/garageband-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/macos-distribution-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-creator-studio-skills/garageband-workflow", - "path": "plugins/apple-creator-studio-skills/skills/garageband-workflow/SKILL.md" + "name": "skill:apple-dev-skills/macos-distribution-workflow", + "path": "plugins/apple-dev-skills/skills/macos-distribution-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-creator-studio-skills/skills/logic-pro-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/macos-window-management-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-creator-studio-skills/logic-pro-workflow", - "path": "plugins/apple-creator-studio-skills/skills/logic-pro-workflow/SKILL.md" + "name": "skill:apple-dev-skills/macos-window-management-workflow", + "path": "plugins/apple-dev-skills/skills/macos-window-management-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-creator-studio-skills/skills/mainstage-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/migrate-xcode-project-to-xcodegen/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-creator-studio-skills/mainstage-workflow", - "path": "plugins/apple-creator-studio-skills/skills/mainstage-workflow/SKILL.md" + "name": "skill:apple-dev-skills/migrate-xcode-project-to-xcodegen", + "path": "plugins/apple-dev-skills/skills/migrate-xcode-project-to-xcodegen/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-creator-studio-skills/skills/motion-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/photos-library-editing-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-creator-studio-skills/motion-workflow", - "path": "plugins/apple-creator-studio-skills/skills/motion-workflow/SKILL.md" + "name": "skill:apple-dev-skills/photos-library-editing-workflow", + "path": "plugins/apple-dev-skills/skills/photos-library-editing-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/app-intents-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/safari-extension-control-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/app-intents-workflow", - "path": "plugins/apple-dev-skills/skills/app-intents-workflow/SKILL.md" + "name": "skill:apple-dev-skills/safari-extension-control-workflow", + "path": "plugins/apple-dev-skills/skills/safari-extension-control-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/appkit-app-architecture-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/sf-symbols-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/appkit-app-architecture-workflow", - "path": "plugins/apple-dev-skills/skills/appkit-app-architecture-workflow/SKILL.md" + "name": "skill:apple-dev-skills/sf-symbols-workflow", + "path": "plugins/apple-dev-skills/skills/sf-symbols-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/apple-developer-provisioning-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/structure-swift-sources/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/apple-developer-provisioning-workflow", - "path": "plugins/apple-dev-skills/skills/apple-developer-provisioning-workflow/SKILL.md" + "name": "skill:apple-dev-skills/structure-swift-sources", + "path": "plugins/apple-dev-skills/skills/structure-swift-sources/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/apple-image-representation-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/swift-openapi-client-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/apple-image-representation-workflow", - "path": "plugins/apple-dev-skills/skills/apple-image-representation-workflow/SKILL.md" + "name": "skill:apple-dev-skills/swift-openapi-client-workflow", + "path": "plugins/apple-dev-skills/skills/swift-openapi-client-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/apple-runtime-telemetry-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/swift-package-build-run-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/apple-runtime-telemetry-workflow", - "path": "plugins/apple-dev-skills/skills/apple-runtime-telemetry-workflow/SKILL.md" + "name": "skill:apple-dev-skills/swift-package-build-run-workflow", + "path": "plugins/apple-dev-skills/skills/swift-package-build-run-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/apple-typography-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/swift-package-testing-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/apple-typography-workflow", - "path": "plugins/apple-dev-skills/skills/apple-typography-workflow/SKILL.md" + "name": "skill:apple-dev-skills/swift-package-testing-workflow", + "path": "plugins/apple-dev-skills/skills/swift-package-testing-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/apple-ui-accessibility-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/swift-package-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/apple-ui-accessibility-workflow", - "path": "plugins/apple-dev-skills/skills/apple-ui-accessibility-workflow/SKILL.md" + "name": "skill:apple-dev-skills/swift-package-workflow", + "path": "plugins/apple-dev-skills/skills/swift-package-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/arkit-face-body-tracking-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/swiftdata-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/arkit-face-body-tracking-workflow", - "path": "plugins/apple-dev-skills/skills/arkit-face-body-tracking-workflow/SKILL.md" + "name": "skill:apple-dev-skills/swiftdata-workflow", + "path": "plugins/apple-dev-skills/skills/swiftdata-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/arkit-spatial-sensing-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/swiftui-animation-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/arkit-spatial-sensing-workflow", - "path": "plugins/apple-dev-skills/skills/arkit-spatial-sensing-workflow/SKILL.md" + "name": "skill:apple-dev-skills/swiftui-animation-workflow", + "path": "plugins/apple-dev-skills/skills/swiftui-animation-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/author-swift-docc-docs/SKILL.md" + "path": "plugins/apple-dev-skills/skills/swiftui-app-architecture-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/author-swift-docc-docs", - "path": "plugins/apple-dev-skills/skills/author-swift-docc-docs/SKILL.md" + "name": "skill:apple-dev-skills/swiftui-app-architecture-workflow", + "path": "plugins/apple-dev-skills/skills/swiftui-app-architecture-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/avaudio-engine-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/swiftui-component-audit-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/avaudio-engine-workflow", - "path": "plugins/apple-dev-skills/skills/avaudio-engine-workflow/SKILL.md" + "name": "skill:apple-dev-skills/swiftui-component-audit-workflow", + "path": "plugins/apple-dev-skills/skills/swiftui-component-audit-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/avfaudio-session-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/swiftui-liquid-glass/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/avfaudio-session-workflow", - "path": "plugins/apple-dev-skills/skills/avfaudio-session-workflow/SKILL.md" + "name": "skill:apple-dev-skills/swiftui-liquid-glass", + "path": "plugins/apple-dev-skills/skills/swiftui-liquid-glass/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/avfoundation-media-pipeline-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/swiftui-performance-audit/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/avfoundation-media-pipeline-workflow", - "path": "plugins/apple-dev-skills/skills/avfoundation-media-pipeline-workflow/SKILL.md" + "name": "skill:apple-dev-skills/swiftui-performance-audit", + "path": "plugins/apple-dev-skills/skills/swiftui-performance-audit/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/bootstrap-swift-package/SKILL.md" + "path": "plugins/apple-dev-skills/skills/sync-swift-package-guidance/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/bootstrap-swift-package", - "path": "plugins/apple-dev-skills/skills/bootstrap-swift-package/SKILL.md" + "name": "skill:apple-dev-skills/sync-swift-package-guidance", + "path": "plugins/apple-dev-skills/skills/sync-swift-package-guidance/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/bootstrap-xcode-app-project/SKILL.md" + "path": "plugins/apple-dev-skills/skills/sync-xcode-project-guidance/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/bootstrap-xcode-app-project", - "path": "plugins/apple-dev-skills/skills/bootstrap-xcode-app-project/SKILL.md" + "name": "skill:apple-dev-skills/sync-xcode-project-guidance", + "path": "plugins/apple-dev-skills/skills/sync-xcode-project-guidance/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/camera-capture-depth-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/tipkit-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/camera-capture-depth-workflow", - "path": "plugins/apple-dev-skills/skills/camera-capture-depth-workflow/SKILL.md" + "name": "skill:apple-dev-skills/tipkit-workflow", + "path": "plugins/apple-dev-skills/skills/tipkit-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/core-animation-layer-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/tips-helpviewer-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/core-animation-layer-workflow", - "path": "plugins/apple-dev-skills/skills/core-animation-layer-workflow/SKILL.md" + "name": "skill:apple-dev-skills/tips-helpviewer-workflow", + "path": "plugins/apple-dev-skills/skills/tips-helpviewer-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/core-image-processing-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/video-codec-processing-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/core-image-processing-workflow", - "path": "plugins/apple-dev-skills/skills/core-image-processing-workflow/SKILL.md" + "name": "skill:apple-dev-skills/video-codec-processing-workflow", + "path": "plugins/apple-dev-skills/skills/video-codec-processing-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/coreaudio-modernization-repair-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/vision-coreml-recognition-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/coreaudio-modernization-repair-workflow", - "path": "plugins/apple-dev-skills/skills/coreaudio-modernization-repair-workflow/SKILL.md" + "name": "skill:apple-dev-skills/vision-coreml-recognition-workflow", + "path": "plugins/apple-dev-skills/skills/vision-coreml-recognition-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/coremedia-timing-samplebuffer-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/vision-image-analysis-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/coremedia-timing-samplebuffer-workflow", - "path": "plugins/apple-dev-skills/skills/coremedia-timing-samplebuffer-workflow/SKILL.md" + "name": "skill:apple-dev-skills/vision-image-analysis-workflow", + "path": "plugins/apple-dev-skills/skills/vision-image-analysis-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/devicecheck-app-attest-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/xcode-app-project-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/devicecheck-app-attest-workflow", - "path": "plugins/apple-dev-skills/skills/devicecheck-app-attest-workflow/SKILL.md" + "name": "skill:apple-dev-skills/xcode-app-project-workflow", + "path": "plugins/apple-dev-skills/skills/xcode-app-project-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/explore-apple-swift-docs/SKILL.md" + "path": "plugins/apple-dev-skills/skills/xcode-build-run-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/explore-apple-swift-docs", - "path": "plugins/apple-dev-skills/skills/explore-apple-swift-docs/SKILL.md" + "name": "skill:apple-dev-skills/xcode-build-run-workflow", + "path": "plugins/apple-dev-skills/skills/xcode-build-run-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/feedback-assistant-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/xcode-coding-intelligence-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/feedback-assistant-workflow", - "path": "plugins/apple-dev-skills/skills/feedback-assistant-workflow/SKILL.md" + "name": "skill:apple-dev-skills/xcode-coding-intelligence-workflow", + "path": "plugins/apple-dev-skills/skills/xcode-coding-intelligence-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/format-swift-sources/SKILL.md" + "path": "plugins/apple-dev-skills/skills/xcode-debugger-mcp-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/format-swift-sources", - "path": "plugins/apple-dev-skills/skills/format-swift-sources/SKILL.md" + "name": "skill:apple-dev-skills/xcode-debugger-mcp-workflow", + "path": "plugins/apple-dev-skills/skills/xcode-debugger-mcp-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/icon-composer-app-icon-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/xcode-device-hub-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/icon-composer-app-icon-workflow", - "path": "plugins/apple-dev-skills/skills/icon-composer-app-icon-workflow/SKILL.md" + "name": "skill:apple-dev-skills/xcode-device-hub-workflow", + "path": "plugins/apple-dev-skills/skills/xcode-device-hub-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/ios-runtime-forensics-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/xcode-localization-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/ios-runtime-forensics-workflow", - "path": "plugins/apple-dev-skills/skills/ios-runtime-forensics-workflow/SKILL.md" + "name": "skill:apple-dev-skills/xcode-localization-workflow", + "path": "plugins/apple-dev-skills/skills/xcode-localization-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/macos-distribution-workflow/SKILL.md" + "path": "plugins/apple-dev-skills/skills/xcode-testing-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/macos-distribution-workflow", - "path": "plugins/apple-dev-skills/skills/macos-distribution-workflow/SKILL.md" + "name": "skill:apple-dev-skills/xcode-testing-workflow", + "path": "plugins/apple-dev-skills/skills/xcode-testing-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { - "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/macos-window-management-workflow/SKILL.md" + "kind": "mcp-config", + "path": "plugins/apple-dev-skills/.mcp.json" } ], - "kind": "codex-skill", - "name": "skill:apple-dev-skills/macos-window-management-workflow", - "path": "plugins/apple-dev-skills/skills/macos-window-management-workflow/SKILL.md" + "kind": "mcp-config", + "name": "mcp:plugins/apple-dev-skills/.mcp.json", + "path": "plugins/apple-dev-skills/.mcp.json" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/migrate-xcode-project-to-xcodegen/SKILL.md" + "path": "plugins/cardhop-app/skills/cardhop-contact-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/migrate-xcode-project-to-xcodegen", - "path": "plugins/apple-dev-skills/skills/migrate-xcode-project-to-xcodegen/SKILL.md" + "name": "skill:cardhop-app/cardhop-contact-workflow", + "path": "plugins/cardhop-app/skills/cardhop-contact-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { - "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/photos-library-editing-workflow/SKILL.md" + "kind": "mcp-config", + "path": "plugins/cardhop-app/.mcp.json" } ], - "kind": "codex-skill", - "name": "skill:apple-dev-skills/photos-library-editing-workflow", - "path": "plugins/apple-dev-skills/skills/photos-library-editing-workflow/SKILL.md" + "kind": "mcp-config", + "name": "mcp:plugins/cardhop-app/.mcp.json", + "path": "plugins/cardhop-app/.mcp.json" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/safari-extension-control-workflow/SKILL.md" + "path": "plugins/cloud-deployment-skills/skills/cloud-deployment-routing-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/safari-extension-control-workflow", - "path": "plugins/apple-dev-skills/skills/safari-extension-control-workflow/SKILL.md" + "name": "skill:cloud-deployment-skills/cloud-deployment-routing-workflow", + "path": "plugins/cloud-deployment-skills/skills/cloud-deployment-routing-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/sf-symbols-workflow/SKILL.md" + "path": "plugins/cloud-inference-skills/skills/cloud-inference-routing-workflow/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/sf-symbols-workflow", - "path": "plugins/apple-dev-skills/skills/sf-symbols-workflow/SKILL.md" + "name": "skill:cloud-inference-skills/cloud-inference-routing-workflow", + "path": "plugins/cloud-inference-skills/skills/cloud-inference-routing-workflow/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/structure-swift-sources/SKILL.md" + "path": "plugins/cloud-inference-skills/skills/companion-clis/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/structure-swift-sources", - "path": "plugins/apple-dev-skills/skills/structure-swift-sources/SKILL.md" + "name": "skill:cloud-inference-skills/companion-clis", + "path": "plugins/cloud-inference-skills/skills/companion-clis/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/swift-openapi-client-workflow/SKILL.md" + "path": "plugins/cloud-inference-skills/skills/flash/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/swift-openapi-client-workflow", - "path": "plugins/apple-dev-skills/skills/swift-openapi-client-workflow/SKILL.md" + "name": "skill:cloud-inference-skills/flash", + "path": "plugins/cloud-inference-skills/skills/flash/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/swift-package-build-run-workflow/SKILL.md" + "path": "plugins/cloud-inference-skills/skills/runpodctl/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/swift-package-build-run-workflow", - "path": "plugins/apple-dev-skills/skills/swift-package-build-run-workflow/SKILL.md" + "name": "skill:cloud-inference-skills/runpodctl", + "path": "plugins/cloud-inference-skills/skills/runpodctl/SKILL.md" }, { "dependencies": [], "evidence": [ { - "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/swift-package-testing-workflow/SKILL.md" + "kind": "mcp-config", + "path": "plugins/cloud-inference-skills/.mcp.json" } ], - "kind": "codex-skill", - "name": "skill:apple-dev-skills/swift-package-testing-workflow", - "path": "plugins/apple-dev-skills/skills/swift-package-testing-workflow/SKILL.md" + "kind": "mcp-config", + "name": "mcp:plugins/cloud-inference-skills/.mcp.json", + "path": "plugins/cloud-inference-skills/.mcp.json" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/swift-package-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/swift-package-workflow", - "path": "plugins/apple-dev-skills/skills/swift-package-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/analyze-suspicious-script-or-document", + "path": "plugins/cybersecurity-skills/skills/analyze-suspicious-script-or-document/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/swiftdata-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/swiftdata-workflow", - "path": "plugins/apple-dev-skills/skills/swiftdata-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/assess-and-explain-threat", + "path": "plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/swiftui-animation-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/assess-exposure-and-impact/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/swiftui-animation-workflow", - "path": "plugins/apple-dev-skills/skills/swiftui-animation-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/assess-exposure-and-impact", + "path": "plugins/cybersecurity-skills/skills/assess-exposure-and-impact/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/swiftui-app-architecture-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/assess-macos-threat/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/swiftui-app-architecture-workflow", - "path": "plugins/apple-dev-skills/skills/swiftui-app-architecture-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/assess-macos-threat", + "path": "plugins/cybersecurity-skills/skills/assess-macos-threat/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/swiftui-component-audit-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/author-detection-content/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/swiftui-component-audit-workflow", - "path": "plugins/apple-dev-skills/skills/swiftui-component-audit-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/author-detection-content", + "path": "plugins/cybersecurity-skills/skills/author-detection-content/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/swiftui-liquid-glass/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/author-yara-x-rules/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/swiftui-liquid-glass", - "path": "plugins/apple-dev-skills/skills/swiftui-liquid-glass/SKILL.md" + "name": "skill:cybersecurity-skills/author-yara-x-rules", + "path": "plugins/cybersecurity-skills/skills/author-yara-x-rules/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/swiftui-performance-audit/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/check-artifact-reputation/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/swiftui-performance-audit", - "path": "plugins/apple-dev-skills/skills/swiftui-performance-audit/SKILL.md" + "name": "skill:cybersecurity-skills/check-artifact-reputation", + "path": "plugins/cybersecurity-skills/skills/check-artifact-reputation/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/sync-swift-package-guidance/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/contain-and-recover-macos/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/sync-swift-package-guidance", - "path": "plugins/apple-dev-skills/skills/sync-swift-package-guidance/SKILL.md" + "name": "skill:cybersecurity-skills/contain-and-recover-macos", + "path": "plugins/cybersecurity-skills/skills/contain-and-recover-macos/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/sync-xcode-project-guidance/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/contain-security-incident/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/sync-xcode-project-guidance", - "path": "plugins/apple-dev-skills/skills/sync-xcode-project-guidance/SKILL.md" + "name": "skill:cybersecurity-skills/contain-security-incident", + "path": "plugins/cybersecurity-skills/skills/contain-security-incident/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/tipkit-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/harden-macos/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/tipkit-workflow", - "path": "plugins/apple-dev-skills/skills/tipkit-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/harden-macos", + "path": "plugins/cybersecurity-skills/skills/harden-macos/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/tips-helpviewer-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/hunt-security-indicators/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/tips-helpviewer-workflow", - "path": "plugins/apple-dev-skills/skills/tips-helpviewer-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/hunt-security-indicators", + "path": "plugins/cybersecurity-skills/skills/hunt-security-indicators/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/video-codec-processing-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/inspect-macos-persistence/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/video-codec-processing-workflow", - "path": "plugins/apple-dev-skills/skills/video-codec-processing-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/inspect-macos-persistence", + "path": "plugins/cybersecurity-skills/skills/inspect-macos-persistence/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/vision-coreml-recognition-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/vision-coreml-recognition-workflow", - "path": "plugins/apple-dev-skills/skills/vision-coreml-recognition-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/inspect-macos-runtime-activity", + "path": "plugins/cybersecurity-skills/skills/inspect-macos-runtime-activity/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/vision-image-analysis-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/map-malware-behavior/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/vision-image-analysis-workflow", - "path": "plugins/apple-dev-skills/skills/vision-image-analysis-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/map-malware-behavior", + "path": "plugins/cybersecurity-skills/skills/map-malware-behavior/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/xcode-app-project-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/operate-agentic-security-tools/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/xcode-app-project-workflow", - "path": "plugins/apple-dev-skills/skills/xcode-app-project-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/operate-agentic-security-tools", + "path": "plugins/cybersecurity-skills/skills/operate-agentic-security-tools/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/xcode-build-run-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/xcode-build-run-workflow", - "path": "plugins/apple-dev-skills/skills/xcode-build-run-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/perform-dynamic-malware-analysis", + "path": "plugins/cybersecurity-skills/skills/perform-dynamic-malware-analysis/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/xcode-coding-intelligence-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/perform-static-malware-analysis/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/xcode-coding-intelligence-workflow", - "path": "plugins/apple-dev-skills/skills/xcode-coding-intelligence-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/perform-static-malware-analysis", + "path": "plugins/cybersecurity-skills/skills/perform-static-malware-analysis/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/xcode-debugger-mcp-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/preserve-security-evidence/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/xcode-debugger-mcp-workflow", - "path": "plugins/apple-dev-skills/skills/xcode-debugger-mcp-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/preserve-security-evidence", + "path": "plugins/cybersecurity-skills/skills/preserve-security-evidence/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/xcode-device-hub-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/recover-security-incident/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/xcode-device-hub-workflow", - "path": "plugins/apple-dev-skills/skills/xcode-device-hub-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/recover-security-incident", + "path": "plugins/cybersecurity-skills/skills/recover-security-incident/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/xcode-localization-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/report-security-assessment/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/xcode-localization-workflow", - "path": "plugins/apple-dev-skills/skills/xcode-localization-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/report-security-assessment", + "path": "plugins/cybersecurity-skills/skills/report-security-assessment/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/apple-dev-skills/skills/xcode-testing-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/route-security-work/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:apple-dev-skills/xcode-testing-workflow", - "path": "plugins/apple-dev-skills/skills/xcode-testing-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/route-security-work", + "path": "plugins/cybersecurity-skills/skills/route-security-work/SKILL.md" }, { "dependencies": [], "evidence": [ { - "kind": "mcp-config", - "path": "plugins/apple-dev-skills/.mcp.json" + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/scope-authorized-security-test/SKILL.md" } ], - "kind": "mcp-config", - "name": "mcp:plugins/apple-dev-skills/.mcp.json", - "path": "plugins/apple-dev-skills/.mcp.json" + "kind": "codex-skill", + "name": "skill:cybersecurity-skills/scope-authorized-security-test", + "path": "plugins/cybersecurity-skills/skills/scope-authorized-security-test/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/cardhop-app/skills/cardhop-contact-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/select-analysis-isolation/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:cardhop-app/cardhop-contact-workflow", - "path": "plugins/cardhop-app/skills/cardhop-contact-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/select-analysis-isolation", + "path": "plugins/cybersecurity-skills/skills/select-analysis-isolation/SKILL.md" }, { "dependencies": [], "evidence": [ { - "kind": "mcp-config", - "path": "plugins/cardhop-app/.mcp.json" + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/test-network-services/SKILL.md" } ], - "kind": "mcp-config", - "name": "mcp:plugins/cardhop-app/.mcp.json", - "path": "plugins/cardhop-app/.mcp.json" + "kind": "codex-skill", + "name": "skill:cybersecurity-skills/test-network-services", + "path": "plugins/cybersecurity-skills/skills/test-network-services/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/cloud-deployment-skills/skills/cloud-deployment-routing-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/test-web-and-api-security/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:cloud-deployment-skills/cloud-deployment-routing-workflow", - "path": "plugins/cloud-deployment-skills/skills/cloud-deployment-routing-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/test-web-and-api-security", + "path": "plugins/cybersecurity-skills/skills/test-web-and-api-security/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/cloud-inference-skills/skills/cloud-inference-routing-workflow/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/triage-security-incident/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:cloud-inference-skills/cloud-inference-routing-workflow", - "path": "plugins/cloud-inference-skills/skills/cloud-inference-routing-workflow/SKILL.md" + "name": "skill:cybersecurity-skills/triage-security-incident", + "path": "plugins/cybersecurity-skills/skills/triage-security-incident/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/cloud-inference-skills/skills/companion-clis/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/triage-suspicious-content/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:cloud-inference-skills/companion-clis", - "path": "plugins/cloud-inference-skills/skills/companion-clis/SKILL.md" + "name": "skill:cybersecurity-skills/triage-suspicious-content", + "path": "plugins/cybersecurity-skills/skills/triage-suspicious-content/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/cloud-inference-skills/skills/flash/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/triage-vulnerability-report/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:cloud-inference-skills/flash", - "path": "plugins/cloud-inference-skills/skills/flash/SKILL.md" + "name": "skill:cybersecurity-skills/triage-vulnerability-report", + "path": "plugins/cybersecurity-skills/skills/triage-vulnerability-report/SKILL.md" }, { "dependencies": [], "evidence": [ { "kind": "skill-manifest", - "path": "plugins/cloud-inference-skills/skills/runpodctl/SKILL.md" + "path": "plugins/cybersecurity-skills/skills/use-objective-see-tools/SKILL.md" } ], "kind": "codex-skill", - "name": "skill:cloud-inference-skills/runpodctl", - "path": "plugins/cloud-inference-skills/skills/runpodctl/SKILL.md" + "name": "skill:cybersecurity-skills/use-objective-see-tools", + "path": "plugins/cybersecurity-skills/skills/use-objective-see-tools/SKILL.md" }, { "dependencies": [], "evidence": [ { - "kind": "mcp-config", - "path": "plugins/cloud-inference-skills/.mcp.json" + "kind": "skill-manifest", + "path": "plugins/cybersecurity-skills/skills/validate-vulnerability/SKILL.md" } ], - "kind": "mcp-config", - "name": "mcp:plugins/cloud-inference-skills/.mcp.json", - "path": "plugins/cloud-inference-skills/.mcp.json" + "kind": "codex-skill", + "name": "skill:cybersecurity-skills/validate-vulnerability", + "path": "plugins/cybersecurity-skills/skills/validate-vulnerability/SKILL.md" }, { "dependencies": [], @@ -5596,6 +6559,18 @@ "name": "skill:messaging-collaboration-skills/choose-platform-integration", "path": "plugins/messaging-collaboration-skills/skills/choose-platform-integration/SKILL.md" }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/messaging-collaboration-skills/skills/communication-notifications-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:messaging-collaboration-skills/communication-notifications-workflow", + "path": "plugins/messaging-collaboration-skills/skills/communication-notifications-workflow/SKILL.md" + }, { "dependencies": [], "evidence": [ @@ -5608,6 +6583,18 @@ "name": "skill:messaging-collaboration-skills/conversation-state-human-handoff", "path": "plugins/messaging-collaboration-skills/skills/conversation-state-human-handoff/SKILL.md" }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/messaging-collaboration-skills/skills/default-communication-app-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:messaging-collaboration-skills/default-communication-app-workflow", + "path": "plugins/messaging-collaboration-skills/skills/default-communication-app-workflow/SKILL.md" + }, { "dependencies": [], "evidence": [ @@ -5632,6 +6619,30 @@ "name": "skill:messaging-collaboration-skills/google-meet-collaboration-workflow", "path": "plugins/messaging-collaboration-skills/skills/google-meet-collaboration-workflow/SKILL.md" }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/messaging-collaboration-skills/skills/imessage-app-and-collaboration-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:messaging-collaboration-skills/imessage-app-and-collaboration-workflow", + "path": "plugins/messaging-collaboration-skills/skills/imessage-app-and-collaboration-workflow/SKILL.md" + }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/messaging-collaboration-skills/skills/push-to-talk-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:messaging-collaboration-skills/push-to-talk-workflow", + "path": "plugins/messaging-collaboration-skills/skills/push-to-talk-workflow/SKILL.md" + }, { "dependencies": [], "evidence": [ @@ -5680,6 +6691,18 @@ "name": "skill:messaging-collaboration-skills/telegram-bot-workflow", "path": "plugins/messaging-collaboration-skills/skills/telegram-bot-workflow/SKILL.md" }, + { + "dependencies": [], + "evidence": [ + { + "kind": "skill-manifest", + "path": "plugins/messaging-collaboration-skills/skills/voip-sip-calling-workflow/SKILL.md" + } + ], + "kind": "codex-skill", + "name": "skill:messaging-collaboration-skills/voip-sip-calling-workflow", + "path": "plugins/messaging-collaboration-skills/skills/voip-sip-calling-workflow/SKILL.md" + }, { "dependencies": [], "evidence": [ diff --git a/docs/maintainers/cybersecurity-skills-plugin-plan.md b/docs/maintainers/cybersecurity-skills-plugin-plan.md index a728ef3a..fca27908 100644 --- a/docs/maintainers/cybersecurity-skills-plugin-plan.md +++ b/docs/maintainers/cybersecurity-skills-plugin-plan.md @@ -254,6 +254,6 @@ Recheck these sources during implementation; the list was verified on 2026-07-14 ## Release Decision -Implement Phases 0 through 3 as the first installable release so the plugin delivers the complete suspicious-content-to-macOS-defense path that motivated it. Include the Phase 4 scope, validation, exposure, and reporting foundations in that release if they validate cleanly; keep broad web/API and network test adapters out rather than rushing unsafe automation. +The first installable release implements all five planned phases. It delivers the complete suspicious-content-to-macOS-defense path, authorized vulnerability-validation and bounded web/API and network-testing guidance, incident response, hunting, and reusable detection-content workflows on the same evidence, confidence, isolation, scope, and reporting records. -Treat the first installable `cybersecurity-skills` release as a Socket minor version. Phases 4 and 5 may land in later minor releases after fixture-driven validation. Any privileged runtime, bundled scanner, MCP server, remote sandbox integration, or autonomous active-testing surface requires a separate explicit architecture and release decision. +Treat the first installable `cybersecurity-skills` release as a Socket minor version. Any privileged runtime, bundled scanner, MCP server, remote sandbox integration, or autonomous active-testing surface requires a separate explicit architecture and release decision. diff --git a/docs/maintainers/hermes-compatibility.md b/docs/maintainers/hermes-compatibility.md index 63046a23..e4aee3e3 100644 --- a/docs/maintainers/hermes-compatibility.md +++ b/docs/maintainers/hermes-compatibility.md @@ -51,6 +51,12 @@ the roadmap tracks that migration. New or materially changed skills must either join the generated tap with grouping metadata or document why their workflow is not portable to Hermes. +The complete `cybersecurity-skills` inventory is portable guidance and is +exported under the `Cybersecurity Skills` grouping. Its Codex manifest and icon +remain host-specific packaging metadata. The initial plugin ships no MCP server, +hook, app, custom agent, or native Hermes runtime surface, so no `mcp_servers` +translation or Python Hermes plugin is required. + ## Maintainer Workflow 1. Classify each changed surface before editing: portable skill, translated MCP, diff --git a/plugins/cybersecurity-skills/scripts/validate_repo_metadata.py b/plugins/cybersecurity-skills/scripts/validate_repo_metadata.py index 157b41f7..04a37ab0 100755 --- a/plugins/cybersecurity-skills/scripts/validate_repo_metadata.py +++ b/plugins/cybersecurity-skills/scripts/validate_repo_metadata.py @@ -24,6 +24,40 @@ SKILL_NAME = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$") MARKDOWN_LINK = re.compile(r"\[[^]]*]\(([^)]+)\)") MACHINE_LOCAL_MARKERS = ("/Users/", "~/", "../") +EXPECTED_SKILLS = frozenset( + { + "analyze-suspicious-script-or-document", + "assess-and-explain-threat", + "assess-exposure-and-impact", + "assess-macos-threat", + "author-detection-content", + "author-yara-x-rules", + "check-artifact-reputation", + "contain-and-recover-macos", + "contain-security-incident", + "harden-macos", + "hunt-security-indicators", + "inspect-macos-persistence", + "inspect-macos-runtime-activity", + "map-malware-behavior", + "operate-agentic-security-tools", + "perform-dynamic-malware-analysis", + "perform-static-malware-analysis", + "preserve-security-evidence", + "recover-security-incident", + "report-security-assessment", + "route-security-work", + "scope-authorized-security-test", + "select-analysis-isolation", + "test-network-services", + "test-web-and-api-security", + "triage-security-incident", + "triage-suspicious-content", + "triage-vulnerability-report", + "use-objective-see-tools", + "validate-vulnerability", + } +) @dataclass(frozen=True) @@ -160,6 +194,16 @@ def main() -> int: skill_dirs = sorted(path for path in SKILLS_ROOT.iterdir() if path.is_dir()) if SKILLS_ROOT.is_dir() else [] if not skill_dirs: findings.append(Finding("skills", "must contain at least one exported skill directory")) + actual_skills = {path.name for path in skill_dirs} + if actual_skills != EXPECTED_SKILLS: + missing = sorted(EXPECTED_SKILLS - actual_skills) + unexpected = sorted(actual_skills - EXPECTED_SKILLS) + details = [] + if missing: + details.append(f"missing: {', '.join(missing)}") + if unexpected: + details.append(f"unexpected: {', '.join(unexpected)}") + findings.append(Finding("skills", f"inventory differs from the expected 30-skill surface ({'; '.join(details)})")) for skill_dir in skill_dirs: findings.extend(validate_skill(skill_dir)) if findings: diff --git a/plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md b/plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md index bb92931e..0710ae54 100644 --- a/plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md +++ b/plugins/cybersecurity-skills/skills/assess-and-explain-threat/SKILL.md @@ -33,7 +33,7 @@ Read [references/confidence-and-advice.md](references/confidence-and-advice.md) - Separate containment, evidence preservation, recovery, credential actions, notification, and long-term hardening. - Avoid destructive cleanup when evidence is weak and reversible isolation is available. -6. Explain plainly. +6. Give a plain-language explanation. - Answer whether the concern is dangerous, what it appears to do, what is known versus inferred, what to do now, and when to escalate. - Define specialist terms at first use and avoid fear-amplifying language. diff --git a/plugins/cybersecurity-skills/skills/author-detection-content/SKILL.md b/plugins/cybersecurity-skills/skills/author-detection-content/SKILL.md new file mode 100644 index 00000000..aa0aeb90 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/author-detection-content/SKILL.md @@ -0,0 +1,34 @@ +--- +name: author-detection-content +description: Turn validated security behavior into tested detection content. Use for Sigma, osquery, YARA-X routing, endpoint queries, SIEM rules, cloud or application detections, correlation logic, alert enrichment, or regression fixtures when telemetry prerequisites, provenance, expected matches, benign negatives, false-positive controls, performance, severity, response, deployment, and maintenance ownership must be explicit. +--- + +# Author Detection Content + +## Overview + +Detect the validated behavior at the most reliable telemetry layer. Use `author-yara-x-rules` for artifact pattern rules; use this workflow for event, query, correlation, and alert content. + +Read [references/detection-quality.md](references/detection-quality.md) before choosing logic or deployment severity. + +## Workflow + +1. Define objective and response. + - State the behavior, threat/finding source, protected surface, expected alert consumer, urgency, and action. +2. Identify telemetry prerequisites. + - Record source/product/version, event types/fields, collection permissions, normalization, retention, latency, and known blind spots. +3. Select durable features. + - Prefer behavior and context combinations over mutable infrastructure or one noisy field. + - Map to ATT&CK only when evidence supports it. +4. Author content. + - Include title/ID, description, status, author/date, references, log source, logic/query, fields, false positives, level/severity, tags, and test notes as the target format permits. +5. Test fixtures. + - Include validated positive events, benign near-misses, missing/renamed fields, ordering/time-window cases, duplicate events, volume/performance, and known platform variants. +6. Tune and validate response. + - Improve logic before adding exclusions; verify enrichment and runbook lead an analyst to decisive evidence. +7. Deploy and maintain. + - Record target environments, owner, version, rollout, alert volume, suppression/exception expiry, health checks, and review triggers. + +## Output + +Return detection content, telemetry contract, evidence provenance, fixture results, false positives/limits, performance, severity/response, deployment plan, and owner/review date. diff --git a/plugins/cybersecurity-skills/skills/author-detection-content/agents/openai.yaml b/plugins/cybersecurity-skills/skills/author-detection-content/agents/openai.yaml new file mode 100644 index 00000000..f91d3157 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/author-detection-content/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Author Detection Content" + short_description: "Build telemetry-backed detections with regression fixtures" + default_prompt: "Use $author-detection-content to turn this validated behavior into tested detection logic." diff --git a/plugins/cybersecurity-skills/skills/author-detection-content/references/detection-quality.md b/plugins/cybersecurity-skills/skills/author-detection-content/references/detection-quality.md new file mode 100644 index 00000000..ca6f72db --- /dev/null +++ b/plugins/cybersecurity-skills/skills/author-detection-content/references/detection-quality.md @@ -0,0 +1,12 @@ +# Detection Quality Checklist + +- Objective describes one validated behavior and intended response. +- Telemetry source, version, permissions, fields, normalization, and gaps are explicit. +- Logic uses durable features with documented provenance. +- Positive fixtures reproduce the behavior; benign negatives challenge the same fields. +- Missing fields, duplicates, event order, time windows, platform variants, and load are tested. +- False-positive guidance explains analyst validation, not blanket suppression. +- Severity matches response urgency and evidence, not ATT&CK tactic alone. +- Rule ID/version, owner, deployment scope, alert health, exception expiry, and review trigger are recorded. + +For artifact pattern matching, use `author-yara-x-rules`. For portable event rules, use the current target format specification rather than assuming Sigma or query-field compatibility across backends. diff --git a/plugins/cybersecurity-skills/skills/contain-security-incident/SKILL.md b/plugins/cybersecurity-skills/skills/contain-security-incident/SKILL.md new file mode 100644 index 00000000..b72d2f91 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/contain-security-incident/SKILL.md @@ -0,0 +1,34 @@ +--- +name: contain-security-incident +description: Contain an active or credible cybersecurity incident across hosts, identities, applications, services, cloud resources, networks, or data. Use when ongoing access, execution, exfiltration, fraud, destruction, lateral movement, unsafe service behavior, or repeated compromise must be interrupted with authorized, reversible actions while evidence, business impact, dependencies, communication, and rollback are tracked. +--- + +# Contain Security Incident + +## Overview + +Interrupt the validated path of harm with the smallest effective action, then verify the containment. Do not confuse a blocked symptom with eradication or recovery. + +Read [references/containment-plan.md](references/containment-plan.md) before making disruptive changes. + +## Workflow + +1. Confirm incident lead, authority, current scope, harm path, critical services, evidence priorities, and emergency contacts. +2. Model containment choices. + - Consider host/network isolation, process/service suspension, account disablement, session/token/key revocation, access-policy change, application feature disablement, route/rule changes, or provider controls. + - Record expected harm reduction, operational impact, volatile evidence loss, dependencies, rollback, and attacker visibility. +3. Sequence actions. + - Address active exfiltration/destruction/safety first, then privileged access, propagation, persistence, and re-entry paths. + - Coordinate simultaneous identity, host, application, and network actions when staggered changes would alert or strand access. +4. Apply approved changes. + - Record exact target, operator, time, command/control surface, result, failures, and unexpected effects. +5. Verify containment. + - Check that the harmful path stopped, access/session state changed, affected services remain understood, and monitoring still functions. +6. Expand scope carefully. + - Hunt for related indicators and access paths; update the incident record before new targets or actions. +7. Define exit criteria. + - State what evidence permits eradication/recovery and what temporary controls must remain. + +## Output + +Return containment objective, options/tradeoffs, actions/results, verification, residual access, business impact, temporary controls, rollback, and next-phase criteria. diff --git a/plugins/cybersecurity-skills/skills/contain-security-incident/agents/openai.yaml b/plugins/cybersecurity-skills/skills/contain-security-incident/agents/openai.yaml new file mode 100644 index 00000000..112c46f0 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/contain-security-incident/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Contain Security Incident" + short_description: "Interrupt active harm with verified, reversible controls" + default_prompt: "Use $contain-security-incident to choose, apply, and verify proportionate containment." diff --git a/plugins/cybersecurity-skills/skills/contain-security-incident/references/containment-plan.md b/plugins/cybersecurity-skills/skills/contain-security-incident/references/containment-plan.md new file mode 100644 index 00000000..8815082e --- /dev/null +++ b/plugins/cybersecurity-skills/skills/contain-security-incident/references/containment-plan.md @@ -0,0 +1,17 @@ +# Incident Containment Plan + +For each action record: + +| Field | Content | +| --- | --- | +| Harm path | Access or behavior being interrupted | +| Target | Exact host, account, token, service, route, rule, or feature | +| Action/authority | Approved control and decision owner | +| Evidence effect | Volatile data or visibility lost/preserved | +| Operational effect | Users, services, dependencies, and duration | +| Attacker effect | Access removed, signal exposed, or path merely displaced | +| Rollback | Safe reversal and owner | +| Verification | Evidence that containment worked | +| Residual risk | Remaining path or uncertainty | + +Keep temporary containment changes inventoried so recovery does not silently leave emergency rules or disabled controls behind. diff --git a/plugins/cybersecurity-skills/skills/hunt-security-indicators/SKILL.md b/plugins/cybersecurity-skills/skills/hunt-security-indicators/SKILL.md new file mode 100644 index 00000000..349430e6 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/hunt-security-indicators/SKILL.md @@ -0,0 +1,34 @@ +--- +name: hunt-security-indicators +description: Hunt scoped systems and telemetry for supplied security indicators or behaviors. Use for hashes, paths, domains, addresses, certificates, accounts, processes, commands, persistence, ATT&CK behaviors, cloud or application events, or incident expansion when data sources, time window, query logic, coverage, false positives, privacy, and follow-up validation must be explicit. +--- + +# Hunt Security Indicators + +## Overview + +Turn validated evidence into bounded queries across known data sources, then validate matches in context. Absence of matches means only that the indicator was not observed in the recorded coverage. + +Read [references/hunt-record.md](references/hunt-record.md) for query and coverage fields. + +## Workflow + +1. Define the hunt question and scope. + - Record incident/finding, assets, identities, environments, time window, data owners, privacy constraints, and expected decision. +2. Normalize indicators and behaviors. + - Preserve type, value, source, confidence, first/last seen, expected context, variants, and expiration. + - Prefer behavior chains over one mutable hash/domain when telemetry supports them. +3. Inventory data sources. + - Record endpoint/process/file, identity, DNS/network/proxy, application, cloud, email, vulnerability, and backup evidence plus retention, collection delay, and gaps. +4. Write reproducible queries. + - Record platform/tool/version, exact query, normalization/timezone, filters, exclusions, and expected benign matches. +5. Validate matches. + - Correlate asset/user/time/process/parent/path/signer/network or application context; preserve false-positive rationale. +6. Expand deliberately. + - Pivot only from validated relations and update scope, indicators, and confidence. +7. Report coverage. + - State searched/failed sources, earliest/latest available data, assets not covered, matches, negative results, and next response/detection action. + +## Output + +Return hypothesis, indicators/behaviors, data coverage, queries, validated matches, false positives, gaps, pivots, and response recommendations. diff --git a/plugins/cybersecurity-skills/skills/hunt-security-indicators/agents/openai.yaml b/plugins/cybersecurity-skills/skills/hunt-security-indicators/agents/openai.yaml new file mode 100644 index 00000000..b73bf5f6 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/hunt-security-indicators/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Hunt Security Indicators" + short_description: "Search scoped telemetry with explicit coverage and context" + default_prompt: "Use $hunt-security-indicators to search for these indicators and report the real coverage." diff --git a/plugins/cybersecurity-skills/skills/hunt-security-indicators/references/hunt-record.md b/plugins/cybersecurity-skills/skills/hunt-security-indicators/references/hunt-record.md new file mode 100644 index 00000000..88dc4813 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/hunt-security-indicators/references/hunt-record.md @@ -0,0 +1,17 @@ +# Security Hunt Record + +```markdown +- Hunt question and source incident/finding: +- Assets/identities/environments/time window: +- Indicator or behavior, provenance, confidence, expiry: +- Data source, retention, delay, and permissions: +- Exact query/tool/version/timezone: +- Filters and known benign context: +- Matches and independent validation: +- False positives and rationale: +- Sources/assets not searched or failed: +- Coverage-bounded negative result: +- Approved pivots and next action: +``` + +Hash, address, and domain indicators decay quickly. Record date checked and prefer durable behavior/context when possible. diff --git a/plugins/cybersecurity-skills/skills/recover-security-incident/SKILL.md b/plugins/cybersecurity-skills/skills/recover-security-incident/SKILL.md new file mode 100644 index 00000000..3e408e9e --- /dev/null +++ b/plugins/cybersecurity-skills/skills/recover-security-incident/SKILL.md @@ -0,0 +1,33 @@ +--- +name: recover-security-incident +description: Eradicate verified compromise mechanisms, restore trusted service, and monitor after a cybersecurity incident. Use when affected hosts, identities, applications, cloud resources, network controls, or data need rebuild/restore, patching, secret rotation, configuration repair, validation, staged return to service, temporary-control removal, lessons learned, and residual-risk ownership. +--- + +# Recover Security Incident + +## Overview + +Return systems and people to a trusted operating state using explicit eradication and validation criteria. Recovery is complete only when restored behavior, security controls, access, monitoring, and residual risk are verified. + +Read [references/recovery-gates.md](references/recovery-gates.md) for staged return-to-service gates. + +## Workflow + +1. Establish eradication criteria. + - Identify root/access