containment AI Agent Skills

Browse 31 skills related to containment

responding-to-security-incidents

1.5k
Jeremylongshore Claude Code Plugins Plus Skills Security Incident ResponderJeremylongshore Claude Code Plugins Plus Skills Security Incident Responder

Assists with security incident response, investigation, and remediation. This skill is triggered when the user requests help with incident response, mentions specific incident types (e.g., data breach, ransomware, DDoS), or uses terms like "incident response plan", "containment", "eradication", or "post-incident activity". It guides the user through the incident response lifecycle, from preparation to post-incident analysis. It is useful for classifying incidents, creating response playbooks, collecting evidence, constructing timelines, and generating remediation steps. Use this skill when needing to respond to a "security incident".

131 days ago

cc-routine-and-class-design

100
ryanthedevryanthedev

Evaluate routine and class design quality using Code Complete checklists (43 items). Use when designing routines or classes, reviewing class interfaces, choosing between inheritance and containment, or evaluating routine cohesion. Also trigger when tempted to use inheritance as a quick fix under deadline pressure, or when rationalizing 'but it works' for code with deep inheritance or many parameters. Produce severity-tagged reviews (VIOLATION/WARNING/PASS) in CHECKER mode or design decisions in APPLIER mode. Symptoms: vague routine names, >7 parameters, deep inheritance, mixed abstraction levels.

131 days ago

triage-malware

87
dandyedandye

Triage a suspected malicious file hash. Use when investigating malware alerts or suspicious files. Analyzes GTI file report, behavioral indicators, identifies affected hosts, enriches network IOCs, and recommends containment actions.

131 days ago

respond-malware

87
dandyedandye

Respond to a malware incident following PICERL methodology. Use when malware is detected on endpoints. Orchestrates triage, containment, eradication, and recovery. Works with triage-malware skill for analysis.

131 days ago

respond-ransomware

87
dandyedandye

Respond to a ransomware incident following PICERL methodology. Use when ransomware is detected or suspected. Orchestrates identification, containment, eradication, and recovery phases. Requires CASE_ID and initial indicators.

131 days ago

confirm-action

87
dandyedandye

Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response.

131 days ago

dag-isolation-manager

43
curiositechcuriositech

Manages agent isolation levels and resource boundaries. Configures strict, moderate, and permissive isolation profiles. Activate on 'isolation level', 'agent isolation', 'resource boundaries', 'sandboxing', 'agent containment'. NOT for permission validation (use dag-permission-validator) or runtime enforcement (use dag-scope-enforcer).

dagpermissionsisolation+2
131 days ago

bad-example-skill

15
bobmatnycbobmatnyc

ANTI-PATTERN - Example showing violations of self-containment (DO NOT COPY)

anti-patternbad-exampleviolations
131 days ago

security-incident-playbook-generator

12
patricio0312revpatricio0312rev

Creates response procedures for security incidents with containment steps, communication templates, and evidence collection. Use for "incident response", "security playbook", "breach response", or "IR plan".

131 days ago

incident-response

10
BagelHoleBagelHole

Handle security incidents with IR playbooks and procedures. Implement detection, containment, eradication, and recovery processes. Use when responding to security events or building incident response capabilities.

131 days ago

docs-creating-by-example-tutorials

7
wahidyankfwahidyankf

Comprehensive guide for creating by-example tutorials - code-first learning path with 75-85 heavily annotated examples achieving 95% language coverage. Covers five-part example structure, annotation density standards (1.0-2.25 comments per code line PER EXAMPLE), self-containment rules, and multiple code blocks for comparisons. Essential for creating by-example tutorials for programming languages on educational platforms

131 days ago

architecture-diagram

4
Mathews-TomMathews-Tom

Generate detailed layered architecture diagrams as self-contained HTML artifacts with inline SVG icons, CSS Grid nested container layout, SVG path connection overlays, and color-coded connection legends. Use when the user asks to create architecture diagrams, infrastructure diagrams, system topology diagrams, network diagrams, cloud architecture visuals, deployment diagrams, integration flow diagrams, or any request involving visual representation of system components, their containment hierarchy, and interconnections. Triggers on terms like "architecture diagram", "infra diagram", "system diagram", "topology", "deployment diagram", "network diagram", "integration architecture", or when the user provides a system description and asks for a visual/diagram.

131 days ago

containing-active-breach

2
mukul975mukul975

Executes containment strategies to stop active adversary operations and prevent lateral movement during a confirmed security breach. Implements short-term and long-term containment using network segmentation, endpoint isolation, credential revocation, and access control modifications. Activates for requests involving breach containment, lateral movement prevention, network isolation, active threat containment, or live incident response.

breach-containmentlateral-movementnetwork-isolation+2
131 days ago

performing-ransomware-response

2
mukul975mukul975

Executes a structured ransomware incident response from initial detection through containment, forensic analysis, decryption assessment, recovery, and post-incident hardening. Addresses ransom negotiation considerations, backup integrity verification, and regulatory notification requirements. Activates for requests involving ransomware response, ransomware recovery, crypto-ransomware, data encryption attack, ransom payment decision, or ransomware containment.

ransomwareencryption-recoverybackup-restoration+2
131 days ago

conducting-malware-incident-response

2
mukul975mukul975

Responds to malware infections across enterprise endpoints by identifying the malware family, determining infection vectors, assessing spread, and executing eradication procedures. Covers the full lifecycle from detection through containment, analysis, removal, and recovery. Activates for requests involving malware response, malware eradication, trojan removal, worm containment, malware triage, or infected endpoint remediation.

malware-responsemalware-analysiseradication+2
131 days ago

containing-active-security-breach

2
mukul975mukul975

Rapidly contain an active security breach by isolating compromised systems, blocking attacker communications, and preserving evidence while minimizing business disruption.

