← Back to Skills Marketplace

Guardduty Explainer

Name: Guardduty Explainer
Author: anmolnagpal

by Anmol Nagpal · GitHub ↗ · v1.0.0

cross-platform ✓ Security Clean

293

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install guardduty-explainer

Description

Translate GuardDuty findings into plain-English incident summaries with actionable response steps

README (SKILL.md)

AWS GuardDuty Finding Explainer & Responder

You are an AWS threat response expert. Turn raw GuardDuty JSON into instant incident action plans.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

GuardDuty finding JSON — paste directly from the console or export via CLI

aws guardduty get-findings \
  --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
  --finding-ids \x3Cfinding-id> \
  --output json

List of active GuardDuty findings — all findings at severity ≥ 4

aws guardduty list-findings \
  --detector-id $(aws guardduty list-detectors --query 'DetectorIds[0]' --output text) \
  --finding-criteria '{"Criterion":{"severity":{"Gte":4}}}' \
  --output json

GuardDuty findings export from console — for bulk analysis

How to export: AWS Console → GuardDuty → Findings → Actions → Export findings → S3 → download JSON

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["guardduty:ListFindings", "guardduty:GetFindings", "guardduty:ListDetectors"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to paste the GuardDuty finding text from the console "Details" panel, or describe the alert title and severity.

Steps

Parse GuardDuty finding JSON — extract type, severity, resource, and actor
Explain what happened in plain English
Assess false positive likelihood
Map to MITRE ATT&CK technique
Generate prioritized response playbook

GuardDuty Finding Types Covered

UnauthorizedAccess:EC2/SSHBruteForce — SSH brute force on EC2
CryptoCurrency:EC2/BitcoinTool.B!DNS — crypto-mining activity
Trojan:EC2/BlackholeTraffic — C2 communication
Recon:IAMUser/MaliciousIPCaller — API calls from known malicious IP
PrivilegeEscalation:IAMUser/AnomalousBehavior — unusual privilege activity
Stealth:IAMUser/PasswordPolicyChange — weakening account password policy
Exfiltration:S3/ObjectRead.Unusual — unusual S3 data access
EKS, RDS, Lambda, and Malware Protection findings

Output Format

Slack/PagerDuty Alert: one-liner with severity emoji
Plain-English Explanation: what happened, why it's dangerous
False Positive Assessment: likelihood (Low/Medium/High) with reasoning
MITRE ATT&CK: technique ID + name
Response Playbook: ordered steps (Contain → Investigate → Remediate → Harden)
AWS CLI Commands: for isolation, credential revocation, instance quarantine

Rules

Severity: Critical (7.0-8.9) → immediate response; High (4.0-6.9) → same day
Always include an "If false positive" path in the playbook
Note finding age — findings > 24 hours old without response need escalation
Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
If user pastes raw data, confirm no credentials are included before processing

Usage Guidance

This skill appears coherent and useful, but follow these precautions before using it: (1) Never paste AWS credentials, secret keys, or long logs that might contain secrets — scrub findings first. (2) Treat any generated AWS CLI commands as suggestions: review and run them from a trusted shell with appropriate permissions (prefer least-privilege, staging, or read-only where possible). (3) Validate suggested containment/remediation steps against your organization's runbooks and incident response policies. (4) For bulk or sensitive findings, consider sharing only minimally redacted JSON or using internal tools to extract the relevant fields before pasting.

Capability Analysis

Type: OpenClaw Skill Name: guardduty-explainer Version: 1.0.0 The skill is explicitly designed as 'instruction-only' and states it 'does not execute any AWS CLI commands or access your AWS account directly.' It guides the user on how to provide read-only GuardDuty findings and instructs the AI agent to analyze this data, generate incident summaries, and suggest response playbooks, including AWS CLI commands for the *user* to execute. Crucially, it includes rules for the agent to 'Never ask for credentials, access keys, or secret keys' and to 'confirm no credentials are included' in user-pasted data, indicating a strong intent to prevent credential exposure. All instructions in SKILL.md align with a helpful, read-only analytical tool.

Capability Assessment

✓ Purpose & Capability

The name/description match the behavior: it asks for GuardDuty JSON and produces explanations and playbooks. It does not request credentials, unrelated environment variables, or unexpected binaries. Example AWS CLI commands and minimal read-only IAM actions are appropriate for the stated task.

✓ Instruction Scope

SKILL.md confines runtime actions to analyzing user-provided GuardDuty JSON and producing outputs (alerts, playbooks, suggested AWS CLI commands). It explicitly states it will not call AWS or require credentials and instructs the agent to confirm pasted data contains no credentials before processing.

✓ Install Mechanism

No install spec or code files are present; the skill is instruction-only so there is no disk install risk.

✓ Credentials

No environment variables, config paths, or credentials are requested. The minimal IAM permissions shown are read-only and are appropriate examples for retrieving findings; the skill instructs users not to share keys.

✓ Persistence & Privilege

always is false, no privileged persistent presence is requested, and the skill does not modify other skills or system-wide settings.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install guardduty-explainer
After installation, invoke the skill by name or use /guardduty-explainer
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- Initial release of the AWS GuardDuty Explainer skill. - Translates GuardDuty JSON findings into clear incident summaries with actionable response steps. - Supports findings for EC2, EKS, RDS, Lambda, Malware Protection, and more. - Provides plain-English explanations, severity assessments, MITRE ATT&CK mapping, and prioritized response playbooks. - Requires only exported/console data (never credentials); read-only analysis. - Output includes alert summaries, false positive assessment, CLI isolation commands, and escalation guidance.

Metadata

Slug guardduty-explainer

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Guardduty Explainer?

Translate GuardDuty findings into plain-English incident summaries with actionable response steps. It is an AI Agent Skill for Claude Code / OpenClaw, with 293 downloads so far.

How do I install Guardduty Explainer?

Run "/install guardduty-explainer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Guardduty Explainer free?

Yes, Guardduty Explainer is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Guardduty Explainer support?

Guardduty Explainer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Guardduty Explainer?

It is built and maintained by Anmol Nagpal (@anmolnagpal); the current version is v1.0.0.

More Skills