
mukul975/anthropic-cybersecurity-skills
83 skills83 installs1M starsGitHub
Install
npx skills add https://github.com/mukul975/anthropic-cybersecurity-skillsSkills in this repo
1Acquiring Disk Image With Dd And DcflddAcquiring Disk Image with dd and dcfldd is an agent skill for solo builders and small teams who must preserve storage media in a forensically defensible way during security incidents or compliance-driven investigations. It centers on Linux block-device imaging using dd and dcfldd, emphasizing correct source and destination device handling, progress visibility, and the habit of recording exact commands and hashes for later verification. The skill fits operators who wear the security hat alongside shipping product—when a laptop, VPS, or container host may be compromised and you need a bit-accurate copy before remediation. Expect advanced terminal work, elevated privileges, and strict attention to write-blocking and destination sizing. It is not everyday backup software; it is evidence-oriented imaging. Pair results with separate analysis skills or tooling once the image is sealed and logged.1installs2Analyzing Active Directory Acl AbuseAnalyzing Active Directory ACL Abuse is a security agent skill aimed at practitioners who must interpret discretionary access control lists that silently grant takeover paths in Windows estates. Solo builders rarely touch AD, but indie consultants and small teams doing MSSP-style assessments install it when they need repeatable agent guidance for ACE abuse patterns instead of improvising from memory. The skill sits in Ship security because conclusions inform remediation before wider rollout or during periodic audit, and it complements broader hardening checklists rather than replacing BloodHound or manual tooling. Prism’s ingested excerpt is license text only, so treat operational steps as defined in the full SKILL.md in mukul975’s anthropic-cybersecurity-skills repo. 
Use with agents that can reason over graph-like permission narratives, export findings into your ticketing workflow, and never substitute automated chat output for regulated penetration-test sign-off.1installs3Analyzing Android Malware With ApktoolAnalyzing Android Malware with Apktool is a phase-specific security skill for solo builders, indie security researchers, and small teams who must understand what an Android package actually contains before shipping integrations or supporting user-reported suspicious apps. It steers agents through apktool-oriented decompilation and inspection so you can reason about manifests, resources, and disassembled code paths rather than trusting store metadata alone. Use it in Ship when you are validating mobile supply chain risk, reviewing a questionable APK, or learning malware indicators on your own projects. It is not a substitute for full dynamic analysis sandboxes or enterprise SOC pipelines. Pair it with strict host isolation because decompilation and reverse-engineering workflows often touch untrusted binaries and local tooling.1installs4Analyzing Api Gateway Access LogsThis skill teaches how to parse, query, and interpret API Gateway access logs to understand request/response patterns, identify bottlenecks, and troubleshoot issues. Solo builders use it when their APIs start exhibiting unexpected behavior or when they need visibility into who's calling their endpoints and how. Understanding these logs is crucial for maintaining reliability, improving performance, and catching security issues before they escalate.1installs5Analyzing Apt Group With Mitre NavigatorAnalyzing APT Group with MITRE Navigator is an agent skill for security-minded solo builders who need to turn vague “advanced persistent threat” stories into concrete technique mappings. 
Instead of ad-hoc bullet lists, the workflow centers MITRE ATT&CK Navigator: you structure layers, tie behaviors to techniques and tactics, and produce a matrix others can scan in seconds. It fits when you are validating a niche B2B product’s threat model, preparing a ship checklist for a SaaS handling sensitive data, or documenting why certain controls matter for compliance conversations. The skill does not replace a SOC or formal red team; it gives you a disciplined, citable way to reason about named threat actors and their tradecraft using the same vocabulary large security teams use. Pair it with your own threat intel sources and environment-specific assumptions.1installs6Analyzing Azure Activity Logs For ThreatsThis skill teaches you how to leverage Azure Activity Logs to identify and investigate security threats within your cloud infrastructure. Solo builders use this skill when they need to monitor Azure environments for unauthorized access, suspicious behavior, or policy violations. It matters because proactive threat detection and audit trails are essential for maintaining cloud security, meeting compliance requirements, and responding quickly to incidents.1installs7Analyzing Bootkit And Rootkit SamplesAnalyzing Bootkit and Rootkit Samples is an agent skill for security-minded builders and analysts who must explain infections that live below the operating system. It structures investigation when antivirus and EDR still show compromise symptoms, Secure Boot or firmware integrity looks wrong, or memory forensics suggests kernel-level hiding. The skill focuses on Master Boot Record and Volume Boot Record malware, UEFI module inspection, and techniques that standard endpoint scans cannot reach. You get a disciplined path from imaging boot sectors through firmware volume review and rootkit-aware detection, aligned to cybersecurity malware-analysis practice. 
Use it during deep incident response or malware research—not for everyday application bugs or normal file-based malware triage, which the skill explicitly excludes.1installs8Analyzing Browser Forensics With HindsightAnalyzing Browser Forensics with Hindsight is an agent skill that formats browser forensic reviews into a clear, sectioned report solo security practitioners can hand to clients or legal reviewers. It targets investigators who already extracted or summarized Chromium-family (or similar) profile data and need consistent documentation of browsing activity rather than messy chat dumps. The template drives activity counts—visits, downloads, saved passwords, cookies—and forces notable URL and download rows with timestamps so timelines are auditable. Indie builders might use it when a founder laptop is implicated in a credential leak or when validating what sites were hit before a production key exposure. The skill does not replace Hindsight or manual SQLite parsing; it standardizes how findings are written once data exists. Expect advanced familiarity with chain of custody and browser artifact locations before invoking the skill.1installs9Analyzing Campaign Attribution EvidenceAnalyzing Campaign Attribution Evidence is an agent skill packaged as a cyber threat intelligence report template for turning raw campaign clues into a shareable attribution narrative. It targets solo builders, indie SaaS operators, and small security-conscious teams who wear analyst hats without a full CTI desk—especially when you need to document who likely ran a campaign, what techniques they used, and what to do next. The workflow centers on a CTI-style report with executive summary, evidence-backed findings, MITRE ATT&CK linkage, an IOC table, and phased recommendations under a TLP label. Use it after you have collected logs, malware samples, network indicators, or third-party intel and need consistent structure before escalating to partners, insurers, or customers. 
It does not replace automated enrichment or legal attribution standards; it gives your coding agent a repeatable document shape so attribution reasoning stays auditable and actionable inside Claude Code, Cursor, or similar environments.1installs10Analyzing Certificate Transparency For PhishingAnalyzing Certificate Transparency for Phishing is a security-oriented agent skill aimed at solo builders and small teams who operate a branded product on the public web and cannot afford a full threat-intel desk. Certificate Transparency logs publish every publicly trusted TLS certificate as it is issued; attackers routinely register typosquats and homoglyph domains minutes before a campaign. This skill is meant to guide an AI agent through querying and interpreting CT data to find certificates that mimic your product, login paths, or executive names—so you can block, warn users, or initiate takedowns early. Catalog detail here is inferred from the skill name and repo placement because the ingested readme fragment was license text only; treat operational commands as something to confirm in the full SKILL.md after install. Use when you are validating launch readiness, responding to user reports of fake login pages, or running periodic brand-protection sweeps.1installs11Analyzing Cloud Storage Access PatternsAnalyzing Cloud Storage Access Patterns is an agent skill aimed at indie builders and small teams who rely on object storage for uploads, backups, or static assets. It guides structured review of how identities, services, and anonymous principals touch buckets and prefixes—so you can catch public reads, overly broad IAM, and suspicious access cadence without hiring a full cloud security team. Use it when you are shipping a SaaS with file storage, migrating buckets, or responding to a compliance checklist that asks who can read or write what. 
The skill sits in the ship phase as security work: it turns vague “check S3” todos into a repeatable conversation with your coding agent about logs, policy documents, and access trails. Pair it with your cloud console or CLI exports; expect procedural guidance rather than a single automated scanner. Outcomes are clearer risk notes and remediation priorities you can implement in Terraform, console, or IAM policy edits before you go live or after an incident scare.1installs12Analyzing Cobalt Strike Beacon ConfigurationAnalyzing Cobalt Strike Beacon Configuration is an agent skill that guides defenders and security engineers through documenting parsed beacon settings in a consistent report template. Solo builders running small SaaS or internal APIs rarely need this daily, but it matters when you are doing threat hunting, IR after a compromise, or validating detections before ship. The skill organizes beacon type, callback endpoints, sleep and jitter, spawn configuration, named pipes, host headers, and crypto scheme alongside malleable C2 GET and POST sections so network and EDR teams can align on the same facts. Watermark attribution and detection signature placeholders bridge analysis to Suricata-style rules without inventing audit pass rates or vendor scores. Use when you already have beacon configuration extraction output and need a shareable TLP:AMBER style artifact for your team or customers.1installs13Analyzing Cobaltstrike Malleable C2 ProfilesAnalyzing Cobaltstrike Malleable C2 Profiles is a security agent skill aimed at defenders, solo security engineers, and indie SaaS operators who must understand how adversary-controlled C2 profiles alter HTTP traffic, headers, and staging behavior—without treating profile dissection as offensive tradecraft. Prism lists it for builders who run authorized labs, parse captured profiles, or tune WAF and EDR rules when red-team exercises surface realistic Beacon configurations. 
Public SKILL.md body in the ingest snapshot is license text only; placement and copy lean on the skill slug and repository lineage as a cybersecurity analysis module. Treat outputs as hypotheses to validate in your SOC tooling, never as instructions to deploy unauthorized C2. Intermediate-to-advanced practitioners benefit most. Pair with your org’s legal scope and isolation requirements before running against live samples.1installs14Analyzing Command And Control CommunicationAnalyzing Command and Control Communication is a security-focused agent skill from the Anthropic cybersecurity skills collection, intended for solo builders and small teams who need structured help reasoning about how malware talks to external infrastructure. Use it when you are reviewing logs, designing detections, or documenting suspicious beaconing during ship-phase security work—not for casual feature coding. The catalog entry currently surfaces license metadata more than procedural SKILL.md text, so you should treat it as a specialized procedural companion your agent loads alongside concrete log samples and your own runbooks. It matters because misclassified C2 noise wastes nights and misses real breaches; a named skill nudges the agent toward consistent MITRE-aligned questions instead of generic “check the network” advice. Confirm scope and steps in the upstream repo before relying on it in production incident response.1installs15Analyzing Disk Image With AutopsyAnalyzing Disk Image With Autopsy is a cybersecurity agent skill from the Anthropic-oriented collection that steers coding agents through forensic analysis of disk images using Autopsy—the standard open-source forensics suite for carving artifacts, timelines, and user activity from acquired drives. Solo builders rarely run full SOC teams, but when a laptop backup, server snapshot, or E01 image lands on your desk after a suspected breach, you need repeatable examination steps instead of clicking blindly through wizards. 
This skill packages procedural knowledge for loading images, navigating Autopsy modules, and interpreting common artifact types while staying in a defensible audit mindset. Use it in Ship when security review demands offline disk validation, or when you must document findings before wider launch or ops handoff. Pair with proper chain-of-custody practices and legal counsel when evidence may be used formally; the skill teaches tooling workflow, not jurisdiction-specific rules.1installs16Analyzing Dns Logs For ExfiltrationAnalyzing DNS Logs for Exfiltration is an agent skill that walks solo builders and small teams through hunting command-and-control and data theft hidden in DNS queries. It is aimed at anyone who can access Zeek, Splunk ES, or resolver logs—not only enterprise SOCs—and need repeatable heuristics instead of ad-hoc grep. The workflow ties DNS tunneling indicators (entropy, label length, record types), C2 behaviors (DGA, beaconing, fast-flux), DoH anomalies, and zone-transfer probes to concrete checks and example scripts. You get guidance on baselines, alert thresholds, and enrichment with threat intelligence and domain permutation tools. Use it when incidents, suspicious egress, or routine operate-phase reviews suggest DNS might be the covert channel. It matters because DNS is often logged everywhere while exfiltration patterns are easy to miss without a structured rubric.1installs17Analyzing Docker Container Forensicsanalyzing-docker-container-forensics is an agent skill aimed at structured investigation of Docker containers when you need to understand what changed, what ran, and what evidence remains after suspicious activity or operational failures. Indie builders running SaaS or APIs on containers often lack a dedicated DFIR team; this skill gives an agent a repeatable forensics-oriented playbook instead of improvised docker commands that destroy artifacts. 
