firefrost-gaming/antigravity-skills-reference
3
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into add-aws-cost-optimization-skills

Browse Source
This commit is contained in:
Suman Biswas
2026-02-22 21:54:22 -05:00
committed by GitHub
parent 825ad7d65c c8831a4743
commit c7ef825518
23 changed files with 2228 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
CATALOG.md
View File

@@ -2,14 +2,14 @@
Generated at: 2026-02-08T00:00:00.000Z
Total skills: 885
Total skills: 889
## architecture (58)
## architecture (60)
| Skill | Description | Tags | Triggers |
| --- | --- | --- | --- |
| `angular-state-management` | Master modern Angular state management with Signals, NgRx, and RxJS. Use when setting up global state, managing component stores, choosing between state solu... | angular, state | angular, state, signals, ngrx, rxjs, setting, up, global, managing, component, stores, choosing |
| `architect-review` | Master software architect specializing in modern architecture | | architect, review, software, specializing, architecture |
| `architect-review` | Master software architect specializing in modern architecture patterns, clean architecture, microservices, event-driven systems, and DDD. Reviews system desi... | | architect, review, software, specializing, architecture, clean, microservices, event, driven, ddd, reviews, designs |
| `architecture` | Architectural decision-making framework. Requirements analysis, trade-off evaluation, ADR documentation. Use when making architecture decisions or analyzing ... | architecture | architecture, architectural, decision, making, framework, requirements, analysis, trade, off, evaluation, adr, documentation |
| `architecture-decision-records` | Write and maintain Architecture Decision Records (ADRs) following best practices for technical decision documentation. Use when documenting significant techn... | architecture, decision, records | architecture, decision, records, write, maintain, adrs, following, technical, documentation, documenting, significant, decisions |
| `avalonia-viewmodels-zafiro` | Optimal ViewModel and Wizard creation patterns for Avalonia using Zafiro and ReactiveUI. | avalonia, viewmodels, zafiro | avalonia, viewmodels, zafiro, optimal, viewmodel, wizard, creation, reactiveui |
@@ -40,11 +40,13 @@ Total skills: 885
| `event-store-design` | Design and implement event stores for event-sourced systems. Use when building event sourcing infrastructure, choosing event store technologies, or implement... | event, store | event, store, stores, sourced, building, sourcing, infrastructure, choosing, technologies, implementing, persistence |
| `game-development/multiplayer` | Multiplayer game development principles. Architecture, networking, synchronization. | game, development/multiplayer | game, development/multiplayer, multiplayer, development, principles, architecture, networking, synchronization |
| `godot-gdscript-patterns` | Master Godot 4 GDScript patterns including signals, scenes, state machines, and optimization. Use when building Godot games, implementing game systems, or le... | godot, gdscript | godot, gdscript, including, signals, scenes, state, machines, optimization, building, games, implementing, game |
| `haskell-pro` | Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programm... | haskell | haskell, pro, engineer, specializing, type, pure, functional, high, reliability, software, proactively, level |
| `hig-patterns` | > | hig | hig |
| `i18n-localization` | Internationalization and localization patterns. Detecting hardcoded strings, managing translations, locale files, RTL support. | i18n, localization | i18n, localization, internationalization, detecting, hardcoded, strings, managing, translations, locale, files, rtl |
| `inngest` | Inngest expert for serverless-first background jobs, event-driven workflows, and durable execution without managing queues or workers. Use when: inngest, ser... | inngest | inngest, serverless, first, background, jobs, event, driven, durable, execution, without, managing, queues |
| `monorepo-architect` | Expert in monorepo architecture, build systems, and dependency management at scale. Masters Nx, Turborepo, Bazel, and Lerna for efficient multi-project devel... | monorepo | monorepo, architect, architecture, dependency, scale, masters, nx, turborepo, bazel, lerna, efficient, multi |
| `multi-agent-patterns` | Master orchestrator, peer-to-peer, and hierarchical multi-agent architectures | multi, agent | multi, agent, orchestrator, peer, hierarchical, architectures |
| `nerdzao-elite` | Senior Elite Software Engineer (15+) and Senior Product Designer. Full workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation. | nerdzao, elite | nerdzao, elite, senior, software, engineer, 15, product, designer, full, planning, architecture, tdd |
| `nx-workspace-patterns` | Configure and optimize Nx monorepo workspaces. Use when setting up Nx, configuring project boundaries, optimizing build caching, or implementing affected com... | nx, workspace | nx, workspace, configure, optimize, monorepo, workspaces, setting, up, configuring, boundaries, optimizing, caching |
| `on-call-handoff-patterns` | Master on-call shift handoffs with context transfer, escalation procedures, and documentation. Use when transitioning on-call responsibilities, documenting s... | on, call, handoff | on, call, handoff, shift, handoffs, context, transfer, escalation, procedures, documentation, transitioning, responsibilities |
| `parallel-agents` | Multi-agent orchestration patterns. Use when multiple independent tasks can run with different domain expertise or when comprehensive analysis requires multi... | parallel, agents | parallel, agents, multi, agent, orchestration, multiple, independent, tasks, run, different, domain, expertise |
@@ -111,7 +113,7 @@ Total skills: 885
| `startup-metrics-framework` | This skill should be used when the user asks about \"key startup | startup, metrics, framework | startup, metrics, framework, skill, should, used, user, asks, about, key |
| `whatsapp-automation` | Automate WhatsApp Business tasks via Rube MCP (Composio): send messages, manage templates, upload media, and handle contacts. Always search tools first for c... | whatsapp | whatsapp, automation, automate, business, tasks, via, rube, mcp, composio, send, messages, upload |
## data-ai (144)
## data-ai (143)
| Skill | Description | Tags | Triggers |
| --- | --- | --- | --- |
@@ -173,7 +175,6 @@ Total skills: 885
| `cc-skill-clickhouse-io` | ClickHouse database patterns, query optimization, analytics, and data engineering best practices for high-performance analytical workloads. | cc, skill, clickhouse, io | cc, skill, clickhouse, io, database, query, optimization, analytics, data, engineering, high, performance |
| `clarity-gate` | Pre-ingestion verification for epistemic quality in RAG systems with 9-point verification and Two-Round HITL workflow | clarity, gate | clarity, gate, pre, ingestion, verification, epistemic, quality, rag, point, two, round, hitl |
| `code-documentation-doc-generate` | You are a documentation expert specializing in creating comprehensive, maintainable documentation from code. Generate API docs, architecture diagrams, user g... | code, documentation, doc, generate | code, documentation, doc, generate, specializing, creating, maintainable, api, docs, architecture, diagrams, user |
| `code-reviewer` | Elite code review expert specializing in modern AI-powered code | code | code, reviewer, elite, review, specializing, ai, powered |
| `codex-review` | Professional code review with auto CHANGELOG generation, integrated with Codex AI | codex | codex, review, professional, code, auto, changelog, generation, integrated, ai |
| `computer-use-agents` | Build AI agents that interact with computers like humans do - viewing screens, moving cursors, clicking buttons, and typing text. Covers Anthropic's Computer... | computer, use, agents | computer, use, agents, ai, interact, computers, like, humans, do, viewing, screens, moving |
| `content-marketer` | Elite content marketing strategist specializing in AI-powered | content, marketer | content, marketer, elite, marketing, strategist, specializing, ai, powered |
@@ -406,7 +407,7 @@ Total skills: 885
| `webapp-testing` | Toolkit for interacting with and testing local web applications using Playwright. Supports verifying frontend functionality, debugging UI behavior, capturing... | webapp | webapp, testing, toolkit, interacting, local, web, applications, playwright, supports, verifying, frontend, functionality |
| `zustand-store-ts` | Create Zustand stores with TypeScript, subscribeWithSelector middleware, and proper state/action separation. Use when building React state management, creati... | zustand, store, ts | zustand, store, ts, stores, typescript, subscribewithselector, middleware, proper, state, action, separation, building |
## general (217)
## general (214)
| Skill | Description | Tags | Triggers |
| --- | --- | --- | --- |
@@ -455,7 +456,7 @@ Total skills: 885
| `brand-guidelines-anthropic` | Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. Use it when brand co... | brand, guidelines, anthropic | brand, guidelines, anthropic, applies, official, colors, typography, any, sort, artifact, may, benefit |
| `brand-guidelines-community` | Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. Use it when brand co... | brand, guidelines, community | brand, guidelines, community, applies, anthropic, official, colors, typography, any, sort, artifact, may |
| `busybox-on-windows` | How to use a Win32 build of BusyBox to run many of the standard UNIX command line tools on Windows. | busybox, on, windows | busybox, on, windows, how, win32, run, many, standard, unix, command, line |
| `c-pro` | Write efficient C code with proper memory management, pointer | c | c, pro, write, efficient, code, proper, memory, pointer |
| `c-pro` | Write efficient C code with proper memory management, pointer arithmetic, and system calls. Handles embedded systems, kernel modules, and performance-critica... | c | c, pro, write, efficient, code, proper, memory, pointer, arithmetic, calls, embedded, kernel |
| `canvas-design` | Create beautiful visual art in .png and .pdf documents using design philosophy. You should use this skill when the user asks to create a poster, piece of art... | canvas | canvas, beautiful, visual, art, png, pdf, documents, philosophy, should, skill, user, asks |
| `cc-skill-continuous-learning` | Development skill from everything-claude-code | cc, skill, continuous, learning | cc, skill, continuous, learning, development, everything, claude, code |
| `cc-skill-project-guidelines-example` | Project Guidelines Skill (Example) | cc, skill, guidelines, example | cc, skill, guidelines, example |
@@ -523,7 +524,6 @@ Total skills: 885
| `git-pushing` | Stage, commit, and push git changes with conventional commit messages. Use when user wants to commit and push changes, mentions pushing to remote, or asks to... | git, pushing | git, pushing, stage, commit, push, changes, conventional, messages, user, wants, mentions, remote |
| `github-issue-creator` | Convert raw notes, error logs, voice dictation, or screenshots into crisp GitHub-flavored markdown issue reports. Use when the user pastes bug info, error me... | github, issue, creator | github, issue, creator, convert, raw, notes, error, logs, voice, dictation, screenshots, crisp |
| `graphql-architect` | Master modern GraphQL with federation, performance optimization, | graphql | graphql, architect, federation, performance, optimization |
| `haskell-pro` | Expert Haskell engineer specializing in advanced type systems, pure | haskell | haskell, pro, engineer, specializing, type, pure |
| `hig-components-content` | > | hig, components, content | hig, components, content |
| `hig-components-controls` | >- | hig, components, controls | hig, components, controls |
| `hig-components-dialogs` | >- | hig, components, dialogs | hig, components, dialogs |
@@ -561,7 +561,6 @@ Total skills: 885
| `micro-saas-launcher` | Expert in launching small, focused SaaS products fast - the indie hacker approach to building profitable software. Covers idea validation, MVP development, p... | micro, saas, launcher | micro, saas, launcher, launching, small, products, fast, indie, hacker, approach, building, profitable |
| `minecraft-bukkit-pro` | Master Minecraft server plugin development with Bukkit, Spigot, and | minecraft, bukkit | minecraft, bukkit, pro, server, plugin, development, spigot |
| `monorepo-management` | Master monorepo management with Turborepo, Nx, and pnpm workspaces to build efficient, scalable multi-package repositories with optimized builds and dependen... | monorepo | monorepo, turborepo, nx, pnpm, workspaces, efficient, scalable, multi, package, repositories, optimized, dependency |
| `multi-agent-brainstorming` | > | multi, agent, brainstorming | multi, agent, brainstorming |
| `n8n-mcp-tools-expert` | Expert guide for using n8n-mcp MCP tools effectively. Use when searching for nodes, validating configurations, accessing templates, managing workflows, or us... | n8n, mcp | n8n, mcp, effectively, searching, nodes, validating, configurations, accessing, managing, any, provides, sele |
| `nft-standards` | Implement NFT standards (ERC-721, ERC-1155) with proper metadata handling, minting strategies, and marketplace integration. Use when creating NFT contracts, ... | nft, standards | nft, standards, erc, 721, 1155, proper, metadata, handling, minting, marketplace, integration, creating |
| `nosql-expert` | Expert guidance for distributed NoSQL databases (Cassandra, DynamoDB). Focuses on mental models, query-first modeling, single-table design, and avoiding hot ... | nosql | nosql, guidance, distributed, databases, cassandra, dynamodb, mental, models, query, first, modeling, single |
@@ -593,7 +592,7 @@ Total skills: 885
| `reverse-engineer` | Expert reverse engineer specializing in binary analysis, | reverse | reverse, engineer, specializing, binary, analysis |
| `scala-pro` | Master enterprise-grade Scala development with functional | scala | scala, pro, enterprise, grade, development, functional |
| `schema-markup` | > | schema, markup | schema, markup |
| `search-specialist` | Expert web researcher using advanced search techniques and | search | search, web, researcher, techniques |
| `search-specialist` | Expert web researcher using advanced search techniques and synthesis. Masters search operators, result filtering, and multi-source verification. Handles comp... | search | search, web, researcher, techniques, synthesis, masters, operators, result, filtering, multi, source, verification |
| `sharp-edges` | Identify error-prone APIs and dangerous configurations | sharp, edges | sharp, edges, identify, error, prone, apis, dangerous, configurations |
| `shellcheck-configuration` | Master ShellCheck static analysis configuration and usage for shell script quality. Use when setting up linting infrastructure, fixing code issues, or ensuri... | shellcheck, configuration | shellcheck, configuration, static, analysis, usage, shell, script, quality, setting, up, linting, infrastructure |
| `shodan-reconnaissance` | This skill should be used when the user asks to "search for exposed devices on the internet," "perform Shodan reconnaissance," "find vulnerable services usin... | shodan, reconnaissance | shodan, reconnaissance, skill, should, used, user, asks, search, exposed, devices, internet, perform |
@@ -701,7 +700,7 @@ Total skills: 885
