containment AI Agent Skills
Browse 31 skills related to containment
responding-to-security-incidents
Assists with security incident response, investigation, and remediation. This skill is triggered when the user requests help with incident response, mentions specific incident types (e.g., data breach, ransomware, DDoS), or uses terms like "incident response plan", "containment", "eradication", or "post-incident activity". It guides the user through the incident response lifecycle, from preparation to post-incident analysis. It is useful for classifying incidents, creating response playbooks, collecting evidence, constructing timelines, and generating remediation steps. Use this skill when needing to respond to a "security incident".
cc-routine-and-class-design
Evaluate routine and class design quality using Code Complete checklists (43 items). Use when designing routines or classes, reviewing class interfaces, choosing between inheritance and containment, or evaluating routine cohesion. Also trigger when tempted to use inheritance as a quick fix under deadline pressure, or when rationalizing 'but it works' for code with deep inheritance or many parameters. Produce severity-tagged reviews (VIOLATION/WARNING/PASS) in CHECKER mode or design decisions in APPLIER mode. Symptoms: vague routine names, >7 parameters, deep inheritance, mixed abstraction levels.
triage-malware
Triage a suspected malicious file hash. Use when investigating malware alerts or suspicious files. Analyzes GTI file report, behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions.
respond-malware
Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis.
respond-ransomware
Respond to a ransomware incident following PICERL methodology. Use when ransomware is detected or suspected. Orchestrates identification, containment, eradication, and recovery phases. Requires CASE_ID and initial indicators.
confirm-action
Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response.
dag-isolation-manager
Manages agent isolation levels and resource boundaries. Configures strict, moderate, and permissive isolation profiles. Activate on 'isolation level', 'agent isolation', 'resource boundaries', 'sandboxing', 'agent containment'. NOT for permission validation (use dag-permission-validator) or runtime enforcement (use dag-scope-enforcer).
bad-example-skill
ANTI-PATTERN - Example showing violations of self-containment (DO NOT COPY)
security-incident-playbook-generator
Creates response procedures for security incidents with containment steps, communication templates, and evidence collection. Use for "incident response", "security playbook", "breach response", or "IR plan".
incident-response
Handle security incidents with IR playbooks and procedures. Implement detection, containment, eradication, and recovery processes. Use when responding to security events or building incident response capabilities.
docs-creating-by-example-tutorials
Comprehensive guide for creating by-example tutorials - code-first learning path with 75-85 heavily annotated examples achieving 95% language coverage. Covers five-part example structure, annotation density standards (1.0-2.25 comments per code line PER EXAMPLE), self-containment rules, and multiple code blocks for comparisons. Essential for creating by-example tutorials for programming languages on educational platforms
architecture-diagram
Generate detailed layered architecture diagrams as self-contained HTML artifacts with inline SVG icons, CSS Grid nested container layout, SVG path connection overlays, and color-coded connection legends. Use when the user asks to create architecture diagrams, infrastructure diagrams, system topology diagrams, network diagrams, cloud architecture visuals, deployment diagrams, integration flow diagrams, or any request involving visual representation of system components, their containment hierarchy, and interconnections. Triggers on terms like "architecture diagram", "infra diagram", "system diagram", "topology", "deployment diagram", "network diagram", "integration architecture", or when the user provides a system description and asks for a visual/diagram.
containing-active-breach
Executes containment strategies to stop active adversary operations and prevent lateral movement during a confirmed security breach. Implements short-term and long-term containment using network segmentation, endpoint isolation, credential revocation, and access control modifications. Activates for requests involving breach containment, lateral movement prevention, network isolation, active threat containment, or live incident response.
performing-ransomware-response
Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.
conducting-malware-incident-response
Responds to malware infections across enterprise endpoints by identifying the malware family, determining infection vectors, assessing spread, and executing eradication procedures. Covers the full lifecycle from detection through containment, analysis, removal, and recovery. Activates for requests involving malware response, malware eradication, trojan removal, worm containment, malware triage, or infected endpoint remediation.