Use it during Operate when alerts fire, pods behave oddly, or you must preserve narrative for compliance and postmortems. It complements Ship-phase security hardening by focusing on after-the-fact analysis—filesystem timelines, process and layer context, and careful handling of container state. Because the published excerpt in catalog ingest may be license text only, treat outputs as checklists your agent adapts to your orchestrator (Docker Engine, Kubernetes, managed cloud). Always snapshot volumes and images per your policy before destructive steps, and pair results with the Security Audits panel and your own runbooks.1installs18Analyzing Email Headers For Phishing InvestigationAnalyzing Email Headers for Phishing Investigation is an agent skill for digital forensics-style email triage. Solo builders and indie teams running SaaS or internal tools use it when someone forwards a suspicious message, after a click on a phishing link, or when you need to prove whether the visible From address matches authenticated sending infrastructure. The skill walks through exporting Internet headers, reading Received chains and authentication results, and validating SPF, DKIM, and DMARC so you can separate legitimate misconfiguration from deliberate spoofing. It expects basic SMTP literacy, DNS lookup access, and optional Python parsing—not a full SOC. Outcomes are a documented origin trace, alignment verdicts, and evidence you can attach to a lightweight incident note or escalate to a provider. It complements broader app security work rather than replacing DMARC rollout or mailbox filtering policies.1installs19Analyzing Ethereum Smart Contract VulnerabilitiesAnalyzing Ethereum Smart Contract Vulnerabilities is an agent skill for solo Web3 builders who must sanity-check Solidity before users’ funds are at risk. 
It packages cybersecurity-oriented procedural knowledge so Claude Code, Cursor, or similar agents can walk through vulnerability classes, dangerous patterns, and review checkpoints instead of improvising generic security advice. Use it when a contract is feature-complete but not yet blessed for mainnet—after local tests, alongside formal audits, or when validating a forked DeFi component. The skill emphasizes structured analysis over exploit scripting, helping indies who ship alone catch classic issues early. Prism lists it under Ship security with secondary Validate scope when you prototype on testnets and want the same rigor before scaling scope.1installs20Analyzing Golang Malware With GhidraAnalyzing Golang Malware with Ghidra is a security-focused agent skill for builders and analysts who encounter unknown Go executables in incidents, vendor drops, or compromised environments. It standardizes how you capture sample metadata, recover categorized functions despite stripping or garble obfuscation, map module dependencies, and tabulate command-and-control indicators. The output follows a fixed report skeleton so you can hand findings to blocking, detection, and monitoring work without reinventing sections each time. It assumes comfort with Ghidra and offensive-security context; it is not a substitute for legal authorization or a full SOC playbook. Solo indie builders might use it rarely—mainly when investigating a compromised dependency, a suspicious CLI distributed in your ecosystem, or learning malware analysis—but the primary audience is security-minded operators shipping or operating software who must document Go-specific binary behavior credibly.1installs21Analyzing Heap Spray ExploitationAnalyzing Heap Spray Exploitation is an agent skill for solo builders and small security-focused teams who need repeatable procedures for studying heap spray and related memory-corruption tactics in offensive-security contexts. 
It walks through gadget chain automation, spray size prediction, cross-platform heap metadata forensics, and optional Frida instrumentation, with Python examples tied to tooling such as Ghidra, ROPgadget, Volatility, and GDB. Use it when a binary or implant reference mentions heap spray, Cobalt Strike–style staging, or large controlled allocations and you need analysis artifacts rather than ad-hoc notes. The skill is advanced and native-focused; it complements broader AppSec checklists by going deep on allocator behavior and ROP/JOP preparation. Outputs are analytical summaries and scripted findings you can fold into threat models, incident notes, or hardening tasks before or after ship.1installs22Analyzing Indicators Of CompromiseAnalyzing Indicators Of Compromise is a Security agent skill for solo and indie builders who need repeatable triage when something looks wrong in production or pre-launch monitoring. Instead of improvising in chat, you hand your coding agent concrete artifacts—hashes, IPs, domains, URLs, or pasted intel—and follow a procedural path to validate severity, link related indicators, and decide what to block, rotate, or patch. It fits the Ship security shelf and Operate incident moments when you are wearing every hat and cannot afford a vague “looks fine” answer. The skill emphasizes documentation-friendly conclusions you can attach to a ticket, share with a cofounder, or feed into a deeper forensics step. It does not replace commercial EDR or paid threat feeds; it gives you agent-native procedure so investigation stays consistent under time pressure.1installs23Analyzing Ios App Security With ObjectionAnalyzing iOS App Security With Objection is an agent skill that turns Objection runtime findings into a repeatable security assessment report for solo builders and small teams shipping native iOS products. It is for developers who need App Store–adjacent assurance without hiring a full mobile pentest firm every sprint. 
Use it when you have a build on a jailbroken or instrumented device and want consistent tables for keychain secrets, local storage, network controls, and binary hardening instead of ad-hoc notes. The template forces explicit risk labels and check results so agents and humans can compare releases over time. It matters because mobile data leaks and weak TLS often surface only under dynamic analysis, and a fixed schema makes those issues citable for fix tickets and stakeholder sign-off.1installs24Analyzing Kubernetes Audit LogsAnalyzing Kubernetes Audit Logs is a security-oriented agent skill for solo builders and small teams who run workloads on Kubernetes and need to understand control-plane activity beyond metrics dashboards. Audit logs record requests to the API server—who created roles, patched secrets, exec’d into pods, or changed network policies—making them essential for ship-phase security reviews and operate-phase incident response. Use the skill when you are hardening a cluster before launch, investigating suspicious changes, or documenting access for compliance. It emphasizes structured review of audit events rather than ad-hoc kubectl grepping. Pair it with your cluster’s audit policy configuration and log shipping setup; outputs are findings and timelines you can act on in RBAC, admission controls, or monitoring.1installs25Analyzing Linux Audit Logs For IntrusionThis skill teaches how to parse, filter, and analyze Linux audit logs (auditd output) to identify security threats and intrusion indicators. Solo builders use it when deploying systems on Linux and need to monitor for breach attempts or investigate security incidents. 
It matters because early detection of intrusions can prevent data loss and system compromise, making it essential for any production application running on Linux infrastructure.1installs26Analyzing Linux Elf MalwareAnalyzing Linux ELF Malware is an agent skill from the Anthropic cybersecurity skills lineage for solo and indie builders who need a repeatable way to examine Linux ELF files—not ad-hoc guessing from hexdumps. Install it when a binary, dependency, or incident artifact shows up and you want your coding agent to stay inside a security-first analysis frame instead of improvising dangerous commands. It targets the Ship phase security subphase: validating whether something is benign tooling, packed malware, or a supply-chain risk before you ship or while you respond. The catalog listing ships with minimal SKILL.md body in ingestion (license header only), so treat highlights as category- and name-aligned expectations and verify commands against your environment and the upstream repo before running anything on production hosts. It is advanced, not a substitute for professional IR, and complements generic code review skills by focusing on executable format and threat-oriented reasoning rather than application feature work.1installs27Analyzing Linux Kernel RootkitsAnalyzing-linux-kernel-rootkits is a cybersecurity agent skill from the anthropic-cybersecurity-skills set, aimed at operators who suspect kernel-level persistence on Linux servers. Kernel rootkits alter trust in syscalls, modules, and integrity tooling, so the skill is meant to support structured analysis and detection reasoning rather than everyday application debugging. Solo builders running their own VPS, bare-metal, or self-hosted APIs use it when incident symptoms do not match userspace malware plays—missing processes, inconsistent module lists, or tools that disagree with each other. Prism lists it for advanced operate-phase security work alongside other specialized security skills. 
Because the published SKILL excerpt in catalog ingestion is minimal, treat it as a specialist procedural companion you invoke during active investigations, not a substitute for managed EDR or a commercial forensics retainer.1installs28Analyzing Linux System ArtifactsAnalyzing Linux System Artifacts is an agent skill aimed at solo and indie builders who run their own Linux servers or ship backends on VPS and containers. When something looks wrong—a odd cron job, unfamiliar user, or suspicious binary path—you need a repeatable way to walk through system evidence without guessing. This skill packages cybersecurity-oriented procedural knowledge for Linux artifact analysis so your coding agent asks the right questions, cites the right locations, and keeps investigation steps consistent. It is most natural during security review before launch, after a dependency scare, or when operating production and chasing anomalies in monitoring alerts. It is not a replacement for professional incident response or automated EDR; it is a structured copilot for artifact-focused review. Pair it with your own backups, access controls, and the Security Audits panel on this Prism page before trusting any automated conclusions.1installs29Analyzing Lnk File And Jump List ArtifactsAnalyzing LNK File and Jump List Artifacts is an agent skill that guides digital forensic examiners through documenting Windows shortcut and Recent Items evidence in a standardized report. Solo builders rarely need it unless they run security consulting or internal IR on Windows endpoints; for them it matters when proving what files and removable drives a user touched during a suspected compromise. The skill centers on filling structured tables—LNK file summary, Jump List summary by application, removable media references, and a findings narrative—so Claude or similar agents output court-ready structure instead of ad-hoc bullet lists. 
Use it when you have collected LNK/Jump List exports from an image or live response kit and need consistent case metadata (case number, examiner, evidence source) plus cross-referenced activity. It does not run parsers itself; it enforces the reporting workflow and field completeness that investigators expect in DFIR deliverables.1installs30Analyzing Macro Malware In Office DocumentsAnalyzing Macro Malware in Office Documents is an agent skill from the Anthropic cybersecurity skills line aimed at solo and indie builders who receive Office attachments from customers, partners, or unknown senders. It walks you through interpreting macro-heavy documents so you can decide whether to quarantine, sandbox, or safely dispose of a file before it touches your machine or your app's upload pipeline. Use it when a .docm, .xlsm, or similar file shows unexpected enable-macro prompts, odd metadata, or you need a consistent checklist instead of ad-hoc guessing. The skill emphasizes application security context rather than enterprise SOC playbooks, so it scales down to one-person shops shipping SaaS with file uploads or document workflows. It does not replace a full malware lab; it gives your coding agent procedural knowledge to structure triage and document findings for later review.1installs31Analyzing Malicious Pdf With PeepdfAnalyzing Malicious PDF with peepdf is an agent skill for solo builders and small security-minded teams who need to understand what is inside a questionable PDF before trusting previews, storage, or automated parsers. It centers on peepdf as the inspection lens for PDF internals—streams, objects, and common abuse patterns—so your coding agent can suggest a disciplined triage path instead of double-clicking unknown attachments. Use it when validating file-upload features, debugging customer-reported phishing samples, or pairing agent assistance with hands-on malware homework in the Ship security phase. 
It does not replace a full sandbox or enterprise SOC stack; it compresses procedural knowledge so you know which peepdf-oriented steps to run and what to look for next. Expect integration-style guidance that assumes you will execute commands locally and interpret output critically.1installs32Analyzing Malicious Url With Urlscananalyzing-malicious-url-with-urlscan is a security agent skill that gives solo builders and small teams a repeatable URL analysis report aligned with URLScan workflows. When a suspicious link arrives from email gateway alerts, user reports, or SIEM, the skill walks through documenting the original and defanged URL, capture UUID, redirect chain, page fingerprint, TLS certificate age, and geographic hosting signals. It standardizes cross-reference rows for URLScan verdicts, VirusTotal engine counts, PhishTank, Google Safe Browsing, and AbuseIPDB so findings are comparable case to case. Extracted IOC tables cover domains, IPs, and SHA-256 hashes, then classification checkboxes for credential phishing, malware delivery, scam, benign, or inconclusive outcomes. Recommended actions include proxy, firewall, and email gateway blocks. The skill is template-driven documentation for human analysts using urlscan.io—not a substitute for enterprise SOAR automation.1installs33Analyzing Malware Behavior With Cuckoo Sandboxanalyzing-malware-behavior-with-cuckoo-sandbox is an agent skill from a cybersecurity skills collection focused on driving Cuckoo Sandbox to observe how suspicious files behave in an isolated environment. Solo builders and small security-minded teams can invoke it when they need repeatable dynamic analysis rather than one-off reverse-engineering chat. Prism lists it for agents that orchestrate security tooling during release hardening or incident triage. Because the published SKILL body in catalog ingestion may be sparse, pair agent runs with your own Cuckoo deployment docs and org policies. 
It complements static analysis and is aimed at understanding network, file, and process activity from a sample run.1installs34Analyzing Malware Family Relationships With MalpediaThis skill teaches how to analyze and map malware family relationships using Malpedia, a collaborative repository of malware intelligence. Security researchers and analysts use it to understand how different malware strains are connected—whether through shared code, authors, or tactics—which is critical for building comprehensive threat profiles. By mapping these relationships, teams can predict attack patterns, detect new variants faster, and respond more effectively to security incidents.1installs35Analyzing Malware Persistence With AutorunsAnalyzing Malware Persistence With Autoruns is an agent skill that supplies a structured security analysis report template for documenting persistence discovered via Sysinternals Autoruns-style review. Solo builders and small security-minded teams use it when they need defensible, repeatable write-ups after suspicious startup entries, scheduled tasks, or lateral footholds on Windows endpoints—not a substitute for running Autoruns itself, but the editorial shell around what you found. The template forces explicit sample provenance, tabulated findings by severity, IOC tables for threat intel handoff, and ordered recommendations so an agent or analyst does not ship a vague narrative. It suits indie operators shipping internal tools, consultants producing client deliverables, or developers validating a compromised machine before restore. 
Pair it with your actual forensic commands and log pulls; the skill standardizes the markdown artifact your coding agent can fill incrementally as analysis proceeds. (1 installs)

