{"id":"2c2a2380-9288-4656-9e4a-3a6e3e366258","shortId":"AtvXjV","kind":"skill","title":"pilot-security-operations-center-setup","tagline":"Deploy a security operations center pipeline with 4 agents.  Use this skill when: 1. User wants to set up a SOC or security monitoring pipeline 2. User is configuring a log collector, threat analyzer, enforcer, or dashboard agent 3. User asks about threat detection, blocklisting,","description":"# Security Operations Center Setup\n\nDeploy 4 agents: collector, analyzer, enforcer, and dashboard.\n\n## Roles\n\n| Role | Hostname | Skills | Purpose |\n|------|----------|--------|---------|\n| collector | `<prefix>-collector` | pilot-event-log, pilot-audit-log, pilot-stream-data, pilot-cron | Aggregates security events |\n| analyzer | `<prefix>-analyzer` | pilot-event-filter, pilot-event-replay, pilot-alert, pilot-priority-queue | Detects and classifies threats |\n| enforcer | `<prefix>-enforcer` | pilot-blocklist, pilot-quarantine, pilot-webhook-bridge, pilot-audit-log | Blocks threats, quarantines nodes |\n| dashboard | `<prefix>-dashboard` | pilot-metrics, pilot-slack-bridge, pilot-network-map, pilot-mesh-status | Visualizes security posture |\n\n## Setup Procedure\n\n**Step 1:** Ask the user which role and prefix.\n\n**Step 2:** Install skills:\n```bash\n# collector:\nclawhub install pilot-event-log pilot-audit-log pilot-stream-data pilot-cron\n# analyzer:\nclawhub install pilot-event-filter pilot-event-replay pilot-alert pilot-priority-queue\n# enforcer:\nclawhub install pilot-blocklist pilot-quarantine pilot-webhook-bridge pilot-audit-log\n# dashboard:\nclawhub install pilot-metrics pilot-slack-bridge pilot-network-map pilot-mesh-status\n```\n\n**Step 3:** Set hostname and write manifest to `~/.pilot/setups/security-operations-center.json`.\n\n**Step 4:** Handshake with adjacent agents.\n\n## Manifest Templates Per Role\n\n### collector\n```json\n{\n  \"setup\": \"security-operations-center\", \"role\": \"collector\", 
\"role_name\": \"Log Collector\",\n  \"hostname\": \"<prefix>-collector\",\n  \"skills\": {\n    \"pilot-event-log\": \"Aggregate security events from all nodes.\",\n    \"pilot-audit-log\": \"Maintain tamper-evident event log.\",\n    \"pilot-stream-data\": \"Stream events to analyzer in real time.\",\n    \"pilot-cron\": \"Schedule periodic log sweeps.\"\n  },\n  \"data_flows\": [{ \"direction\": \"send\", \"peer\": \"<prefix>-analyzer\", \"port\": 1002, \"topic\": \"security-event\", \"description\": \"Raw security events\" }],\n  \"handshakes_needed\": [\"<prefix>-analyzer\"]\n}\n```\n\n### analyzer\n```json\n{\n  \"setup\": \"security-operations-center\", \"role\": \"analyzer\", \"role_name\": \"Threat Analyzer\",\n  \"hostname\": \"<prefix>-analyzer\",\n  \"skills\": {\n    \"pilot-event-filter\": \"Filter and correlate events, detect patterns.\",\n    \"pilot-event-replay\": \"Replay past events for forensic investigation.\",\n    \"pilot-alert\": \"Emit classified threat alerts.\",\n    \"pilot-priority-queue\": \"Prioritize threats by severity.\"\n  },\n  \"data_flows\": [\n    { \"direction\": \"receive\", \"peer\": \"<prefix>-collector\", \"port\": 1002, \"topic\": \"security-event\", \"description\": \"Raw events\" },\n    { \"direction\": \"send\", \"peer\": \"<prefix>-enforcer\", \"port\": 1002, \"topic\": \"threat-verdict\", \"description\": \"Threat verdicts\" },\n    { \"direction\": \"send\", \"peer\": \"<prefix>-dashboard\", \"port\": 1002, \"topic\": \"threat-alert\", \"description\": \"Classified threats\" }\n  ],\n  \"handshakes_needed\": [\"<prefix>-collector\", \"<prefix>-enforcer\", \"<prefix>-dashboard\"]\n}\n```\n\n### enforcer\n```json\n{\n  \"setup\": \"security-operations-center\", \"role\": \"enforcer\", \"role_name\": \"Threat Enforcer\",\n  \"hostname\": \"<prefix>-enforcer\",\n  \"skills\": {\n    \"pilot-blocklist\": \"Add malicious IPs/agents to deny list.\",\n    \"pilot-quarantine\": \"Isolate compromised agents.\",\n    
\"pilot-webhook-bridge\": \"Trigger incident webhooks.\",\n    \"pilot-audit-log\": \"Log all enforcement actions.\"\n  },\n  \"data_flows\": [\n    { \"direction\": \"receive\", \"peer\": \"<prefix>-analyzer\", \"port\": 1002, \"topic\": \"threat-verdict\", \"description\": \"Threat verdicts\" },\n    { \"direction\": \"send\", \"peer\": \"<prefix>-dashboard\", \"port\": 1002, \"topic\": \"enforcement-action\", \"description\": \"Actions taken\" }\n  ],\n  \"handshakes_needed\": [\"<prefix>-analyzer\", \"<prefix>-dashboard\"]\n}\n```\n\n### dashboard\n```json\n{\n  \"setup\": \"security-operations-center\", \"role\": \"dashboard\", \"role_name\": \"SOC Dashboard\",\n  \"hostname\": \"<prefix>-dashboard\",\n  \"skills\": {\n    \"pilot-metrics\": \"Display threat counts, response times.