| `observability-engineer` | Build production-ready monitoring, logging, and tracing systems. | observability | observability, engineer, monitoring, logging, tracing |
| `observability-monitoring-monitor-setup` | You are a monitoring and observability expert specializing in implementing comprehensive monitoring solutions. Set up metrics collection, distributed tracing... | observability, monitoring, monitor, setup | observability, monitoring, monitor, setup, specializing, implementing, solutions, set, up, metrics, collection, distributed |
| `observability-monitoring-slo-implement` | You are an SLO (Service Level Objective) expert specializing in implementing reliability standards and error budget-based practices. Design SLO frameworks, d... | observability, monitoring, slo, implement | observability, monitoring, slo, implement, level, objective, specializing, implementing, reliability, standards, error, budget |
| `performance-engineer` | Expert performance engineer specializing in modern observability, | performance | performance, engineer, specializing, observability |
| `performance-engineer` | Expert performance engineer specializing in modern observability, application optimization, and scalable system performance. Masters OpenTelemetry, distribut... | performance | performance, engineer, specializing, observability, application, optimization, scalable, masters, opentelemetry, distributed, tracing, load |
| `performance-testing-review-ai-review` | You are an expert AI-powered code review specialist combining automated static analysis, intelligent pattern recognition, and modern DevOps practices. Levera... | performance, ai | performance, ai, testing, review, powered, code, combining, automated, static, analysis, intelligent, recognition |
| `pipedrive-automation` | Automate Pipedrive CRM operations including deals, contacts, organizations, activities, notes, and pipeline management via Rube MCP (Composio). Always search... | pipedrive | pipedrive, automation, automate, crm, operations, including, deals, contacts, organizations, activities, notes, pipeline |
| `prometheus-configuration` | Set up Prometheus for comprehensive metric collection, storage, and monitoring of infrastructure and applications. Use when implementing metrics collection, ... | prometheus, configuration | prometheus, configuration, set, up, metric, collection, storage, monitoring, infrastructure, applications, implementing, metrics |
@@ -718,7 +717,7 @@ Total skills: 885
| `wireshark-analysis` | This skill should be used when the user asks to "analyze network traffic with Wireshark", "capture packets for troubleshooting", "filter PCAP files", "follow... | wireshark | wireshark, analysis, skill, should, used, user, asks, analyze, network, traffic, capture, packets |
| `workflow-automation` | Workflow automation is the infrastructure that makes AI agents reliable. Without durable execution, a network hiccup during a 10-step payment flow means lost... | | automation, infrastructure, makes, ai, agents, reliable, without, durable, execution, network, hiccup, during |
## security (88)
## security (95)
| Skill | Description | Tags | Triggers |
| --- | --- | --- | --- |
@@ -744,11 +743,13 @@ Total skills: 885
| `clerk-auth` | Expert patterns for Clerk auth implementation, middleware, organizations, webhooks, and user sync Use when: adding authentication, clerk auth, user authentic... | clerk, auth | clerk, auth, middleware, organizations, webhooks, user, sync, adding, authentication, sign, up |
| `cloud-penetration-testing` | This skill should be used when the user asks to "perform cloud penetration testing", "assess Azure or AWS or GCP security", "enumerate cloud resources", "exp... | cloud, penetration | cloud, penetration, testing, skill, should, used, user, asks, perform, assess, azure, aws |
| `code-review-checklist` | Comprehensive checklist for conducting thorough code reviews covering functionality, security, performance, and maintainability | code, checklist | code, checklist, review, conducting, thorough, reviews, covering, functionality, security, performance, maintainability |
| `code-reviewer` | Elite code review expert specializing in modern AI-powered code analysis, security vulnerabilities, performance optimization, and production reliability. Mas... | code | code, reviewer, elite, review, specializing, ai, powered, analysis, security, vulnerabilities, performance, optimization |
| `codebase-cleanup-deps-audit` | You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for ... | codebase, cleanup, deps, audit | codebase, cleanup, deps, audit, dependency, security, specializing, vulnerability, scanning, license, compliance, supply |
| `database-migration` | Execute database migrations across ORMs and platforms with zero-downtime strategies, data transformation, and rollback procedures. Use when migrating databas... | database, migration | database, migration, execute, migrations, orms, platforms, zero, downtime, data, transformation, rollback, procedures |
| `database-migrations-sql-migrations` | SQL database migrations with zero-downtime strategies for | database, sql, migrations, postgresql, mysql, flyway, liquibase, alembic, zero-downtime | database, sql, migrations, postgresql, mysql, flyway, liquibase, alembic, zero-downtime, zero, downtime |
| `dependency-management-deps-audit` | You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for ... | dependency, deps, audit | dependency, deps, audit, security, specializing, vulnerability, scanning, license, compliance, supply, chain, analyze |
| `deployment-pipeline-design` | Design multi-stage CI/CD pipelines with approval gates, security checks, and deployment orchestration. Use when architecting deployment workflows, setting up... | deployment, pipeline | deployment, pipeline, multi, stage, ci, cd, pipelines, approval, gates, security, checks, orchestration |
| `design-orchestration` | Orchestrates design workflows by routing work through brainstorming, multi-agent review, and execution readiness in the correct order. Prevents premature imp... | | orchestration, orchestrates, routing, work, through, brainstorming, multi, agent, review, execution, readiness, correct |
| `devops-troubleshooter` | Expert DevOps troubleshooter specializing in rapid incident | devops, troubleshooter | devops, troubleshooter, specializing, rapid, incident |
| `docker-expert` | Docker containerization expert with deep knowledge of multi-stage builds, image optimization, container security, Docker Compose orchestration, and productio... | docker | docker, containerization, deep, knowledge, multi, stage, image, optimization, container, security, compose, orchestration |
| `dotnet-backend` | Build ASP.NET Core 8+ backend services with EF Core, auth, background jobs, and production API patterns. | dotnet, backend | dotnet, backend, asp, net, core, ef, auth, background, jobs, api |
@@ -774,6 +775,7 @@ Total skills: 885
| `memory-forensics` | Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analy... | memory, forensics | memory, forensics, techniques, including, acquisition, process, analysis, artifact, extraction, volatility, related, analyzing |
| `mobile-security-coder` | Expert in secure mobile coding practices specializing in input | mobile, security, coder | mobile, security, coder, secure, coding, specializing, input |
| `mtls-configuration` | Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing... | mtls, configuration | mtls, configuration, configure, mutual, tls, zero, trust, communication, implementing, networking, certificate, securing |
| `multi-agent-brainstorming` | Use this skill when a design or idea requires higher confidence, risk reduction, or formal review. This skill orchestrates a structured, sequential multi-age... | multi, agent, brainstorming | multi, agent, brainstorming, skill, idea, requires, higher, confidence, risk, reduction, formal, review |
| `nestjs-expert` | Nest.js framework expert specializing in module architecture, dependency injection, middleware, guards, interceptors, testing with Jest/Supertest, TypeORM/Mo... | nestjs | nestjs, nest, js, framework, specializing, module, architecture, dependency, injection, middleware, guards, interceptors |
| `nextjs-supabase-auth` | Expert integration of Supabase Auth with Next.js App Router Use when: supabase auth next, authentication next.js, login supabase, auth middleware, protected ... | nextjs, supabase, auth | nextjs, supabase, auth, integration, next, js, app, router, authentication, login, middleware, protected |
| `nodejs-best-practices` | Node.js development principles and decision-making. Framework selection, async patterns, security, and architecture. Teaches thinking, not copying. | nodejs, best, practices | nodejs, best, practices, node, js, development, principles, decision, making, framework, selection, async |
@@ -798,6 +800,10 @@ Total skills: 885
| `security-scanning-security-dependencies` | You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across eco... | security, scanning, dependencies | security, scanning, dependencies, specializing, dependency, vulnerability, analysis, sbom, generation, supply, chain, scan |
| `security-scanning-security-hardening` | Coordinate multi-layer security scanning and hardening across application, infrastructure, and compliance controls. | security, scanning, hardening | security, scanning, hardening, coordinate, multi, layer, application, infrastructure, compliance, controls |
| `security-scanning-security-sast` | Static Application Security Testing (SAST) for code vulnerability | security, scanning, sast | security, scanning, sast, static, application, testing, code, vulnerability |
| `security/aws-compliance-checker` | Automated compliance checking against CIS, PCI-DSS, HIPAA, and SOC 2 benchmarks | aws, compliance, audit, cis, pci-dss, hipaa, kiro-cli | aws, compliance, audit, cis, pci-dss, hipaa, kiro-cli, checker, automated, checking, against, pci |
| `security/aws-iam-best-practices` | IAM policy review, hardening, and least privilege implementation | aws, iam, security, access-control, kiro-cli, least-privilege | aws, iam, security, access-control, kiro-cli, least-privilege, policy, review, hardening, least, privilege |
| `security/aws-secrets-rotation` | Automate AWS secrets rotation for RDS, API keys, and credentials | aws, secrets-manager, security, automation, kiro-cli, credentials | aws, secrets-manager, security, automation, kiro-cli, credentials, secrets, rotation, automate, rds, api, keys |
| `security/aws-security-audit` | Comprehensive AWS security posture assessment using AWS CLI and security best practices | aws, security, audit, compliance, kiro-cli, security-assessment | aws, security, audit, compliance, kiro-cli, security-assessment, posture, assessment, cli |
| `service-mesh-expert` | Expert service mesh architect specializing in Istio, Linkerd, and cloud-native networking patterns. Masters traffic management, security policies, observabil... | service, mesh | service, mesh, architect, specializing, istio, linkerd, cloud, native, networking, masters, traffic, security |
| `solidity-security` | Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, aud... | solidity, security | solidity, security, smart, contract, prevent, common, vulnerabilities, secure, writing, contracts, auditing, existing |
| `stride-analysis-patterns` | Apply STRIDE methodology to systematically identify threats. Use when analyzing system security, conducting threat modeling sessions, or creating security do... | stride | stride, analysis, apply, methodology, systematically, identify, threats, analyzing, security, conducting, threat, modeling |
@@ -878,7 +884,6 @@ Total skills: 885
| `convertkit-automation` | Automate ConvertKit (Kit) tasks via Rube MCP (Composio): manage subscribers, tags, broadcasts, and broadcast stats. Always search tools first for current sch... | convertkit | convertkit, automation, automate, kit, tasks, via, rube, mcp, composio, subscribers, tags, broadcasts |
| `crewai` | Expert in CrewAI - the leading role-based multi-agent framework used by 60% of Fortune 500 companies. Covers agent design with roles and goals, task definiti... | crewai | crewai, leading, role, multi, agent, framework, used, 60, fortune, 500, companies, covers |
| `datadog-automation` | Automate Datadog tasks via Rube MCP (Composio): query metrics, search logs, manage monitors/dashboards, create events and downtimes. Always search tools firs... | datadog | datadog, automation, automate, tasks, via, rube, mcp, composio, query, metrics, search, logs |
| `design-orchestration` | > | | orchestration |
| `discord-automation` | Automate Discord tasks via Rube MCP (Composio): messages, channels, roles, webhooks, reactions. Always search tools first for current schemas. | discord | discord, automation, automate, tasks, via, rube, mcp, composio, messages, channels, roles, webhooks |
| `docusign-automation` | Automate DocuSign tasks via Rube MCP (Composio): templates, envelopes, signatures, document management. Always search tools first for current schemas. | docusign | docusign, automation, automate, tasks, via, rube, mcp, composio, envelopes, signatures, document, always |
| `dropbox-automation` | Automate Dropbox file management, sharing, search, uploads, downloads, and folder operations via Rube MCP (Composio). Always search tools first for current s... | dropbox | dropbox, automation, automate, file, sharing, search, uploads, downloads, folder, operations, via, rube |
@@ -904,6 +909,7 @@ Total skills: 885
| `miro-automation` | Automate Miro tasks via Rube MCP (Composio): boards, items, sticky notes, frames, sharing, connectors. Always search tools first for current schemas. | miro | miro, automation, automate, tasks, via, rube, mcp, composio, boards, items, sticky, notes |
| `mixpanel-automation` | Automate Mixpanel tasks via Rube MCP (Composio): events, segmentation, funnels, cohorts, user profiles, JQL queries. Always search tools first for current sc... | mixpanel | mixpanel, automation, automate, tasks, via, rube, mcp, composio, events, segmentation, funnels, cohorts |
| `monday-automation` | Automate Monday.com work management including boards, items, columns, groups, subitems, and updates via Rube MCP (Composio). Always search tools first for cu... | monday | monday, automation, automate, com, work, including, boards, items, columns, groups, subitems, updates |
| `nerdzao-elite-gemini-high` | Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High. Workflow completo com foco em qualidade máxima e eficiência de tokens. | nerdzao, elite, gemini, high | nerdzao, elite, gemini, high, modo, coder, ux, pixel, perfect, otimizado, especificamente, para |
| `notion-automation` | Automate Notion tasks via Rube MCP (Composio): pages, databases, blocks, comments, users. Always search tools first for current schemas. | notion | notion, automation, automate, tasks, via, rube, mcp, composio, pages, databases, blocks, comments |
| `one-drive-automation` | Automate OneDrive file management, search, uploads, downloads, sharing, permissions, and folder operations via Rube MCP (Composio). Always search tools first... | one, drive | one, drive, automation, automate, onedrive, file, search, uploads, downloads, sharing, permissions, folder |
| `outlook-automation` | Automate Outlook tasks via Rube MCP (Composio): emails, calendar, contacts, folders, attachments. Always search tools first for current schemas. | outlook | outlook, automation, automate, tasks, via, rube, mcp, composio, emails, calendar, contacts, folders |