36. Analyzing Malware Sandbox Evasion Techniques
Analyzing Malware Sandbox Evasion Techniques is an agent skill aimed at security-conscious solo builders and small teams who encounter suspicious executables, cracked dependencies, or post-incident samples and need a structured lens on how malware avoids automated sandboxes. Public SKILL.md body in the indexed package is thin relative to the license block, so tagging emphasizes the declared name and cybersecurity domain: understanding evasion patterns helps you interpret sandbox misses, tune dynamic analysis environments, and write clearer severity notes when an agent or CLI tool flags odd behavior. This is not a drop-in virus scanner; it guides analytical thinking during Ship-phase security reviews. Pair it with formal sandbox products and your own isolation policies. Advanced complexity reflects VM/sandbox literacy and safe handling expectations. (1 installs)

37. Analyzing Memory Dumps With Volatility
Analyzing memory dumps with Volatility is an agent skill aimed at solo and indie operators who need forensic depth when logs are incomplete or an endpoint may be compromised. It walks procedural knowledge for loading images, choosing plugins, and interpreting process lists, network artifacts, and injected code—work that is normally specialist SOC territory but increasingly relevant when you ship agents, workers, or small SaaS on VMs you administer yourself. Use it during Operate when an incident, crash, or abuse report forces you to validate what executed in memory rather than trusting surface telemetry. The packaged SKILL.md in this catalog entry is thin relative to the skill name; treat installs as a starting outline and cross-check commands against current Volatility 2/3 documentation before production decisions.
Complexity is advanced: expect shell access, large binary artifacts on disk, and careful chain-of-custody habits even for personal infra. (1 installs)

