Network Security Skills Suite
A comprehensive collection of AI skills for network security operations, covering audits, health checks, and incident response.
Network Security Skills Suite
AI agent skills for network security operations — device triage, configuration auditing, and incident response procedures for Cisco and multi-vendor environments.
What Is This?
This repository is a curated collection of Agent Skills for network security engineering. Each skill is a structured procedure that an AI coding agent can load and follow — covering device health checks, security audits, configuration reviews, and more.
Skills are written in the Agent Skills SKILL.md format and enhanced with network-specific conventions: safety tier metadata, threshold tables, decision trees, and structured report templates.
Install
Via skills.sh (Claude Code, Cursor, Codex, Copilot, Gemini CLI, etc.)
npx skills add vahagn-madatyan/netsec-skills-suite
This discovers and installs all skills from the suite. To list available skills without installing:
npx skills add vahagn-madatyan/netsec-skills-suite --list
Via ClawHub (OpenClaw)
clawhub install netsec-skills-suite
Via Git Submodule (NemoNet, OpenClaw forks, custom projects)
git submodule add https://github.com/vahagn-madatyan/netsec-skills-suite.git skills/netsec-skills-suite
See docs/SUBMODULE.md for update, version pinning, and OpenClaw extraDirs configuration.
Skill Catalog
| Skill | Description | Safety Tier |
|---|---|---|
| example-device-health | Cisco IOS-XE device health check and triage procedure (reference implementation) | read-only |
| cisco-device-health | Cisco IOS-XE and NX-OS dual-platform device health check with QFP/RP and VDC-aware triage | read-only |
| juniper-device-health | Juniper JunOS device health check with RE/PFE separation, alarm-first triage, and dual-RE failover detection | read-only |
| arista-device-health | Arista EOS device health check with agent monitoring, MLAG state validation, and VXLAN/EVPN DC extensions | read-only |
| bgp-analysis | BGP protocol analysis — peer state diagnosis, path selection, route filtering, convergence (Cisco/JunOS/EOS) | read-only |
| ospf-analysis | OSPF adjacency diagnosis, area design validation, LSA analysis, SPF convergence (Cisco/JunOS/EOS) | read-only |
| eigrp-analysis | EIGRP DUAL analysis — successor/feasible successor, stuck-in-active diagnosis, K-value validation (Cisco IOS-XE/NX-OS) | read-only |
| isis-analysis | IS-IS adjacency diagnosis, LSPDB analysis, level 1/2 routing, NET validation (Cisco/JunOS/EOS) | read-only |
| change-verification | Pre/post change verification with baseline capture, diff analysis, and rollback guidance (Cisco/JunOS/EOS) | read-write |
| config-management | Config backup, drift detection, and golden config validation with compliance checking (Cisco/JunOS/EOS) | read-write |
| interface-health | Interface error analysis — CRC, discards, resets, optical power monitoring with threshold tables (Cisco/JunOS/EOS) | read-only |
| network-topology-discovery | Network topology discovery via CDP/LLDP, ARP/MAC tables, and routing table analysis (Cisco/JunOS/EOS) | read-only |
| Security Skills | ||
| palo-alto-firewall-audit | PAN-OS zone-based security policy audit — App-ID/Content-ID analysis, Security Profile Group validation, zone protection assessment | read-only |
| fortigate-firewall-audit | FortiGate/FortiOS policy audit — VDOM segmentation analysis, UTM profile binding validation, SD-WAN security assessment | read-only |
| checkpoint-firewall-audit | Check Point R80+ security policy audit — rulebase layer analysis, blade activation audit, SmartConsole management validation | read-only |
| cisco-firewall-audit | Cisco ASA/FTD dual-platform audit — ASA ACL/security-level analysis, FTD Access Control Policy and Snort IPS assessment | read-only |
| acl-rule-analysis | Vendor-agnostic ACL/firewall rule analysis — shadowed rule detection, overly permissive rule flagging, unused rule cleanup, rule ordering optimization | read-only |
| cis-benchmark-audit | CIS benchmark compliance assessment — Management/Control/Data Plane audit for Cisco IOS, PAN-OS, JunOS, Check Point with copyright-safe control references | read-only |
| nist-compliance-assessment | NIST CSF and 800-53 compliance mapping — AC, AU, CM, IA, SC, SI control family assessment for network device security posture | read-only |
| vulnerability-assessment | CVE assessment for network devices — version-to-CVE mapping, CVSS scoring, remediation prioritization across Cisco, JunOS, EOS, PAN-OS, FortiGate | read-only |
| siem-log-analysis | Network security SIEM analysis — syslog parsing, event correlation, alert triage with Splunk SPL, ELK KQL, and QRadar AQL query patterns | read-only |
| incident-response-network | Network forensics during incident response — packet capture, flow analysis, lateral movement detection, evidence preservation (Cisco/JunOS/EOS) | read-only |
| vpn-ipsec-troubleshooting | IPSec/IKE troubleshooting — IKE SA state machine diagnosis, crypto mismatch analysis, NAT-T detection, DPD tuning (Cisco/JunOS/PAN-OS/FortiGate) | read-only |
| zero-trust-assessment | Zero-trust maturity assessment — 5-pillar scoring rubric (identity, device, network, application, data), NIST 800-207 alignment, micro-segmentation validation | read-only |
| zscaler-zia-zpa-audit | Zscaler ZIA+ZPA SASE audit — URL filtering policy analysis, SSL inspection coverage, Cloud Firewall rules, ZPA application segments, access policy evaluation, connector health | read-only |
