
Soc Deploy Misp

by Solomon Neas · GitHub · v1.0.0 · MIT-0
cross-platform · security scan: clean · 155 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw
/install soc-deploy-misp
Description
Deploy MISP threat intelligence platform on any Docker-ready Linux host. Official misp-docker project with automatic MariaDB memory tuning (prevents OOM on s...
README (SKILL.md)

SOC Deploy: MISP (Malware Information Sharing Platform)

Deploy MISP threat intelligence platform on any Docker-ready Linux host using the official misp-docker project.

This skill does NOT create VMs. It expects an SSH target with Docker installed. Use hyperv-create-vm or proxmox-create-vm first if you need infrastructure.

When to Use

  • "deploy misp"
  • "set up misp"
  • "install misp"
  • "threat intel platform"
  • "ioc sharing platform"

User Inputs

Parameter                   Default              Required
SSH target                  -                    Yes (user@host)
Admin email                 [email protected]    No
Admin password              ChangeMe123!         No
Host RAM (for buffer pool)  4GB                  No

Prerequisites Check

# SSH works
ssh <target> "echo OK"

# Docker + Compose v2
ssh <target> "docker --version && docker compose version"

# RAM check (need 3GB+ free)
ssh <target> "free -h | grep Mem"

Execution

Single command deployment

scp scripts/setup.sh <target>:~/
ssh <target> "bash ~/setup.sh '[email protected]' '<password>'"

What setup.sh does

  1. Clone official misp-docker from GitHub
  2. Configure .env:
    • MISP_BASEURL, MISP_ADMIN_EMAIL, MISP_ADMIN_PASSPHRASE
    • Generate random MySQL passwords
    • Set INNODB_BUFFER_POOL_SIZE based on host RAM (CRITICAL)
  3. docker compose up -d
  4. Poll for MISP readiness (5-10 min on first boot for DB migrations)
  5. Generate API key via cake CLI:
       docker compose exec -T misp /var/www/MISP/app/Console/cake user change_authkey <email>
  6. Verify API with /servers/getVersion
  7. Save credentials to ~/misp/api-key.txt

Output to User

MISP deployed!

URL: https://<target>
Admin: [email protected] / <password>
API Key: <key>

MCP Connection:
  MISP_URL=https://<target>
  MISP_API_KEY=<key>
  MISP_VERIFY_SSL=false

Note: Self-signed HTTPS. Use curl -k for API calls.
Credentials saved to: ~/misp/api-key.txt

InnoDB Buffer Pool Sizing

The #1 failure on small VMs. The upstream default buffer pool is 2GB, which leaves no headroom for the MISP, Redis and misp-modules containers on a 4GB host, so MariaDB is OOM-killed. setup.sh picks the value from the host RAM it detects:

Host RAM   INNODB_BUFFER_POOL_SIZE
4 GB       512M
8 GB       2048M
16 GB      4096M
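The seven setup.sh steps above and this sizing table, as one added example in POSIX shell. It is not the skill's own scripts/setup.sh and not code from the misp-docker project; it re-implements the flow the README describes so the sizing, .env and polling helpers can be checked on any machine without Docker. Assumptions not taken from the page: the template.env file name in the clone, the /users/login readiness probe, the 40-character authkey format, the 256M pool for hosts under 4 GiB, and the compose service name (taken from the page's own exec command, but confirm it with docker compose ps).

```shell
#!/bin/sh
# Added example, not the skill's setup.sh: the README's deployment flow with
# the helpers factored out so they can be run without Docker.
set -eu

MISP_SERVICE="${MISP_SERVICE:-misp}"   # assumption: service name used by this page's exec command

# Map host RAM (MiB) to INNODB_BUFFER_POOL_SIZE using the README's table.
# Thresholds sit below the nominal sizes because meminfo reports slightly
# less than the VM's configured RAM (about 3900 MiB on a "4 GB" VM).
innodb_pool_for_mib() {
  mib="$1"
  if   [ "$mib" -ge 15000 ]; then echo 4096M
  elif [ "$mib" -ge 7500  ]; then echo 2048M
  elif [ "$mib" -ge 3500  ]; then echo 512M
  else                            echo 256M     # assumption: hosts under 4 GiB
  fi
}

# Total host RAM in MiB from /proc/meminfo (kB), falling back to `free -m`.
host_mib() {
  if [ -r /proc/meminfo ]; then
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' /proc/meminfo
  else
    free -m | awk '/^Mem:/ { print $2 }'
  fi
}

# 48 hex characters from the kernel RNG: no shell- or compose-special
# characters, so the value is safe inside .env without quoting.
gen_secret() {
  dd if=/dev/urandom bs=24 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Set KEY=VALUE in an env file: drop any existing KEY= line, append the new
# one. grep/printf rather than sed, so '&', '|' or '/' in a password cannot
# be misread as sed metacharacters.
set_env_key() {
  file="$1" key="$2" value="$3"
  [ -f "$file" ] || : > "$file"
  grep -v "^$key=" "$file" > "$file.tmp" || true   # grep -v exits 1 when nothing is left
  printf '%s=%s\n' "$key" "$value" >> "$file.tmp"
  mv "$file.tmp" "$file"
}

# Step 2: the keys this README lists plus the MariaDB tuning. Confirm the key
# names against template.env in the clone. The file holds secrets, so it is
# left owner-readable only.
configure_env() {
  file="$1" baseurl="$2" email="$3" pass="$4" pool="$5"
  set_env_key "$file" MISP_BASEURL "$baseurl"
  set_env_key "$file" MISP_ADMIN_EMAIL "$email"
  set_env_key "$file" MISP_ADMIN_PASSPHRASE "$pass"
  set_env_key "$file" MYSQL_PASSWORD "$(gen_secret)"
  set_env_key "$file" MYSQL_ROOT_PASSWORD "$(gen_secret)"
  set_env_key "$file" INNODB_BUFFER_POOL_SIZE "$pool"
  chmod 600 "$file"
}

# Step 4: run a probe command every $2 seconds until it succeeds or $1
# seconds have passed; returns 1 on timeout so the caller can bail out.
wait_until() {
  timeout="$1" interval="$2"; shift 2
  elapsed=0
  while ! "$@" >/dev/null 2>&1; do
    elapsed=$((elapsed + interval))
    if [ "$elapsed" -ge "$timeout" ]; then return 1; fi
    sleep "$interval"
  done
}

# Steps 1, 3, 5, 6 and 7; only runs when invoked as `setup.sh deploy <email> <password> [url]`.
deploy() {
  email="$1" pass="$2"
  base="${3:-https://$(hostname -f 2>/dev/null || hostname)}"
  mkdir -p "$HOME/misp" && cd "$HOME/misp"
  [ -d misp-docker ] || git clone https://github.com/MISP/misp-docker.git
  cd misp-docker
  [ -f .env ] || cp template.env .env            # assumption: upstream template file name
  configure_env .env "$base" "$email" "$pass" "$(innodb_pool_for_mib "$(host_mib)")"
  docker compose up -d
  # First boot runs the schema migrations: allow 15 min, probing every 15 s.
  wait_until 900 15 curl -ksf -o /dev/null "$base/users/login" ||
    { echo "MISP not ready after 15 min; inspect with: docker compose logs" >&2; return 1; }
  key="$(docker compose exec -T "$MISP_SERVICE" /var/www/MISP/app/Console/cake user change_authkey "$email" |
         grep -oE '[A-Za-z0-9]{40}' | tail -n 1)"
  # -k because the stack ships a self-signed certificate; Authorization carries the raw key.
  curl -ksf -H "Authorization: $key" -H 'Accept: application/json' "$base/servers/getVersion" >/dev/null
  ( umask 077; printf 'MISP_URL=%s\nMISP_API_KEY=%s\n' "$base" "$key" > "$HOME/misp/api-key.txt" )
  echo "MISP deployed at $base; API key saved to ~/misp/api-key.txt (mode 600)"
}

if [ "${1:-}" = deploy ]; then
  shift
  deploy "$@"
fi
```

Without the deploy argument the script only defines its functions, so `innodb_pool_for_mib "$(host_mib)"` and `configure_env` can be tried on a scratch file before touching a real host. Two deliberate differences from the README's flow: .env and api-key.txt are created with mode 600 rather than the user's default umask, and a readiness timeout returns non-zero instead of generating a key against a half-migrated database.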

Critical Gotchas

See references/gotchas.md for full details:

  1. MariaDB OOM (showstopper): Default InnoDB buffer pool is 2GB. On 4GB hosts, MariaDB crashes instantly. MUST set INNODB_BUFFER_POOL_SIZE in .env
  2. Recovery from OOM: docker compose down -v to wipe the failed DB volume, fix .env, restart. The -v flag deletes every volume in the stack, so use it only on a first boot that never finished; on an instance that already holds data, fix .env and restart without -v
  3. First boot is slow: 5-10 min for DB schema creation and initial data load
  4. Self-signed HTTPS: Use curl -k for all API calls
  5. Advanced authkeys: Enabled by default. cake CLI is the most reliable key generation method
  6. MISP web UI: https://<ip> (port 443, not 80)

Timeout Strategy

Total: ~12-15 min (docker pull + first boot + setup). Split:

  • Turn 1: Clone, configure, docker compose up -d (~3 min + pull time)
  • Turn 2: Wait for health + generate API key (~5-7 min)

Pairs With

  • hyperv-create-vm - create a Hyper-V VM, then deploy MISP on it
  • proxmox-create-vm - create a Proxmox LXC/VM, then deploy MISP on it
  • soc-deploy-thehive - deploy TheHive alongside for case management
Usage Guidance
This skill appears to do what it says, but review and validate before use:
  1. Ensure you run setup.sh on a trusted target host with Docker and Compose v2 installed (the script expects git, docker, curl, openssl, etc.).
  2. Provide a strong admin password and consider not using the defaults.
  3. The script saves MySQL credentials and the MISP API key in plaintext at ~/misp/api-key.txt and in .env; move these to a secure secrets store or restrict access on the host.
  4. Verify the cloned repo URL and inspect the upstream misp-docker repo (and any changes applied) before running.
  5. For production, replace self-signed certs and avoid exposing the host publicly until you've hardened the instance.
If you want higher assurance, ask the author for an explicit list of required host binaries and confirm the GitHub repo/commit used by the script.
Capability Analysis
Type: OpenClaw Skill Name: soc-deploy-misp Version: 1.0.0 The skill bundle provides a legitimate and well-documented automation for deploying the MISP threat intelligence platform via the official misp-docker repository. It includes specific logic in `scripts/setup.sh` to calculate MariaDB memory tuning (INNODB_BUFFER_POOL_SIZE) to prevent common OOM errors on small VMs and uses the internal `cake` CLI for secure API key generation. No evidence of data exfiltration, malicious persistence, or prompt injection was found; all actions are transparently aligned with the stated purpose of SOC infrastructure deployment.
Capability Assessment
Purpose & Capability
The skill's name/description match what the code does: cloning the official misp-docker repo, configuring .env, tuning InnoDB buffer pool, running docker compose, and generating an API key. Minor inconsistency: the manifest lists no required binaries, but the SKILL.md and scripts clearly expect git, docker (compose v2), curl, openssl, sed/grep/hostname, and ssh/scp for deployment.
Instruction Scope
Instructions stay within deployment scope: copy and run setup.sh on the target host, poll local endpoints, generate API key via cake CLI inside the container, and save credentials to ~/misp/api-key.txt. Nothing in the instructions reads or transmits unrelated system credentials or posts data to external endpoints.
Install Mechanism
No install spec is included (instruction-only) and the script clones the official GitHub repo (https://github.com/MISP/misp-docker.git). No downloads from unknown hosts or extract-from-arbitrary-URLs are used.
Credentials
The skill does not request external credentials (good). It generates and writes sensitive secrets (MySQL root/user passwords, admin password, API key) into the repo .env and into a plaintext file in the target user's home directory. This is expected for deployment, but users should be aware that credentials are stored in cleartext by default.
Persistence & Privilege
The skill does not request permanent platform privileges (always:false). It creates files under the target user's home (~/misp, ~/misp/misp-docker) and .env there, which is appropriate for a deploy script and does not modify other skills or global agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install soc-deploy-misp
  3. After installation, invoke the skill by name or use /soc-deploy-misp
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of soc-deploy-misp: deploy MISP threat intelligence platform via Docker with automatic MariaDB tuning.
  • Deploys MISP on any Docker-ready Linux host, using the official misp-docker project.
  • Automatically tunes MariaDB InnoDB buffer pool to avoid OOM on small VMs.
  • Handles admin account setup, credential generation, and API key creation with cake CLI.
  • Outputs all access details, API keys, and credentials upon completion.
  • Includes clear prerequisites, timeout strategy, and self-signed HTTPS warnings for API use.
  • Designed to work alongside infrastructure provisioning and related SOC automation skills.
Metadata
Slug soc-deploy-misp
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Soc Deploy Misp?

Deploy MISP threat intelligence platform on any Docker-ready Linux host. Official misp-docker project with automatic MariaDB memory tuning (prevents OOM on s... It is an AI Agent Skill for Claude Code / OpenClaw, with 155 downloads so far.

How do I install Soc Deploy Misp?

Run "/install soc-deploy-misp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Soc Deploy Misp free?

Yes, Soc Deploy Misp is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Soc Deploy Misp support?

Soc Deploy Misp is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Soc Deploy Misp?

It is built and maintained by Solomon Neas (@solomonneas); the current version is v1.0.0.
