Cyber Ir Playbook
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill coherently builds local incident-response timeline reports, with the main caveat that its dry-run option still writes an output file.
This appears safe to install for local IR timeline and report generation. Before running it, use copies of incident logs when appropriate, pick a dedicated output folder, and remember that --dry-run still creates the output file.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken output path could write the report somewhere unintended or overwrite an existing file.
The utility writes to a user-selected output path and creates parent directories. This is expected for report generation, but it can create or replace files if given an unsafe path.
parser.add_argument("--output", required=True, help="Path to output artifact.") ... output_path.parent.mkdir(parents=True, exist_ok=True) ... output_path.write_text(...)
Use a dedicated incident-report output directory and avoid system, credential, or unrelated project paths.
A user who expects dry-run mode to avoid file creation may still get a written report file.
The dry-run help text says there are no side effects, but the script still calls render unconditionally and writes the output artifact.
parser.add_argument("--dry-run", action="store_true", help="Run without side effects.") ... render(result, Path(args.output), args.format)
Do not rely on --dry-run to prevent file writes unless the script is corrected; use a temporary output path for testing.
