{"id":"eb541374-3d8c-4eb7-9860-36702eae2015","shortId":"zGqWyh","kind":"skill","title":"pilot-threat-intelligence-setup","tagline":"Deploy a threat intelligence platform with 4 agents.  Use this skill when: 1. User wants to set up a threat intelligence pipeline for IOC collection and distribution 2. User is configuring agents for threat feed aggregation, enrichment, or STIX/TAXII publishing 3. User asks about","description":"# Threat Intelligence Setup\n\nDeploy 4 agents: collector, enricher, analyzer, and distributor.\n\n## Roles\n\n| Role | Hostname | Skills | Purpose |\n|------|----------|--------|---------|\n| collector | `<prefix>-collector` | pilot-stream-data, pilot-cron, pilot-archive | Aggregates threat feeds from OSINT, honeypots, CVE databases |\n| enricher | `<prefix>-enricher` | pilot-dataset, pilot-task-router, pilot-event-filter | Correlates IOCs, enriches with WHOIS/GeoIP, maps to MITRE |\n| analyzer | `<prefix>-analyzer` | pilot-metrics, pilot-consensus, pilot-alert | Scores severity, identifies campaigns and APT groups |\n| distributor | `<prefix>-distributor` | pilot-webhook-bridge, pilot-announce, pilot-audit-log | Publishes STIX/TAXII feeds, pushes IOCs to SIEM |\n\n## Setup Procedure\n\n**Step 1:** Ask the user which role this agent should play and what prefix to use.\n\n**Step 2:** Install the skills for the chosen role:\n```bash\n# For collector:\nclawhub install pilot-stream-data pilot-cron pilot-archive\n# For enricher:\nclawhub install pilot-dataset pilot-task-router pilot-event-filter\n# For analyzer:\nclawhub install pilot-metrics pilot-consensus pilot-alert\n# For distributor:\nclawhub install pilot-webhook-bridge pilot-announce pilot-audit-log\n```\n\n**Step 3:** Set the hostname and write the manifest to `~/.pilot/setups/threat-intelligence.json`.\n\n**Step 4:** Tell the user to initiate handshakes with the peers for their role.\n\n## Manifest Templates Per Role\n\n### collector\n```json\n{\n  \"setup\": \"threat-intelligence\", 
\"role\": \"collector\", \"role_name\": \"Intel Collector\",\n  \"hostname\": \"<prefix>-collector\",\n  \"skills\": {\n    \"pilot-stream-data\": \"Ingest real-time threat feeds from OSINT and honeypots.\",\n    \"pilot-cron\": \"Schedule periodic CVE database and dark web scans.\",\n    \"pilot-archive\": \"Store raw indicator history for retrospective analysis.\"\n  },\n  \"data_flows\": [{ \"direction\": \"send\", \"peer\": \"<prefix>-enricher\", \"port\": 1002, \"topic\": \"raw-ioc\", \"description\": \"Normalized IOCs from threat feeds\" }],\n  \"handshakes_needed\": [\"<prefix>-enricher\"]\n}\n```\n\n### enricher\n```json\n{\n  \"setup\": \"threat-intelligence\", \"role\": \"enricher\", \"role_name\": \"Threat Enricher\",\n  \"hostname\": \"<prefix>-enricher\",\n  \"skills\": {\n    \"pilot-dataset\": \"Cross-reference IOCs against known threat databases.\",\n    \"pilot-task-router\": \"Route enrichment tasks to specialized lookup services.\",\n    \"pilot-event-filter\": \"Filter low-confidence indicators before analysis.\"\n  },\n  \"data_flows\": [\n    { \"direction\": \"receive\", \"peer\": \"<prefix>-collector\", \"port\": 1002, \"topic\": \"raw-ioc\", \"description\": \"Raw IOCs to enrich\" },\n    { \"direction\": \"send\", \"peer\": \"<prefix>-analyzer\", \"port\": 1002, \"topic\": \"enriched-ioc\", \"description\": \"IOCs with WHOIS, GeoIP, MITRE context\" }\n  ],\n  \"handshakes_needed\": [\"<prefix>-collector\", \"<prefix>-analyzer\"]\n}\n```\n\n### analyzer\n```json\n{\n  \"setup\": \"threat-intelligence\", \"role\": \"analyzer\", \"role_name\": \"Threat Analyzer\",\n  \"hostname\": \"<prefix>-analyzer\",\n  \"skills\": {\n    \"pilot-metrics\": \"Track threat volumes, severity distribution, and response times.\",\n    \"pilot-consensus\": \"Correlate multi-source verdicts for high-confidence scoring.\",\n    \"pilot-alert\": \"Emit critical threat alerts for immediate action.\"\n  },\n  \"data_flows\": [\n    { \"direction\": \"receive\", 
\"peer\": \"<prefix>-enricher\", \"port\": 1002, \"topic\": \"enriched-ioc\", \"description\": \"Enriched IOCs to analyze\" },\n    { \"direction\": \"send\", \"peer\": \"<prefix>-distributor\", \"port\": 1002, \"topic\": \"threat-verdict\", \"description\": \"Scored verdicts with campaign attribution\" }\n  ],\n  \"handshakes_needed\": [\"<prefix>-enricher\", \"<prefix>-distributor\"]\n}\n```\n\n### distributor\n```json\n{\n  \"setup\": \"threat-intelligence\", \"role\": \"distributor\", \"role_name\": \"Intel Distributor\",\n  \"hostname\": \"<prefix>-distributor\",\n  \"skills\": {\n    \"pilot-webhook-bridge\": \"Push IOC updates to firewalls, IDS, and SIEM.\",\n    \"pilot-announce\": \"Broadcast threat advisories to subscribed consumers.\",\n    \"pilot-audit-log\": \"Log all published intelligence with distribution timestamps.