path, persistence, affected identities/secrets, vulnerable configuration/code, related artifacts, and known scope. +2. Choose restore basis. + - Decide clean rebuild, known-good backup, patched image, repaired configuration, provider recovery, or controlled cleanup from evidence and integrity confidence. +3. Eradicate. + - Remove verified mechanisms, patch or mitigate the entry path, rotate/revoke secrets and sessions from trusted systems, repair policies/configuration, and preserve evidence of changes. +4. Restore in stages. + - Validate offline or isolated, restore dependencies/data, enable limited traffic/users, monitor, then broaden service. +5. Verify security and function. + - Reproduce the original detection/path as a negative test, confirm expected functionality, review access/persistence/network/logging, and check backups and monitoring. +6. Remove temporary controls deliberately. + - Inventory emergency rules, disabled services, isolation, temporary accounts, logging, tokens, and exceptions; retain only approved controls with owners/expiry. +7. Close and improve. + - Record timeline, root cause, affected scope, actions, notifications, evidence retention, lessons, structural hardening, and residual risk owner. + +## Output + +Return eradication evidence, restore basis, staged recovery results, negative retest, temporary-control disposition, monitoring window, lessons/actions, and residual-risk decision. diff --git a/plugins/cybersecurity-skills/skills/recover-security-incident/agents/openai.yaml b/plugins/cybersecurity-skills/skills/recover-security-incident/agents/openai.yaml new file mode 100644 index 00000000..c68310ff --- /dev/null +++ b/plugins/cybersecurity-skills/skills/recover-security-incident/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Recover Security Incident" + short_description: "Eradicate compromise and verify staged recovery" + default_prompt: "Use $recover-security-incident to restore trusted service and verify the original path is closed." diff --git a/plugins/cybersecurity-skills/skills/recover-security-incident/references/recovery-gates.md b/plugins/cybersecurity-skills/skills/recover-security-incident/references/recovery-gates.md new file mode 100644 index 00000000..9d5be304 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/recover-security-incident/references/recovery-gates.md @@ -0,0 +1,11 @@ +# Recovery Gates + +1. Scope gate: affected assets, identities, data, and access paths are sufficiently understood. +2. Eradication gate: entry path, persistence, vulnerable condition, and exposed secrets are remediated or explicitly mitigated. +3. Trust gate: rebuild/backup/configuration basis is known and verified. +4. Functional gate: critical behavior and dependencies pass tests. +5. Security gate: original path fails, controls and telemetry work, and no validated recurrence appears. +6. Staged service gate: limited users/traffic operate within monitoring thresholds. +7. Closure gate: temporary controls, notifications, evidence, lessons, owners, deadlines, and residual risk are accounted for. + +Do not remove containment merely because a deadline arrives; satisfy or explicitly accept each gate. diff --git a/plugins/cybersecurity-skills/skills/triage-security-incident/SKILL.md b/plugins/cybersecurity-skills/skills/triage-security-incident/SKILL.md new file mode 100644 index 00000000..aa8f9efa --- /dev/null +++ b/plugins/cybersecurity-skills/skills/triage-security-incident/SKILL.md @@ -0,0 +1,36 @@ +--- +name: triage-security-incident +description: Triage a suspected cybersecurity incident across endpoints, identities, applications, services, cloud resources, networks, or data. Use when an alert, report, compromise indicator, service disruption, unauthorized access, malware event, credential concern, or data exposure needs an incident owner, affected scope, urgency, evidence plan, immediate harm-reduction decision, and communication path. +--- + +# Triage Security Incident + +## Overview + +Establish whether coordinated response is needed, what may be affected, and who owns decisions. Preserve uncertainty and avoid destructive cleanup while urgent harm reduction and evidence collection are balanced. + +Read [references/incident-triage-record.md](references/incident-triage-record.md) for the initial record aligned with current NIST incident-response guidance. + +## Workflow + +1. Open the incident record. + - Record reporter, detection source, time/timezone, symptoms, affected person/system, current status, and incident lead. +2. Validate the signal. + - Preserve the original alert/report and confirm artifact, account, host, service, or event identity. + - Separate direct observation, external intelligence, automation labels, and speculation. +3. Estimate scope and urgency. + - Identify potentially affected assets, identities, data, users, environments, business function, privileges, and time window. + - Record ongoing execution, access, exfiltration, destruction, fraud, safety, or service impact. +4. Decide immediate harm reduction. + - Choose reversible isolation, session/token revocation, feature disablement, traffic control, or monitoring only when evidence and authority justify it. + - State evidence loss and operational impact. +5. Preserve priority evidence. + - Capture volatile state, logs, artifacts, identity/provider records, application events, network evidence, and timeline sources proportionately. +6. Establish coordination. + - Name technical, business, legal/privacy, communications, vendor/provider, and affected-user contacts as applicable; keep sensitive details need-to-know. +7. Route the next phase. + - Use containment for ongoing harm, hunting for scope, specialist analysis for evidence, and recovery only after eradication criteria are defined. + +## Output + +Return incident identity/owner, signal confidence, affected/potential scope, urgency, immediate actions, evidence plan, contacts, open questions, and next phase. diff --git a/plugins/cybersecurity-skills/skills/triage-security-incident/agents/openai.yaml b/plugins/cybersecurity-skills/skills/triage-security-incident/agents/openai.yaml new file mode 100644 index 00000000..441b939d --- /dev/null +++ b/plugins/cybersecurity-skills/skills/triage-security-incident/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Triage Security Incident" + short_description: "Establish incident scope, urgency, evidence, and owners" + default_prompt: "Use $triage-security-incident to establish this incident and the safest immediate response." diff --git a/plugins/cybersecurity-skills/skills/triage-security-incident/references/incident-triage-record.md b/plugins/cybersecurity-skills/skills/triage-security-incident/references/incident-triage-record.md new file mode 100644 index 00000000..ca480f54 --- /dev/null +++ b/plugins/cybersecurity-skills/skills/triage-security-incident/references/incident-triage-record.md @@ -0,0 +1,18 @@ +# Incident Triage Record + +```markdown +- Incident ID/title/status: +- Reporter/detection source/time: +- Incident lead and decision owners: +- Observed facts and confidence: +- Potentially affected assets/identities/data/users: +- Time window and ongoing behavior: +- Business/service/privacy/safety impact: +- Immediate harm-reduction action and evidence tradeoff: +- Evidence sources preserved/missing: +- Communication and notification contacts: +- Open hypotheses and disconfirming evidence: +- Next response phase and exit criteria: +``` + +Use current [NIST SP 800-61 Rev. 3](https://csrc.nist.gov/pubs/sp/800/61/r3/final). Treat incident response as part of ongoing risk management, preparation, detection, response, and recovery rather than a one-time linear checklist. diff --git a/scripts/export_hermes_skills.py b/scripts/export_hermes_skills.py index 4a4cdb9e..6270c9ac 100644 --- a/scripts/export_hermes_skills.py +++ b/scripts/export_hermes_skills.py @@ -14,11 +14,14 @@ SOURCE_ROOT = REPO_ROOT / "plugins" / "agent-portability-skills" / "skills" MESSAGING_SOURCE_ROOT = REPO_ROOT / "plugins" / "messaging-collaboration-skills" / "skills" APPLE_SOURCE_ROOT = REPO_ROOT / "plugins" / "apple-dev-skills" / "skills" +CYBERSECURITY_SOURCE_ROOT = REPO_ROOT / "plugins" / "cybersecurity-skills" / "skills" EXPORT_ROOT = REPO_ROOT / "skills" -EXPORTED_SKILLS = ( +AGENT_PORTABILITY_SKILLS = ( "bootstrap-skills-plugin-repo", "hermes-agent-compatibility", "sync-skills-repo-guidance", +) +MESSAGING_SKILLS = ( "apple-communication-workflow", "choose-platform-integration", "communication-notifications-workflow", @@ -35,12 +38,47 @@ "voip-sip-calling-workflow", "webhook-and-event-lifecycle", "whatsapp-business-workflow", +) +APPLE_SKILLS = ( "app-extension-architecture-workflow", "mailkit-workflow", "file-provider-and-finder-sync-workflow", ) -AGENT_PORTABILITY_SKILLS = frozenset(EXPORTED_SKILLS[:3]) -MESSAGING_SKILLS = frozenset(EXPORTED_SKILLS[3:19]) +CYBERSECURITY_SKILLS = ( + "analyze-suspicious-script-or-document", + "assess-and-explain-threat", + "assess-exposure-and-impact", + "assess-macos-threat", + "author-detection-content", + "author-yara-x-rules", + "check-artifact-reputation", + "contain-and-recover-macos", + "contain-security-incident", + "harden-macos", + "hunt-security-indicators", + "inspect-macos-persistence", + "inspect-macos-runtime-activity", + "map-malware-behavior", + "operate-agentic-security-tools", + "perform-dynamic-malware-analysis", + "perform-static-malware-analysis", + "preserve-security-evidence", + "recover-security-incident", + "report-security-assessment", + "route-security-work", + "scope-authorized-security-test", + "select-analysis-isolation", + "test-network-services", + "test-web-and-api-security", + "triage-security-incident", + "triage-suspicious-content", + "triage-vulnerability-report", + "use-objective-see-tools", + "validate-vulnerability", +) +EXPORTED_SKILLS = ( + AGENT_PORTABILITY_SKILLS + MESSAGING_SKILLS + APPLE_SKILLS + CYBERSECURITY_SKILLS +) class ExportError(RuntimeError): @@ -50,16 +88,13 @@ class ExportError(RuntimeError): def source_paths(source_root: Path | None = None) -> dict[str, Path]: if source_root is not None: return {skill_name: source_root / skill_name for skill_name in EXPORTED_SKILLS} - return { - skill_name: ( - SOURCE_ROOT - if skill_name in AGENT_PORTABILITY_SKILLS - else MESSAGING_SOURCE_ROOT - if skill_name in MESSAGING_SKILLS - else APPLE_SOURCE_ROOT - ) / skill_name - for skill_name in EXPORTED_SKILLS + roots = { + **{skill_name: SOURCE_ROOT for skill_name in AGENT_PORTABILITY_SKILLS}, + **{skill_name: MESSAGING_SOURCE_ROOT for skill_name in MESSAGING_SKILLS}, + **{skill_name: APPLE_SOURCE_ROOT for skill_name in APPLE_SKILLS}, + **{skill_name: CYBERSECURITY_SOURCE_ROOT for skill_name in CYBERSECURITY_SKILLS}, } + return {skill_name: roots[skill_name] / skill_name for skill_name in EXPORTED_SKILLS} def validate_sources(source_root: Path | None = None) -> None: diff --git a/skills.sh.json b/skills.sh.json index 7c0873c8..7a26082c 100644 --- a/skills.sh.json +++ b/skills.sh.json @@ -37,6 +37,41 @@ "mailkit-workflow", "file-provider-and-finder-sync-workflow" ] + }, + { + "title": "Cybersecurity Skills", + "skills": [ + "analyze-suspicious-script-or-document", + "assess-and-explain-threat", + "assess-exposure-and-impact", + "assess-macos-threat", + "author-detection-content", + "author-yara-x-rules", + "check-artifact-reputation", + "contain-and-recover-macos", + "contain-security-incident", + "harden-macos", + "hunt-security-indicators", + "inspect-macos-persistence", + "inspect-macos-runtime-activity", + "map-malware-behavior", + "operate-agentic-security-tools", + "perform-dynamic-malware-analysis", + "perform-static-malware-analysis", + "preserve-security-evidence", + "recover-security-incident", + "report-security-assessment", + "route-security-work", + "scope-authorized-security-test", + "select-analysis-isolation", + "test-network-services", + "test-web-and-api-security", + "triage-security-incident", + "triage-suspicious-content", + "triage-vulnerability-report", + "use-objective-see-tools", + "validate-vulnerability" + ] } ] } diff --git a/skills/analyze-suspicious-script-or-document/SKILL.md b/skills/analyze-suspicious-script-or-document/SKILL.md new file mode 100644 index 00000000..1840e36d --- /dev/null +++ b/skills/analyze-suspicious-script-or-document/SKILL.md @@ -0,0 +1,38 @@ +--- +name: analyze-suspicious-script-or-document +description: Decode and analyze suspicious scripts and active documents without triggering them. Use for shell, AppleScript, JavaScript, Python, PowerShell, shortcuts, Office files, PDFs, configuration profiles, encoded commands, macros, embedded objects, external templates, staged downloads, or mixed document-to-script payload chains. +--- + +# Analyze Suspicious Script Or Document + +## Overview + +Recover the execution chain as data. Use parsers and text extraction in isolation, avoid native handlers, and make each decoding transformation reproducible. + +Read [references/script-document-analysis.md](references/script-document-analysis.md) for language and document-specific checks. + +## Workflow + +1. Preserve the original and identify the real container/type. +2. Extract without activation. + - List document members and relationships; extract text, metadata, macros, JavaScript, forms, links, embedded files, and external references with non-executing tooling. + - Render URLs and commands as inert text. +3. Normalize one layer at a time. + - Decode base64/hex/URL escapes, string concatenation, compression, character arithmetic, environment substitution, and generated commands. + - Record input, operation, tool, and output hash for every layer. +4. Reconstruct control and data flow. + - Identify entry conditions, interpreter, downloaded content, execution methods, persistence, credential/file access, network destinations, cleanup, and environment gates. +5. Separate capability from execution. + - State which branches are present, which inputs activate them, and which behaviors remain inferred. +6. Route payloads. + - Send recovered binaries to static/reverse analysis and use dynamic analysis only inside chosen isolation. + +## Guardrails + +- Do not paste decoded commands into an executing shell. +- Do not enable macros, install profiles, follow links, or import shortcuts during static analysis. +- Do not use a cloud document parser for private content without approval. + +## Output + +Return container identity, recovered layers, execution chain, indicators, activation conditions, likely impact, uncertainty, and safe next step. diff --git a/skills/analyze-suspicious-script-or-document/agents/openai.yaml b/skills/analyze-suspicious-script-or-document/agents/openai.yaml new file mode 100644 index 00000000..d3f31070 --- /dev/null +++ b/skills/analyze-suspicious-script-or-document/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Analyze Suspicious Script Or Document" + short_description: "Decode active scripts and documents without execution" + default_prompt: "Use $analyze-suspicious-script-or-document to recover this active-content chain safely." diff --git a/skills/analyze-suspicious-script-or-document/references/script-document-analysis.md b/skills/analyze-suspicious-script-or-document/references/script-document-analysis.md new file mode 100644 index 00000000..c445ad0d --- /dev/null +++ b/skills/analyze-suspicious-script-or-document/references/script-document-analysis.md @@ -0,0 +1,11 @@ +# Script And Document Analysis + +| Surface | Inspect | Avoid during static work | +| --- | --- | --- | +| Shell/AppleScript | interpreters, expansions, heredocs, pipelines, `osascript`, downloads, launch/persistence commands | sourcing or command substitution | +| JavaScript/Python/PowerShell | imports, eval/exec, network, filesystem, subprocess, encoded strings, environment gates | native interpreter execution | +| Office/Open XML | relationships, macros, embedded OLE, external templates, DDE, links | opening with macros or external content enabled | +| PDF | objects, streams, JavaScript, actions, forms, launch/URI entries, embedded files | native preview/browser rendering before parser review | +| Shortcuts/profiles | declared actions or payloads, permissions, certificates, URLs, management settings | importing, installing, or approving payloads | + +Prefer format-aware parsers inside a disposable environment. Parser failure or malformed structure is evidence to preserve, not a reason to open the file normally. diff --git a/skills/assess-and-explain-threat/SKILL.md b/skills/assess-and-explain-threat/SKILL.md new file mode 100644 index 00000000..0710ae54 --- /dev/null +++ b/skills/assess-and-explain-threat/SKILL.md @@ -0,0 +1,42 @@ +--- +name: assess-and-explain-threat +description: Assess whether suspicious evidence indicates a real threat and explain the result in practical language. Use when a person needs a confidence-calibrated conclusion, immediate protective actions, remaining uncertainty, impact, or understandable advice after artifact, endpoint, vulnerability, identity, or incident evidence has been collected. +--- + +# Assess And Explain Threat + +## Overview + +Turn mixed evidence into a proportionate conclusion and advice the affected person can follow. Do not collapse signatures, reputation, scanner output, or unusual behavior into a binary safe/malicious verdict. + +Read [references/confidence-and-advice.md](references/confidence-and-advice.md) for conclusion vocabulary and the explanation shape. + +## Workflow + +1. Restate the decision. + - Identify what the user must decide now and what can wait for more evidence. + +2. Grade evidence by directness. + - Separate direct observations, reproducible behaviors, vendor or threat-intelligence claims, weak indicators, absence of findings, and speculation. + - Record contradicting evidence and coverage gaps. + +3. Assess behavior and impact. + - State what access, execution, persistence, collection, credential use, network behavior, or data exposure is observed or technically plausible. + - Distinguish capability from intent and artifact presence from successful compromise. + +4. Choose a calibrated classification. + - Use one classification from the reference and state confidence separately. + - Name the strongest supporting evidence and what would change the conclusion. + +5. Give proportionate advice. + - Put urgent harm-reduction actions first. + - Separate containment, evidence preservation, recovery, credential actions, notification, and long-term hardening. + - Avoid destructive cleanup when evidence is weak and reversible isolation is available. + +6. Give a plain-language explanation. + - Answer whether the concern is dangerous, what it appears to do, what is known versus inferred, what to do now, and when to escalate. + - Define specialist terms at first use and avoid fear-amplifying language. + +## Output + +Return the conclusion, confidence, decisive evidence, contradictions/gaps, immediate actions, follow-up analysis, and a short non-specialist explanation. diff --git a/skills/assess-and-explain-threat/agents/openai.yaml b/skills/assess-and-explain-threat/agents/openai.yaml new file mode 100644 index 00000000..e09427a1 --- /dev/null +++ b/skills/assess-and-explain-threat/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Assess And Explain Threat" + short_description: "Calibrate threat confidence and explain practical risk" + default_prompt: "Use $assess-and-explain-threat to turn this evidence into a clear, proportionate security assessment." diff --git a/skills/assess-and-explain-threat/references/confidence-and-advice.md b/skills/assess-and-explain-threat/references/confidence-and-advice.md new file mode 100644 index 00000000..53f6cd40 --- /dev/null +++ b/skills/assess-and-explain-threat/references/confidence-and-advice.md @@ -0,0 +1,22 @@ +# Confidence And Advice + +## Classification + +- `confirmed malicious`: direct, reproducible evidence establishes malicious behavior for the tested question. +- `likely malicious`: multiple independent indicators support malicious behavior, but a decisive observation remains missing. +- `suspicious but unresolved`: behavior or provenance warrants isolation and follow-up, while benign explanations remain credible. +- `likely benign or expected`: observed behavior matches a legitimate explanation and no material malicious evidence was found in the tested scope. +- `confirmed benign for the tested question`: a controlled fixture, authoritative source, or complete reproduction resolves the specific concern; do not generalize beyond it. +- `insufficient evidence`: available evidence cannot support a responsible conclusion. + +State confidence as high, medium, or low and explain why. Confidence describes evidence quality, not severity. + +## Plain-Language Shape + +1. “Based on what we checked, this is …” +2. “The strongest evidence is …” +3. “We still do not know …” +4. “Do this now …” +5. “Do this next if …” + +Avoid “safe,” “clean,” or “hacked” without a bounded definition and supporting evidence. diff --git a/skills/assess-exposure-and-impact/SKILL.md b/skills/assess-exposure-and-impact/SKILL.md new file mode 100644 index 00000000..4fe5a51a --- /dev/null +++ b/skills/assess-exposure-and-impact/SKILL.md @@ -0,0 +1,32 @@ +--- +name: assess-exposure-and-impact +description: Prioritize a validated or plausible vulnerability using actual asset exposure and impact. Use when affected versions, deployment reachability, attacker prerequisites, privileges, sensitive data, exploit maturity, CISA KEV status, vendor guidance, mitigations, detection, business criticality, CVSS, and remediation urgency must be combined without relying on a severity score alone. +--- + +# Assess Exposure And Impact + +## Overview + +Translate a technical finding into asset-specific risk and action. Treat CVSS as one technical severity input and current exploitation intelligence as another; neither replaces deployed context. + +Read [references/exposure-impact-model.md](references/exposure-impact-model.md) for the decision factors. + +## Workflow + +1. Confirm finding confidence and exact affected/fixed versions. +2. Inventory affected assets. + - Record internet/internal/local reachability, environment, owner, business function, data, users, privileges, and compensating controls. +3. Model attacker requirements. + - Record access position, authentication, user interaction, configuration, chaining, reliability, and detection likelihood. +4. Check current intelligence. + - Review vendor advisory, fixed release, exploit maturity, CISA KEV/ransomware status, ecosystem advisories, and known active campaigns; date sources. +5. Evaluate consequence. + - Assess confidentiality, integrity, availability, privilege, blast radius, persistence, recovery difficulty, safety/legal/privacy obligations, and business interruption. +6. Evaluate mitigations. + - Test whether configuration, network controls, feature disablement, isolation, monitoring, or virtual patching actually blocks the validated path. +7. Prioritize action. + - Recommend patch, mitigate, isolate, monitor, accept temporarily with owner/expiry, or investigate further; include retest criteria. + +## Output + +Return affected assets, exposure path, impact, current exploitation context, mitigations, priority/rationale, action owner/deadline, and residual uncertainty. diff --git a/skills/assess-exposure-and-impact/agents/openai.yaml b/skills/assess-exposure-and-impact/agents/openai.yaml new file mode 100644 index 00000000..d48c9d79 --- /dev/null +++ b/skills/assess-exposure-and-impact/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Assess Exposure And Impact" + short_description: "Prioritize vulnerabilities from real exposure and consequence" + default_prompt: "Use $assess-exposure-and-impact to prioritize this finding from actual deployed risk." diff --git a/skills/assess-exposure-and-impact/references/exposure-impact-model.md b/skills/assess-exposure-and-impact/references/exposure-impact-model.md new file mode 100644 index 00000000..84f3a78c --- /dev/null +++ b/skills/assess-exposure-and-impact/references/exposure-impact-model.md @@ -0,0 +1,17 @@ +# Exposure And Impact Model + +Evaluate together: + +- evidence confidence and exploit reliability; +- exact affected asset/version/configuration; +- reachable attack surface and authentication; +- attacker prerequisites and user interaction; +- privileges and security boundary crossed; +- data, service, user, and business consequence; +- blast radius and chaining potential; +- vendor fix/mitigation and operational cost; +- current exploitation evidence, including [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog); +- detection and recovery capability; +- CVSS vector/version, not score alone. + +Record the current [CVSS v4.0 specification](https://www.first.org/cvss/v4.0/specification-document) when calculating a vector. Keep business priority separate from the technical vector. diff --git a/skills/assess-macos-threat/SKILL.md b/skills/assess-macos-threat/SKILL.md new file mode 100644 index 00000000..d2cd046d --- /dev/null +++ b/skills/assess-macos-threat/SKILL.md @@ -0,0 +1,33 @@ +--- +name: assess-macos-threat +description: Assess a suspected macOS security threat using exact host, artifact, and platform evidence. Use for suspicious apps, packages, processes, prompts, downloads, profiles, extensions, XProtect or Gatekeeper alerts, account behavior, persistence, privacy access, or unexpected network activity when signing, notarization, quarantine, TCC, SIP, and observed behavior must remain distinct. +--- + +# Assess macOS Threat + +## Overview + +Establish the affected Mac and event timeline before changing the system. Use Apple security layers as separate evidence sources and route focused persistence, runtime, artifact, or containment work from the resulting record. + +Read [references/macos-security-layers.md](references/macos-security-layers.md) when interpreting platform controls or alerts. + +## Workflow + +1. Identify the Mac and event. + - Record model/chip, exact macOS build, update state, user/session, time/timezone, managed-device context, and what the person observed. +2. Preserve the triggering evidence. + - Record alert text/screenshots, file path/source/hash, quarantine metadata, process identity, prompts, downloads, and relevant logs before cleanup. +3. Inspect artifact identity. + - Record real type, bundle/package metadata, signer, Team ID, signature verification, notarization assessment, entitlements, modifications, and source channel. + - Route binary internals to Reverse Engineering Skills. +4. Inspect platform evidence. + - Check Gatekeeper/quarantine context, XProtect detections or remediation evidence, TCC/privacy grants, profiles, login/background items, system extensions, and relevant system policy without disabling protections. +5. Correlate behavior. + - Route process/file/network evidence to runtime inspection and startup/registration clues to persistence inspection. + - Separate a blocked attempt from successful execution and successful execution from compromise. +6. Assess and