Detect abuse of service accounts through anomalous interactive logons, privilege escalation, lateral movement,
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents (Claude Code, Cursor, Codex, etc.).
Detects typosquatting attacks in npm and PyPI package registries by analyzing package name similarity using
Detect C2 beaconing patterns in network traffic using frequency analysis, jitter detection, and domain reputation
Hunt for data exfiltration through network traffic analysis, detecting unusual data flows, DNS tunneling, cloud
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests
Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse
Hunt for registry-based persistence mechanisms including Run keys, Winlogon modifications, IFEO injection, and
Hunt for adversary persistence via Windows Scheduled Tasks by analyzing task creation events, suspicious task
Hunt for Volume Shadow Copy deletion activity that indicates ransomware preparation or anti-forensics by monitoring
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation,
Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies,
Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious
Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard
Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event
Configure IAM permission boundaries in AWS to delegate role creation to developers while enforcing maximum privilege
Implement Amazon Macie to automatically discover, classify, and protect sensitive data in S3 buckets using machine
Configure Microsoft Entra Privileged Identity Management to enforce just-in-time role activation, approval workflows,
Implement the CISA Zero Trust Maturity Model v2.0 across the five pillars of identity, devices, networks, applications,
Enforce Kubernetes network segmentation using Calico CNI network policies and global network policies to control
Implements eBPF-based security monitoring using Cilium Tetragon for real-time process execution tracking, network
Deploy SailPoint IdentityNow or IdentityIQ for identity governance and administration. Covers identity lifecycle
Implement Just-In-Time (JIT) access provisioning to eliminate standing privileges by granting temporary, time-bound
Implementing microsegmentation using Akamai Guardicore Segmentation to map application dependencies, create
This skill covers implementing North American Electric Reliability Corporation Critical Infrastructure Protection
Implements 802.1X port-based network access control using RADIUS authentication, PacketFence NAC, and switch
Configure and deploy Palo Alto Networks next-generation firewalls with App-ID, User-ID, zone-based policies,
Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across
Harden Kubernetes Role-Based Access Control by implementing least-privilege policies, auditing role bindings,
Implement eBPF-based runtime security observability and enforcement in Kubernetes clusters using Cilium Tetragon
Tune SIEM detection rules to reduce false positives by analyzing alert volumes, creating whitelists, adjusting
Investigates phishing email incidents from initial user report through header analysis, URL/attachment detonation,
The Common Vulnerability Scoring System (CVSS) is the industry standard framework maintained by FIRST (Forum
Reverse engineers malicious Android APK files using JADX decompiler to analyze Java/Kotlin source code, identify
Harbor is an open-source container registry that provides security features including vulnerability scanning
Create PR for feature branches targeting main.
Identifies dependencies at heightened risk of exploitation or takeover. Use when assessing supply chain attack surface, evaluating dependency health, or scoping security engagements.
A 6-phase process for creating a workflow-based skill from scratch.
Plan for adding temporary ID support to safe output jobs
General-purpose content creation workflow: topic planning → editor-in-chief review → copywriting → editor-in-chief review, producing a platform-independent final Markdown draft. Trigger words: write an article, content creation, topic creation, start the creation workflow. Requires content-creation to be installed first.
- Every commit should be associated with the relevant GitHub issue when one exists.
Autonomous financial research agent for stock analysis, financial statements, metrics, prices, SEC filings, and crypto data.
Reconciles data sources using stable identifiers (Pay Number, driving licence, driver card, and driver qualification card numbers), producing exception reports and “no silent failure” checks. Use when you need weekly matching with explicit reasons for non-joins and mismatches.
AI ecommerce operations manager
Prioritize vulnerability remediation using KEV-style exploitation context plus asset criticality. Use for CVE triage, patch order decisions, and remediation reporting.
Reverse paper reading: given a paper, recursively find the prior papers it critiques and improves upon (up to 5 levels), then find the latest developments that followed it, and narrate the evolution of the problem forward from its origin. With the problem as the axis, explain Feynman-style the problem each paper identified and the innovation in its solution. Use when the user shares a paper and wants to understand its intellectual lineage, citation chain, problem evolution, or says '倒读', '论文溯源', '论文脉络', 'paper river', 'paper connects', 'trace back', '这篇论文的来龙去脉', '论文演化'. Also trigger when the user wants to understand how a research problem evolved across multiple papers.
Writing engine. Start from a single viewpoint and think it through in the process of writing.
Scan ClawHub skills for prompt injection and malicious content using Lakera Guard before installing them. Run automatically when the user asks to install a skill, or on-demand to audit any skill by slug or search query.
Execute cross-chain token trading on EVM and Solana with Particle Network Universal Account SDK. Use when users ask to set up universal-account-example, buy or sell tokens, run convert/swap flows, transfer assets, call custom transactions, query balances/history, or monitor transaction status via WebSocket.