38. Analyzing Memory Forensics With Lime And Volatility
Analyzing Memory Forensics with LiME and Volatility is an agent skill aimed at builders and small teams who need to investigate suspected compromise on Linux systems using industry-standard memory capture and framework-based analysis. The catalog entry ships under Apache License 2.0 as part of a cybersecurity skills bundle; invoke it when you must preserve volatile evidence, parse process and network artifacts from a RAM image, and document findings for security review. It is advanced, hands-on work—expect kernel modules, analyst tooling, and careful chain-of-custody—not a substitute for a full SOC. Prism lists it so solo operators shipping APIs or internal services have a procedural anchor when escalating from app logs to host memory forensics during Ship-phase security reviews or post-incident validation. (1 installs)

39. Analyzing Mft For Deleted File Recovery
Analyzing MFT for deleted file recovery is a security-oriented agent skill that guides you through documenting Windows NTFS Master File Table analysis in a standardized forensic report. Solo builders and small teams rarely run full DFIR shops, but the same structure helps when you self-audit a compromised laptop, validate backup integrity, or hand findings to a consultant. The skill centers on a case-information header, aggregate record counts, a prioritized table of deleted entries worth carving or exporting, and explicit timestomping indicators where standard information and filename timestamps disagree. Use it after you have extracted or parsed MFT data from tools in your chain—not as a substitute for imaging discipline or chain-of-custody process.
Output is narrative-ready for compliance or incident notes while keeping examiners aligned on metrics and filenames. (1 installs)

40. Analyzing Network Covert Channels In Malware
Analyzing Network Covert Channels in Malware is an agent skill for solo and indie security-minded builders who need a consistent written artifact after digging into suspicious binaries or traffic. The packaged SKILL content centers on a formal Analysis Report Template: you capture sample identifiers, document findings with severity, extract indicators of compromise in tabular form, and list prioritized recommendations—matching how small teams share limited-access (TLP:AMBER) research without ad-hoc chat logs. Use it when your agent has already performed or summarized technical analysis of covert C2 patterns (DNS tunneling, protocol steganography, timing channels) and you want the output normalized for reviewers, clients, or your own incident notes. It does not replace disassemblers, sandboxes, or PCAP tools; it standardizes the narrative layer so Ship-phase security reviews stay comparable across engagements. Confidence is moderate because the ingested readme emphasizes the template scaffold rather than step-by-step detection recipes—pair with your lab toolchain and human judgment on attribution and disclosure. (1 installs)

41. Analyzing Network Flow Data With Netflow
NetFlow analysis is a technique for collecting and analyzing network traffic data to understand how data moves through your infrastructure. Solo builders use this skill to monitor network performance, detect unusual traffic patterns, and diagnose connectivity problems in production environments.
It matters because network visibility is fundamental to maintaining reliable, performant systems and responding quickly when issues arise. (1 installs)