containing-active-security-breach
Rapidly contain an active security breach by isolating compromised systems, blocking attacker communications, and preserving evidence while minimizing business disruption.
implementing-soar-automation-with-phantom
Implements Security Orchestration, Automation, and Response (SOAR) workflows using Splunk SOAR (formerly Phantom) to automate alert triage, IOC enrichment, containment actions, and incident response playbooks. Use when SOC teams need to reduce manual analyst work, standardize response procedures, or integrate multiple security tools into automated workflows.
building-soc-playbook-for-ransomware
Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.
conducting-cloud-incident-response
Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment, cloud-native log analysis, resource isolation, and forensic evidence acquisition adapted for ephemeral cloud infrastructure. Activates for requests involving cloud incident response, AWS security incident, Azure compromise, GCP breach, cloud forensics, or cloud identity compromise.
performing-ransomware-incident-response
Execute a structured ransomware incident response including containment, decryption assessment, recovery from backups, and eradication of ransomware persistence mechanisms.
performing-cloud-incident-containment-procedures
Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement.
building-incident-response-dashboard
Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership with situational awareness during active incidents, tracking affected systems, containment status, IOC spread, and response timeline. Use when IR teams need unified visibility during incident coordination and post-incident reporting.
investigating-phishing-email-incident
Investigates phishing email incidents from initial user report through header analysis, URL/attachment detonation, impacted user identification, and containment actions using SOC tools like Splunk, Microsoft Defender, and sandbox analysis platforms. Use when a reported phishing email requires full incident investigation to determine scope and impact.
incident-response-commander
Guides teams through IT outages and security incidents, providing structured workflows for detection, containment, eradication, and post-mortem analysis.
gymnasium-spaces
Gymnasium space types for defining observation and action domains — Box, Discrete, Dict, Tuple, and composite spaces with sampling, containment, and flatten utilities.
Incident Response Playbook
Creates incident response playbooks with detection, containment, eradication, and recovery procedures
incident-response
Comprehensive incident response skill for security incident detection, containment, investigation, and recovery. Includes alert triage, severity classification, evidence collection, root cause analysis, and post-incident documentation with automated playbook execution.
Dedicated Environment Isolation
Enterprise-grade skill for running OpenClaw AI agents in fully isolated environments — dedicated machines, VPS instances, and sandboxed infrastructure. Use this skill whenever deploying AI agents to production, setting up OpenClaw infrastructure, planning AI agent hosting, configuring sandboxed environments, or designing blast-radius containment for autonomous AI systems. Also trigger when users mention VPS deployment, isolated machines, containerized AI, VM-based agents, or any variation of separating AI agent workloads from personal/production systems.
agentprivacy-forensic-defense
Incident response, breach containment, damage assessment, and evidence preservation for 0xagentprivacy swordsman operations. Activates when a privacy breach is detected or suspected, when designing post-compromise recovery procedures, when building forensic audit capabilities, or when the swordsman must shift from prevention to damage control. Triggers: "breach", "incident response", "compromise", "forensic", "damage assessment", "evidence preservation", "post-compromise", "breach containment", "data exposure", "leak detection".
animations
Animation enforcement: containment, modifier order, timing, performance, and transition safety. Use when implementing UI patterns related to animations.
investigation
Agent-driven security investigation skill for structured alert triage, enrichment, root cause analysis, and incident response. Use when the user provides security alerts, asks to investigate an alert, triage a detection, enrich IOCs, perform threat investigation, forensic analysis, case management, review SIEM alerts, EDR alerts, XDR alerts, SOC investigation, alert review, root cause analysis, reach a verdict, determine true positive, false positive, benign true positive, plan containment, remediation, reduce noise, build an investigation pipeline, act as a security analyst, perform detection triage, address alert fatigue, run enrichment, perform pivots, build timeline analysis, assess blast radius, map an attack chain, use MCP security tools, integrate with SOAR, handle case closure, write incident documentation, investigate suspicious activity, analyze security events, perform incident response, or conduct threat hunting from alert data.