Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue
Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, orā¦
Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 tokenā¦
A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules areā¦
A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules areā¦
Pre-install security vetting for OpenClaw skills using a structured red-flag checklist. Evaluates metadata, permission scope, and content against critical, warning, and informational risk categories Detects typosquatting, credential file references, obfuscated content, and command injection patterns Flags high-risk permission combinations like network + shell that enable data exfiltration Produces a standardized vetting report with verdict (Safe/Warning/Danger/Block) and install recommendation
email-and-password-best-practices ā an installable skill for AI agents, published by better-auth/skills.
Google Workspace IT administration with security monitoring and configuration capabilities. Requires three prerequisite skills: gws-gmail, gws-drive, and gws-calendar for full functionality Includes standup-report workflow to review pending IT requests and security alerts at the start of each day Supports monitoring of suspicious login activity, audit log review, and Drive sharing policy configuration Recommends using --dry-run flag before bulk operations and regular permission verification via gws auth status
Comprehensive security hardening for web applications covering HTTPS, input validation, authentication, and OWASP Top 10 vulnerabilities. Enforces HTTPS, security headers (CSP, HSTS), and rate limiting via Helmet and Express middleware to prevent DDoS and common attacks Prevents SQL Injection and XSS through parameterized queries, input validation with Joi, and output encoding with DOMPurify Implements CSRF token protection, JWT-based authentication with refresh token rotation, and secret management via environment variables Includes OWASP Top 10 checklist and best practices for access control, defense in depth, and principle of least privilege
Google Model Armor: Filter user-generated content for safety. Provides three core helper commands: sanitize prompts, sanitize responses, and create custom filtering templates Integrates with Google Workspace services via the gws CLI tool with shared authentication and security rules Requires schema inspection via gws schema to discover available resources, methods, and parameter requirements before executing API calls
Create Google Model Armor templates to filter prompts and responses for safety. Requires GCP project ID, location, and template ID; supports preset templates (jailbreak) or custom JSON configuration Templates work with companion sanitize-prompt and sanitize-response commands for comprehensive content filtering Write operation requiring user confirmation before execution Defaults to jailbreak preset if no preset or JSON configuration is specified
Sanitize user prompts through Google Model Armor safety templates. Requires a Model Armor template resource name and accepts text input via flag, stdin, or full JSON request body Designed for inbound prompt safety; use the companion +sanitize-response command for outbound response filtering Integrates with Google Cloud authentication and global flags defined in gws-shared
Sanitize model responses through Google Model Armor templates for outbound safety. Applies Model Armor templates to filter model outputs before delivery to users Accepts text input via --text flag or piped stdin, with optional full JSON request body override Requires template resource name in format projects/PROJECT/locations/LOCATION/templates/TEMPLATE Complements the +sanitize-prompt command for inbound user input safety
better-auth-security-best-practices ā an installable skill for AI agents, published by better-auth/skills.
Transform threat analysis into actionable security requirements. Converts STRIDE threat categories into functional, non-functional, and constraint requirements with automatic priority calculation based on impact and likelihood Generates security user stories, acceptance criteria, and test cases directly from threats; includes traceability matrices linking threats to requirements Maps requirements to compliance frameworks (PCI-DSS, HIPAA, GDPR, SOC2, NIST, ISO 27001, OWASP) and identifies coverage gaps Organizes requirements by security domain (authentication, authorization, data protection, audit logging, input validation, cryptography, and six others) with built-in filtering and export to markdown
Comprehensive smart contract security patterns, vulnerability prevention, and secure Solidity development practices. Covers critical vulnerabilities including reentrancy, integer overflow/underflow, access control failures, and front-running with vulnerable code examples and secure patterns Teaches Checks-Effects-Interactions pattern, pull-over-push payment design, input validation, and emergency stop mechanisms for production-ready contracts Includes gas optimization techniques such as storage packing, calldata usage, and event-based data storage Provides security checklist, Hardhat testing examples for vulnerability detection, and audit preparation guidelines with proper documentation standards
Defense-in-depth Kubernetes security through network policies, pod security standards, RBAC, and admission control. Covers three pod security levels (Privileged, Baseline, Restricted) enforced via namespace labels for graduated security posture Provides NetworkPolicy templates for default-deny, service-to-service communication, and DNS egress patterns Includes RBAC configuration examples for roles, cluster roles, and bindings to implement least-privilege access Demonstrates OPA Gatekeeper constraint templates and Istio mTLS/AuthorizationPolicy for policy enforcement and service mesh security References CIS Kubernetes Benchmark and NIST Cybersecurity Framework compliance patterns with troubleshooting commands for NetworkPolicy and RBAC validation
GDPR-compliant data handling with consent management, data subject rights, and privacy controls. Implements consent management with audit trails, data subject access requests (DSARs), erasure, portability, and rectification workflows Provides data retention policies with legal basis tracking, anonymization options, and automated enforcement Includes breach notification handling with 72-hour authority reporting and affected individual notification workflows Covers privacy-by-design patterns including data minimization, encryption, pseudonymization, and separation of PII from behavioral data Offers compliance checklist and best practices for legal bases, transparency, security, and documentation requirements
Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.