teoslayer

Pilot Threat Intelligence Setup

Author: Calin Teodor · GitHub · v1.0.0 · MIT-0
cross-platform ✓ Passed security check
Total downloads: 59 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw:
/install pilot-threat-intelligence-setup
Description
Deploy a threat intelligence platform with 4 agents. Use this skill when: 1. User wants to set up a threat intelligence pipeline for IOC collection and distr...
Usage (SKILL.md)

Threat Intelligence Setup

Deploy 4 agents: collector, enricher, analyzer, and distributor.

Roles

Role         Hostname               Skills                                                   Purpose
collector    <prefix>-collector     pilot-stream-data, pilot-cron, pilot-archive             Aggregates threat feeds from OSINT, honeypots, CVE databases
enricher     <prefix>-enricher      pilot-dataset, pilot-task-router, pilot-event-filter     Correlates IOCs, enriches with WHOIS/GeoIP, maps to MITRE
analyzer     <prefix>-analyzer      pilot-metrics, pilot-consensus, pilot-alert              Scores severity, identifies campaigns and APT groups
distributor  <prefix>-distributor   pilot-webhook-bridge, pilot-announce, pilot-audit-log    Publishes STIX/TAXII feeds, pushes IOCs to SIEM

Setup Procedure

Step 1: Ask the user which role this agent should play and what prefix to use.

Step 2: Install the skills for the chosen role:

# For collector:
clawhub install pilot-stream-data pilot-cron pilot-archive
# For enricher:
clawhub install pilot-dataset pilot-task-router pilot-event-filter
# For analyzer:
clawhub install pilot-metrics pilot-consensus pilot-alert
# For distributor:
clawhub install pilot-webhook-bridge pilot-announce pilot-audit-log

Step 3: Set the hostname and write the manifest to ~/.pilot/setups/threat-intelligence.json.

Step 4: Tell the user to initiate handshakes with the peers for their role.

Manifest Templates Per Role

collector

{
  "setup": "threat-intelligence", "role": "collector", "role_name": "Intel Collector",
  "hostname": "<prefix>-collector",
  "skills": {
    "pilot-stream-data": "Ingest real-time threat feeds from OSINT and honeypots.",
    "pilot-cron": "Schedule periodic CVE database and dark web scans.",
    "pilot-archive": "Store raw indicator history for retrospective analysis."
  },
  "data_flows": [{ "direction": "send", "peer": "<prefix>-enricher", "port": 1002, "topic": "raw-ioc", "description": "Normalized IOCs from threat feeds" }],
  "handshakes_needed": ["<prefix>-enricher"]
}

enricher

{
  "setup": "threat-intelligence", "role": "enricher", "role_name": "Threat Enricher",
  "hostname": "<prefix>-enricher",
  "skills": {
    "pilot-dataset": "Cross-reference IOCs against known threat databases.",
    "pilot-task-router": "Route enrichment tasks to specialized lookup services.",
    "pilot-event-filter": "Filter low-confidence indicators before analysis."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-collector", "port": 1002, "topic": "raw-ioc", "description": "Raw IOCs to enrich" },
    { "direction": "send", "peer": "<prefix>-analyzer", "port": 1002, "topic": "enriched-ioc", "description": "IOCs with WHOIS, GeoIP, MITRE context" }
  ],
  "handshakes_needed": ["<prefix>-collector", "<prefix>-analyzer"]
}

analyzer

{
  "setup": "threat-intelligence", "role": "analyzer", "role_name": "Threat Analyzer",
  "hostname": "<prefix>-analyzer",
  "skills": {
    "pilot-metrics": "Track threat volumes, severity distribution, and response times.",
    "pilot-consensus": "Correlate multi-source verdicts for high-confidence scoring.",
    "pilot-alert": "Emit critical threat alerts for immediate action."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-enricher", "port": 1002, "topic": "enriched-ioc", "description": "Enriched IOCs to analyze" },
    { "direction": "send", "peer": "<prefix>-distributor", "port": 1002, "topic": "threat-verdict", "description": "Scored verdicts with campaign attribution" }
  ],
  "handshakes_needed": ["<prefix>-enricher", "<prefix>-distributor"]
}

distributor

{
  "setup": "threat-intelligence", "role": "distributor", "role_name": "Intel Distributor",
  "hostname": "<prefix>-distributor",
  "skills": {
    "pilot-webhook-bridge": "Push IOC updates to firewalls, IDS, and SIEM.",
    "pilot-announce": "Broadcast threat advisories to subscribed consumers.",
    "pilot-audit-log": "Log all published intelligence with distribution timestamps."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-analyzer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts to distribute" },
    { "direction": "send", "peer": "external", "port": 443, "topic": "threat-feed", "description": "STIX/TAXII feeds to security infrastructure" }
  ],
  "handshakes_needed": ["<prefix>-analyzer"]
}

Data Flows

  • collector -> enricher : raw IOCs normalized from threat feeds (port 1002)
  • enricher -> analyzer : enriched IOCs with context and confidence scores (port 1002)
  • analyzer -> distributor : threat verdicts with severity and campaign data (port 1002)
  • distributor -> external : published threat feeds to security infrastructure (port 443)
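Before handing out the manifests, it is worth checking that the four role files actually agree with each other: every internal send has a matching receive on the peer (same topic and port), and each role's handshakes_needed list is exactly its set of data-flow peers, since an extra handshake grants trust to a host that carries no data. The checker below is an added example, not part of the skill; it runs over constructed, trimmed copies of the templates above with <prefix> set to "ti".

```python
# Added example, not part of the skill: a consistency check over the four
# manifests above. Trimmed constructed copies with <prefix> = "ti" substituted.
PREFIX = "ti"
MANIFESTS = [
    {"hostname": f"{PREFIX}-collector", "handshakes_needed": [f"{PREFIX}-enricher"],
     "data_flows": [{"direction": "send", "peer": f"{PREFIX}-enricher", "port": 1002, "topic": "raw-ioc"}]},
    {"hostname": f"{PREFIX}-enricher", "handshakes_needed": [f"{PREFIX}-collector", f"{PREFIX}-analyzer"],
     "data_flows": [
         {"direction": "receive", "peer": f"{PREFIX}-collector", "port": 1002, "topic": "raw-ioc"},
         {"direction": "send", "peer": f"{PREFIX}-analyzer", "port": 1002, "topic": "enriched-ioc"}]},
    {"hostname": f"{PREFIX}-analyzer", "handshakes_needed": [f"{PREFIX}-enricher", f"{PREFIX}-distributor"],
     "data_flows": [
         {"direction": "receive", "peer": f"{PREFIX}-enricher", "port": 1002, "topic": "enriched-ioc"},
         {"direction": "send", "peer": f"{PREFIX}-distributor", "port": 1002, "topic": "threat-verdict"}]},
    {"hostname": f"{PREFIX}-distributor", "handshakes_needed": [f"{PREFIX}-analyzer"],
     "data_flows": [
         {"direction": "receive", "peer": f"{PREFIX}-analyzer", "port": 1002, "topic": "threat-verdict"},
         {"direction": "send", "peer": "external", "port": 443, "topic": "threat-feed"}]},
]


def check_manifests(manifests):
    """Return a list of problems; an empty list means the role set is consistent."""
    problems = []
    # Each internal send must be mirrored by a receive on the peer with the same
    # topic and port; flows to "external" leave the pipeline and have no mirror.
    sends = {(m["hostname"], f["peer"], f["topic"], f["port"])
             for m in manifests for f in m["data_flows"] if f["direction"] == "send"}
    receives = {(f["peer"], m["hostname"], f["topic"], f["port"])
                for m in manifests for f in m["data_flows"] if f["direction"] == "receive"}
    for src, dst, topic, port in sends - receives:
        if dst != "external":
            problems.append(f"{src} sends {topic} to {dst}:{port} but {dst} does not receive it")
    for src, dst, topic, port in receives - sends:
        problems.append(f"{dst} expects {topic} from {src}:{port} but {src} does not send it")
    # handshakes_needed must equal the internal data-flow peers: a missing entry
    # breaks a flow, an extra one grants trust to a host that carries no data.
    for m in manifests:
        flow_peers = {f["peer"] for f in m["data_flows"] if f["peer"] != "external"}
        handshakes = set(m["handshakes_needed"])
        for p in sorted(handshakes - flow_peers):
            problems.append(f"{m['hostname']} handshakes with {p}, which carries no data flow")
        for p in sorted(flow_peers - handshakes):
            problems.append(f"{m['hostname']} exchanges data with {p} without a handshake")
    return problems
```

Run it against the JSON files written to ~/.pilot/setups/ on each host once the prefix has been substituted; the templates as given return no problems.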

Workflow Example

# On collector -- forward raw IOC:
pilotctl --json publish <prefix>-enricher raw-ioc '{"type":"ip","value":"198.51.100.23","source":"honeypot-east","tags":["c2","cobalt-strike"]}'
# On enricher -- forward enriched IOC:
pilotctl --json publish <prefix>-analyzer enriched-ioc '{"type":"ip","value":"198.51.100.23","whois":{"asn":"AS62904","country":"RU"},"mitre":["T1071.001"],"confidence":0.87}'
# On analyzer -- send verdict:
pilotctl --json publish <prefix>-distributor threat-verdict '{"ioc":"198.51.100.23","severity":"critical","campaign":"APT-THUNDER-BEAR","action":"block"}'

Dependencies

Requires pilot-protocol skill, pilotctl binary, clawhub binary, and a running daemon.

Safe Usage Recommendations

This skill is coherent for deploying a Pilot-based threat-intelligence pipeline, but take these precautions before installing:

  1. Verify that 'pilotctl' and 'clawhub' are the legitimate, expected binaries on your system and understand what versions/sources they use.
  2. The skill runs 'clawhub install' to pull many 'pilot-*' components; inspect those packages (their sources, maintainers, and install steps) before allowing them to be installed.
  3. The procedure writes a manifest to ~/.pilot/setups/threat-intelligence.json and performs automatic handshakes that can auto-approve trust between peers; ensure you only handshake with hosts you control or trust.
  4. If possible, test the setup in an isolated environment (VM or staging network) first.
  5. The registry metadata omitted the declared config path (~/.pilot); consider this a minor metadata mismatch and verify file writes before proceeding.
Functional Analysis

Type: OpenClaw Skill
Name: pilot-threat-intelligence-setup
Version: 1.0.0

The skill bundle provides a legitimate framework for deploying a multi-agent threat intelligence pipeline consisting of collector, enricher, analyzer, and distributor roles. It uses standard framework commands (pilotctl, clawhub) to manage agent communication and skill installation, with all data flows and manifest templates in SKILL.md and README.md aligning strictly with the stated purpose of IOC processing and STIX/TAXII distribution.
Capability Tags
crypto
Capability Assessment
Purpose & Capability
Name/description match the actions in SKILL.md: the skill uses pilotctl and clawhub to install and configure four agent roles and their 'pilot-*' subskills. Requested binaries (pilotctl, clawhub) are exactly the tools the instructions use. Minor inconsistency: SKILL.md writes a manifest to ~/.pilot/setups/threat-intelligence.json but the registry metadata lists no required config paths.
Instruction Scope
Runtime instructions are narrowly scoped to installing role-specific pilot-* skills (via clawhub), setting hostnames (pilotctl), writing a manifest in the user's home (~/.pilot/...), and performing peer handshakes/publishes. The instructions do not request secrets or read unrelated system files. Note: the skill instructs the agent to create files under the user's home and to initiate network handshakes (trust is auto-approved when both sides handshake), which may have operational security implications; this is expected for a distributed TI setup but should be understood before running.
Install Mechanism
There is no SKILL install spec (instruction-only), which is low-risk for this package itself. However, the instructions invoke 'clawhub install' to fetch many pilot-* components; those installers are external actions not captured here and may download/execute code. The skill does not provide or pin the sources for those pilot-* packages.
Credentials
The skill requests no environment variables or credentials. That is proportionate to the described purpose. It will, however, perform network operations (handshakes, publishes, and outbound feeds) as part of normal operation—no hidden credential access is requested by the skill itself.
Persistence & Privilege
always: false and autonomous invocation defaults are unchanged. The skill instructs creating a manifest under ~/.pilot (per-user), and it triggers installation of other skills via clawhub; it does not request system-wide privileges or modify other skills' configurations directly. These actions are consistent with setup behavior.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install pilot-threat-intelligence-setup
  3. After installation, call the Skill by name directly or trigger it with /pilot-threat-intelligence-setup
  4. Provide the required input according to the Skill's parameter description to receive structured output
Version History
v1.0.0
Initial release
Metadata
Slug: pilot-threat-intelligence-setup
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 1
FAQ

What is Pilot Threat Intelligence Setup?

Deploy a threat intelligence platform with 4 agents. Use this skill when: 1. User wants to set up a threat intelligence pipeline for IOC collection and distr... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 59 downloads to date.

How do I install Pilot Threat Intelligence Setup?

Run the command "/install pilot-threat-intelligence-setup" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Pilot Threat Intelligence Setup free?

Yes, Pilot Threat Intelligence Setup is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Pilot Threat Intelligence Setup support?

Pilot Threat Intelligence Setup is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Pilot Threat Intelligence Setup?

Developed and maintained by Calin Teodor (@teoslayer); current version v1.0.0.
