Pilot Security Operations Center Setup

v1.0.0

Deploy a security operations center pipeline with 4 agents. Use this skill when: 1. User wants to set up a SOC or security monitoring pipeline 2. User is con...

⭐ 0· 77·0 current·0 all-time

byCalin Teodor@teoslayer

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for teoslayer/pilot-security-operations-center-setup.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Pilot Security Operations Center Setup" (teoslayer/pilot-security-operations-center-setup) from ClawHub.
Skill page: https://clawhub.ai/teoslayer/pilot-security-operations-center-setup
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: pilotctl, clawhub
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pilot-security-operations-center-setup

ClawHub CLI

Package manager switcher

npx clawhub@latest install pilot-security-operations-center-setup

Security Scan

Capability signals

Crypto

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Benign

View report →

OpenClaw

Benign

medium confidence

✓

Purpose & Capability

Name/description (SOC setup) align with the declared binaries (pilotctl, clawhub) and the SKILL.md: it installs pilot-* skills, sets hostnames, writes a manifest, and establishes agent handshakes — all expected for a multi‑agent SOC deployment.

ℹ

Instruction Scope

Instructions are CLI-driven and narrowly scoped to installing sub-skills, setting hostnames, writing a manifest to ~/.pilot/setups/security-operations-center.json, and exchanging handshakes. This is appropriate for the purpose, but the doc explicitly states trust is auto-approved when both sides handshake — a security behavior you should be aware of before enabling on production hosts.

ℹ

Install Mechanism

The skill is instruction-only (no install spec). It relies on clawhub to fetch and install many other pilot-* skills; that is expected but increases risk surface because clawhub will pull code from external sources. The skill itself does not download or extract archives directly.

ℹ

Credentials

This skill requests no environment variables, which is reasonable for an orchestrator. However some installed sub-skills referenced (e.g., pilot-slack-bridge, pilot-webhook-bridge) will likely require external credentials/endpoints; the SKILL.md does not document those credential needs — you should be prepared to provide them per sub-skill and confirm safe handling of secrets.

✓

Persistence & Privilege

always is false and the skill does not request elevated/system-wide privileges. It will write a manifest under the user's home (~/.pilot) and instruct other agents to exchange handshakes and network traffic on port 1002, which are reasonable for a distributed SOC deployment.

Assessment

This skill is an orchestration recipe that runs pilotctl and clawhub to install many other pilot-* skills and to establish trust between agents. Before installing: (1) verify pilotctl and clawhub are official and trusted binaries for your environment; (2) be aware clawhub will fetch and install additional packages (review their sources and required credentials); (3) understand the handshake behavior (it auto-approves trust when both sides exchange handshakes) and restrict this to isolated or well-segmented networks until you’re confident; (4) expect to supply credentials for connectors like Slack or webhooks at the sub-skill level — confirm how those secrets are stored/used; and (5) inspect the manifests written to ~/.pilot and the network ports (1002) used for internal communications. If any of these points are unacceptable, do not run the orchestration on production hosts without further review.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binspilotctl, clawhub

latestvk97343w68p10w5dqrcj1w5frjn85d7ch

77downloads

0stars

1versions

Updated 5d ago

v1.0.0

MIT-0

Security Operations Center Setup

Deploy 4 agents: collector, analyzer, enforcer, and dashboard.

Roles

Role	Hostname	Skills	Purpose
collector	`<prefix>-collector`	pilot-event-log, pilot-audit-log, pilot-stream-data, pilot-cron	Aggregates security events
analyzer	`<prefix>-analyzer`	pilot-event-filter, pilot-event-replay, pilot-alert, pilot-priority-queue	Detects and classifies threats
enforcer	`<prefix>-enforcer`	pilot-blocklist, pilot-quarantine, pilot-webhook-bridge, pilot-audit-log	Blocks threats, quarantines nodes
dashboard	`<prefix>-dashboard`	pilot-metrics, pilot-slack-bridge, pilot-network-map, pilot-mesh-status	Visualizes security posture

Setup Procedure

Step 1: Ask the user which role and prefix.

Step 2: Install skills:

# collector:
clawhub install pilot-event-log pilot-audit-log pilot-stream-data pilot-cron
# analyzer:
clawhub install pilot-event-filter pilot-event-replay pilot-alert pilot-priority-queue
# enforcer:
clawhub install pilot-blocklist pilot-quarantine pilot-webhook-bridge pilot-audit-log
# dashboard:
clawhub install pilot-metrics pilot-slack-bridge pilot-network-map pilot-mesh-status

Step 3: Set hostname and write manifest to ~/.pilot/setups/security-operations-center.json.