\"\n  },\n  \"data_flows\": [\n    { \"direction\": \"receive\", \"peer\": \"<prefix>-analyzer\", \"port\": 1002, \"topic\": \"threat-verdict\", \"description\": \"Threat verdicts to distribute\" },\n    { \"direction\": \"send\", \"peer\": \"external\", \"port\": 443, \"topic\": \"threat-feed\", \"description\": \"STIX/TAXII feeds to security infrastructure\" }\n  ],\n  \"handshakes_needed\": [\"<prefix>-analyzer\"]\n}\n```\n\n## Data Flows\n\n- `collector -> enricher` : raw IOCs normalized from threat feeds (port 1002)\n- `enricher -> analyzer` : enriched IOCs with context and confidence scores (port 1002)\n- `analyzer -> distributor` : threat verdicts with severity and campaign data (port 1002)\n- `distributor -> external` : published threat feeds to security infrastructure (port 443)\n\n## Workflow Example\n\n```bash\n# On collector -- forward raw IOC:\npilotctl --json publish <prefix>-enricher raw-ioc '{\"type\":\"ip\",\"value\":\"198.51.100.23\",\"source\":\"honeypot-east\",\"tags\":[\"c2\",\"cobalt-strike\"]}'\n# On enricher -- forward enriched IOC:\npilotctl --json publish <prefix>-analyzer enriched-ioc 
'{\"type\":\"ip\",\"value\":\"198.51.100.23\",\"whois\":{\"asn\":\"AS62904\",\"country\":\"RU\"},\"mitre\":[\"T1071.001\"],\"confidence\":0.87}'\n# On analyzer -- send verdict:\npilotctl --json publish <prefix>-distributor threat-verdict '{\"ioc\":\"198.51.100.23\",\"severity\":\"critical\",\"campaign\":\"APT-THUNDER-BEAR\",\"action\":\"block\"}'\n```\n\n## Dependencies\n\nRequires `pilot-protocol` skill, `pilotctl` binary, `clawhub` binary, and a running daemon.","tags":["pilot","threat","intelligence","setup","skills","teoslayer","agent-skills","ai-agents","clawhub","networking","openclaw","overlay-network"],"capabilities":["skill","source-teoslayer","skill-pilot-threat-intelligence-setup","topic-agent-skills","topic-ai-agents","topic-clawhub","topic-networking","topic-openclaw","topic-overlay-network","topic-p2p","topic-pilot-protocol"],"categories":["pilot-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/TeoSlayer/pilot-skills/pilot-threat-intelligence-setup","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add TeoSlayer/pilot-skills","source_repo":"https://github.com/TeoSlayer/pilot-skills","install_from":"skills.sh"}},"qualityScore":"0.453","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 6 github stars · SKILL.md body (5,546 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:15:05.787Z","embedding":null,"createdAt":"2026-05-18T13:22:54.284Z","updatedAt":"2026-05-18T19:15:05.787Z","lastSeenAt":"2026-05-18T19:15:05.787Z",
"prices":[{"id":"24177785-3a1f-4378-b799-616784eb13e3","listingId":"eb541374-3d8c-4eb7-9860-36702eae2015","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"TeoSlayer","category":"pilot-skills","install_from":"skills.sh"},"createdAt":"2026-05-18T13:22:54.284Z"}],"sources":[{"listingId":"eb541374-3d8c-4eb7-9860-36702eae2015","source":"github","sourceId":"TeoSlayer/pilot-skills/pilot-threat-intelligence-setup","sourceUrl":"https://github.com/TeoSlayer/pilot-skills/tree/main/skills/pilot-threat-intelligence-setup","isPrimary":false,"firstSeenAt":"2026-05-18T13:22:54.284Z","lastSeenAt":"2026-05-18T19:15:05.787Z"}],"details":{"listingId":"eb541374-3d8c-4eb7-9860-36702eae2015","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"TeoSlayer","slug":"pilot-threat-intelligence-setup","github":{"repo":"TeoSlayer/pilot-skills","stars":6,"topics":["agent-skills","ai-agents","clawhub","networking","openclaw","overlay-network","p2p","pilot-protocol"],"license":"agpl-3.0","html_url":"https://github.com/TeoSlayer/pilot-skills","pushed_at":"2026-05-13T06:08:49Z","description":"80+ agent skills for Pilot Protocol — communication, file transfer, trust, task routing, swarm coordination, and 
more","skill_md_sha":"a7ddc8cbbc316d30eaebb1f26e03e6299eb2af80","skill_md_path":"skills/pilot-threat-intelligence-setup/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/TeoSlayer/pilot-skills/tree/main/skills/pilot-threat-intelligence-setup"},"layout":"multi","source":"github","category":"pilot-skills","frontmatter":{"name":"pilot-threat-intelligence-setup","license":"AGPL-3.0","description":"Deploy a threat intelligence platform with 4 agents.  Use this skill when: 1. User wants to set up a threat intelligence pipeline for IOC collection and distribution 2. User is configuring agents for threat feed aggregation, enrichment, or STIX/TAXII publishing 3. User asks about threat analysis, IOC correlation, or MITRE ATT&CK mapping  Do NOT use this skill when: - User wants a single alert notification (use pilot-alert instead) - User wants to stream data without threat context (use pilot-stream-data instead) - User only needs a webhook integration (use pilot-webhook-bridge instead)"},"skills_sh_url":"https://skills.sh/TeoSlayer/pilot-skills/pilot-threat-intelligence-setup"},"updatedAt":"2026-05-18T19:15:05.787Z"}}