
Pilot Threat Intelligence Setup

by Calin Teodor · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · Security: Clean
59 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw: /install pilot-threat-intelligence-setup
Description
Deploy a threat intelligence platform with 4 agents. Use this skill when: 1. User wants to set up a threat intelligence pipeline for IOC collection and distr...
README (SKILL.md)

Threat Intelligence Setup

Deploy 4 agents: collector, enricher, analyzer, and distributor.

Roles

collector
  Hostname: <prefix>-collector
  Skills: pilot-stream-data, pilot-cron, pilot-archive
  Purpose: Aggregates threat feeds from OSINT, honeypots, CVE databases

enricher
  Hostname: <prefix>-enricher
  Skills: pilot-dataset, pilot-task-router, pilot-event-filter
  Purpose: Correlates IOCs, enriches with WHOIS/GeoIP, maps to MITRE

analyzer
  Hostname: <prefix>-analyzer
  Skills: pilot-metrics, pilot-consensus, pilot-alert
  Purpose: Scores severity, identifies campaigns and APT groups

distributor
  Hostname: <prefix>-distributor
  Skills: pilot-webhook-bridge, pilot-announce, pilot-audit-log
  Purpose: Publishes STIX/TAXII feeds, pushes IOCs to SIEM

Setup Procedure

Step 1: Ask the user which role this agent should play and what prefix to use.

Step 2: Install the skills for the chosen role:

# For collector:
clawhub install pilot-stream-data pilot-cron pilot-archive
# For enricher:
clawhub install pilot-dataset pilot-task-router pilot-event-filter
# For analyzer:
clawhub install pilot-metrics pilot-consensus pilot-alert
# For distributor:
clawhub install pilot-webhook-bridge pilot-announce pilot-audit-log

Step 3: Set the hostname and write the manifest to ~/.pilot/setups/threat-intelligence.json.

Step 4: Tell the user to initiate handshakes with the peers for their role.

Manifest Templates Per Role

collector

{
  "setup": "threat-intelligence",
  "role": "collector",
  "role_name": "Intel Collector",
  "hostname": "<prefix>-collector",
  "skills": {
    "pilot-stream-data": "Ingest real-time threat feeds from OSINT and honeypots.",
    "pilot-cron": "Schedule periodic CVE database and dark web scans.",
    "pilot-archive": "Store raw indicator history for retrospective analysis."
  },
  "data_flows": [
    { "direction": "send", "peer": "<prefix>-enricher", "port": 1002, "topic": "raw-ioc", "description": "Normalized IOCs from threat feeds" }
  ],
  "handshakes_needed": ["<prefix>-enricher"]
}

enricher

{
  "setup": "threat-intelligence",
  "role": "enricher",
  "role_name": "Threat Enricher",
  "hostname": "<prefix>-enricher",
  "skills": {
    "pilot-dataset": "Cross-reference IOCs against known threat databases.",
    "pilot-task-router": "Route enrichment tasks to specialized lookup services.",
    "pilot-event-filter": "Filter low-confidence indicators before analysis."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-collector", "port": 1002, "topic": "raw-ioc", "description": "Raw IOCs to enrich" },
    { "direction": "send", "peer": "<prefix>-analyzer", "port": 1002, "topic": "enriched-ioc", "description": "IOCs with WHOIS, GeoIP, MITRE context" }
  ],
  "handshakes_needed": ["<prefix>-collector", "<prefix>-analyzer"]
}

analyzer

{
  "setup": "threat-intelligence",
  "role": "analyzer",
  "role_name": "Threat Analyzer",
  "hostname": "<prefix>-analyzer",
  "skills": {
    "pilot-metrics": "Track threat volumes, severity distribution, and response times.",
    "pilot-consensus": "Correlate multi-source verdicts for high-confidence scoring.",
    "pilot-alert": "Emit critical threat alerts for immediate action."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-enricher", "port": 1002, "topic": "enriched-ioc", "description": "Enriched IOCs to analyze" },
    { "direction": "send", "peer": "<prefix>-distributor", "port": 1002, "topic": "threat-verdict", "description": "Scored verdicts with campaign attribution" }
  ],
  "handshakes_needed": ["<prefix>-enricher", "<prefix>-distributor"]
}

distributor

{
  "setup": "threat-intelligence",
  "role": "distributor",
  "role_name": "Intel Distributor",
  "hostname": "<prefix>-distributor",
  "skills": {
    "pilot-webhook-bridge": "Push IOC updates to firewalls, IDS, and SIEM.",
    "pilot-announce": "Broadcast threat advisories to subscribed consumers.",
    "pilot-audit-log": "Log all published intelligence with distribution timestamps."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-analyzer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts to distribute" },
    { "direction": "send", "peer": "external", "port": 443, "topic": "threat-feed", "description": "STIX/TAXII feeds to security infrastructure" }
  ],
  "handshakes_needed": ["<prefix>-analyzer"]
}

Data Flows

  • collector -> enricher : raw IOCs normalized from threat feeds (port 1002)
  • enricher -> analyzer : enriched IOCs with context and confidence scores (port 1002)
  • analyzer -> distributor : threat verdicts with severity and campaign data (port 1002)
  • distributor -> external : published threat feeds to security infrastructure (port 443)
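Before the four manifests are written to ~/.pilot/setups/ and handshakes are initiated, it is worth checking that they agree with each other: every send has a matching receive on the peer (same topic, same port), and each role's handshakes_needed lists exactly the peers it exchanges data with, all under the chosen prefix, so that no stray host is trusted. The script below is an added example, not part of the skill or its author's code. It reproduces the page's templates with the placeholder prefix filled in as "ti" (an assumed value) and omits the skill descriptions, which the check does not need.

```python
"""Cross-check the four role manifests before writing them to ~/.pilot/setups/.

Added example, not part of the skill. MANIFESTS reproduces the page's templates
with the placeholder prefix filled in as "ti" (an assumed value); the skill
descriptions are omitted because the check only looks at hostnames, data flows
and handshakes.
"""
import copy

PREFIX = "ti"  # assumed prefix; the skill asks the user for this value


def _flow(direction, peer, topic, port=1002):
    return {"direction": direction, "peer": peer, "port": port, "topic": topic}


# Constructed from the four manifest templates on the page.
MANIFESTS = {
    "collector": {
        "hostname": f"{PREFIX}-collector",
        "data_flows": [_flow("send", f"{PREFIX}-enricher", "raw-ioc")],
        "handshakes_needed": [f"{PREFIX}-enricher"],
    },
    "enricher": {
        "hostname": f"{PREFIX}-enricher",
        "data_flows": [
            _flow("receive", f"{PREFIX}-collector", "raw-ioc"),
            _flow("send", f"{PREFIX}-analyzer", "enriched-ioc"),
        ],
        "handshakes_needed": [f"{PREFIX}-collector", f"{PREFIX}-analyzer"],
    },
    "analyzer": {
        "hostname": f"{PREFIX}-analyzer",
        "data_flows": [
            _flow("receive", f"{PREFIX}-enricher", "enriched-ioc"),
            _flow("send", f"{PREFIX}-distributor", "threat-verdict"),
        ],
        "handshakes_needed": [f"{PREFIX}-enricher", f"{PREFIX}-distributor"],
    },
    "distributor": {
        "hostname": f"{PREFIX}-distributor",
        "data_flows": [
            _flow("receive", f"{PREFIX}-analyzer", "threat-verdict"),
            _flow("send", "external", "threat-feed", port=443),
        ],
        "handshakes_needed": [f"{PREFIX}-analyzer"],
    },
}


def check_manifests(manifests: dict, prefix: str) -> list[str]:
    """Return a list of inconsistencies; an empty list means the set is coherent."""
    problems: list[str] = []
    by_host = {m["hostname"]: m for m in manifests.values()}

    for role, m in manifests.items():
        host = m["hostname"]
        if host != f"{prefix}-{role}":
            problems.append(f"{role}: hostname {host!r} should be {prefix}-{role}")

        internal_peers: set[str] = set()
        for flow in m["data_flows"]:
            peer = flow["peer"]
            if peer == "external":  # the distributor's outbound feed has no peer manifest
                continue
            internal_peers.add(peer)
            if not peer.startswith(prefix + "-"):
                problems.append(f"{role}: peer {peer!r} is outside prefix {prefix!r}")
            other = by_host.get(peer)
            if other is None:
                problems.append(f"{role}: peer {peer!r} has no manifest")
                continue
            # A send must be mirrored by a receive (and vice versa) with the same topic and port.
            want = "receive" if flow["direction"] == "send" else "send"
            mirrored = any(
                f["peer"] == host and f["direction"] == want
                and f["topic"] == flow["topic"] and f["port"] == flow["port"]
                for f in other["data_flows"]
            )
            if not mirrored:
                problems.append(f"{role}: {peer} has no {want} of {flow['topic']!r} on port {flow['port']}")

        # Handshakes must be exactly the internal peers this role exchanges data with.
        declared = set(m["handshakes_needed"])
        for extra in sorted(declared - internal_peers):
            problems.append(f"{role}: handshake with {extra!r} is not backed by any data flow")
        for missing in sorted(internal_peers - declared):
            problems.append(f"{role}: data flow with {missing!r} but no handshake declared")

    return problems


def tampered(manifests: dict, role: str, edit) -> dict:
    """Deep copy of the manifests with `edit(manifest)` applied to one role's entry."""
    result = copy.deepcopy(manifests)
    edit(result[role])
    return result


if __name__ == "__main__":
    print(check_manifests(MANIFESTS, PREFIX))  # a coherent set prints []
    stray = tampered(MANIFESTS, "collector", lambda m: m["handshakes_needed"].append("vendor-host"))
    print(check_manifests(stray, PREFIX))
```

Run it against the manifests actually generated for a deployment (load each JSON file into the dict in place of MANIFESTS); a handshake that no data flow justifies, or a topic renamed on only one side of a hop, shows up as a listed problem before any peer is trusted.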

Workflow Example

# On collector -- forward raw IOC:
pilotctl --json publish <prefix>-enricher raw-ioc '{"type":"ip","value":"198.51.100.23","source":"honeypot-east","tags":["c2","cobalt-strike"]}'
# On enricher -- forward enriched IOC:
pilotctl --json publish <prefix>-analyzer enriched-ioc '{"type":"ip","value":"198.51.100.23","whois":{"asn":"AS62904","country":"RU"},"mitre":["T1071.001"],"confidence":0.87}'
# On analyzer -- send verdict:
pilotctl --json publish <prefix>-distributor threat-verdict '{"ioc":"198.51.100.23","severity":"critical","campaign":"APT-THUNDER-BEAR","action":"block"}'
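Each hop in this workflow is a trust boundary: the enricher acts on whatever the collector publishes, the distributor pushes whatever verdict the analyzer sends, and a malformed or out-of-range payload (an unparseable indicator, a confidence above 1, an unknown action) should be rejected rather than forwarded to firewalls and SIEMs. The script below is an added example, not code from the skill; it validates the three sample payloads from the workflow above against field rules inferred from them. The allowed severity and action sets, and the restriction to "ip" indicators, are assumptions rather than a documented pilot contract, and the script shells out only to python3 for JSON parsing.

```shell
#!/bin/sh
# Added example, not part of the skill. Validates published payloads per topic
# before a receiving agent acts on them. Field rules are inferred from the
# page's workflow example; SEVERITIES/ACTIONS are assumed sets. Requires python3.

SEVERITIES="low medium high critical"   # assumed
ACTIONS="block monitor ignore"          # assumed

# Payloads taken from the workflow example on the page.
RAW='{"type":"ip","value":"198.51.100.23","source":"honeypot-east","tags":["c2","cobalt-strike"]}'
ENRICHED='{"type":"ip","value":"198.51.100.23","whois":{"asn":"AS62904","country":"RU"},"mitre":["T1071.001"],"confidence":0.87}'
VERDICT='{"ioc":"198.51.100.23","severity":"critical","campaign":"APT-THUNDER-BEAR","action":"block"}'

# json_field PAYLOAD DOTTED.PATH -> prints the value (lists joined by spaces), or "__missing__".
json_field() {
    printf '%s' "$1" | python3 -c '
import json, sys
try:
    obj = json.load(sys.stdin)
except ValueError:
    sys.exit(2)
for key in sys.argv[1].split("."):
    if not isinstance(obj, dict) or key not in obj:
        print("__missing__"); sys.exit(0)
    obj = obj[key]
if isinstance(obj, bool):
    print("__bool__")
elif isinstance(obj, list):
    print(" ".join(str(x) for x in obj))
else:
    print(obj)
' "$2" 2>/dev/null
}

is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

in_set() { for item in $2; do [ "$1" = "$item" ] && return 0; done; return 1; }

# validate_message TOPIC PAYLOAD -> prints one problem per line; exit 0 if none.
validate_message() {
    topic=$1 payload=$2 problems=0
    fail() { echo "$1"; problems=$((problems + 1)); }
    json_field "$payload" type >/dev/null 2>&1 || { echo "not valid JSON"; return 1; }
    case $topic in
    raw-ioc|enriched-ioc)
        [ "$(json_field "$payload" type)" = "ip" ] || fail "type must be 'ip'"
        is_ipv4 "$(json_field "$payload" value)" || fail "value is not an IPv4 address"
        ;;
    esac
    case $topic in
    raw-ioc)
        src=$(json_field "$payload" source)
        { [ -n "$src" ] && [ "$src" != "__missing__" ]; } || fail "source must be non-empty"
        ;;
    enriched-ioc)
        printf '%s' "$(json_field "$payload" whois.asn)" | grep -Eq '^AS[0-9]+$' || fail "whois.asn must look like AS<number>"
        printf '%s' "$(json_field "$payload" whois.country)" | grep -Eq '^[A-Z]{2}$' || fail "whois.country must be a two-letter code"
        for t in $(json_field "$payload" mitre); do
            printf '%s' "$t" | grep -Eq '^T[0-9]{4}(\.[0-9]{3})?$' || fail "mitre id $t is not an ATT&CK technique id"
        done
        conf=$(json_field "$payload" confidence)
        ok=$(printf '%s' "$conf" | awk '/^[0-9]+(\.[0-9]+)?$/ && $1 >= 0 && $1 <= 1 { print "y" }')
        [ "$ok" = "y" ] || fail "confidence must be a number between 0 and 1"
        ;;
    threat-verdict)
        is_ipv4 "$(json_field "$payload" ioc)" || fail "ioc is not an IPv4 address"
        in_set "$(json_field "$payload" severity)" "$SEVERITIES" || fail "severity not in: $SEVERITIES"
        in_set "$(json_field "$payload" action)" "$ACTIONS" || fail "action not in: $ACTIONS"
        ;;
    *) fail "unknown topic $topic" ;;
    esac
    [ "$problems" -eq 0 ]
}

# accept_enriched PAYLOAD MIN_CONFIDENCE -> exit 0 only if valid and confident enough
# (the filtering pilot-event-filter is described as doing, written out here).
accept_enriched() {
    validate_message enriched-ioc "$1" >/dev/null || return 1
    awk -v c="$(json_field "$1" confidence)" -v m="$2" 'BEGIN { exit !(c + 0 >= m + 0) }'
}
```

Wire validate_message in front of whatever consumes the topic on each agent; a payload that fails it is logged and dropped instead of being enriched, scored or pushed downstream.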

Dependencies

Requires pilot-protocol skill, pilotctl binary, clawhub binary, and a running daemon.

Usage Guidance
This skill is coherent for deploying a Pilot-based threat-intelligence pipeline, but take these precautions before installing:
  1. Verify 'pilotctl' and 'clawhub' are the legitimate, expected binaries on your system and understand what versions/sources they use.
  2. The skill runs 'clawhub install' to pull many 'pilot-*' components; inspect those packages (their sources, maintainers, and install steps) before allowing them to be installed.
  3. The procedure writes a manifest to ~/.pilot/setups/threat-intelligence.json and performs automatic handshakes that can auto-approve trust between peers; ensure you only handshake with hosts you control/trust.
  4. If possible, test the setup in an isolated environment (VM or staging network) first.
  5. The registry metadata omitted the declared config path (~/.pilot); consider this a minor metadata mismatch and verify file writes before proceeding.
Capability Analysis
Type: OpenClaw Skill
Name: pilot-threat-intelligence-setup
Version: 1.0.0
The skill bundle provides a legitimate framework for deploying a multi-agent threat intelligence pipeline consisting of collector, enricher, analyzer, and distributor roles. It utilizes standard framework commands (pilotctl, clawhub) to manage agent communication and skill installation, with all data flows and manifest templates in SKILL.md and README.md aligning strictly with the stated purpose of IOC processing and STIX/TAXII distribution.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
Name/description match the actions in SKILL.md: the skill uses pilotctl and clawhub to install and configure four agent roles and their 'pilot-*' subskills. Requested binaries (pilotctl, clawhub) are exactly the tools the instructions use. Minor inconsistency: SKILL.md writes a manifest to ~/.pilot/setups/threat-intelligence.json but the registry metadata lists no required config paths.
Instruction Scope
Runtime instructions are narrowly scoped to installing role-specific pilot-* skills (via clawhub), setting hostnames (pilotctl), writing a manifest in the user's home (~/.pilot/...), and performing peer handshakes/publishes. The instructions do not request secrets or read unrelated system files. Note: the skill instructs the agent to create files under the user's home and to initiate network handshakes (auto-approved trust when both sides handshake), which may have operational security implications—this is expected for a distributed TI setup but should be understood before running.
Install Mechanism
There is no SKILL install spec (instruction-only), which is low-risk for this package itself. However, the instructions invoke 'clawhub install' to fetch many pilot-* components; those installers are external actions not captured here and may download/execute code. The skill does not provide or pin the sources for those pilot-* packages.
Credentials
The skill requests no environment variables or credentials. That is proportionate to the described purpose. It will, however, perform network operations (handshakes, publishes, and outbound feeds) as part of normal operation—no hidden credential access is requested by the skill itself.
Persistence & Privilege
always: false and autonomous invocation defaults are unchanged. The skill instructs creating a manifest under ~/.pilot (per-user), and it triggers installation of other skills via clawhub; it does not request system-wide privileges or modify other skills' configurations directly. These actions are consistent with setup behavior.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install pilot-threat-intelligence-setup
  3. After installation, invoke the skill by name or use /pilot-threat-intelligence-setup
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug pilot-threat-intelligence-setup
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Pilot Threat Intelligence Setup?

Deploy a threat intelligence platform with 4 agents. Use this skill when: 1. User wants to set up a threat intelligence pipeline for IOC collection and distr... It is an AI Agent Skill for Claude Code / OpenClaw, with 59 downloads so far.

How do I install Pilot Threat Intelligence Setup?

Run "/install pilot-threat-intelligence-setup" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Pilot Threat Intelligence Setup free?

Yes, Pilot Threat Intelligence Setup is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Pilot Threat Intelligence Setup support?

Pilot Threat Intelligence Setup is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Pilot Threat Intelligence Setup?

It is built and maintained by Calin Teodor (@teoslayer); the current version is v1.0.0.