30
CHANGELOG.md
View File

@@ -7,6 +7,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
---
## [6.0.0] - 2026-02-22 - "Codex YAML Fix & Community PRs"
> **Major release: Codex frontmatter fixes, AWS Security & Compliance skills, Antigravity Workspace Manager CLI, and validation fixes.**
This release addresses Codex invalid YAML warnings (issue #108) via frontmatter fixes, adds AWS Security & Compliance skills and the official Antigravity Workspace Manager CLI companion, and fixes validation for nerdzao-elite skills.
## New Skills
- **AWS Security & Compliance** (PR #106): `aws-compliance-checker`, `aws-iam-best-practices`, `aws-secrets-rotation`, `aws-security-audit`.
- **nerdzao-elite**, **nerdzao-elite-gemini-high**: Elite workflow skills (validation fixes in-repo).
## Improvements
- **Frontmatter**: Fixed YAML frontmatter in code-reviewer, architect-review, c-pro, design-orchestration, haskell-pro, multi-agent-brainstorming, performance-engineer, search-specialist (PR #111) — reduces Codex "invalid YAML" warnings (fixes #108).
- **Antigravity Workspace Manager**: Official CLI companion to auto-provision skill subsets across environments (PR #110); documented in Community Contributors.
- **Registry**: Now tracking 889 skills.
- **Validation**: Added frontmatter and "When to Use" for nerdzao-elite / nerdzao-elite-gemini-high.
## Credits
- **@Vonfry** for frontmatter YAML fixes (PR #111)
- **@ssumanbiswas** for AWS Security & Compliance skills (PR #106)
- **@amartelr** for Antigravity Workspace Manager CLI (PR #110)
- **@fernandorych** for branch sync (PR #109)
- **@Rodrigolmti** for reporting Codex YAML issue (#108)
---
_Upgrade now: `git pull origin main` to fetch the latest skills._
## [5.10.0] - 2026-02-21 - "AWS Kiro CLI Integration"
> **Native support and integration guide for AWS Kiro CLI, expanding the repository's reach to the AWS developer community.**

23
README.md
View File

@@ -1,6 +1,6 @@
# 🌌 Antigravity Awesome Skills: 885+ Agentic Skills for Claude Code, Gemini CLI, Cursor, Copilot & More
# 🌌 Antigravity Awesome Skills: 889+ Agentic Skills for Claude Code, Gemini CLI, Cursor, Copilot & More
> **The Ultimate Collection of 885+ Universal Agentic Skills for AI Coding Assistants — Claude Code, Gemini CLI, Codex CLI, Antigravity IDE, GitHub Copilot, Cursor, OpenCode, AdaL**
> **The Ultimate Collection of 889+ Universal Agentic Skills for AI Coding Assistants — Claude Code, Gemini CLI, Codex CLI, Antigravity IDE, GitHub Copilot, Cursor, OpenCode, AdaL**
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![Claude Code](https://img.shields.io/badge/Claude%20Code-Anthropic-purple)](https://claude.ai)
@@ -17,12 +17,12 @@
If this project helps you, you can [support it here](https://buymeacoffee.com/sickn33) or simply ⭐ the repo.
**Antigravity Awesome Skills** is a curated, battle-tested library of **885 high-performance agentic skills** designed to work seamlessly across all major AI coding assistants:
**Antigravity Awesome Skills** is a curated, battle-tested library of **889 high-performance agentic skills** designed to work seamlessly across all major AI coding assistants:
- 🟣 **Claude Code** (Anthropic CLI)
- 🔵 **Gemini CLI** (Google DeepMind)
- 🟢 **Codex CLI** (OpenAI)
- 🟠 **Kiro CLI** (AWS)
https://github.com/sickn33/antigravity-awesome-skills/pull/107/conflict?name=skills_index.json&ancestor_oid=9aa6336a54e7308ff8b34c222969d18c89576c8d&base_oid=dab694b49578ec5f4a24879ce75d873b9b6cd113&head_oid=7c986794ed9f0666e004f8900cdce3c42ce393b1- 🟠 **Kiro CLI** (AWS)
- 🔴 **Antigravity IDE** (Google DeepMind)
- 🩵 **GitHub Copilot** (VSCode Extension)
- 🟠 **Cursor** (AI-native IDE)
@@ -41,7 +41,7 @@ This repository provides essential skills to transform your AI assistant into a
- [🎁 Curated Collections (Bundles)](#curated-collections)
- [🧭 Antigravity Workflows](#antigravity-workflows)
- [📦 Features & Categories](#features--categories)
- [📚 Browse 885+ Skills](#browse-885-skills)
- [📚 Browse 889+ Skills](#browse-889-skills)
- [🤝 How to Contribute](#how-to-contribute)
- [🤝 Community](#community)
- [☕ Support the Project](#support-the-project)
@@ -55,11 +55,11 @@ This repository provides essential skills to transform your AI assistant into a
## New Here? Start Here!
**Welcome to the V5.10.0 Workflows Edition.** This isn't just a list of scripts; it's a complete operating system for your AI Agent.
**Welcome to the V6.0.0 Workflows Edition.** This isn't just a list of scripts; it's a complete operating system for your AI Agent.
### 1. 🐣 Context: What is this?
**Antigravity Awesome Skills** (Release 5.10.0) is a massive upgrade to your AI's capabilities.
**Antigravity Awesome Skills** (Release 6.0.0) is a massive upgrade to your AI's capabilities.
AI Agents (like Claude Code, Cursor, or Gemini) are smart, but they lack **specific tools**. They don't know your company's "Deployment Protocol" or the specific syntax for "AWS CloudFormation".
**Skills** are small markdown files that teach them how to do these specific tasks perfectly, every time.
@@ -246,7 +246,7 @@ npx antigravity-awesome-skills
**Bundles** are curated groups of skills for a specific role or goal (for example: `Web Wizard`, `Security Engineer`, `OSS Maintainer`).
They help you avoid picking from 883+ skills one by one.
They help you avoid picking from 889+ skills one by one.
### ⚠️ Important: Bundles Are NOT Separate Installations!
@@ -318,7 +318,7 @@ The repository is organized into specialized domains to transform your AI into a
Counts change as new skills are added. For the current full registry, see [CATALOG.md](CATALOG.md).
## Browse 885+ Skills
## Browse 889+ Skills
We have moved the full skill registry to a dedicated catalog to keep this README clean.
@@ -399,6 +399,7 @@ This collection would not be possible without the incredible work of the Claude
### Community Contributors
- **[rmyndharis/antigravity-skills](https://github.com/rmyndharis/antigravity-skills)**: For the massive contribution of 300+ Enterprise skills and the catalog generation logic.
- **[amartelr/antigravity-workspace-manager](https://github.com/amartelr/antigravity-workspace-manager)**: Official Workspace Manager CLI companion to dynamically auto-provision subsets of skills across unlimited local development environments.
- **[obra/superpowers](https://github.com/obra/superpowers)**: The original "Superpowers" by Jesse Vincent.
- **[guanyang/antigravity-skills](https://github.com/guanyang/antigravity-skills)**: Core Antigravity extensions.
@@ -479,6 +480,10 @@ We officially thank the following contributors for their help in making this rep
- [@Nguyen-Van-Chan](https://github.com/Nguyen-Van-Chan)
- [@8hrsk](https://github.com/8hrsk)
- [@Wittlesus](https://github.com/Wittlesus)
- [@Vonfry](https://github.com/Vonfry)
- [@ssumanbiswas](https://github.com/ssumanbiswas)
- [@amartelr](https://github.com/amartelr)
- [@fernandorych](https://github.com/fernandorych)
---

BIN
assets/star-history.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 51 KiB

After

Width:  |  Height:  |  Size: 52 KiB

5
data/aliases.json
View File

@@ -95,6 +95,11 @@
"security-scanning-dependencies": "security-scanning-security-dependencies",
"security-scanning-hardening": "security-scanning-security-hardening",
"security-scanning-sast": "security-scanning-security-sast",
"aws-compliance-checker": "security/aws-compliance-checker",
"aws-iam-best-practices": "security/aws-iam-best-practices",
"security/aws-iam-practices": "security/aws-iam-best-practices",
"aws-secrets-rotation": "security/aws-secrets-rotation",
"aws-security-audit": "security/aws-security-audit",
"startup-business-case": "startup-business-analyst-business-case",
"startup-business-projections": "startup-business-analyst-financial-projections",
"startup-business-opportunity": "startup-business-analyst-market-opportunity",

8
data/bundles.json
View File

@@ -163,6 +163,7 @@
"ruby-pro",
"rust-async-patterns",
"rust-pro",
"security/aws-secrets-rotation",
"senior-architect",
"senior-fullstack",
"shopify-apps",
@@ -213,9 +214,11 @@
"clerk-auth",
"cloud-penetration-testing",
"code-review-checklist",
"code-reviewer",
"codebase-cleanup-deps-audit",
"dependency-management-deps-audit",
"deployment-pipeline-design",
"design-orchestration",
"docker-expert",
"dotnet-backend",
"ethical-hacking-methodology",
@@ -233,6 +236,7 @@
"linkerd-patterns",
"loki-mode",
"mobile-security-coder",
"multi-agent-brainstorming",
"nestjs-expert",
"nextjs-supabase-auth",
"nodejs-best-practices",
@@ -253,6 +257,10 @@
"security-scanning-security-dependencies",
"security-scanning-security-hardening",
"security-scanning-security-sast",
"security/aws-compliance-checker",
"security/aws-iam-best-practices",
"security/aws-secrets-rotation",
"security/aws-security-audit",
"service-mesh-expert",
"solidity-security",
"stride-analysis-patterns",

