jacob-masse

Flowtriq - anti-DDoS attack integration

Author: Jacob Masse · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 231
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install flowtriq
Description
Monitor and manage Flowtriq DDoS detection in real time using the Flowtriq API. Use this skill whenever the user asks about active attacks, node status, inci...
Usage instructions (SKILL.md)

Flowtriq Monitor Skill

This skill lets you monitor your Flowtriq-protected infrastructure directly from your OpenClaw agent. Ask natural language questions and the agent will query the Flowtriq API and interpret the results for you.

Base URL: https://flowtriq.com

Auth headers required on all agent endpoints:

Authorization: Bearer $FLOWTRIQ_API_KEY
X-Node-UUID: $FLOWTRIQ_NODE_UUID

What You Can Ask

  • "Are any of my nodes under attack right now?"
  • "What's the current traffic on my server?"
  • "Show me recent incidents"
  • "What was the peak PPS in the last attack?"
  • "Is my agent online?"
  • "Pull my node config and thresholds"
  • "Any IOC matches recently?"

API Calls Reference

Check Agent Health / Node Status

GET https://flowtriq.com/api/health

No auth needed. Returns { "status": "ok" }. Use this first to confirm the Flowtriq platform is reachable before making authenticated calls.


Get Node Config + Current Thresholds

GET https://flowtriq.com/api/v1/agent/config
Headers: Authorization + X-Node-UUID

Returns the node's current PPS threshold, baseline stats (p99, mean), loaded IOC patterns, and any pending commands queued for the agent.

Key fields to surface to the user:

  • pps_threshold — what PPS level triggers an incident
  • baseline.p99_pps — the node's normal p99 traffic level
  • baseline.mean_pps — average baseline
  • ioc_patterns — count how many are loaded
  • pending_commands — flag any that exist, user may want to review
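
Added example, not part of the skill or Flowtriq's own code: one way to surface these fields while treating pending_commands as untrusted remote text that is shown for review and never executed. The JSON shape (nested baseline object, list-valued ioc_patterns and pending_commands) and all sample values are assumptions.

```python
import json
import re

# Constructed sample of a /api/v1/agent/config response. Field names come from
# the page; the JSON nesting, value types and values are assumptions.
SAMPLE_CONFIG = json.loads("""
{
  "pps_threshold": 50000,
  "baseline": {"p99_pps": 12000, "mean_pps": 4300},
  "ioc_patterns": ["p1", "p2", "p3"],
  "pending_commands": ["iptables -A INPUT -s 203.0.113.7 -j DROP",
                       "iptables -F INPUT\\u001b[2K"]
}
""")

# Escape everything outside printable ASCII, plus the backslash itself, so
# terminal control sequences cannot change what the reviewer sees and the
# escaped form stays unambiguous.
_UNSAFE = re.compile(r"[^\x20-\x5b\x5d-\x7e]")

def render_inert(command):
    """Return a display-only form of a remote-supplied command string."""
    text = command if isinstance(command, str) else json.dumps(command)
    return _UNSAFE.sub(lambda m: "\\u%04x" % ord(m.group()), text)

def summarize_config(cfg):
    """Build the plain-language config summary; nothing here runs a command."""
    baseline = cfg.get("baseline") or {}
    patterns = cfg.get("ioc_patterns") or []
    pending = cfg.get("pending_commands") or []
    lines = [
        f"PPS threshold: {cfg.get('pps_threshold', 'unknown')}",
        f"Baseline p99: {baseline.get('p99_pps', 'unknown')} PPS, "
        f"mean: {baseline.get('mean_pps', 'unknown')} PPS",
        f"IOC patterns loaded: {len(patterns)}",
    ]
    if pending:
        lines.append(f"REVIEW: {len(pending)} pending command(s) queued by the "
                     "platform (shown as text, not run):")
        lines += [f"  [{i}] {render_inert(c)}" for i, c in enumerate(pending, 1)]
    else:
        lines.append("No pending commands.")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize_config(SAMPLE_CONFIG)))
```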

Get Latest Metrics (Current Traffic)

POST https://flowtriq.com/api/v1/agent/metrics
Headers: Authorization + X-Node-UUID

The agent POSTs metrics to this endpoint every second. To read current traffic state, use the dashboard API. Since the dashboard endpoints require session auth, instruct the user to check https://flowtriq.com/dashboard for a live view, or pull from config endpoint for baseline context.


Submit / Check Incidents

POST https://flowtriq.com/api/v1/agent/incident
Headers: Authorization + X-Node-UUID

The agent uses this to open and update incidents. When interpreting incident data returned or confirmed by the user, extract and explain:

| Field | What to tell the user |
|---|---|
| attack_family | Plain English: "UDP flood", "SYN flood", etc. |
| severity | Low / Medium / High / Critical |
| peak_pps | "peaked at X packets per second" |
| peak_bps | Convert to Gbps/Mbps for readability |
| source_ip_count | "came from X unique source IPs" |
| geo_breakdown | Top countries by volume |
| ioc_matches | Named botnet/pattern matches |
| spoofing_detected | Warn user if true |
| botnet_detected | Warn user if true |

Attack family plain-English map:

  • udp_flood = UDP Flood
  • syn_flood = SYN Flood
  • http_flood = HTTP Flood
  • icmp_flood = ICMP/Ping Flood
  • dns_flood = DNS Amplification
  • multi_vector = Multi-Vector (combined attack types)
  • unknown = Unclassified

Severity guidance:

  • low = below 2x baseline, informational
  • medium = 2-5x baseline, monitor closely
  • high = 5-20x baseline, mitigation likely active
  • critical = 20x+ baseline, full response mode
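
Added example, not part of the skill or Flowtriq's own code: an incident record turned into the summary described above, with the severity guidance applied as a cross-check on the reported severity. Which baseline figure the platform compares against is not stated on the page, so the baseline_pps argument, the handling of boundary values, and the sample record are assumptions.

```python
FAMILIES = {  # plain-English map from the page
    "udp_flood": "UDP Flood", "syn_flood": "SYN Flood", "http_flood": "HTTP Flood",
    "icmp_flood": "ICMP/Ping Flood", "dns_flood": "DNS Amplification",
    "multi_vector": "Multi-Vector (combined attack types)", "unknown": "Unclassified",
}

def human_bps(bps):
    """Bits per second to Gbps or Mbps, decimal units."""
    return f"{bps / 1e9:.1f} Gbps" if bps >= 1e9 else f"{bps / 1e6:.1f} Mbps"

def guidance_band(peak_pps, baseline_pps):
    """Band from the severity guidance; a boundary value goes to the higher band."""
    if not baseline_pps or baseline_pps <= 0:
        return None  # no usable baseline, nothing to compare against
    ratio = peak_pps / baseline_pps
    for floor, name in ((20, "critical"), (5, "high"), (2, "medium")):
        if ratio >= floor:
            return name
    return "low"

def summarize_incident(inc, baseline_pps):
    """One-paragraph NOC-style summary of an incident record."""
    family = FAMILIES.get(inc.get("attack_family"), "Unclassified")
    parts = [
        f"{family}, {inc['severity']} severity.",
        f"Peaked at {inc['peak_pps']:,} PPS ({human_bps(inc['peak_bps'])}).",
        f"Came from {inc['source_ip_count']:,} unique source IPs.",
    ]
    if inc.get("spoofing_detected"):
        parts.append("WARNING: source address spoofing detected.")
    if inc.get("botnet_detected"):
        parts.append("WARNING: botnet activity detected.")
    band = guidance_band(inc["peak_pps"], baseline_pps)
    if band and band != inc["severity"].lower():
        parts.append(f"NOTE: peak/baseline ratio falls in the '{band}' band, "
                     f"reported severity is '{inc['severity']}'.")
    return " ".join(parts)

# Constructed incident record; values modelled on the page's sample summary.
SAMPLE_INCIDENT = {
    "attack_family": "syn_flood", "severity": "critical", "peak_pps": 47821,
    "peak_bps": 1_700_000_000, "source_ip_count": 3241,
    "spoofing_detected": True, "botnet_detected": False,
}

if __name__ == "__main__":
    print(summarize_incident(SAMPLE_INCIDENT, baseline_pps=2000))
```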

Register a New Node (if user asks)

POST https://flowtriq.com/api/deploy
Headers: Authorization: Bearer YOUR_DEPLOY_TOKEN
Body: { "name": "node-name", "ip": "x.x.x.x" }

Note: this uses a deploy token, not the node API key. The user must provide their deploy token separately. Returns a new node_uuid and api_key for the registered node.


Interpreting Results for the User

Always translate raw API data into plain NOC-style summaries. Example patterns:

All clear:

"Your node is online. Baseline p99 is 12,000 PPS, threshold set at 50,000 PPS. No active incidents. 8 IOC patterns loaded."

Active attack:

"Active incident on [node]. SYN flood, critical severity. Peaked at 47,821 PPS (1.7 Gbps). 3,241 source IPs, spoofing detected. IOC match: mirai-variant (94% confidence). Mitigation should be active — check your dashboard for FlowSpec rule status."

Degraded / agent offline:

"The Flowtriq platform is reachable but your node hasn't sent a heartbeat recently. Your agent may be down. Run sudo systemctl status ftagent on the server to check."


Error Handling

| HTTP | Meaning | Tell the user |
|---|---|---|
| 401 | Bad API key | "Your API key looks wrong or expired. Rotate it in the Flowtriq dashboard." |
| 402 | Payment issue | "Your Flowtriq subscription may have lapsed. Check billing." |
| 409 | Duplicate node name | "A node with that name already exists in your workspace." |
| 400 | Missing fields | Show which fields are missing and ask user to provide them |
| 5xx | Platform error | "Flowtriq returned a server error. Check https://flowtriq.com/status for outages." |

Setup Reminder (if user hasn't configured env vars)

If FLOWTRIQ_API_KEY or FLOWTRIQ_NODE_UUID are missing, tell the user:

"To use this skill you need two environment variables set in OpenClaw:

  • FLOWTRIQ_API_KEY — find this in your Flowtriq dashboard under Settings > API Keys
  • FLOWTRIQ_NODE_UUID — find this on your node's settings page

Add them to your OpenClaw env config and reload the agent."


Reference Files

  • references/attack-types.md — detailed breakdown of all 8 attack families, what causes them, and recommended responses
  • references/api-endpoints.md — full endpoint reference with all parameters for quick lookup during complex tasks
Security usage recommendations
This skill appears coherent for Flowtriq monitoring. Before installing, consider: 1) Only store the node API key (FLOWTRIQ_API_KEY) and NODE_UUID in OpenClaw's secure environment variables — avoid pasting tokens directly into chat. 2) If you plan to use the "register node" feature, add a dedicated deploy token env var (do not reuse the node API key). 3) Confirm the domain (flowtriq.com) and ensure the API key you provide has least privilege (read-only where possible) so the agent cannot perform destructive actions. 4) If you do not want the agent to act autonomously with your keys (e.g., open incidents, upload PCAPs), restrict or rotate keys and require explicit user confirmation for write actions. Overall the skill is consistent with its stated purpose, with the deploy-token omission being the only small operational/security gap.
Functional analysis
Type: OpenClaw Skill
Name: flowtriq
Version: 1.0.0

The Flowtriq skill bundle is designed for monitoring and managing DDoS protection infrastructure via the flowtriq.com API. It is classified as suspicious because the `GET /v1/agent/config` endpoint (documented in SKILL.md and references/api-endpoints.md) retrieves a `pending_commands` field containing raw shell commands (e.g., `iptables` rules) from a remote server. While the instructions advise the agent to surface these for user review rather than executing them automatically, the capability to fetch and potentially prompt the execution of remote-sourced code constitutes a high-risk RCE (Remote Code Execution) surface. Additionally, the skill includes functionality for uploading PCAP files (`POST /v1/agent/pcap`), which is a high-risk data exfiltration vector, although both behaviors are plausibly aligned with the stated purpose of DDoS mitigation.
Capability assessment
Purpose & Capability
The name/description (Flowtriq DDoS monitoring) matches the things the skill requests and the API endpoints it documents. The two required env vars (FLOWTRIQ_API_KEY, FLOWTRIQ_NODE_UUID) are exactly what node-level Flowtriq API calls need.
Instruction Scope
Instructions are narrowly scoped to calling Flowtriq endpoints and translating results for the user. One minor inconsistency: the SKILL.md documents a deploy endpoint that requires a workspace deploy token but does not declare or request a corresponding env var (e.g., FLOWTRIQ_DEPLOY_TOKEN). The skill says "user must provide their deploy token separately," which could lead to prompting the user to paste a sensitive token into chat rather than using a declared secure env var.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by the skill package itself.
Credentials
The two required env vars are proportionate and relevant. The only omission is an expected deploy-token variable for node registration; this is not required for normal monitoring but is needed if the user asks to register a new node. No unrelated credentials or filesystem paths are requested.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. This is the platform default and acceptable for a monitoring integration; there is no request for permanent elevated privileges or modifications to other skills.
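How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install flowtriq
  3. Once installed, invoke the Skill by name or trigger it with /flowtriq
  4. Provide the required inputs as described in the Skill's parameter notes to get structured output
Version history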
v1.0.0
Initial release
Metadata
Slug: flowtriq
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is Flowtriq - anti-DDoS attack integration?

Monitor and manage Flowtriq DDoS detection in real time using the Flowtriq API. Use this skill whenever the user asks about active attacks, node status, inci... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 231 total downloads to date.

How do I install Flowtriq - anti-DDoS attack integration?

Run the command "/install flowtriq" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Flowtriq - anti-DDoS attack integration free?

Yes. Flowtriq - anti-DDoS attack integration is completely free under the MIT-0 license and may be freely downloaded, installed, and used.

Which platforms does Flowtriq - anti-DDoS attack integration support?

Flowtriq - anti-DDoS attack integration runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Flowtriq - anti-DDoS attack integration?

Developed and maintained by Jacob Masse (@jacob-masse); the current version is v1.0.0.