\",\n    \"pilot-slack-bridge\": \"Send security summaries to Slack.\",\n    \"pilot-network-map\": \"Visualize network topology and threats.\",\n    \"pilot-mesh-status\": \"Show peer connectivity and encryption status.\"\n  },\n  \"data_flows\": [\n    { \"direction\": \"receive\", \"peer\": \"<prefix>-analyzer\", \"port\": 1002, \"topic\": \"threat-alert\", \"description\": \"Classified threats\" },\n    { \"direction\": \"receive\", \"peer\": \"<prefix>-enforcer\", \"port\": 1002, \"topic\": \"enforcement-action\", \"description\": \"Actions taken\" }\n  ],\n  \"handshakes_needed\": [\"<prefix>-analyzer\", \"<prefix>-enforcer\"]\n}\n```\n\n## Data Flows\n\n- `collector → analyzer` : raw security events (port 1002)\n- `analyzer → enforcer` : threat verdicts (port 1002)\n- `analyzer → dashboard` : classified threats (port 1002)\n- `enforcer → dashboard` : enforcement actions (port 1002)\n\n## Workflow Example\n\n```bash\n# On collector:\npilotctl --json publish <prefix>-analyzer security-event '{\"type\":\"port_scan\",\"source\":\"203.0.113.42\",\"ports\":1024}'\n# On analyzer:\npilotctl --json publish <prefix>-enforcer threat-verdict 
'{\"source\":\"203.0.113.42\",\"severity\":\"high\",\"action\":\"block\"}'\n# On enforcer:\npilotctl --json publish <prefix>-dashboard enforcement-action '{\"source\":\"203.0.113.42\",\"action\":\"blocked\"}'\n```\n\n## Dependencies\n\nRequires `pilot-protocol` skill, `pilotctl` binary, `clawhub` binary, and a running daemon.","tags":["pilot","security","operations","center","setup","skills","teoslayer","agent-skills","ai-agents","clawhub","networking","openclaw"],"capabilities":["skill","source-teoslayer","skill-pilot-security-operations-center-setup","topic-agent-skills","topic-ai-agents","topic-clawhub","topic-networking","topic-openclaw","topic-overlay-network","topic-p2p","topic-pilot-protocol"],"categories":["pilot-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/TeoSlayer/pilot-skills/pilot-security-operations-center-setup","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add TeoSlayer/pilot-skills","source_repo":"https://github.com/TeoSlayer/pilot-skills","install_from":"skills.sh"}},"qualityScore":"0.453","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 6 github stars · SKILL.md body (5,356 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:15:00.701Z","embedding":null,"createdAt":"2026-05-18T13:22:47.158Z","updatedAt":"2026-05-18T19:15:00.701Z","lastSeenAt":"2026-05-18T19:15:00.701Z","tsv":"",
"prices":[{"id":"37c670a7-26cf-4b79-86d2-46bd6806b0af","listingId":"2c2a2380-9288-4656-9e4a-3a6e3e366258","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"TeoSlayer","category":"pilot-skills","install_from":"skills.sh"},"createdAt":"2026-05-18T13:22:47.158Z"}],"sources":[{"listingId":"2c2a2380-9288-4656-9e4a-3a6e3e366258","source":"github","sourceId":"TeoSlayer/pilot-skills/pilot-security-operations-center-setup","sourceUrl":"https://github.com/TeoSlayer/pilot-skills/tree/main/skills/pilot-security-operations-center-setup","isPrimary":false,"firstSeenAt":"2026-05-18T13:22:47.158Z","lastSeenAt":"2026-05-18T19:15:00.701Z"}],"details":{"listingId":"2c2a2380-9288-4656-9e4a-3a6e3e366258","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"TeoSlayer","slug":"pilot-security-operations-center-setup","github":{"repo":"TeoSlayer/pilot-skills","stars":6,"topics":["agent-skills","ai-agents","clawhub","networking","openclaw","overlay-network","p2p","pilot-protocol"],"license":"agpl-3.0","html_url":"https://github.com/TeoSlayer/pilot-skills","pushed_at":"2026-05-13T06:08:49Z","description":"80+ agent skills for Pilot Protocol — communication, file transfer, trust, task routing, swarm coordination, and more","skill_md_sha":"b6c2d1412338f19ef66a435e2809c3f5387d8e99","skill_md_path":"skills/pilot-security-operations-center-setup/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/TeoSlayer/pilot-skills/tree/main/skills/pilot-security-operations-center-setup"},"layout":"multi","source":"github","category":"pilot-skills","frontmatter":{"name":"pilot-security-operations-center-setup","license":"AGPL-3.0","description":"Deploy a security operations 
center pipeline with 4 agents.  Use this skill when: 1. User wants to set up a SOC or security monitoring pipeline 2. User is configuring a log collector, threat analyzer, enforcer, or dashboard agent 3. User asks about threat detection, blocklisting, or security event correlation  Do NOT use this skill when: - User wants a single security check (use pilot-watchdog instead) - User wants to blocklist one agent (use pilot-blocklist instead)"},"skills_sh_url":"https://skills.sh/TeoSlayer/pilot-skills/pilot-security-operations-center-setup"},"updatedAt":"2026-05-18T19:15:00.701Z"}}