263
data/catalog.json
View File

@@ -1055,7 +1055,7 @@
{
"id": "architect-review",
"name": "architect-review",
"description": "Master software architect specializing in modern architecture",
"description": "Master software architect specializing in modern architecture patterns, clean architecture, microservices, event-driven systems, and DDD. Reviews system designs and code changes for architectural integrity, scalability, and maintainability. Use PROACTIVELY for architectural decisions.",
"category": "architecture",
"tags": [],
"triggers": [
@@ -1063,7 +1063,14 @@
"review",
"software",
"specializing",
"architecture"
"architecture",
"clean",
"microservices",
"event",
"driven",
"ddd",
"reviews",
"designs"
],
"path": "skills/architect-review/SKILL.md"
},
@@ -4768,7 +4775,7 @@
{
"id": "c-pro",
"name": "c-pro",
"description": "Write efficient C code with proper memory management, pointer",
"description": "Write efficient C code with proper memory management, pointer arithmetic, and system calls. Handles embedded systems, kernel modules, and performance-critical code. Use PROACTIVELY for C optimization, memory issues, or system programming.",
"category": "general",
"tags": [
"c"
@@ -4781,7 +4788,11 @@
"code",
"proper",
"memory",
"pointer"
"pointer",
"arithmetic",
"calls",
"embedded",
"kernel"
],
"path": "skills/c-pro/SKILL.md"
},
@@ -5783,8 +5794,8 @@
{
"id": "code-reviewer",
"name": "code-reviewer",
"description": "Elite code review expert specializing in modern AI-powered code",
"category": "data-ai",
"description": "Elite code review expert specializing in modern AI-powered code analysis, security vulnerabilities, performance optimization, and production reliability. Masters static analysis tools, security scanning, and configuration review with 2024/2025 best practices. Use PROACTIVELY for code quality assurance.",
"category": "security",
"tags": [
"code"
],
@@ -5795,7 +5806,12 @@
"review",
"specializing",
"ai",
"powered"
"powered",
"analysis",
"security",
"vulnerabilities",
"performance",
"optimization"
],
"path": "skills/code-reviewer/SKILL.md"
},
@@ -7669,11 +7685,22 @@
{
"id": "design-orchestration",
"name": "design-orchestration",
"description": ">",
"category": "workflow",
"description": "Orchestrates design workflows by routing work through brainstorming, multi-agent review, and execution readiness in the correct order. Prevents premature implementation, skipped validation, and unreviewed high-risk designs.",
"category": "security",
"tags": [],
"triggers": [
"orchestration"
"orchestration",
"orchestrates",
"routing",
"work",
"through",
"brainstorming",
"multi",
"agent",
"review",
"execution",
"readiness",
"correct"
],
"path": "skills/design-orchestration/SKILL.md"
},
@@ -10536,8 +10563,8 @@
{
"id": "haskell-pro",
"name": "haskell-pro",
"description": "Expert Haskell engineer specializing in advanced type systems, pure",
"category": "general",
"description": "Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.",
"category": "architecture",
"tags": [
"haskell"
],
@@ -10547,7 +10574,13 @@
"engineer",
"specializing",
"type",
"pure"
"pure",
"functional",
"high",
"reliability",
"software",
"proactively",
"level"
],
"path": "skills/haskell-pro/SKILL.md"
},
@@ -13202,8 +13235,8 @@
{
"id": "multi-agent-brainstorming",
"name": "multi-agent-brainstorming",
"description": ">",
"category": "general",
"description": "Use this skill when a design or idea requires higher confidence, risk reduction, or formal review. This skill orchestrates a structured, sequential multi-agent design review where each agent has a strict, non-overlapping role. It prevents blind spots, false confidence, and premature convergence.",
"category": "security",
"tags": [
"multi",
"agent",
@@ -13212,7 +13245,16 @@
"triggers": [
"multi",
"agent",
"brainstorming"
"brainstorming",
"skill",
"idea",
"requires",
"higher",
"confidence",
"risk",
"reduction",
"formal",
"review"
],
"path": "skills/multi-agent-brainstorming/SKILL.md"
},
@@ -13411,6 +13453,58 @@
],
"path": "skills/neon-postgres/SKILL.md"
},
{
"id": "nerdzao-elite",
"name": "nerdzao-elite",
"description": "Senior Elite Software Engineer (15+) and Senior Product Designer. Full workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation.",
"category": "architecture",
"tags": [
"nerdzao",
"elite"
],
"triggers": [
"nerdzao",
"elite",
"senior",
"software",
"engineer",
"15",
"product",
"designer",
"full",
"planning",
"architecture",
"tdd"
],
"path": "skills/nerdzao-elite/SKILL.md"
},
{
"id": "nerdzao-elite-gemini-high",
"name": "nerdzao-elite-gemini-high",
"description": "Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High. Workflow completo com foco em qualidade máxima e eficiência de tokens.",
"category": "workflow",
"tags": [
"nerdzao",
"elite",
"gemini",
"high"
],
"triggers": [
"nerdzao",
"elite",
"gemini",
"high",
"modo",
"coder",
"ux",
"pixel",
"perfect",
"otimizado",
"especificamente",
"para"
],
"path": "skills/nerdzao-elite-gemini-high/SKILL.md"
},
{
"id": "nestjs-expert",
"name": "nestjs-expert",
@@ -14312,7 +14406,7 @@
{
"id": "performance-engineer",
"name": "performance-engineer",
"description": "Expert performance engineer specializing in modern observability,",
"description": "Expert performance engineer specializing in modern observability, application optimization, and scalable system performance. Masters OpenTelemetry, distributed tracing, load testing, multi-tier caching, Core Web Vitals, and performance monitoring. Handles end-to-end optimization, real user monitoring, and scalability patterns. Use PROACTIVELY for performance optimization, observability, or scalability challenges.",
"category": "infrastructure",
"tags": [
"performance"
@@ -14321,7 +14415,15 @@
"performance",
"engineer",
"specializing",
"observability"
"observability",
"application",
"optimization",
"scalable",
"masters",
"opentelemetry",
"distributed",
"tracing",
"load"
],
"path": "skills/performance-engineer/SKILL.md"
},
@@ -16254,7 +16356,7 @@
{
"id": "search-specialist",
"name": "search-specialist",
"description": "Expert web researcher using advanced search techniques and",
"description": "Expert web researcher using advanced search techniques and synthesis. Masters search operators, result filtering, and multi-source verification. Handles competitive analysis and fact-checking. Use PROACTIVELY for deep research, information gathering, or trend analysis.",
"category": "general",
"tags": [
"search"
@@ -16263,7 +16365,15 @@
"search",
"web",
"researcher",
"techniques"
"techniques",
"synthesis",
"masters",
"operators",
"result",
"filtering",
"multi",
"source",
"verification"
],
"path": "skills/search-specialist/SKILL.md"
},
@@ -16453,6 +16563,119 @@
],
"path": "skills/security-scanning-security-sast/SKILL.md"
},
{
"id": "security/aws-compliance-checker",
"name": "aws-compliance-checker",
"description": "Automated compliance checking against CIS, PCI-DSS, HIPAA, and SOC 2 benchmarks",
"category": "security",
"tags": [
"aws",
"compliance",
"audit",
"cis",
"pci-dss",
"hipaa",
"kiro-cli"
],
"triggers": [
"aws",
"compliance",
"audit",
"cis",
"pci-dss",
"hipaa",
"kiro-cli",
"checker",
"automated",
"checking",
"against",
"pci"
],
"path": "skills/security/aws-compliance-checker/SKILL.md"
},
{
"id": "security/aws-iam-best-practices",
"name": "aws-iam-best-practices",
"description": "IAM policy review, hardening, and least privilege implementation",
"category": "security",
"tags": [
"aws",
"iam",
"security",
"access-control",
"kiro-cli",
"least-privilege"
],
"triggers": [
"aws",
"iam",
"security",
"access-control",
"kiro-cli",
"least-privilege",
"policy",
"review",
"hardening",
"least",
"privilege"
],
"path": "skills/security/aws-iam-best-practices/SKILL.md"
},
{
"id": "security/aws-secrets-rotation",
"name": "aws-secrets-rotation",
"description": "Automate AWS secrets rotation for RDS, API keys, and credentials",
"category": "security",
"tags": [
"aws",
"secrets-manager",
"security",
"automation",
"kiro-cli",
"credentials"
],
"triggers": [
"aws",
"secrets-manager",
"security",
"automation",
"kiro-cli",
"credentials",
"secrets",
"rotation",
"automate",
"rds",
"api",
"keys"
],
"path": "skills/security/aws-secrets-rotation/SKILL.md"
},
{
"id": "security/aws-security-audit",
"name": "aws-security-audit",
"description": "Comprehensive AWS security posture assessment using AWS CLI and security best practices",
"category": "security",
"tags": [
"aws",
"security",
"audit",
"compliance",
"kiro-cli",
"security-assessment"
],
"triggers": [
"aws",
"security",
"audit",
"compliance",
"kiro-cli",
"security-assessment",
"posture",
"assessment",
"cli"
],
"path": "skills/security/aws-security-audit/SKILL.md"
},
{
"id": "segment-automation",
"name": "segment-automation",

2
package.json
View File

@@ -1,6 +1,6 @@
{
"name": "antigravity-awesome-skills",
"version": "5.10.0",
"version": "6.0.0",
"description": "883+ agentic skills for Claude Code, Gemini CLI, Cursor, Antigravity & more. Installer CLI.",
"license": "MIT",
"scripts": {

2
skills/architect-review/SKILL.md
View File

@@ -1,6 +1,6 @@
---
name: architect-review
description: "Master software architect specializing in modern architecture"
description: Master software architect specializing in modern architecture
patterns, clean architecture, microservices, event-driven systems, and DDD.
Reviews system designs and code changes for architectural integrity,
scalability, and maintainability. Use PROACTIVELY for architectural decisions.

2
skills/c-pro/SKILL.md
View File

@@ -1,6 +1,6 @@
---
name: c-pro
description: "Write efficient C code with proper memory management, pointer"
description: Write efficient C code with proper memory management, pointer
arithmetic, and system calls. Handles embedded systems, kernel modules, and
performance-critical code. Use PROACTIVELY for C optimization, memory issues,
or system programming.

2
skills/code-reviewer/SKILL.md
View File

@@ -1,6 +1,6 @@
---
name: code-reviewer
description: "Elite code review expert specializing in modern AI-powered code"
description: Elite code review expert specializing in modern AI-powered code
analysis, security vulnerabilities, performance optimization, and production
reliability. Masters static analysis tools, security scanning, and
configuration review with 2024/2025 best practices. Use PROACTIVELY for code

2
skills/design-orchestration/SKILL.md
View File

@@ -1,6 +1,6 @@
---
name: design-orchestration
description: ">"
description:
Orchestrates design workflows by routing work through
brainstorming, multi-agent review, and execution readiness
in the correct order. Prevents premature implementation,

2
skills/haskell-pro/SKILL.md
View File

@@ -1,6 +1,6 @@
---
name: haskell-pro
description: "Expert Haskell engineer specializing in advanced type systems, pure"
description: Expert Haskell engineer specializing in advanced type systems, pure
functional design, and high-reliability software. Use PROACTIVELY for
type-level programming, concurrency, and architecture guidance.
metadata:

2
skills/multi-agent-brainstorming/SKILL.md
View File

@@ -1,6 +1,6 @@
---
name: multi-agent-brainstorming
description: ">"
description:
Use this skill when a design or idea requires higher confidence,
risk reduction, or formal review. This skill orchestrates a
structured, sequential multi-agent design review where each agent

50
skills/nerdzao-elite-gemini-high/SKILL.md Normal file
View File

@@ -0,0 +1,50 @@
---
name: nerdzao-elite-gemini-high
description: "Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High. Workflow completo com foco em qualidade máxima e eficiência de tokens."
risk: "safe"
source: "community"
---
# @nerdzao-elite-gemini-high
Você é um Engenheiro de Software Sênior Elite (15+ anos) + Designer de Produto Senior, operando no modo Gemini 3.1 Pro (High).
Ative automaticamente este workflow completo em TODA tarefa:
1. **Planejamento ultra-rápido**
@concise-planning + @brainstorming
2. **Arquitetura sólida**
@senior-architect + @architecture
3. **Implementação TDD**
@test-driven-development + @testing-patterns
4. **Código produção-grade**
@refactor-clean-code + @clean-code
5. **Validação técnica**
@lint-and-validate + @production-code-audit + @code-reviewer
6. **Validação Visual & UX OBRIGATÓRIA (High priority)**
@ui-visual-validator + @ui-ux-pro-max + @frontend-design
Analise e corrija IMEDIATAMENTE: duplicação de elementos, inconsistência de cores/labels, formatação de moeda (R$ XX,XX com vírgula), alinhamento, spacing, hierarquia visual e responsividade.
Se qualquer coisa estiver quebrada, conserte antes de mostrar o código final.
7. **Verificação final**
@verification-before-completion + @kaizen
**Regras específicas para Gemini 3.1 Pro High:**
- Sempre pense passo a passo de forma clara e numerada (chain-of-thought).
- Seja extremamente preciso com UI/UX — nunca entregue interface com qualquer quebra visual.
- Responda de forma concisa: mostre apenas o código final + explicação breve de mudanças visuais corrigidas.
- Nunca adicione comentários ou texto longo desnecessário.
- Priorize: pixel-perfect + código limpo + performance + segurança.
Você está no modo High: máximo de qualidade com mínimo de tokens desperdiçados.
## When to Use
Use when you need maximum quality output with Gemini 3.1 Pro High, pixel-perfect UI, and token-efficient workflow.

31
skills/nerdzao-elite/SKILL.md Normal file
View File

@@ -0,0 +1,31 @@
---
name: nerdzao-elite
description: "Senior Elite Software Engineer (15+) and Senior Product Designer. Full workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation."
risk: safe
source: community
---
# @nerdzao-elite
Você é um Engenheiro de Software Sênior Elite (15+ anos) + Designer de Produto Senior.
Ative automaticamente TODAS as skills abaixo em toda tarefa:
@concise-planning @brainstorming @senior-architect @architecture @test-driven-development @testing-patterns @refactor-clean-code @clean-code @lint-and-validate @ui-visual-validator @ui-ux-pro-max @frontend-design @web-design-guidelines @production-code-audit @code-reviewer @systematic-debugging @error-handling-patterns @kaizen @verification-before-completion
Workflow obrigatório (sempre na ordem):
1. Planejamento (@concise-planning + @brainstorming)
2. Arquitetura sólida
3. Implementação com TDD completo
4. Código limpo
5. Validação técnica
6. Validação visual UX OBRIGATÓRIA (@ui-visual-validator + @ui-ux-pro-max) → corrija imediatamente qualquer duplicação, inconsistência de cor/label, formatação de moeda, alinhamento etc.
7. Revisão de produção
8. Verificação final
Nunca entregue UI quebrada. Priorize sempre pixel-perfect + produção-grade.
## When to Use
Use when you need a full senior engineering workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation in Portuguese (Brazil).

2
skills/performance-engineer/SKILL.md
View File

@@ -1,6 +1,6 @@
---
name: performance-engineer
description: "Expert performance engineer specializing in modern observability,"
description: Expert performance engineer specializing in modern observability,
application optimization, and scalable system performance. Masters
OpenTelemetry, distributed tracing, load testing, multi-tier caching, Core Web
Vitals, and performance monitoring. Handles end-to-end optimization, real user

2
skills/search-specialist/SKILL.md
View File

@@ -1,6 +1,6 @@
---
name: search-specialist
description: "Expert web researcher using advanced search techniques and"
description: Expert web researcher using advanced search techniques and
synthesis. Masters search operators, result filtering, and multi-source
verification. Handles competitive analysis and fact-checking. Use PROACTIVELY
for deep research, information gathering, or trend analysis.

