{"id":"aba396d8-7eae-4d89-9f24-0e1eb845aea5","shortId":"WMhbXJ","kind":"skill","title":"kafka-security-audit","tagline":"Audit Kafka security configuration across the codebase and live cluster using the Lenses MCP server. Checks authentication (SASL), encryption (SSL/TLS), authorisation (ACLs), secrets management and environment tier mismatches. Use when user says \"audit Kafka security\", \"check sec","description":"# Kafka Security Posture Audit\n\nAudits Kafka security configuration across the codebase and infrastructure. Kafka clusters often start as PLAINTEXT in dev and never get properly secured for production.\n\nTarget environment: $ARGUMENTS\n\n## Workflow\n\nCopy this checklist and track your progress:\n\n```\nSecurity Audit Progress:\n- [ ] Step 1: Check environment health and tier\n- [ ] Step 2: Scan codebase for security configuration\n- [ ] Step 3: Audit authentication\n- [ ] Step 4: Audit encryption\n- [ ] Step 5: Audit secrets management\n- [ ] Step 6: Generate report\n```\n\n1. **Check environment health and tier** via Lenses MCP\n2. **Scan codebase** for security-related configuration (see `references/security-properties.md`)\n3. **Audit authentication** (SASL mechanism)\n4. **Audit encryption** (SSL/TLS)\n5. **Audit secrets management** (hardcoded credentials)\n6. **Report findings** with severity calibrated to environment tier\n\n## Step 1: Environment Context\n\nUse Lenses MCP tools to understand the environment:\n\n- `check_environment_health` - verify environment is healthy and agent is connected\n- `get_environment` - get environment tier (development, staging, production) to calibrate severity levels. 
A PLAINTEXT connection in dev is a suggestion; in production it's critical.\n\nExpected output: Environment tier (development/staging/production) and health status.\n\n**Validation**: If the environment tier cannot be determined, default to production-level severity - it is safer to over-report.\n\n## Step 2: Codebase Inspection\n\nSearch the codebase for Kafka security configuration. Consult `references/security-properties.md` for the full list of authentication properties, encryption properties and files to scan.\n\n## Step 3: Audit Authentication\n\nApply the authentication audit rules from `references/security-properties.md`. Key checks:\n- PLAINTEXT protocol in production (critical)\n- PLAIN SASL without TLS (critical)\n- No authentication configured in production (critical)\n- Weak SASL mechanisms (warning)\n\n## Step 4: Audit Encryption\n\nApply the encryption audit rules from `references/security-properties.md`. Key checks:\n- No SSL/TLS in production (critical)\n- Disabled hostname verification (warning)\n- Plaintext keystore passwords (warning)\n\n## Step 5: Audit Secrets Management\n\nApply the secrets audit rules from `references/security-properties.md`. 
Key checks:\n- Hardcoded credentials in source files (critical)\n- Credentials tracked by git (critical)\n- Missing `.gitignore` entries (warning)\n\n## Step 6: Environment Tier Mismatch\n\nCross-reference findings with the environment tier from Lenses:\n- **Production/Staging**: All findings at full severity\n- **Development**: Downgrade encryption/auth findings to suggestions (acceptable for local dev)\n- Flag any development environment configs that might accidentally be used in production\n\n## Success Criteria\n\n### Quantitative\n- Triggers on 90% of security-related queries (test with 10-20 varied phrasings)\n- Completes audit in under 12 tool calls (MCP + codebase search)\n- 0 failed MCP calls per run\n\n### Qualitative\n- Severity is correctly calibrated to environment tier (dev vs production)\n- Secrets findings have zero false negatives (never misses a hardcoded credential)\n- Every finding includes a risk description and remediation step\n\n## Examples\n\n### Example 1: Pre-production security review\n\nUser says: \"Audit Kafka security for the production environment\"\n\nActions:\n1. Get environment tier (production) from Lenses MCP\n2. Scan codebase for all security properties\n3. Apply full-severity rules for production\nResult: Complete security audit report with all findings at production severity\n\n### Example 2: Development environment check\n\nUser says: \"Is my dev Kafka cluster secure enough?\"\n\nActions:\n1. Get environment tier (development) from Lenses MCP\n2. Scan codebase for security properties\n3. Downgrade auth/encryption findings to suggestions for dev\n4. Keep secrets findings at full severity (credentials should never be hardcoded)\nResult: Report calibrated to development environment\n\n### Example 3: Secrets-focused audit\n\nUser says: \"Check if there are any hardcoded Kafka credentials in the codebase\"\n\nActions:\n1. Search for secret patterns (passwords, tokens, API keys)\n2. Check `.env` files tracked by git\n3. 