advise. + - State classification/confidence, immediate isolation needs, evidence gaps, and the smallest next workflow. + +## Output + +Return host/event identity, platform-layer evidence, artifact identity, observed behavior, assessment/confidence, immediate advice, and focused next checks. diff --git a/skills/assess-macos-threat/agents/openai.yaml b/skills/assess-macos-threat/agents/openai.yaml new file mode 100644 index 00000000..6ec797f3 --- /dev/null +++ b/skills/assess-macos-threat/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Assess macOS Threat" + short_description: "Assess Mac threats across distinct security layers" + default_prompt: "Use $assess-macos-threat to assess this Mac concern without weakening platform protections." diff --git a/skills/assess-macos-threat/references/macos-security-layers.md b/skills/assess-macos-threat/references/macos-security-layers.md new file mode 100644 index 00000000..2706f5e4 --- /dev/null +++ b/skills/assess-macos-threat/references/macos-security-layers.md @@ -0,0 +1,15 @@ +# macOS Security Layers + +Keep these meanings distinct: + +- quarantine/provenance: records downloaded-content origin and first-open context; +- Gatekeeper: evaluates whether downloaded software may launch under current policy; +- notarization: Apple scanned a submitted artifact for known malicious content at submission time; +- XProtect: detects, blocks, and may remediate known or behaviorally suspicious malware; +- code signing: binds identity/integrity and declared entitlements, not benign intent; +- TCC: user/admin-mediated access to protected data and capabilities; +- App Sandbox and containers: constrain participating apps and protect app data; +- SIP and mandatory controls: protect system and data surfaces beyond ordinary root access; +- Endpoint Security: telemetry/control API whose evidence depends on client entitlement and permissions. + +Use current [Apple Platform Security malware guidance](https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web). Record exact OS build because enforcement and available events change. diff --git a/skills/author-detection-content/SKILL.md b/skills/author-detection-content/SKILL.md new file mode 100644 index 00000000..aa0aeb90 --- /dev/null +++ b/skills/author-detection-content/SKILL.md @@ -0,0 +1,34 @@ +--- +name: author-detection-content +description: Turn validated security behavior into tested detection content. Use for Sigma, osquery, YARA-X routing, endpoint queries, SIEM rules, cloud or application detections, correlation logic, alert enrichment, or regression fixtures when telemetry prerequisites, provenance, expected matches, benign negatives, false-positive controls, performance, severity, response, deployment, and maintenance ownership must be explicit. +--- + +# Author Detection Content + +## Overview + +Detect the validated behavior at the most reliable telemetry layer. Use `author-yara-x-rules` for artifact pattern rules; use this workflow for event, query, correlation, and alert content. + +Read [references/detection-quality.md](references/detection-quality.md) before choosing logic or deployment severity. + +## Workflow + +1. Define objective and response. + - State the behavior, threat/finding source, protected surface, expected alert consumer, urgency, and action. +2. Identify telemetry prerequisites. + - Record source/product/version, event types/fields, collection permissions, normalization, retention, latency, and known blind spots. +3. Select durable features. + - Prefer behavior and context combinations over mutable infrastructure or one noisy field. + - Map to ATT&CK only when evidence supports it. +4. Author content. + - Include title/ID, description, status, author/date, references, log source, logic/query, fields, false positives, level/severity, tags, and test notes as the target format permits. +5. Test fixtures. + - Include validated positive events, benign near-misses, missing/renamed fields, ordering/time-window cases, duplicate events, volume/performance, and known platform variants. +6. Tune and validate response. + - Improve logic before adding exclusions; verify enrichment and runbook lead an analyst to decisive evidence. +7. Deploy and maintain. + - Record target environments, owner, version, rollout, alert volume, suppression/exception expiry, health checks, and review triggers. + +## Output + +Return detection content, telemetry contract, evidence provenance, fixture results, false positives/limits, performance, severity/response, deployment plan, and owner/review date. diff --git a/skills/author-detection-content/agents/openai.yaml b/skills/author-detection-content/agents/openai.yaml new file mode 100644 index 00000000..f91d3157 --- /dev/null +++ b/skills/author-detection-content/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Author Detection Content" + short_description: "Build telemetry-backed detections with regression fixtures" + default_prompt: "Use $author-detection-content to turn this validated behavior into tested detection logic." diff --git a/skills/author-detection-content/references/detection-quality.md b/skills/author-detection-content/references/detection-quality.md new file mode 100644 index 00000000..ca6f72db --- /dev/null +++ b/skills/author-detection-content/references/detection-quality.md @@ -0,0 +1,12 @@ +# Detection Quality Checklist + +- Objective describes one validated behavior and intended response. +- Telemetry source, version, permissions, fields, normalization, and gaps are explicit. +- Logic uses durable features with documented provenance. +- Positive fixtures reproduce the behavior; benign negatives challenge the same fields. +- Missing fields, duplicates, event order, time windows, platform variants, and load are tested. +- False-positive guidance explains analyst validation, not blanket suppression. +- Severity matches response urgency and evidence, not ATT&CK tactic alone. +- Rule ID/version, owner, deployment scope, alert health, exception expiry, and review trigger are recorded. + +For artifact pattern matching, use `author-yara-x-rules`. For portable event rules, use the current target format specification rather than assuming Sigma or query-field compatibility across backends. diff --git a/skills/author-yara-x-rules/SKILL.md b/skills/author-yara-x-rules/SKILL.md new file mode 100644 index 00000000..f6f4b25c --- /dev/null +++ b/skills/author-yara-x-rules/SKILL.md @@ -0,0 +1,36 @@ +--- +name: author-yara-x-rules +description: Author, test, tune, and document YARA-X detection rules from validated artifact evidence. Use when malware, suspicious files, scripts, documents, or binary features need local pattern detection with stable discriminators, metadata, positive and negative fixtures, performance checks, false-positive review, rule provenance, and regression testing. +--- + +# Author YARA-X Rules + +## Overview + +Create rules that detect the validated property the evidence supports, not a broader malware-family claim. Prefer structural combinations over unique-looking strings copied from one sample. + +Read [references/yara-x-rule-quality.md](references/yara-x-rule-quality.md) before selecting patterns or declaring coverage. + +## Workflow + +1. Define the detection objective and non-goals. +2. Build the fixture set. + - Preserve representative positive samples and near-miss benign negatives with hashes and provenance. + - Use synthetic or redistributable fixtures for repository tests. +3. Select discriminators. + - Prefer format/module facts, byte structures, stable code/config fragments, and combinations of independently meaningful strings. + - Avoid mutable infrastructure, compiler boilerplate, paths, timestamps, or one generic API name as decisive evidence. +4. Author metadata and conditions. + - Include purpose, author, date, source/evidence reference, scope, confidence, and known limitations. + - Bound file type and size where it improves correctness or performance. +5. Validate with current YARA-X. + - Record version; compile/lint the rule; test all positives, negatives, malformed inputs, and a bounded benign corpus. + - Investigate timeouts, warnings, and module-undefined behavior. +6. Review false positives and coverage. + - Tune by improving evidence combinations, not by accumulating arbitrary exclusions. +7. Preserve regression evidence. + - Store allowed fixtures or deterministic generators, expected matches/non-matches, and rule revision. + +## Output + +Return the rule, objective, evidence basis, fixture results, performance notes, known misses/false positives, and deployment limits. diff --git a/skills/author-yara-x-rules/agents/openai.yaml b/skills/author-yara-x-rules/agents/openai.yaml new file mode 100644 index 00000000..cb48832d --- /dev/null +++ b/skills/author-yara-x-rules/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Author YARA-X Rules" + short_description: "Build evidence-backed YARA-X rules with regression tests" + default_prompt: "Use $author-yara-x-rules to create and test a narrow detection rule from this evidence." diff --git a/skills/author-yara-x-rules/references/yara-x-rule-quality.md b/skills/author-yara-x-rules/references/yara-x-rule-quality.md new file mode 100644 index 00000000..566528a9 --- /dev/null +++ b/skills/author-yara-x-rules/references/yara-x-rule-quality.md @@ -0,0 +1,15 @@ +# YARA-X Rule Quality + +Require: + +- current YARA-X syntax and exact tested version; +- a narrow detection objective; +- provenance for every decisive feature; +- at least one positive and meaningful benign negative fixture; +- format/size guards where relevant; +- expected undefined-module behavior; +- regression results and known limits. + +Treat packed, encrypted, truncated, universal, nested, and script/document variants as separate coverage questions. A rule matching one sample does not establish family coverage. + +Use the current [YARA-X documentation](https://virustotal.github.io/yara-x/docs/) and migration guidance. Original YARA compatibility is high but not absolute. diff --git a/skills/check-artifact-reputation/SKILL.md b/skills/check-artifact-reputation/SKILL.md new file mode 100644 index 00000000..f4b2f7ef --- /dev/null +++ b/skills/check-artifact-reputation/SKILL.md @@ -0,0 +1,39 @@ +--- +name: check-artifact-reputation +description: Check local and external reputation for a suspicious artifact, signer, hash, URL, domain, certificate, package, or vendor. Use when provenance and threat-intelligence context could inform triage, while sample-upload privacy, stale intelligence, hash-only misses, false positives, and reputation-versus-behavior limits must remain explicit. +--- + +# Check Artifact Reputation + +## Overview + +Gather provenance and intelligence without treating popularity, valid signing, a clean lookup, or a vendor label as a safety verdict. Prefer local identity and vendor sources before sending data to third parties. + +Read [references/reputation-evidence.md](references/reputation-evidence.md) for source ordering and interpretation. + +## Workflow + +1. Fix identity. + - Record artifact hashes, signer/certificate, exact version, source URL, domain, resolved destinations, and acquisition time. + +2. Check local evidence. + - Inspect quarantine/provenance, signature/notarization, known installation records, local security detections, and expected vendor distribution paths. + +3. Check authoritative sources. + - Prefer vendor advisories, release checksums/signatures, certificate status, official repositories, and current platform security sources. + - Date each lookup. + +4. Decide whether external intelligence is appropriate. + - Explain whether the service receives only a hash/domain or may upload/retain the artifact. + - Obtain explicit approval before sending private artifacts, URLs, customer data, or unknown binaries. + +5. Correlate results. + - Record detection names, engines/sources, first/last seen, submission context, prevalence, relations, and conflicting classifications. + - Distinguish “not present” from “known benign.” + +6. Feed behavior analysis. + - Use reputation to prioritize static/dynamic checks, not replace them. + +## Output + +Return identity, sources/date, privacy decision, reputation observations, conflicts, interpretation limits, confidence effect, and next behavioral check. diff --git a/skills/check-artifact-reputation/agents/openai.yaml b/skills/check-artifact-reputation/agents/openai.yaml new file mode 100644 index 00000000..9560b3b4 --- /dev/null +++ b/skills/check-artifact-reputation/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Check Artifact Reputation" + short_description: "Check provenance and reputation with privacy controls" + default_prompt: "Use $check-artifact-reputation to check this artifact without treating reputation as a verdict." diff --git a/skills/check-artifact-reputation/references/reputation-evidence.md b/skills/check-artifact-reputation/references/reputation-evidence.md new file mode 100644 index 00000000..e34a02c8 --- /dev/null +++ b/skills/check-artifact-reputation/references/reputation-evidence.md @@ -0,0 +1,19 @@ +# Reputation Evidence + +Prefer sources in this order when applicable: + +1. original vendor release channel, checksums, signatures, and advisories; +2. platform identity and security evidence; +3. current certificate/domain registration and infrastructure facts; +4. public vulnerability or malware intelligence tied to exact identifiers; +5. multi-engine reputation services after privacy review; +6. community discussion as a lead requiring independent confirmation. + +Interpret carefully: + +- valid signature: identity/integrity evidence, not benign behavior; +- notarized: no known issue at notarization time, not a permanent safety guarantee; +- zero detections: absence of matching intelligence, not proof of safety; +- one generic detection: weak evidence until behavior or additional sources corroborate it; +- many consistent detections: strong prioritization evidence, still record artifact identity and behavior; +- hash miss: expected for new, rebuilt, packed, or modified artifacts. diff --git a/skills/contain-and-recover-macos/SKILL.md b/skills/contain-and-recover-macos/SKILL.md new file mode 100644 index 00000000..e6bc7a66 --- /dev/null +++ b/skills/contain-and-recover-macos/SKILL.md @@ -0,0 +1,36 @@ +--- +name: contain-and-recover-macos +description: Contain a suspected or confirmed macOS threat and verify recovery. Use when a Mac may need network isolation, process or service containment, account and credential response, persistence removal, artifact quarantine, backup/restore, erase/reinstall, monitoring, or return-to-service decisions while evidence loss, user impact, and platform protections remain explicit. +--- + +# Contain And Recover macOS + +## Overview + +Choose actions proportionate to evidence and ongoing harm. Preserve what matters, use official lifecycle controls, and verify the system after eradication rather than declaring it clean because one artifact disappeared. + +Read [references/macos-response-ladder.md](references/macos-response-ladder.md) for containment and recovery levels. + +## Workflow + +1. Confirm assessment, confidence, affected scope, ongoing behavior, critical data, and evidence needs. +2. Choose immediate containment. + - Prefer reversible network/account/session isolation when it stops harm. + - Record the effect on volatile evidence and business/user access. +3. Preserve decisive evidence. + - Capture artifact, persistence, process/network/log, account, and timeline records before removal when delay is safe. +4. Stop active behavior through official controls. + - End processes/services deliberately; use `launchctl bootout` for approved launch service removal from a domain, app-provided uninstallers for app components, and supported profile/extension management surfaces. + - Never edit launchd's internal state directly. +5. Eradicate the verified mechanism. + - Remove or quarantine confirmed artifacts, registrations, extensions, profiles, helpers, rules, and downloaded stages; preserve hashes and paths. +6. Respond to identity exposure. + - Rotate affected credentials/tokens from a trusted device, revoke sessions/keys, review MFA and recovery methods, and notify owners/providers as warranted. +7. Recover. + - Restore from a known-good point, reinstall/erase when integrity cannot be established, apply updates, reconfigure only needed access, and avoid restoring suspect persistence. +8. Verify and monitor. + - Recheck persistence, runtime/network, accounts, security updates, backups, and recurrence across a defined observation window. + +## Output + +Return containment/impact, evidence preserved, eradication actions, credential response, recovery basis, verification results, residual uncertainty, and return-to-service decision. diff --git a/skills/contain-and-recover-macos/agents/openai.yaml b/skills/contain-and-recover-macos/agents/openai.yaml new file mode 100644 index 00000000..14bddf4c --- /dev/null +++ b/skills/contain-and-recover-macos/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Contain And Recover macOS" + short_description: "Contain Mac threats and verify trustworthy recovery" + default_prompt: "Use $contain-and-recover-macos to choose proportionate containment and verify recovery." diff --git a/skills/contain-and-recover-macos/references/macos-response-ladder.md b/skills/contain-and-recover-macos/references/macos-response-ladder.md new file mode 100644 index 00000000..0266558a --- /dev/null +++ b/skills/contain-and-recover-macos/references/macos-response-ladder.md @@ -0,0 +1,10 @@ +# macOS Response Ladder + +1. Observe: preserve evidence; no system change. +2. Restrict: disconnect selected networks, revoke sessions, disable a user-visible integration, or pause one process. +3. Contain: isolate the host/account, boot out an approved service, block a validated destination, or quarantine a confirmed artifact. +4. Eradicate: remove verified persistence/components and affected credentials through supported lifecycle paths. +5. Recover: restore/reinstall, patch, reconfigure, and return data from a known-good basis. +6. Rebuild/erase: use when privileged compromise, unknown persistence, tampered protections, or missing evidence prevents trustworthy recovery. + +Choose the lowest level that stops ongoing harm and supports a verifiable recovery. Escalate when evidence shows broader access or the chosen step cannot be verified. diff --git a/skills/contain-security-incident/SKILL.md b/skills/contain-security-incident/SKILL.md new file mode 100644 index 00000000..b72d2f91 --- /dev/null +++ b/skills/contain-security-incident/SKILL.md @@ -0,0 +1,34 @@ +--- +name: contain-security-incident +description: Contain an active or credible cybersecurity incident across hosts, identities, applications, services, cloud resources, networks, or data. Use when ongoing access, execution, exfiltration, fraud, destruction, lateral movement, unsafe service behavior, or repeated compromise must be interrupted with authorized, reversible actions while evidence, business impact, dependencies, communication, and rollback are tracked. +--- + +# Contain Security Incident + +## Overview + +Interrupt the validated path of harm with the smallest effective action, then verify the containment. Do not confuse a blocked symptom with eradication or recovery. + +Read [references/containment-plan.md](references/containment-plan.md) before making disruptive changes. + +## Workflow + +1. Confirm incident lead, authority, current scope, harm path, critical services, evidence priorities, and emergency contacts. +2. Model containment choices. + - Consider host/network isolation, process/service suspension, account disablement, session/token/key revocation, access-policy change, application feature disablement, route/rule changes, or provider controls. + - Record expected harm reduction, operational impact, volatile evidence loss, dependencies, rollback, and attacker visibility. +3. Sequence actions. + - Address active exfiltration/destruction/safety first, then privileged access, propagation, persistence, and re-entry paths. + - Coordinate simultaneous identity, host, application, and network actions when staggered changes would alert or strand access. +4. Apply approved changes. + - Record exact target, operator, time, command/control surface, result, failures, and unexpected effects. +5. Verify containment. + - Check that the harmful path stopped, access/session state changed, affected services remain understood, and monitoring still functions. +6. Expand scope carefully. + - Hunt for related indicators and access paths; update the incident record before new targets or actions. +7. Define exit criteria. + - State what evidence permits eradication/recovery and what temporary controls must remain. + +## Output + +Return containment objective, options/tradeoffs, actions/results, verification, residual access, business impact, temporary controls, rollback, and next-phase criteria. diff --git a/skills/contain-security-incident/agents/openai.yaml b/skills/contain-security-incident/agents/openai.yaml new file mode 100644 index 00000000..112c46f0 --- /dev/null +++ b/skills/contain-security-incident/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Contain Security Incident" + short_description: "Interrupt active harm with verified, reversible controls" + default_prompt: "Use $contain-security-incident to choose, apply, and verify proportionate containment." diff --git a/skills/contain-security-incident/references/containment-plan.md b/skills/contain-security-incident/references/containment-plan.md new file mode 100644 index 00000000..8815082e --- /dev/null +++ b/skills/contain-security-incident/references/containment-plan.md @@ -0,0 +1,17 @@ +# Incident Containment Plan + +For each action record: + +| Field | Content | +| --- | --- | +| Harm path | Access or behavior being interrupted | +| Target | Exact host, account, token, service, route, rule, or feature | +| Action/authority | Approved control and decision owner | +| Evidence effect | Volatile data or visibility lost/preserved | +| Operational effect | Users, services, dependencies, and duration | +| Attacker effect | Access removed, signal exposed, or path merely displaced | +| Rollback | Safe reversal and owner | +| Verification | Evidence that containment worked | +| Residual risk | Remaining path or uncertainty | + +Keep temporary containment changes inventoried so recovery does not silently leave emergency rules or disabled controls behind. diff --git a/skills/harden-macos/SKILL.md b/skills/harden-macos/SKILL.md new file mode 100644 index 00000000..148fd7c2 --- /dev/null +++ b/skills/harden-macos/SKILL.md @@ -0,0 +1,35 @@ +--- +name: harden-macos +description: Review and improve macOS defensive posture after a threat assessment, incident, or general security request. Use for updates, XProtect/Gatekeeper posture, FileVault, firewall and sharing, remote access, accounts, login/background items, profiles/extensions, browser safety, privacy permissions, backups, credential habits, and monitoring while preserving usability and managed-device policy. +--- + +# Harden macOS + +## Overview + +Strengthen the actual exposure found on the Mac and verify each change. Preserve built-in protections, user access, recoverability, and organization management requirements. + +Read [references/macos-hardening-review.md](references/macos-hardening-review.md) for a risk-ordered review. + +## Workflow + +1. Establish context. + - Record exact macOS build/hardware, device ownership/management, users, role, exposed services, sensitive data, backups, and the threat being reduced. +2. Apply supported updates. + - Verify OS, rapid/security data updates, browsers, extensions, apps, and package managers from authoritative channels. +3. Preserve platform protections. + - Verify Gatekeeper/XProtect automatic protection, SIP, TCC/privacy access, code-signing expectations, and sandbox/container use where applicable. +4. Protect data and recovery. + - Review FileVault/recovery ownership, screen lock, backup availability and restore testing, account separation, and secure disposal/export practices. +5. Reduce exposed services and persistence. + - Review sharing, remote login/management, firewall policy, listeners, login/background items, profiles, system/network/browser extensions, and privileged helpers. +6. Improve identity/browser behavior. + - Review MFA, password manager use, recovery methods, session/token hygiene, download sources, extensions, phishing-resistant habits, and administrator use. +7. Add proportionate visibility. + - Define which alerts/logs or endpoint tooling are maintained, who reviews them, and how false positives are handled. +8. Verify and document. + - Re-read changed settings, test access/recovery, record exceptions and owner, and avoid claiming perfect prevention. + +## Output + +Return baseline, prioritized changes, applied/verified settings, deferred items and tradeoffs, recovery check, and residual risk. diff --git a/skills/harden-macos/agents/openai.yaml b/skills/harden-macos/agents/openai.yaml new file mode 100644 index 00000000..fdf5163c --- /dev/null +++ b/skills/harden-macos/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Harden macOS" + short_description: "Improve Mac defenses without sacrificing recovery" + default_prompt: "Use $harden-macos to prioritize and verify practical defenses for this Mac." diff --git a/skills/harden-macos/references/macos-hardening-review.md b/skills/harden-macos/references/macos-hardening-review.md new file mode 100644 index 00000000..6ae2ca3d --- /dev/null +++ b/skills/harden-macos/references/macos-hardening-review.md @@ -0,0 +1,14 @@ +# macOS Hardening Review + +Review in risk order: + +1. active compromise or exposed credentials; +2. supported OS and current security data updates; +3. FileVault, screen lock, backups, and recovery ownership; +4. administrator accounts, remote access, sharing, and listening services; +5. Gatekeeper/XProtect/SIP/TCC and security-tool health; +6. login/background items, profiles, helpers, and extensions; +7. browsers, downloads, password manager, MFA, and recovery methods; +8. monitoring, alert ownership, and periodic recheck. + +Use current Apple Platform Security and official support documentation for the exact OS. Do not prescribe disabling SIP, Gatekeeper, quarantine, XProtect, or automatic security updates as routine hardening. diff --git a/skills/hunt-security-indicators/SKILL.md b/skills/hunt-security-indicators/SKILL.md new file mode 100644 index 00000000..349430e6 --- /dev/null +++ b/skills/hunt-security-indicators/SKILL.md @@ -0,0 +1,34 @@ +--- +name: hunt-security-indicators +description: Hunt scoped systems and telemetry for supplied security indicators or behaviors. Use for hashes, paths, domains, addresses, certificates, accounts, processes, commands, persistence, ATT&CK behaviors, cloud or application events, or incident expansion when data sources, time window, query logic, coverage, false positives, privacy, and follow-up validation must be explicit. +--- + +# Hunt Security