42. Analyzing Network Packets With Scapy
analyzing-network-packets-with-scapy is an agent skill from a cybersecurity skills bundle that guides solo builders through packet capture and analysis using Python’s Scapy library. Install it when you ship networked services—REST gateways, webhooks, agents calling third-party APIs—and need to confirm what actually crosses the wire instead of trusting application logs alone. The skill sits in the security lane of the journey: reproducing suspicious flows, validating TLS and protocol behavior, and supporting audit-style questions during ship and early operate. Prism’s excerpt emphasizes licensing and collection context; treat the skill as procedural knowledge for structured Scapy workflows rather than a hosted scanner. It suits intermediate builders comfortable running capture tooling locally or in lab environments. Use it alongside code review and monitoring skills when failures are intermittent or when you suspect misconfigured clients, DNS, or middleboxes. (1 installs)

43. Analyzing Network Traffic For Incidents
Network traffic analysis for incidents involves examining packet-level data and traffic flows to identify suspicious activity, security breaches, and malicious behavior. Solo builders use this skill when their systems experience potential security events and need to understand what happened. It's critical for incident response, forensics, and understanding the full scope of a security breach. (1 installs)

44. Analyzing Network Traffic Of Malware
Analyzing Network Traffic of Malware is a specialized agent skill aimed at security-minded solo builders and small teams who need structured help interpreting network captures tied to malicious software.
When you already have PCAPs, firewall logs, or proxy flows and need to explain what the malware is doing on the wire, the skill steers the agent toward systematic traffic review rather than guessing from filenames alone. It sits in the Ship phase under security because its value appears when you are validating exposure, hunting lateral movement, or documenting IOCs before you patch or redeploy. The published SKILL excerpt in the catalog is sparse beyond licensing, so treat capabilities as methodology for malware-oriented traffic analysis rather than a turnkey Wireshark automation. Pair it with broader incident response and hardening skills when you move from analysis to fix. Intermediate to advanced users who understand TCP/IP and basic malware lifecycles get the most from it. (1 installs)

45. Analyzing Network Traffic With Wireshark
analyzing-network-traffic-with-wireshark is an agent skill from the anthropic-cybersecurity-skills collection that steers solo builders and small teams through packet capture analysis using Wireshark-style workflows. Use it when you need to verify what your app actually sends on the wire, trace authentication or API failures, or document suspicious traffic during a security review. The published SKILL artifact in this ingest is primarily license metadata; placement and copy assume the standard cybersecurity-skills intent—structured prompts for filters, protocol fields, and incident narratives rather than replacing a certified SOC process. It suits developers who ship web APIs, agents, or internal tools and must self-serve forensics without a dedicated NOC. Combine with broader hardening skills after you isolate the flows that matter. (1 installs)

46. Analyzing Office365 Audit Logs For Compromise
Analyzing Office365 Audit Logs For Compromise is an agent skill aimed at solo builders and small teams who run on Microsoft 365 and need a repeatable way to read audit logs when something looks wrong.
Instead of ad-hoc searching in the compliance center, the skill frames how to pull relevant Unified Audit Log activity, correlate risky patterns such as impossible travel, privilege escalation, suspicious inbox rules, and mass downloads, and turn raw events into a short incident narrative you can act on. It fits the Operate phase when you are responding to alerts, validating a phishing aftermath, or doing periodic tenant hygiene—not when you are shipping application code. Expect procedural security knowledge rather than a turnkey SIEM integration; you still need appropriate Microsoft admin roles and export access. Use it when cloud identity compromise is plausible and you want structured questions and interpretation steps rather than guessing which cmdlet or portal view to open first. (1 installs)

47. Analyzing Outlook Pst For Email Forensics
Analyzing Outlook PST for Email Forensics is an agent skill aimed at builders and small teams who need to examine Outlook Personal Storage Table files during security reviews, HR matters, or legal holds. It sits in the Ship phase under security because the work is about extracting trustworthy evidence from email archives—not shipping features or running production dashboards. Solo operators often receive a PST dump with little context; this skill gives the agent a consistent lens for what to look for, how to scope the examination, and how to avoid mishandling chain-of-custody assumptions. It pairs naturally with broader audit and compliance skills when you must correlate mailbox content with access logs or policy violations. Expect advanced familiarity with forensic constraints and Windows-centric mail formats; it is not a general-purpose email client integration for product features. (1 installs)

48. Analyzing Packed Malware With Upx Unpacker
Analyzing packed malware with UPX unpacker is a technique for decompressing and examining executable files that have been compressed using the UPX packer.
Security researchers and incident responders use this skill when investigating suspicious binaries to uncover hidden code, understand malware behavior, and extract forensic artifacts. Mastering this technique is critical for threat analysis and developing effective detection signatures. (1 installs)

49. Analyzing Pdf Malware With Pdfid
Analyzing PDF malware with PDFiD is an agent skill aimed at indie builders and operators who receive PDFs from users, vendors, or email and need a fast structural read before execution risk spreads. It guides the agent through PDFiD-oriented analysis: enumerating suspicious PDF constructs and correlating counts with common malware patterns rather than trusting file extensions alone. Typical use is pre-release attachment review, incident response on a questionable download, or validating that a support upload is not weaponized. The skill stays at the triage layer—it does not replace full dynamic sandboxes or enterprise SOAR—but it gives repeatable steps a coding agent can run beside your repo. Pair it with your local PDFiD install and organizational policy on handling quarantined samples. (1 installs)

50. Analyzing Persistence Mechanisms In Linux
Analyzing persistence mechanisms in Linux is an agent skill for solo and indie builders who run Linux APIs, CLIs, or self-hosted agents and need disciplined ways to find how attackers survive reboots. The skill name targets cron jobs, systemd units, startup scripts, authorized keys, and similar footholds that are easy to miss when you ship fast without a dedicated SOC. Use it during ship security reviews, after a suspected breach, or when operate-phase logs show recurring unknown processes. It lives in a cybersecurity skills collection so your coding agent can walk checklists instead of improvising grep one-liners. Expect procedural guidance rather than a live scanner MCP; you still run commands on the host.
Best for builders who own their VPS, homelab, or small fleet and want repeatable persistence triage without hiring a full-time analyst. (1 installs)

51. Analyzing Powershell Empire Artifacts
analyzing-powershell-empire-artifacts is an agent skill aimed at solo builders and small security-minded teams who need structured help interpreting artifacts linked to the PowerShell Empire adversary framework. Empire-class tooling leaves distinctive PowerShell staging, module loading, and persistence patterns; this skill orients your agent toward defender workflows—cataloging suspicious scripts, correlating execution evidence, and reasoning about post-exploitation behavior rather than treating logs as opaque text. Prism lists it under Ship security because the payoff is catching risky remnants before you ship updates, publish infrastructure, or close an incident ticket. The published readme excerpt is license-forward, so treat operational steps as agent-procedural knowledge you still validate against your SOC playbooks and legal scope. Use when IR, red-team debriefs, or compliance reviews explicitly mention Empire, PS Empire, or similar modular PowerShell C2 kits. (1 installs)

52. Analyzing Powershell Script Block Logging
analyzing-powershell-script-block-logging is a cybersecurity-oriented agent skill focused on interpreting PowerShell Script Block Logging—Windows Event Tracing for Defender-class pipelines that records de-obfuscated script segments at execution time. Solo builders shipping SaaS on Windows servers or supporting enterprise customers often inherit EDR and SIEM expectations even when their day job is product code; this skill gives agents a named procedure for turning noisy script-block events into reviewable findings instead of ad-hoc grep. It sits in the Ship security lane because you typically enable, tune, and validate logging before you sign off on production posture, though operators may revisit it during incidents.
Expect advanced familiarity with Windows logging, event IDs, and defender tooling; it is not a substitute for full purple-team exercises or generic secret scanning in CI. (1 installs)