| prisma-access-audit | Prisma Access SASE audit — mobile user/remote network policy evaluation, threat prevention profiles, GlobalProtect client compliance, service connection validation | read-only |
| fortisase-audit | FortiSASE audit — SWG policy review, ZTNA application gateway assessment, thin edge integration, FortiClient compliance, FortiGuard service validation | read-only |
| wireless-security-audit | Wireless security audit — SSID policy analysis, 802.1X/EAP validation, rogue AP detection, WPA3 assessment (Cisco WLC/Aruba/Meraki) | read-only |
| Cloud & Infrastructure Skills | ||
| aws-networking-audit | AWS VPC design analysis, Transit Gateway routing, security group/NACL audit, VPC flow log analysis | read-only |
| azure-networking-audit | Azure VNet architecture analysis, NSG rule audit, Azure Firewall policy, ExpressRoute/VPN gateway health | read-only |
| gcp-networking-audit | GCP VPC Network analysis, firewall rule audit, Cloud NAT, Cloud Interconnect, Shared VPC assessment | read-only |
| cloud-security-posture | Cross-cloud security posture assessment — IAM analysis, encryption audit, public exposure detection (AWS/Azure/GCP) | read-only |
| source-of-truth-audit | Network inventory reconciliation — SOT data quality scoring, intent vs reality comparison (NetBox/Nautobot) | read-only |
| ipam-dns-audit | IPAM/DNS audit — subnet utilization analysis, DNS record validation, IP conflict detection, capacity planning | read-only |
| Observability Skills | ||
| monitoring-dashboard-audit | Grafana dashboard analysis, PromQL query validation, alert rule assessment, SLA/SLO reporting | read-only |
| network-log-analysis | Device-level syslog analysis — pattern recognition, event correlation, anomaly detection, timeline reconstruction | read-only |
| incident-response-lifecycle | Incident response process management — NIST 800-61 lifecycle, escalation, communication, RCA, post-mortem | read-only |
Safety Tiers:
read-onlyskills only collect data and do not modify device state.read-writeskills may change configuration or operational state. See CONTRIBUTING.md for details.
Usage
Once installed, an agent loads a skill by name and follows its procedure. Here's how a typical interaction looks:
User: The core router is showing high CPU. Can you triage it?
Agent: Loading skill: example-device-health
I'll follow the Cisco IOS-XE Device Health Check procedure.
Step 1: Establish Baseline Context
Running: show version | include uptime|Version|bytes of memory
hostname: core-rtr-01
software: IOS-XE 17.6.3
uptime: 47 days, 3 hours
Step 2: CPU Utilization Assessment
Running: show processes cpu sorted | head 20
5-second: 92% ← CRITICAL (threshold: >90%)
1-minute: 78% ← WARNING
5-minute: 71% ← CRITICAL (threshold: >70%)
Top process: BGP Router (54%)
Decision tree → CPU critical → Top process is BGP Router
→ Check for route churn, peer flap, table size
Step 5: Routing Table Health
Running: show ip bgp summary
Neighbor 10.0.0.2: 847 state changes in last hour ← CRITICAL
Finding: BGP peer 10.0.0.2 is flapping, causing route churn
and sustained high CPU from BGP table recalculation.
Recommendation: Stabilize BGP peer 10.0.0.2 — check interface
to that neighbor for L1 errors, apply dampening if appropriate.
The agent follows the skill's procedure step by step, references threshold tables for classification, uses decision trees for triage logic, and produces a structured report.
Repository Structure
skills/
example-device-health/
SKILL.md # Skill definition (procedure, thresholds, decision trees)
references/ # Supporting reference material
threshold-tables.md
cli-reference.md
scripts/
validate.sh # Custom convention validator
skill_security_auditor.py # SkillCheck security scanner
.github/
workflows/
validate.yml # CI — spec + convention validation
skillcheck.yml # CI — security audit (prompt injection, cmd injection, safety tier)
virustotal-scan.yml # CI — VirusTotal 70+ engine scan on PRs and releases
scorecards.yml # CI — OpenSSF Scorecard (weekly)
claude-code-review.yml # CI — Claude Code AI review on PRs
Validation & Security
Every skill passes through a multi-layer validation and security pipeline:
- Spec validation —
agentskills validatechecks compliance with the Agent Skills SKILL.md specification (frontmatter schema, required fields). - Convention validation —
scripts/validate.shchecks network-security-specific conventions (safety tier metadata, required body sections,references/directory). - SkillCheck security audit —
scripts/skill_security_auditor.pyscans for command injection, prompt injection, safety tier mismatches, credential harvesting, obfuscation, and supply chain risks. - VirusTotal scan — Changed skill files are packaged and scanned by 70+ antivirus engines on every PR. Release assets are scanned on publish.
- OpenSSF Scorecard — Weekly automated evaluation of repository security posture (branch protection, dependency updates, CI tests, signed releases).
- Claude Code Review — AI-powered code review on pull requests.
To run validation and security checks locally:
pip install skills-ref==0.1.1
agentskills validate skills/
bash scripts/validate.sh
python3 scripts/skill_security_auditor.py skills/
All checks run automatically in CI on every push to main and on pull requests.
Contributing
See CONTRIBUTING.md for the complete guide on writing skills, format reference, and submission process.