Verify `.gitignore` includes credential files\nResult: Focused report on secrets management only\n\n## Troubleshooting\n\n### Environment tier is unknown\nCause: Lenses `get_environment` returns no tier or a custom tier value.\nSolution: Default to production-level severity. It is safer to over-report than under-report security issues.\n\n### Cannot determine if .env files are tracked by git\nCause: Not running inside a git repository.\nSolution: Check for `.env` files and report their presence. Note that git tracking could not be verified.\n\n### False positives in secrets scan\nCause: Words like \"password\" appear in documentation or comments rather than actual credentials.\nSolution: Report all findings but note the confidence level. Flag inline values as high confidence and reference-only mentions as low confidence.\n\n## Output Format\n\n```\n## Security Audit Report\n\n### Environment: {name} (tier: {development|staging|production})\n\n### Critical (must fix)\n- [file:line] Description of the security issue\n  Risk: {what could go wrong}\n  Remediation: {how to fix}\n\n### Warning (should fix)\n- [file:line] Description of the issue\n  Risk: {what could go wrong}\n  Remediation: {how to fix}\n\n### Suggestion (consider improving)\n- [file:line] Description of the issue\n  Recommendation: {how to improve}\n\n### Summary\n- X critical issues found\n- Y warnings found\n- Z suggestions found\n- Environment tier: {tier}\n- Authentication: {configured|missing}\n- Encryption: {configured|missing}\n- Secrets exposed: 
{yes|no}\n```","tags":["kafka","security","audit","agentic","engineering","for","apache","lensesio","agent-skills","agentic-engineering","apache-kafka","claude-code"],"capabilities":["skill","source-lensesio","skill-kafka-security-audit","topic-agent-skills","topic-agentic-engineering","topic-apache-kafka","topic-claude-code","topic-context-engineering","topic-cursor","topic-data-engineering","topic-devops","topic-kafka","topic-kafka-connect","topic-lenses","topic-mcp"],"categories":["agentic-engineering-for-apache-kafka"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/lensesio/agentic-engineering-for-apache-kafka/kafka-security-audit","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add lensesio/agentic-engineering-for-apache-kafka","source_repo":"https://github.com/lensesio/agentic-engineering-for-apache-kafka","install_from":"skills.sh"}},"qualityScore":"0.463","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 26 github stars · SKILL.md body (5,795 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:05:00.929Z","embedding":null,"createdAt":"2026-05-15T19:05:07.232Z","updatedAt":"2026-05-18T19:05:00.929Z","lastSeenAt":"2026-05-18T19:05:00.929Z","prices":[{"id":"80e293da-9f97-45bb-8f75-6a7cde4631de","listingId":"aba396d8-7eae-4d89-9f24-0e1eb845aea5","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"lensesio","category":"agentic-engineering-for-apache-kafka","install_from":"skills.sh"},"createdAt":"2026-05-15T19:05:07.232Z"}],"sources":[{"listingId":"aba396d8-7eae-4d89-9f24-0e1eb845aea5","source":"github","sourceId":"lensesio/agentic-engineering-for-apache-kafka/kafka-security-audit","sourceUrl":"https://github.com/lensesio/agentic-engineering-for-apache-kafka/tree/main/skills/kafka-security-audit","isPrimary":false,"firstSeenAt":"2026-05-15T19:05:07.232Z","lastSeenAt":"2026-05-18T19:05:00.929Z"}],"details":{"listingId":"aba396d8-7eae-4d89-9f24-0e1eb845aea5","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"lensesio","slug":"kafka-security-audit","github":{"repo":"lensesio/agentic-engineering-for-apache-kafka","stars":26,"topics":["agent-skills","agentic-engineering","apache-kafka","claude-code","context-engineering","cursor","data-engineering","devops","kafka","kafka-connect","lenses","mcp","model-context-protocol","platform-engineering","real-time-data","schema-registry","skills","streaming","streaming-data"],"license":"mit","html_url":"https://github.com/lensesio/agentic-engineering-for-apache-kafka","pushed_at":"2026-05-15T11:34:19Z","description":"AI agent 
skills for building, operating and troubleshooting Apache Kafka applications. Topic audit, consumer lag, schema review, security, connectors and DLQ","skill_md_sha":"4de47fb0fbb483623dd130578eef7a06d43c7170","skill_md_path":"skills/kafka-security-audit/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/lensesio/agentic-engineering-for-apache-kafka/tree/main/skills/kafka-security-audit"},"layout":"multi","source":"github","category":"agentic-engineering-for-apache-kafka","frontmatter":{"name":"kafka-security-audit","license":"MIT","description":"Audit Kafka security configuration across the codebase and live cluster using the Lenses MCP server. Checks authentication (SASL), encryption (SSL/TLS), authorisation (ACLs), secrets management and environment tier mismatches. Use when user says \"audit Kafka security\", \"check security config\", \"is my cluster secure\" or asks about authentication, encryption or credentials. Do NOT use for configuring certificates, creating SASL users or setting up ACLs.","compatibility":"Recommended - the Lenses MCP server (lenses-mcp) connected and configured with a valid environment. Any Kafka MCP that exposes an equivalent broker-config and ACL tool surface will also work; without an MCP server, the skill falls back to codebase-only inspection and skips live-cluster checks."},"skills_sh_url":"https://skills.sh/lensesio/agentic-engineering-for-apache-kafka/kafka-security-audit"},"updatedAt":"2026-05-18T19:05:00.929Z"}}