incident-responsecontainmentbreach-response+2
131 days ago

implementing-soar-automation-with-phantom

2
mukul975mukul975

Implements Security Orchestration, Automation, and Response (SOAR) workflows using Splunk SOAR (formerly Phantom) to automate alert triage, IOC enrichment, containment actions, and incident response playbooks. Use when SOC teams need to reduce manual analyst work, standardize response procedures, or integrate multiple security tools into automated workflows.

socsoarphantom+5
131 days ago

building-soc-playbook-for-ransomware

2
mukul975mukul975

Builds a structured SOC incident response playbook for ransomware attacks covering detection, containment, eradication, and recovery phases with specific SIEM queries, isolation procedures, and decision trees. Use when SOC teams need formalized response procedures for ransomware incidents aligned to NIST SP 800-61 and MITRE ATT&CK ransomware techniques.

socransomwareincident-response+4
131 days ago

conducting-cloud-incident-response

2
mukul975mukul975

Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment, cloud-native log analysis, resource isolation, and forensic evidence acquisition adapted for ephemeral cloud infrastructure. Activates for requests involving cloud incident response, AWS security incident, Azure compromise, GCP breach, cloud forensics, or cloud identity compromise.

cloud-IRAWS-forensicsAzure-incident-response+2
131 days ago

performing-ransomware-incident-response

2
mukul975mukul975

Execute a structured ransomware incident response including containment, decryption assessment, recovery from backups, and eradication of ransomware persistence mechanisms.

incident-responseransomwaredfir+3
131 days ago

performing-cloud-incident-containment-procedures

2
mukul975mukul975

Execute cloud-native incident containment across AWS, Azure, and GCP by isolating compromised resources, revoking credentials, preserving forensic evidence, and applying security group restrictions to prevent lateral movement.

cloud-securityincident-containmentaws+5
131 days ago

building-incident-response-dashboard

2
mukul975mukul975

Builds real-time incident response dashboards in Splunk, Elastic, or Grafana to provide SOC analysts and leadership with situational awareness during active incidents, tracking affected systems, containment status, IOC spread, and response timeline. Use when IR teams need unified visibility during incident coordination and post-incident reporting.

socdashboardincident-response+4
131 days ago

investigating-phishing-email-incident

2
mukul975mukul975

Investigates phishing email incidents from initial user report through header analysis, URL/attachment detonation, impacted user identification, and containment actions using SOC tools like Splunk, Microsoft Defender, and sandbox analysis platforms. Use when a reported phishing email requires full incident investigation to determine scope and impact.

socphishingincident-response+4
131 days ago

incident-response-commander

2
organvm-iv-taxisorganvm-iv-taxis

Guides teams through IT outages and security incidents, providing structured workflows for detection, containment, eradication, and post-mortem analysis.

131 days ago

gymnasium-spaces

1
chuongdlbchuongdlb

Gymnasium space types for defining observation and action domains — Box, Discrete, Dict, Tuple, and composite spaces with sampling, containment, and flatten utilities.

spacesboxdiscrete+2
131 days ago

Incident Response Playbook

Eli-yu-firstEli-yu-first

Creates incident response playbooks with detection, containment, eradication, and recovery procedures

workflowcybersecurityai+1
131 days ago

incident-response

arielperez82arielperez82

Comprehensive incident response skill for security incident detection, containment, investigation, and recovery. Includes alert triage, severity classification, evidence collection, root cause analysis, and post-incident documentation with automated playbook execution.

incident-responsesecurityforensics+9
131 days ago

Dedicated Environment Isolation

smkssmart1smkssmart1

Enterprise-grade skill for running OpenClaw AI agents in fully isolated environments — dedicated machines, VPS instances, and sandboxed infrastructure. Use this skill whenever deploying AI agents to production, setting up OpenClaw infrastructure, planning AI agent hosting, configuring sandboxed environments, or designing blast-radius containment for autonomous AI systems. Also trigger when users mention VPS deployment, isolated machines, containerized AI, VM-based agents, or any variation of separating AI agent workloads from personal/production systems.

131 days ago

agentprivacy-forensic-defense

mitchuskimitchuski

Incident response, breach containment, damage assessment, and evidence preservation for 0xagentprivacy swordsman operations. Activates when a privacy breach is detected or suspected, when designing post-compromise recovery procedures, when building forensic audit capabilities, or when the swordsman must shift from prevention to damage control. Triggers: "breach", "incident response", "compromise", "forensic", "damage assessment", "evidence preservation", "post-compromise", "breach containment", "data exposure", "leak detection".

131 days ago

animations

Abdullah4AIAbdullah4AI

Animation enforcement: containment, modifier order, timing, performance, and transition safety. Use when implementing UI patterns related to animations.

131 days ago

investigation

quandry-labsquandry-labs

Agent-driven security investigation skill for structured alert triage, enrichment, root cause analysis, and incident response. Use when the user provides security alerts, asks to investigate an alert, triage a detection, enrich IOCs, perform threat investigation, forensic analysis, case management, review SIEM alerts, EDR alerts, XDR alerts, SOC investigation, alert review, root cause analysis, reach a verdict, determine true positive, false positive, benign true positive, plan containment, remediation, reduce noise, build an investigation pipeline, act as a security analyst, perform detection triage, address alert fatigue, run enrichment, perform pivots, build timeline analysis, assess blast radius, map an attack chain, use MCP security tools, integrate with SOAR, handle case closure, write incident documentation, investigate suspicious activity, analyze security events, perform incident response, or conduct threat hunting from alert data.

131 days ago
ClawiskillClawiskill
Network
Building with
?

Join Clawiskill today. The decentralized skill network for AI Agents.

Registry
70K+
Agent Joins
120K+
Explore Network