Use when the user asks to analyze a project, understand the tech stack, detect frameworks, check what languages are used, identify runtimes or package managers, or as a first step before security/vulnerability scans
Generate all orchestrator report types — execution summaries, agent performance, workflow analytics, health, config audit, and HTML dashboard with charts. Use after task runs or for project status overview.
Real-time AI agent security scanner. Detects prompt injection, jailbreak attempts, credential/secret leaks, PII exposure, and dangerous tool calls. Activate when: (1) scanning inbound messages or tool outputs for prompt injection, (2) checking outbound content for credential leaks or PII, (3) auditing agent session logs for security events, (4) evaluating tool call safety before execution, (5) user asks about security scanning or threat detection. Covers OWASP Top 10 Agentic AI risks. --- # ClawMoat — Security Moat for AI Agents ## Scripts All scripts are in `scripts/`. They wrap the `clawmoat` CLI and log results to `clawmoat-scan.log`. ### Scan Text Scan any text for threats (prompt injection, secrets, PII, exfiltration): ```bash scripts/scan.sh "text to scan" ``` Returns JSON with findings. Logs to `clawmoat-scan.log`. Exits non-zero on CRITICAL/HIGH findings. ### Scan File ```bash scripts/scan.sh --file /path/to/file.txt ``` ### Audit Session
Bridge audit trails and memory frames for comprehensive session recording. Greek: ζ (zeta) — Decision Trail, η (eta) — Proof Store. Use when recording audit sessions, creating memory bundles, linking audit trails to memory, or finalizing session proofs with memory archives.
Pipeline de seguridad adversarial — Red Team, Blue Team, Auditor con scoring
Scan for and fix vulnerable npm dependencies in this Yarn Berry monorepo by updating the yarn.lock file. Use when user asks to fix vulnerabilities, run security audit, or update vulnerable dependencies.
Preflight security scanner for AI coding agents — scans deployment config, skills/MCP servers, memory/sessions, and AI agent config files (hooks injection) for secrets, PII, prompt injection, and dangerous patterns. Runs 4 model behavior probes (persuasion, sandbagging, deception, hallucination). Supports LLM-enhanced semantic analysis. Works with OpenClaw, Claude Code, Cursor, and Codex. Use when a user asks for a security audit, health check, or wants to scan their AI agent setup for vulnerabilities.
Audit all table and figure captions for language, notation, and formatting consistency
Full KYC customer onboarding with mandatory Step 0 independent verification (5+1 searches), 17 sequential stagegates requiring explicit analyst consent, deterministic four-factor risk scoring, case folder auto-creation, 4-sheet Excel dashboard, 17-section PDF report, and immutable audit trail. Covers UK/EU (AMLD5), US (FinCEN CDD), and MENA jurisdictions.
Review code changes for quality, security, and correctness. Use when the user says "review this PR", "review these changes", "check my code", "look at what I changed", or after implementing a feature. Produces a severity-organized report.
Analyze pull requests and diffs for bugs, security vulnerabilities, performance issues, style violations, and test coverage gaps — producing structured, actionable feedback
Comprehensive accessibility audit to identify WCAG compliance issues and barriers to inclusive design.
skill-sample/ ├─ SKILL.md ⭐ Required: skill entry doc (purpose / usage / examples / deps) ├─ manifest.sample.json ⭐ Recommended: machine-readable metadata (index / validation / autofill) ├─ LICENSE.sample ⭐ Recommended: license & scope (open source / restriction / commercial) ├─ scripts/ │ └─ example-run.py ✅ Runnable example script for quick verification ├─ assets/ │ ├─ example-formatting-guide.md 🧩 Output conventions: layout / structure / style │ └─ example-template.tex 🧩 Templates: quickly generate standardized output └─ references/ 🧩 Knowledge base: methods / guides / best practices ├─ example-ref-structure.md 🧩 Structure reference ├─ example-ref-analysis.md 🧩 Analysis reference └─ example-ref-visuals.md 🧩 Visual reference
More Agent Skills specs Anthropic docs: https://agentskills.io/home
├─ ⭐ Required: YAML Frontmatter (must be at top) │ ├─ ⭐ name : unique skill name, follow naming convention │ └─ ⭐ description : include trigger keywords for matching │ ├─ ✅ Optional: Frontmatter extension fields │ ├─ ✅ license : license identifier │ ├─ ✅ compatibility : runtime constraints when needed │ ├─ ✅ metadata : key-value fields (author/version/source_url...) │ └─ 🧩 allowed-tools : tool whitelist (experimental) │ └─ ✅ Recommended: Markdown body (progressive disclosure) ├─ ✅ Overview / Purpose ├─ ✅ When to use ├─ ✅ Step-by-step ├─ ✅ Inputs / Outputs ├─ ✅ Examples ├─ 🧩 Files & References ├─ 🧩 Edge cases ├─ 🧩 Troubleshooting └─ 🧩 Safety notes
Skill files are scattered across GitHub and communities, difficult to search, and hard to evaluate. SkillWink organizes open-source skills into a searchable, filterable library you can directly download and use.
We provide keyword search, version updates, multi-metric ranking (downloads / likes / comments / updates), and open SKILL.md standards. You can also discuss usage and improvements on skill detail pages.
Quick Start:
Import/download skills (.zip/.skill), then place locally:
~/.claude/skills/ (Claude Code)
~/.codex/skills/ (Codex CLI)
One SKILL.md can be reused across tools.
Everything you need to know: what skills are, how they work, how to find/import them, and how to contribute.
A skill is a reusable capability package, usually including SKILL.md (purpose/IO/how-to) and optional scripts/templates/examples.
Think of it as a plugin playbook + resource bundle for AI assistants/toolchains.
Skills use progressive disclosure: load brief metadata first, load full docs only when needed, then execute by guidance.
This keeps agents lightweight while preserving enough context for complex tasks.
Use these three together:
Note: file size for all methods should be within 10MB.
Typical paths (may vary by local setup):
One SKILL.md can usually be reused across tools.
Yes. Most skills are standardized docs + assets, so they can be reused where format is supported.
Example: retrieval + writing + automation scripts as one workflow.
Some skills come from public GitHub repositories and some are uploaded by SkillWink creators. Always review code before installing and own your security decisions.
Most common reasons:
We try to avoid that. Use ranking + comments to surface better skills:
