Guardduty Explainer (OpenClaw skill, on-site mirror)

Translate GuardDuty findings into plain-English incident summaries with actionable response steps

Category: Development & DevOps

Author: Anmol Nagpal @anmolnagpal

License: MIT-0

MIT-0 · Free to use, modify and redistribute. No attribution required.

Version: v1.0.0

Stats: ⭐ 0 · 183 · 0 current installs · 0 all-time installs


Package: anmolnagpal/guardduty-explainer

Security scan (ClawHub)

  • VirusTotal: benign
  • OpenClaw: benign

OpenClaw assessment

The skill is an instruction-only GuardDuty findings explainer that asks users to paste exported GuardDuty JSON and produces human-readable summaries and suggested CLI remediation — its requirements and instructions are coherent with its stated purpose.

Purpose

The name/description match the behavior: it asks for GuardDuty JSON and produces explanations and playbooks. It does not request credentials, unrelated environment variables, or unexpected binaries. Example AWS CLI commands and minimal read-only IAM actions are appropriate for the stated task.

Instruction scope

SKILL.md confines runtime actions to analyzing user-provided GuardDuty JSON and producing outputs (alerts, playbooks, suggested AWS CLI commands). It explicitly states it will not call AWS or require credentials and instructs the agent to confirm pasted data contains no credentials before processing.

Install mechanism

No install spec or code files are present; the skill is instruction-only so there is no disk install risk.

Credentials

No environment variables, config paths, or credentials are requested. The minimal IAM permissions shown are read-only and are appropriate examples for retrieving findings; the skill instructs users not to share keys.

Persistence

The `always` flag is false, no privileged persistent presence is requested, and the skill does not modify other skills or system-wide settings.

Overall conclusion

This skill appears coherent and useful, but follow these precautions before using it: (1) Never paste AWS credentials, secret keys, or long logs that might contain secrets — scrub findings first. (2) Treat any generated AWS CLI commands as suggestions: review and run them from a trusted shell with appropriate permissions (prefer least-privilege, staging, or read-only where possible). (3) Validate suggested containment/remediation steps against…

Install (copy to the Lobster AI)

Copy the whole block below into a Lobster Chinese Library (龙虾中文库) conversation; the Lobster AI completes the install according to SKILL.md.

Hand this block to the Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Guardduty Explainer" on this machine. Summary: Translate GuardDuty findings into plain-English incident summaries with actiona…
Please fetch the following URL, read SKILL.md and complete the install as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/anmolnagpal/guardduty-explainer/SKILL.md
(Source: yingzhi8.cn skill library)

SKILL.md


---
name: aws-guardduty-explainer
description: Translate GuardDuty findings into plain-English incident summaries with actionable response steps
tools: claude, bash
version: "1.0.0"
pack: aws-security
tier: security
price: 49/mo
permissions: read-only
credentials: none — user provides exported data
---

# AWS GuardDuty Finding Explainer & Responder

You are an AWS threat response expert. Turn raw GuardDuty JSON into instant incident action plans.

> **This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.**

## Required Inputs

Ask the user to provide **one or more** of the following (the more provided, the better the analysis):

1. **GuardDuty finding JSON** — paste directly from the console or export via CLI
   ```bash
   aws guardduty get-findings \
     --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
     --finding-ids <finding-id> \
     --output json
   ```
2. **List of active GuardDuty findings** — all findings at severity ≥ 4
   ```bash
   aws guardduty list-findings \
     --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
     --finding-criteria '{"Criterion":{"severity":{"Gte":4}}}' \
     --output json
   ```
3. **GuardDuty findings export from console** — for bulk analysis
   ```
   How to export: AWS Console → GuardDuty → Findings → Actions → Export findings → S3 → download JSON
   ```

**Minimum required IAM permissions to run the CLI commands above (read-only):**
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["guardduty:ListFindings", "guardduty:GetFindings", "guardduty:ListDetectors"],
    "Resource": "*"
  }]
}
```

If the user cannot provide any data, ask them to paste the GuardDuty finding text from the console "Details" panel, or describe the alert title and severity.


## Steps
1. Parse GuardDuty finding JSON — extract type, severity, resource, and actor
2. Explain what happened in plain English
3. Assess false positive likelihood
4. Map to MITRE ATT&CK technique
5. Generate prioritized response playbook

## GuardDuty Finding Types Covered
- `UnauthorizedAccess:EC2/SSHBruteForce` — SSH brute force on EC2
- `CryptoCurrency:EC2/BitcoinTool.B!DNS` — crypto-mining activity
- `Trojan:EC2/BlackholeTraffic` — C2 communication
- `Recon:IAMUser/MaliciousIPCaller` — API calls from known malicious IP
- `PrivilegeEscalation:IAMUser/AnomalousBehavior` — unusual privilege activity
- `Stealth:IAMUser/PasswordPolicyChange` — weakening account password policy
- `Exfiltration:S3/ObjectRead.Unusual` — unusual S3 data access
- EKS, RDS, Lambda, and Malware Protection findings

## Output Format
- **Slack/PagerDuty Alert**: one-liner with severity emoji
- **Plain-English Explanation**: what happened, why it's dangerous
- **False Positive Assessment**: likelihood (Low/Medium/High) with reasoning
- **MITRE ATT&CK**: technique ID + name
- **Response Playbook**: ordered steps (Contain → Investigate → Remediate → Harden)
- **AWS CLI Commands**: for isolation, credential revocation, instance quarantine

## Rules
- Severity: Critical (7.0-8.9) → immediate response; High (4.0-6.9) → same day
- Always include an "If false positive" path in the playbook
- Note finding age — findings > 24 hours old without response need escalation
- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
- If user pastes raw data, confirm no credentials are included before processing
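The parsing step from the Steps section and the severity, finding-age and credential rules above, as an added Python example that is not part of the skill itself. The sample finding is constructed (its shape follows `aws guardduty get-findings` output, all values are made up), and the secret-field marker list is this example's own assumption about what a pasted credential export would contain.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: shape follows `aws guardduty get-findings` output; every value is made up.
SAMPLE = json.dumps({"Findings": [{
    "Id": "example-finding-id-0001", "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "Severity": 5.0, "UpdatedAt": "2024-05-01T10:00:00.000Z",
    "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0example"}},
    "Service": {"Action": {"ActionType": "NETWORK_CONNECTION", "NetworkConnectionAction": {
        "RemoteIpDetails": {"IpAddressV4": "203.0.113.7"}}}}}]})

# Assumed field names that carry secrets in AWS credential exports. Access key IDs (AKIA...)
# appear legitimately in IAM findings and are not secrets, so they are deliberately not matched.
SECRET_MARKERS = ("SecretAccessKey", "aws_secret_access_key", "SessionToken", "aws_session_token")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # GuardDuty CreatedAt/UpdatedAt timestamp format

def contains_credentials(raw):
    """Rules section: confirm pasted data carries no credentials before processing."""
    return any(marker in raw for marker in SECRET_MARKERS)

def response_tier(severity):
    """Rules section: Critical 7.0-8.9 -> immediate; High 4.0-6.9 -> same day."""
    if 7.0 <= severity <= 8.9:
        return "immediate"
    if 4.0 <= severity <= 6.9:
        return "same day"
    return "informational"

def needs_escalation(updated_at, now_iso):
    """Rules section: a finding older than 24 hours without response needs escalation."""
    age = datetime.strptime(now_iso, TS_FMT) - datetime.strptime(updated_at, TS_FMT)
    return age > timedelta(hours=24)

def parse_finding(finding, now_iso):
    """Step 1: extract type, severity, resource and actor from one finding."""
    res = finding["Resource"]
    resource = (res.get("InstanceDetails", {}).get("InstanceId")
                or res.get("AccessKeyDetails", {}).get("UserName") or res["ResourceType"])
    action = finding["Service"]["Action"]
    details = action.get("NetworkConnectionAction") or action.get("AwsApiCallAction") or {}
    actor = details.get("RemoteIpDetails", {}).get("IpAddressV4", "unknown")
    return {"type": finding["Type"], "severity": finding["Severity"], "resource": resource,
            "actor": actor, "tier": response_tier(finding["Severity"]),
            "escalate": needs_escalation(finding["UpdatedAt"], now_iso)}

def triage(raw, now_iso=None):
    """Apply the credential check, then parse every finding in a get-findings export."""
    if contains_credentials(raw):
        raise ValueError("refusing to process: pasted data appears to contain credentials")
    now_iso = now_iso or datetime.now(timezone.utc).strftime(TS_FMT)
    return [parse_finding(f, now_iso) for f in json.loads(raw)["Findings"]]
```

`triage(SAMPLE)` returns one record per finding with the fields the Steps section asks for plus the response tier and escalation flag the Rules section defines.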