53. Analyzing Prefetch Files For Execution History
Analyzing Prefetch Files for Execution History is an agent skill aimed at solo builders and indie operators who need lightweight digital forensics without a full DFIR team. Windows Prefetch stores metadata about recently launched executables; this skill guides structured interpretation of those artifacts so you can corroborate or refute what ran on a workstation or build VM. Use it during security reviews, suspected compromise triage, or compliance checks when Event Viewer and EDR data are incomplete. The skill is phase-specific to Ship → security: it does not replace secure coding in Build, but it closes the gap when you must reason about ground truth on a Windows endpoint. Pair it with broader hardening and logging skills; treat conclusions as corroborating evidence alongside other telemetry. Because published SKILL.md in the repo is minimal, treat operational steps as agent-procedural knowledge you validate against your toolchain and jurisdiction before production IR. (1 installs)

54. Analyzing Ransomware Encryption Mechanisms
analyzing-ransomware-encryption-mechanisms is an agent skill from the Anthropic cybersecurity skills lineage that guides systematic analysis of how ransomware families implement encryption—keys, modes, file targeting, and operational constraints—so you can reason about blast radius and controls. Solo builders with security responsibilities, indie SaaS operators handling customer data, or small teams doing threat-informed design use it during security reviews, tabletop exercises, or post-incident learning—not for everyday feature work. The public Prism excerpt is predominantly license text, so invocation details should be confirmed in the full SKILL.md before autonomous runs.
Treat outputs as analytical hypotheses that must be validated against samples, logs, and your environment. The skill advances Ship-phase security depth by translating encryption behavior into actionable detection and backup priorities without replacing professional incident response. (1 installs)

55. Analyzing Ransomware Leak Site Intelligence
This skill teaches analysts how to systematically collect and analyze intelligence from ransomware leak sites where threat actors publish stolen data and ransom demands. Security teams use it to identify threats targeting their organization, understand attacker tactics, and enhance their defensive posture. Analyzing leak site intelligence is critical for threat assessment, incident response coordination, and staying ahead of evolving ransomware campaigns. (1 installs)

56. Analyzing Ransomware Network Indicators
Analyzing Ransomware Network Indicators is a security-focused agent skill from the Anthropic cybersecurity skills corpus, aimed at helping operators and indie builders with production exposure interpret network-level signs associated with ransomware activity. Prism lists it for solo founders who wear the security hat: when logs, DNS, beaconing, or C2-like traffic patterns raise alarm, the skill steers systematic indicator review rather than ad-hoc guessing. Public README material in the ingest is largely license text, so treat operational steps as defined in the full SKILL.md in-repo. Use during Operate when investigating anomalies or validating threat intel, often paired with monitoring and IR runbooks. Intermediate to advanced: comfort with networks, logs, and incident escalation is assumed.
Outcomes are clearer prioritization of network IoCs and next investigative actions—not automatic eradication without human judgment. (1 installs)

57. Analyzing Ransomware Payment Wallets
Analyzing Ransomware Payment Wallets is an agent skill from the Anthropic cybersecurity skills collection that helps solo builders and small security teams structure investigation of cryptocurrency addresses used in ransomware extortion. The skill is meant for agents assisting with threat research, SOC triage, or compliance-adjacent documentation when you need repeatable steps rather than ad-hoc blockchain queries. It targets builders shipping security tooling, running internal IR playbooks, or embedding agent workflows in DevSecOps—not casual product features. Use it when you have a suspected wallet hash or ransom note and need guided analysis patterns; pair it with your own chain analytics tools and jurisdictional policies. Because the packaged readme is license-only, treat triggers and outputs as defined by the upstream SKILL.md in the repo before automating production decisions. (1 installs)

58. Analyzing Sbom For Supply Chain Vulnerabilities
Analyzing SBOM for supply chain vulnerabilities is an agent skill from a cybersecurity skills collection focused on reading a software bill of materials and surfacing dependency risks that affect what you ship. Solo and indie builders invoke it when they need to understand what libraries sit in their product, which versions are exposed, and where known weaknesses might enter the chain without hiring a dedicated AppSec team. The skill sits primarily in Ship security reviews ahead of launch, and remains useful in Operate when you refresh images or bump lockfiles after advisories. It complements automated scanners by giving agents a procedural lens for SBOM interpretation, correlation, and remediation planning.
Tag confidence is moderate because ingested readme content in Prism may be license text only; placement follows the skill name and anthropic-cybersecurity-skills domain. Expect intermediate complexity—you should have an exportable SBOM (SPDX, CycloneDX, or tool-generated equivalent) and basic familiarity with semver and CVE language. Outcomes include a clearer picture of risky components and next steps to patch, pin, or replace dependencies before customers inherit them. (1 installs)

59. Analyzing Security Logs With Splunk
Analyzing Security Logs With Splunk is an agent skill that teaches solo builders and small teams how to turn raw security telemetry into actionable hunts using Splunk Search Processing Language. It is aimed at operators who already ingest auth, firewall, endpoint, and proxy logs and need repeatable queries instead of ad-hoc grep in production. The skill walks through index and sourcetype hygiene, basic and advanced SPL, statistical correlation, and threat-hunting patterns aligned to common MITRE-style scenarios such as credential abuse, exfiltration, and lateral movement. It also covers dashboard and alert design, CIM-oriented field normalization, and performance tactics so searches stay within SLA during incidents. Use it when you are responding to alerts, doing proactive hunts, or improving detection coverage after a near-miss. It does not replace a full SOC playbook or vendor-specific Enterprise Security configuration, but it gives your coding agent structured SPL templates and investigation steps you can adapt to your indexes. (1 installs)

60. Analyzing Slack Space And File System Artifacts
Analyzing Slack Space And File System Artifacts is a security-focused agent skill from the Anthropic cybersecurity skills set, intended to help you systematically examine Slack workspace evidence and on-disk artifacts during investigations or hardening passes.
Catalog ingest did not include the procedural SKILL.md body beyond license text, so placement follows the skill name and collection context: collaboration-tool forensics plus host filesystem review for indie operators who run their own repos, bots, and small-team Slack. Expect the full skill—when present in the upstream repo—to structure what to collect, how to interpret workspace and file metadata, and how to document findings for remediation. Use it in Ship when validating security before launch or after a suspicious login, webhook abuse, or leaked token—not as a substitute for professional IR when regulatory or customer impact is high. Pair with broader security audit skills in the same collection for coverage gaps. (1 installs)

61. Analyzing Supply Chain Malware Artifacts
Analyzing-supply-chain-malware-artifacts is a security agent skill that gives solo builders and small security-minded teams a repeatable report skeleton for suspicious dependency or package artifacts. The SKILL content centers on filling structured tables for sample metadata, graded findings, extracted indicators of compromise, and prioritized recommendations—suited when you are investigating a potentially malicious supply-chain sample rather than doing casual code review. It does not replace automated scanners; it standardizes human-led triage so nothing critical is omitted from the write-up. Invoke it when you need a formal analysis memo after obtaining hashes and file types from an incident or hunt. Pair with your own tooling for sandbox execution and verification; this skill packages the documentation ritual. (1 installs)

62. Analyzing Threat Actor Ttps With Mitre Attack
Analyzing Threat Actor TTPs with MITRE ATT&CK is an agent skill that gives solo builders and tiny teams a repeatable intelligence report skeleton instead of ad-hoc markdown notes.
It walks through report metadata (TLP, analyst, group ID), actor profiling, tactic-level technique counts, row-level ATT&CK mappings such as T1566.001 spearphishing attachments, and an explicit detection coverage section that highlights what your telemetry already catches versus blind spots. Use it when you need to document how a named group operates, communicate risk to stakeholders, or drive detection engineering priorities without standing up a full threat-intel platform. The template forces coverage math and gap ordering so agents do not stop at technique lists. It complements secure coding skills by connecting behaviors to observable data sources; you still must validate intel against your environment and legal sharing boundaries. (1 installs)

63. Analyzing Threat Actor Ttps With Mitre Navigator
Analyzing Threat Actor TTPs with MITRE Navigator is an agent skill aimed at solo builders and small teams who must translate vague security worry into an ATT&CK-grounded picture of what adversaries actually do. Instead of generic checklists, it steers the agent through technique mapping and Navigator-friendly outputs so you can see gaps in detection, hardening, and response before customers or auditors ask harder questions. Use it when you are preparing a ship gate, responding to an incident hypothesis, or documenting why certain controls matter. Pair it with your own telemetry and threat intel—the skill structures analysis; it does not replace formal pen tests or SOC operations. (1 installs)

64. Analyzing Threat Intelligence Feeds
analyzing-threat-intelligence-feeds is a security agent skill from the Anthropic cybersecurity skills lineage, intended for builders who must make sense of noisy IOC and threat feeds without a full-time SOC. Prism lists it for solo developers shipping APIs, agents, or SaaS who still need disciplined triage: which feeds to trust, how to normalize indicators, and what merits a code or config change before launch.
The canonical placement is Ship under security, but the same analysis supports Operate when monitoring new campaigns against production telemetry. Because the indexed readme in this batch is license text only, treat operational steps as defined in the full SKILL.md in-repo—install when your agent should follow a CTI checklist rather than hallucinating CVE relevance. Always pair automated analysis with human judgment for attribution and legal constraints on sharing indicators. (1 installs)

65. Analyzing Threat Landscape With Misp
MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform that helps security teams aggregate, share, and analyze threat data. A solo builder or security team uses it to centralize indicators of compromise (IOCs), malware signatures, and vulnerability intelligence from multiple sources, making it easier to understand the threat landscape and respond to emerging risks. This matters because fragmented threat intelligence is less actionable—MISP enables correlation and pattern recognition that helps prioritize security efforts and detect threats faster. (1 installs)

66. Analyzing Tls Certificate Transparency Logs
analyzing-tls-certificate-transparency-logs is a security-focused agent skill from an Anthropic-oriented cybersecurity skills collection, aimed at helping builders query and interpret CT logs to find certificates issued for names you control—or names attackers might typosquat. Solo founders rarely have a dedicated security team, yet a single unexpected cert can signal DNS takeover, compromised panel, or a sloppy subdomain spray. Invoke this when you are hardening Ship checks or doing periodic Operate sweeps, not when you only need local dev HTTPS with mkcert.
Prism ingestion may not yet include the full procedural body; treat the skill name and repo theme as the capability contract until richer SKILL.md lands. (1 installs)

67. Analyzing Typosquatting Domains With Dnstwist
Analyzing Typosquatting Domains with dnstwist is an agent skill from a cybersecurity-oriented skill pack that guides solo builders through discovering look-alike domains that target their brand, product name, or primary hostname. Typosquatting remains one of the cheapest attacks against indie SaaS: a single swapped letter or homoglyph can harvest credentials or siphon support traffic while you are still small enough to notice late. This skill orients your coding agent around dnstwist’s permutation and DNS analysis mindset so you generate candidate domains, interpret active vs parked registrations, and prioritize domains that overlap your user-facing URLs or OAuth redirect patterns. It is most valuable when you have chosen a public domain, registered social handles, or published a marketing site—moments when impersonation becomes economically attractive. Expect workflow steps that assume CLI tooling and disciplined scope (your brands only), not blanket scanning of unrelated companies. Results should feed registrar defensive registration decisions, WAF rules, user education, and monitoring hooks in Operate. Because packaged readmes may ship license boilerplate, treat invoke triggers (1 installs)

68. Analyzing Uefi Bootkit Persistence
analyzing-uefi-bootkit-persistence is a security-oriented agent skill from the Anthropic cybersecurity skills line, aimed at analysts who need to reason about UEFI-level bootkits and how they maintain persistence beneath the operating system. Solo builders shipping desktop tools, security products, or managing their own dev hardware benefit when an agent can frame boot firmware attack surfaces, persistence indicators, and investigation steps instead of generic malware advice.
Prism lists it for builders who wear a security hat during Ship-phase hardening or when investigating a machine that may survive wipes via firmware implants. Public ingest for this listing did not include SKILL.md body beyond license text, so treat capability claims as name- and collection-level until you open the full skill in-repo. Pair with disk, memory, and supply-chain checks; this skill narrows the problem class to UEFI bootkit persistence rather than replacing a full DFIR lab. (1 installs)

69. Analyzing Usb Device Connection History
Analyzing USB Device Connection History is a security-oriented agent skill from the Anthropic cybersecurity skills line aimed at helping you interpret historical USB attachment evidence on endpoints. Solo builders and indie operators who ship desktop utilities, handle customer data on laptops, or run small-team IR drills install it when they need structured prompts for removable-media timelines rather than improvised shell grepping. Prism lists it under ship security because the payoff is catching policy violations, staging vectors, or post-incident scope before broader launch or operate phases. Public SKILL excerpts in the bundle emphasize licensing metadata; pair this skill with your OS-specific artifact locations and chain-of-custody practices. It is not a substitute for enterprise EDR, certified forensics labs, or legal discovery processes. (1 installs)

70. Analyzing Web Server Logs For Intrusion
This skill teaches how to parse, search, and analyze web server logs to detect unauthorized access attempts, malicious payloads, and anomalous behavior. A solo builder uses it when investigating security incidents or implementing proactive threat monitoring on their production systems.
It matters because early intrusion detection can prevent data breaches, unauthorized access, and service disruptions. (1 installs)

71. Analyzing Windows Amcache Artifacts
Analyzing Windows Amcache Artifacts is an agent skill aimed at security practitioners and indie builders who maintain Windows fleets or investigate compromised laptops. Amcache records program execution and inventory metadata that investigators use to reconstruct timelines, spot unauthorized binaries, and correlate persistence with user activity. The skill packages procedural knowledge so Claude Code, Cursor, or Codex can walk you through artifact locations, interpretation pitfalls, and how Amcache complements prefetch, shimcache, and event logs. Use it when you are operating in production or handling an alert—not when you are still validating a product idea. It is intermediate complexity because registry forensics assumes familiarity with Windows internals and chain-of-custody discipline. Prism lists it under Security so solo operators can find forensic depth without ad-hoc forum threads. (1 installs)

72. Analyzing Windows Event Logs In Splunk
This skill teaches how to ingest, search, and analyze Windows event logs using Splunk to uncover security incidents and operational issues. Solo builders and ops teams use it to investigate suspicious activity, audit system changes, and respond to security events. It matters because Windows logs contain critical evidence of breaches, privilege escalation, and system misconfigurations that are essential for security posture and compliance. (1 installs)