Indicators + +## Overview + +Turn validated evidence into bounded queries across known data sources, then validate matches in context. Absence of matches means only that the indicator was not observed in the recorded coverage. + +Read [references/hunt-record.md](references/hunt-record.md) for query and coverage fields. + +## Workflow + +1. Define the hunt question and scope. + - Record incident/finding, assets, identities, environments, time window, data owners, privacy constraints, and expected decision. +2. Normalize indicators and behaviors. + - Preserve type, value, source, confidence, first/last seen, expected context, variants, and expiration. + - Prefer behavior chains over one mutable hash/domain when telemetry supports them. +3. Inventory data sources. + - Record endpoint/process/file, identity, DNS/network/proxy, application, cloud, email, vulnerability, and backup evidence plus retention, collection delay, and gaps. +4. Write reproducible queries. + - Record platform/tool/version, exact query, normalization/timezone, filters, exclusions, and expected benign matches. +5. Validate matches. + - Correlate asset/user/time/process/parent/path/signer/network or application context; preserve false-positive rationale. +6. Expand deliberately. + - Pivot only from validated relations and update scope, indicators, and confidence. +7. Report coverage. + - State searched/failed sources, earliest/latest available data, assets not covered, matches, negative results, and next response/detection action. + +## Output + +Return hypothesis, indicators/behaviors, data coverage, queries, validated matches, false positives, gaps, pivots, and response recommendations. diff --git a/skills/hunt-security-indicators/agents/openai.yaml b/skills/hunt-security-indicators/agents/openai.yaml new file mode 100644 index 00000000..b73bf5f6 --- /dev/null +++ b/skills/hunt-security-indicators/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Hunt Security Indicators" + short_description: "Search scoped telemetry with explicit coverage and context" + default_prompt: "Use $hunt-security-indicators to search for these indicators and report the real coverage." diff --git a/skills/hunt-security-indicators/references/hunt-record.md b/skills/hunt-security-indicators/references/hunt-record.md new file mode 100644 index 00000000..88dc4813 --- /dev/null +++ b/skills/hunt-security-indicators/references/hunt-record.md @@ -0,0 +1,17 @@ +# Security Hunt Record + +```markdown +- Hunt question and source incident/finding: +- Assets/identities/environments/time window: +- Indicator or behavior, provenance, confidence, expiry: +- Data source, retention, delay, and permissions: +- Exact query/tool/version/timezone: +- Filters and known benign context: +- Matches and independent validation: +- False positives and rationale: +- Sources/assets not searched or failed: +- Coverage-bounded negative result: +- Approved pivots and next action: +``` + +Hash, address, and domain indicators decay quickly. Record date checked and prefer durable behavior/context when possible. diff --git a/skills/inspect-macos-persistence/SKILL.md b/skills/inspect-macos-persistence/SKILL.md new file mode 100644 index 00000000..fdca7607 --- /dev/null +++ b/skills/inspect-macos-persistence/SKILL.md @@ -0,0 +1,33 @@ +--- +name: inspect-macos-persistence +description: Inspect macOS persistence and recurring execution without deleting evidence. Use for suspicious login items, background items, launch agents or daemons, system or network extensions, configuration profiles, shell startup files, scheduled tasks, browser extensions, helper tools, app registrations, or startup behavior that may survive logout, reboot, or application exit. +--- + +# Inspect macOS Persistence + +## Overview + +Inventory registered and file-backed persistence, then correlate it with loaded runtime state and installation history. Read files and official service state; never manage launchd by editing its internal state. + +Read [references/macos-persistence-surfaces.md](references/macos-persistence-surfaces.md) for prioritized surfaces and evidence fields. + +## Workflow + +1. Record host/build, user domains, event timeline, and the suspected executable or label. +2. Inventory user-visible registrations. + - Review Login Items and background-item state, profiles, extensions, browser add-ons, and app-managed helpers. +3. Inventory launch services. + - Inspect user/system LaunchAgents and LaunchDaemons as files and query service state through `launchctl` read operations. + - Record label, domain, program/arguments, working directory, environment, sockets, keep-alive/start conditions, owner/permissions, signer, and loaded PID/status. +4. Inspect adjacent persistence. + - Review shell startup files, scheduled jobs, package receipts/scripts, privileged helpers, system/network extensions, authorization plugins, and current platform-specific surfaces justified by evidence. +5. Correlate provenance and runtime. + - Identify parent installer/app, creation/change time, signature/notarization, executable hash, running process ancestry, files, network, and logs. +6. Classify each item. + - Expected, suspicious, confirmed malicious, disabled/orphaned, or unresolved; explain evidence and impact. +7. Preserve before containment. + - Record files and service state before using official `launchctl bootout` or app/uninstaller paths in the containment workflow. + +## Output + +Return a persistence inventory, loaded-versus-file state, provenance, runtime correlation, classification/confidence, and safe containment handoff. diff --git a/skills/inspect-macos-persistence/agents/openai.yaml b/skills/inspect-macos-persistence/agents/openai.yaml new file mode 100644 index 00000000..23920688 --- /dev/null +++ b/skills/inspect-macos-persistence/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Inspect macOS Persistence" + short_description: "Correlate Mac startup registrations and loaded state" + default_prompt: "Use $inspect-macos-persistence to inventory this Mac persistence without deleting evidence." diff --git a/skills/inspect-macos-persistence/references/macos-persistence-surfaces.md b/skills/inspect-macos-persistence/references/macos-persistence-surfaces.md new file mode 100644 index 00000000..064f806a --- /dev/null +++ b/skills/inspect-macos-persistence/references/macos-persistence-surfaces.md @@ -0,0 +1,14 @@ +# macOS Persistence Surfaces + +Prioritize evidence-driven checks: + +1. Login Items and background items visible to the user. +2. User, local, and system launch service domains and their plist files. +3. Configuration profiles and managed settings. +4. System extensions, network extensions, endpoint clients, and privileged helpers. +5. Browser extensions and native-messaging hosts. +6. Shell startup files and interpreter-specific startup hooks. +7. Package installer scripts/receipts and app-owned update helpers. +8. Scheduled jobs or legacy mechanisms only when the OS build and evidence justify them. + +For every item record label, domain/scope, executable and arguments, trigger, file ownership/mode, signer/hash, load state/PID, install source, timestamps, and related logs/network. A file's presence does not prove it loaded; a running process does not prove reboot persistence. diff --git a/skills/inspect-macos-runtime-activity/SKILL.md b/skills/inspect-macos-runtime-activity/SKILL.md new file mode 100644 index 00000000..5d97ae79 --- /dev/null +++ b/skills/inspect-macos-runtime-activity/SKILL.md @@ -0,0 +1,33 @@ +--- +name: inspect-macos-runtime-activity +description: Correlate suspicious macOS process, file, network, permission, and log activity. Use for unexpected processes, child execution, downloads, open files, DNS/connections, privacy prompts, XProtect or Gatekeeper events, file mutations, injected or deleted executables, and Endpoint Security or eslogger evidence when exact permissions and telemetry gaps must remain visible. +--- + +# Inspect macOS Runtime Activity + +## Overview + +Build a time-correlated view of what ran, what changed, and what communicated. Prefer focused native observations and existing telemetry over installing a broad privileged monitor on an affected host. + +Read [references/macos-runtime-evidence.md](references/macos-runtime-evidence.md) for telemetry sources and permission boundaries. + +## Workflow + +1. Fix host/build, user/session, time window, process/artifact identity, and reported symptom. +2. Capture current process context. + - Record PID, executable path/hash/signature, user, parent/ancestry, arguments, environment when authorized, start time, code state, and deleted/replaced executable clues. +3. Correlate files and registrations. + - Record open files, working directory, mapped images, created/modified paths, quarantine/provenance, persistence registrations, and permission failures. +4. Correlate network behavior. + - Record process-to-socket mapping, local/remote endpoints, DNS, protocol clues, timing, and whether a connection completed. +5. Inspect focused logs/events. + - Query relevant unified logs and existing Endpoint Security/XProtect/Gatekeeper evidence for the narrow time window. + - Record Full Disk Access, root, Endpoint Security entitlement, or other permissions required and what absence hides. +6. Build a timeline. + - Separate user action, launch, child processes, file changes, prompts, network, persistence, detection, and termination. +7. Assess behavior and gaps. + - Route binary internals, dynamic reproduction, containment, or hunting as needed. + +## Output + +Return process identity/ancestry, file/network/log timeline, permissions and coverage, observed versus inferred behavior, confidence, and next action. diff --git a/skills/inspect-macos-runtime-activity/agents/openai.yaml b/skills/inspect-macos-runtime-activity/agents/openai.yaml new file mode 100644 index 00000000..0febc005 --- /dev/null +++ b/skills/inspect-macos-runtime-activity/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Inspect macOS Runtime Activity" + short_description: "Correlate Mac process, file, network, and log evidence" + default_prompt: "Use $inspect-macos-runtime-activity to build a focused timeline of this suspicious Mac activity." diff --git a/skills/inspect-macos-runtime-activity/references/macos-runtime-evidence.md b/skills/inspect-macos-runtime-activity/references/macos-runtime-evidence.md new file mode 100644 index 00000000..be9909ea --- /dev/null +++ b/skills/inspect-macos-runtime-activity/references/macos-runtime-evidence.md @@ -0,0 +1,12 @@ +# macOS Runtime Evidence + +| Source | Useful evidence | Boundary | +| --- | --- | --- | +| `ps`, Activity Monitor, process inspection | identity, ancestry, arguments, user, runtime state | short-lived processes may disappear | +| `lsof`, filesystem metadata | open/mapped files and sockets | permission and timing dependent | +| `nettop`, packet/DNS tools | process traffic and endpoints | encrypted content and capture privileges limit visibility | +| unified logging | subsystem events and timelines | privacy redaction, retention, and predicates affect coverage | +| `eslogger` / Endpoint Security client | process, file, Gatekeeper bypass, XProtect events on supported builds | event type, entitlement, root/FDA, and client configuration matter | +| TCC/system settings | declared or granted privacy access | grant presence does not prove use | + +Record failed commands and missing permissions. Do not silently substitute missing telemetry with assumptions. diff --git a/skills/map-malware-behavior/SKILL.md b/skills/map-malware-behavior/SKILL.md new file mode 100644 index 00000000..d34d7b85 --- /dev/null +++ b/skills/map-malware-behavior/SKILL.md @@ -0,0 +1,32 @@ +--- +name: map-malware-behavior +description: Map observed or strongly evidenced malicious behavior to current MITRE ATT&CK techniques and platform context. Use when static or dynamic analysis, endpoint telemetry, incident evidence, or a malware report needs a behavior map for detection, response, comparison, or communication without inferring an actor, campaign, family, or complete attack chain from labels alone. +--- + +# Map Malware Behavior + +## Overview + +Translate evidence into current ATT&CK technique references while keeping the original observation primary. Map only behaviors supported by evidence and preserve platform/version context. + +Read [references/behavior-mapping.md](references/behavior-mapping.md) for evidence and mapping fields. + +## Workflow + +1. Normalize observations. + - Record actor/process, action, object, time, environment, privilege, source, and confidence. +2. Open current ATT&CK content. + - Select the relevant Enterprise, Mobile, ICS, cloud, container, or platform matrix and record the version/date checked. +3. Match behavior, not keywords. + - Read the technique definition and platform applicability. + - Choose the most specific supported sub-technique; preserve multiple plausible mappings as alternatives when evidence is incomplete. +4. Record mapping evidence. + - Link each technique to the exact observation and explain why it fits and where it does not. +5. Avoid attribution inflation. + - Do not infer actor, malware family, campaign, intent, or sequence solely because ATT&CK pages list similar procedure examples. +6. Use the map. + - Route to containment, hunting, or detection content and name telemetry gaps. + +## Output + +Return an evidence-to-technique table, platform and ATT&CK version/date, confidence, alternative mappings, telemetry gaps, and defensive use. diff --git a/skills/map-malware-behavior/agents/openai.yaml b/skills/map-malware-behavior/agents/openai.yaml new file mode 100644 index 00000000..56b29275 --- /dev/null +++ b/skills/map-malware-behavior/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Map Malware Behavior" + short_description: "Map observed behavior to ATT&CK without overclaiming" + default_prompt: "Use $map-malware-behavior to map these observations to current ATT&CK techniques." diff --git a/skills/map-malware-behavior/references/behavior-mapping.md b/skills/map-malware-behavior/references/behavior-mapping.md new file mode 100644 index 00000000..3bdf5467 --- /dev/null +++ b/skills/map-malware-behavior/references/behavior-mapping.md @@ -0,0 +1,14 @@ +# Behavior Mapping Record + +| Field | Content | +| --- | --- | +| Observation | Exact process/action/object or other evidence | +| Evidence source | Log, trace, static feature, dynamic observation, or report | +| Environment | Platform, build/version, privilege, and time | +| ATT&CK mapping | Technique/sub-technique ID and title | +| Fit | Why the definition matches | +| Limits | Missing behavior, alternative explanation, or unsupported phase | +| Confidence | High, medium, or low with reason | +| Defensive use | Containment, hunt query, telemetry, or detection idea | + +Use current ATT&CK pages, such as the [macOS matrix](https://attack.mitre.org/matrices/enterprise/macos/), and record the date checked because technique content changes. diff --git a/skills/operate-agentic-security-tools/SKILL.md b/skills/operate-agentic-security-tools/SKILL.md new file mode 100644 index 00000000..a0189fb2 --- /dev/null +++ b/skills/operate-agentic-security-tools/SKILL.md @@ -0,0 +1,45 @@ +--- +name: operate-agentic-security-tools +description: Operate security tools through an AI agent with explicit authority and evidence boundaries. Use when an agent may invoke local CLIs, GUI apps, browser automation, MCP servers, remote scanners, sandboxes, vulnerability tools, packet tools, or containment actions and permissions, mounts, network, secrets, approvals, logging, output, and cleanup must be constrained. +--- + +# Operate Agentic Security Tools + +## Overview + +Give the agent only the authority needed for the current security step and keep tool output reproducible. Separate discovery, active testing, exploit validation, containment, and remediation into visible decisions. + +Read [references/agent-tool-controls.md](references/agent-tool-controls.md) for the preflight record and control checklist. + +## Workflow + +1. Define the tool's job. + - State the security question, expected input/output, target, and why this tool is appropriate. + - Prefer read-only or offline operation when it can answer the question. + +2. Discover capability before use. + - Record source, installed path or remote service, version, supported formats, privileges, network behavior, telemetry, and output location. + - Treat missing tools or unusable integrations as results; do not invent output. + +3. Minimize authority. + - Limit readable/writable paths, target list, network destinations, credentials, environment variables, device access, and execution duration. + - Use temporary scoped credentials and disposable environments when credentials are unavoidable. + +4. Gate consequential actions. + - Require an operator decision before active probing, exploit execution, persistence changes, credential access, security-control changes, destructive operations, production writes, or third-party uploads. + - Display the exact target and likely effect before approval. + +5. Preserve evidence. + - Record commands or UI actions, configuration, timestamps, exit status, raw output, tool errors, and transformations. + - Validate high-impact findings with an independent observation or smallest safe reproduction. + +6. Clean up and verify. + - Remove temporary mounts, ports, tokens, sessions, files, rules, and isolated environments. + - Report what remains installed, running, reachable, or retained. + +## Guardrails + +- Do not grant broad host or cloud access merely to reduce approval prompts. +- Do not let an agent expand active-test scope from discovered targets. +- Do not treat an MCP server, GUI automation layer, or tool plugin as a trust boundary. +- Do not obscure failures behind a synthesized security conclusion. diff --git a/skills/operate-agentic-security-tools/agents/openai.yaml b/skills/operate-agentic-security-tools/agents/openai.yaml new file mode 100644 index 00000000..57ecd3d8 --- /dev/null +++ b/skills/operate-agentic-security-tools/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Operate Agentic Security Tools" + short_description: "Constrain agent permissions, targets, evidence, and cleanup" + default_prompt: "Use $operate-agentic-security-tools to constrain this agent-driven security tool run." diff --git a/skills/operate-agentic-security-tools/references/agent-tool-controls.md b/skills/operate-agentic-security-tools/references/agent-tool-controls.md new file mode 100644 index 00000000..de1209e1 --- /dev/null +++ b/skills/operate-agentic-security-tools/references/agent-tool-controls.md @@ -0,0 +1,29 @@ +# Agent Security Tool Controls + +Record before execution: + +```markdown +- Security question: +- Tool/source/version: +- Target and exclusions: +- Read paths: +- Write paths: +- Network destinations: +- Credentials and lifetime: +- Required privileges: +- Approval-gated actions: +- Output and evidence path: +- Timeout/stop condition: +- Cleanup and verification: +``` + +Use distinct approvals for: + +1. sending data off-device; +2. probing a live target; +3. executing a proof of concept; +4. changing persistence or security controls; +5. accessing credentials or private data; +6. containment or remediation that can disrupt service. + +An approval authorizes the described action, not adjacent targets or follow-on techniques. diff --git a/skills/perform-dynamic-malware-analysis/SKILL.md b/skills/perform-dynamic-malware-analysis/SKILL.md new file mode 100644 index 00000000..63e3438e --- /dev/null +++ b/skills/perform-dynamic-malware-analysis/SKILL.md @@ -0,0 +1,34 @@ +--- +name: perform-dynamic-malware-analysis +description: Observe suspicious content in a disposable, instrumented environment. Use when execution, process ancestry, file changes, persistence, network behavior, configuration decryption, child payloads, environment gates, or user interaction must be measured after static analysis and an isolation boundary, authorization, baseline, stop conditions, evidence export, and teardown plan are explicit. +--- + +# Perform Dynamic Malware Analysis + +## Overview + +Execute only inside an environment chosen by `select-analysis-isolation`, with an observation plan that can distinguish artifact behavior from baseline noise. Preserve the exact sample and environment identity. + +Read [references/dynamic-observation-plan.md](references/dynamic-observation-plan.md) for baseline, stimulus, telemetry, and teardown fields. + +## Workflow + +1. Define the unresolved question and minimum stimulus. +2. Verify isolation. + - Record guest/platform build, snapshot, accounts, shares, clipboard, devices, credentials, network mode, monitoring, and export path. +3. Capture a baseline. + - Record processes, files/registrations, persistence surfaces, network state, services, and relevant logs before execution. +4. Execute one controlled step. + - Record command/UI action, time, user/privilege, environment variables, arguments, and interactions. + - Do not improvise additional payloads, credentials, or targets. +5. Observe behavior. + - Correlate process tree, file/registry or platform state, persistence, permissions, child artifacts, network/DNS, logs, prompts, crashes, and timing. + - Hash and preserve dropped/modified artifacts as new evidence. +6. Repeat only to answer a named question. + - Change one variable at a time and revert to the baseline snapshot. +7. Export and tear down. + - Export only intended evidence, scan it before host use, destroy/revert the environment, and revoke temporary access. + +## Output + +Return environment/baseline identity, stimulus, observed timeline, artifacts and indicators, absent expected behavior, evasion/coverage limits, conclusion, and teardown verification. diff --git a/skills/perform-dynamic-malware-analysis/agents/openai.yaml b/skills/perform-dynamic-malware-analysis/agents/openai.yaml new file mode 100644 index 00000000..e38cf5af --- /dev/null +++ b/skills/perform-dynamic-malware-analysis/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Perform Dynamic Malware Analysis" + short_description: "Observe suspicious behavior in disposable isolation" + default_prompt: "Use $perform-dynamic-malware-analysis to observe this sample in a controlled disposable environment." diff --git a/skills/perform-dynamic-malware-analysis/references/dynamic-observation-plan.md b/skills/perform-dynamic-malware-analysis/references/dynamic-observation-plan.md new file mode 100644 index 00000000..4ffe716b --- /dev/null +++ b/skills/perform-dynamic-malware-analysis/references/dynamic-observation-plan.md @@ -0,0 +1,34 @@ +# Dynamic Observation Plan + +```markdown +## Question +- Behavior to confirm or refute: + +## Environment +- Host/guest platform and build: +- Snapshot/base image: +- Accounts and privileges: +- Shares/clipboard/devices/secrets: +- Network mode and allowed destinations: + +## Baseline +- Process, filesystem, persistence, network, and log state: + +## Stimulus +- Exact command/action and time: +- User interaction supplied: + +## Telemetry +- Process ancestry: +- File/config/persistence changes: +- DNS/network: +- Prompts, logs, crashes: + +## Stop Conditions +- ... + +## Export And Teardown +- Evidence exported: +- Environment reverted/destroyed: +- Temporary access revoked: +``` diff --git a/skills/perform-static-malware-analysis/SKILL.md b/skills/perform-static-malware-analysis/SKILL.md new file mode 100644 index 00000000..68071208 --- /dev/null +++ b/skills/perform-static-malware-analysis/SKILL.md @@ -0,0 +1,33 @@ +--- +name: perform-static-malware-analysis +description: Analyze a suspicious artifact for capabilities without executing it. Use for binaries, apps, packages, archives, scripts, libraries, extensions, firmware, or embedded payloads when metadata, signatures, imports, strings, resources, configuration, rules, obfuscation, and likely behavior must be inspected and deep binary work may hand off to reverse-engineering-skills. +--- + +# Perform Static Malware Analysis + +## Overview + +Build a capability hypothesis from preserved bytes and structure. Keep every source-level or behavioral claim bounded by what static evidence can actually prove. + +Read [references/static-analysis-layers.md](references/static-analysis-layers.md) for layered checks and escalation criteria. + +## Workflow + +1. Establish artifact identity and working copy. +2. Inspect outer structure. + - Identify formats, architectures, bundles, packages, sections, members, overlays, embedded resources, signatures, timestamps, and declared permissions. +3. Extract low-risk indicators. + - Collect imports/exports, linked libraries, symbols, strings, URLs/domains, paths, commands, mutex/service names, configuration, certificates, and persistence references. +4. Inspect code and content shape. + - Identify interpreters, entry points, packers/obfuscation, encrypted blobs, staged payloads, anti-analysis checks, and unusual executable mappings. + - Use YARA-X or other local rules as evidence with rule/version recorded. +5. Form capability hypotheses. + - Map evidence to possible execution, persistence, discovery, credential, collection, command-and-control, exfiltration, or defense-evasion behavior. + - Separate present code from reachable behavior and capability from observed execution. +6. Escalate deliberately. + - Use `reverse-engineering-skills` for control flow, decompilation, protocol/config recovery, or exact binary comparisons. + - Use dynamic analysis only after isolation selection and a clear observation plan. + +## Output + +Return identity, structure, indicators, likely capabilities, contradictory evidence, obfuscation/coverage limits, confidence, and the smallest next analysis step. diff --git a/skills/perform-static-malware-analysis/agents/openai.yaml b/skills/perform-static-malware-analysis/agents/openai.yaml new file mode 100644 index 00000000..0c0ec9a2 --- /dev/null +++ b/skills/perform-static-malware-analysis/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Perform Static Malware Analysis" + short_description: "Inspect suspicious capabilities without execution" + default_prompt: "Use $perform-static-malware-analysis to inspect this artifact without running it." diff --git a/skills/perform-static-malware-analysis/references/static-analysis-layers.md b/skills/perform-static-malware-analysis/references/static-analysis-layers.md new file mode 100644 index 00000000..e0daf9d5 --- /dev/null +++ b/skills/perform-static-malware-analysis/references/static-analysis-layers.md @@ -0,0 +1,11 @@ +# Static Analysis Layers + +1. Identity: hashes, size, type, architecture, version, source. +2. Container: archive/package/bundle members and metadata. +3. Trust metadata: signing, certificates, notarization, declared permissions. +4. Program shape: headers, sections, entry points, imports/exports, symbols. +5. Content: strings, resources, embedded files, configuration, URLs, commands. +6. Rules: YARA-X or format-aware rules with exact rule revision. +7. Code: decompiler/disassembler evidence routed to Reverse