Security checks across malware telemetry and agentic risk
The skill is a coherent Elasticsearch/Kibana helper, but it gives an agent broad live data and admin powers without enough built-in safety checks.
Install only if you are comfortable letting an agent generate and run Elasticsearch/Kibana API calls. Use least-privilege, task-specific API keys, prefer read-only keys for search, avoid production admin credentials, keep secrets out of shell profiles and transcripts, and manually approve any DELETE, bulk write, reindex, alias, ILM, cluster-setting, dashboard import/export, saved-object delete, or alert-rule change.
# All requests follow this pattern:
curl -s "${ES_URL%/}/<endpoint>" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '<json-body>'
```If the user provides a URL and key, export them as `ES_URL` and `ES_API_KEY` before running commands.
**Important — variable expansion in curl:**
- Always use `$(printenv ES_API_KEY)` instead of `$ES_API_KEY` in curl headers. The `$ES_API_KEY` variable may not expand correctly in the shell, resulting in empty `Authorization` headers and 401 errors.
- Always use `${ES_URL%/}` to strip any trailing slash from the URL, preventing double-slash path issues (e.g., `//_cluster/health`).
## Quick Health Check```bash
# Cluster health (green/yellow/red) — NOT available on serverless
curl -s "${ES_URL%/}/_cluster/health" -H "Authorization: ApiKey $(printenv ES_API_KEY)" | jq .
# Node stats summary — NOT available on serverless
curl -s "${ES_URL%/}/_cat/nodes?v&h=name,heap.percent,ram.percent,cpu,load_1m,disk.used_percent" \# Node stats summary — NOT available on serverless
curl -s "${ES_URL%/}/_cat/nodes?v&h=name,heap.percent,ram.percent,cpu,load_1m,disk.used_percent" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)"
# Index overview (works on both serverless and traditional)
curl -s "${ES_URL%/}/_cat/indices?v&s=store.size:desc&h=index,health,status,docs.count,store.size" \# Index overview (works on both serverless and traditional)
curl -s "${ES_URL%/}/_cat/indices?v&s=store.size:desc&h=index,health,status,docs.count,store.size" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)"
```
**Serverless Elasticsearch:** If you get `api_not_available_exception` errors, the cluster is running in serverless mode. The following APIs are **not available** in serverless:```bash
# Simple match query
curl -s "${ES_URL%/}/my-index/_search" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{
"query": { "match": { "message": "error timeout" } },# Bool query (must + filter + must_not)
curl -s "${ES_URL%/}/my-index/_search" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{
"query": {```bash
# Create index with mappings
curl -s -X PUT "${ES_URL%/}/my-index" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{
"settings": { "number_of_shards": 1, "number_of_replicas": 1 },# Index a document (auto-generate ID)
curl -s -X POST "${ES_URL%/}/my-index/_doc" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{ "message": "hello world", "@timestamp": "2026-01-31T12:00:00Z", "level": "info" }'# Index with specific ID
curl -s -X PUT "${ES_URL%/}/my-index/_doc/doc-123" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{ "message": "specific doc", "level": "warn" }'-d '{ "message": "specific doc", "level": "warn" }'
# Get document
curl -s "${ES_URL%/}/my-index/_doc/doc-123" -H "Authorization: ApiKey $(printenv ES_API_KEY)" | jq .
# Update document (partial)
curl -s -X POST "${ES_URL%/}/my-index/_update/doc-123" \# Update document (partial)
curl -s -X POST "${ES_URL%/}/my-index/_update/doc-123" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{ "doc": { "level": "error" } }'# Delete document
curl -s -X DELETE "${ES_URL%/}/my-index/_doc/doc-123" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)"
# Bulk operations (newline-delimited JSON)
curl -s -X POST "${ES_URL%/}/_bulk" \# Bulk operations (newline-delimited JSON)
curl -s -X POST "${ES_URL%/}/_bulk" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/x-ndjson" \
--data-binary @- << 'EOF'
{"index":{"_index":"my-index"}}```bash
# Terms aggregation (top values)
curl -s "${ES_URL%/}/my-index/_search?size=0" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{
"aggs": {# Date histogram + nested metric
curl -s "${ES_URL%/}/my-index/_search?size=0" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{
"query": { "range": { "@timestamp": { "gte": "now-24h" } } },```bash
# Get mapping
curl -s "${ES_URL%/}/my-index/_mapping" -H "Authorization: ApiKey $(printenv ES_API_KEY)" | jq .
# Add field to existing mapping (mappings are additive — you can't change existing field types)
curl -s -X PUT "${ES_URL%/}/my-index/_mapping" \# Add field to existing mapping (mappings are additive — you can't change existing field types)
curl -s -X PUT "${ES_URL%/}/my-index/_mapping" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{ "properties": { "new_field": { "type": "keyword" } } }'# Reindex (change mappings, rename index, etc.)
curl -s -X POST "${ES_URL%/}/_reindex" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{
"source": { "index": "old-index" },}'
# Delete index
curl -s -X DELETE "${ES_URL%/}/my-index" -H "Authorization: ApiKey $(printenv ES_API_KEY)"
# Index aliases
curl -s -X POST "${ES_URL%/}/_aliases" \# Index aliases
curl -s -X POST "${ES_URL%/}/_aliases" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{
"actions": [# Index templates (for time-series / rollover patterns)
curl -s -X PUT "${ES_URL%/}/_index_template/my-template" \
-H "Authorization: ApiKey $(printenv ES_API_KEY)" \
-H "Content-Type: application/json" \
-d '{
"index_patterns": ["logs-*"],66/66 vendors flagged this skill as clean.