diff --git a/CATALOG.md b/CATALOG.md index 88444eac..1c6be89e 100644 --- a/CATALOG.md +++ b/CATALOG.md @@ -2,14 +2,14 @@ Generated at: 2026-02-08T00:00:00.000Z -Total skills: 885 +Total skills: 889 -## architecture (58) +## architecture (60) | Skill | Description | Tags | Triggers | | --- | --- | --- | --- | | `angular-state-management` | Master modern Angular state management with Signals, NgRx, and RxJS. Use when setting up global state, managing component stores, choosing between state solu... | angular, state | angular, state, signals, ngrx, rxjs, setting, up, global, managing, component, stores, choosing | -| `architect-review` | Master software architect specializing in modern architecture | | architect, review, software, specializing, architecture | +| `architect-review` | Master software architect specializing in modern architecture patterns, clean architecture, microservices, event-driven systems, and DDD. Reviews system desi... | | architect, review, software, specializing, architecture, clean, microservices, event, driven, ddd, reviews, designs | | `architecture` | Architectural decision-making framework. Requirements analysis, trade-off evaluation, ADR documentation. Use when making architecture decisions or analyzing ... | architecture | architecture, architectural, decision, making, framework, requirements, analysis, trade, off, evaluation, adr, documentation | | `architecture-decision-records` | Write and maintain Architecture Decision Records (ADRs) following best practices for technical decision documentation. Use when documenting significant techn... | architecture, decision, records | architecture, decision, records, write, maintain, adrs, following, technical, documentation, documenting, significant, decisions | | `avalonia-viewmodels-zafiro` | Optimal ViewModel and Wizard creation patterns for Avalonia using Zafiro and ReactiveUI. | avalonia, viewmodels, zafiro | avalonia, viewmodels, zafiro, optimal, viewmodel, wizard, creation, reactiveui | 
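Review bot: the `Generated at: 2026-02-08T00:00:00.000Z` line is left unchanged while `Total skills` moves from 885 to 889 and every section count changes, which suggests CATALOG.md was edited by hand rather than regenerated; please regenerate it so the timestamp and the counts come from the same run. The counts in this diff also do not reconcile: the section headers that change give +2 (architecture 58 to 60), -1 (data-ai 144 to 143), -3 (general 217 to 214) and +7 (security 88 to 95), a net of +5, while the total moves by only +4.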
@@ -40,11 +40,13 @@ Total skills: 885 | `event-store-design` | Design and implement event stores for event-sourced systems. Use when building event sourcing infrastructure, choosing event store technologies, or implement... | event, store | event, store, stores, sourced, building, sourcing, infrastructure, choosing, technologies, implementing, persistence | | `game-development/multiplayer` | Multiplayer game development principles. Architecture, networking, synchronization. | game, development/multiplayer | game, development/multiplayer, multiplayer, development, principles, architecture, networking, synchronization | | `godot-gdscript-patterns` | Master Godot 4 GDScript patterns including signals, scenes, state machines, and optimization. Use when building Godot games, implementing game systems, or le... | godot, gdscript | godot, gdscript, including, signals, scenes, state, machines, optimization, building, games, implementing, game | +| `haskell-pro` | Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programm... | haskell | haskell, pro, engineer, specializing, type, pure, functional, high, reliability, software, proactively, level | | `hig-patterns` | > | hig | hig | | `i18n-localization` | Internationalization and localization patterns. Detecting hardcoded strings, managing translations, locale files, RTL support. | i18n, localization | i18n, localization, internationalization, detecting, hardcoded, strings, managing, translations, locale, files, rtl | | `inngest` | Inngest expert for serverless-first background jobs, event-driven workflows, and durable execution without managing queues or workers. Use when: inngest, ser... | inngest | inngest, serverless, first, background, jobs, event, driven, durable, execution, without, managing, queues | | `monorepo-architect` | Expert in monorepo architecture, build systems, and dependency management at scale. 
Masters Nx, Turborepo, Bazel, and Lerna for efficient multi-project devel... | monorepo | monorepo, architect, architecture, dependency, scale, masters, nx, turborepo, bazel, lerna, efficient, multi | | `multi-agent-patterns` | Master orchestrator, peer-to-peer, and hierarchical multi-agent architectures | multi, agent | multi, agent, orchestrator, peer, hierarchical, architectures | +| `nerdzao-elite` | Senior Elite Software Engineer (15+) and Senior Product Designer. Full workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation. | nerdzao, elite | nerdzao, elite, senior, software, engineer, 15, product, designer, full, planning, architecture, tdd | | `nx-workspace-patterns` | Configure and optimize Nx monorepo workspaces. Use when setting up Nx, configuring project boundaries, optimizing build caching, or implementing affected com... | nx, workspace | nx, workspace, configure, optimize, monorepo, workspaces, setting, up, configuring, boundaries, optimizing, caching | | `on-call-handoff-patterns` | Master on-call shift handoffs with context transfer, escalation procedures, and documentation. Use when transitioning on-call responsibilities, documenting s... | on, call, handoff | on, call, handoff, shift, handoffs, context, transfer, escalation, procedures, documentation, transitioning, responsibilities | | `parallel-agents` | Multi-agent orchestration patterns. Use when multiple independent tasks can run with different domain expertise or when comprehensive analysis requires multi... | parallel, agents | parallel, agents, multi, agent, orchestration, multiple, independent, tasks, run, different, domain, expertise | 
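Review bot: `haskell-pro` is added here under architecture while the same row is removed from the general section further down in this diff (the `@@ -523,7` hunk), and the CHANGELOG entry only describes a frontmatter YAML fix for it; if the category move is intended, state it in the changelog, otherwise the rewritten frontmatter is changing the category as a side effect. In the new `nerdzao-elite` row, `(15+)` is ambiguous (presumably years of experience) and yields a bare `15` trigger; spell it out in the skill's description so the generated triggers stay meaningful.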
@@ -111,7 +113,7 @@ Total skills: 885 | `startup-metrics-framework` | This skill should be used when the user asks about \"key startup | startup, metrics, framework | startup, metrics, framework, skill, should, used, user, asks, about, key | | `whatsapp-automation` | Automate WhatsApp Business tasks via Rube MCP (Composio): send messages, manage templates, upload media, and handle contacts. Always search tools first for c... | whatsapp | whatsapp, automation, automate, business, tasks, via, rube, mcp, composio, send, messages, upload | -## data-ai (144) +## data-ai (143) | Skill | Description | Tags | Triggers | | --- | --- | --- | --- | 
@@ -173,7 +175,6 @@ Total skills: 885 | `cc-skill-clickhouse-io` | ClickHouse database patterns, query optimization, analytics, and data engineering best practices for high-performance analytical workloads. | cc, skill, clickhouse, io | cc, skill, clickhouse, io, database, query, optimization, analytics, data, engineering, high, performance | | `clarity-gate` | Pre-ingestion verification for epistemic quality in RAG systems with 9-point verification and Two-Round HITL workflow | clarity, gate | clarity, gate, pre, ingestion, verification, epistemic, quality, rag, point, two, round, hitl | | `code-documentation-doc-generate` | You are a documentation expert specializing in creating comprehensive, maintainable documentation from code. Generate API docs, architecture diagrams, user g... | code, documentation, doc, generate | code, documentation, doc, generate, specializing, creating, maintainable, api, docs, architecture, diagrams, user | -| `code-reviewer` | Elite code review expert specializing in modern AI-powered code | code | code, reviewer, elite, review, specializing, ai, powered | | `codex-review` | Professional code review with auto CHANGELOG generation, integrated with Codex AI | codex | codex, review, professional, code, auto, changelog, generation, integrated, ai | | `computer-use-agents` | Build AI agents that interact with computers like humans do - viewing screens, moving cursors, clicking buttons, and typing text. Covers Anthropic's Computer... | computer, use, agents | computer, use, agents, ai, interact, computers, like, humans, do, viewing, screens, moving | | `content-marketer` | Elite content marketing strategist specializing in AI-powered | content, marketer | content, marketer, elite, marketing, strategist, specializing, ai, powered | 
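Review bot: `code-reviewer` is removed from data-ai here and re-added under security in the `@@ -744,11` hunk, so the frontmatter fix credited to PR #111 in the CHANGELOG also re-categorizes the skill; confirm that is intended and mention the move in the changelog, since anyone filtering the catalog by section will no longer find it where it was.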
@@ -406,7 +407,7 @@ Total skills: 885 | `webapp-testing` | Toolkit for interacting with and testing local web applications using Playwright. Supports verifying frontend functionality, debugging UI behavior, capturing... | webapp | webapp, testing, toolkit, interacting, local, web, applications, playwright, supports, verifying, frontend, functionality | | `zustand-store-ts` | Create Zustand stores with TypeScript, subscribeWithSelector middleware, and proper state/action separation. Use when building React state management, creati... | zustand, store, ts | zustand, store, ts, stores, typescript, subscribewithselector, middleware, proper, state, action, separation, building | -## general (217) +## general (214) | Skill | Description | Tags | Triggers | | --- | --- | --- | --- | 
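Review bot: the general count drops from 217 to 214, but only two rows are removed from that section in this diff (`haskell-pro` in the `@@ -523,7` hunk and `multi-agent-brainstorming` in the `@@ -561,7` hunk); either a third removal is missing from the patch or the previous count was already off, so regenerate the header counts instead of editing them by hand.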
@@ -455,7 +456,7 @@ Total skills: 885 | `brand-guidelines-anthropic` | Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. Use it when brand co... | brand, guidelines, anthropic | brand, guidelines, anthropic, applies, official, colors, typography, any, sort, artifact, may, benefit | | `brand-guidelines-community` | Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. Use it when brand co... | brand, guidelines, community | brand, guidelines, community, applies, anthropic, official, colors, typography, any, sort, artifact, may | | `busybox-on-windows` | How to use a Win32 build of BusyBox to run many of the standard UNIX command line tools on Windows. | busybox, on, windows | busybox, on, windows, how, win32, run, many, standard, unix, command, line | -| `c-pro` | Write efficient C code with proper memory management, pointer | c | c, pro, write, efficient, code, proper, memory, pointer | +| `c-pro` | Write efficient C code with proper memory management, pointer arithmetic, and system calls. Handles embedded systems, kernel modules, and performance-critica... | c | c, pro, write, efficient, code, proper, memory, pointer, arithmetic, calls, embedded, kernel | | `canvas-design` | Create beautiful visual art in .png and .pdf documents using design philosophy. You should use this skill when the user asks to create a poster, piece of art... | canvas | canvas, beautiful, visual, art, png, pdf, documents, philosophy, should, skill, user, asks | | `cc-skill-continuous-learning` | Development skill from everything-claude-code | cc, skill, continuous, learning | cc, skill, continuous, learning, development, everything, claude, code | | `cc-skill-project-guidelines-example` | Project Guidelines Skill (Example) | cc, skill, guidelines, example | cc, skill, guidelines, example | 
@@ -523,7 +524,6 @@ Total skills: 885 | `git-pushing` | Stage, commit, and push git changes with conventional commit messages. Use when user wants to commit and push changes, mentions pushing to remote, or asks to... | git, pushing | git, pushing, stage, commit, push, changes, conventional, messages, user, wants, mentions, remote | | `github-issue-creator` | Convert raw notes, error logs, voice dictation, or screenshots into crisp GitHub-flavored markdown issue reports. Use when the user pastes bug info, error me... | github, issue, creator | github, issue, creator, convert, raw, notes, error, logs, voice, dictation, screenshots, crisp | | `graphql-architect` | Master modern GraphQL with federation, performance optimization, | graphql | graphql, architect, federation, performance, optimization | -| `haskell-pro` | Expert Haskell engineer specializing in advanced type systems, pure | haskell | haskell, pro, engineer, specializing, type, pure | | `hig-components-content` | > | hig, components, content | hig, components, content | | `hig-components-controls` | >- | hig, components, controls | hig, components, controls | | `hig-components-dialogs` | >- | hig, components, dialogs | hig, components, dialogs | 
@@ -561,7 +561,6 @@ Total skills: 885 | `micro-saas-launcher` | Expert in launching small, focused SaaS products fast - the indie hacker approach to building profitable software. Covers idea validation, MVP development, p... | micro, saas, launcher | micro, saas, launcher, launching, small, products, fast, indie, hacker, approach, building, profitable | | `minecraft-bukkit-pro` | Master Minecraft server plugin development with Bukkit, Spigot, and | minecraft, bukkit | minecraft, bukkit, pro, server, plugin, development, spigot | | `monorepo-management` | Master monorepo management with Turborepo, Nx, and pnpm workspaces to build efficient, scalable multi-package repositories with optimized builds and dependen... | monorepo | monorepo, turborepo, nx, pnpm, workspaces, efficient, scalable, multi, package, repositories, optimized, dependency | -| `multi-agent-brainstorming` | > | multi, agent, brainstorming | multi, agent, brainstorming | | `n8n-mcp-tools-expert` | Expert guide for using n8n-mcp MCP tools effectively. Use when searching for nodes, validating configurations, accessing templates, managing workflows, or us... | n8n, mcp | n8n, mcp, effectively, searching, nodes, validating, configurations, accessing, managing, any, provides, sele | | `nft-standards` | Implement NFT standards (ERC-721, ERC-1155) with proper metadata handling, minting strategies, and marketplace integration. Use when creating NFT contracts, ... | nft, standards | nft, standards, erc, 721, 1155, proper, metadata, handling, minting, marketplace, integration, creating | | `nosql-expert` | Expert guidance for distributed NoSQL databases (Cassandra, DynamoDB). Focuses on mental models, query-first modeling, single-table design, and avoiding hot ... | nosql | nosql, guidance, distributed, databases, cassandra, dynamodb, mental, models, query, first, modeling, single | 
@@ -593,7 +592,7 @@ Total skills: 885 | `reverse-engineer` | Expert reverse engineer specializing in binary analysis, | reverse | reverse, engineer, specializing, binary, analysis | | `scala-pro` | Master enterprise-grade Scala development with functional | scala | scala, pro, enterprise, grade, development, functional | | `schema-markup` | > | schema, markup | schema, markup | -| `search-specialist` | Expert web researcher using advanced search techniques and | search | search, web, researcher, techniques | +| `search-specialist` | Expert web researcher using advanced search techniques and synthesis. Masters search operators, result filtering, and multi-source verification. Handles comp... | search | search, web, researcher, techniques, synthesis, masters, operators, result, filtering, multi, source, verification | | `sharp-edges` | Identify error-prone APIs and dangerous configurations | sharp, edges | sharp, edges, identify, error, prone, apis, dangerous, configurations | | `shellcheck-configuration` | Master ShellCheck static analysis configuration and usage for shell script quality. Use when setting up linting infrastructure, fixing code issues, or ensuri... | shellcheck, configuration | shellcheck, configuration, static, analysis, usage, shell, script, quality, setting, up, linting, infrastructure | | `shodan-reconnaissance` | This skill should be used when the user asks to "search for exposed devices on the internet," "perform Shodan reconnaissance," "find vulnerable services usin... | shodan, reconnaissance | shodan, reconnaissance, skill, should, used, user, asks, search, exposed, devices, internet, perform | 
@@ -701,7 +700,7 @@ Total skills: 885 | `observability-engineer` | Build production-ready monitoring, logging, and tracing systems. | observability | observability, engineer, monitoring, logging, tracing | | `observability-monitoring-monitor-setup` | You are a monitoring and observability expert specializing in implementing comprehensive monitoring solutions. Set up metrics collection, distributed tracing... | observability, monitoring, monitor, setup | observability, monitoring, monitor, setup, specializing, implementing, solutions, set, up, metrics, collection, distributed | | `observability-monitoring-slo-implement` | You are an SLO (Service Level Objective) expert specializing in implementing reliability standards and error budget-based practices. Design SLO frameworks, d... | observability, monitoring, slo, implement | observability, monitoring, slo, implement, level, objective, specializing, implementing, reliability, standards, error, budget | -| `performance-engineer` | Expert performance engineer specializing in modern observability, | performance | performance, engineer, specializing, observability | +| `performance-engineer` | Expert performance engineer specializing in modern observability, application optimization, and scalable system performance. Masters OpenTelemetry, distribut... | performance | performance, engineer, specializing, observability, application, optimization, scalable, masters, opentelemetry, distributed, tracing, load | | `performance-testing-review-ai-review` | You are an expert AI-powered code review specialist combining automated static analysis, intelligent pattern recognition, and modern DevOps practices. Levera... | performance, ai | performance, ai, testing, review, powered, code, combining, automated, static, analysis, intelligent, recognition | | `pipedrive-automation` | Automate Pipedrive CRM operations including deals, contacts, organizations, activities, notes, and pipeline management via Rube MCP (Composio). 
Always search... | pipedrive | pipedrive, automation, automate, crm, operations, including, deals, contacts, organizations, activities, notes, pipeline | | `prometheus-configuration` | Set up Prometheus for comprehensive metric collection, storage, and monitoring of infrastructure and applications. Use when implementing metrics collection, ... | prometheus, configuration | prometheus, configuration, set, up, metric, collection, storage, monitoring, infrastructure, applications, implementing, metrics | @@ -718,7 +717,7 @@ Total skills: 885 | `wireshark-analysis` | This skill should be used when the user asks to "analyze network traffic with Wireshark", "capture packets for troubleshooting", "filter PCAP files", "follow... | wireshark | wireshark, analysis, skill, should, used, user, asks, analyze, network, traffic, capture, packets | | `workflow-automation` | Workflow automation is the infrastructure that makes AI agents reliable. Without durable execution, a network hiccup during a 10-step payment flow means lost... | | automation, infrastructure, makes, ai, agents, reliable, without, durable, execution, network, hiccup, during | -## security (88) +## security (95) | Skill | Description | Tags | Triggers | | --- | --- | --- | --- | 
@@ -744,11 +743,13 @@ Total skills: 885 | `clerk-auth` | Expert patterns for Clerk auth implementation, middleware, organizations, webhooks, and user sync Use when: adding authentication, clerk auth, user authentic... | clerk, auth | clerk, auth, middleware, organizations, webhooks, user, sync, adding, authentication, sign, up | | `cloud-penetration-testing` | This skill should be used when the user asks to "perform cloud penetration testing", "assess Azure or AWS or GCP security", "enumerate cloud resources", "exp... | cloud, penetration | cloud, penetration, testing, skill, should, used, user, asks, perform, assess, azure, aws | | `code-review-checklist` | Comprehensive checklist for conducting thorough code reviews covering functionality, security, performance, and maintainability | code, checklist | code, checklist, review, conducting, thorough, reviews, covering, functionality, security, performance, maintainability | +| `code-reviewer` | Elite code review expert specializing in modern AI-powered code analysis, security vulnerabilities, performance optimization, and production reliability. Mas... | code | code, reviewer, elite, review, specializing, ai, powered, analysis, security, vulnerabilities, performance, optimization | | `codebase-cleanup-deps-audit` | You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for ... | codebase, cleanup, deps, audit | codebase, cleanup, deps, audit, dependency, security, specializing, vulnerability, scanning, license, compliance, supply | | `database-migration` | Execute database migrations across ORMs and platforms with zero-downtime strategies, data transformation, and rollback procedures. Use when migrating databas... 
| database, migration | database, migration, execute, migrations, orms, platforms, zero, downtime, data, transformation, rollback, procedures | | `database-migrations-sql-migrations` | SQL database migrations with zero-downtime strategies for | database, sql, migrations, postgresql, mysql, flyway, liquibase, alembic, zero-downtime | database, sql, migrations, postgresql, mysql, flyway, liquibase, alembic, zero-downtime, zero, downtime | | `dependency-management-deps-audit` | You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for ... | dependency, deps, audit | dependency, deps, audit, security, specializing, vulnerability, scanning, license, compliance, supply, chain, analyze | | `deployment-pipeline-design` | Design multi-stage CI/CD pipelines with approval gates, security checks, and deployment orchestration. Use when architecting deployment workflows, setting up... | deployment, pipeline | deployment, pipeline, multi, stage, ci, cd, pipelines, approval, gates, security, checks, orchestration | +| `design-orchestration` | Orchestrates design workflows by routing work through brainstorming, multi-agent review, and execution readiness in the correct order. Prevents premature imp... | | orchestration, orchestrates, routing, work, through, brainstorming, multi, agent, review, execution, readiness, correct | | `devops-troubleshooter` | Expert DevOps troubleshooter specializing in rapid incident | devops, troubleshooter | devops, troubleshooter, specializing, rapid, incident | | `docker-expert` | Docker containerization expert with deep knowledge of multi-stage builds, image optimization, container security, Docker Compose orchestration, and productio... 
| docker | docker, containerization, deep, knowledge, multi, stage, image, optimization, container, security, compose, orchestration | | `dotnet-backend` | Build ASP.NET Core 8+ backend services with EF Core, auth, background jobs, and production API patterns. | dotnet, backend | dotnet, backend, asp, net, core, ef, auth, background, jobs, api | 
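Review bot: `design-orchestration` lands in the security section with an empty Tags column, although its description (routing design work through brainstorming, multi-agent review and execution readiness) describes no security function; the category appears to come straight from the rewritten frontmatter, so check the category and tag values in that skill's frontmatter before merging, and fill the tags so the row is consistent with the rest of the table.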
@@ -774,6 +775,7 @@ Total skills: 885 | `memory-forensics` | Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analy... | memory, forensics | memory, forensics, techniques, including, acquisition, process, analysis, artifact, extraction, volatility, related, analyzing | | `mobile-security-coder` | Expert in secure mobile coding practices specializing in input | mobile, security, coder | mobile, security, coder, secure, coding, specializing, input | | `mtls-configuration` | Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing... | mtls, configuration | mtls, configuration, configure, mutual, tls, zero, trust, communication, implementing, networking, certificate, securing | +| `multi-agent-brainstorming` | Use this skill when a design or idea requires higher confidence, risk reduction, or formal review. This skill orchestrates a structured, sequential multi-age... | multi, agent, brainstorming | multi, agent, brainstorming, skill, idea, requires, higher, confidence, risk, reduction, formal, review | | `nestjs-expert` | Nest.js framework expert specializing in module architecture, dependency injection, middleware, guards, interceptors, testing with Jest/Supertest, TypeORM/Mo... | nestjs | nestjs, nest, js, framework, specializing, module, architecture, dependency, injection, middleware, guards, interceptors | | `nextjs-supabase-auth` | Expert integration of Supabase Auth with Next.js App Router Use when: supabase auth next, authentication next.js, login supabase, auth middleware, protected ... | nextjs, supabase, auth | nextjs, supabase, auth, integration, next, js, app, router, authentication, login, middleware, protected | | `nodejs-best-practices` | Node.js development principles and decision-making. 
Framework selection, async patterns, security, and architecture. Teaches thinking, not copying. | nodejs, best, practices | nodejs, best, practices, node, js, development, principles, decision, making, framework, selection, async | 
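Review bot: same concern as for `design-orchestration`: `multi-agent-brainstorming` is removed from general (the `@@ -561,7` hunk) and added here under security, yet its description is about a structured, sequential multi-agent design review, not security; the words "risk reduction" and "formal review" are probably what pulled it into this section. Verify the category in its frontmatter, otherwise the security section becomes a catch-all for review-style skills.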
@@ -798,6 +800,10 @@ Total skills: 885 | `security-scanning-security-dependencies` | You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across eco... | security, scanning, dependencies | security, scanning, dependencies, specializing, dependency, vulnerability, analysis, sbom, generation, supply, chain, scan | | `security-scanning-security-hardening` | Coordinate multi-layer security scanning and hardening across application, infrastructure, and compliance controls. | security, scanning, hardening | security, scanning, hardening, coordinate, multi, layer, application, infrastructure, compliance, controls | | `security-scanning-security-sast` | Static Application Security Testing (SAST) for code vulnerability | security, scanning, sast | security, scanning, sast, static, application, testing, code, vulnerability | +| `security/aws-compliance-checker` | Automated compliance checking against CIS, PCI-DSS, HIPAA, and SOC 2 benchmarks | aws, compliance, audit, cis, pci-dss, hipaa, kiro-cli | aws, compliance, audit, cis, pci-dss, hipaa, kiro-cli, checker, automated, checking, against, pci | +| `security/aws-iam-best-practices` | IAM policy review, hardening, and least privilege implementation | aws, iam, security, access-control, kiro-cli, least-privilege | aws, iam, security, access-control, kiro-cli, least-privilege, policy, review, hardening, least, privilege | +| `security/aws-secrets-rotation` | Automate AWS secrets rotation for RDS, API keys, and credentials | aws, secrets-manager, security, automation, kiro-cli, credentials | aws, secrets-manager, security, automation, kiro-cli, credentials, secrets, rotation, automate, rds, api, keys | +| `security/aws-security-audit` | Comprehensive AWS security posture assessment using AWS CLI and security best practices | aws, security, audit, compliance, kiro-cli, security-assessment | aws, security, audit, compliance, kiro-cli, 
security-assessment, posture, assessment, cli | | `service-mesh-expert` | Expert service mesh architect specializing in Istio, Linkerd, and cloud-native networking patterns. Masters traffic management, security policies, observabil... | service, mesh | service, mesh, architect, specializing, istio, linkerd, cloud, native, networking, masters, traffic, security | | `solidity-security` | Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, aud... | solidity, security | solidity, security, smart, contract, prevent, common, vulnerabilities, secure, writing, contracts, auditing, existing | | `stride-analysis-patterns` | Apply STRIDE methodology to systematically identify threats. Use when analyzing system security, conducting threat modeling sessions, or creating security do... | stride | stride, analysis, apply, methodology, systematically, identify, threats, analyzing, security, conducting, threat, modeling | 
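Review bot: the four AWS rows use a `security/` path prefix in the Skill column (`security/aws-compliance-checker`, `security/aws-iam-best-practices`, ...) while the rest of the security section, and nearly every other row in the table, is a flat name, and the CHANGELOG lists the same skills without the prefix (`aws-compliance-checker`, `aws-iam-best-practices`, `aws-secrets-rotation`, `aws-security-audit`). Pick one form so the catalog name matches what users will type. The Triggers column for these rows also just repeats the Tags column plus a few description words, so broad tokens such as `kiro-cli`, `aws`, `audit` and `pci` will match far more than these four skills.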
@@ -878,7 +884,6 @@ Total skills: 885 | `convertkit-automation` | Automate ConvertKit (Kit) tasks via Rube MCP (Composio): manage subscribers, tags, broadcasts, and broadcast stats. Always search tools first for current sch... | convertkit | convertkit, automation, automate, kit, tasks, via, rube, mcp, composio, subscribers, tags, broadcasts | | `crewai` | Expert in CrewAI - the leading role-based multi-agent framework used by 60% of Fortune 500 companies. Covers agent design with roles and goals, task definiti... | crewai | crewai, leading, role, multi, agent, framework, used, 60, fortune, 500, companies, covers | | `datadog-automation` | Automate Datadog tasks via Rube MCP (Composio): query metrics, search logs, manage monitors/dashboards, create events and downtimes. Always search tools firs... | datadog | datadog, automation, automate, tasks, via, rube, mcp, composio, query, metrics, search, logs | -| `design-orchestration` | > | | orchestration | | `discord-automation` | Automate Discord tasks via Rube MCP (Composio): messages, channels, roles, webhooks, reactions. Always search tools first for current schemas. | discord | discord, automation, automate, tasks, via, rube, mcp, composio, messages, channels, roles, webhooks | | `docusign-automation` | Automate DocuSign tasks via Rube MCP (Composio): templates, envelopes, signatures, document management. Always search tools first for current schemas. | docusign | docusign, automation, automate, tasks, via, rube, mcp, composio, envelopes, signatures, document, always | | `dropbox-automation` | Automate Dropbox file management, sharing, search, uploads, downloads, and folder operations via Rube MCP (Composio). Always search tools first for current s... | dropbox | dropbox, automation, automate, file, sharing, search, uploads, downloads, folder, operations, via, rube | 
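Review bot: the removed `design-orchestration` row shows a bare `>` description, which is a YAML block-scalar indicator leaking into the catalog, the very symptom the CHANGELOG says PR #111 fixes. Identical `>` and `>-` descriptions remain in unchanged context rows of this same diff (`hig-patterns`, `hig-components-content`, `hig-components-controls`, `hig-components-dialogs`, `schema-markup`), so either apply the same frontmatter fix to those skills in this PR or record them as a follow-up in the changelog.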
@@ -904,6 +909,7 @@ Total skills: 885 | `miro-automation` | Automate Miro tasks via Rube MCP (Composio): boards, items, sticky notes, frames, sharing, connectors. Always search tools first for current schemas. | miro | miro, automation, automate, tasks, via, rube, mcp, composio, boards, items, sticky, notes | | `mixpanel-automation` | Automate Mixpanel tasks via Rube MCP (Composio): events, segmentation, funnels, cohorts, user profiles, JQL queries. Always search tools first for current sc... | mixpanel | mixpanel, automation, automate, tasks, via, rube, mcp, composio, events, segmentation, funnels, cohorts | | `monday-automation` | Automate Monday.com work management including boards, items, columns, groups, subitems, and updates via Rube MCP (Composio). Always search tools first for cu... | monday | monday, automation, automate, com, work, including, boards, items, columns, groups, subitems, updates | +| `nerdzao-elite-gemini-high` | Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High. Workflow completo com foco em qualidade máxima e eficiência de tokens. | nerdzao, elite, gemini, high | nerdzao, elite, gemini, high, modo, coder, ux, pixel, perfect, otimizado, especificamente, para | | `notion-automation` | Automate Notion tasks via Rube MCP (Composio): pages, databases, blocks, comments, users. Always search tools first for current schemas. | notion | notion, automation, automate, tasks, via, rube, mcp, composio, pages, databases, blocks, comments | | `one-drive-automation` | Automate OneDrive file management, search, uploads, downloads, sharing, permissions, and folder operations via Rube MCP (Composio). Always search tools first... | one, drive | one, drive, automation, automate, onedrive, file, search, uploads, downloads, sharing, permissions, folder | | `outlook-automation` | Automate Outlook tasks via Rube MCP (Composio): emails, calendar, contacts, folders, attachments. Always search tools first for current schemas. 
| outlook | outlook, automation, automate, tasks, via, rube, mcp, composio, emails, calendar, contacts, folders | diff --git a/CHANGELOG.md b/CHANGELOG.md index 765b301a..9b985239 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
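Review bot: the `nerdzao-elite-gemini-high` description is in Portuguese ("Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High ...") while every other row is English, and the generated triggers include Portuguese function words such as `modo`, `otimizado` and `para`; translate the description in the skill's frontmatter (roughly: "Elite Coder + pixel-perfect UX mode tuned specifically for Gemini 3.1 Pro High. Complete workflow focused on maximum quality and token efficiency") so the triggers are usable. This row also lands in a different section from `nerdzao-elite`, which the `@@ -40,11` hunk puts under architecture; the two should probably share a category.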
@@ -7,6 +7,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 --- +## [6.0.0] - 2026-02-22 - "Codex YAML Fix & Community PRs" + +> **Major release: Codex frontmatter fixes, AWS Security & Compliance skills, Antigravity Workspace Manager CLI, and validation fixes.** + +This release addresses Codex invalid YAML warnings (issue #108) via frontmatter fixes, adds AWS Security & Compliance skills and the official Antigravity Workspace Manager CLI companion, and fixes validation for nerdzao-elite skills. + +## New Skills + +- **AWS Security & Compliance** (PR #106): `aws-compliance-checker`, `aws-iam-best-practices`, `aws-secrets-rotation`, `aws-security-audit`. +- **nerdzao-elite**, **nerdzao-elite-gemini-high**: Elite workflow skills (validation fixes in-repo). + +## Improvements + +- **Frontmatter**: Fixed YAML frontmatter in code-reviewer, architect-review, c-pro, design-orchestration, haskell-pro, multi-agent-brainstorming, performance-engineer, search-specialist (PR #111) — reduces Codex "invalid YAML" warnings (fixes #108). +- **Antigravity Workspace Manager**: Official CLI companion to auto-provision skill subsets across environments (PR #110); documented in Community Contributors. +- **Registry**: Now tracking 889 skills. +- **Validation**: Added frontmatter and "When to Use" for nerdzao-elite / nerdzao-elite-gemini-high. + +## Credits + +- **@Vonfry** for frontmatter YAML fixes (PR #111) +- **@ssumanbiswas** for AWS Security & Compliance skills (PR #106) +- **@amartelr** for Antigravity Workspace Manager CLI (PR #110) +- **@fernandorych** for branch sync (PR #109) +- **@Rodrigolmti** for reporting Codex YAML issue (#108) + +--- + +_Upgrade now: `git pull origin main` to fetch the latest skills._ + ## [5.10.0] - 2026-02-21 - "AWS Kiro CLI Integration" > **Native support and integration guide for AWS Kiro CLI, expanding the repository's reach to the AWS developer community.** 
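Review bot: calling this a major release (6.0.0) conflicts with the "adheres to Semantic Versioning" line in this hunk's context, since the entry lists only frontmatter fixes, new skills and a companion CLI and names no breaking change; 5.11.0 matches the content unless something here breaks existing installs, in which case the entry should say what. Also, "nerdzao-elite, nerdzao-elite-gemini-high: Elite workflow skills (validation fixes in-repo)" reads as if existing skills were repaired, whereas both `skills/nerdzao-elite/SKILL.md` and `skills/nerdzao-elite-gemini-high/SKILL.md` are added as new files in this diff; list them as new additions and credit their author in the Credits block like the other contributions.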
diff --git a/README.md b/README.md index 026fef19..6f49f753 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -# 🌌 Antigravity Awesome Skills: 885+ Agentic Skills for Claude Code, Gemini CLI, Cursor, Copilot & More +# 🌌 Antigravity Awesome Skills: 889+ Agentic Skills for Claude Code, Gemini CLI, Cursor, Copilot & More -> **The Ultimate Collection of 885+ Universal Agentic Skills for AI Coding Assistants — Claude Code, Gemini CLI, Codex CLI, Antigravity IDE, GitHub Copilot, Cursor, OpenCode, AdaL** +> **The Ultimate Collection of 889+ Universal Agentic Skills for AI Coding Assistants — Claude Code, Gemini CLI, Codex CLI, Antigravity IDE, GitHub Copilot, Cursor, OpenCode, AdaL** [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Claude Code](https://img.shields.io/badge/Claude%20Code-Anthropic-purple)](https://claude.ai) @@ -17,12 +17,12 @@ If this project helps you, you can [support it here](https://buymeacoffee.com/sickn33) or simply ⭐ the repo. -**Antigravity Awesome Skills** is a curated, battle-tested library of **885 high-performance agentic skills** designed to work seamlessly across all major AI coding assistants: +**Antigravity Awesome Skills** is a curated, battle-tested library of **889 high-performance agentic skills** designed to work seamlessly across all major AI coding assistants: - 🟣 **Claude Code** (Anthropic CLI) - 🔵 **Gemini CLI** (Google DeepMind) - 🟢 **Codex CLI** (OpenAI) -- 🟠 **Kiro CLI** (AWS) +https://github.com/sickn33/antigravity-awesome-skills/pull/107/conflict?name=skills_index.json&ancestor_oid=9aa6336a54e7308ff8b34c222969d18c89576c8d&base_oid=dab694b49578ec5f4a24879ce75d873b9b6cd113&head_oid=7c986794ed9f0666e004f8900cdce3c42ce393b1- 🟠 **Kiro CLI** (AWS) - 🔴 **Antigravity IDE** (Google DeepMind) - 🩵 **GitHub Copilot** (VSCode Extension) - 🟠 **Cursor** (AI-native IDE) 
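Review bot: the Kiro CLI bullet in the `@@ -17,12 +17,12 @@` hunk has been replaced by a pasted GitHub conflict-resolution URL (`+https://github.com/sickn33/antigravity-awesome-skills/pull/107/conflict?name=skills_index.json&...- 🟠 **Kiro CLI** (AWS)`), so the README will render a raw link glued to the bullet text; restore the line to `- 🟠 **Kiro CLI** (AWS)`. The URL also records an unresolved conflict in `skills_index.json`, a file that does not appear in the visible part of this diff; check that the index was regenerated for the six new skills rather than left in its conflicting state.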
@@ -41,7 +41,7 @@ This repository provides essential skills to transform your AI assistant into a - [🎁 Curated Collections (Bundles)](#curated-collections) - [🧭 Antigravity Workflows](#antigravity-workflows) - [📦 Features & Categories](#features--categories) -- [📚 Browse 885+ Skills](#browse-885-skills) +- [📚 Browse 889+ Skills](#browse-889-skills) - [🤝 How to Contribute](#how-to-contribute) - [🤝 Community](#community) - [☕ Support the Project](#support-the-project) @@ -55,11 +55,11 @@ This repository provides essential skills to transform your AI assistant into a ## New Here? Start Here! -**Welcome to the V5.10.0 Workflows Edition.** This isn't just a list of scripts; it's a complete operating system for your AI Agent. +**Welcome to the V6.0.0 Workflows Edition.** This isn't just a list of scripts; it's a complete operating system for your AI Agent. ### 1. 🐣 Context: What is this? -**Antigravity Awesome Skills** (Release 5.10.0) is a massive upgrade to your AI's capabilities. +**Antigravity Awesome Skills** (Release 6.0.0) is a massive upgrade to your AI's capabilities. AI Agents (like Claude Code, Cursor, or Gemini) are smart, but they lack **specific tools**. They don't know your company's "Deployment Protocol" or the specific syntax for "AWS CloudFormation". **Skills** are small markdown files that teach them how to do these specific tasks perfectly, every time. @@ -246,7 +246,7 @@ npx antigravity-awesome-skills **Bundles** are curated groups of skills for a specific role or goal (for example: `Web Wizard`, `Security Engineer`, `OSS Maintainer`). -They help you avoid picking from 883+ skills one by one. +They help you avoid picking from 889+ skills one by one. ### ⚠️ Important: Bundles Are NOT Separate Installations! 
@@ -318,7 +318,7 @@ The repository is organized into specialized domains to transform your AI into a Counts change as new skills are added. For the current full registry, see [CATALOG.md](CATALOG.md). -## Browse 885+ Skills +## Browse 889+ Skills We have moved the full skill registry to a dedicated catalog to keep this README clean. @@ -399,6 +399,7 @@ This collection would not be possible without the incredible work of the Claude ### Community Contributors - **[rmyndharis/antigravity-skills](https://github.com/rmyndharis/antigravity-skills)**: For the massive contribution of 300+ Enterprise skills and the catalog generation logic. +- **[amartelr/antigravity-workspace-manager](https://github.com/amartelr/antigravity-workspace-manager)**: Official Workspace Manager CLI companion to dynamically auto-provision subsets of skills across unlimited local development environments. - **[obra/superpowers](https://github.com/obra/superpowers)**: The original "Superpowers" by Jesse Vincent. - **[guanyang/antigravity-skills](https://github.com/guanyang/antigravity-skills)**: Core Antigravity extensions. @@ -479,6 +480,10 @@ We officially thank the following contributors for their help in making this rep - [@Nguyen-Van-Chan](https://github.com/Nguyen-Van-Chan) - [@8hrsk](https://github.com/8hrsk) - [@Wittlesus](https://github.com/Wittlesus) +- [@Vonfry](https://github.com/Vonfry) +- [@ssumanbiswas](https://github.com/ssumanbiswas) +- [@amartelr](https://github.com/amartelr) +- [@fernandorych](https://github.com/fernandorych) --- diff --git a/assets/star-history.png b/assets/star-history.png index aeaa81de..2863e759 100644 Binary files a/assets/star-history.png and b/assets/star-history.png differ diff --git a/data/aliases.json b/data/aliases.json index 557cc4ba..8d82fcc5 100644 --- a/data/aliases.json +++ b/data/aliases.json 
@@ -95,6 +95,11 @@ "security-scanning-dependencies": "security-scanning-security-dependencies", "security-scanning-hardening": "security-scanning-security-hardening", "security-scanning-sast": "security-scanning-security-sast", + "aws-compliance-checker": "security/aws-compliance-checker", + "aws-iam-best-practices": "security/aws-iam-best-practices", + "security/aws-iam-practices": "security/aws-iam-best-practices", + "aws-secrets-rotation": "security/aws-secrets-rotation", + "aws-security-audit": "security/aws-security-audit", "startup-business-case": "startup-business-analyst-business-case", "startup-business-projections": "startup-business-analyst-financial-projections", "startup-business-opportunity": "startup-business-analyst-market-opportunity", diff --git a/data/bundles.json b/data/bundles.json index 0fa7a83f..018f7f49 100644 --- a/data/bundles.json +++ b/data/bundles.json @@ -163,6 +163,7 @@ "ruby-pro", "rust-async-patterns", "rust-pro", + "security/aws-secrets-rotation", "senior-architect", "senior-fullstack", "shopify-apps", @@ -213,9 +214,11 @@ "clerk-auth", "cloud-penetration-testing", "code-review-checklist", + "code-reviewer", "codebase-cleanup-deps-audit", "dependency-management-deps-audit", "deployment-pipeline-design", + "design-orchestration", "docker-expert", "dotnet-backend", "ethical-hacking-methodology", @@ -233,6 +236,7 @@ "linkerd-patterns", "loki-mode", "mobile-security-coder", + "multi-agent-brainstorming", "nestjs-expert", "nextjs-supabase-auth", "nodejs-best-practices", @@ -253,6 +257,10 @@ "security-scanning-security-dependencies", "security-scanning-security-hardening", "security-scanning-security-sast", + "security/aws-compliance-checker", + "security/aws-iam-best-practices", + "security/aws-secrets-rotation", + "security/aws-security-audit", "service-mesh-expert", "solidity-security", "stride-analysis-patterns", diff --git a/data/catalog.json b/data/catalog.json index f1cb7258..0eabde2c 100644 --- a/data/catalog.json 
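Review bot: `design-orchestration` and `multi-agent-brainstorming` are added to the bundle that holds `cloud-penetration-testing`, `ethical-hacking-methodology` and `mobile-security-coder`, apparently because their catalog category was switched to `security` elsewhere in this PR; their descriptions are about sequencing design reviews, not security work, so anyone installing the security bundle gets two unrelated workflow skills. Either curate the bundle list by hand instead of deriving it from the category, or fix the category. Two smaller points: `security/aws-secrets-rotation` is inserted between `rust-pro` and `senior-architect` in the `@@ -163,6 +163,7 @@` bundle, which looks like a language/role bundle rather than a security one, so confirm it belongs there; and the alias `"security/aws-iam-practices": "security/aws-iam-best-practices"` keys a path-style id unlike the bare-name aliases around it, so say where that old id was ever published or drop it.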
+++ b/data/catalog.json @@ -1055,7 +1055,7 @@ { "id": "architect-review", "name": "architect-review", - "description": "Master software architect specializing in modern architecture", + "description": "Master software architect specializing in modern architecture patterns, clean architecture, microservices, event-driven systems, and DDD. Reviews system designs and code changes for architectural integrity, scalability, and maintainability. Use PROACTIVELY for architectural decisions.", "category": "architecture", "tags": [], "triggers": [ @@ -1063,7 +1063,14 @@ "review", "software", "specializing", - "architecture" + "architecture", + "clean", + "microservices", + "event", + "driven", + "ddd", + "reviews", + "designs" ], "path": "skills/architect-review/SKILL.md" }, @@ -4768,7 +4775,7 @@ { "id": "c-pro", "name": "c-pro", - "description": "Write efficient C code with proper memory management, pointer", + "description": "Write efficient C code with proper memory management, pointer arithmetic, and system calls. Handles embedded systems, kernel modules, and performance-critical code. Use PROACTIVELY for C optimization, memory issues, or system programming.", "category": "general", "tags": [ "c" @@ -4781,7 +4788,11 @@ "code", "proper", "memory", - "pointer" + "pointer", + "arithmetic", + "calls", + "embedded", + "kernel" ], "path": "skills/c-pro/SKILL.md" }, @@ -5783,8 +5794,8 @@ { "id": "code-reviewer", "name": "code-reviewer", - "description": "Elite code review expert specializing in modern AI-powered code", - "category": "data-ai", + "description": "Elite code review expert specializing in modern AI-powered code analysis, security vulnerabilities, performance optimization, and production reliability. Masters static analysis tools, security scanning, and configuration review with 2024/2025 best practices. Use PROACTIVELY for code quality assurance.", + "category": "security", "tags": [ "code" ], 
@@ -5795,7 +5806,12 @@ "review", "specializing", "ai", - "powered" + "powered", + "analysis", + "security", + "vulnerabilities", + "performance", + "optimization" ], "path": "skills/code-reviewer/SKILL.md" }, @@ -7669,11 +7685,22 @@ { "id": "design-orchestration", "name": "design-orchestration", - "description": ">", - "category": "workflow", + "description": "Orchestrates design workflows by routing work through brainstorming, multi-agent review, and execution readiness in the correct order. Prevents premature implementation, skipped validation, and unreviewed high-risk designs.", + "category": "security", "tags": [], "triggers": [ - "orchestration" + "orchestration", + "orchestrates", + "routing", + "work", + "through", + "brainstorming", + "multi", + "agent", + "review", + "execution", + "readiness", + "correct" ], "path": "skills/design-orchestration/SKILL.md" }, @@ -10536,8 +10563,8 @@ { "id": "haskell-pro", "name": "haskell-pro", - "description": "Expert Haskell engineer specializing in advanced type systems, pure", - "category": "general", + "description": "Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.", + "category": "architecture", "tags": [ "haskell" ], @@ -10547,7 +10574,13 @@ "engineer", "specializing", "type", - "pure" + "pure", + "functional", + "high", + "reliability", + "software", + "proactively", + "level" ], "path": "skills/haskell-pro/SKILL.md" }, 
@@ -13202,8 +13235,8 @@ { "id": "multi-agent-brainstorming", "name": "multi-agent-brainstorming", - "description": ">", - "category": "general", + "description": "Use this skill when a design or idea requires higher confidence, risk reduction, or formal review. This skill orchestrates a structured, sequential multi-agent design review where each agent has a strict, non-overlapping role. It prevents blind spots, false confidence, and premature convergence.", + "category": "security", "tags": [ "multi", "agent", @@ -13212,7 +13245,16 @@ "triggers": [ "multi", "agent", - "brainstorming" + "brainstorming", + "skill", + "idea", + "requires", + "higher", + "confidence", + "risk", + "reduction", + "formal", + "review" ], "path": "skills/multi-agent-brainstorming/SKILL.md" }, @@ -13411,6 +13453,58 @@ ], "path": "skills/neon-postgres/SKILL.md" }, + { + "id": "nerdzao-elite", + "name": "nerdzao-elite", + "description": "Senior Elite Software Engineer (15+) and Senior Product Designer. Full workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation.", + "category": "architecture", + "tags": [ + "nerdzao", + "elite" + ], + "triggers": [ + "nerdzao", + "elite", + "senior", + "software", + "engineer", + "15", + "product", + "designer", + "full", + "planning", + "architecture", + "tdd" + ], + "path": "skills/nerdzao-elite/SKILL.md" + }, + { + "id": "nerdzao-elite-gemini-high", + "name": "nerdzao-elite-gemini-high", + "description": "Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High. Workflow completo com foco em qualidade máxima e eficiência de tokens.", + "category": "workflow", + "tags": [ + "nerdzao", + "elite", + "gemini", + "high" + ], + "triggers": [ + "nerdzao", + "elite", + "gemini", + "high", + "modo", + "coder", + "ux", + "pixel", + "perfect", + "otimizado", + "especificamente", + "para" + ], + "path": "skills/nerdzao-elite-gemini-high/SKILL.md" + }, { "id": "nestjs-expert", "name": "nestjs-expert", 
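Review bot: `multi-agent-brainstorming` here and `design-orchestration` in the previous hunk both get `"category": "security"`, yet neither description mentions security: they route design work through brainstorming and review stages. The phrases "risk reduction" and "unreviewed high-risk designs" most likely tripped a keyword classifier; `workflow`, the category `design-orchestration` had before, fits both. In the new `nerdzao-elite` entry the trigger list contains the bare token `15`, scraped from "(15+)", and `nerdzao-elite-gemini-high` ends with the Portuguese function words `otimizado`, `especificamente`, `para`; the trigger generator should drop numerals and non-English stopwords. The two sibling skills also land in different categories (`architecture` vs `workflow`) for near-identical content; pick one and set it explicitly in their frontmatter.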
@@ -14312,7 +14406,7 @@ { "id": "performance-engineer", "name": "performance-engineer", - "description": "Expert performance engineer specializing in modern observability,", + "description": "Expert performance engineer specializing in modern observability, application optimization, and scalable system performance. Masters OpenTelemetry, distributed tracing, load testing, multi-tier caching, Core Web Vitals, and performance monitoring. Handles end-to-end optimization, real user monitoring, and scalability patterns. Use PROACTIVELY for performance optimization, observability, or scalability challenges.", "category": "infrastructure", "tags": [ "performance" @@ -14321,7 +14415,15 @@ "performance", "engineer", "specializing", - "observability" + "observability", + "application", + "optimization", + "scalable", + "masters", + "opentelemetry", + "distributed", + "tracing", + "load" ], "path": "skills/performance-engineer/SKILL.md" }, @@ -16254,7 +16356,7 @@ { "id": "search-specialist", "name": "search-specialist", - "description": "Expert web researcher using advanced search techniques and", + "description": "Expert web researcher using advanced search techniques and synthesis. Masters search operators, result filtering, and multi-source verification. Handles competitive analysis and fact-checking. Use PROACTIVELY for deep research, information gathering, or trend analysis.", "category": "general", "tags": [ "search" @@ -16263,7 +16365,15 @@ "search", "web", "researcher", - "techniques" + "techniques", + "synthesis", + "masters", + "operators", + "result", + "filtering", + "multi", + "source", + "verification" ], "path": "skills/search-specialist/SKILL.md" }, 
@@ -16453,6 +16563,119 @@ ], "path": "skills/security-scanning-security-sast/SKILL.md" }, + { + "id": "security/aws-compliance-checker", + "name": "aws-compliance-checker", + "description": "Automated compliance checking against CIS, PCI-DSS, HIPAA, and SOC 2 benchmarks", + "category": "security", + "tags": [ + "aws", + "compliance", + "audit", + "cis", + "pci-dss", + "hipaa", + "kiro-cli" + ], + "triggers": [ + "aws", + "compliance", + "audit", + "cis", + "pci-dss", + "hipaa", + "kiro-cli", + "checker", + "automated", + "checking", + "against", + "pci" + ], + "path": "skills/security/aws-compliance-checker/SKILL.md" + }, + { + "id": "security/aws-iam-best-practices", + "name": "aws-iam-best-practices", + "description": "IAM policy review, hardening, and least privilege implementation", + "category": "security", + "tags": [ + "aws", + "iam", + "security", + "access-control", + "kiro-cli", + "least-privilege" + ], + "triggers": [ + "aws", + "iam", + "security", + "access-control", + "kiro-cli", + "least-privilege", + "policy", + "review", + "hardening", + "least", + "privilege" + ], + "path": "skills/security/aws-iam-best-practices/SKILL.md" + }, + { + "id": "security/aws-secrets-rotation", + "name": "aws-secrets-rotation", + "description": "Automate AWS secrets rotation for RDS, API keys, and credentials", + "category": "security", + "tags": [ + "aws", + "secrets-manager", + "security", + "automation", + "kiro-cli", + "credentials" + ], + "triggers": [ + "aws", + "secrets-manager", + "security", + "automation", + "kiro-cli", + "credentials", + "secrets", + "rotation", + "automate", + "rds", + "api", + "keys" + ], + "path": "skills/security/aws-secrets-rotation/SKILL.md" + }, + { + "id": "security/aws-security-audit", + "name": "aws-security-audit", + "description": "Comprehensive AWS security posture assessment using AWS CLI and security best practices", + "category": "security", + "tags": [ + "aws", + "security", + "audit", + "compliance", + "kiro-cli", + 
"security-assessment" + ], + "triggers": [ + "aws", + "security", + "audit", + "compliance", + "kiro-cli", + "security-assessment", + "posture", + "assessment", + "cli" + ], + "path": "skills/security/aws-security-audit/SKILL.md" + }, { "id": "segment-automation", "name": "segment-automation", diff --git a/package.json b/package.json index 6ccc937a..01ae0ae0 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "antigravity-awesome-skills", - "version": "5.10.0", + "version": "6.0.0", "description": "883+ agentic skills for Claude Code, Gemini CLI, Cursor, Antigravity & more. Installer CLI.", "license": "MIT", "scripts": { diff --git a/skills/architect-review/SKILL.md b/skills/architect-review/SKILL.md index 1af17c57..2067f790 100644 --- a/skills/architect-review/SKILL.md +++ b/skills/architect-review/SKILL.md @@ -1,6 +1,6 @@ --- name: architect-review -description: "Master software architect specializing in modern architecture" +description: Master software architect specializing in modern architecture patterns, clean architecture, microservices, event-driven systems, and DDD. Reviews system designs and code changes for architectural integrity, scalability, and maintainability. Use PROACTIVELY for architectural decisions. diff --git a/skills/c-pro/SKILL.md b/skills/c-pro/SKILL.md index cf6c1547..eaeaa980 100644 --- a/skills/c-pro/SKILL.md +++ b/skills/c-pro/SKILL.md @@ -1,6 +1,6 @@ --- name: c-pro -description: "Write efficient C code with proper memory management, pointer" +description: Write efficient C code with proper memory management, pointer arithmetic, and system calls. Handles embedded systems, kernel modules, and performance-critical code. Use PROACTIVELY for C optimization, memory issues, or system programming. diff --git a/skills/code-reviewer/SKILL.md b/skills/code-reviewer/SKILL.md index 3c65fad7..335740f8 100644 --- a/skills/code-reviewer/SKILL.md +++ b/skills/code-reviewer/SKILL.md 
@@ -1,6 +1,6 @@ --- name: code-reviewer -description: "Elite code review expert specializing in modern AI-powered code" +description: Elite code review expert specializing in modern AI-powered code analysis, security vulnerabilities, performance optimization, and production reliability. Masters static analysis tools, security scanning, and configuration review with 2024/2025 best practices. Use PROACTIVELY for code diff --git a/skills/design-orchestration/SKILL.md b/skills/design-orchestration/SKILL.md index cf7104db..f41b654a 100644 --- a/skills/design-orchestration/SKILL.md +++ b/skills/design-orchestration/SKILL.md @@ -1,6 +1,6 @@ --- name: design-orchestration -description: ">" +description: Orchestrates design workflows by routing work through brainstorming, multi-agent review, and execution readiness in the correct order. Prevents premature implementation, diff --git a/skills/haskell-pro/SKILL.md b/skills/haskell-pro/SKILL.md index 648aeeec..f29160b1 100644 --- a/skills/haskell-pro/SKILL.md +++ b/skills/haskell-pro/SKILL.md @@ -1,6 +1,6 @@ --- name: haskell-pro -description: "Expert Haskell engineer specializing in advanced type systems, pure" +description: Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance. metadata: diff --git a/skills/multi-agent-brainstorming/SKILL.md b/skills/multi-agent-brainstorming/SKILL.md index aa8a3de2..bb4b173b 100644 --- a/skills/multi-agent-brainstorming/SKILL.md +++ b/skills/multi-agent-brainstorming/SKILL.md @@ -1,6 +1,6 @@ --- name: multi-agent-brainstorming -description: ">" +description: Use this skill when a design or idea requires higher confidence, risk reduction, or formal review. This skill orchestrates a structured, sequential multi-agent design review where each agent 
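Review bot: the frontmatter fix swaps a quoted, truncated description for an unquoted plain scalar, which stays valid YAML only as long as the text never contains `: ` or ` #`; the original breakage came from a multi-line description being cut to its first line, so the robust fix is to keep the double quotes around the complete single-line text (or use a `>-` folded block) rather than drop them. Also, in this view the new `code-reviewer` line ends at "Use PROACTIVELY for code", `design-orchestration` at "Prevents premature implementation," and `multi-agent-brainstorming` at "where each agent", while `data/catalog.json` in the same PR carries the complete sentences; confirm the SKILL.md files hold the full text and that the validator mentioned in the changelog actually parses them.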
diff --git a/skills/nerdzao-elite-gemini-high/SKILL.md b/skills/nerdzao-elite-gemini-high/SKILL.md new file mode 100644 index 00000000..e05013b6 --- /dev/null +++ b/skills/nerdzao-elite-gemini-high/SKILL.md 
@@ -0,0 +1,50 @@ +--- +name: nerdzao-elite-gemini-high +description: "Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High. Workflow completo com foco em qualidade máxima e eficiência de tokens." +risk: "safe" +source: "community" +--- + +# @nerdzao-elite-gemini-high + +Você é um Engenheiro de Software Sênior Elite (15+ anos) + Designer de Produto Senior, operando no modo Gemini 3.1 Pro (High). + +Ative automaticamente este workflow completo em TODA tarefa: + +1. **Planejamento ultra-rápido** + @concise-planning + @brainstorming + +2. **Arquitetura sólida** + @senior-architect + @architecture + +3. **Implementação TDD** + @test-driven-development + @testing-patterns + +4. **Código produção-grade** + @refactor-clean-code + @clean-code + +5. **Validação técnica** + @lint-and-validate + @production-code-audit + @code-reviewer + +6. **Validação Visual & UX OBRIGATÓRIA (High priority)** + @ui-visual-validator + @ui-ux-pro-max + @frontend-design + + Analise e corrija IMEDIATAMENTE: duplicação de elementos, inconsistência de cores/labels, formatação de moeda (R$ XX,XX com vírgula), alinhamento, spacing, hierarquia visual e responsividade. + Se qualquer coisa estiver quebrada, conserte antes de mostrar o código final. + +7. **Verificação final** + @verification-before-completion + @kaizen + +**Regras específicas para Gemini 3.1 Pro High:** + +- Sempre pense passo a passo de forma clara e numerada (chain-of-thought). +- Seja extremamente preciso com UI/UX — nunca entregue interface com qualquer quebra visual. +- Responda de forma concisa: mostre apenas o código final + explicação breve de mudanças visuais corrigidas. +- Nunca adicione comentários ou texto longo desnecessário. +- Priorize: pixel-perfect + código limpo + performance + segurança. + +Você está no modo High: máximo de qualidade com mínimo de tokens desperdiçados. 
+ +## When to Use + +Use when you need maximum quality output with Gemini 3.1 Pro High, pixel-perfect UI, and token-efficient workflow. diff --git a/skills/nerdzao-elite/SKILL.md b/skills/nerdzao-elite/SKILL.md new file mode 100644 index 00000000..b3b02d28 --- /dev/null +++ b/skills/nerdzao-elite/SKILL.md @@ -0,0 +1,31 @@ +--- +name: nerdzao-elite +description: "Senior Elite Software Engineer (15+) and Senior Product Designer. Full workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation." +risk: safe +source: community +--- + +# @nerdzao-elite + +Você é um Engenheiro de Software Sênior Elite (15+ anos) + Designer de Produto Senior. + +Ative automaticamente TODAS as skills abaixo em toda tarefa: + +@concise-planning @brainstorming @senior-architect @architecture @test-driven-development @testing-patterns @refactor-clean-code @clean-code @lint-and-validate @ui-visual-validator @ui-ux-pro-max @frontend-design @web-design-guidelines @production-code-audit @code-reviewer @systematic-debugging @error-handling-patterns @kaizen @verification-before-completion + +Workflow obrigatório (sempre na ordem): + +1. Planejamento (@concise-planning + @brainstorming) +2. Arquitetura sólida +3. Implementação com TDD completo +4. Código limpo +5. Validação técnica +6. Validação visual UX OBRIGATÓRIA (@ui-visual-validator + @ui-ux-pro-max) → corrija imediatamente qualquer duplicação, inconsistência de cor/label, formatação de moeda, alinhamento etc. +7. Revisão de produção +8. Verificação final + +Nunca entregue UI quebrada. Priorize sempre pixel-perfect + produção-grade. + +## When to Use + +Use when you need a full senior engineering workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation in Portuguese (Brazil). diff --git a/skills/performance-engineer/SKILL.md b/skills/performance-engineer/SKILL.md index e67e5399..a463deec 100644 --- a/skills/performance-engineer/SKILL.md +++ b/skills/performance-engineer/SKILL.md 
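Review bot: the frontmatter in `skills/nerdzao-elite-gemini-high/SKILL.md` declares no `category` or `tags`, so the catalog entry falls back to `workflow` with tags scraped from the name, while the sibling `nerdzao-elite` (also without them) lands in `architecture`; add explicit `category`/`tags` to both, in the shape the `security/aws-*` skills in this PR use. The body hard-codes pt-BR conventions ("formatação de moeda (R$ XX,XX com vírgula)") and a specific model ("Gemini 3.1 Pro High") into what `## When to Use` presents as a general workflow; state there that it targets Brazilian-Portuguese UI work so other users do not get R$ formatting enforced, and keep the body in English or add an English translation to match the rest of the repository. Minor: `risk: "safe"` is quoted here and bare in the sibling file; pick one form.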
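Review bot: `skills/nerdzao-elite/SKILL.md` tells the agent to activate all nineteen `@`-referenced skills on every task (`@concise-planning ... @verification-before-completion`), but nothing in this PR checks that those ids resolve; since the changelog says validation was added for this skill, extend it to verify that each `@name` exists in `data/catalog.json` or `data/aliases.json`, otherwise a renamed skill silently drops a step such as `@production-code-audit` or `@code-reviewer` from the "mandatory" chain. Forcing nearly twenty skills into context on every request also deserves a sentence in `## When to Use` about the context cost, and the Portuguese body should carry an English version as the `## When to Use` section already does.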
@@ -1,6 +1,6 @@ --- name: performance-engineer -description: "Expert performance engineer specializing in modern observability," +description: Expert performance engineer specializing in modern observability, application optimization, and scalable system performance. Masters OpenTelemetry, distributed tracing, load testing, multi-tier caching, Core Web Vitals, and performance monitoring. Handles end-to-end optimization, real user diff --git a/skills/search-specialist/SKILL.md b/skills/search-specialist/SKILL.md index c9844e62..75dbee62 100644 --- a/skills/search-specialist/SKILL.md +++ b/skills/search-specialist/SKILL.md @@ -1,6 +1,6 @@ --- name: search-specialist -description: "Expert web researcher using advanced search techniques and" +description: Expert web researcher using advanced search techniques and synthesis. Masters search operators, result filtering, and multi-source verification. Handles competitive analysis and fact-checking. Use PROACTIVELY for deep research, information gathering, or trend analysis. diff --git a/skills/security/aws-compliance-checker/SKILL.md b/skills/security/aws-compliance-checker/SKILL.md new file mode 100644 index 00000000..b15bea11 --- /dev/null +++ b/skills/security/aws-compliance-checker/SKILL.md 
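Review bot: the `performance-engineer` description in this hunk ends at "real user", mid-sentence, while `data/catalog.json` in the same PR carries the full text ending "or scalability challenges."; confirm the SKILL.md line is complete, and prefer keeping the string double-quoted so a later `: ` in the text does not reintroduce the invalid-YAML warning this PR is fixing.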
@@ -0,0 +1,516 @@ +--- +name: aws-compliance-checker +description: Automated compliance checking against CIS, PCI-DSS, HIPAA, and SOC 2 benchmarks +risk: safe +source: community +category: security +tags: [aws, compliance, audit, cis, pci-dss, hipaa, kiro-cli] +--- + +# AWS Compliance Checker + +Automated compliance validation against industry standards including CIS AWS Foundations, PCI-DSS, HIPAA, and SOC 2. + +## When to Use + +Use this skill when you need to validate AWS compliance against industry standards, prepare for audits, or maintain continuous compliance monitoring. + +## Supported Frameworks + +**CIS AWS Foundations Benchmark** +- Identity and Access Management +- Logging and Monitoring +- Networking +- Data Protection + +**PCI-DSS (Payment Card Industry)** +- Network security +- Access controls +- Encryption +- Monitoring and logging + +**HIPAA (Healthcare)** +- Access controls +- Audit controls +- Data encryption +- Transmission security + +**SOC 2** +- Security +- Availability +- Confidentiality +- Privacy + +## CIS AWS Foundations Checks + +### Identity & Access Management (1.x) + +```bash +#!/bin/bash +# cis-iam-checks.sh + +echo "=== CIS IAM Compliance Checks ===" + +# 1.1: Root account usage +echo "1.1: Checking root account usage..." +root_usage=$(aws iam get-credential-report --output text | \ + awk -F, 'NR==2 {print $5,$11}') +echo " Root password last used: $root_usage" + +# 1.2: MFA on root account +echo "1.2: Checking root MFA..." +root_mfa=$(aws iam get-account-summary \ + --query 'SummaryMap.AccountMFAEnabled' --output text) +echo " Root MFA enabled: $root_mfa" + +# 1.3: Unused credentials +echo "1.3: Checking for unused credentials (>90 days)..." 
+aws iam get-credential-report --output text | \ + awk -F, 'NR>1 { + if ($5 != "N/A" && $5 != "no_information") { + cmd = "date -d \"" $5 "\" +%s" + cmd | getline last_used + close(cmd) + now = systime() + days = (now - last_used) / 86400 + if (days > 90) print " ⚠️ " $1 ": " int(days) " days inactive" + } + }' + +# 1.4: Access keys rotated +echo "1.4: Checking access key age..." +aws iam list-users --query 'Users[*].UserName' --output text | \ +while read user; do + aws iam list-access-keys --user-name "$user" \ + --query 'AccessKeyMetadata[*].[AccessKeyId,CreateDate]' \ + --output text | \ + while read key_id create_date; do + age_days=$(( ($(date +%s) - $(date -d "$create_date" +%s)) / 86400 )) + if [ $age_days -gt 90 ]; then + echo " ⚠️ $user: Key $key_id is $age_days days old" + fi + done +done + +# 1.5-1.11: Password policy +echo "1.5-1.11: Checking password policy..." +policy=$(aws iam get-account-password-policy 2>&1) +if echo "$policy" | grep -q "NoSuchEntity"; then + echo " ❌ No password policy configured" +else + echo " ✓ Password policy exists" + echo "$policy" | jq '.PasswordPolicy | { + MinimumPasswordLength, + RequireSymbols, + RequireNumbers, + RequireUppercaseCharacters, + RequireLowercaseCharacters, + MaxPasswordAge, + PasswordReusePrevention + }' +fi + +# 1.12-1.14: MFA for IAM users +echo "1.12-1.14: Checking IAM user MFA..." +aws iam get-credential-report --output text | \ + awk -F, 'NR>1 && $4=="false" {print " ⚠️ " $1 ": No MFA"}' +``` + +### Logging (2.x) + +```bash +#!/bin/bash +# cis-logging-checks.sh + +echo "=== CIS Logging Compliance Checks ===" + +# 2.1: CloudTrail enabled +echo "2.1: Checking CloudTrail..." 
+trails=$(aws cloudtrail describe-trails \ + --query 'trailList[*].[Name,IsMultiRegionTrail,LogFileValidationEnabled]' \ + --output text) + +if [ -z "$trails" ]; then + echo " ❌ No CloudTrail configured" +else + echo "$trails" | while read name multi_region validation; do + echo " Trail: $name" + echo " Multi-region: $multi_region" + echo " Log validation: $validation" + + # Check if logging + status=$(aws cloudtrail get-trail-status --name "$name" \ + --query 'IsLogging' --output text) + echo " Is logging: $status" + done +fi + +# 2.2: CloudTrail log file validation +echo "2.2: Checking log file validation..." +aws cloudtrail describe-trails \ + --query 'trailList[?LogFileValidationEnabled==`false`].Name' \ + --output text | \ +while read trail; do + echo " ⚠️ $trail: Log validation disabled" +done + +# 2.3: S3 bucket for CloudTrail +echo "2.3: Checking CloudTrail S3 bucket access..." +aws cloudtrail describe-trails \ + --query 'trailList[*].S3BucketName' --output text | \ +while read bucket; do + public=$(aws s3api get-bucket-acl --bucket "$bucket" 2>&1 | \ + grep -c "AllUsers") + if [ "$public" -gt 0 ]; then + echo " ❌ $bucket: Publicly accessible" + else + echo " ✓ $bucket: Not public" + fi +done + +# 2.4: CloudTrail integrated with CloudWatch Logs +echo "2.4: Checking CloudWatch Logs integration..." +aws cloudtrail describe-trails \ + --query 'trailList[*].[Name,CloudWatchLogsLogGroupArn]' \ + --output text | \ +while read name log_group; do + if [ "$log_group" = "None" ]; then + echo " ⚠️ $name: Not integrated with CloudWatch Logs" + else + echo " ✓ $name: Integrated with CloudWatch" + fi +done + +# 2.5: AWS Config enabled +echo "2.5: Checking AWS Config..." 
+recorders=$(aws configservice describe-configuration-recorders \ + --query 'ConfigurationRecorders[*].name' --output text) + +if [ -z "$recorders" ]; then + echo " ❌ AWS Config not enabled" +else + echo " ✓ AWS Config enabled: $recorders" +fi + +# 2.6: S3 bucket logging +echo "2.6: Checking S3 bucket logging..." +aws s3api list-buckets --query 'Buckets[*].Name' --output text | \ +while read bucket; do + logging=$(aws s3api get-bucket-logging --bucket "$bucket" 2>&1) + if ! echo "$logging" | grep -q "LoggingEnabled"; then + echo " ⚠️ $bucket: Access logging disabled" + fi +done + +# 2.7: VPC Flow Logs +echo "2.7: Checking VPC Flow Logs..." +aws ec2 describe-vpcs --query 'Vpcs[*].VpcId' --output text | \ +while read vpc; do + flow_logs=$(aws ec2 describe-flow-logs \ + --filter "Name=resource-id,Values=$vpc" \ + --query 'FlowLogs[*].FlowLogId' --output text) + if [ -z "$flow_logs" ]; then + echo " ⚠️ $vpc: No flow logs enabled" + else + echo " ✓ $vpc: Flow logs enabled" + fi +done +``` + +### Monitoring (3.x) + +```bash +#!/bin/bash +# cis-monitoring-checks.sh + +echo "=== CIS Monitoring Compliance Checks ===" + +# Check for required CloudWatch metric filters and alarms +required_filters=( + "unauthorized-api-calls" + "no-mfa-console-signin" + "root-usage" + "iam-changes" + "cloudtrail-changes" + "console-signin-failures" + "cmk-changes" + "s3-bucket-policy-changes" + "aws-config-changes" + "security-group-changes" + "nacl-changes" + "network-gateway-changes" + "route-table-changes" + "vpc-changes" +) + +log_group=$(aws cloudtrail describe-trails \ + --query 'trailList[0].CloudWatchLogsLogGroupArn' \ + --output text | cut -d: -f7) + +if [ -z "$log_group" ] || [ "$log_group" = "None" ]; then + echo " ❌ CloudTrail not integrated with CloudWatch Logs" +else + echo "Checking metric filters for log group: $log_group" + + existing_filters=$(aws logs describe-metric-filters \ + --log-group-name "$log_group" \ + --query 'metricFilters[*].filterName' --output text) + + for 
filter in "${required_filters[@]}"; do + if echo "$existing_filters" | grep -q "$filter"; then + echo " ✓ $filter: Configured" + else + echo " ⚠️ $filter: Missing" + fi + done +fi +``` + +### Networking (4.x) + +```bash +#!/bin/bash +# cis-networking-checks.sh + +echo "=== CIS Networking Compliance Checks ===" + +# 4.1: No security groups allow 0.0.0.0/0 ingress to port 22 +echo "4.1: Checking SSH access (port 22)..." +aws ec2 describe-security-groups \ + --query 'SecurityGroups[*].[GroupId,GroupName,IpPermissions]' \ + --output json | \ +jq -r '.[] | select(.[2][]? | + select(.FromPort == 22 and .IpRanges[]?.CidrIp == "0.0.0.0/0")) | + " ⚠️ \(.[0]): \(.[1]) allows SSH from 0.0.0.0/0"' + +# 4.2: No security groups allow 0.0.0.0/0 ingress to port 3389 +echo "4.2: Checking RDP access (port 3389)..." +aws ec2 describe-security-groups \ + --query 'SecurityGroups[*].[GroupId,GroupName,IpPermissions]' \ + --output json | \ +jq -r '.[] | select(.[2][]? | + select(.FromPort == 3389 and .IpRanges[]?.CidrIp == "0.0.0.0/0")) | + " ⚠️ \(.[0]): \(.[1]) allows RDP from 0.0.0.0/0"' + +# 4.3: Default security group restricts all traffic +echo "4.3: Checking default security groups..." 
+aws ec2 describe-security-groups \ + --filters Name=group-name,Values=default \ + --query 'SecurityGroups[*].[GroupId,IpPermissions,IpPermissionsEgress]' \ + --output json | \ +jq -r '.[] | select((.[1] | length) > 0 or (.[2] | length) > 1) | + " ⚠️ \(.[0]): Default SG has rules"' +``` + +## PCI-DSS Compliance Checks + +```python +#!/usr/bin/env python3 +# pci-dss-checker.py + +import boto3 + +def check_pci_compliance(): + """Check PCI-DSS requirements""" + + ec2 = boto3.client('ec2') + rds = boto3.client('rds') + s3 = boto3.client('s3') + + issues = [] + + # Requirement 1: Network security + sgs = ec2.describe_security_groups() + for sg in sgs['SecurityGroups']: + for perm in sg.get('IpPermissions', []): + for ip_range in perm.get('IpRanges', []): + if ip_range.get('CidrIp') == '0.0.0.0/0': + issues.append(f"PCI 1.2: {sg['GroupId']} open to internet") + + # Requirement 2: Secure configurations + # Check for default passwords, etc. + + # Requirement 3: Protect cardholder data + volumes = ec2.describe_volumes() + for vol in volumes['Volumes']: + if not vol['Encrypted']: + issues.append(f"PCI 3.4: Volume {vol['VolumeId']} not encrypted") + + # Requirement 4: Encrypt transmission + # Check for SSL/TLS on load balancers + + # Requirement 8: Access controls + iam = boto3.client('iam') + users = iam.list_users() + for user in users['Users']: + mfa = iam.list_mfa_devices(UserName=user['UserName']) + if not mfa['MFADevices']: + issues.append(f"PCI 8.3: {user['UserName']} no MFA") + + # Requirement 10: Logging + cloudtrail = boto3.client('cloudtrail') + trails = cloudtrail.describe_trails() + if not trails['trailList']: + issues.append("PCI 10.1: No CloudTrail enabled") + + return issues + +if __name__ == "__main__": + print("PCI-DSS Compliance Check") + print("=" * 50) + + issues = check_pci_compliance() + + if not issues: + print("✓ No PCI-DSS issues found") + else: + print(f"Found {len(issues)} issues:\n") + for issue in issues: + print(f" ⚠️ {issue}") +``` + +## HIPAA 
Compliance Checks + +```bash +#!/bin/bash +# hipaa-checker.sh + +echo "=== HIPAA Compliance Checks ===" + +# Access Controls (164.308(a)(3)) +echo "Access Controls:" +aws iam get-credential-report --output text | \ + awk -F, 'NR>1 && $4=="false" {print " ⚠️ " $1 ": No MFA (164.312(a)(2)(i))"}' + +# Audit Controls (164.312(b)) +echo "" +echo "Audit Controls:" +trails=$(aws cloudtrail describe-trails --query 'trailList[*].Name' --output text) +if [ -z "$trails" ]; then + echo " ❌ No CloudTrail (164.312(b))" +else + echo " ✓ CloudTrail enabled" +fi + +# Encryption (164.312(a)(2)(iv)) +echo "" +echo "Encryption at Rest:" +aws ec2 describe-volumes \ + --query 'Volumes[?Encrypted==`false`].VolumeId' \ + --output text | \ +while read vol; do + echo " ⚠️ $vol: Not encrypted (164.312(a)(2)(iv))" +done + +aws rds describe-db-instances \ + --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' \ + --output text | \ +while read db; do + echo " ⚠️ $db: Not encrypted (164.312(a)(2)(iv))" +done + +# Transmission Security (164.312(e)(1)) +echo "" +echo "Transmission Security:" +echo " Check: All data in transit uses TLS 1.2+" +``` + +## Automated Compliance Reporting + +```python +#!/usr/bin/env python3 +# compliance-report.py + +import boto3 +import json +from datetime import datetime + +def generate_compliance_report(framework='cis'): + """Generate comprehensive compliance report""" + + report = { + 'framework': framework, + 'generated': datetime.now().isoformat(), + 'checks': [], + 'summary': { + 'total': 0, + 'passed': 0, + 'failed': 0, + 'score': 0 + } + } + + # Run all checks based on framework + if framework == 'cis': + checks = run_cis_checks() + elif framework == 'pci': + checks = run_pci_checks() + elif framework == 'hipaa': + checks = run_hipaa_checks() + + report['checks'] = checks + report['summary']['total'] = len(checks) + report['summary']['passed'] = sum(1 for c in checks if c['status'] == 'PASS') + report['summary']['failed'] = 
report['summary']['total'] - report['summary']['passed'] + report['summary']['score'] = (report['summary']['passed'] / report['summary']['total']) * 100 + + return report + +def run_cis_checks(): + # Implement CIS checks + return [] + +def run_pci_checks(): + # Implement PCI checks + return [] + +def run_hipaa_checks(): + # Implement HIPAA checks + return [] + +if __name__ == "__main__": + import sys + framework = sys.argv[1] if len(sys.argv) > 1 else 'cis' + + report = generate_compliance_report(framework) + + print(f"\n{framework.upper()} Compliance Report") + print("=" * 50) + print(f"Score: {report['summary']['score']:.1f}%") + print(f"Passed: {report['summary']['passed']}/{report['summary']['total']}") + print(f"Failed: {report['summary']['failed']}/{report['summary']['total']}") + + # Save to file + with open(f'compliance-{framework}-{datetime.now().strftime("%Y%m%d")}.json', 'w') as f: + json.dump(report, f, indent=2) +``` + +## Example Prompts + +- "Run CIS AWS Foundations compliance check" +- "Generate a PCI-DSS compliance report" +- "Check HIPAA compliance for my AWS account" +- "Audit against SOC 2 requirements" +- "Create a compliance dashboard" + +## Best Practices + +- Run compliance checks weekly +- Automate with Lambda/EventBridge +- Track compliance trends over time +- Document exceptions with justification +- Integrate with AWS Security Hub +- Use AWS Config Rules for continuous monitoring + +## Kiro CLI Integration + +```bash +kiro-cli chat "Use aws-compliance-checker to run CIS benchmark" +kiro-cli chat "Generate PCI-DSS report with aws-compliance-checker" +``` + +## Additional Resources + +- [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services) +- [AWS Security Hub](https://aws.amazon.com/security-hub/) +- [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/) 
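Review bot: the credential-report checks in cis-iam-checks.sh (1.3 and 1.12-1.14) and in hipaa-checker.sh never see the CSV: `aws iam get-credential-report --output text` prints the base64 `Content` field together with the timestamp and format, so `awk -F,` is splitting a base64 string. Decode it first (`aws iam get-credential-report --query Content --output text | base64 -d`, after `aws iam generate-credential-report`), and check the column positions: field 4 of the report is `password_enabled` and `mfa_active` is field 8, so `$4=="false"` flags users whose console password is disabled rather than users without MFA. Separately, compliance-report.py computes `report['summary']['score']` as `passed / total * 100` while all three `run_*_checks()` stubs return `[]`, so it raises ZeroDivisionError on every run, and an unrecognised `framework` value leaves `checks` undefined; guard `total == 0` and reject unknown frameworks before dividing. The port-22/3389 jq filters in cis-networking-checks.sh only match rules whose `FromPort` is exactly 22 or 3389 and only IPv4 `0.0.0.0/0`; a 0-65535 rule or `::/0` in `Ipv6Ranges` passes silently.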
diff --git a/skills/security/aws-iam-best-practices/SKILL.md b/skills/security/aws-iam-best-practices/SKILL.md new file mode 100644 index 00000000..381c8fa0 --- /dev/null +++ b/skills/security/aws-iam-best-practices/SKILL.md 
@@ -0,0 +1,397 @@ +--- +name: aws-iam-best-practices +description: IAM policy review, hardening, and least privilege implementation +risk: safe +source: community +category: security +tags: [aws, iam, security, access-control, kiro-cli, least-privilege] +--- + +# AWS IAM Best Practices + +Review and harden IAM policies following AWS security best practices and least privilege principles. + +## When to Use + +Use this skill when you need to review IAM policies, implement least privilege access, or harden IAM security. + +## Core Principles + +**Least Privilege** +- Grant minimum permissions needed +- Use managed policies when possible +- Avoid wildcard (*) permissions +- Regular access reviews + +**Defense in Depth** +- Enable MFA for all users +- Use IAM roles instead of access keys +- Implement service control policies (SCPs) +- Enable CloudTrail for audit + +**Separation of Duties** +- Separate admin and user roles +- Use different roles for different environments +- Implement approval workflows +- Regular permission audits + +## IAM Security Checks + +### Find Overly Permissive Policies + +```bash +# List policies with full admin access +aws iam list-policies --scope Local \ + --query 'Policies[*].[PolicyName,Arn]' --output table | \ + grep -i admin + +# Find policies with wildcard actions +aws iam list-policies --scope Local --query 'Policies[*].Arn' --output text | \ +while read arn; do + version=$(aws iam get-policy --policy-arn "$arn" \ + --query 'Policy.DefaultVersionId' --output text) + doc=$(aws iam get-policy-version --policy-arn "$arn" \ + --version-id "$version" --query 'PolicyVersion.Document') + if echo "$doc" | grep -q '"Action": "\*"'; then + echo "Wildcard action in: $arn" + fi +done + +# Find inline policies (should use managed policies) +aws iam list-users --query 'Users[*].UserName' --output text | \ +while read user; do + policies=$(aws iam list-user-policies --user-name "$user" \ + --query 'PolicyNames' --output text) + if [ -n "$policies" ]; 
then + echo "Inline policies on user $user: $policies" + fi +done +``` + +### MFA Enforcement + +```bash +# List users without MFA +aws iam get-credential-report --output text | \ + awk -F, 'NR>1 && $4=="false" {print $1}' + +# Check if MFA is required in policies +aws iam list-policies --scope Local --query 'Policies[*].Arn' --output text | \ +while read arn; do + version=$(aws iam get-policy --policy-arn "$arn" \ + --query 'Policy.DefaultVersionId' --output text) + doc=$(aws iam get-policy-version --policy-arn "$arn" \ + --version-id "$version" --query 'PolicyVersion.Document') + if echo "$doc" | grep -q "aws:MultiFactorAuthPresent"; then + echo "MFA enforced in: $arn" + fi +done + +# Enable MFA for a user (returns QR code) +aws iam create-virtual-mfa-device \ + --virtual-mfa-device-name user-mfa \ + --outfile /tmp/qr.png \ + --bootstrap-method QRCodePNG +``` + +### Access Key Management + +```bash +# Find old access keys (>90 days) +aws iam list-users --query 'Users[*].UserName' --output text | \ +while read user; do + aws iam list-access-keys --user-name "$user" \ + --query 'AccessKeyMetadata[*].[AccessKeyId,CreateDate,Status]' \ + --output text | \ + while read key_id create_date status; do + age_days=$(( ($(date +%s) - $(date -d "$create_date" +%s)) / 86400 )) + if [ $age_days -gt 90 ]; then + echo "$user: Key $key_id is $age_days days old" + fi + done +done + +# Rotate access key +OLD_KEY="AKIAIOSFODNN7EXAMPLE" +USER="myuser" + +# Create new key +NEW_KEY=$(aws iam create-access-key --user-name "$USER") +echo "New key created. 
Update applications, then run:" +echo "aws iam delete-access-key --user-name $USER --access-key-id $OLD_KEY" + +# Deactivate old key (test first) +aws iam update-access-key \ + --user-name "$USER" \ + --access-key-id "$OLD_KEY" \ + --status Inactive +``` + +### Role and Policy Analysis + +```bash +# List unused roles (no activity in 90 days) +aws iam list-roles --query 'Roles[*].[RoleName,RoleLastUsed.LastUsedDate]' \ + --output text | \ +while read role last_used; do + if [ "$last_used" = "None" ]; then + echo "Never used: $role" + fi +done + +# Find roles with trust relationships to external accounts +aws iam list-roles --query 'Roles[*].RoleName' --output text | \ +while read role; do + trust=$(aws iam get-role --role-name "$role" \ + --query 'Role.AssumeRolePolicyDocument') + if echo "$trust" | grep -q '"AWS":'; then + echo "External trust: $role" + fi +done + +# Analyze policy permissions +aws iam simulate-principal-policy \ + --policy-source-arn arn:aws:iam::123456789012:user/myuser \ + --action-names s3:GetObject s3:PutObject \ + --resource-arns arn:aws:s3:::mybucket/* +``` + +## IAM Policy Templates + +### Least Privilege S3 Access + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:PutObject" + ], + "Resource": "arn:aws:s3:::my-bucket/user-data/${aws:username}/*" + }, + { + "Effect": "Allow", + "Action": "s3:ListBucket", + "Resource": "arn:aws:s3:::my-bucket", + "Condition": { + "StringLike": { + "s3:prefix": "user-data/${aws:username}/*" + } + } + } + ] +} +``` + +### MFA-Required Policy + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Deny", + "Action": "*", + "Resource": "*", + "Condition": { + "BoolIfExists": { + "aws:MultiFactorAuthPresent": "false" + } + } + } + ] +} +``` + +### Time-Based Access + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "ec2:*", + "Resource": "*", + "Condition": { + "DateGreaterThan": { 
+ "aws:CurrentTime": "2026-01-01T00:00:00Z" + }, + "DateLessThan": { + "aws:CurrentTime": "2026-12-31T23:59:59Z" + } + } + } + ] +} +``` + +### IP-Restricted Access + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Deny", + "Action": "*", + "Resource": "*", + "Condition": { + "NotIpAddress": { + "aws:SourceIp": [ + "203.0.113.0/24", + "198.51.100.0/24" + ] + } + } + } + ] +} +``` + +## IAM Hardening Checklist + +**User Management** +- [ ] Enable MFA for all users +- [ ] Remove unused IAM users +- [ ] Rotate access keys every 90 days +- [ ] Use IAM roles instead of long-term credentials +- [ ] Implement password policy (length, complexity, rotation) + +**Policy Management** +- [ ] Replace inline policies with managed policies +- [ ] Remove wildcard (*) permissions +- [ ] Implement least privilege +- [ ] Use policy conditions (MFA, IP, time) +- [ ] Regular policy reviews + +**Role Management** +- [ ] Use roles for EC2 instances +- [ ] Implement cross-account roles properly +- [ ] Review trust relationships +- [ ] Remove unused roles +- [ ] Use session tags for fine-grained access + +**Monitoring** +- [ ] Enable CloudTrail for IAM events +- [ ] Set up CloudWatch alarms for IAM changes +- [ ] Use AWS IAM Access Analyzer +- [ ] Regular access reviews +- [ ] Monitor for privilege escalation + +## Automated IAM Hardening + +```python +#!/usr/bin/env python3 +# iam-hardening.py + +import boto3 +from datetime import datetime, timedelta + +iam = boto3.client('iam') + +def enforce_mfa(): + """Identify users without MFA""" + users = iam.list_users()['Users'] + no_mfa = [] + + for user in users: + mfa_devices = iam.list_mfa_devices( + UserName=user['UserName'] + )['MFADevices'] + + if not mfa_devices: + no_mfa.append(user['UserName']) + + return no_mfa + +def rotate_old_keys(): + """Find access keys older than 90 days""" + users = iam.list_users()['Users'] + old_keys = [] + + for user in users: + keys = iam.list_access_keys( + UserName=user['UserName'] 
+ )['AccessKeyMetadata'] + + for key in keys: + age = datetime.now(key['CreateDate'].tzinfo) - key['CreateDate'] + if age.days > 90: + old_keys.append({ + 'user': user['UserName'], + 'key_id': key['AccessKeyId'], + 'age_days': age.days + }) + + return old_keys + +def find_overpermissive_policies(): + """Find policies with wildcard actions""" + policies = iam.list_policies(Scope='Local')['Policies'] + overpermissive = [] + + for policy in policies: + version = iam.get_policy_version( + PolicyArn=policy['Arn'], + VersionId=policy['DefaultVersionId'] + ) + + doc = version['PolicyVersion']['Document'] + for statement in doc.get('Statement', []): + if statement.get('Action') == '*': + overpermissive.append(policy['PolicyName']) + break + + return overpermissive + +if __name__ == "__main__": + print("IAM Hardening Report") + print("=" * 50) + + print("\nUsers without MFA:") + for user in enforce_mfa(): + print(f" - {user}") + + print("\nOld access keys (>90 days):") + for key in rotate_old_keys(): + print(f" - {key['user']}: {key['age_days']} days") + + print("\nOverpermissive policies:") + for policy in find_overpermissive_policies(): + print(f" - {policy}") +``` + +## Example Prompts + +- "Review my IAM policies for security issues" +- "Find users without MFA enabled" +- "Create a least privilege policy for S3 access" +- "Identify overly permissive IAM roles" +- "Generate an IAM hardening report" + +## Best Practices + +- Use AWS managed policies when possible +- Implement policy versioning +- Test policies in non-production first +- Document policy purposes +- Regular access reviews (quarterly) +- Use IAM Access Analyzer +- Implement SCPs for organization-wide controls + +## Kiro CLI Integration + +```bash +kiro-cli chat "Use aws-iam-best-practices to review my IAM setup" +kiro-cli chat "Create a least privilege policy with aws-iam-best-practices" +``` + +## Additional Resources + +- [IAM Best 
Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) +- [IAM Policy Simulator](https://policysim.aws.amazon.com/) +- [IAM Access Analyzer](https://aws.amazon.com/iam/features/analyze-access/) diff --git a/skills/security/aws-secrets-rotation/SKILL.md b/skills/security/aws-secrets-rotation/SKILL.md new file mode 100644 index 00000000..663dfb73 --- /dev/null +++ b/skills/security/aws-secrets-rotation/SKILL.md 
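Review bot: the access-key rotation block under "Access Key Management" sets the old key `Inactive` in the same run that creates the new one, immediately after printing "Update applications, then run:", so as written it cuts off every consumer of `$OLD_KEY` before anything has been updated; move the `update-access-key --status Inactive` step into a separate invocation after the new key has been deployed, and handle `$NEW_KEY` (which contains the secret access key) rather than leaving it in a shell variable that is never used. The unused-role check reads `RoleLastUsed.LastUsedDate` from `aws iam list-roles`, but ListRoles does not return the `RoleLastUsed` attribute (only GetRole and GetAccountAuthorizationDetails do), so every role prints as "Never used"; call `get-role` per role and compare the date against the 90-day threshold the comment promises. The wildcard checks (`grep -q '"Action": "\*"'` and `statement.get('Action') == '*'`) miss `"Action": ["*"]`, service wildcards such as `"s3:*"`, and a `Statement` given as a single object rather than a list. The MFA check `awk -F, 'NR>1 && $4=="false"'` runs on the base64 `Content` field rather than the decoded CSV, and `mfa_active` is column 8, not 4.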
@@ -0,0 +1,465 @@ +--- +name: aws-secrets-rotation +description: Automate AWS secrets rotation for RDS, API keys, and credentials +risk: safe +source: community +category: security +tags: [aws, secrets-manager, security, automation, kiro-cli, credentials] +--- + +# AWS Secrets Rotation + +Automate rotation of secrets, credentials, and API keys using AWS Secrets Manager and Lambda. + +## When to Use + +Use this skill when you need to implement automated secrets rotation, manage credentials securely, or comply with security policies requiring regular key rotation. + +## Supported Secret Types + +**AWS Services** +- RDS database credentials +- DocumentDB credentials +- Redshift credentials +- ElastiCache credentials + +**Third-Party Services** +- API keys +- OAuth tokens +- SSH keys +- Custom credentials + +## Secrets Manager Setup + +### Create a Secret + +```bash +# Create RDS secret +aws secretsmanager create-secret \ + --name prod/db/mysql \ + --description "Production MySQL credentials" \ + --secret-string '{ + "username": "admin", + "password": "CHANGE_ME", + "engine": "mysql", + "host": "mydb.cluster-abc.us-east-1.rds.amazonaws.com", + "port": 3306, + "dbname": "myapp" + }' + +# Create API key secret +aws secretsmanager create-secret \ + --name prod/api/stripe \ + --secret-string '{ + "api_key": "sk_live_xxxxx", + "webhook_secret": "whsec_xxxxx" + }' + +# Create secret from file +aws secretsmanager create-secret \ + --name prod/ssh/private-key \ + --secret-binary fileb://~/.ssh/id_rsa +``` + +### Retrieve Secrets + +```bash +# Get secret value +aws secretsmanager get-secret-value \ + --secret-id prod/db/mysql \ + --query 'SecretString' --output text + +# Get specific field +aws secretsmanager get-secret-value \ + --secret-id prod/db/mysql \ + --query 'SecretString' --output text | \ + jq -r '.password' + +# Get binary secret +aws secretsmanager get-secret-value \ + --secret-id prod/ssh/private-key \ + --query 'SecretBinary' --output text | \ + base64 -d > 
private-key.pem +``` + +## Automatic Rotation Setup + +### Enable RDS Rotation + +```bash +# Enable automatic rotation (30 days) +aws secretsmanager rotate-secret \ + --secret-id prod/db/mysql \ + --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:SecretsManagerRDSMySQLRotation \ + --rotation-rules AutomaticallyAfterDays=30 + +# Rotate immediately +aws secretsmanager rotate-secret \ + --secret-id prod/db/mysql + +# Check rotation status +aws secretsmanager describe-secret \ + --secret-id prod/db/mysql \ + --query 'RotationEnabled' +``` + +### Lambda Rotation Function + +```python +# lambda_rotation.py +import boto3 +import json +import os + +secrets_client = boto3.client('secretsmanager') +rds_client = boto3.client('rds') + +def lambda_handler(event, context): + """Rotate RDS MySQL password""" + + secret_arn = event['SecretId'] + token = event['ClientRequestToken'] + step = event['Step'] + + # Get current secret + current = secrets_client.get_secret_value(SecretId=secret_arn) + secret = json.loads(current['SecretString']) + + if step == "createSecret": + # Generate new password + new_password = generate_password() + secret['password'] = new_password + + # Store as pending + secrets_client.put_secret_value( + SecretId=secret_arn, + ClientRequestToken=token, + SecretString=json.dumps(secret), + VersionStages=['AWSPENDING'] + ) + + elif step == "setSecret": + # Update RDS password + rds_client.modify_db_instance( + DBInstanceIdentifier=secret['dbInstanceIdentifier'], + MasterUserPassword=secret['password'], + ApplyImmediately=True + ) + + elif step == "testSecret": + # Test new credentials + import pymysql + conn = pymysql.connect( + host=secret['host'], + user=secret['username'], + password=secret['password'], + database=secret['dbname'] + ) + conn.close() + + elif step == "finishSecret": + # Mark as current + secrets_client.update_secret_version_stage( + SecretId=secret_arn, + VersionStage='AWSCURRENT', + MoveToVersionId=token, + 
RemoveFromVersionId=current['VersionId'] + ) + + return {'statusCode': 200} + +def generate_password(length=32): + import secrets + import string + alphabet = string.ascii_letters + string.digits + "!@#$%^&*()" + return ''.join(secrets.choice(alphabet) for _ in range(length)) +``` + +### Custom Rotation for API Keys + +```python +# api_key_rotation.py +import boto3 +import requests +import json + +secrets_client = boto3.client('secretsmanager') + +def rotate_stripe_key(secret_arn, token, step): + """Rotate Stripe API key""" + + current = secrets_client.get_secret_value(SecretId=secret_arn) + secret = json.loads(current['SecretString']) + + if step == "createSecret": + # Create new Stripe key via API + response = requests.post( + 'https://api.stripe.com/v1/api_keys', + auth=(secret['api_key'], ''), + data={'name': f'rotated-{token[:8]}'} + ) + new_key = response.json()['secret'] + + secret['api_key'] = new_key + secrets_client.put_secret_value( + SecretId=secret_arn, + ClientRequestToken=token, + SecretString=json.dumps(secret), + VersionStages=['AWSPENDING'] + ) + + elif step == "testSecret": + # Test new key + response = requests.get( + 'https://api.stripe.com/v1/balance', + auth=(secret['api_key'], '') + ) + if response.status_code != 200: + raise Exception("New key failed validation") + + elif step == "finishSecret": + # Revoke old key + old_key = json.loads(current['SecretString'])['api_key'] + requests.delete( + f'https://api.stripe.com/v1/api_keys/{old_key}', + auth=(secret['api_key'], '') + ) + + # Promote to current + secrets_client.update_secret_version_stage( + SecretId=secret_arn, + VersionStage='AWSCURRENT', + MoveToVersionId=token + ) +``` + +## Rotation Monitoring + +### CloudWatch Alarms + +```bash +# Create alarm for rotation failures +aws cloudwatch put-metric-alarm \ + --alarm-name secrets-rotation-failures \ + --alarm-description "Alert on secrets rotation failures" \ + --metric-name RotationFailed \ + --namespace AWS/SecretsManager \ + 
--statistic Sum \ + --period 300 \ + --evaluation-periods 1 \ + --threshold 1 \ + --comparison-operator GreaterThanThreshold \ + --alarm-actions arn:aws:sns:us-east-1:123456789012:alerts +``` + +### Rotation Audit Script + +```bash +#!/bin/bash +# audit-rotations.sh + +echo "Secrets Rotation Audit" +echo "=====================" + +aws secretsmanager list-secrets --query 'SecretList[*].[Name,RotationEnabled,LastRotatedDate]' \ + --output text | \ +while read name enabled last_rotated; do + echo "" + echo "Secret: $name" + echo " Rotation Enabled: $enabled" + echo " Last Rotated: $last_rotated" + + if [ "$enabled" = "True" ]; then + # Check rotation schedule + rules=$(aws secretsmanager describe-secret --secret-id "$name" \ + --query 'RotationRules.AutomaticallyAfterDays' --output text) + echo " Rotation Schedule: Every $rules days" + + # Calculate days since last rotation + if [ "$last_rotated" != "None" ]; then + days_ago=$(( ($(date +%s) - $(date -d "$last_rotated" +%s)) / 86400 )) + echo " Days Since Rotation: $days_ago" + + if [ $days_ago -gt $rules ]; then + echo " ⚠️ OVERDUE for rotation!" 
+ fi + fi + fi +done +``` + +## Application Integration + +### Python SDK + +```python +import boto3 +import json + +def get_secret(secret_name): + """Retrieve secret from Secrets Manager""" + client = boto3.client('secretsmanager') + + try: + response = client.get_secret_value(SecretId=secret_name) + return json.loads(response['SecretString']) + except Exception as e: + print(f"Error retrieving secret: {e}") + raise + +# Usage +db_creds = get_secret('prod/db/mysql') +connection = pymysql.connect( + host=db_creds['host'], + user=db_creds['username'], + password=db_creds['password'], + database=db_creds['dbname'] +) +``` + +### Node.js SDK + +```javascript +const AWS = require('aws-sdk'); +const secretsManager = new AWS.SecretsManager(); + +async function getSecret(secretName) { + try { + const data = await secretsManager.getSecretValue({ + SecretId: secretName + }).promise(); + + return JSON.parse(data.SecretString); + } catch (err) { + console.error('Error retrieving secret:', err); + throw err; + } +} + +// Usage +const dbCreds = await getSecret('prod/db/mysql'); +const connection = mysql.createConnection({ + host: dbCreds.host, + user: dbCreds.username, + password: dbCreds.password, + database: dbCreds.dbname +}); +``` + +## Rotation Best Practices + +**Planning** +- [ ] Identify all secrets requiring rotation +- [ ] Define rotation schedules (30, 60, 90 days) +- [ ] Test rotation in non-production first +- [ ] Document rotation procedures +- [ ] Plan for emergency rotation + +**Implementation** +- [ ] Use AWS managed rotation when possible +- [ ] Implement proper error handling +- [ ] Add CloudWatch monitoring +- [ ] Test application compatibility +- [ ] Implement gradual rollout + +**Operations** +- [ ] Monitor rotation success/failure +- [ ] Set up alerts for failures +- [ ] Regular rotation audits +- [ ] Document troubleshooting steps +- [ ] Maintain rotation runbooks + +## Emergency Rotation + +```bash +# Immediate rotation (compromise detected) +aws 
secretsmanager rotate-secret \ + --secret-id prod/db/mysql \ + --rotate-immediately + +# Force rotation even if recently rotated +aws secretsmanager rotate-secret \ + --secret-id prod/api/stripe \ + --rotation-lambda-arn arn:aws:lambda:us-east-1:123456789012:function:RotateStripeKey \ + --rotate-immediately + +# Verify rotation completed +aws secretsmanager describe-secret \ + --secret-id prod/db/mysql \ + --query 'LastRotatedDate' +``` + +## Compliance Tracking + +```python +#!/usr/bin/env python3 +# compliance-report.py + +import boto3 +from datetime import datetime, timedelta + +client = boto3.client('secretsmanager') + +def generate_compliance_report(): + secrets = client.list_secrets()['SecretList'] + + compliant = [] + non_compliant = [] + + for secret in secrets: + name = secret['Name'] + rotation_enabled = secret.get('RotationEnabled', False) + last_rotated = secret.get('LastRotatedDate') + + if not rotation_enabled: + non_compliant.append({ + 'name': name, + 'issue': 'Rotation not enabled' + }) + continue + + if last_rotated: + days_ago = (datetime.now(last_rotated.tzinfo) - last_rotated).days + if days_ago > 90: + non_compliant.append({ + 'name': name, + 'issue': f'Not rotated in {days_ago} days' + }) + else: + compliant.append(name) + else: + non_compliant.append({ + 'name': name, + 'issue': 'Never rotated' + }) + + print(f"Compliant Secrets: {len(compliant)}") + print(f"Non-Compliant Secrets: {len(non_compliant)}") + print("\nNon-Compliant Details:") + for item in non_compliant: + print(f" - {item['name']}: {item['issue']}") + +if __name__ == "__main__": + generate_compliance_report() +``` + +## Example Prompts + +- "Set up automatic rotation for my RDS credentials" +- "Create a Lambda function to rotate API keys" +- "Audit all secrets for rotation compliance" +- "Implement emergency rotation for compromised credentials" +- "Generate a secrets rotation report" + +## Kiro CLI Integration + +```bash +kiro-cli chat "Use aws-secrets-rotation to set up RDS 
credential rotation" +kiro-cli chat "Create a rotation audit report with aws-secrets-rotation" +``` + +## Additional Resources + +- [AWS Secrets Manager Rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html) +- [Rotation Lambda Templates](https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas) +- [Best Practices for Secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html) diff --git a/skills/security/aws-security-audit/SKILL.md b/skills/security/aws-security-audit/SKILL.md new file mode 100644 index 00000000..350d976f --- /dev/null +++ b/skills/security/aws-security-audit/SKILL.md 
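Review bot: `lambda_handler` in lambda_rotation.py calls `get_secret_value(SecretId=secret_arn)` with no version in every step, which returns AWSCURRENT, so in `setSecret` it sets the RDS master password to the old password and in `testSecret` it verifies the old credentials while the new password sits unused in AWSPENDING. Fetch the pending version for those steps (`get_secret_value(SecretId=secret_arn, VersionId=token, VersionStage='AWSPENDING')`) and make `createSecret` idempotent by checking for an existing pending version before generating another password. Two more problems in the same function: `secret['dbInstanceIdentifier']` is not a field of the secret created under "Create a Secret" (it has `host`, `port`, `dbname`, `engine`, `username`, `password`), so `setSecret` raises KeyError; and `generate_password` draws from an alphabet containing `@`, which RDS rejects in `MasterUserPassword` (along with `/`, `'` and `"`). In api_key_rotation.py, `finishSecret` revokes the old key via the API and then calls `update_secret_version_stage` without `RemoveFromVersionId`; moving AWSCURRENT when it is already attached to another version requires that parameter, so the call fails after the old key is gone and the secret is left pointing at a revoked key. Its `testSecret` step has the same AWSCURRENT-vs-AWSPENDING problem. In audit-rotations.sh, `$rules` is `None` for secrets rotated on a `ScheduleExpression`, and `[ $days_ago -gt $rules ]` then errors; guard that case.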
@@ -0,0 +1,369 @@ +--- +name: aws-security-audit +description: Comprehensive AWS security posture assessment using AWS CLI and security best practices +risk: safe +source: community +category: security +tags: [aws, security, audit, compliance, kiro-cli, security-assessment] +--- + +# AWS Security Audit + +Perform comprehensive security assessments of AWS environments to identify vulnerabilities and misconfigurations. + +## When to Use + +Use this skill when you need to audit AWS security posture, identify vulnerabilities, or prepare for compliance assessments. + +## Audit Categories + +**Identity & Access Management** +- Overly permissive IAM policies +- Unused IAM users and roles +- MFA enforcement gaps +- Root account usage +- Access key rotation + +**Network Security** +- Open security groups (0.0.0.0/0) +- Public S3 buckets +- Unencrypted data in transit +- VPC flow logs disabled +- Network ACL misconfigurations + +**Data Protection** +- Unencrypted EBS volumes +- Unencrypted RDS instances +- S3 bucket encryption disabled +- Backup policies missing +- KMS key rotation disabled + +**Logging & Monitoring** +- CloudTrail disabled +- CloudWatch alarms missing +- VPC Flow Logs disabled +- S3 access logging disabled +- Config recording disabled + +## Security Audit Commands + +### IAM Security Checks + +```bash +# List users without MFA +aws iam get-credential-report --output text | \ + awk -F, '$4=="false" && $1!="" {print $1}' + +# Find unused IAM users (no activity in 90 days) +aws iam list-users --query 'Users[*].[UserName]' --output text | \ +while read user; do + last_used=$(aws iam get-user --user-name "$user" \ + --query 'User.PasswordLastUsed' --output text) + echo "$user: $last_used" +done + +# List overly permissive policies (AdministratorAccess) +aws iam list-policies --scope Local \ + --query 'Policies[?PolicyName==`AdministratorAccess`]' + +# Find access keys older than 90 days +aws iam list-users --query 'Users[*].UserName' --output text | \ +while 
read user; do + aws iam list-access-keys --user-name "$user" \ + --query 'AccessKeyMetadata[*].[AccessKeyId,CreateDate]' \ + --output text +done + +# Check root account access keys +aws iam get-account-summary \ + --query 'SummaryMap.AccountAccessKeysPresent' +``` + +### Network Security Checks + +```bash +# Find security groups open to the world +aws ec2 describe-security-groups \ + --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]].[GroupId,GroupName]' \ + --output table + +# List public S3 buckets +aws s3api list-buckets --query 'Buckets[*].Name' --output text | \ +while read bucket; do + acl=$(aws s3api get-bucket-acl --bucket "$bucket" 2>/dev/null) + if echo "$acl" | grep -q "AllUsers"; then + echo "PUBLIC: $bucket" + fi +done + +# Check VPC Flow Logs status +aws ec2 describe-vpcs --query 'Vpcs[*].VpcId' --output text | \ +while read vpc; do + flow_logs=$(aws ec2 describe-flow-logs \ + --filter "Name=resource-id,Values=$vpc" \ + --query 'FlowLogs[*].FlowLogId' --output text) + if [ -z "$flow_logs" ]; then + echo "No flow logs: $vpc" + fi +done + +# Find RDS instances without encryption +aws rds describe-db-instances \ + --query 'DBInstances[?StorageEncrypted==`false`].[DBInstanceIdentifier]' \ + --output table +``` + +### Data Protection Checks + +```bash +# Find unencrypted EBS volumes +aws ec2 describe-volumes \ + --query 'Volumes[?Encrypted==`false`].[VolumeId,Size,State]' \ + --output table + +# Check S3 bucket encryption +aws s3api list-buckets --query 'Buckets[*].Name' --output text | \ +while read bucket; do + encryption=$(aws s3api get-bucket-encryption \ + --bucket "$bucket" 2>&1) + if echo "$encryption" | grep -q "ServerSideEncryptionConfigurationNotFoundError"; then + echo "No encryption: $bucket" + fi +done + +# Find RDS snapshots that are public +aws rds describe-db-snapshots \ + --query 'DBSnapshots[*].[DBSnapshotIdentifier]' --output text | \ +while read snapshot; do + attrs=$(aws rds describe-db-snapshot-attributes \ + 
--db-snapshot-identifier "$snapshot" \ + --query 'DBSnapshotAttributesResult.DBSnapshotAttributes[?AttributeName==`restore`].AttributeValues' \ + --output text) + if echo "$attrs" | grep -q "all"; then + echo "PUBLIC SNAPSHOT: $snapshot" + fi +done + +# Check KMS key rotation +aws kms list-keys --query 'Keys[*].KeyId' --output text | \ +while read key; do + rotation=$(aws kms get-key-rotation-status --key-id "$key" \ + --query 'KeyRotationEnabled' --output text 2>/dev/null) + if [ "$rotation" = "False" ]; then + echo "Rotation disabled: $key" + fi +done +``` + +### Logging & Monitoring Checks + +```bash +# Check CloudTrail status +aws cloudtrail describe-trails \ + --query 'trailList[*].[Name,IsMultiRegionTrail,LogFileValidationEnabled]' \ + --output table + +# Verify CloudTrail is logging +aws cloudtrail get-trail-status --name my-trail \ + --query 'IsLogging' + +# Check if AWS Config is enabled +aws configservice describe-configuration-recorders \ + --query 'ConfigurationRecorders[*].[name,roleARN]' \ + --output table + +# List S3 buckets without access logging +aws s3api list-buckets --query 'Buckets[*].Name' --output text | \ +while read bucket; do + logging=$(aws s3api get-bucket-logging --bucket "$bucket" 2>&1) + if ! 
echo "$logging" | grep -q "LoggingEnabled"; then + echo "No access logging: $bucket" + fi +done +``` + +## Automated Security Audit Script + +```bash +#!/bin/bash +# comprehensive-security-audit.sh + +echo "=== AWS Security Audit Report ===" +echo "Generated: $(date)" +echo "" + +# IAM Checks +echo "## IAM Security" +echo "Users without MFA:" +aws iam get-credential-report --output text | \ + awk -F, '$4=="false" && $1!="" {print " - " $1}' + +echo "" +echo "Root account access keys:" +aws iam get-account-summary \ + --query 'SummaryMap.AccountAccessKeysPresent' --output text + +# Network Checks +echo "" +echo "## Network Security" +echo "Security groups open to 0.0.0.0/0:" +aws ec2 describe-security-groups \ + --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]].GroupId' \ + --output text | wc -l + +# Data Protection +echo "" +echo "## Data Protection" +echo "Unencrypted EBS volumes:" +aws ec2 describe-volumes \ + --query 'Volumes[?Encrypted==`false`].VolumeId' \ + --output text | wc -l + +echo "" +echo "Unencrypted RDS instances:" +aws rds describe-db-instances \ + --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' \ + --output text | wc -l + +# Logging +echo "" +echo "## Logging & Monitoring" +echo "CloudTrail status:" +aws cloudtrail describe-trails \ + --query 'trailList[*].[Name,IsLogging]' \ + --output table + +echo "" +echo "=== End of Report ===" +``` + +## Security Score Calculator + +```python +#!/usr/bin/env python3 +# security-score.py + +import boto3 +import json + +def calculate_security_score(): + iam = boto3.client('iam') + ec2 = boto3.client('ec2') + s3 = boto3.client('s3') + + score = 100 + issues = [] + + # Check MFA + try: + report = iam.get_credential_report() + users_without_mfa = 0 + # Parse report and count + if users_without_mfa > 0: + score -= 10 + issues.append(f"{users_without_mfa} users without MFA") + except: + pass + + # Check open security groups + sgs = ec2.describe_security_groups() + 
open_sgs = 0 + for sg in sgs['SecurityGroups']: + for perm in sg.get('IpPermissions', []): + for ip_range in perm.get('IpRanges', []): + if ip_range.get('CidrIp') == '0.0.0.0/0': + open_sgs += 1 + break + + if open_sgs > 0: + score -= 15 + issues.append(f"{open_sgs} security groups open to internet") + + # Check unencrypted volumes + volumes = ec2.describe_volumes() + unencrypted = sum(1 for v in volumes['Volumes'] if not v['Encrypted']) + + if unencrypted > 0: + score -= 20 + issues.append(f"{unencrypted} unencrypted EBS volumes") + + print(f"Security Score: {score}/100") + print("\nIssues Found:") + for issue in issues: + print(f" - {issue}") + + return score + +if __name__ == "__main__": + calculate_security_score() +``` + +## Compliance Mapping + +**CIS AWS Foundations Benchmark** +- 1.1: Root account usage +- 1.2-1.14: IAM policies and MFA +- 2.1-2.9: Logging (CloudTrail, Config, VPC Flow Logs) +- 4.1-4.3: Monitoring and alerting + +**PCI-DSS** +- Requirement 1: Network security controls +- Requirement 2: Secure configurations +- Requirement 8: Access controls and MFA +- Requirement 10: Logging and monitoring + +**HIPAA** +- Access controls (IAM) +- Audit controls (CloudTrail) +- Encryption (EBS, RDS, S3) +- Transmission security (TLS/SSL) + +## Remediation Priorities + +**Critical (Fix Immediately)** +- Root account access keys +- Public RDS snapshots +- Security groups open to 0.0.0.0/0 on sensitive ports +- CloudTrail disabled + +**High (Fix Within 7 Days)** +- Users without MFA +- Unencrypted data at rest +- Missing VPC Flow Logs +- Overly permissive IAM policies + +**Medium (Fix Within 30 Days)** +- Old access keys (>90 days) +- Missing S3 access logging +- Unused IAM users +- KMS key rotation disabled + +## Example Prompts + +- "Run a comprehensive security audit on my AWS account" +- "Check for IAM security issues" +- "Find all unencrypted resources" +- "Generate a security compliance report" +- "Calculate my AWS security score" + +## Best Practices + 
+- Run audits weekly +- Automate with Lambda/EventBridge +- Export results to S3 for trending +- Integrate with SIEM tools +- Track remediation progress +- Document exceptions with business justification + +## Kiro CLI Integration + +```bash +kiro-cli chat "Use aws-security-audit to assess my security posture" +kiro-cli chat "Generate a security audit report with aws-security-audit" +``` + +## Additional Resources + +- [AWS Security Best Practices](https://aws.amazon.com/security/best-practices/) +- [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services) +- [AWS Security Hub](https://aws.amazon.com/security-hub/) diff --git a/skills_index.json b/skills_index.json index dab694b4..a55fecaf 100644 --- a/skills_index.json +++ b/skills_index.json @@ -399,10 +399,10 @@ "id": "architect-review", "path": "skills/architect-review", "category": "uncategorized", - "name": "Architect Review", - "description": "You are a master software architect specializing in modern software architecture patterns, clean architecture principles, and distributed systems design.", + "name": "architect-review", + "description": "Master software architect specializing in modern architecture patterns, clean architecture, microservices, event-driven systems, and DDD. Reviews system designs and code changes for architectural integrity, scalability, and maintainability. Use PROACTIVELY for architectural decisions.", "risk": "unknown", - "source": "unknown" + "source": "community" }, { "id": "architecture", 
@@ -566,6 +566,24 @@ "risk": "unknown", "source": "community" }, + { + "id": "aws-secrets-rotation", + "path": "skills/security/aws-secrets-rotation", + "category": "security", + "name": "aws-secrets-rotation", + "description": "Automate AWS secrets rotation for RDS, API keys, and credentials", + "risk": "safe", + "source": "community" + }, + { + "id": "aws-security-audit", + "path": "skills/security/aws-security-audit", + "category": "security", + "name": "aws-security-audit", + "description": "Comprehensive AWS security posture assessment using AWS CLI and security best practices", + "risk": "safe", + "source": "community" + }, { "id": "aws-serverless", "path": "skills/aws-serverless", @@ -1929,10 +1947,10 @@ "id": "c-pro", "path": "skills/c-pro", "category": "uncategorized", - "name": "C Pro", - "description": "- Working on c pro tasks or workflows - Needing guidance, best practices, or checklists for c pro", + "name": "c-pro", + "description": "Write efficient C code with proper memory management, pointer arithmetic, and system calls. Handles embedded systems, kernel modules, and performance-critical code. Use PROACTIVELY for C optimization, memory issues, or system programming.", "risk": "unknown", - "source": "unknown" + "source": "community" }, { "id": "c4-code", @@ -2240,15 +2258,6 @@ "risk": "unknown", "source": "community" }, - { - "id": "code-reviewer", - "path": "skills/code-reviewer", - "category": "uncategorized", - "name": "Code Reviewer", - "description": "- Working on code reviewer tasks or workflows - Needing guidance, best practices, or checklists for code reviewer", - "risk": "unknown", - "source": "unknown" - }, { "id": "code-documentation-code-explain", "path": "skills/code-documentation-code-explain", 
@@ -2321,6 +2330,15 @@ "risk": "unknown", "source": "community" }, + { + "id": "code-reviewer", + "path": "skills/code-reviewer", + "category": "uncategorized", + "name": "code-reviewer", + "description": "Elite code review expert specializing in modern AI-powered code analysis, security vulnerabilities, performance optimization, and production reliability. Masters static analysis tools, security scanning, and configuration review with 2024/2025 best practices. Use PROACTIVELY for code quality assurance.", + "risk": "unknown", + "source": "community" + }, { "id": "codebase-cleanup-deps-audit", "path": "skills/codebase-cleanup-deps-audit", @@ -3050,15 +3068,6 @@ "risk": "unknown", "source": "community" }, - { - "id": "design-orchestration", - "path": "skills/design-orchestration", - "category": "uncategorized", - "name": "Design Orchestration", - "description": "Ensure that **ideas become designs**, **designs are reviewed**, and **only validated designs reach implementation**.", - "risk": "unknown", - "source": "unknown" - }, { "id": "design-md", "path": "skills/design-md", @@ -3068,6 +3077,15 @@ "risk": "safe", "source": "https://github.com/google-labs-code/stitch-skills/tree/main/skills/design-md" }, + { + "id": "design-orchestration", + "path": "skills/design-orchestration", + "category": "uncategorized", + "name": "design-orchestration", + "description": "Orchestrates design workflows by routing work through brainstorming, multi-agent review, and execution readiness in the correct order. Prevents premature implementation, skipped validation, and unreviewed high-risk designs.", + "risk": "unknown", + "source": "community" + }, { "id": "devops-troubleshooter", "path": "skills/devops-troubleshooter", 
@@ -4107,10 +4125,10 @@ "id": "haskell-pro", "path": "skills/haskell-pro", "category": "uncategorized", - "name": "Haskell Pro", - "description": "- Working on haskell pro tasks or workflows - Needing guidance, best practices, or checklists for haskell pro", + "name": "haskell-pro", + "description": "Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.", "risk": "unknown", - "source": "unknown" + "source": "community" }, { "id": "helm-chart-scaffolding", @@ -5169,10 +5187,10 @@ "id": "multi-agent-brainstorming", "path": "skills/multi-agent-brainstorming", "category": "uncategorized", - "name": "Multi Agent Brainstorming", - "description": "Transform a single-agent design into a **robust, review-validated design** by simulating a formal peer-review process using multiple constrained agents.", + "name": "multi-agent-brainstorming", + "description": "Use this skill when a design or idea requires higher confidence, risk reduction, or formal review. This skill orchestrates a structured, sequential multi-agent design review where each agent has a strict, non-overlapping role. It prevents blind spots, false confidence, and premature convergence.", "risk": "unknown", - "source": "unknown" + "source": "community" }, { "id": "multi-agent-patterns", 
@@ -5255,6 +5273,24 @@ "risk": "unknown", "source": "vibeship-spawner-skills (Apache 2.0)" }, + { + "id": "nerdzao-elite", + "path": "skills/nerdzao-elite", + "category": "uncategorized", + "name": "nerdzao-elite", + "description": "Senior Elite Software Engineer (15+) and Senior Product Designer. Full workflow with planning, architecture, TDD, clean code, and pixel-perfect UX validation.", + "risk": "safe", + "source": "community" + }, + { + "id": "nerdzao-elite-gemini-high", + "path": "skills/nerdzao-elite-gemini-high", + "category": "uncategorized", + "name": "nerdzao-elite-gemini-high", + "description": "Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High. Workflow completo com foco em qualidade m\u00e1xima e efici\u00eancia de tokens.", + "risk": "safe", + "source": "community" + }, { "id": "nestjs-expert", "path": "skills/nestjs-expert", @@ -5601,10 +5637,10 @@ "id": "performance-engineer", "path": "skills/performance-engineer", "category": "uncategorized", - "name": "Performance Engineer", - "description": "You are a performance engineer specializing in modern application optimization, observability, and scalable system performance.", + "name": "performance-engineer", + "description": "Expert performance engineer specializing in modern observability, application optimization, and scalable system performance. Masters OpenTelemetry, distributed tracing, load testing, multi-tier caching, Core Web Vitals, and performance monitoring. Handles end-to-end optimization, real user monitoring, and scalability patterns. Use PROACTIVELY for performance optimization, observability, or scalability challenges.", "risk": "unknown", - "source": "unknown" + "source": "community" }, { "id": "performance-profiling", 
@@ -6348,10 +6384,10 @@ "id": "search-specialist", "path": "skills/search-specialist", "category": "uncategorized", - "name": "Search Specialist", - "description": "- Working on search specialist tasks or workflows - Needing guidance, best practices, or checklists for search specialist", + "name": "search-specialist", + "description": "Expert web researcher using advanced search techniques and synthesis. Masters search operators, result filtering, and multi-source verification. Handles competitive analysis and fact-checking. Use PROACTIVELY for deep research, information gathering, or trend analysis.", "risk": "unknown", - "source": "unknown" + "source": "community" }, { "id": "secrets-management",
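Review bot: the MFA check in the IAM Security Checks block of skills/security/aws-security-audit/SKILL.md (and repeated in comprehensive-security-audit.sh) does not parse the credential report: `aws iam get-credential-report --output text` prints the base64-encoded `Content` field alongside GeneratedTime and ReportFormat, not CSV rows, and in the decoded CSV column 4 is `password_enabled` while `mfa_active` is column 8. Use `aws iam get-credential-report --query Content --output text | base64 -d | awk -F, 'NR>1 && $8=="false" {print $1}'`, after an `aws iam generate-credential-report` so the report exists. Further points in the same hunk: `aws iam list-policies --scope Local` returns only customer-managed policies, so the AWS-managed `AdministratorAccess` policy is never listed; `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess` answers the question the comment asks. The "access keys older than 90 days" and "unused IAM users" loops print every key and user without applying the 90-day filter their comments promise. The public-bucket loop checks only the `AllUsers` ACL grantee and misses `AuthenticatedUsers` grants and bucket-policy exposure (`aws s3api get-bucket-policy-status` reports `PolicyStatus.IsPublic`). In the audit script, `--query '...GroupId' --output text | wc -l` (and the EBS and RDS counts) print a flat list on one tab-separated line, so the count is 1 whenever anything matches; use `wc -w` or wrap the field as `[GroupId]` to get one per line. `describe-trails` has no `IsLogging` field, so the "CloudTrail status" table will show None; `IsLogging` comes from `get-trail-status` per trail, and `--name my-trail` is a hardcoded placeholder that should loop over describe-trails output. In security-score.py, `users_without_mfa` is never computed (the "Parse report and count" comment is a placeholder), the bare `except: pass` hides a missing report, the inner `break` only exits the IpRanges loop so a group with several open rules is counted once per rule, `json` is imported but unused, and the IPv6 `::/0` case is missed in both the CLI query and the script.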
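Review bot: in the skills_index.json hunk at @@ -399 the `name` field is changed from the display form "Architect Review" to the id string "architect-review", and the same happens in every renamed entry in this patch (c-pro, code-reviewer, design-orchestration, haskell-pro, multi-agent-brainstorming, performance-engineer, search-specialist), so `name` and `id` now carry identical values. If `name` is meant as the human-readable label, this loses it; if it is meant to mirror `id`, say so in the commit message or the index schema so the new aws-* and nerdzao-* entries (which already use the id form) and future entries follow one rule. Also `category` stays "uncategorized" for architect-review while the new security skills get "security"; worth filling in while the entry is being rewritten.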
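Review bot: in the hunk at @@ -566 both new entries are tagged `"risk": "safe"`, but only aws-security-audit is described as an assessment; aws-secrets-rotation's description is "Automate AWS secrets rotation for RDS, API keys, and credentials", which means creating and replacing live credentials in the account. If the risk field is meant to separate read-only skills from ones that change account state, the rotation skill should not share the audit skill's label by default; the rest of this index uses "unknown" where no assessment has been made, which would be the honest value until one is.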
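Review bot: the code-reviewer entry is deleted at @@ -2240 and re-added at @@ -2321 with a new description, so the diff reads as delete plus add and the description change is easy to miss in review; the same pattern applies to design-orchestration (@@ -3050 / @@ -3068). Splitting the re-sort from the content edit, or stating in the commit message that entries are being re-sorted by id, would make both reviewable. Separately, the new code-reviewer description hardcodes "2024/2025 best practices", which will read as stale in the catalog within a year; prefer wording without a date.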
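Review bot: in the hunk at @@ -5255 the nerdzao-elite-gemini-high description is in Portuguese ("Modo Elite Coder + UX Pixel-Perfect otimizado especificamente para Gemini 3.1 Pro High ...") while every other description in this index, including the sibling nerdzao-elite entry, is English; provide an English description here so index consumers see one language (the Portuguese text can live in the skill's own SKILL.md). In nerdzao-elite, "Senior Elite Software Engineer (15+)" gives no unit for "15+"; if years of experience are meant, say so.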