73. Analyzing Windows Lnk Files For Artifacts
Analyzing Windows LNK Files for Artifacts is a security-oriented agent skill aimed at defenders and builders who need structured help examining Windows shortcut files for execution paths, timestamps, and other forensic indicators.
Solo operators running small SaaS or internal tools still encounter Windows clients, phishing lures, and compromised laptops; this skill slots into a ship-phase security mindset when you are validating whether a machine or artifact chain looks benign before you trust production access. The catalog ingest for this entry is thin on procedural steps in the excerpt Prism received, so treat it as a specialized forensics helper to pair with your own tooling and legal scope. Use when triaging suspected malicious shortcuts or documenting artifact fields for a report, not as a substitute for full disk imaging or certified IR playbooks.1installs74Analyzing Windows Prefetch With Pythonanalyzing-windows-prefetch-with-python is an agent skill from a cybersecurity skills bundle focused on interpreting Windows Prefetch data using Python. Solo builders who also operate their own Windows dev machines, run small IT for a side project, or contribute to security automation can use it when they need structured guidance for parsing prefetch-related evidence instead of guessing file formats. The skill is suited to incident triage, understanding what executables ran on a host, and building repeatable scripts that analysts or agents can run in a controlled environment. Prism lists it for builders who ship software but must also reason about endpoint security during reviews or post-incident checks. Pair it with proper legal authorization, isolated lab VMs, and your org’s IR playbook rather than running exploratory parsers on production employee laptops without clearance.1installs75Analyzing Windows Registry For Artifactsanalyzing-windows-registry-for-artifacts is an agent skill aimed at builders and operators who need structured help interpreting Windows Registry data during security work. 
Prism ingested the package from the anthropic-cybersecurity-skills collection; the published artifact emphasizes licensing metadata, so you should treat the skill name and collection context as the primary signal: it teaches or orchestrates registry-oriented artifact hunting rather than generic code review. Use it when you are hardening a Windows desktop or server product, responding to suspicious host behavior, or documenting what keys and hives to inspect for persistence and user-activity traces. Solo builders shipping Windows clients or supporting small fleets can pair it with their agent to keep registry checks repeatable instead of reinventing DFIR checklists in chat. Review upstream SKILL.md in the repo for the full hive list and parsing steps before relying on it in production investigations.1installs76Analyzing Windows Shellbag Artifactsanalyzing-windows-shellbag-artifacts guides solo builders, consultants, and small security teams through documenting Windows Shellbag forensic results in a consistent report layout. Shellbags reveal historical folder browsing—including removable and UNC paths—which matters when you are validating whether a compromised laptop accessed sensitive shares or staging directories. The skill supplies tabular sections for folder access summaries, USB timelines, and network share hits so an agent does not improvise incompatible headings during IR. It fits builders who wear both dev and ops hats and need repeatable DFIR-style output without opening a full commercial case-management suite. Use it when you already extracted shellbag data with your toolchain and need human-readable case notes for clients, insurers, or internal postmortems. 
It does not replace proper chain-of-custody tooling; it standardizes how findings are narrated for Ship-phase security reviews and Operate-phase incident follow-up.1installs77Auditing Azure Active Directory Configurationauditing-azure-active-directory-configuration is an agent skill from the Anthropic cybersecurity skills lineage focused on reviewing Microsoft Entra ID (Azure Active Directory) tenant configuration. Solo founders shipping B2B SaaS or internal tools on Azure use it when identity is the blast radius: conditional access policies, legacy auth exposure, guest access, privileged roles, and sync misconfigurations that agents can walk through systematically instead of improvising checklists in chat. Prism lists it under Ship security as the primary shelf, with secondary use in Operate monitoring when you re-audit after org changes. Public SKILL body in the ingest was sparse (license text only), so operational steps should be validated against the full repo file before production audits. Treat outputs as guidance that still needs human verification and your change-management process.1installs78Auditing Cloud With Cis BenchmarksCIS Benchmarks provide standardized, consensus-driven security guidelines for configuring cloud infrastructure and systems. Solo builders use this skill to audit their cloud environments, validate security configurations, and ensure compliance with industry best practices. This matters because it helps prevent security breaches, ensures regulatory compliance, and reduces the risk of infrastructure misconfigurations that could expose sensitive data or systems.1installs79Auditing Gcp Iam PermissionsAuditing GCP IAM permissions is an agent skill for solo builders and small teams running workloads on Google Cloud who need repeatable identity reviews without a dedicated cloud security hire. 
It guides structured inspection of IAM roles, bindings, service accounts, and inherited organization policies so you can spot standing admin access, stale principals, and cross-project privilege sprawl before customers or auditors ask. Use it when you are shipping a new environment, onboarding contractors, or rotating keys after an incident. The skill fits the Security discipline in Prism and pairs with broader compliance work when you later need evidence of access governance. Expect checklist-style analysis rather than live API automation unless your agent is wired to gcloud—treat outputs as a review draft you validate against your console and policy baselines.1installs80Auditing Kubernetes Cluster RbacAuditing Kubernetes Cluster RBAC is an agent skill aimed at solo and indie builders who run apps on Kubernetes and need repeatable role-and-binding reviews without hiring a dedicated platform security team. It instructs your coding agent to walk cluster RBAC configuration—who can create secrets, exec into pods, or escalate privileges—and surface excessive grants before they become incidents. Use it when you are shipping a new service account layout, onboarding a contractor, or responding to a leaked kubeconfig. The skill fits the Ship and Operate phases as a checker-style ritual you invoke against kube-apiserver context you already trust. It complements generic linting by focusing on authorization graphs rather than container image CVEs. Pair it with your existing kubectl or cloud-console workflow; the agent structures questions and findings you can paste into tickets or policy docs. 
Because the published SKILL body in-repo is minimal beyond licensing, treat outputs as advisory and validate every recommendation against your org’s least-privilege baseline and live `kubectl auth can-i` checks.1installs81Auditing Terraform Infrastructure For SecurityAuditing Terraform Infrastructure for Security is an agent skill aimed at solo builders who manage their own cloud with Terraform and cannot afford a dedicated platform security team. Instead of hoping a generic linter catches everything, the skill steers the agent through a security-oriented pass over modules, variables, IAM bindings, network exposure, secrets handling, and state/backend choices— the places AI-generated infra often drifts toward convenience over least privilege. Use it in the Ship phase when a PR touches .tf files, before terraform apply in staging, or when onboarding a new environment copied from a tutorial. Outputs are findings and remediation guidance you can turn into tasks or policy checks. It is a checker-style skill, not a live scanner replacement; you still own account guardrails and the Security Audits panel on Prism for package trust. Pair with your existing CI plan review for defense in depth.1installs82Auditing Tls Certificate Transparency LogsAuditing TLS Certificate Transparency Logs is a security-focused agent skill from the Anthropic cybersecurity skills family. It guides solo builders and small teams through reviewing Certificate Transparency (CT) records for domains they operate—surfacing certificates you did not expect, wildcard expansions, or issuer changes that warrant investigation. CT logs are public by design; the skill turns that visibility into a repeatable audit ritual you can run before launch and on a calendar during Operate, without needing a full SOC. Use it when you add subdomains, rotate CAs, or after a phishing scare to confirm nobody obtained a valid cert for your hostname. 
The skill emphasizes methodical queries and interpretation rather than automated blocking—outputs are findings you can triage, document, and feed into DNS, CA, or incident response playbooks. Pair with broader secret and dependency audits on Prism for defense in depth.1installs83Automating Ioc Enrichmentautomating-ioc-enrichment is an agent skill aimed at security-minded solo builders and indie teams who need to turn raw indicators into actionable context without opening five browser tabs. It packages procedural steps for enriching IOCs—such as tying hashes, domains, and addresses to reputation and context—so your coding agent can run a repeatable enrichment pass as part of alert triage or post-deploy review. Because the published SKILL excerpt in the catalog is thin, treat it as a focused security automation module within mukul975’s Anthropic cybersecurity skills collection rather than a full SIEM replacement. Use it when you already have indicators from logs, a breach checklist, or a dependency audit and want structured enrichment before blocking, patching, or documenting an incident. Pair with review and monitoring skills once you have production traffic to watch.1installs