Step 4: Handshake with adjacent agents.

Manifest Templates Per Role

collector

{
  "setup": "security-operations-center", "role": "collector", "role_name": "Log Collector",
  "hostname": "<prefix>-collector",
  "skills": {
    "pilot-event-log": "Aggregate security events from all nodes.",
    "pilot-audit-log": "Maintain tamper-evident event log.",
    "pilot-stream-data": "Stream events to analyzer in real time.",
    "pilot-cron": "Schedule periodic log sweeps."
  },
  "data_flows": [{ "direction": "send", "peer": "<prefix>-analyzer", "port": 1002, "topic": "security-event", "description": "Raw security events" }],
  "handshakes_needed": ["<prefix>-analyzer"]
}

analyzer

{
  "setup": "security-operations-center", "role": "analyzer", "role_name": "Threat Analyzer",
  "hostname": "<prefix>-analyzer",
  "skills": {
    "pilot-event-filter": "Filter and correlate events, detect patterns.",
    "pilot-event-replay": "Replay past events for forensic investigation.",
    "pilot-alert": "Emit classified threat alerts.",
    "pilot-priority-queue": "Prioritize threats by severity."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-collector", "port": 1002, "topic": "security-event", "description": "Raw events" },
    { "direction": "send", "peer": "<prefix>-enforcer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts" },
    { "direction": "send", "peer": "<prefix>-dashboard", "port": 1002, "topic": "threat-alert", "description": "Classified threats" }
  ],
  "handshakes_needed": ["<prefix>-collector", "<prefix>-enforcer", "<prefix>-dashboard"]
}

enforcer

{
  "setup": "security-operations-center", "role": "enforcer", "role_name": "Threat Enforcer",
  "hostname": "<prefix>-enforcer",
  "skills": {
    "pilot-blocklist": "Add malicious IPs/agents to deny list.",
    "pilot-quarantine": "Isolate compromised agents.",
    "pilot-webhook-bridge": "Trigger incident webhooks.",
    "pilot-audit-log": "Log all enforcement actions."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-analyzer", "port": 1002, "topic": "threat-verdict", "description": "Threat verdicts" },
    { "direction": "send", "peer": "<prefix>-dashboard", "port": 1002, "topic": "enforcement-action", "description": "Actions taken" }
  ],
  "handshakes_needed": ["<prefix>-analyzer", "<prefix>-dashboard"]
}

dashboard

{
  "setup": "security-operations-center", "role": "dashboard", "role_name": "SOC Dashboard",
  "hostname": "<prefix>-dashboard",
  "skills": {
    "pilot-metrics": "Display threat counts, response times.",
    "pilot-slack-bridge": "Send security summaries to Slack.",
    "pilot-network-map": "Visualize network topology and threats.",
    "pilot-mesh-status": "Show peer connectivity and encryption status."
  },
  "data_flows": [
    { "direction": "receive", "peer": "<prefix>-analyzer", "port": 1002, "topic": "threat-alert", "description": "Classified threats" },
    { "direction": "receive", "peer": "<prefix>-enforcer", "port": 1002, "topic": "enforcement-action", "description": "Actions taken" }
  ],
  "handshakes_needed": ["<prefix>-analyzer", "<prefix>-enforcer"]
}

Data Flows

collector → analyzer : raw security events (port 1002)
analyzer → enforcer : threat verdicts (port 1002)
analyzer → dashboard : classified threats (port 1002)
enforcer → dashboard : enforcement actions (port 1002)

Workflow Example

# On collector:
pilotctl --json publish <prefix>-analyzer security-event '{"type":"port_scan","source":"203.0.113.42","ports":1024}'
# On analyzer:
pilotctl --json publish <prefix>-enforcer threat-verdict '{"source":"203.0.113.42","severity":"high","action":"block"}'
# On enforcer:
pilotctl --json publish <prefix>-dashboard enforcement-action '{"source":"203.0.113.42","action":"blocked"}'

Dependencies

Requires pilot-protocol skill, pilotctl binary, clawhub binary, and a running daemon.

Comments

Loading comments...