← Back to Skills Marketplace
anmolnagpal

Cloudtrail Threat Detector

by Anmol Nagpal · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
406
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install cloudtrail-threat-detector
Description
Analyze AWS CloudTrail logs for suspicious patterns, unauthorized changes, and MITRE ATT&CK indicators
README (SKILL.md)

AWS CloudTrail Threat Detector

You are an AWS threat detection expert. CloudTrail is your primary forensic record — use it to find attackers.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. CloudTrail event export — JSON events from the suspicious time window 
    aws cloudtrail lookup-events \
  --start-time 2025-03-15T00:00:00Z \
  --end-time 2025-03-16T00:00:00Z \
  --output json > cloudtrail-events.json
  2. S3 CloudTrail log download — if CloudTrail writes to S3 
    How to export: S3 Console → your-cloudtrail-bucket → browse to date/region → download .json.gz files and extract
  3. CloudWatch Logs export — if CloudTrail is integrated with CloudWatch Logs 
    aws logs filter-log-events \
  --log-group-name CloudTrail/DefaultLogGroup \
  --start-time 1709251200000 \
  --end-time 1709337600000

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudtrail:LookupEvents", "cloudtrail:GetTrail", "logs:FilterLogEvents", "logs:GetLogEvents"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe: the suspicious activity observed, which account and region, approximate time, and what resources may have been affected.

High-Risk Event Patterns

  • ConsoleLogin with additionalEventData.MFAUsed = No from root account
  • CreateAccessKey, CreateLoginProfile, UpdateAccessKey — credential creation
  • AttachUserPolicy, AttachRolePolicy with AdministratorAccess
  • PutBucketPolicy or PutBucketAcl making bucket public
  • DeleteTrail, StopLogging, UpdateTrail — defense evasion
  • RunInstances with large instance types from unfamiliar IP
  • AssumeRoleWithWebIdentity from unusual source
  • Rapid succession of GetSecretValue or DescribeSecretRotationPolicy calls
  • DescribeInstances + DescribeSecurityGroups from external IP — recon pattern

Steps

  1. Parse CloudTrail events — identify the who, what, when, where
  2. Flag events matching high-risk patterns
  3. Chain related events into attack timeline
  4. Map to MITRE ATT&CK Cloud techniques
  5. Recommend containment actions per finding

Output Format

  • Threat Summary: number of critical/high/medium findings
  • Incident Timeline: chronological sequence of suspicious events
  • Findings Table: event, principal, source IP, time, MITRE technique
  • Attack Narrative: plain-English story of what the attacker did
  • Containment Actions: immediate steps (revoke key, isolate instance, etc.)
  • Detection Gaps: CloudWatch alerts missing that would have caught this sooner

Rules

  • Always correlate unusual API calls with source IP geolocation
  • Flag any root account usage — root should never be used operationally
  • Note: failed API calls followed by success = credential stuffing or permission escalation attempt
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
Usage Guidance
This skill is coherent and low-risk in how it is described, but before installing or using it: (1) only share the minimum logs needed and prefer redacted samples if possible (CloudTrail may include AccessKeyId, ARNs, or resource identifiers); (2) confirm whether IP geolocation lookups are allowed — they may involve external network calls to third-party services; (3) provide data via a secure channel, not public paste sites; (4) if you need the agent to run any local commands (the header lists 'bash'), confirm what will be executed and that no AWS credentials or unredacted secrets will be processed. If you want stronger assurance, request the skill author or publisher metadata (homepage/source) before trusting any uploaded data.
Capability Analysis
Type: OpenClaw Skill Name: cloudtrail-threat-detector Version: 1.0.0 The skill is designed for AWS CloudTrail threat detection, explicitly stating it is 'instruction-only' and 'does not execute any AWS CLI commands or access your AWS account directly.' It guides users to provide exported, read-only data and includes clear instructions for the AI agent in SKILL.md to 'Never ask for credentials, access keys, or secret keys' and to 'confirm no credentials are included before processing.' All provided CLI commands are read-only, and the overall design focuses on analysis without any execution or data exfiltration capabilities.
Capability Assessment
Purpose & Capability
Name/description (CloudTrail threat detection) align with the SKILL.md: it asks for CloudTrail/CloudWatch/S3 exports and gives analysis steps. It does not request unrelated credentials, binaries, or installs.
Instruction Scope
Instructions keep scope to user-provided CloudTrail data and analysis. Two minor points to be aware of: (1) a rule asks to 'correlate unusual API calls with source IP geolocation' — this implies the agent may perform external IP lookups (not detailed in the doc); (2) the header lists 'bash' as a tool while the skill also states it will not run AWS CLI against the user's account (the bash tool is plausibly for processing uploaded files locally, but this duality is worth noting).
Install Mechanism
No install spec and no code files (instruction-only). Lowest-risk delivery model: nothing is downloaded or written to disk by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. It explicitly instructs it will not ask for secrets and asks users to sanitize pasted data. CloudTrail exports can contain AccessKeyId/ARNs and other identifiers (not secret keys) — users should be aware and redact if desired.
Persistence & Privilege
'always' is false and the skill is user-invocable; it does not request persistent privileges or modify other skills or system settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cloudtrail-threat-detector
  3. After installation, invoke the skill by name or use /cloudtrail-threat-detector
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of AWS CloudTrail Threat Detector skill. - Provides expert guidance to analyze AWS CloudTrail logs for suspicious activities and MITRE ATT&CK indicators. - Accepts CloudTrail event exports, S3 log downloads, or CloudWatch Logs exports as input (user-supplied data only). - Highlights high-risk event patterns such as unauthorized root usage, credential creation, privilege escalation, and defense evasion. - Delivers findings as a threat summary, incident timeline, detailed table, attack narrative, and containment recommendations. - Does not execute commands or access AWS accounts directly—strictly instruction and analysis based on provided data.
Metadata
Slug cloudtrail-threat-detector
Version 1.0.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is Cloudtrail Threat Detector?

Analyze AWS CloudTrail logs for suspicious patterns, unauthorized changes, and MITRE ATT&CK indicators. It is an AI Agent Skill for Claude Code / OpenClaw, with 406 downloads so far.

How do I install Cloudtrail Threat Detector?

Run "/install cloudtrail-threat-detector" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Cloudtrail Threat Detector free?

Yes, Cloudtrail Threat Detector is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Cloudtrail Threat Detector support?

Cloudtrail Threat Detector is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Cloudtrail Threat Detector?

It is built and maintained by Anmol Nagpal (@anmolnagpal); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments