Incident Response Network

v1.0.0

Network forensics evidence collection and analysis during security incidents. Guides volatile evidence preservation, lateral movement detection via flow reco...

by Vahagn Madatyan (@vahagn-madatyan)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name, description, and included references all align with network forensics evidence collection. One minor inconsistency: the SKILL.md metadata includes an openclaw.requires entry listing the ssh binary, but the registry 'Requirements' section lists no required binaries. Requiring SSH is reasonable for this skill, but the registry metadata should match the SKILL.md declaration.
Instruction Scope
The instructions stay focused on network artifacts (ARP/MAC/CAM tables, flows, routing, packet captures, syslog) and do not attempt to read unrelated system data or exfiltrate evidence to third-party endpoints. They do, however, include file write operations (exporting captures to flash or /var/tmp, copying running-config to flash, computing SHA-256 hashes). These are expected for evidence preservation, but they mean the skill is not strictly read-only with respect to device storage. The skill documents the performance and safety trade-offs (CPU impact, storage limits).
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes risk from arbitrary downloads or executed installers.
Credentials
The skill declares no required environment variables or credentials in the registry listing. In practice, network device access requires valid device credentials and an SSH client; the SKILL.md metadata indicates 'ssh' is required. This is proportionate to the stated purpose, but the skill does not declare how credentials should be supplied to or used by the agent. Ensure credential handling is performed by the agent platform and not baked into the skill.
Persistence & Privilege
The skill does not request always:true and uses the platform default for autonomous invocation. It does not attempt to modify other skills or system-wide configuration. The agent will need network/device access privileges to perform the described steps, which is appropriate for the use case.
Assessment
This skill appears to be a legitimate, focused network-forensics playbook. Before installing or using it:

1) Confirm the minor metadata mismatch: SKILL.md lists ssh as required but the registry listing shows no required binaries. Ensure your agent environment provides a trusted ssh client.
2) Ensure the agent or operator supplies device credentials securely (the skill itself does not request env vars); verify the agent will not leak credentials or collected evidence to external systems.
3) Understand that evidence preservation commands write files to device storage (flash, /var/tmp) and can consume CPU and space. Test in a lab and monitor device health before running on production devices.
4) Validate that the agent's use of the skill is authorized and supervised; packet captures and on-device exports can be sensitive and should be governed by change-control/forensics policies.
5) Retain chain-of-custody: compute and record hashes immediately and store evidence in a secure location.

If you want higher assurance, ask the publisher to correct the declared requirements (explicitly name 'ssh') and to document how credentials should be provided and audited.
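The chain-of-custody step in item 5, and the SHA-256 hashing mentioned under Instruction Scope, as an added example that is not part of the skill or of this listing: a POSIX shell script that, once captures and config exports have been copied off the device to the analyst workstation, hashes every file immediately, appends one line per file to a timestamped custody manifest, and can later re-verify the manifest to detect a modified or missing artifact. The device-side export and transfer commands are not shown; the evidence directory, case id, operator name and sample files are constructed for the example.

```shell
#!/bin/sh
# Chain-of-custody manifest for retrieved network evidence (added example).
# Assumes captures/config exports were already copied from the device into a
# local directory. Uses sha256sum (coreutils) or shasum -a 256 as a fallback.
set -eu

sha256_of() {
    # Print the SHA-256 hex digest of file "$1" with whichever tool is present.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# record_evidence DIR MANIFEST OPERATOR CASE_ID
# Hash every regular file under DIR right after retrieval and append a
# tab-separated line per file: UTC timestamp, case id, operator, digest, path.
record_evidence() {
    dir=$1; manifest=$2; operator=$3; case_id=$4
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    find "$dir" -type f ! -name "$(basename "$manifest")" | sort |
    while IFS= read -r f; do
        printf '%s\t%s\t%s\t%s\t%s\n' \
            "$ts" "$case_id" "$operator" "$(sha256_of "$f")" "$f" >> "$manifest"
    done
}

# verify_evidence MANIFEST
# Re-hash each file listed in MANIFEST. Returns 0 when every digest still
# matches, 1 when any file is missing or has changed since it was recorded.
verify_evidence() {
    manifest=$1; rc=0
    while IFS="$(printf '\t')" read -r ts case_id operator digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        now=$(sha256_of "$path")
        if [ "$now" = "$digest" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path (recorded $digest, now $now)"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Demonstration on constructed sample evidence (not real captures or configs).
demo() {
    work=$(mktemp -d)
    mkdir "$work/evidence"
    printf 'constructed sample capture bytes\n' > "$work/evidence/core-sw1-20240101.pcap"
    printf 'hostname core-sw1\n' > "$work/evidence/core-sw1-running-config.txt"
    manifest="$work/custody.tsv"
    record_evidence "$work/evidence" "$manifest" "analyst@example" "IR-0001"
    verify_evidence "$manifest"             # every file reports OK
    printf 'tampered\n' >> "$work/evidence/core-sw1-running-config.txt"
    if verify_evidence "$manifest"; then    # must now report MODIFIED
        echo "unexpected: tampering not detected"; rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}

demo
```

Keep the manifest outside the evidence directory (or, as here, excluded from hashing by name) and copy it, together with the evidence, to write-once or access-controlled storage; a manifest that lives next to the files it protects can be edited by the same actor who edits the files.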


Latest version: vk97e5t8anv1jj9dkptv13gk9yn83cmg2