516
skills/security/aws-compliance-checker/SKILL.md Normal file
View File

@@ -0,0 +1,516 @@
---
name: aws-compliance-checker
description: Automated compliance checking against CIS, PCI-DSS, HIPAA, and SOC 2 benchmarks
risk: safe
source: community
category: security
tags: [aws, compliance, audit, cis, pci-dss, hipaa, kiro-cli]
---
# AWS Compliance Checker
Automated compliance validation against industry standards including CIS AWS Foundations, PCI-DSS, HIPAA, and SOC 2.
## When to Use
Use this skill when you need to validate AWS compliance against industry standards, prepare for audits, or maintain continuous compliance monitoring.
## Supported Frameworks
**CIS AWS Foundations Benchmark**
- Identity and Access Management
- Logging and Monitoring
- Networking
- Data Protection
**PCI-DSS (Payment Card Industry)**
- Network security
- Access controls
- Encryption
- Monitoring and logging
**HIPAA (Healthcare)**
- Access controls
- Audit controls
- Data encryption
- Transmission security
**SOC 2**
- Security
- Availability
- Confidentiality
- Privacy
## CIS AWS Foundations Checks
### Identity & Access Management (1.x)
```bash
#!/bin/bash
# cis-iam-checks.sh
echo "=== CIS IAM Compliance Checks ==="
# 1.1: Root account usage
echo "1.1: Checking root account usage..."
root_usage=$(aws iam get-credential-report --output text | \
awk -F, 'NR==2 {print $5,$11}')
echo " Root password last used: $root_usage"
# 1.2: MFA on root account
echo "1.2: Checking root MFA..."
root_mfa=$(aws iam get-account-summary \
--query 'SummaryMap.AccountMFAEnabled' --output text)
echo " Root MFA enabled: $root_mfa"
# 1.3: Unused credentials
echo "1.3: Checking for unused credentials (>90 days)..."
aws iam get-credential-report --output text | \
awk -F, 'NR>1 {
if ($5 != "N/A" && $5 != "no_information") {
cmd = "date -d \"" $5 "\" +%s"
cmd | getline last_used
close(cmd)
now = systime()
days = (now - last_used) / 86400
if (days > 90) print " ⚠️ " $1 ": " int(days) " days inactive"
}
}'
# 1.4: Access keys rotated
echo "1.4: Checking access key age..."
aws iam list-users --query 'Users[*].UserName' --output text | \
while read user; do
aws iam list-access-keys --user-name "$user" \
--query 'AccessKeyMetadata[*].[AccessKeyId,CreateDate]' \
--output text | \
while read key_id create_date; do
age_days=$(( ($(date +%s) - $(date -d "$create_date" +%s)) / 86400 ))
if [ $age_days -gt 90 ]; then
echo " ⚠️ $user: Key $key_id is $age_days days old"
fi
done
done
# 1.5-1.11: Password policy
echo "1.5-1.11: Checking password policy..."
policy=$(aws iam get-account-password-policy 2>&1)
if echo "$policy" | grep -q "NoSuchEntity"; then
echo " ❌ No password policy configured"
else
echo " ✓ Password policy exists"
echo "$policy" | jq '.PasswordPolicy | {
MinimumPasswordLength,
RequireSymbols,
RequireNumbers,
RequireUppercaseCharacters,
RequireLowercaseCharacters,
MaxPasswordAge,
PasswordReusePrevention
}'
fi
# 1.12-1.14: MFA for IAM users
echo "1.12-1.14: Checking IAM user MFA..."
aws iam get-credential-report --output text | \
awk -F, 'NR>1 && $4=="false" {print " ⚠️ " $1 ": No MFA"}'
```
### Logging (2.x)
```bash
#!/bin/bash
# cis-logging-checks.sh
echo "=== CIS Logging Compliance Checks ==="
# 2.1: CloudTrail enabled
echo "2.1: Checking CloudTrail..."
trails=$(aws cloudtrail describe-trails \
--query 'trailList[*].[Name,IsMultiRegionTrail,LogFileValidationEnabled]' \
--output text)
if [ -z "$trails" ]; then
echo " ❌ No CloudTrail configured"
else
echo "$trails" | while read name multi_region validation; do
echo " Trail: $name"
echo " Multi-region: $multi_region"
echo " Log validation: $validation"
# Check if logging
status=$(aws cloudtrail get-trail-status --name "$name" \
--query 'IsLogging' --output text)
echo " Is logging: $status"
done
fi
# 2.2: CloudTrail log file validation
echo "2.2: Checking log file validation..."
aws cloudtrail describe-trails \
--query 'trailList[?LogFileValidationEnabled==`false`].Name' \
--output text | \
while read trail; do
echo " ⚠️ $trail: Log validation disabled"
done
# 2.3: S3 bucket for CloudTrail
echo "2.3: Checking CloudTrail S3 bucket access..."
aws cloudtrail describe-trails \
--query 'trailList[*].S3BucketName' --output text | \
while read bucket; do
public=$(aws s3api get-bucket-acl --bucket "$bucket" 2>&1 | \
grep -c "AllUsers")
if [ "$public" -gt 0 ]; then
echo "$bucket: Publicly accessible"
else
echo "$bucket: Not public"
fi
done
# 2.4: CloudTrail integrated with CloudWatch Logs
echo "2.4: Checking CloudWatch Logs integration..."
aws cloudtrail describe-trails \
--query 'trailList[*].[Name,CloudWatchLogsLogGroupArn]' \
--output text | \
while read name log_group; do
if [ "$log_group" = "None" ]; then
echo " ⚠️ $name: Not integrated with CloudWatch Logs"
else
echo "$name: Integrated with CloudWatch"
fi
done
# 2.5: AWS Config enabled
echo "2.5: Checking AWS Config..."
recorders=$(aws configservice describe-configuration-recorders \
--query 'ConfigurationRecorders[*].name' --output text)
if [ -z "$recorders" ]; then
echo " ❌ AWS Config not enabled"
else
echo " ✓ AWS Config enabled: $recorders"
fi
# 2.6: S3 bucket logging
echo "2.6: Checking S3 bucket logging..."
aws s3api list-buckets --query 'Buckets[*].Name' --output text | \
while read bucket; do
logging=$(aws s3api get-bucket-logging --bucket "$bucket" 2>&1)
if ! echo "$logging" | grep -q "LoggingEnabled"; then
echo " ⚠️ $bucket: Access logging disabled"
fi
done
# 2.7: VPC Flow Logs
echo "2.7: Checking VPC Flow Logs..."
aws ec2 describe-vpcs --query 'Vpcs[*].VpcId' --output text | \
while read vpc; do
flow_logs=$(aws ec2 describe-flow-logs \
--filter "Name=resource-id,Values=$vpc" \
--query 'FlowLogs[*].FlowLogId' --output text)
if [ -z "$flow_logs" ]; then
echo " ⚠️ $vpc: No flow logs enabled"
else
echo "$vpc: Flow logs enabled"
fi
done
```
### Monitoring (3.x)
```bash
#!/bin/bash
# cis-monitoring-checks.sh
echo "=== CIS Monitoring Compliance Checks ==="
# Check for required CloudWatch metric filters and alarms
required_filters=(
"unauthorized-api-calls"
"no-mfa-console-signin"
"root-usage"
"iam-changes"
"cloudtrail-changes"
"console-signin-failures"
"cmk-changes"
"s3-bucket-policy-changes"
"aws-config-changes"
"security-group-changes"
"nacl-changes"
"network-gateway-changes"
"route-table-changes"
"vpc-changes"
)
log_group=$(aws cloudtrail describe-trails \
--query 'trailList[0].CloudWatchLogsLogGroupArn' \
--output text | cut -d: -f7)
if [ -z "$log_group" ] || [ "$log_group" = "None" ]; then
echo " ❌ CloudTrail not integrated with CloudWatch Logs"
else
echo "Checking metric filters for log group: $log_group"
existing_filters=$(aws logs describe-metric-filters \
--log-group-name "$log_group" \
--query 'metricFilters[*].filterName' --output text)
for filter in "${required_filters[@]}"; do
if echo "$existing_filters" | grep -q "$filter"; then
echo "$filter: Configured"
else
echo " ⚠️ $filter: Missing"
fi
done
fi
```
### Networking (4.x)
```bash
#!/bin/bash
# cis-networking-checks.sh
echo "=== CIS Networking Compliance Checks ==="
# 4.1: No security groups allow 0.0.0.0/0 ingress to port 22
echo "4.1: Checking SSH access (port 22)..."
aws ec2 describe-security-groups \
--query 'SecurityGroups[*].[GroupId,GroupName,IpPermissions]' \
--output json | \
jq -r '.[] | select(.[2][]? |
select(.FromPort == 22 and .IpRanges[]?.CidrIp == "0.0.0.0/0")) |
" ⚠️ \(.[0]): \(.[1]) allows SSH from 0.0.0.0/0"'
# 4.2: No security groups allow 0.0.0.0/0 ingress to port 3389
echo "4.2: Checking RDP access (port 3389)..."
aws ec2 describe-security-groups \
--query 'SecurityGroups[*].[GroupId,GroupName,IpPermissions]' \
--output json | \
jq -r '.[] | select(.[2][]? |
select(.FromPort == 3389 and .IpRanges[]?.CidrIp == "0.0.0.0/0")) |
" ⚠️ \(.[0]): \(.[1]) allows RDP from 0.0.0.0/0"'
# 4.3: Default security group restricts all traffic
echo "4.3: Checking default security groups..."
aws ec2 describe-security-groups \
--filters Name=group-name,Values=default \
--query 'SecurityGroups[*].[GroupId,IpPermissions,IpPermissionsEgress]' \
--output json | \
jq -r '.[] | select((.[1] | length) > 0 or (.[2] | length) > 1) |
" ⚠️ \(.[0]): Default SG has rules"'
```
## PCI-DSS Compliance Checks
```python
#!/usr/bin/env python3
# pci-dss-checker.py
import boto3
def check_pci_compliance():
"""Check PCI-DSS requirements"""
ec2 = boto3.client('ec2')
rds = boto3.client('rds')
s3 = boto3.client('s3')
issues = []
# Requirement 1: Network security
sgs = ec2.describe_security_groups()
for sg in sgs['SecurityGroups']:
for perm in sg.get('IpPermissions', []):
for ip_range in perm.get('IpRanges', []):
if ip_range.get('CidrIp') == '0.0.0.0/0':
issues.append(f"PCI 1.2: {sg['GroupId']} open to internet")
# Requirement 2: Secure configurations
# Check for default passwords, etc.
# Requirement 3: Protect cardholder data
volumes = ec2.describe_volumes()
for vol in volumes['Volumes']:
if not vol['Encrypted']:
issues.append(f"PCI 3.4: Volume {vol['VolumeId']} not encrypted")
# Requirement 4: Encrypt transmission
# Check for SSL/TLS on load balancers
# Requirement 8: Access controls
iam = boto3.client('iam')
users = iam.list_users()
for user in users['Users']:
mfa = iam.list_mfa_devices(UserName=user['UserName'])
if not mfa['MFADevices']:
issues.append(f"PCI 8.3: {user['UserName']} no MFA")
# Requirement 10: Logging
cloudtrail = boto3.client('cloudtrail')
trails = cloudtrail.describe_trails()
if not trails['trailList']:
issues.append("PCI 10.1: No CloudTrail enabled")
return issues
if __name__ == "__main__":
print("PCI-DSS Compliance Check")
print("=" * 50)
issues = check_pci_compliance()
if not issues:
print("✓ No PCI-DSS issues found")
else:
print(f"Found {len(issues)} issues:\n")
for issue in issues:
print(f" ⚠️ {issue}")
```
## HIPAA Compliance Checks
```bash
#!/bin/bash
# hipaa-checker.sh
echo "=== HIPAA Compliance Checks ==="
# Access Controls (164.308(a)(3))
echo "Access Controls:"
aws iam get-credential-report --output text | \
awk -F, 'NR>1 && $4=="false" {print " ⚠️ " $1 ": No MFA (164.312(a)(2)(i))"}'
# Audit Controls (164.312(b))
echo ""
echo "Audit Controls:"
trails=$(aws cloudtrail describe-trails --query 'trailList[*].Name' --output text)
if [ -z "$trails" ]; then
echo " ❌ No CloudTrail (164.312(b))"
else
echo " ✓ CloudTrail enabled"
fi
# Encryption (164.312(a)(2)(iv))
echo ""
echo "Encryption at Rest:"
aws ec2 describe-volumes \
--query 'Volumes[?Encrypted==`false`].VolumeId' \
--output text | \
while read vol; do
echo " ⚠️ $vol: Not encrypted (164.312(a)(2)(iv))"
done
aws rds describe-db-instances \
--query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' \
--output text | \
while read db; do
echo " ⚠️ $db: Not encrypted (164.312(a)(2)(iv))"
done
# Transmission Security (164.312(e)(1))
echo ""
echo "Transmission Security:"
echo " Check: All data in transit uses TLS 1.2+"
```
## Automated Compliance Reporting
```python
#!/usr/bin/env python3
# compliance-report.py
import boto3
import json
from datetime import datetime
def generate_compliance_report(framework='cis'):
"""Generate comprehensive compliance report"""
report = {
'framework': framework,
'generated': datetime.now().isoformat(),
'checks': [],
'summary': {
'total': 0,
'passed': 0,
'failed': 0,
'score': 0
}
}
# Run all checks based on framework
if framework == 'cis':
checks = run_cis_checks()
elif framework == 'pci':
checks = run_pci_checks()
elif framework == 'hipaa':
checks = run_hipaa_checks()
report['checks'] = checks
report['summary']['total'] = len(checks)
report['summary']['passed'] = sum(1 for c in checks if c['status'] == 'PASS')
report['summary']['failed'] = report['summary']['total'] - report['summary']['passed']
report['summary']['score'] = (report['summary']['passed'] / report['summary']['total']) * 100
return report
def run_cis_checks():
# Implement CIS checks
return []
def run_pci_checks():
# Implement PCI checks
return []
def run_hipaa_checks():
# Implement HIPAA checks
return []
if __name__ == "__main__":
import sys
framework = sys.argv[1] if len(sys.argv) > 1 else 'cis'
report = generate_compliance_report(framework)
print(f"\n{framework.upper()} Compliance Report")
print("=" * 50)
print(f"Score: {report['summary']['score']:.1f}%")
print(f"Passed: {report['summary']['passed']}/{report['summary']['total']}")
print(f"Failed: {report['summary']['failed']}/{report['summary']['total']}")
# Save to file
with open(f'compliance-{framework}-{datetime.now().strftime("%Y%m%d")}.json', 'w') as f:
json.dump(report, f, indent=2)
```
## Example Prompts
- "Run CIS AWS Foundations compliance check"
- "Generate a PCI-DSS compliance report"
- "Check HIPAA compliance for my AWS account"
- "Audit against SOC 2 requirements"
- "Create a compliance dashboard"
## Best Practices
- Run compliance checks weekly
- Automate with Lambda/EventBridge
- Track compliance trends over time
- Document exceptions with justification
- Integrate with AWS Security Hub
- Use AWS Config Rules for continuous monitoring
## Kiro CLI Integration
```bash
kiro-cli chat "Use aws-compliance-checker to run CIS benchmark"
kiro-cli chat "Generate PCI-DSS report with aws-compliance-checker"
```
## Additional Resources
- [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services)
- [AWS Security Hub](https://aws.amazon.com/security-hub/)
- [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/)