Engineering Skills. + +Escalate when static evidence cannot resolve reachability, decrypted configuration, environment gates, runtime downloads, injected behavior, persistence success, or network protocol behavior. diff --git a/skills/preserve-security-evidence/SKILL.md b/skills/preserve-security-evidence/SKILL.md new file mode 100644 index 00000000..6a4bbacc --- /dev/null +++ b/skills/preserve-security-evidence/SKILL.md @@ -0,0 +1,45 @@ +--- +name: preserve-security-evidence +description: Preserve and document security evidence before analysis, containment, or remediation changes it. Use for suspicious artifacts, volatile host state, vulnerability validation, incident records, logs, screenshots, commands, hashes, timelines, transformations, and analyst handoffs that need reproducible provenance without claiming legal-forensics certification. +--- + +# Preserve Security Evidence + +## Overview + +Create a reproducible security record while keeping originals and observations distinct from transformed working material. Prioritize volatile evidence when delay would erase it, but state when urgent harm reduction must take precedence. + +Read [references/security-record.md](references/security-record.md) for the shared record and transformation shapes. + +## Workflow + +1. Define the question and evidence owner. + - Record the affected person/system, requested decision, acquisition source, time, and analyst. + - Record authorization and disclosure limits when they matter. + +2. Separate original and working material. + - Avoid opening active content during preservation. + - Copy artifacts into a clearly named working area when analysis requires mutation. + - Record every extraction, decoding, re-sign, patch, conversion, or replay as a transformation that creates a new artifact identity. + +3. Capture stable identity. + - Record paths or logical identifiers, sizes, timestamps, cryptographic hashes, versions, bundle/package identifiers, UUIDs, signer identity, and source URLs when applicable. + - Record tool name, version, command, configuration, and environment for consequential observations. + +4. Prioritize volatile state. + - Capture time, logged-in users, processes and ancestry, open files, network state, relevant memory or runtime telemetry, and transient logs only when authorized and proportionate. + - Do not collect unrelated personal or secret data merely because access is available. + +5. Maintain evidence quality. + - Store observations, external intelligence, hypotheses, conclusions, and disproven hypotheses separately. + - Preserve raw output alongside summaries when safe. + - Mark missing data, collection failures, time skew, incomplete coverage, and evidence destroyed by containment. + +6. Produce a handoff. + - State which inputs are originals, which are working copies, what changed, and which next workflow should consume them. + +## Guardrails + +- Do not call ordinary engineering notes a legally sufficient chain of custody. +- Do not upload evidence to a third party without explicit approval and a data-egress explanation. +- Do not overwrite an original with a cleaned, extracted, or transformed copy. diff --git a/skills/preserve-security-evidence/agents/openai.yaml b/skills/preserve-security-evidence/agents/openai.yaml new file mode 100644 index 00000000..6c924cfb --- /dev/null +++ b/skills/preserve-security-evidence/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Preserve Security Evidence" + short_description: "Preserve artifacts, volatile state, and provenance" + default_prompt: "Use $preserve-security-evidence to create a reproducible evidence record before anything changes." diff --git a/skills/preserve-security-evidence/references/security-record.md b/skills/preserve-security-evidence/references/security-record.md new file mode 100644 index 00000000..d07a99b1 --- /dev/null +++ b/skills/preserve-security-evidence/references/security-record.md @@ -0,0 +1,44 @@ +# Shared Security Record + +```markdown +## Question And Scope +- Requested decision: +- Affected surface: +- Owner/authorization: +- Time window: + +## Identity +- Artifact, host, account, service, or target: +- Source/acquisition: +- Hashes, versions, build, hardware, identifiers: + +## Preservation +- Original preserved: +- Working copies: +- Volatile evidence captured or missed: + +## Observations +- Fact — source/tool/time: + +## External Intelligence +- Claim — source/date checked: + +## Hypotheses +- Hypothesis — supporting and contradicting evidence: + +## Assessment +- Classification: +- Confidence: +- Impact: +- Evidence that would change the conclusion: + +## Actions +- Immediate containment: +- Recovery: +- Longer-term hardening: + +## Plain-Language Explanation +- ... +``` + +For every transformation, record the input identity, operation, tool/version, output identity, timestamp, and reason. Treat the output as a new artifact. diff --git a/skills/recover-security-incident/SKILL.md b/skills/recover-security-incident/SKILL.md new file mode 100644 index 00000000..3e408e9e --- /dev/null +++ b/skills/recover-security-incident/SKILL.md @@ -0,0 +1,33 @@ +--- +name: recover-security-incident +description: Eradicate verified compromise mechanisms, restore trusted service, and monitor after a cybersecurity incident. Use when affected hosts, identities, applications, cloud resources, network controls, or data need rebuild/restore, patching, secret rotation, configuration repair, validation, staged return to service, temporary-control removal, lessons learned, and residual-risk ownership. +--- + +# Recover Security Incident + +## Overview + +Return systems and people to a trusted operating state using explicit eradication and validation criteria. Recovery is complete only when restored behavior, security controls, access, monitoring, and residual risk are verified. + +Read [references/recovery-gates.md](references/recovery-gates.md) for staged return-to-service gates. + +## Workflow + +1. Establish eradication criteria. + - Identify root/access path, persistence, affected identities/secrets, vulnerable configuration/code, related artifacts, and known scope. +2. Choose restore basis. + - Decide clean rebuild, known-good backup, patched image, repaired configuration, provider recovery, or controlled cleanup from evidence and integrity confidence. +3. Eradicate. + - Remove verified mechanisms, patch or mitigate the entry path, rotate/revoke secrets and sessions from trusted systems, repair policies/configuration, and preserve evidence of changes. +4. Restore in stages. + - Validate offline or isolated, restore dependencies/data, enable limited traffic/users, monitor, then broaden service. +5. Verify security and function. + - Reproduce the original detection/path as a negative test, confirm expected functionality, review access/persistence/network/logging, and check backups and monitoring. +6. Remove temporary controls deliberately. + - Inventory emergency rules, disabled services, isolation, temporary accounts, logging, tokens, and exceptions; retain only approved controls with owners/expiry. +7. Close and improve. + - Record timeline, root cause, affected scope, actions, notifications, evidence retention, lessons, structural hardening, and residual risk owner. + +## Output + +Return eradication evidence, restore basis, staged recovery results, negative retest, temporary-control disposition, monitoring window, lessons/actions, and residual-risk decision. diff --git a/skills/recover-security-incident/agents/openai.yaml b/skills/recover-security-incident/agents/openai.yaml new file mode 100644 index 00000000..c68310ff --- /dev/null +++ b/skills/recover-security-incident/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Recover Security Incident" + short_description: "Eradicate compromise and verify staged recovery" + default_prompt: "Use $recover-security-incident to restore trusted service and verify the original path is closed." diff --git a/skills/recover-security-incident/references/recovery-gates.md b/skills/recover-security-incident/references/recovery-gates.md new file mode 100644 index 00000000..9d5be304 --- /dev/null +++ b/skills/recover-security-incident/references/recovery-gates.md @@ -0,0 +1,11 @@ +# Recovery Gates + +1. Scope gate: affected assets, identities, data, and access paths are sufficiently understood. +2. Eradication gate: entry path, persistence, vulnerable condition, and exposed secrets are remediated or explicitly mitigated. +3. Trust gate: rebuild/backup/configuration basis is known and verified. +4. Functional gate: critical behavior and dependencies pass tests. +5. Security gate: original path fails, controls and telemetry work, and no validated recurrence appears. +6. Staged service gate: limited users/traffic operate within monitoring thresholds. +7. Closure gate: temporary controls, notifications, evidence, lessons, owners, deadlines, and residual risk are accounted for. + +Do not remove containment merely because a deadline arrives; satisfy or explicitly accept each gate. diff --git a/skills/report-security-assessment/SKILL.md b/skills/report-security-assessment/SKILL.md new file mode 100644 index 00000000..d6a5059d --- /dev/null +++ b/skills/report-security-assessment/SKILL.md @@ -0,0 +1,35 @@ +--- +name: report-security-assessment +description: Write a reproducible security assessment or penetration-test report from validated evidence. Use when technical findings, negative results, scope, methodology, limitations, exposure, impact, confidence, remediation, retest criteria, evidence handling, and a plain-language executive explanation must be assembled without overstating scanner output or untested coverage. +--- + +# Report Security Assessment + +## Overview + +Produce a report that lets technical owners reproduce findings and non-specialists understand what matters. Preserve uncertainty, scope limits, and negative results that materially constrain conclusions. + +Read [references/security-report-shape.md](references/security-report-shape.md) for the required structure. + +## Workflow + +1. Fix report identity. + - Record title, client/project, assessment type, dates, version, authors, classification, and distribution. +2. State scope and authority. + - List included/excluded targets, environments, accounts/roles, techniques, time windows, constraints, and changes from the approved scope. +3. Summarize outcomes plainly. + - Explain what was found, affected assets, practical consequence, urgent actions, and material uncertainty without jargon or panic. +4. Describe methodology and coverage. + - Name standards/guidance, tools/versions, manual checks, evidence sources, assumptions, unavailable telemetry, and untested areas. +5. Write each finding. + - Include identity, status/confidence, affected assets, prerequisites, evidence/reproduction, impact, exposure, severity/vector if used, remediation, mitigation, and retest steps. + - Keep raw secrets and unnecessary personal data out of the report. +6. Record negative results and limitations. +7. Build a remediation plan. + - Group immediate containment, near-term fixes, structural hardening, owners, deadlines, and dependencies. +8. Verify the report. + - Cross-check evidence links, commands, screenshots, identifiers, redaction, scope, and status. + +## Output + +Return a self-contained report with executive summary, scope, methodology, findings, negative results, limitations, prioritized remediation, and retest plan. diff --git a/skills/report-security-assessment/agents/openai.yaml b/skills/report-security-assessment/agents/openai.yaml new file mode 100644 index 00000000..16d9b50c --- /dev/null +++ b/skills/report-security-assessment/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Report Security Assessment" + short_description: "Write reproducible findings and clear remediation plans" + default_prompt: "Use $report-security-assessment to turn this validated evidence into a clear security report." diff --git a/skills/report-security-assessment/references/security-report-shape.md b/skills/report-security-assessment/references/security-report-shape.md new file mode 100644 index 00000000..f9535d83 --- /dev/null +++ b/skills/report-security-assessment/references/security-report-shape.md @@ -0,0 +1,26 @@ +# Security Assessment Report Shape + +```markdown +# Assessment Title + +## Executive Summary +## Scope And Authorization +## Methodology And Coverage +## Findings Summary +## Detailed Findings +### Finding: Title +- Status/confidence: +- Affected assets: +- Preconditions and exposure: +- Evidence/reproduction: +- Impact: +- Severity/vector and rationale: +- Remediation/mitigation: +- Retest: +## Negative Results +## Limitations And Uncertainty +## Prioritized Remediation Plan +## Evidence Appendix +``` + +Use exact evidence references and redact secrets. “No finding” means no issue was demonstrated under recorded coverage, not that the surface is secure. diff --git a/skills/route-security-work/SKILL.md b/skills/route-security-work/SKILL.md new file mode 100644 index 00000000..1202e617 --- /dev/null +++ b/skills/route-security-work/SKILL.md @@ -0,0 +1,42 @@ +--- +name: route-security-work +description: Route an ambiguous cybersecurity request before tools run. Use for suspicious files, links, messages, host behavior, malware questions, vulnerability reports, authorized pentests, security incidents, threat hunting, detection work, or security advice when the correct workflow and specialist owner are not yet clear. +--- + +# Route Security Work + +## Overview + +Turn the user's concern into one bounded security question, identify the affected surface, and select the smallest safe owner workflow. Do not begin active probing or execute suspicious content during routing. + +Read [references/routing-map.md](references/routing-map.md) when ownership or the difference between investigation, testing, response, and remediation is unclear. + +## Workflow + +1. State the requested decision. + - Capture what the user needs to know or do now. + - Separate “is this dangerous?” from “how does it work?”, “am I affected?”, and “how do I fix it?”. + +2. Identify the surface. + - Classify the primary subject as content or artifact, endpoint, identity, network/service, application/source, vulnerability report, or active incident. + - Record the relevant artifact, host, account, service, repository, target, and time window. + +3. Establish authority and urgency. + - For inspection and defensive response, confirm the user controls or is responsible for the affected surface. + - Before active testing, require the target owner, allowed targets, exclusions, time window, techniques, stop conditions, and contacts. + - If harm is ongoing, route immediate containment separately from evidence preservation. + +4. Choose the next owner. + - Use `preserve-security-evidence` before transformations or volatile state disappears. + - Use `select-analysis-isolation` before opening or executing untrusted content. + - Use `assess-and-explain-threat` when evidence exists but the practical conclusion is unclear. + - Route deep binary work to `reverse-engineering-skills` and repository-wide source scans to Codex Security when available. + - Route ordinary implementation or remediation to the owning Apple, protocol, language, or framework skill after the security acceptance criteria are explicit. + +5. Report the route. + - Name the selected workflow, why it fits, what is intentionally deferred, and the first non-destructive action. + - Preserve uncertainty rather than selecting a dramatic path from weak evidence. + +## Output + +Return the security question, affected surface, urgency, authority/scope state, selected owner, first safe action, and any immediate stop condition. diff --git a/skills/route-security-work/agents/openai.yaml b/skills/route-security-work/agents/openai.yaml new file mode 100644 index 00000000..b51e5a0a --- /dev/null +++ b/skills/route-security-work/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Route Security Work" + short_description: "Choose the safest cybersecurity workflow and owner" + default_prompt: "Use $route-security-work to route this security concern before running tools." diff --git a/skills/route-security-work/references/routing-map.md b/skills/route-security-work/references/routing-map.md new file mode 100644 index 00000000..f51f2f30 --- /dev/null +++ b/skills/route-security-work/references/routing-map.md @@ -0,0 +1,15 @@ +# Security Workflow Routing Map + +| Primary question | Owning workflow | Common handoff | +| --- | --- | --- | +| What is this suspicious file, link, message, profile, package, or document? | `triage-suspicious-content` | Static malware analysis or script/document analysis | +| Is this artifact known, signed, reputable, or reported elsewhere? | `check-artifact-reputation` | Threat assessment | +| What could this artifact do without running it? | `perform-static-malware-analysis` | Reverse engineering for binary internals | +| What did it do in a disposable environment? | `perform-dynamic-malware-analysis` | Behavior mapping or detection content | +| Is this Mac affected and what should change now? | `assess-macos-threat` | Persistence/runtime inspection or containment | +| Is this vulnerability real and reachable here? | `validate-vulnerability` | Exposure assessment or stack remediation | +| May we actively test this target? | `scope-authorized-security-test` | Web/API or network-service testing | +| Is harm occurring across a system or organization? | `triage-security-incident` | Containment and recovery | +| How do I explain the result to the affected person? | `assess-and-explain-threat` | Security assessment report | + +Do not route solely from a tool name. Start from the decision the user needs and the surface that may be affected. diff --git a/skills/scope-authorized-security-test/SKILL.md b/skills/scope-authorized-security-test/SKILL.md new file mode 100644 index 00000000..7161137b --- /dev/null +++ b/skills/scope-authorized-security-test/SKILL.md @@ -0,0 +1,35 @@ +--- +name: scope-authorized-security-test +description: Define and verify authorization, targets, rules of engagement, data handling, safety controls, and stop conditions before active security testing. Use for penetration tests, vulnerability scans, exploit validation, web/API tests, network probing, red-team-like exercises, bug bounty work, or agent-driven testing where ownership and allowed techniques must be explicit. +--- + +# Scope Authorized Security Test + +## Overview + +Turn permission into an executable scope record before sending active traffic or running a proof of concept. Authorization must identify the owner and boundaries; access to a target or a public address is not permission. + +Read [references/active-test-scope.md](references/active-test-scope.md) and complete every applicable field. + +## Workflow + +1. Identify authority. + - Record target owner, authorizing person/record, tester, contacts, dates, jurisdiction or program policy, and evidence of permission. +2. Resolve targets precisely. + - List domains, hosts, addresses/ranges, applications, APIs, repositories, accounts, environments, and third-party dependencies. + - List exclusions explicitly and define how dynamic/cloud/CDN targets are resolved. +3. Define allowed techniques. + - Separate passive review, discovery, authenticated testing, automated scanning, fuzzing, exploit validation, social/physical testing, persistence, credential access, data access, and denial-of-service. + - Default unlisted techniques to disallowed. +4. Set operational controls. + - Define source addresses, accounts, rate/concurrency, time windows, test data, logging, notification, emergency stop, cleanup, and restoration. +5. Define data handling. + - Minimize accessed data; specify retention, encryption, screenshots/logs, secrets, evidence transfer, disclosure, and deletion. +6. Establish stop conditions. + - Stop on target drift, third-party impact, instability, sensitive data beyond minimum proof, unexpected privileges, scope ambiguity, or an unapproved technique. +7. Approve the test plan. + - Show exact targets and effects before tools run; update the scope record before expanding work. + +## Output + +Return authority, included/excluded targets, allowed/disallowed techniques, operational controls, data handling, stop/escalation contacts, and approval state. diff --git a/skills/scope-authorized-security-test/agents/openai.yaml b/skills/scope-authorized-security-test/agents/openai.yaml new file mode 100644 index 00000000..1976162a --- /dev/null +++ b/skills/scope-authorized-security-test/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Scope Authorized Security Test" + short_description: "Define targets, permission, techniques, and stop conditions" + default_prompt: "Use $scope-authorized-security-test to establish a complete authorized test scope." diff --git a/skills/scope-authorized-security-test/references/active-test-scope.md b/skills/scope-authorized-security-test/references/active-test-scope.md new file mode 100644 index 00000000..1548264a --- /dev/null +++ b/skills/scope-authorized-security-test/references/active-test-scope.md @@ -0,0 +1,36 @@ +# Active Security Test Scope + +```markdown +## Authority +- Owner and authorizer: +- Authorization record/program policy: +- Tester and contacts: +- Valid dates/timezone: + +## Targets +- Included: +- Excluded: +- Third-party/CDN/cloud boundary: +- Accounts/roles/environment: + +## Techniques +- Allowed: +- Disallowed: +- Proof/impact limit: + +## Operations +- Source addresses and tooling: +- Rate/concurrency/time windows: +- Monitoring and notification: +- Emergency stop and restoration: + +## Data +- Collection minimization: +- Secrets and sensitive-data handling: +- Retention, transfer, disclosure, deletion: + +## Stop Conditions +- ... +``` + +Use current program rules and the planning principles in [NIST SP 800-115](https://csrc.nist.gov/pubs/sp/800/115/final). diff --git a/skills/select-analysis-isolation/SKILL.md b/skills/select-analysis-isolation/SKILL.md new file mode 100644 index 00000000..712d1ec3 --- /dev/null +++ b/skills/select-analysis-isolation/SKILL.md @@ -0,0 +1,42 @@ +--- +name: select-analysis-isolation +description: Select and configure an isolation boundary before inspecting or executing untrusted content. Use when choosing among local read-only analysis, a disposable container, Linux VM, macOS VM, remote sandbox, or spare physical device and deciding network, mount, clipboard, credential, device, snapshot, evidence-export, and teardown controls. +--- + +# Select Analysis Isolation + +## Overview + +Choose the smallest environment that contains the behaviors the analysis may trigger and can still reproduce the target platform. Treat isolation as a set of controls to verify, not a label supplied by a product. + +Read [references/isolation-matrix.md](references/isolation-matrix.md) before selecting an environment for execution or privileged tooling. + +## Workflow + +1. Identify the behavior to contain. + - Record target OS/runtime, expected privilege, kernel or device access, persistence, networking, anti-VM behavior, and data sensitivity. + +2. Choose the environment. + - Use local read-only inspection for non-executing metadata and text extraction. + - Use a disposable container for bounded Linux user-space tooling when VM-level isolation and target-platform behavior are unnecessary. + - Use a disposable VM for installers, services, dynamic behavior, or full-OS effects. + - Use a macOS VM or spare Mac for macOS payload behavior; do not substitute a Linux container. + - Use a remote sandbox only after data-egress approval and provider-capability review. + +3. Remove ambient authority. + - Exclude personal accounts, host directories, shared clipboard, drag/drop, host sockets, USB/device passthrough, SSH agent, developer certificates, browser profiles, password stores, cloud tokens, and unrelated secrets. + +4. Constrain networking. + - Default to no network or a simulated service. + - If external traffic is required, allow only recorded destinations through a monitored boundary and capture DNS/routes/packets proportionately. + +5. Establish lifecycle evidence. + - Record base image or restore image, OS build, tool versions, configuration, snapshot, clocks, and baseline state. + - Define exactly which evidence may be exported and how it will be scanned before reaching the host. + +6. Verify teardown. + - Stop the workload, export intended evidence, revert or destroy disposable state, revoke temporary credentials, and confirm no host share or forwarded port remains. + +## Stop Conditions + +Stop before execution when the environment cannot reproduce the target platform, the isolation controls cannot be verified, or the task requires host secrets or privileges beyond the approved analysis plan. diff --git a/skills/select-analysis-isolation/agents/openai.yaml b/skills/select-analysis-isolation/agents/openai.yaml new file mode 100644 index 00000000..3d560ab3 --- /dev/null +++ b/skills/select-analysis-isolation/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Select Analysis Isolation" + short_description: "Choose safe container, VM, sandbox, or device isolation" + default_prompt: "Use $select-analysis-isolation to choose and verify a safe environment for this untrusted workload." diff --git a/skills/select-analysis-isolation/references/isolation-matrix.md b/skills/select-analysis-isolation/references/isolation-matrix.md new file mode 100644 index 00000000..2f5cab59 --- /dev/null +++ b/skills/select-analysis-isolation/references/isolation-matrix.md @@ -0,0 +1,14 @@ +# Isolation Matrix + +| Environment | Good fit | Not sufficient for | +| --- | --- | --- | +| Local read-only inspection | Hashing, metadata, signatures, archive listing, strings, rule scans | Any active-content execution | +| Disposable Linux container | Untrusted Linux user-space tools, parsers, reproducible CLI pipelines | macOS behavior, kernel threats, device access, privileged hostile code | +| Disposable Linux VM | Linux installers, services, full-system behavior, kernel/network observations | Native macOS behavior | +| Disposable macOS VM | macOS apps, packages, scripts, signing/quarantine/TCC/persistence behavior | Hardware-specific or anti-VM behavior that requires a spare device | +| Spare physical device | Hardware-dependent or VM-evasive behavior | Casual analysis without a reliable erase/rebuild plan | +| Remote sandbox | Approved commodity sample detonation and shared intelligence | Private artifacts, secrets, custom software, or behavior the provider cannot reproduce | + +For Apple silicon, verify exact host/guest OS support and the chosen Virtualization tool's clipboard, directory-share, network, and snapshot behavior. Apple's `container` uses lightweight Linux VMs but remains a Linux workload surface, not a macOS guest. + +Sources: [Apple Virtualization](https://developer.apple.com/documentation/virtualization) and [Apple container technical overview](https://github.com/apple/container/blob/main/docs/technical-overview.md). diff --git