teoslayer

Pilot Security Operations Center Setup

by Calin Teodor · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean

Downloads: 64 · Stars: 0 · Active Installs: 0 · Versions: 1

Install in OpenClaw: /install pilot-security-operations-center-setup
Description
Deploy a security operations center pipeline with 4 agents. Use this skill when: 1. User wants to set up a SOC or security monitoring pipeline 2. User is con...
README (SKILL.md)

Security Operations Center Setup

Deploy 4 agents: collector, analyzer, enforcer, and dashboard.

Roles

| Role | Hostname | Skills | Purpose |
| --- | --- | --- | --- |
| collector | <prefix>-collector | pilot-event-log, pilot-audit-log, pilot-stream-data, pilot-cron | Aggregates security events |
| analyzer | <prefix>-analyzer | pilot-event-filter, pilot-event-replay, pilot-alert, pilot-priority-queue | Detects and classifies threats |
| enforcer | <prefix>-enforcer | pilot-blocklist, pilot-quarantine, pilot-webhook-bridge, pilot-audit-log | Blocks threats, quarantines nodes |
| dashboard | <prefix>-dashboard | pilot-metrics, pilot-slack-bridge, pilot-network-map, pilot-mesh-status | Visualizes security posture |

Setup Procedure

Step 1: Ask the user which role and prefix.

Step 2: Install skills:

# collector:
clawhub install pilot-event-log pilot-audit-log pilot-stream-data pilot-cron
# analyzer:
clawhub install pilot-event-filter pilot-event-replay pilot-alert pilot-priority-queue
# enforcer:
clawhub install pilot-blocklist pilot-quarantine pilot-webhook-bridge pilot-audit-log
# dashboard:
clawhub install pilot-metrics pilot-slack-bridge pilot-network-map pilot-mesh-status

Step 3: Set hostname and write manifest to ~/.pilot/setups/security-operations-center.json.

Step 4: Handshake with adjacent agents.

Manifest Templates Per Role

collector

{
  "setup": "security-operations-center", "role": "collector", "role_name": "Log Collector",
  "hostname": "<prefix>-collector",
  "skills": {
    "pilot-event-log": "Aggregate security events from all nodes.",
    "pilot-audit-log": "Maintain tamper-evident event log.",
    "pilot-stream-data": "Stream events to analyzer in real time.",
    "pilot-cron": "Schedule periodic log sweeps."
  },
  "data_flows": [{ "direction": "send", "peer": "<prefix>-analyzer", "port": 1002, "topic": "security-event", "description": "Raw security events" }],
  "handshakes_needed": ["<prefix>-analyzer"]
}

analyzer

{
  "setup": "security-operations-center", "role": "analyzer", "role_name": "Threat Analyzer",
  "hostname": "<prefix>-analyzer",
  "skills": {
    "pilot-event-filter": "Filter and correlate events, detect patterns.",
    "pilot-event-replay": "Replay past events for forensic investigation.",
    "pilot-alert": "Emit classified threat alerts.",
    "pilot-priority-queue": "Prioritize threats by severity."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-collector", "port": 1002, "topic": "security-event", "description": "Raw events" },
    { "direction": "send", "peer": "<prefix>-enforcer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts" },
    { "direction": "send", "peer": "<prefix>-dashboard", "port": 1002, "topic": "threat-alert", "description": "Classified threats" }
  ],
  "handshakes_needed": ["<prefix>-collector", "<prefix>-enforcer", "<prefix>-dashboard"]
}

enforcer

{
  "setup": "security-operations-center", "role": "enforcer", "role_name": "Threat Enforcer",
  "hostname": "<prefix>-enforcer",
  "skills": {
    "pilot-blocklist": "Add malicious IPs/agents to deny list.",
    "pilot-quarantine": "Isolate compromised agents.",
    "pilot-webhook-bridge": "Trigger incident webhooks.",
    "pilot-audit-log": "Log all enforcement actions."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-analyzer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts" },
    { "direction": "send", "peer": "<prefix>-dashboard", "port": 1002, "topic": "enforcement-action", "description": "Actions taken" }
  ],
  "handshakes_needed": ["<prefix>-analyzer", "<prefix>-dashboard"]
}

dashboard

{
  "setup": "security-operations-center", "role": "dashboard", "role_name": "SOC Dashboard",
  "hostname": "<prefix>-dashboard",
  "skills": {
    "pilot-metrics": "Display threat counts, response times.",
    "pilot-slack-bridge": "Send security summaries to Slack.",
    "pilot-network-map": "Visualize network topology and threats.",
    "pilot-mesh-status": "Show peer connectivity and encryption status."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-analyzer", "port": 1002, "topic": "threat-alert", "description": "Classified threats" },
    { "direction": "receive", "peer": "<prefix>-enforcer", "port": 1002, "topic": "enforcement-action", "description": "Actions taken" }
  ],
  "handshakes_needed": ["<prefix>-analyzer", "<prefix>-enforcer"]
}

Data Flows

  • collector → analyzer : raw security events (port 1002)
  • analyzer → enforcer : threat verdicts (port 1002)
  • analyzer → dashboard : classified threats (port 1002)
  • enforcer → dashboard : enforcement actions (port 1002)
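Because each role's manifest declares its side of a flow independently, a typo in a topic, port or peer name on one side silently leaves the other side waiting. The checker below is an added example (not part of the skill or the pilot-protocol tooling): it cross-checks the four manifests so that every "send" has a matching "receive" on the peer (same topic and port), every peer named in a data flow is also in handshakes_needed, and no handshake is requested with a peer that has no data flow (a handshake auto-approves trust, so it should not be broader than the traffic needs). The manifests are constructed from the page's templates with the prefix "soc"; the "skills" maps are omitted because they do not affect the check, and the port-mismatch case is a constructed failure to show what a problem report looks like.

```python
"""Cross-check the four SOC role manifests for consistent data flows (added example)."""
import copy
import json

PREFIX = "soc"  # assumed prefix for the constructed sample


def flow(direction, peer_role, topic, port=1002):
    """One data_flows entry in the page's manifest format."""
    return {"direction": direction, "peer": f"{PREFIX}-{peer_role}", "port": port, "topic": topic}


def manifest(role, flows, handshake_roles):
    """One role manifest (constructed from the page templates; 'skills' omitted)."""
    return {
        "setup": "security-operations-center",
        "role": role,
        "hostname": f"{PREFIX}-{role}",
        "data_flows": flows,
        "handshakes_needed": [f"{PREFIX}-{r}" for r in handshake_roles],
    }


# Constructed sample: the four manifests from the page with <prefix> = "soc".
MANIFESTS = {
    f"{PREFIX}-collector": manifest("collector",
        [flow("send", "analyzer", "security-event")], ["analyzer"]),
    f"{PREFIX}-analyzer": manifest("analyzer",
        [flow("receive", "collector", "security-event"),
         flow("send", "enforcer", "threat-verdict"),
         flow("send", "dashboard", "threat-alert")],
        ["collector", "enforcer", "dashboard"]),
    f"{PREFIX}-enforcer": manifest("enforcer",
        [flow("receive", "analyzer", "threat-verdict"),
         flow("send", "dashboard", "enforcement-action")],
        ["analyzer", "dashboard"]),
    f"{PREFIX}-dashboard": manifest("dashboard",
        [flow("receive", "analyzer", "threat-alert"),
         flow("receive", "enforcer", "enforcement-action")],
        ["analyzer", "enforcer"]),
}


def check_manifests(manifests):
    """Return a list of human-readable problems; an empty list means the set is consistent."""
    problems = []
    for host, m in manifests.items():
        if m["hostname"] != host:
            problems.append(f"{host}: hostname field is {m['hostname']!r}")
        for f in m["data_flows"]:
            peer = f["peer"]
            if peer not in manifests:
                problems.append(f"{host}: data flow names unknown peer {peer}")
                continue
            if peer not in m["handshakes_needed"]:
                problems.append(f"{host}: peer {peer} missing from handshakes_needed")
            # A send must be mirrored by a receive on the peer (and vice versa)
            # with the same topic and port, otherwise the message has no listener.
            want = "receive" if f["direction"] == "send" else "send"
            mirrored = any(
                g["direction"] == want and g["peer"] == host
                and g["topic"] == f["topic"] and g["port"] == f["port"]
                for g in manifests[peer]["data_flows"]
            )
            if not mirrored:
                problems.append(
                    f"{host}: {f['direction']} of {f['topic']!r} with {peer} "
                    f"has no matching {want} on the peer")
        # A handshake grants trust; flag any that no data flow justifies.
        flow_peers = {f["peer"] for f in m["data_flows"]}
        for h in m["handshakes_needed"]:
            if h not in flow_peers:
                problems.append(f"{host}: handshake with {h} but no data flow to or from it")
    return problems


def with_port_mismatch(manifests):
    """Constructed failure case: the enforcer expects threat verdicts on port 1003."""
    broken = copy.deepcopy(manifests)
    for f in broken[f"{PREFIX}-enforcer"]["data_flows"]:
        if f["topic"] == "threat-verdict":
            f["port"] = 1003
    return broken


if __name__ == "__main__":
    for label, ms in (("page templates", MANIFESTS),
                      ("port mismatch", with_port_mismatch(MANIFESTS))):
        problems = check_manifests(ms)
        print(f"{label}: {'consistent' if not problems else str(len(problems)) + ' problem(s)'}")
        for p in problems:
            print("  -", p)
    # Written manifests can be loaded with json.load() from ~/.pilot/setups/ and
    # passed to check_manifests() keyed by hostname in the same way.
```

Run it against the manifests actually written under ~/.pilot/setups/ on each node before Step 4: a handshake that is exchanged for a flow nobody listens on is trust granted for nothing, and a port mismatch is easier to find here than by watching an analyzer that never receives events.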

Workflow Example

# On collector:
pilotctl --json publish <prefix>-analyzer security-event '{"type":"port_scan","source":"203.0.113.42","ports":1024}'
# On analyzer:
pilotctl --json publish <prefix>-enforcer threat-verdict '{"source":"203.0.113.42","severity":"high","action":"block"}'
# On enforcer:
pilotctl --json publish <prefix>-dashboard enforcement-action '{"source":"203.0.113.42","action":"blocked"}'
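The workflow above shows the three messages but not the analyzer's step in between: turning a raw security-event into a threat-verdict. The following is an added example of that step, not code from the skill or from the pilot-event-filter sub-skill. It validates the incoming payload (well-formed JSON, required fields, and a source that is actually an IP address, so that a garbage source never reaches the enforcer's blocklist), classifies it, and builds the pilotctl argv from the workflow example for the enforcer and dashboard hops. The port-count threshold, the "low"/"info" severities, the "monitor" action and the "reason" field are assumptions made for this example; the page itself only shows the high/block case.

```python
"""Analyzer-side verdict logic for the security-event -> threat-verdict hop (added example)."""
import ipaddress
import json
import shlex

# Assumed for this example: a scan touching at least this many ports is blocked outright.
PORT_SCAN_BLOCK_THRESHOLD = 100


def parse_event(raw):
    """Parse one security-event payload; return (event, None) or (None, drop_reason)."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, f"not JSON: {exc.msg}"
    if not isinstance(event, dict):
        return None, "payload is not a JSON object"
    for key in ("type", "source"):
        if key not in event:
            return None, f"missing field {key!r}"
    # The source feeds the enforcer's blocklist, so it must be a real IP literal.
    try:
        ipaddress.ip_address(event["source"])
    except ValueError:
        return None, f"source {event['source']!r} is not an IP address"
    return event, None


def classify(event):
    """Map a validated event to a threat-verdict payload (severity/action are assumed rules)."""
    if event["type"] == "port_scan":
        ports = event.get("ports", 0)
        if not isinstance(ports, int) or ports < 0:
            ports = 0  # malformed count: treat as no evidence rather than as high
        if ports >= PORT_SCAN_BLOCK_THRESHOLD:
            severity, action = "high", "block"
        else:
            severity, action = "low", "monitor"
    else:
        severity, action = "info", "monitor"  # unknown type: surface it, do not enforce
    return {"source": event["source"], "severity": severity, "action": action,
            "reason": event["type"]}


def analyze(raw):
    """Return (verdict, None) for an accepted event or (None, reason) when it is dropped."""
    event, reason = parse_event(raw)
    if event is None:
        return None, reason
    return classify(event), None


def publish_argv(prefix, peer_role, topic, payload):
    """Build the 'pilotctl --json publish <peer> <topic> <json>' command from the page as argv."""
    return ["pilotctl", "--json", "publish", f"{prefix}-{peer_role}", topic,
            json.dumps(payload, separators=(",", ":"))]


def commands_for(raw, prefix="soc"):
    """Commands the analyzer would run for one event: verdict to enforcer, alert to dashboard."""
    verdict, _ = analyze(raw)
    if verdict is None:
        return []
    return [publish_argv(prefix, "enforcer", "threat-verdict", verdict),
            publish_argv(prefix, "dashboard", "threat-alert", verdict)]


if __name__ == "__main__":
    # Constructed sample events: the page's port scan, a small scan, and two malformed payloads.
    samples = [
        '{"type":"port_scan","source":"203.0.113.42","ports":1024}',
        '{"type":"port_scan","source":"198.51.100.7","ports":3}',
        '{"type":"port_scan","source":"evil.example","ports":1024}',
        'not json at all',
    ]
    for raw in samples:
        verdict, reason = analyze(raw)
        if verdict is None:
            print(f"dropped: {reason}")
            continue
        for argv in commands_for(raw):
            print(shlex.join(argv))
```

Dropping an event with a reason, rather than raising, matters here because the collector streams continuously: one malformed line must not stop the analyzer, but it should still be visible in the analyzer's own log so a broken collector (or a deliberately malformed event) is noticed.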

Dependencies

Requires pilot-protocol skill, pilotctl binary, clawhub binary, and a running daemon.

Usage Guidance
This skill is an orchestration recipe that runs pilotctl and clawhub to install many other pilot-* skills and to establish trust between agents. Before installing: (1) verify pilotctl and clawhub are official and trusted binaries for your environment; (2) be aware clawhub will fetch and install additional packages (review their sources and required credentials); (3) understand the handshake behavior (it auto-approves trust when both sides exchange handshakes) and restrict this to isolated or well-segmented networks until you’re confident; (4) expect to supply credentials for connectors like Slack or webhooks at the sub-skill level — confirm how those secrets are stored/used; and (5) inspect the manifests written to ~/.pilot and the network ports (1002) used for internal communications. If any of these points are unacceptable, do not run the orchestration on production hosts without further review.
Capability Analysis
Type: OpenClaw Skill
Name: pilot-security-operations-center-setup
Version: 1.0.0

The skill bundle provides a legitimate orchestration framework for deploying a Security Operations Center (SOC) using the pilot-protocol ecosystem. It defines roles for log collection, threat analysis, enforcement, and visualization, using standard tools like pilotctl and clawhub to manage agent configurations and communication handshakes. No indicators of malicious intent, data exfiltration, or unauthorized command execution were found in SKILL.md or README.md.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
Name/description (SOC setup) align with the declared binaries (pilotctl, clawhub) and the SKILL.md: it installs pilot-* skills, sets hostnames, writes a manifest, and establishes agent handshakes — all expected for a multi‑agent SOC deployment.
Instruction Scope
Instructions are CLI-driven and narrowly scoped to installing sub-skills, setting hostnames, writing a manifest to ~/.pilot/setups/security-operations-center.json, and exchanging handshakes. This is appropriate for the purpose, but the doc explicitly states trust is auto-approved when both sides handshake — a security behavior you should be aware of before enabling on production hosts.
Install Mechanism
The skill is instruction-only (no install spec). It relies on clawhub to fetch and install many other pilot-* skills; that is expected but increases risk surface because clawhub will pull code from external sources. The skill itself does not download or extract archives directly.
Credentials
This skill requests no environment variables, which is reasonable for an orchestrator. However some installed sub-skills referenced (e.g., pilot-slack-bridge, pilot-webhook-bridge) will likely require external credentials/endpoints; the SKILL.md does not document those credential needs — you should be prepared to provide them per sub-skill and confirm safe handling of secrets.
Persistence & Privilege
The skill's "always" flag is false and the skill does not request elevated or system-wide privileges. It writes a manifest under the user's home (~/.pilot) and instructs other agents to exchange handshakes and network traffic on port 1002, which is reasonable for a distributed SOC deployment.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install pilot-security-operations-center-setup
  3. After installation, invoke the skill by name or use /pilot-security-operations-center-setup
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug pilot-security-operations-center-setup
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Pilot Security Operations Center Setup?

Deploy a security operations center pipeline with 4 agents. Use this skill when: 1. User wants to set up a SOC or security monitoring pipeline 2. User is con... It is an AI Agent Skill for Claude Code / OpenClaw, with 64 downloads so far.

How do I install Pilot Security Operations Center Setup?

Run "/install pilot-security-operations-center-setup" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Pilot Security Operations Center Setup free?

Yes, Pilot Security Operations Center Setup is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Pilot Security Operations Center Setup support?

Pilot Security Operations Center Setup is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Pilot Security Operations Center Setup?

It is built and maintained by Calin Teodor (@teoslayer); the current version is v1.0.0.