397
skills/security/aws-iam-best-practices/SKILL.md Normal file
View File

@@ -0,0 +1,397 @@
---
name: aws-iam-best-practices
description: IAM policy review, hardening, and least privilege implementation
risk: safe
source: community
category: security
tags: [aws, iam, security, access-control, kiro-cli, least-privilege]
---
# AWS IAM Best Practices
Review and harden IAM policies following AWS security best practices and least privilege principles.
## When to Use
Use this skill when you need to review IAM policies, implement least privilege access, or harden IAM security.
## Core Principles
**Least Privilege**
- Grant minimum permissions needed
- Use managed policies when possible
- Avoid wildcard (*) permissions
- Regular access reviews
**Defense in Depth**
- Enable MFA for all users
- Use IAM roles instead of access keys
- Implement service control policies (SCPs)
- Enable CloudTrail for audit
**Separation of Duties**
- Separate admin and user roles
- Use different roles for different environments
- Implement approval workflows
- Regular permission audits
## IAM Security Checks
### Find Overly Permissive Policies
```bash
# List policies with full admin access
aws iam list-policies --scope Local \
--query 'Policies[*].[PolicyName,Arn]' --output table | \
grep -i admin
# Find policies with wildcard actions
aws iam list-policies --scope Local --query 'Policies[*].Arn' --output text | \
while read arn; do
version=$(aws iam get-policy --policy-arn "$arn" \
--query 'Policy.DefaultVersionId' --output text)
doc=$(aws iam get-policy-version --policy-arn "$arn" \
--version-id "$version" --query 'PolicyVersion.Document')
if echo "$doc" | grep -q '"Action": "\*"'; then
echo "Wildcard action in: $arn"
fi
done
# Find inline policies (should use managed policies)
aws iam list-users --query 'Users[*].UserName' --output text | \
while read user; do
policies=$(aws iam list-user-policies --user-name "$user" \
--query 'PolicyNames' --output text)
if [ -n "$policies" ]; then
echo "Inline policies on user $user: $policies"
fi
done
```
### MFA Enforcement
```bash
# List users without MFA
aws iam get-credential-report --output text | \
awk -F, 'NR>1 && $4=="false" {print $1}'
# Check if MFA is required in policies
aws iam list-policies --scope Local --query 'Policies[*].Arn' --output text | \
while read arn; do
version=$(aws iam get-policy --policy-arn "$arn" \
--query 'Policy.DefaultVersionId' --output text)
doc=$(aws iam get-policy-version --policy-arn "$arn" \
--version-id "$version" --query 'PolicyVersion.Document')
if echo "$doc" | grep -q "aws:MultiFactorAuthPresent"; then
echo "MFA enforced in: $arn"
fi
done
# Enable MFA for a user (returns QR code)
aws iam create-virtual-mfa-device \
--virtual-mfa-device-name user-mfa \
--outfile /tmp/qr.png \
--bootstrap-method QRCodePNG
```
### Access Key Management
```bash
# Find old access keys (>90 days)
aws iam list-users --query 'Users[*].UserName' --output text | \
while read user; do
aws iam list-access-keys --user-name "$user" \
--query 'AccessKeyMetadata[*].[AccessKeyId,CreateDate,Status]' \
--output text | \
while read key_id create_date status; do
age_days=$(( ($(date +%s) - $(date -d "$create_date" +%s)) / 86400 ))
if [ $age_days -gt 90 ]; then
echo "$user: Key $key_id is $age_days days old"
fi
done
done
# Rotate access key
OLD_KEY="AKIAIOSFODNN7EXAMPLE"
USER="myuser"
# Create new key
NEW_KEY=$(aws iam create-access-key --user-name "$USER")
echo "New key created. Update applications, then run:"
echo "aws iam delete-access-key --user-name $USER --access-key-id $OLD_KEY"
# Deactivate old key (test first)
aws iam update-access-key \
--user-name "$USER" \
--access-key-id "$OLD_KEY" \
--status Inactive
```
### Role and Policy Analysis
```bash
# List unused roles (no activity in 90 days)
aws iam list-roles --query 'Roles[*].[RoleName,RoleLastUsed.LastUsedDate]' \
--output text | \
while read role last_used; do
if [ "$last_used" = "None" ]; then
echo "Never used: $role"
fi
done
# Find roles with trust relationships to external accounts
aws iam list-roles --query 'Roles[*].RoleName' --output text | \
while read role; do
trust=$(aws iam get-role --role-name "$role" \
--query 'Role.AssumeRolePolicyDocument')
if echo "$trust" | grep -q '"AWS":'; then
echo "External trust: $role"
fi
done
# Analyze policy permissions
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:user/myuser \
--action-names s3:GetObject s3:PutObject \
--resource-arns arn:aws:s3:::mybucket/*
```
## IAM Policy Templates
### Least Privilege S3 Access
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/user-data/${aws:username}/*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket",
"Condition": {
"StringLike": {
"s3:prefix": "user-data/${aws:username}/*"
}
}
}
]
}
```
### MFA-Required Policy
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
```
### Time-Based Access
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2026-01-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2026-12-31T23:59:59Z"
}
}
}
]
}
```
### IP-Restricted Access
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"203.0.113.0/24",
"198.51.100.0/24"
]
}
}
}
]
}
```
## IAM Hardening Checklist
**User Management**
- [ ] Enable MFA for all users
- [ ] Remove unused IAM users
- [ ] Rotate access keys every 90 days
- [ ] Use IAM roles instead of long-term credentials
- [ ] Implement password policy (length, complexity, rotation)
**Policy Management**
- [ ] Replace inline policies with managed policies
- [ ] Remove wildcard (*) permissions
- [ ] Implement least privilege
- [ ] Use policy conditions (MFA, IP, time)
- [ ] Regular policy reviews
**Role Management**
- [ ] Use roles for EC2 instances
- [ ] Implement cross-account roles properly
- [ ] Review trust relationships
- [ ] Remove unused roles
- [ ] Use session tags for fine-grained access
**Monitoring**
- [ ] Enable CloudTrail for IAM events
- [ ] Set up CloudWatch alarms for IAM changes
- [ ] Use AWS IAM Access Analyzer
- [ ] Regular access reviews
- [ ] Monitor for privilege escalation
## Automated IAM Hardening
```python
#!/usr/bin/env python3
# iam-hardening.py
import boto3
from datetime import datetime, timedelta
iam = boto3.client('iam')
def enforce_mfa():
"""Identify users without MFA"""
users = iam.list_users()['Users']
no_mfa = []
for user in users:
mfa_devices = iam.list_mfa_devices(
UserName=user['UserName']
)['MFADevices']
if not mfa_devices:
no_mfa.append(user['UserName'])
return no_mfa
def rotate_old_keys():
"""Find access keys older than 90 days"""
users = iam.list_users()['Users']
old_keys = []
for user in users:
keys = iam.list_access_keys(
UserName=user['UserName']
)['AccessKeyMetadata']
for key in keys:
age = datetime.now(key['CreateDate'].tzinfo) - key['CreateDate']
if age.days > 90:
old_keys.append({
'user': user['UserName'],
'key_id': key['AccessKeyId'],
'age_days': age.days
})
return old_keys
def find_overpermissive_policies():
"""Find policies with wildcard actions"""
policies = iam.list_policies(Scope='Local')['Policies']
overpermissive = []
for policy in policies:
version = iam.get_policy_version(
PolicyArn=policy['Arn'],
VersionId=policy['DefaultVersionId']
)
doc = version['PolicyVersion']['Document']
for statement in doc.get('Statement', []):
if statement.get('Action') == '*':
overpermissive.append(policy['PolicyName'])
break
return overpermissive
if __name__ == "__main__":
print("IAM Hardening Report")
print("=" * 50)
print("\nUsers without MFA:")
for user in enforce_mfa():
print(f" - {user}")
print("\nOld access keys (>90 days):")
for key in rotate_old_keys():
print(f" - {key['user']}: {key['age_days']} days")
print("\nOverpermissive policies:")
for policy in find_overpermissive_policies():
print(f" - {policy}")
```
## Example Prompts
- "Review my IAM policies for security issues"
- "Find users without MFA enabled"
- "Create a least privilege policy for S3 access"
- "Identify overly permissive IAM roles"
- "Generate an IAM hardening report"
## Best Practices
- Use AWS managed policies when possible
- Implement policy versioning
- Test policies in non-production first
- Document policy purposes
- Regular access reviews (quarterly)
- Use IAM Access Analyzer
- Implement SCPs for organization-wide controls
## Kiro CLI Integration
```bash
kiro-cli chat "Use aws-iam-best-practices to review my IAM setup"
kiro-cli chat "Create a least privilege policy with aws-iam-best-practices"
```
## Additional Resources
- [IAM Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
- [IAM Policy Simulator](https://policysim.aws.amazon.com/)
- [IAM Access Analyzer](https://aws.amazon.com/iam/features/analyze-access/)

