Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

IR Playbook Generator

v1.0.0

Generates customized incident response playbooks tailored to organizational assessment data and security requirements.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for krishnakumarmahadevan-cmd/toolweb-ir-playbook-generator.

Install the skill "IR Playbook Generator" (krishnakumarmahadevan-cmd/toolweb-ir-playbook-generator) from ClawHub.
Skill page: https://clawhub.ai/krishnakumarmahadevan-cmd/toolweb-ir-playbook-generator
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install toolweb-ir-playbook-generator

ClawHub CLI


npx clawhub@latest install toolweb-ir-playbook-generator
Security Scan
VirusTotal
Benign
View report →
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (IR Playbook Generator) match the included OpenAPI schema and SKILL.md examples. The skill does not request unrelated binaries or credentials, which is proportionate to a document-generation tool. However, the skill is an instruction-only bundle with no declared backend server URL or author/homepage, so it is unclear how or where the API would actually run.
Instruction Scope
SKILL.md defines input data (assessmentData, sessionId, userId, timestamp) and sample responses but does not state the endpoint base URL, authentication, or where requests are transmitted. That omission creates a risk: an agent using this spec might send sensitive organizational assessment data to an unknown remote endpoint or to a platform-mapped host without explicit user consent. The instructions are otherwise limited to generating playbooks and do not explicitly instruct reading local files or environment variables.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes on-disk execution risk; nothing is downloaded or installed by the skill itself.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However, the API expects structured assessmentData that may contain sensitive or regulated information (PII, system inventories, compliance status). Because the skill provides no provenance or data-handling policy, there's a potential for sensitive data to be transmitted outside the organization without declared safeguards.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not appear to alter other skills or system configurations. It does not request elevated privileges.
What to consider before installing
This skill appears to do what it says (generate incident response playbooks) and does not request credentials or install code, but it lacks an author, homepage, and any server/hosting information in its OpenAPI spec. Before using it with real data, ask the publisher: (1) Where will the assessmentData be sent/executed? (server base URL and hosting/ownership); (2) Is data retained or logged, and for how long? (retention and access controls); (3) Is processing done locally or on a third-party service, and is it encrypted in transit and at rest? If you cannot confirm these, avoid sending real production or PII-containing assessmentData—test with synthetic/dummy inputs only. If you need this functionality but must keep data in-house, prefer a vetted tool with clear hosting or a local/offline implementation.


latest: vk976y3ghzc0easfrbgvf662x9983v155
102 downloads
0 stars
1 version
Updated 4w ago
v1.0.0
License: MIT-0

Overview

The Incident Response Playbook Generator API automates the creation of comprehensive, organization-specific incident response playbooks. Security teams and incident response managers use this tool to rapidly produce formal documentation that aligns with their organizational structure, compliance requirements, and threat landscape.

This API transforms assessment data—including organizational context, existing security controls, and risk profiles—into a fully structured playbook containing executive summaries, response phases, team roles, communication templates, escalation procedures, legal considerations, and emergency contact lists. Rather than starting from scratch with generic templates, teams receive customized playbooks that reflect their unique operational environment.

Ideal users include security operations centers (SOCs), incident response teams, compliance officers, security architects, and organizations preparing for security audits or regulatory assessments.

Usage

Sample Request:

{
  "assessmentData": {
    "organization_name": "TechCorp Inc.",
    "industry": "Financial Services",
    "employee_count": 2500,
    "critical_systems": ["Payment Processing", "Customer Database", "Internal Email"],
    "compliance_frameworks": ["PCI-DSS", "SOC 2", "GDPR"],
    "current_ir_maturity": "Intermediate",
    "primary_threats": ["Ransomware", "Data Exfiltration", "Insider Threats"]
  },
  "sessionId": "sess_abc123def456",
  "userId": 42,
  "timestamp": "2024-01-15T10:30:00Z"
}

Sample Response:

{
  "playbook_title": "TechCorp Inc. Incident Response Playbook 2024",
  "organization_name": "TechCorp Inc.",
  "executive_summary": "This playbook establishes a comprehensive incident response framework for TechCorp Inc., addressing ransomware, data exfiltration, and insider threats within financial services operations. The plan aligns with PCI-DSS, SOC 2, and GDPR requirements and is tailored for an intermediate maturity security posture.",
  "phases": [
    {
      "phase_name": "Detection & Analysis",
      "duration": "0-4 hours",
      "objectives": ["Confirm incident validity", "Classify severity and type", "Preserve evidence"],
      "key_actions": ["Enable enhanced logging", "Isolate affected systems", "Notify IR team"]
    },
    {
      "phase_name": "Containment",
      "duration": "4-24 hours",
      "objectives": ["Stop active attack", "Prevent spread", "Preserve forensic data"],
      "key_actions": ["Segment network", "Reset credentials", "Deploy patches"]
    },
    {
      "phase_name": "Eradication",
      "duration": "1-7 days",
      "objectives": ["Remove attacker presence", "Close vulnerabilities", "Validate remediation"],
      "key_actions": ["Rebuild systems", "Apply security updates", "Conduct forensics"]
    },
    {
      "phase_name": "Recovery",
      "duration": "1-14 days",
      "objectives": ["Restore normal operations", "Verify system integrity", "Restore data"],
      "key_actions": ["Bring systems online", "Monitor for recompromise", "Validate backups"]
    },
    {
      "phase_name": "Post-Incident",
      "duration": "Ongoing",
      "objectives": ["Document lessons learned", "Improve processes", "Update security controls"],
      "key_actions": ["Conduct review meeting", "Update playbook", "Implement improvements"]
    }
  ],
  "roles": [
    {
      "role": "Incident Commander",
      "responsibility": "Overall coordination and decision authority",
      "reporting_chain": "Chief Information Security Officer"
    },
    {
      "role": "Technical Lead",
      "responsibility": "Technical investigation and remediation direction",
      "reporting_chain": "Incident Commander"
    },
    {
      "role": "Communications Lead",
      "responsibility": "Internal and external stakeholder communication",
      "reporting_chain": "Incident Commander"
    },
    {
      "role": "Legal & Compliance",
      "responsibility": "Regulatory notification and legal guidance",
      "reporting_chain": "Incident Commander"
    }
  ],
  "communication_templates": [
    {
      "template_name": "Internal Alert",
      "recipient": "All Staff",
      "message": "A potential security incident has been detected and is being investigated. IT support may be slower than normal. Do not open suspicious emails or click unknown links."
    },
    {
      "template_name": "Executive Briefing",
      "recipient": "C-Suite, Board",
      "message": "At [TIME], a security incident was detected. Current status: [STATUS]. Estimated impact: [IMPACT]. Expected resolution: [TIMELINE]."
    },
    {
      "template_name": "Customer Notification",
      "recipient": "Affected Customers",
      "message": "We recently identified a security incident that may have affected your data. Here's what happened, what we're doing, and how to protect yourself."
    }
  ],
  "escalation_procedures": "Incidents are classified by severity (Low, Medium, High, Critical) based on impact and affected systems. Low incidents are managed by SOC; Medium and High require Incident Commander activation; Critical incidents trigger executive notification within 15 minutes and external communication within 1 hour per GDPR and PCI-DSS requirements.",
  "legal_considerations": [
    "GDPR: Notify regulators within 72 hours of confirmed data breach involving EU resident personal data",
    "PCI-DSS: Notify acquiring bank and card brands of confirmed compromise within 30 days",
    "SOC 2: Maintain audit trail and document all investigation steps for Type II audit review",
    "Financial Services Compliance: Report material incidents to regulators per industry-specific guidance"
  ],
  "contact_list": [
    {
      "role": "CISO",
      "name": "Sarah Chen",
      "phone": "+1-555-0101",
      "email": "s.chen@techcorp.com",
      "available_24_7": true
    },
    {
      "role": "Legal Counsel",
      "name": "James Mitchell",
      "phone": "+1-555-0102",
      "email": "j.mitchell@techcorp.com",
      "available_24_7": false
    },
    {
      "role": "Forensics Vendor",
      "name": "ForensicPro LLC",
      "phone": "+1-800-FORENSIC",
      "email": "onboarding@forensicpro.com",
      "available_24_7": true
    }
  ],
  "session_id": "sess_abc123def456",
  "timestamp": "2024-01-15T10:32:45Z"
}

Endpoints

POST /api/ir/playbook

Summary: Generate Playbook

Description: Generate a customized incident response playbook based on assessment data, organizational context, and security requirements.

Parameters:

Name            Type     Required  Description
assessmentData  object   Yes       Structured assessment data including organization details, critical systems, compliance frameworks, threat landscape, and current IR maturity level
sessionId       string   Yes       Unique session identifier for tracking and audit purposes
userId          integer  No        User ID of the requester for multi-tenant environments and audit logging
timestamp       string   No        ISO 8601 timestamp indicating when the request was initiated

Request Body Schema: PlaybookRequest

Response (200 - Success):

Returns a PlaybookResponse object containing:

  • playbook_title (string): Formal title of the generated playbook
  • organization_name (string): Name of the organization
  • executive_summary (string): High-level overview of the playbook and organizational context
  • phases (array of objects): Incident response phases (Detection, Containment, Eradication, Recovery, Post-Incident) with duration, objectives, and key actions
  • roles (array of objects): Defined incident response team roles, responsibilities, and reporting chains
  • communication_templates (array of objects): Ready-to-use message templates for internal alerts, executive briefings, and customer notifications
  • escalation_procedures (string): Procedures for classifying incident severity and escalation paths
  • legal_considerations (array of strings): Compliance and regulatory obligations applicable to the organization
  • contact_list (array of objects): Emergency contacts including name, role, phone, email, and 24/7 availability status
  • session_id (string): Echo of the request session ID
  • timestamp (string): ISO 8601 timestamp of response generation

Response (422 - Validation Error):

Returns HTTPValidationError containing an array of ValidationError objects with:

  • loc (array): Location of the error (field path)
  • msg (string): Error message
  • type (string): Error type (e.g., "value_error", "type_error")
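As an added example (not part of the skill or of the ToolWeb API), a client-side pre-flight check that mirrors the parameter table and the 422 ValidationError shape above, and that refuses to transmit assessmentData unless a base URL has been explicitly configured and uses HTTPS, since the spec itself declares none. The sample body, the example base URL and the exact error type strings are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Parameter types as documented for POST /api/ir/playbook.
REQUIRED = {"assessmentData": dict, "sessionId": str}
OPTIONAL = {"userId": int, "timestamp": str}
ISO_8601 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

# Constructed sample body, modelled on the page's sample request (synthetic data only).
SAMPLE_BODY = {
    "assessmentData": {"organization_name": "TechCorp Inc.", "industry": "Financial Services",
                       "compliance_frameworks": ["PCI-DSS", "SOC 2", "GDPR"]},
    "sessionId": "sess_abc123def456",
    "userId": 42,
    "timestamp": "2024-01-15T10:30:00Z",
}

def validate_playbook_request(body):
    """Return ValidationError-shaped dicts (loc/msg/type); empty list means valid."""
    errors = []
    for name, typ in REQUIRED.items():
        if name not in body:
            errors.append({"loc": ["body", name], "msg": "field required", "type": "value_error.missing"})
        elif not isinstance(body[name], typ):
            errors.append({"loc": ["body", name], "msg": f"expected {typ.__name__}", "type": "type_error"})
    for name, typ in OPTIONAL.items():
        # bool is a subclass of int in Python, so reject it explicitly for userId.
        if name in body and (not isinstance(body[name], typ) or isinstance(body[name], bool)):
            errors.append({"loc": ["body", name], "msg": f"expected {typ.__name__}", "type": "type_error"})
    ts = body.get("timestamp")
    if isinstance(ts, str) and not ISO_8601.match(ts):
        errors.append({"loc": ["body", "timestamp"], "msg": "not an ISO 8601 timestamp", "type": "value_error"})
    return errors

def check_endpoint(base_url):
    """Return a reason to refuse, or None if the destination is explicit and uses HTTPS."""
    if not base_url:
        return "no base URL configured: the skill spec does not declare one"
    u = urlparse(base_url)
    if u.scheme != "https" or not u.netloc:
        return f"refusing non-HTTPS or malformed endpoint: {base_url}"
    return None

def prepare_request(body, base_url):
    """Validate destination and body; return (url, json_payload) or raise ValueError."""
    problem = check_endpoint(base_url)
    if problem:
        raise ValueError(problem)
    errors = validate_playbook_request(body)
    if errors:
        raise ValueError(json.dumps({"detail": errors}))  # same shape as the API's 422 body
    return base_url.rstrip("/") + "/api/ir/playbook", json.dumps(body)
```

Only after `prepare_request` succeeds would a client hand the payload to an HTTP library; the destination check runs first so no assessment data is serialised toward an undeclared host.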

GET /api/ir/health

Summary: Health Check

Description: Verify the API service is operational and responsive.

Parameters: None

Response (200 - Success):

Returns a JSON object indicating service status.


GET /

Summary: Root Endpoint

Description: Root service endpoint; may return service metadata or welcome information.

Parameters: None

Response (200 - Success):

Returns a JSON object with service information.

Pricing

Plan          Calls/Day  Calls/Month  Price
Free          5          50           Free
Developer     20         500          $39/mo
Professional  200        5,000        $99/mo
Enterprise    100,000    1,000,000    $299/mo

About

ToolWeb.in - 200+ security APIs, CISSP & CISM, platforms: Pay-per-run, API Gateway, MCP Server, OpenClaw, RapidAPI, YouTube.