a/skills/test-network-services/SKILL.md b/skills/test-network-services/SKILL.md new file mode 100644 index 00000000..e7e1f777 --- /dev/null +++ b/skills/test-network-services/SKILL.md @@ -0,0 +1,32 @@ +--- +name: test-network-services +description: Inventory and test explicitly authorized network services with bounded discovery and protocol-aware validation. Use for approved hosts, address ranges, ports, TLS, banners, service versions, authentication, exposure, segmentation, configuration, packet evidence, or narrowly reviewed vulnerability checks when rate, source, third-party boundaries, and stop conditions are explicit. +--- + +# Test Network Services + +## Overview + +Establish what is actually listening and reachable before making vulnerability claims. Keep discovery, identification, configuration review, authentication tests, and exploit validation as separate authorized levels. + +Read [references/network-test-levels.md](references/network-test-levels.md) before selecting tools or scan intensity. + +## Workflow + +1. Load approved targets/exclusions, source addresses, network path, time/rate limits, credentials, and contacts. +2. Resolve target identity. + - Record DNS, addresses, cloud/CDN/load-balancer ownership, environment, and routes; stop on third-party or out-of-scope resolution. +3. Discover conservatively. + - Start with known assets and low-rate reachability/port checks; record tool/version/options, packet source, loss, and filtering. +4. Identify services. + - Validate protocol, TLS/certificate, banner/version, authentication exposure, and application behavior instead of trusting port numbers or one fingerprint. +5. Assess configuration and exposure. + - Review unnecessary listeners, network boundary, encryption, weak/default access, anonymous behavior, management interfaces, and segmentation from approved vantage points. +6. Validate vulnerability candidates. + - Review scanner/template logic and use the smallest protocol-aware proof; route protocol mechanics to `network-protocol-skills`. +7. Stop and clean up. + - Halt on instability, rate-limit distress, unexpected sensitive data, third parties, or scope drift; close sessions and remove temporary access. + +## Output + +Return target resolution, discovery coverage, validated services, configuration/exposure observations, vulnerability candidates/validation, negative results, impact, and cleanup. diff --git a/skills/test-network-services/agents/openai.yaml b/skills/test-network-services/agents/openai.yaml new file mode 100644 index 00000000..a777b038 --- /dev/null +++ b/skills/test-network-services/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Test Network Services" + short_description: "Validate authorized service exposure in bounded levels" + default_prompt: "Use $test-network-services to inventory and validate these authorized network services safely." diff --git a/skills/test-network-services/references/network-test-levels.md b/skills/test-network-services/references/network-test-levels.md new file mode 100644 index 00000000..5a2e95d0 --- /dev/null +++ b/skills/test-network-services/references/network-test-levels.md @@ -0,0 +1,10 @@ +# Network Test Levels + +1. Asset resolution: owner, DNS/address, route, environment, third parties. +2. Reachability: bounded host/port checks from an approved source. +3. Service identification: protocol handshake, TLS, banner, version, authentication surface. +4. Configuration review: exposure, encryption, access, segmentation, management interfaces. +5. Vulnerability check: reviewed, narrowly selected probe with safe matcher. +6. Exploit validation: separately authorized minimum proof and cleanup. + +Do not jump levels because a tool supports it. Record rate, retries, concurrency, timeouts, excluded ports/hosts, and any service degradation. Use packet capture only when authorized and minimize unrelated traffic/data. diff --git a/skills/test-web-and-api-security/SKILL.md b/skills/test-web-and-api-security/SKILL.md new file mode 100644 index 00000000..f62494cd --- /dev/null +++ b/skills/test-web-and-api-security/SKILL.md @@ -0,0 +1,32 @@ +--- +name: test-web-and-api-security +description: Test an explicitly authorized web application or API using current OWASP guidance and bounded manual or automated checks. Use for authentication, authorization, session, input, browser, API schema, business logic, file handling, server-side request, configuration, transport, error, and data-exposure tests when accounts, roles, target, rate, evidence, and stop conditions are defined. +--- + +# Test Web And API Security + +## Overview + +Test one scoped property at a time with role-aware accounts and reproducible requests. Use passive observation before active mutation and review automated scanner behavior before it reaches the target. + +Read [references/web-api-test-plan.md](references/web-api-test-plan.md) and current OWASP WSTG/API guidance before execution. + +## Workflow + +1. Load the approved scope, environment, accounts/roles, data, rate limits, and stop conditions. +2. Map the application. + - Record hosts, routes, APIs/schemas, roles, trust boundaries, sessions/tokens, browser controls, uploads, integrations, and state-changing operations. +3. Capture a baseline. + - Preserve normal requests/responses and expected authorization for each role and resource owner. +4. Test by security property. + - Cover identity/session, object/function authorization, input handling, browser/client boundaries, server-side fetches, files, configuration, errors, data exposure, business logic, and rate/resource controls as scope permits. +5. Use tools deliberately. + - Keep proxy/browser history scoped; review ZAP or Nuclei configuration/templates; exclude destructive or broad checks; record exact versions and requests. +6. Validate candidates. + - Reproduce with the smallest request, negative control, different role/owner, and fixed/mitigated state when available. +7. Clean up. + - Remove test data/accounts/tokens, restore state, and report anything that could not be reverted. + +## Output + +Return scope/accounts, application map, tests and evidence, validated findings, negative results/coverage gaps, cleanup, and retest criteria. diff --git a/skills/test-web-and-api-security/agents/openai.yaml b/skills/test-web-and-api-security/agents/openai.yaml new file mode 100644 index 00000000..cb85656b --- /dev/null +++ b/skills/test-web-and-api-security/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Test Web And API Security" + short_description: "Run scoped, role-aware web and API security tests" + default_prompt: "Use $test-web-and-api-security to test this authorized web or API surface methodically." diff --git a/skills/test-web-and-api-security/references/web-api-test-plan.md b/skills/test-web-and-api-security/references/web-api-test-plan.md new file mode 100644 index 00000000..121a1e04 --- /dev/null +++ b/skills/test-web-and-api-security/references/web-api-test-plan.md @@ -0,0 +1,15 @@ +# Web And API Test Plan + +Record: + +- WSTG/API test identifier or named security property; +- exact endpoint, method, content type, schema, and environment; +- account, role, tenant, and resource owner; +- normal baseline request/response; +- one changed input or state; +- expected security behavior; +- observed response, server-side evidence, and side effect; +- negative control and cleanup; +- rate/concurrency and stop condition. + +Use the current [OWASP Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) and [ZAP documentation](https://www.zaproxy.org/docs/). Review Nuclei templates before use; a template match is a validation candidate, not a confirmed finding. diff --git a/skills/triage-security-incident/SKILL.md b/skills/triage-security-incident/SKILL.md new file mode 100644 index 00000000..aa8f9efa --- /dev/null +++ b/skills/triage-security-incident/SKILL.md @@ -0,0 +1,36 @@ +--- +name: triage-security-incident +description: Triage a suspected cybersecurity incident across endpoints, identities, applications, services, cloud resources, networks, or data. Use when an alert, report, compromise indicator, service disruption, unauthorized access, malware event, credential concern, or data exposure needs an incident owner, affected scope, urgency, evidence plan, immediate harm-reduction decision, and communication path. +--- + +# Triage Security Incident + +## Overview + +Establish whether coordinated response is needed, what may be affected, and who owns decisions. Preserve uncertainty and avoid destructive cleanup while urgent harm reduction and evidence collection are balanced. + +Read [references/incident-triage-record.md](references/incident-triage-record.md) for the initial record aligned with current NIST incident-response guidance. + +## Workflow + +1. Open the incident record. + - Record reporter, detection source, time/timezone, symptoms, affected person/system, current status, and incident lead. +2. Validate the signal. + - Preserve the original alert/report and confirm artifact, account, host, service, or event identity. + - Separate direct observation, external intelligence, automation labels, and speculation. +3. Estimate scope and urgency. + - Identify potentially affected assets, identities, data, users, environments, business function, privileges, and time window. + - Record ongoing execution, access, exfiltration, destruction, fraud, safety, or service impact. +4. Decide immediate harm reduction. + - Choose reversible isolation, session/token revocation, feature disablement, traffic control, or monitoring only when evidence and authority justify it. + - State evidence loss and operational impact. +5. Preserve priority evidence. + - Capture volatile state, logs, artifacts, identity/provider records, application events, network evidence, and timeline sources proportionately. +6. Establish coordination. + - Name technical, business, legal/privacy, communications, vendor/provider, and affected-user contacts as applicable; keep sensitive details need-to-know. +7. Route the next phase. + - Use containment for ongoing harm, hunting for scope, specialist analysis for evidence, and recovery only after eradication criteria are defined. + +## Output + +Return incident identity/owner, signal confidence, affected/potential scope, urgency, immediate actions, evidence plan, contacts, open questions, and next phase. diff --git a/skills/triage-security-incident/agents/openai.yaml b/skills/triage-security-incident/agents/openai.yaml new file mode 100644 index 00000000..441b939d --- /dev/null +++ b/skills/triage-security-incident/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Triage Security Incident" + short_description: "Establish incident scope, urgency, evidence, and owners" + default_prompt: "Use $triage-security-incident to establish this incident and the safest immediate response." diff --git a/skills/triage-security-incident/references/incident-triage-record.md b/skills/triage-security-incident/references/incident-triage-record.md new file mode 100644 index 00000000..ca480f54 --- /dev/null +++ b/skills/triage-security-incident/references/incident-triage-record.md @@ -0,0 +1,18 @@ +# Incident Triage Record + +```markdown +- Incident ID/title/status: +- Reporter/detection source/time: +- Incident lead and decision owners: +- Observed facts and confidence: +- Potentially affected assets/identities/data/users: +- Time window and ongoing behavior: +- Business/service/privacy/safety impact: +- Immediate harm-reduction action and evidence tradeoff: +- Evidence sources preserved/missing: +- Communication and notification contacts: +- Open hypotheses and disconfirming evidence: +- Next response phase and exit criteria: +``` + +Use current [NIST SP 800-61 Rev. 3](https://csrc.nist.gov/pubs/sp/800/61/r3/final). Treat incident response as part of ongoing risk management, preparation, detection, response, and recovery rather than a one-time linear checklist. diff --git a/skills/triage-suspicious-content/SKILL.md b/skills/triage-suspicious-content/SKILL.md new file mode 100644 index 00000000..888693a5 --- /dev/null +++ b/skills/triage-suspicious-content/SKILL.md @@ -0,0 +1,38 @@ +--- +name: triage-suspicious-content +description: Safely classify suspicious files, archives, installers, packages, scripts, documents, configuration profiles, browser extensions, URLs, QR codes, messages, and nested payloads before execution. Use when someone receives or discovers sketchy content and needs to know what it is, what active behavior it may contain, and the smallest safe next analysis step. +--- + +# Triage Suspicious Content + +## Overview + +Identify the content and its active surfaces without opening, installing, importing, previewing, or following it through a handler that may execute code. Preserve the original and route the smallest useful next check. + +Read [references/content-preflight.md](references/content-preflight.md) for format-specific active-content clues. + +## Workflow + +1. Preserve intake context. + - Record sender/source, delivery channel, claimed purpose, filenames, timestamps, quarantine metadata, URLs as text, and why it looked suspicious. + - Hash files and work from a copy. + +2. Identify containers before content. + - Determine file type from bytes and structure, not extension alone. + - List archive/package members without broad extraction and note traversal paths, symlinks, nested archives, password protection, or misleading double extensions. + +3. Inventory active surfaces. + - Look for executables, scripts, macros, embedded files, links, forms, JavaScript, launch/install metadata, configuration payloads, extension permissions, shortened/redirecting URLs, and QR destinations. + - Treat preview generators and importers as parsers that may be vulnerable. + +4. Check local provenance. + - Record signatures, signer identity, notarization/quarantine evidence, package receipts/metadata, document producer, URL host and certificate context, and expected vendor distribution channel. + - Do not infer trust from any one field. + +5. Route without execution. + - Use reputation checking for hash/domain/vendor context, script/document analysis for active text, static malware analysis for capabilities, and reverse engineering for binary internals. + - Select isolation before any dynamic behavior. + +## Output + +Return intake identity, actual type/container, active surfaces, provenance observations, suspicious and benign explanations, confidence, and the first safe next workflow. diff --git a/skills/triage-suspicious-content/agents/openai.yaml b/skills/triage-suspicious-content/agents/openai.yaml new file mode 100644 index 00000000..c6582864 --- /dev/null +++ b/skills/triage-suspicious-content/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Triage Suspicious Content" + short_description: "Classify sketchy content without activating it" + default_prompt: "Use $triage-suspicious-content to identify this suspicious content and choose a safe next step." diff --git a/skills/triage-suspicious-content/references/content-preflight.md b/skills/triage-suspicious-content/references/content-preflight.md new file mode 100644 index 00000000..e226ea6b --- /dev/null +++ b/skills/triage-suspicious-content/references/content-preflight.md @@ -0,0 +1,12 @@ +# Suspicious Content Preflight + +| Content | Inspect without activation | Common active surface | +| --- | --- | --- | +| Archive/package | Member list, paths, types, signatures, metadata | Nested executables, scripts, symlinks, traversal, installer actions | +| macOS app/pkg/dmg | Bundle/package metadata, signing, notarization, quarantine, mounted layout | Executables, installer scripts, launch services, privileged helpers | +| Script/text | Encoding, interpreter, imports, URLs, commands, heredocs | Download/execute, persistence, credential/file access | +| Office/PDF/document | Container members, relationships, objects, forms, links, metadata | Macros, JavaScript, embedded files, templates, external links | +| Profile/extension | Declared payloads/permissions, signer, distribution source | Network interception, certificates, management, browsing/data access | +| URL/QR/message | Literal destination, sender context, redirects only through approved tooling | Credential capture, drive-by content, deep links, social engineering | + +Avoid Finder Quick Look, Office Protected View assumptions, browser navigation, package installation, and OS handler invocation until the parser/execution risk is understood. diff --git a/skills/triage-vulnerability-report/SKILL.md b/skills/triage-vulnerability-report/SKILL.md new file mode 100644 index 00000000..19a8bf0f --- /dev/null +++ b/skills/triage-vulnerability-report/SKILL.md @@ -0,0 +1,34 @@ +--- +name: triage-vulnerability-report +description: Normalize and triage a supplied vulnerability report, scanner result, advisory, CVE, proof of concept, bug bounty submission, security ticket, or researcher note. Use when affected component/version, source credibility, prerequisites, evidence, duplicate status, asset applicability, source-code owner, validation plan, and immediate exposure questions must be established before accepting or rejecting a finding. +--- + +# Triage Vulnerability Report + +## Overview + +Convert incoming claims into a testable hypothesis tied to an exact product, version, configuration, and asset. Do not reproduce active impact until authorization and the smallest safe validation plan are explicit. + +Read [references/vulnerability-intake.md](references/vulnerability-intake.md) for the normalized record. + +## Workflow + +1. Preserve the original report and source. +2. Normalize identity. + - Record product/component, versions, commit/build/image, dependency identity, advisory/CVE/CWE, endpoints/code paths, deployment/configuration, and affected assets. +3. Extract the claim. + - State attacker position, prerequisites, input, security boundary crossed, result, impact, and supplied reproduction. +4. Grade evidence. + - Separate scanner matching, vulnerable-code presence, reachability, successful reproduction, external advisory, and speculation. + - Record logs, requests/responses, traces, screenshots, code, and environment details. +5. Check authoritative context. + - Use vendor advisories, source/release history, OSV/ecosystem advisories, CISA KEV, and current disclosure state; date lookups. +6. Route ownership. + - Use Codex Security for repository/diff scanning or attack-path work when available. + - Route to vulnerability validation for a supplied claim and to the owning stack for remediation only after acceptance criteria are clear. +7. Define immediate action. + - Identify exposed assets, reversible mitigations, missing evidence, safe validation, and disclosure/notification needs. + +## Output + +Return normalized identity, claim, evidence grade, asset applicability, duplicates/advisories, urgency, validation plan, and owner. diff --git a/skills/triage-vulnerability-report/agents/openai.yaml b/skills/triage-vulnerability-report/agents/openai.yaml new file mode 100644 index 00000000..9a270796 --- /dev/null +++ b/skills/triage-vulnerability-report/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Triage Vulnerability Report" + short_description: "Normalize vulnerability claims and missing evidence" + default_prompt: "Use $triage-vulnerability-report to turn this report into a testable, owned security claim." diff --git a/skills/triage-vulnerability-report/references/vulnerability-intake.md b/skills/triage-vulnerability-report/references/vulnerability-intake.md new file mode 100644 index 00000000..9709f0be --- /dev/null +++ b/skills/triage-vulnerability-report/references/vulnerability-intake.md @@ -0,0 +1,22 @@ +# Vulnerability Intake Record + +```markdown +- Source/report ID/date: +- Product/component/build/dependency: +- Affected and fixed versions claimed: +- Deployment/configuration/assets: +- Attacker position and prerequisites: +- Input/action: +- Boundary crossed: +- Result and impact: +- Supplied evidence/reproduction: +- Advisory/CVE/CWE/vendor status: +- Scanner/tool/version/rules: +- Present code or package: +- Reachability/exploitability evidence: +- Missing evidence and contradictions: +- Validation authorization/environment: +- Immediate mitigation and owner: +``` + +Do not let a CVE or package-name match substitute for exact product lineage, version, configuration, and reachable behavior. diff --git a/skills/use-objective-see-tools/SKILL.md b/skills/use-objective-see-tools/SKILL.md new file mode 100644 index 00000000..a5643c5a --- /dev/null +++ b/skills/use-objective-see-tools/SKILL.md @@ -0,0 +1,36 @@ +--- +name: use-objective-see-tools +description: Use installed Objective-See macOS security tools as thin evidence adapters. Use for KnockKnock persistence inventory, BlockBlock persistence alerts, LuLu network decisions, ProcessMonitor or FileMonitor activity, WhatsYourSign signature inspection, TaskExplorer process review, or related Objective-See tools while exact version, permissions, user actions, tool limits, and owning investigation workflow remain explicit. +--- + +# Use Objective-See Tools + +## Overview + +Select the Objective-See tool that observes the needed surface, record its current capabilities, and return evidence to the owning macOS workflow. Do not treat one tool's label or UI color as a threat verdict. + +Read [references/objective-see-routing.md](references/objective-see-routing.md) and recheck the official tool page before use. + +## Workflow + +1. Name the unresolved observation: persistence, process, file, network, signing, or process inventory. +2. Discover local capability. + - Verify official source, installed app/path, version, supported macOS build, permissions/system extensions, running state, and export format. + - Do not install, approve extensions, or grant privacy access without an explicit operator decision. +3. Select one tool and bounded action. +4. Preserve context. + - Record scan time, filters, exclusions, baseline, UI/CLI actions, alerts, raw/exported output, and tool errors. +5. Correlate independently. + - Verify signer/path/hash, process ancestry, persistence registration, socket, or file change with native evidence where practical. +6. Route conclusions. + - Send evidence to persistence, runtime, threat assessment, or containment workflows. + +## Guardrails + +- Do not enable blocking rules or terminate/delete items during evidence collection unless containment is separately approved. +- Do not claim historical coverage when the tool was installed after the event. +- Do not assume every Objective-See tool exposes a stable CLI or accessible GUI automation surface. + +## Output + +Return tool/version/capability, permissions, action, observations/export, independent correlation, limitations, and owning workflow. diff --git a/skills/use-objective-see-tools/agents/openai.yaml b/skills/use-objective-see-tools/agents/openai.yaml new file mode 100644 index 00000000..aae7bfcb --- /dev/null +++ b/skills/use-objective-see-tools/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Use Objective-See Tools" + short_description: "Use Objective-See apps as focused evidence adapters" + default_prompt: "Use $use-objective-see-tools to choose a focused Objective-See tool for this Mac investigation." diff --git a/skills/use-objective-see-tools/references/objective-see-routing.md b/skills/use-objective-see-tools/references/objective-see-routing.md new file mode 100644 index 00000000..2acea68e --- /dev/null +++ b/skills/use-objective-see-tools/references/objective-see-routing.md @@ -0,0 +1,13 @@ +# Objective-See Routing + +| Need | Candidate tool | Evidence use | +| --- | --- | --- | +| Enumerate persistence | KnockKnock | Candidate startup items for provenance/runtime correlation | +| Observe new persistence | BlockBlock | Alert-time registration evidence; blocking is containment | +| Observe/control outbound network | LuLu | Process/destination decisions; rules change connectivity | +| Process events | ProcessMonitor | Execution timeline and ancestry context | +| File events | FileMonitor | Scoped file mutation evidence | +| Signature identity | WhatsYourSign | Signing metadata for independent interpretation | +| Rich process inspection | TaskExplorer | Process, libraries, files, connections, and signature context | + +Tool inventory and requirements change. Recheck [Objective-See tools](https://objective-see.org/tools.html), local Help, exact version, and macOS support before relying on a workflow. diff --git a/skills/validate-vulnerability/SKILL.md b/skills/validate-vulnerability/SKILL.md new file mode 100644 index 00000000..79b8e39c --- /dev/null +++ b/skills/validate-vulnerability/SKILL.md @@ -0,0 +1,34 @@ +--- +name: validate-vulnerability +description: Determine whether a specific vulnerability claim is valid, reachable, exploitable, and impactful in an authorized environment. Use for scanner candidates, advisories, CVEs, supplied PoCs, source-level concerns, configuration weaknesses, or regression tests when the smallest safe proof, negative controls, exact build, prerequisites, boundary crossed, and confidence must be recorded. +--- + +# Validate Vulnerability + +## Overview + +Prove or refute the narrow claim with the least invasive reproduction. Separate vulnerable code or package presence from reachability, controllability, boundary crossing, and demonstrated impact. + +Read [references/validation-evidence.md](references/validation-evidence.md) for proof levels and controls. + +## Workflow + +1. Confirm authorization and exact target/build/configuration. +2. State the hypothesis. + - Define attacker position, controlled input, preconditions, code/endpoint, expected security property, and observable violation. +3. Establish controls. + - Prepare a known-vulnerable or claimed build, fixed/patched or negative build, baseline input, and minimally changed trigger when practical. +4. Trace reachability. + - Show how input reaches the affected component and whether authentication, feature flags, deployment topology, sanitization, mitigations, or dead code block it. + - Use Codex Security for repository attack-path analysis when appropriate. +5. Reproduce minimally. + - Prefer harmless markers, bounded data, synthetic accounts, and local fixtures. + - Stop before destructive impact, persistence, unrelated data access, lateral movement, or instability beyond scope. +6. Capture evidence. + - Record request/input, response/output, traces/logs, process or state change, exact tool/version, timestamps, cleanup, and retest. +7. Classify. + - Validated exploitable, validated but constrained, vulnerable component present but not reachable, false positive for this target, fixed, or unresolved. + +## Output + +Return hypothesis, environment, controls, reachability, minimal proof, impact boundary, classification/confidence, cleanup, and remediation/retest criteria. diff --git a/skills/validate-vulnerability/agents/openai.yaml b/skills/validate-vulnerability/agents/openai.yaml new file mode 100644 index 00000000..b861c1ff --- /dev/null +++ b/skills/validate-vulnerability/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Validate