465
skills/security/aws-secrets-rotation/SKILL.md Normal file
View File

@@ -0,0 +1,465 @@
---
name: aws-secrets-rotation
description: Automate AWS secrets rotation for RDS, API keys, and credentials
risk: safe
source: community
category: security
tags: [aws, secrets-manager, security, automation, kiro-cli, credentials]
---
# AWS Secrets Rotation
Automate rotation of secrets, credentials, and API keys using AWS Secrets Manager and Lambda.
## When to Use
Use this skill when you need to implement automated secrets rotation, manage credentials securely, or comply with security policies requiring regular key rotation.
## Supported Secret Types
**AWS Services**
- RDS database credentials
- DocumentDB credentials
- Redshift credentials
- ElastiCache credentials
**Third-Party Services**
- API keys
- OAuth tokens
- SSH keys
- Custom credentials
## Secrets Manager Setup
### Create a Secret
```bash
# Create RDS secret
aws secretsmanager create-secret \
--name prod/db/mysql \
--description "Production MySQL credentials" \
--secret-string '{
"username": "admin",
"password": "CHANGE_ME",
"engine": "mysql",
"host": "mydb.cluster-abc.us-east-1.rds.amazonaws.com",
"port": 3306,
"dbname": "myapp"
}'
# Create API key secret
aws secretsmanager create-secret \
--name prod/api/stripe \
--secret-string '{
"api_key": "sk_live_xxxxx",
"webhook_secret": "whsec_xxxxx"
}'
# Create secret from file
aws secretsmanager create-secret \
--name prod/ssh/private-key \
--secret-binary fileb://~/.ssh/id_rsa
```
### Retrieve Secrets
```bash
# Get secret value
aws secretsmanager get-secret-value \
--secret-id prod/db/mysql \
--query 'SecretString' --output text
# Get specific field
aws secretsmanager get-secret-value \
--secret-id prod/db/mysql \
--query 'SecretString' --output text | \
jq -r '.password'
# Get binary secret
aws secretsmanager get-secret-value \
--secret-id prod/ssh/private-key \
--query 'SecretBinary' --output text | \
base64 -d > private-key.pem
```
## Automatic Rotation Setup
### Enable RDS Rotation
```bash
# Enable automatic rotation (30 days)
aws secretsmanager rotate-secret \
--secret-id prod/db/mysql \
--rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:SecretsManagerRDSMySQLRotation \
--rotation-rules AutomaticallyAfterDays=30
# Rotate immediately
aws secretsmanager rotate-secret \
--secret-id prod/db/mysql
# Check rotation status
aws secretsmanager describe-secret \
--secret-id prod/db/mysql \
--query 'RotationEnabled'
```
### Lambda Rotation Function
```python
# lambda_rotation.py
import boto3
import json
import os
secrets_client = boto3.client('secretsmanager')
rds_client = boto3.client('rds')
def lambda_handler(event, context):
"""Rotate RDS MySQL password"""
secret_arn = event['SecretId']
token = event['ClientRequestToken']
step = event['Step']
# Get current secret
current = secrets_client.get_secret_value(SecretId=secret_arn)
secret = json.loads(current['SecretString'])
if step == "createSecret":
# Generate new password
new_password = generate_password()
secret['password'] = new_password
# Store as pending
secrets_client.put_secret_value(
SecretId=secret_arn,
ClientRequestToken=token,
SecretString=json.dumps(secret),
VersionStages=['AWSPENDING']
)
elif step == "setSecret":
# Update RDS password
rds_client.modify_db_instance(
DBInstanceIdentifier=secret['dbInstanceIdentifier'],
MasterUserPassword=secret['password'],
ApplyImmediately=True
)
elif step == "testSecret":
# Test new credentials
import pymysql
conn = pymysql.connect(
host=secret['host'],
user=secret['username'],
password=secret['password'],
database=secret['dbname']
)
conn.close()
elif step == "finishSecret":
# Mark as current
secrets_client.update_secret_version_stage(
SecretId=secret_arn,
VersionStage='AWSCURRENT',
MoveToVersionId=token,
RemoveFromVersionId=current['VersionId']
)
return {'statusCode': 200}
def generate_password(length=32):
import secrets
import string
alphabet = string.ascii_letters + string.digits + "!@#$%^&*()"
return ''.join(secrets.choice(alphabet) for _ in range(length))
```
### Custom Rotation for API Keys
```python
# api_key_rotation.py
import boto3
import requests
import json
secrets_client = boto3.client('secretsmanager')
def rotate_stripe_key(secret_arn, token, step):
"""Rotate Stripe API key"""
current = secrets_client.get_secret_value(SecretId=secret_arn)
secret = json.loads(current['SecretString'])
if step == "createSecret":
# Create new Stripe key via API
response = requests.post(
'https://api.stripe.com/v1/api_keys',
auth=(secret['api_key'], ''),
data={'name': f'rotated-{token[:8]}'}
)
new_key = response.json()['secret']
secret['api_key'] = new_key
secrets_client.put_secret_value(
SecretId=secret_arn,
ClientRequestToken=token,
SecretString=json.dumps(secret),
VersionStages=['AWSPENDING']
)
elif step == "testSecret":
# Test new key
response = requests.get(
'https://api.stripe.com/v1/balance',
auth=(secret['api_key'], '')
)
if response.status_code != 200:
raise Exception("New key failed validation")
elif step == "finishSecret":
# Revoke old key
old_key = json.loads(current['SecretString'])['api_key']
requests.delete(
f'https://api.stripe.com/v1/api_keys/{old_key}',
auth=(secret['api_key'], '')
)
# Promote to current
secrets_client.update_secret_version_stage(
SecretId=secret_arn,
VersionStage='AWSCURRENT',
MoveToVersionId=token
)
```
## Rotation Monitoring
### CloudWatch Alarms
```bash
# Create alarm for rotation failures
aws cloudwatch put-metric-alarm \
--alarm-name secrets-rotation-failures \
--alarm-description "Alert on secrets rotation failures" \
--metric-name RotationFailed \
--namespace AWS/SecretsManager \
--statistic Sum \
--period 300 \
--evaluation-periods 1 \
--threshold 1 \
--comparison-operator GreaterThanThreshold \
--alarm-actions arn:aws:sns:us-east-1:123456789012:alerts
```
### Rotation Audit Script
```bash
#!/bin/bash
# audit-rotations.sh
echo "Secrets Rotation Audit"
echo "====================="
aws secretsmanager list-secrets --query 'SecretList[*].[Name,RotationEnabled,LastRotatedDate]' \
--output text | \
while read name enabled last_rotated; do
echo ""
echo "Secret: $name"
echo " Rotation Enabled: $enabled"
echo " Last Rotated: $last_rotated"
if [ "$enabled" = "True" ]; then
# Check rotation schedule
rules=$(aws secretsmanager describe-secret --secret-id "$name" \
--query 'RotationRules.AutomaticallyAfterDays' --output text)
echo " Rotation Schedule: Every $rules days"
# Calculate days since last rotation
if [ "$last_rotated" != "None" ]; then
days_ago=$(( ($(date +%s) - $(date -d "$last_rotated" +%s)) / 86400 ))
echo " Days Since Rotation: $days_ago"
if [ $days_ago -gt $rules ]; then
echo " ⚠️ OVERDUE for rotation!"
fi
fi
fi
done
```
## Application Integration
### Python SDK
```python
import boto3
import json
def get_secret(secret_name):
"""Retrieve secret from Secrets Manager"""
client = boto3.client('secretsmanager')
try:
response = client.get_secret_value(SecretId=secret_name)
return json.loads(response['SecretString'])
except Exception as e:
print(f"Error retrieving secret: {e}")
raise
# Usage
db_creds = get_secret('prod/db/mysql')
connection = pymysql.connect(
host=db_creds['host'],
user=db_creds['username'],
password=db_creds['password'],
database=db_creds['dbname']
)
```
### Node.js SDK
```javascript
const AWS = require('aws-sdk');
const secretsManager = new AWS.SecretsManager();
async function getSecret(secretName) {
try {
const data = await secretsManager.getSecretValue({
SecretId: secretName
}).promise();
return JSON.parse(data.SecretString);
} catch (err) {
console.error('Error retrieving secret:', err);
throw err;
}
}
// Usage
const dbCreds = await getSecret('prod/db/mysql');
const connection = mysql.createConnection({
host: dbCreds.host,
user: dbCreds.username,
password: dbCreds.password,
database: dbCreds.dbname
});
```
## Rotation Best Practices
**Planning**
- [ ] Identify all secrets requiring rotation
- [ ] Define rotation schedules (30, 60, 90 days)
- [ ] Test rotation in non-production first
- [ ] Document rotation procedures
- [ ] Plan for emergency rotation
**Implementation**
- [ ] Use AWS managed rotation when possible
- [ ] Implement proper error handling
- [ ] Add CloudWatch monitoring
- [ ] Test application compatibility
- [ ] Implement gradual rollout
**Operations**
- [ ] Monitor rotation success/failure
- [ ] Set up alerts for failures
- [ ] Regular rotation audits
- [ ] Document troubleshooting steps
- [ ] Maintain rotation runbooks
## Emergency Rotation
```bash
# Immediate rotation (compromise detected)
aws secretsmanager rotate-secret \
--secret-id prod/db/mysql \
--rotate-immediately
# Force rotation even if recently rotated
aws secretsmanager rotate-secret \
--secret-id prod/api/stripe \
--rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:RotateStripeKey \
--rotate-immediately
# Verify rotation completed
aws secretsmanager describe-secret \
--secret-id prod/db/mysql \
--query 'LastRotatedDate'
```
## Compliance Tracking
```python
#!/usr/bin/env python3
# compliance-report.py
import boto3
from datetime import datetime, timedelta
client = boto3.client('secretsmanager')
def generate_compliance_report():
secrets = client.list_secrets()['SecretList']
compliant = []
non_compliant = []
for secret in secrets:
name = secret['Name']
rotation_enabled = secret.get('RotationEnabled', False)
last_rotated = secret.get('LastRotatedDate')
if not rotation_enabled:
non_compliant.append({
'name': name,
'issue': 'Rotation not enabled'
})
continue
if last_rotated:
days_ago = (datetime.now(last_rotated.tzinfo) - last_rotated).days
if days_ago > 90:
non_compliant.append({
'name': name,
'issue': f'Not rotated in {days_ago} days'
})
else:
compliant.append(name)
else:
non_compliant.append({
'name': name,
'issue': 'Never rotated'
})
print(f"Compliant Secrets: {len(compliant)}")
print(f"Non-Compliant Secrets: {len(non_compliant)}")
print("\nNon-Compliant Details:")
for item in non_compliant:
print(f" - {item['name']}: {item['issue']}")
if __name__ == "__main__":
generate_compliance_report()
```
## Example Prompts
- "Set up automatic rotation for my RDS credentials"
- "Create a Lambda function to rotate API keys"
- "Audit all secrets for rotation compliance"
- "Implement emergency rotation for compromised credentials"
- "Generate a secrets rotation report"
## Kiro CLI Integration
```bash
kiro-cli chat "Use aws-secrets-rotation to set up RDS credential rotation"
kiro-cli chat "Create a rotation audit report with aws-secrets-rotation"
```
## Additional Resources
- [AWS Secrets Manager Rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html)
- [Rotation Lambda Templates](https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas)
- [Best Practices for Secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html)

