teoslayer

Pilot Security Operations Center Setup

Author: Calin Teodor · GitHub · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 64
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install pilot-security-operations-center-setup
Description
Deploy a security operations center pipeline with 4 agents. Use this skill when: 1. User wants to set up a SOC or security monitoring pipeline 2. User is con...
Usage instructions (SKILL.md)

Security Operations Center Setup

Deploy 4 agents: collector, analyzer, enforcer, and dashboard.

Roles

| Role | Hostname | Skills | Purpose |
|---|---|---|---|
| collector | <prefix>-collector | pilot-event-log, pilot-audit-log, pilot-stream-data, pilot-cron | Aggregates security events |
| analyzer | <prefix>-analyzer | pilot-event-filter, pilot-event-replay, pilot-alert, pilot-priority-queue | Detects and classifies threats |
| enforcer | <prefix>-enforcer | pilot-blocklist, pilot-quarantine, pilot-webhook-bridge, pilot-audit-log | Blocks threats, quarantines nodes |
| dashboard | <prefix>-dashboard | pilot-metrics, pilot-slack-bridge, pilot-network-map, pilot-mesh-status | Visualizes security posture |

Setup Procedure

Step 1: Ask the user which role and prefix.

Step 2: Install skills:

# collector:
clawhub install pilot-event-log pilot-audit-log pilot-stream-data pilot-cron
# analyzer:
clawhub install pilot-event-filter pilot-event-replay pilot-alert pilot-priority-queue
# enforcer:
clawhub install pilot-blocklist pilot-quarantine pilot-webhook-bridge pilot-audit-log
# dashboard:
clawhub install pilot-metrics pilot-slack-bridge pilot-network-map pilot-mesh-status

Step 3: Set hostname and write manifest to ~/.pilot/setups/security-operations-center.json.

Step 4: Handshake with adjacent agents.

Manifest Templates Per Role

collector

{
  "setup": "security-operations-center", "role": "collector", "role_name": "Log Collector",
  "hostname": "<prefix>-collector",
  "skills": {
    "pilot-event-log": "Aggregate security events from all nodes.",
    "pilot-audit-log": "Maintain tamper-evident event log.",
    "pilot-stream-data": "Stream events to analyzer in real time.",
    "pilot-cron": "Schedule periodic log sweeps."
  },
  "data_flows": [{ "direction": "send", "peer": "<prefix>-analyzer", "port": 1002, "topic": "security-event", "description": "Raw security events" }],
  "handshakes_needed": ["<prefix>-analyzer"]
}

analyzer

{
  "setup": "security-operations-center", "role": "analyzer", "role_name": "Threat Analyzer",
  "hostname": "<prefix>-analyzer",
  "skills": {
    "pilot-event-filter": "Filter and correlate events, detect patterns.",
    "pilot-event-replay": "Replay past events for forensic investigation.",
    "pilot-alert": "Emit classified threat alerts.",
    "pilot-priority-queue": "Prioritize threats by severity."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-collector", "port": 1002, "topic": "security-event", "description": "Raw events" },
    { "direction": "send", "peer": "<prefix>-enforcer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts" },
    { "direction": "send", "peer": "<prefix>-dashboard", "port": 1002, "topic": "threat-alert", "description": "Classified threats" }
  ],
  "handshakes_needed": ["<prefix>-collector", "<prefix>-enforcer", "<prefix>-dashboard"]
}

enforcer

{
  "setup": "security-operations-center", "role": "enforcer", "role_name": "Threat Enforcer",
  "hostname": "<prefix>-enforcer",
  "skills": {
    "pilot-blocklist": "Add malicious IPs/agents to deny list.",
    "pilot-quarantine": "Isolate compromised agents.",
    "pilot-webhook-bridge": "Trigger incident webhooks.",
    "pilot-audit-log": "Log all enforcement actions."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-analyzer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts" },
    { "direction": "send", "peer": "<prefix>-dashboard", "port": 1002, "topic": "enforcement-action", "description": "Actions taken" }
  ],
  "handshakes_needed": ["<prefix>-analyzer", "<prefix>-dashboard"]
}

dashboard

{
  "setup": "security-operations-center", "role": "dashboard", "role_name": "SOC Dashboard",
  "hostname": "<prefix>-dashboard",
  "skills": {
    "pilot-metrics": "Display threat counts, response times.",
    "pilot-slack-bridge": "Send security summaries to Slack.",
    "pilot-network-map": "Visualize network topology and threats.",
    "pilot-mesh-status": "Show peer connectivity and encryption status."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-analyzer", "port": 1002, "topic": "threat-alert", "description": "Classified threats" },
    { "direction": "receive", "peer": "<prefix>-enforcer", "port": 1002, "topic": "enforcement-action", "description": "Actions taken" }
  ],
  "handshakes_needed": ["<prefix>-analyzer", "<prefix>-enforcer"]
}

Data Flows

  • collector → analyzer : raw security events (port 1002)
  • analyzer → enforcer : threat verdicts (port 1002)
  • analyzer → dashboard : classified threats (port 1002)
  • enforcer → dashboard : enforcement actions (port 1002)
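
An added example (not part of the skill or the pilot tooling): because a handshake establishes trust between two agents, it is worth confirming before Step 4 that each manifest lists handshakes only with peers it actually exchanges data with, and that every send has a matching receive on the peer. The manifests are constructed inline from the templates above; `build_manifests`, `flow_key`, `audit` and the prefix `acme` are hypothetical names.

```python
PORT = 1002
# (sender, receiver, topic) as listed under "Data Flows" on this page.
FLOWS = [("collector", "analyzer", "security-event"),
         ("analyzer", "enforcer", "threat-verdict"),
         ("analyzer", "dashboard", "threat-alert"),
         ("enforcer", "dashboard", "enforcement-action")]

def build_manifests(prefix):
    """Constructed sample input: the page's templates reduced to the audited fields."""
    out = {}
    for src, dst, topic in FLOWS:
        for me, other, direction in ((src, dst, "send"), (dst, src, "receive")):
            host, peer = f"{prefix}-{me}", f"{prefix}-{other}"
            man = out.setdefault(host, {"hostname": host, "data_flows": [],
                                        "handshakes_needed": []})
            man["data_flows"].append({"direction": direction, "peer": peer,
                                      "port": PORT, "topic": topic})
            if peer not in man["handshakes_needed"]:
                man["handshakes_needed"].append(peer)
    return out

def flow_key(f):
    return (f["direction"], f["peer"], f["port"], f["topic"])

def audit(manifests):
    """Return findings; an empty list means flows and trust edges agree."""
    findings, opposite = [], {"send": "receive", "receive": "send"}
    for host, man in manifests.items():
        flow_peers = set()
        for f in man["data_flows"]:
            flow_peers.add(f["peer"])
            peer_flows = manifests.get(f["peer"], {}).get("data_flows", [])
            mirror = (opposite[f["direction"]], host, f["port"], f["topic"])
            if mirror not in {flow_key(p) for p in peer_flows}:
                findings.append(f"{host}: {f['direction']} {f['topic']} has no matching flow on {f['peer']}")
        trusted = set(man["handshakes_needed"])
        for extra in sorted(trusted - flow_peers):
            findings.append(f"{host}: handshake with {extra} but no data flow (excess trust)")
        for missing in sorted(flow_peers - trusted):
            findings.append(f"{host}: data flow with {missing} but no handshake listed")
    return findings

if __name__ == "__main__":
    soc = build_manifests("acme")  # "acme" is a made-up prefix
    print(audit(soc))              # [] for the page's templates
    soc["acme-collector"]["handshakes_needed"].append("acme-enforcer")
    print(audit(soc))              # one excess-trust finding
```

In a real deployment the dictionary passed to `audit` would be assembled from the `~/.pilot/setups/security-operations-center.json` file collected from each host.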

Workflow Example

# On collector:
pilotctl --json publish <prefix>-analyzer security-event '{"type":"port_scan","source":"203.0.113.42","ports":1024}'
# On analyzer:
pilotctl --json publish <prefix>-enforcer threat-verdict '{"source":"203.0.113.42","severity":"high","action":"block"}'
# On enforcer:
pilotctl --json publish <prefix>-dashboard enforcement-action '{"source":"203.0.113.42","action":"blocked"}'

Dependencies

Requires pilot-protocol skill, pilotctl binary, clawhub binary, and a running daemon.

Security usage recommendations
This skill is an orchestration recipe that runs pilotctl and clawhub to install many other pilot-* skills and to establish trust between agents. Before installing: (1) verify pilotctl and clawhub are official and trusted binaries for your environment; (2) be aware clawhub will fetch and install additional packages (review their sources and required credentials); (3) understand the handshake behavior (it auto-approves trust when both sides exchange handshakes) and restrict this to isolated or well-segmented networks until you’re confident; (4) expect to supply credentials for connectors like Slack or webhooks at the sub-skill level — confirm how those secrets are stored/used; and (5) inspect the manifests written to ~/.pilot and the network ports (1002) used for internal communications. If any of these points are unacceptable, do not run the orchestration on production hosts without further review.
Functional analysis
Type: OpenClaw Skill Name: pilot-security-operations-center-setup Version: 1.0.0 The skill bundle provides a legitimate orchestration framework for deploying a Security Operations Center (SOC) using the pilot-protocol ecosystem. It defines roles for log collection, threat analysis, enforcement, and visualization, using standard tools like pilotctl and clawhub to manage agent configurations and communication handshakes. No indicators of malicious intent, data exfiltration, or unauthorized command execution were found in SKILL.md or README.md.
Capability tags
crypto
Capability assessment
Purpose & Capability
Name/description (SOC setup) align with the declared binaries (pilotctl, clawhub) and the SKILL.md: it installs pilot-* skills, sets hostnames, writes a manifest, and establishes agent handshakes — all expected for a multi‑agent SOC deployment.
Instruction Scope
Instructions are CLI-driven and narrowly scoped to installing sub-skills, setting hostnames, writing a manifest to ~/.pilot/setups/security-operations-center.json, and exchanging handshakes. This is appropriate for the purpose, but the doc explicitly states trust is auto-approved when both sides handshake — a security behavior you should be aware of before enabling on production hosts.
Install Mechanism
The skill is instruction-only (no install spec). It relies on clawhub to fetch and install many other pilot-* skills; that is expected but increases risk surface because clawhub will pull code from external sources. The skill itself does not download or extract archives directly.
Credentials
This skill requests no environment variables, which is reasonable for an orchestrator. However some installed sub-skills referenced (e.g., pilot-slack-bridge, pilot-webhook-bridge) will likely require external credentials/endpoints; the SKILL.md does not document those credential needs — you should be prepared to provide them per sub-skill and confirm safe handling of secrets.
Persistence & Privilege
always is false and the skill does not request elevated/system-wide privileges. It will write a manifest under the user's home (~/.pilot) and instruct other agents to exchange handshakes and network traffic on port 1002, which are reasonable for a distributed SOC deployment.
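How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install pilot-security-operations-center-setup
  3. Once installed, invoke the Skill by name or trigger it with /pilot-security-operations-center-setup
  4. Provide the required inputs as described in the Skill's parameters to get structured output
Version history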
v1.0.0
Initial release
Metadata
Slug pilot-security-operations-center-setup
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

What is Pilot Security Operations Center Setup?

Deploy a security operations center pipeline with 4 agents. Use this skill when: 1. User wants to set up a SOC or security monitoring pipeline 2. User is con... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 64 total downloads so far.

How do I install Pilot Security Operations Center Setup?

Run the command "/install pilot-security-operations-center-setup" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Pilot Security Operations Center Setup free?

Yes, Pilot Security Operations Center Setup is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Pilot Security Operations Center Setup support?

Pilot Security Operations Center Setup runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Pilot Security Operations Center Setup?

Developed and maintained by Calin Teodor (@teoslayer); the current version is v1.0.0.