Vulnerability" + short_description: "Prove reachability and impact with minimal safe evidence" + default_prompt: "Use $validate-vulnerability to safely prove or refute this specific vulnerability claim." diff --git a/skills/validate-vulnerability/references/validation-evidence.md b/skills/validate-vulnerability/references/validation-evidence.md new file mode 100644 index 00000000..1c437ae2 --- /dev/null +++ b/skills/validate-vulnerability/references/validation-evidence.md @@ -0,0 +1,13 @@ +# Vulnerability Validation Evidence + +Increasing evidence strength: + +1. advisory or scanner claims a match; +2. affected component/version is present; +3. relevant feature/code path is deployed; +4. attacker-controlled input reaches the path; +5. security property is violated under controlled conditions; +6. meaningful impact is demonstrated within scope; +7. fixed build or mitigation prevents the same reproduction. + +Use negative controls to reject environmental noise. Preserve failed attempts and contradictory results. A crash alone does not establish code execution; an error alone does not establish injection; a vulnerable dependency alone does not establish reachable exposure. diff --git a/tests/test_cybersecurity_skill_contracts.py b/tests/test_cybersecurity_skill_contracts.py new file mode 100644 index 00000000..a7d43bf2 --- /dev/null +++ b/tests/test_cybersecurity_skill_contracts.py @@ -0,0 +1,121 @@ +from __future__ import annotations + +from pathlib import Path + + +ROOT = Path(__file__).resolve().parent.parent +SKILLS_ROOT = ROOT / "plugins" / "cybersecurity-skills" / "skills" + + +def skill_text(name: str) -> str: + return (SKILLS_ROOT / name / "SKILL.md").read_text(encoding="utf-8").lower() + + +def assert_contract(name: str, *required_phrases: str) -> None: + contents = skill_text(name) + missing = [phrase for phrase in required_phrases if phrase.lower() not in contents] + assert not missing, f"{name} is missing required contract phrases: {missing}" + + +def test_benign_lookalikes_do_not_become_binary_verdicts() -> None: + assert_contract( + "assess-and-explain-threat", + "binary safe/malicious verdict", + "contradicting evidence", + "state confidence separately", + ) + + +def test_remote_reputation_requires_egress_approval() -> None: + assert_contract( + "check-artifact-reputation", + "explicit approval", + "upload", + "privacy", + ) + + +def test_isolation_rejects_linux_container_for_macos_payload() -> None: + assert_contract( + "select-analysis-isolation", + "use a macos vm or spare mac for macos payload behavior", + "do not substitute a linux container", + "no host share or forwarded port remains", + ) + + +def test_authorized_testing_has_scope_and_stop_conditions() -> None: + assert_contract( + "scope-authorized-security-test", + "access to a target or a public address is not permission", + "establish stop conditions", + "update the scope record before expanding work", + ) + + +def test_vulnerability_validation_keeps_negative_results() -> None: + assert_contract( + "validate-vulnerability", + "smallest safe proof", + "not reachable", + "false positive", + "stop before destructive impact", + ) + + +def test_macos_assessment_separates_platform_controls() -> None: + assert_contract( + "assess-macos-threat", + "gatekeeper", + "notarization", + "xprotect", + "tcc", + "sip", + ) + + +def test_macos_recovery_preserves_evidence_and_verifies_outcome() -> None: + assert_contract( + "contain-and-recover-macos", + "preserve decisive evidence", + "prefer reversible", + "residual uncertainty", + "return-to-service decision", + ) + + +def test_incident_containment_records_operational_impact() -> None: + assert_contract( + "contain-security-incident", + "business impact", + "volatile evidence", + "rollback", + ) + + +def test_detection_content_requires_positive_and_negative_fixtures() -> None: + assert_contract( + "author-detection-content", + "test fixtures", + "benign negatives", + "false positives", + "telemetry contract", + ) + + +def test_non_specialist_advice_is_immediate_and_calm() -> None: + assert_contract( + "assess-and-explain-threat", + "plain-language", + "what to do now", + "avoid fear", + ) + + +def test_repository_scanning_routes_to_codex_security() -> None: + assert_contract( + "route-security-work", + "codex security", + "repository-wide", + "reverse-engineering-skills", + ) diff --git a/tests/test_validate_hermes_compatibility.py b/tests/test_validate_hermes_compatibility.py index c299eda6..dedd4eae 100644 --- a/tests/test_validate_hermes_compatibility.py +++ b/tests/test_validate_hermes_compatibility.py @@ -72,6 +72,7 @@ def configure_paths(repo_root: Path, monkeypatch: pytest.MonkeyPatch) -> None: monkeypatch.setattr(export_hermes_skills, "SOURCE_ROOT", repo_root / "plugins" / "agent-portability-skills" / "skills") monkeypatch.setattr(export_hermes_skills, "MESSAGING_SOURCE_ROOT", repo_root / "plugins" / "agent-portability-skills" / "skills") monkeypatch.setattr(export_hermes_skills, "APPLE_SOURCE_ROOT", repo_root / "plugins" / "agent-portability-skills" / "skills") + monkeypatch.setattr(export_hermes_skills, "CYBERSECURITY_SOURCE_ROOT", repo_root / "plugins" / "agent-portability-skills" / "skills") monkeypatch.setattr(export_hermes_skills, "EXPORT_ROOT", repo_root / "skills") monkeypatch.setattr(validate_hermes_compatibility, "REPO_ROOT", repo_root) monkeypatch.setattr(validate_hermes_compatibility, "EXPORT_ROOT", repo_root / "skills") From fbf76f74d3ddd19d576fd8b1edadadb490a4f32b Mon Sep 17 00:00:00 2001 From: Gale W Date: Tue, 14 Jul 2026 15:20:56 -0400 Subject: [PATCH 7/7] release: prepare v9.13.0 Verification: - shared version inventory reports 9.13.0 - 99 tests passed; 1 skipped - marketplace and Hermes validation passed - mypy passed --- plugins/agent-portability-skills/.codex-plugin/plugin.json | 2 +- plugins/agent-portability-skills/pyproject.toml | 2 +- plugins/agent-portability-skills/uv.lock | 2 +- plugins/agentdeck/.codex-plugin/plugin.json | 2 +- plugins/android-dev-skills/.codex-plugin/plugin.json | 2 +- plugins/apple-creator-studio-skills/.codex-plugin/plugin.json | 2 +- plugins/apple-dev-skills/.codex-plugin/plugin.json | 2 +- plugins/apple-dev-skills/pyproject.toml | 2 +- plugins/apple-dev-skills/uv.lock | 2 +- plugins/cardhop-app/.codex-plugin/plugin.json | 2 +- plugins/cardhop-app/mcp/pyproject.toml | 2 +- plugins/cardhop-app/mcp/uv.lock | 2 +- plugins/cloud-deployment-skills/.codex-plugin/plugin.json | 2 +- plugins/cloud-inference-skills/.codex-plugin/plugin.json | 2 +- plugins/cybersecurity-skills/.codex-plugin/plugin.json | 2 +- plugins/dotnet-skills/.codex-plugin/plugin.json | 2 +- plugins/game-dev-skills/.codex-plugin/plugin.json | 2 +- .../messaging-collaboration-skills/.codex-plugin/plugin.json | 2 +- plugins/network-protocol-skills/.codex-plugin/plugin.json | 2 +- plugins/productivity-skills/.codex-plugin/plugin.json | 2 +- plugins/productivity-skills/pyproject.toml | 2 +- plugins/productivity-skills/uv.lock | 2 +- plugins/python-skills/.codex-plugin/plugin.json | 2 +- plugins/python-skills/pyproject.toml | 2 +- plugins/python-skills/uv.lock | 2 +- plugins/reverse-engineering-skills/.codex-plugin/plugin.json | 2 +- plugins/rust-skills/.codex-plugin/plugin.json | 2 +- plugins/server-side-jvm/.codex-plugin/plugin.json | 2 +- plugins/server-side-swift/.codex-plugin/plugin.json | 2 +- plugins/spotify/.codex-plugin/plugin.json | 2 +- plugins/swift-lang/.codex-plugin/plugin.json | 2 +- plugins/swiftasb-skills/.codex-plugin/plugin.json | 2 +- plugins/things-app/.codex-plugin/plugin.json | 2 +- plugins/things-app/mcp/pyproject.toml | 2 +- plugins/things-app/mcp/uv.lock | 2 +- plugins/things-app/pyproject.toml | 2 +- plugins/things-app/uv.lock | 2 +- plugins/web-dev-skills/.codex-plugin/plugin.json | 2 +- pyproject.toml | 2 +- uv.lock | 2 +- 40 files changed, 40 insertions(+), 40 deletions(-) diff --git a/plugins/agent-portability-skills/.codex-plugin/plugin.json b/plugins/agent-portability-skills/.codex-plugin/plugin.json index 0e784d7c..5982c9c6 100644 --- a/plugins/agent-portability-skills/.codex-plugin/plugin.json +++ b/plugins/agent-portability-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "agent-portability-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Maintainer skills for Socket-owned agent skill portability, Codex plugin surfaces, and host adapter guidance.", "author": { "name": "Gale", diff --git a/plugins/agent-portability-skills/pyproject.toml b/plugins/agent-portability-skills/pyproject.toml index 881007ee..b339a7d9 100644 --- a/plugins/agent-portability-skills/pyproject.toml +++ b/plugins/agent-portability-skills/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "agent-portability-skills-maintenance" -version = "9.12.0" +version = "9.13.0" description = "Maintainer-only Python tooling baseline for Agent Portability Skills." requires-python = ">=3.11" dependencies = [] diff --git a/plugins/agent-portability-skills/uv.lock b/plugins/agent-portability-skills/uv.lock index c0eca0f9..d4526da7 100644 --- a/plugins/agent-portability-skills/uv.lock +++ b/plugins/agent-portability-skills/uv.lock @@ -8,7 +8,7 @@ resolution-markers = [ [[package]] name = "agent-portability-skills-maintenance" -version = "9.12.0" +version = "9.13.0" source = { virtual = "." } [package.dev-dependencies] diff --git a/plugins/agentdeck/.codex-plugin/plugin.json b/plugins/agentdeck/.codex-plugin/plugin.json index 35107cae..86a73462 100644 --- a/plugins/agentdeck/.codex-plugin/plugin.json +++ b/plugins/agentdeck/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "agentdeck", - "version": "9.12.0", + "version": "9.13.0", "description": "Local Codex runtime utilities for thread, hook, and app-server workflows.", "author": { "name": "Gale", diff --git a/plugins/android-dev-skills/.codex-plugin/plugin.json b/plugins/android-dev-skills/.codex-plugin/plugin.json index 7eda07cd..a77f56e4 100644 --- a/plugins/android-dev-skills/.codex-plugin/plugin.json +++ b/plugins/android-dev-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "android-dev-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Android, Kotlin, Java, Gradle, Android Gradle Plugin, testing, lint, UI implementation, and release-readiness workflow skills.", "author": { "name": "Gale", diff --git a/plugins/apple-creator-studio-skills/.codex-plugin/plugin.json b/plugins/apple-creator-studio-skills/.codex-plugin/plugin.json index 849ff083..a60bd846 100644 --- a/plugins/apple-creator-studio-skills/.codex-plugin/plugin.json +++ b/plugins/apple-creator-studio-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "apple-creator-studio-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Human-facing and Computer Use-aware Apple Creator Studio workflows for Final Cut Pro editing, Motion templates, Compressor delivery, Logic Pro production, MainStage concert preparation, and GarageBand projects.", "author": { "name": "Gale", diff --git a/plugins/apple-dev-skills/.codex-plugin/plugin.json b/plugins/apple-dev-skills/.codex-plugin/plugin.json index 633dd8c9..8b713f46 100644 --- a/plugins/apple-dev-skills/.codex-plugin/plugin.json +++ b/plugins/apple-dev-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "apple-dev-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Apple development workflows for Codex, including app extensions, MailKit, File Provider, Finder Sync, App Intents, Liquid Glass, PhotosUI/PhotoKit, VideoToolbox codecs, ARKit spatial/face/body sensing, camera/depth capture, Core Image, Image I/O, Vision/Core ML recognition, media/audio repair, local Tips/HelpViewer guide discovery, provisioning, CloudKit, TipKit, SwiftData, SwiftUI, XcodeGen, Core Animation, AppKit, Safari, security, OpenAPI, and DocC.", "author": { "name": "Gale", diff --git a/plugins/apple-dev-skills/pyproject.toml b/plugins/apple-dev-skills/pyproject.toml index 9218ec09..57c6deb5 100644 --- a/plugins/apple-dev-skills/pyproject.toml +++ b/plugins/apple-dev-skills/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "apple-dev-skills-maintainer" -version = "9.12.0" +version = "9.13.0" description = "Maintainer tooling for the apple-dev-skills repository" requires-python = ">=3.10" dependencies = [] diff --git a/plugins/apple-dev-skills/uv.lock b/plugins/apple-dev-skills/uv.lock index 1fcb35a5..7b19783f 100644 --- a/plugins/apple-dev-skills/uv.lock +++ b/plugins/apple-dev-skills/uv.lock @@ -4,7 +4,7 @@ requires-python = ">=3.10" [[package]] name = "apple-dev-skills-maintainer" -version = "9.12.0" +version = "9.13.0" source = { virtual = "." } [package.dev-dependencies] diff --git a/plugins/cardhop-app/.codex-plugin/plugin.json b/plugins/cardhop-app/.codex-plugin/plugin.json index 5bccd40f..43e1cb4f 100644 --- a/plugins/cardhop-app/.codex-plugin/plugin.json +++ b/plugins/cardhop-app/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "cardhop-app", - "version": "9.12.0", + "version": "9.13.0", "description": "Cardhop.app workflow guidance plus a bundled local MCP server for contact capture and updates on macOS.", "author": { "name": "Gale", diff --git a/plugins/cardhop-app/mcp/pyproject.toml b/plugins/cardhop-app/mcp/pyproject.toml index 0a30ca2a..adfaf590 100644 --- a/plugins/cardhop-app/mcp/pyproject.toml +++ b/plugins/cardhop-app/mcp/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "cardhop-app-mcp" -version = "9.12.0" +version = "9.13.0" requires-python = ">=3.13" dependencies = [ "fastmcp>=3.0.2", diff --git a/plugins/cardhop-app/mcp/uv.lock b/plugins/cardhop-app/mcp/uv.lock index 06f30b2c..26c01a6b 100644 --- a/plugins/cardhop-app/mcp/uv.lock +++ b/plugins/cardhop-app/mcp/uv.lock @@ -138,7 +138,7 @@ wheels = [ [[package]] name = "cardhop-app-mcp" -version = "9.12.0" +version = "9.13.0" source = { virtual = "." } dependencies = [ { name = "fastmcp" }, diff --git a/plugins/cloud-deployment-skills/.codex-plugin/plugin.json b/plugins/cloud-deployment-skills/.codex-plugin/plugin.json index b3eade2b..21dcfdfa 100644 --- a/plugins/cloud-deployment-skills/.codex-plugin/plugin.json +++ b/plugins/cloud-deployment-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "cloud-deployment-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Codex skills for routing cloud deployment work through official provider plugins, MCP servers, CLIs, and Socket-owned deployment guidance.", "author": { "name": "Gale", diff --git a/plugins/cloud-inference-skills/.codex-plugin/plugin.json b/plugins/cloud-inference-skills/.codex-plugin/plugin.json index ddc695b1..75f1bc30 100644 --- a/plugins/cloud-inference-skills/.codex-plugin/plugin.json +++ b/plugins/cloud-inference-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "cloud-inference-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Cloud AI inference workflow skills for routing model serving, training, conversion, and GPU infrastructure work across Runpod, Hugging Face, AWS, Vast.ai, CoreWeave, and similar providers.", "author": { "name": "Gale", diff --git a/plugins/cybersecurity-skills/.codex-plugin/plugin.json b/plugins/cybersecurity-skills/.codex-plugin/plugin.json index 1bd61e9c..54f011c0 100644 --- a/plugins/cybersecurity-skills/.codex-plugin/plugin.json +++ b/plugins/cybersecurity-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "cybersecurity-skills", - "version": "9.11.0", + "version": "9.13.0", "description": "Defensive cybersecurity, suspicious-content, malware-analysis, macOS, vulnerability, pentest, and incident-response workflows.", "skills": "./skills/", "author": { diff --git a/plugins/dotnet-skills/.codex-plugin/plugin.json b/plugins/dotnet-skills/.codex-plugin/plugin.json index 36508957..1da984c7 100644 --- a/plugins/dotnet-skills/.codex-plugin/plugin.json +++ b/plugins/dotnet-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "dotnet-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Codex skills for choosing, bootstrapping, building, testing, packaging, diagnosing, and maintaining .NET projects with F# and C# as equal first-party languages.", "author": { "name": "Gale", diff --git a/plugins/game-dev-skills/.codex-plugin/plugin.json b/plugins/game-dev-skills/.codex-plugin/plugin.json index 2f81e432..4eb2a1df 100644 --- a/plugins/game-dev-skills/.codex-plugin/plugin.json +++ b/plugins/game-dev-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "game-dev-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Apple platform game development workflow skills for SpriteKit, SceneKit, GameplayKit, controller input, haptics, profiling, and game-stack routing.", "author": { "name": "Gale", diff --git a/plugins/messaging-collaboration-skills/.codex-plugin/plugin.json b/plugins/messaging-collaboration-skills/.codex-plugin/plugin.json index 2059f8ac..d5f32a14 100644 --- a/plugins/messaging-collaboration-skills/.codex-plugin/plugin.json +++ b/plugins/messaging-collaboration-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "messaging-collaboration-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Codex workflows for chat apps, bots, collaboration, iMessage, Apple notifications and Push to Talk, VoIP, and default communication-app planning.", "author": { "name": "Gale", diff --git a/plugins/network-protocol-skills/.codex-plugin/plugin.json b/plugins/network-protocol-skills/.codex-plugin/plugin.json index 231428df..77e8bb2a 100644 --- a/plugins/network-protocol-skills/.codex-plugin/plugin.json +++ b/plugins/network-protocol-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "network-protocol-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Codex skills for choosing, planning, implementing, and diagnosing modern application transports and real-time networking protocols, including QUIC, HTTP/3, WebRTC, Media over QUIC, WebTransport-adjacent handoffs, protocol maturity checks, and stack-specific implementation routing.", "author": { "name": "Gale", diff --git a/plugins/productivity-skills/.codex-plugin/plugin.json b/plugins/productivity-skills/.codex-plugin/plugin.json index 8c70faeb..454ee6ba 100644 --- a/plugins/productivity-skills/.codex-plugin/plugin.json +++ b/plugins/productivity-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "productivity-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Broadly useful productivity workflows for Codex.", "author": { "name": "Gale", diff --git a/plugins/productivity-skills/pyproject.toml b/plugins/productivity-skills/pyproject.toml index 6a7b8a56..486ef7b7 100644 --- a/plugins/productivity-skills/pyproject.toml +++ b/plugins/productivity-skills/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "productivity-skills-maintenance" -version = "9.12.0" +version = "9.13.0" description = "Maintainer-only Python tooling baseline for productivity-skills." requires-python = ">=3.11" dependencies = [] diff --git a/plugins/productivity-skills/uv.lock b/plugins/productivity-skills/uv.lock index 46bad497..17f7af2f 100644 --- a/plugins/productivity-skills/uv.lock +++ b/plugins/productivity-skills/uv.lock @@ -228,7 +228,7 @@ wheels = [ [[package]] name = "productivity-skills-maintenance" -version = "9.12.0" +version = "9.13.0" source = { virtual = "." } [package.dev-dependencies] diff --git a/plugins/python-skills/.codex-plugin/plugin.json b/plugins/python-skills/.codex-plugin/plugin.json index 02c7aa30..79a18de8 100644 --- a/plugins/python-skills/.codex-plugin/plugin.json +++ b/plugins/python-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "python-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Bundled Python-focused Codex skills for uv bootstrapping, project implementation, diagnostics, packaging, tooling, CI, upgrades, FastAPI, FastMCP, and pytest workflows.", "author": { "name": "Gale", diff --git a/plugins/python-skills/pyproject.toml b/plugins/python-skills/pyproject.toml index 2963649d..c2854d06 100644 --- a/plugins/python-skills/pyproject.toml +++ b/plugins/python-skills/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "python-skills-maintainer" -version = "9.12.0" +version = "9.13.0" description = "Maintainer tooling for the python-skills repository" requires-python = ">=3.11" dependencies = [] diff --git a/plugins/python-skills/uv.lock b/plugins/python-skills/uv.lock index 2d2b98de..e5b87f39 100644 --- a/plugins/python-skills/uv.lock +++ b/plugins/python-skills/uv.lock @@ -251,7 +251,7 @@ wheels = [ [[package]] name = "python-skills-maintainer" -version = "9.12.0" +version = "9.13.0" source = { virtual = "." } [package.dev-dependencies] diff --git a/plugins/reverse-engineering-skills/.codex-plugin/plugin.json b/plugins/reverse-engineering-skills/.codex-plugin/plugin.json index ef6e35c3..67752775 100644 --- a/plugins/reverse-engineering-skills/.codex-plugin/plugin.json +++ b/plugins/reverse-engineering-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "reverse-engineering-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Workflow skills for reverse engineering, decompilation, disassembly, symbol, and artifact-analysis tasks.", "skills": "./skills/", "author": { diff --git a/plugins/rust-skills/.codex-plugin/plugin.json b/plugins/rust-skills/.codex-plugin/plugin.json index e68947a7..b32c056d 100644 --- a/plugins/rust-skills/.codex-plugin/plugin.json +++ b/plugins/rust-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "rust-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Rust, Cargo, rustup, crate, workspace, CLI, library, package, CI, testing, linting, and formatting workflow skills.", "skills": "./skills/", "author": { diff --git a/plugins/server-side-jvm/.codex-plugin/plugin.json b/plugins/server-side-jvm/.codex-plugin/plugin.json index 57021839..9753c1d5 100644 --- a/plugins/server-side-jvm/.codex-plugin/plugin.json +++ b/plugins/server-side-jvm/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "server-side-jvm", - "version": "9.12.0", + "version": "9.13.0", "description": "Codex skills for choosing, building, testing, and maintaining server-side JVM backend projects with Java and Scala as equal first-party languages and future Clojure support planned.", "author": { "name": "Gale", diff --git a/plugins/server-side-swift/.codex-plugin/plugin.json b/plugins/server-side-swift/.codex-plugin/plugin.json index 6c15e81f..9b9f80c2 100644 --- a/plugins/server-side-swift/.codex-plugin/plugin.json +++ b/plugins/server-side-swift/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "server-side-swift", - "version": "9.12.0", + "version": "9.13.0", "description": "Codex skills for bootstrapping, syncing, building, running, containerizing, deploying, and maintaining server-side Swift services, including Vapor, Hummingbird, hb, persistence, Swift OpenAPI, RPC-fit decisions, SwiftNIO, observability, auth, app sync, Docker, Apple Containerization, Fly.io, and SwiftPM-first workflows.", "author": { "name": "Gale", diff --git a/plugins/spotify/.codex-plugin/plugin.json b/plugins/spotify/.codex-plugin/plugin.json index 5efd8210..8264f748 100644 --- a/plugins/spotify/.codex-plugin/plugin.json +++ b/plugins/spotify/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "spotify", - "version": "9.12.0", + "version": "9.13.0", "description": "Placeholder plugin repository for future Spotify-focused Codex workflows.", "author": { "name": "Gale", diff --git a/plugins/swift-lang/.codex-plugin/plugin.json b/plugins/swift-lang/.codex-plugin/plugin.json index 5b3e9a64..6e11e90a 100644 --- a/plugins/swift-lang/.codex-plugin/plugin.json +++ b/plugins/swift-lang/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "swift-lang", - "version": "9.12.0", + "version": "9.13.0", "description": "Shared Swift language skills for API style, error handling, functional pipelines, formatting, source organization, and modernization cleanup.", "skills": "./skills/", "author": { diff --git a/plugins/swiftasb-skills/.codex-plugin/plugin.json b/plugins/swiftasb-skills/.codex-plugin/plugin.json index 0ea979eb..98c8d1ed 100644 --- a/plugins/swiftasb-skills/.codex-plugin/plugin.json +++ b/plugins/swiftasb-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "swiftasb-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Codex skills for explaining SwiftASB and building SwiftUI, AppKit, and Swift package integrations on top of it.", "author": { "name": "Gale", diff --git a/plugins/things-app/.codex-plugin/plugin.json b/plugins/things-app/.codex-plugin/plugin.json index c864da53..40c3af6c 100644 --- a/plugins/things-app/.codex-plugin/plugin.json +++ b/plugins/things-app/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "things-app", - "version": "9.12.0", + "version": "9.13.0", "description": "Things.app skills and a bundled local MCP server for reminders, planning digests, and structured task workflows.", "author": { "name": "Gale", diff --git a/plugins/things-app/mcp/pyproject.toml b/plugins/things-app/mcp/pyproject.toml index 49865676..f3e2bcf8 100644 --- a/plugins/things-app/mcp/pyproject.toml +++ b/plugins/things-app/mcp/pyproject.toml @@ -7,7 +7,7 @@ packages = ["app"] [project] name = "things-mcp" -version = "9.12.0" +version = "9.13.0" requires-python = ">=3.13" dependencies = [ "fastmcp>=3.0.2", diff --git a/plugins/things-app/mcp/uv.lock b/plugins/things-app/mcp/uv.lock index c3b2ba0b..3cfd8c44 100644 --- a/plugins/things-app/mcp/uv.lock +++ b/plugins/things-app/mcp/uv.lock @@ -1241,7 +1241,7 @@ wheels = [ [[package]] name = "things-mcp" -version = "9.12.0" +version = "9.13.0" source = { editable = "." } dependencies = [ { name = "fastmcp" }, diff --git a/plugins/things-app/pyproject.toml b/plugins/things-app/pyproject.toml index a295e780..54837a42 100644 --- a/plugins/things-app/pyproject.toml +++ b/plugins/things-app/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "things-app-maintenance" -version = "9.12.0" +version = "9.13.0" description = "Maintainer-only Python tooling baseline for things-app skills and plugin packaging." requires-python = ">=3.11" dependencies = [] diff --git a/plugins/things-app/uv.lock b/plugins/things-app/uv.lock index 77d3faf1..fd0b8c36 100644 --- a/plugins/things-app/uv.lock +++ b/plugins/things-app/uv.lock @@ -120,7 +120,7 @@ wheels = [ [[package]] name = "things-app-maintenance" -version = "9.12.0" +version = "9.13.0" source = { virtual = "." } [package.dev-dependencies] diff --git a/plugins/web-dev-skills/.codex-plugin/plugin.json b/plugins/web-dev-skills/.codex-plugin/plugin.json index bce4e434..0b86138f 100644 --- a/plugins/web-dev-skills/.codex-plugin/plugin.json +++ b/plugins/web-dev-skills/.codex-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "web-dev-skills", - "version": "9.12.0", + "version": "9.13.0", "description": "Codex skills for focused web and Expo native-boundary workflows.", "author": { "name": "Gale", diff --git a/pyproject.toml b/pyproject.toml index 4b0ab266..6c32398f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "socket-maintenance" -version = "9.12.0" +version = "9.13.0" description = "Root uv tooling baseline for the socket superproject." requires-python = ">=3.11" dependencies = [] diff --git a/uv.lock b/uv.lock index a2a35287..b3c4f576 100644 --- a/uv.lock +++ b/uv.lock @@ -286,7 +286,7 @@ wheels = [ [[package]] name = "socket-maintenance" -version = "9.12.0" +version = "9.13.0" source = { virtual = "." } [package.dev-dependencies]