369
skills/security/aws-security-audit/SKILL.md Normal file
View File

@@ -0,0 +1,369 @@
---
name: aws-security-audit
description: Comprehensive AWS security posture assessment using AWS CLI and security best practices
risk: safe
source: community
category: security
tags: [aws, security, audit, compliance, kiro-cli, security-assessment]
---
# AWS Security Audit
Perform comprehensive security assessments of AWS environments to identify vulnerabilities and misconfigurations.
## When to Use
Use this skill when you need to audit AWS security posture, identify vulnerabilities, or prepare for compliance assessments.
## Audit Categories
**Identity & Access Management**
- Overly permissive IAM policies
- Unused IAM users and roles
- MFA enforcement gaps
- Root account usage
- Access key rotation
**Network Security**
- Open security groups (0.0.0.0/0)
- Public S3 buckets
- Unencrypted data in transit
- VPC flow logs disabled
- Network ACL misconfigurations
**Data Protection**
- Unencrypted EBS volumes
- Unencrypted RDS instances
- S3 bucket encryption disabled
- Backup policies missing
- KMS key rotation disabled
**Logging & Monitoring**
- CloudTrail disabled
- CloudWatch alarms missing
- VPC Flow Logs disabled
- S3 access logging disabled
- Config recording disabled
## Security Audit Commands
### IAM Security Checks
```bash
# List users without MFA
aws iam get-credential-report --output text | \
awk -F, '$4=="false" && $1!="<root_account>" {print $1}'
# Find unused IAM users (no activity in 90 days)
aws iam list-users --query 'Users[*].[UserName]' --output text | \
while read user; do
last_used=$(aws iam get-user --user-name "$user" \
--query 'User.PasswordLastUsed' --output text)
echo "$user: $last_used"
done
# List overly permissive policies (AdministratorAccess)
aws iam list-policies --scope Local \
--query 'Policies[?PolicyName==`AdministratorAccess`]'
# Find access keys older than 90 days
aws iam list-users --query 'Users[*].UserName' --output text | \
while read user; do
aws iam list-access-keys --user-name "$user" \
--query 'AccessKeyMetadata[*].[AccessKeyId,CreateDate]' \
--output text
done
# Check root account access keys
aws iam get-account-summary \
--query 'SummaryMap.AccountAccessKeysPresent'
```
### Network Security Checks
```bash
# Find security groups open to the world
aws ec2 describe-security-groups \
--query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]].[GroupId,GroupName]' \
--output table
# List public S3 buckets
aws s3api list-buckets --query 'Buckets[*].Name' --output text | \
while read bucket; do
acl=$(aws s3api get-bucket-acl --bucket "$bucket" 2>/dev/null)
if echo "$acl" | grep -q "AllUsers"; then
echo "PUBLIC: $bucket"
fi
done
# Check VPC Flow Logs status
aws ec2 describe-vpcs --query 'Vpcs[*].VpcId' --output text | \
while read vpc; do
flow_logs=$(aws ec2 describe-flow-logs \
--filter "Name=resource-id,Values=$vpc" \
--query 'FlowLogs[*].FlowLogId' --output text)
if [ -z "$flow_logs" ]; then
echo "No flow logs: $vpc"
fi
done
# Find RDS instances without encryption
aws rds describe-db-instances \
--query 'DBInstances[?StorageEncrypted==`false`].[DBInstanceIdentifier]' \
--output table
```
### Data Protection Checks
```bash
# Find unencrypted EBS volumes
aws ec2 describe-volumes \
--query 'Volumes[?Encrypted==`false`].[VolumeId,Size,State]' \
--output table
# Check S3 bucket encryption
aws s3api list-buckets --query 'Buckets[*].Name' --output text | \
while read bucket; do
encryption=$(aws s3api get-bucket-encryption \
--bucket "$bucket" 2>&1)
if echo "$encryption" | grep -q "ServerSideEncryptionConfigurationNotFoundError"; then
echo "No encryption: $bucket"
fi
done
# Find RDS snapshots that are public
aws rds describe-db-snapshots \
--query 'DBSnapshots[*].[DBSnapshotIdentifier]' --output text | \
while read snapshot; do
attrs=$(aws rds describe-db-snapshot-attributes \
--db-snapshot-identifier "$snapshot" \
--query 'DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName==`restore`].AttributeValues' \
--output text)
if echo "$attrs" | grep -q "all"; then
echo "PUBLIC SNAPSHOT: $snapshot"
fi
done
# Check KMS key rotation
aws kms list-keys --query 'Keys[*].KeyId' --output text | \
while read key; do
rotation=$(aws kms get-key-rotation-status --key-id "$key" \
--query 'KeyRotationEnabled' --output text 2>/dev/null)
if [ "$rotation" = "False" ]; then
echo "Rotation disabled: $key"
fi
done
```
### Logging & Monitoring Checks
```bash
# Check CloudTrail status
aws cloudtrail describe-trails \
--query 'trailList[*].[Name,IsMultiRegionTrail,LogFileValidationEnabled]' \
--output table
# Verify CloudTrail is logging
aws cloudtrail get-trail-status --name my-trail \
--query 'IsLogging'
# Check if AWS Config is enabled
aws configservice describe-configuration-recorders \
--query 'ConfigurationRecorders[*].[name,roleARN]' \
--output table
# List S3 buckets without access logging
aws s3api list-buckets --query 'Buckets[*].Name' --output text | \
while read bucket; do
logging=$(aws s3api get-bucket-logging --bucket "$bucket" 2>&1)
if ! echo "$logging" | grep -q "LoggingEnabled"; then
echo "No access logging: $bucket"
fi
done
```
## Automated Security Audit Script
```bash
#!/bin/bash
# comprehensive-security-audit.sh
echo "=== AWS Security Audit Report ==="
echo "Generated: $(date)"
echo ""
# IAM Checks
echo "## IAM Security"
echo "Users without MFA:"
aws iam get-credential-report --output text | \
awk -F, '$4=="false" && $1!="<root_account>" {print " - " $1}'
echo ""
echo "Root account access keys:"
aws iam get-account-summary \
--query 'SummaryMap.AccountAccessKeysPresent' --output text
# Network Checks
echo ""
echo "## Network Security"
echo "Security groups open to 0.0.0.0/0:"
aws ec2 describe-security-groups \
--query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]].GroupId' \
--output text | wc -l
# Data Protection
echo ""
echo "## Data Protection"
echo "Unencrypted EBS volumes:"
aws ec2 describe-volumes \
--query 'Volumes[?Encrypted==`false`].VolumeId' \
--output text | wc -l
echo ""
echo "Unencrypted RDS instances:"
aws rds describe-db-instances \
--query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' \
--output text | wc -l
# Logging
echo ""
echo "## Logging & Monitoring"
echo "CloudTrail status:"
aws cloudtrail describe-trails \
--query 'trailList[*].[Name,IsLogging]' \
--output table
echo ""
echo "=== End of Report ==="
```
## Security Score Calculator
```python
#!/usr/bin/env python3
# security-score.py
import boto3
import json
def calculate_security_score():
iam = boto3.client('iam')
ec2 = boto3.client('ec2')
s3 = boto3.client('s3')
score = 100
issues = []
# Check MFA
try:
report = iam.get_credential_report()
users_without_mfa = 0
# Parse report and count
if users_without_mfa > 0:
score -= 10
issues.append(f"{users_without_mfa} users without MFA")
except:
pass
# Check open security groups
sgs = ec2.describe_security_groups()
open_sgs = 0
for sg in sgs['SecurityGroups']:
for perm in sg.get('IpPermissions', []):
for ip_range in perm.get('IpRanges', []):
if ip_range.get('CidrIp') == '0.0.0.0/0':
open_sgs += 1
break
if open_sgs > 0:
score -= 15
issues.append(f"{open_sgs} security groups open to internet")
# Check unencrypted volumes
volumes = ec2.describe_volumes()
unencrypted = sum(1 for v in volumes['Volumes'] if not v['Encrypted'])
if unencrypted > 0:
score -= 20
issues.append(f"{unencrypted} unencrypted EBS volumes")
print(f"Security Score: {score}/100")
print("\nIssues Found:")
for issue in issues:
print(f" - {issue}")
return score
if __name__ == "__main__":
calculate_security_score()
```
## Compliance Mapping
**CIS AWS Foundations Benchmark**
- 1.1: Root account usage
- 1.2-1.14: IAM policies and MFA
- 2.1-2.9: Logging (CloudTrail, Config, VPC Flow Logs)
- 4.1-4.3: Monitoring and alerting
**PCI-DSS**
- Requirement 1: Network security controls
- Requirement 2: Secure configurations
- Requirement 8: Access controls and MFA
- Requirement 10: Logging and monitoring
**HIPAA**
- Access controls (IAM)
- Audit controls (CloudTrail)
- Encryption (EBS, RDS, S3)
- Transmission security (TLS/SSL)
## Remediation Priorities
**Critical (Fix Immediately)**
- Root account access keys
- Public RDS snapshots
- Security groups open to 0.0.0.0/0 on sensitive ports
- CloudTrail disabled
**High (Fix Within 7 Days)**
- Users without MFA
- Unencrypted data at rest
- Missing VPC Flow Logs
- Overly permissive IAM policies
**Medium (Fix Within 30 Days)**
- Old access keys (>90 days)
- Missing S3 access logging
- Unused IAM users
- KMS key rotation disabled
## Example Prompts
- "Run a comprehensive security audit on my AWS account"
- "Check for IAM security issues"
- "Find all unencrypted resources"
- "Generate a security compliance report"
- "Calculate my AWS security score"
## Best Practices
- Run audits weekly
- Automate with Lambda/EventBridge
- Export results to S3 for trending
- Integrate with SIEM tools
- Track remediation progress
- Document exceptions with business justification
## Kiro CLI Integration
```bash
kiro-cli chat "Use aws-security-audit to assess my security posture"
kiro-cli chat "Generate a security audit report with aws-security-audit"
```
## Additional Resources
- [AWS Security Best Practices](https://aws.amazon.com/security/best-practices/)
- [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services)
- [AWS Security Hub](https://aws.amazon.com/security-hub/)

108
skills_index.json
View File

@@ -399,10 +399,10 @@
"id": "architect-review",
"path": "skills/architect-review",
"category": "uncategorized",
"name": "Architect Review",
"description": "You are a master software architect specializing in modern software architecture patterns, clean architecture principles, and distributed systems design.",
"name": "architect-review",
"description": "Master software architect specializing in modern architecture patterns, clean architecture, microservices, event-driven systems, and DDD. Reviews system designs and code changes for architectural integrity, scalability, and maintainability. Use PROACTIVELY for architectural decisions.",
"risk": "unknown",
"source": "unknown"
"source": "community"
},
{
"id": "architecture",
@@ -566,6 +566,24 @@
"risk": "unknown",
"source": "community"
},
{
"id": "aws-secrets-rotation",
"path": "skills/security/aws-secrets-rotation",
"category": "security",
"name": "aws-secrets-rotation",
"description": "Automate AWS secrets rotation for RDS, API keys, and credentials",
"risk": "safe",
"source": "community"
},
{
"id": "aws-security-audit",
"path": "skills/security/aws-security-audit",
"category": "security",
"name": "aws-security-audit",
"description": "Comprehensive AWS security posture assessment using AWS CLI and security best practices",
"risk": "safe",
"source": "community"
},
{
"id": "aws-serverless",
"path": "skills/aws-serverless",
@@ -1929,10 +1947,10 @@
"id": "c-pro",
"path": "skills/c-pro",
"category": "uncategorized",
"name": "C Pro",
"description": "- Working on c pro tasks or workflows - Needing guidance, best practices, or checklists for c pro",
"name": "c-pro",
"description": "Write efficient C code with proper memory management, pointer arithmetic, and system calls. Handles embedded systems, kernel modules, and performance-critical code. Use PROACTIVELY for C optimization, memory issues, or system programming.",
"risk": "unknown",
"source": "unknown"
"source": "community"
},
{
"id": "c4-code",
@@ -2240,15 +2258,6 @@
"risk": "unknown",
"source": "community"
},
{
"id": "code-reviewer",
"path": "skills/code-reviewer",
"category": "uncategorized",
"name": "Code Reviewer",
"description": "- Working on code reviewer tasks or workflows - Needing guidance, best practices, or checklists for code reviewer",
"risk": "unknown",
"source": "unknown"
},
{
"id": "code-documentation-code-explain",
"path": "skills/code-documentation-code-explain",
@@ -2321,6 +2330,15 @@
"risk": "unknown",
"source": "community"
},
{
"id": "code-reviewer",
"path": "skills/code-reviewer",
"category": "uncategorized",
"name": "code-reviewer",
"description": "Elite code review expert specializing in modern AI-powered code analysis, security vulnerabilities, performance optimization, and production reliability. Masters static analysis tools, security scanning, and configuration review with 2024/2025 best practices. Use PROACTIVELY for code quality assurance.",
"risk": "unknown",
"source": "community"
},
{
"id": "codebase-cleanup-deps-audit",
"path": "skills/codebase-cleanup-deps-audit",
@@ -3050,15 +3068,6 @@
"risk": "unknown",
"source": "community"
},
{
"id": "design-orchestration",
"path": "skills/design-orchestration",
"category": "uncategorized",
"name": "Design Orchestration",
"description": "Ensure that **ideas become designs**, **designs are reviewed**, and **only validated designs reach implementation**.",
"risk": "unknown",
"source": "unknown"
},
{
"id": "design-md",
"path": "skills/design-md",
@@ -3068,6 +3077,15 @@
"risk": "safe",
"source": "https://github.com/google-labs-code/stitch-skills/tree/main/skills/design-md"
},
{
"id": "design-orchestration",
"path": "skills/design-orchestration",
"category": "uncategorized",
"name": "design-orchestration",
"description": "Orchestrates design workflows by routing work through brainstorming, multi-agent review, and execution readiness in the correct order. Prevents premature implementation, skipped validation, and unreviewed high-risk designs.",
"risk": "unknown",
"source": "community"
},
{
"id": "devops-troubleshooter",
"path": "skills/devops-troubleshooter",
@@ -4107,10 +4125,10 @@
"id": "haskell-pro",
"path": "skills/haskell-pro",
"category": "uncategorized",
"name": "Haskell Pro",
"description": "- Working on haskell pro tasks or workflows - Needing guidance, best practices, or checklists for haskell pro",
"name": "haskell-pro",
"description": "Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.",
"risk": "unknown",
"source": "unknown"
"source": "community"
},
{
"id": "helm-chart-scaffolding",
@@ -5169,10 +5187,10 @@
"id": "multi-agent-brainstorming",
"path": "skills/multi-agent-brainstorming",
"category": "uncategorized",
"name": "Multi Agent Brainstorming",
"description": "Transform a single-agent design into a **robust, review-validated design** by simulating a formal peer-review process using multiple constrained agents.",
"name": "multi-agent-brainstorming",
"description": "Use this skill when a design or idea requires higher confidence, risk reduction, or formal review. This skill orchestrates a structured, sequential multi-agent design review where each agent has a strict, non-overlapping role. It prevents blind spots, false confidence, and premature convergence.",
"risk": "unknown",
"source": "unknown"
"source": "community"
},
{
"id": "multi-agent-patterns",
@@ -5255,6 +5273,24 @@
"risk": "unknown",
"source": "vibeship-spawner-skills (Apache 2.0)"
},
{
"id": "nerdzao-elite",
"path": "skills/nerdzao-elite",
"category": "uncategorized",
"name": "nerdzao-elite",
"description": "Senior Elite Software Engineer (15+) and Senior Product Designer. Full workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation.",
"risk": "safe",
"source": "community"
},
{
"id": "nerdzao-elite-gemini-high",
"path": "skills/nerdzao-elite-gemini-high",
"category": "uncategorized",
"name": "nerdzao-elite-gemini-high",
"description": "Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High. Workflow completo com foco em qualidade m\u00e1xima e efici\u00eancia de tokens.",
"risk": "safe",
"source": "community"
},
{
"id": "nestjs-expert",
"path": "skills/nestjs-expert",
@@ -5601,10 +5637,10 @@
"id": "performance-engineer",
"path": "skills/performance-engineer",
"category": "uncategorized",
"name": "Performance Engineer",
"description": "You are a performance engineer specializing in modern application optimization, observability, and scalable system performance.",
"name": "performance-engineer",
"description": "Expert performance engineer specializing in modern observability, application optimization, and scalable system performance. Masters OpenTelemetry, distributed tracing, load testing, multi-tier caching, Core Web Vitals, and performance monitoring. Handles end-to-end optimization, real user monitoring, and scalability patterns. Use PROACTIVELY for performance optimization, observability, or scalability challenges.",
"risk": "unknown",
"source": "unknown"
"source": "community"
},
{
"id": "performance-profiling",
@@ -6348,10 +6384,10 @@
"id": "search-specialist",
"path": "skills/search-specialist",
"category": "uncategorized",
"name": "Search Specialist",
"description": "- Working on search specialist tasks or workflows - Needing guidance, best practices, or checklists for search specialist",
"name": "search-specialist",
"description": "Expert web researcher using advanced search techniques and synthesis. Masters search operators, result filtering, and multi-source verification. Handles competitive analysis and fact-checking. Use PROACTIVELY for deep research, information gathering, or trend analysis.",
"risk": "unknown",
"source": "unknown"
"source": "community"
},
{
"id": "secrets-management",