anthropic-cybersecurity-skills
aradotso/security-skills
How to install anthropic-cybersecurity-skills
npx skills add https://github.com/aradotso/security-skills --skill anthropic-cybersecurity-skillsFull instructions (SKILL.md)
Source of truth, from aradotso/security-skills.
name: anthropic-cybersecurity-skills description: Use 754 structured cybersecurity skills mapped to MITRE ATT&CK, NIST CSF, ATLAS, D3FEND, and NIST AI RMF for AI-driven security operations triggers:
- "help me investigate this security incident"
- "analyze this malware sample"
- "perform memory forensics on this dump"
- "hunt for threats in our environment"
- "check cloud security posture"
- "map this attack to MITRE ATT&CK"
- "what security skills are available"
- "guide me through incident response"
anthropic-cybersecurity-skills
Skill by ara.so — Security Skills collection.
Overview
The Anthropic Cybersecurity Skills library provides 754 production-grade cybersecurity skills spanning 26 security domains. Each skill is structured following the agentskills.io standard and mapped to five industry frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, MITRE D3FEND, and NIST AI RMF. This enables AI agents to perform security operations with expert-level guidance.
Installation
# Option 1: Using npx (recommended)
npx skills add mukul975/Anthropic-Cybersecurity-Skills
# Option 2: Git clone
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
cd Anthropic-Cybersecurity-Skills
# Option 3: Add as submodule
git submodule add https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git skills/cybersecurity
Directory Structure
skills/
├── {skill-name}/
│ ├── SKILL.md # Skill definition with YAML frontmatter
│ ├── references/
│ │ ├── standards.md # Framework mappings
│ │ └── workflows.md # Technical procedures
│ ├── scripts/
│ │ └── *.py # Helper scripts
│ └── assets/
│ └── *.md # Templates and checklists
Discovering Skills
By Domain
Skills are organized into 26 domains. List all domains:
import os
import yaml
def list_domains():
domains = {}
for skill_dir in os.listdir('skills'):
skill_path = f'skills/{skill_dir}/SKILL.md'
if os.path.exists(skill_path):
with open(skill_path, 'r') as f:
content = f.read()
# Extract YAML frontmatter
if content.startswith('---'):
yaml_end = content.find('---', 3)
frontmatter = yaml.safe_load(content[3:yaml_end])
domain = frontmatter.get('domain', 'unknown')
subdomain = frontmatter.get('subdomain', 'general')
if domain not in domains:
domains[domain] = {}
if subdomain not in domains[domain]:
domains[domain][subdomain] = []
domains[domain][subdomain].append(frontmatter['name'])
return domains
# Usage
domains = list_domains()
for domain, subdomains in domains.items():
print(f"\n{domain.upper()}")
for subdomain, skills in subdomains.items():
print(f" {subdomain}: {len(skills)} skills")
By Framework Mapping
Find skills mapped to specific ATT&CK techniques:
def find_by_attack_technique(technique_id):
"""Find skills mapped to a specific ATT&CK technique"""
matching_skills = []
for skill_dir in os.listdir('skills'):
skill_path = f'skills/{skill_dir}/SKILL.md'
if os.path.exists(skill_path):
with open(skill_path, 'r') as f:
content = f.read()
if content.startswith('---'):
yaml_end = content.find('---', 3)
frontmatter = yaml.safe_load(content[3:yaml_end])
# Check ATT&CK mappings in references
refs_path = f'skills/{skill_dir}/references/standards.md'
if os.path.exists(refs_path):
with open(refs_path, 'r') as ref_file:
if technique_id in ref_file.read():
matching_skills.append({
'name': frontmatter['name'],
'description': frontmatter['description'],
'path': skill_path
})
return matching_skills
# Usage
skills = find_by_attack_technique('T1003') # Credential Dumping
for skill in skills:
print(f"{skill['name']}: {skill['description']}")
By Tags
Search skills by tags:
def search_by_tags(search_tags):
"""Find skills matching any of the provided tags"""
results = []
for skill_dir in os.listdir('skills'):
skill_path = f'skills/{skill_dir}/SKILL.md'
if os.path.exists(skill_path):
with open(skill_path, 'r') as f:
content = f.read()
if content.startswith('---'):
yaml_end = content.find('---', 3)
frontmatter = yaml.safe_load(content[3:yaml_end])
skill_tags = frontmatter.get('tags', [])
if any(tag in skill_tags for tag in search_tags):
results.append(frontmatter)
return results
# Usage
malware_skills = search_by_tags(['malware-analysis', 'reverse-engineering'])
for skill in malware_skills:
print(f"{skill['name']}: {', '.join(skill['tags'])}")
Loading and Executing Skills
Progressive Loading Pattern
Load only frontmatter first (low token cost), then full content when needed:
class SkillLoader:
def __init__(self, skills_dir='skills'):
self.skills_dir = skills_dir
def scan_all_frontmatter(self):
"""Scan all skill frontmatter (~30 tokens each)"""
skills_index = []
for skill_dir in os.listdir(self.skills_dir):
skill_path = f'{self.skills_dir}/{skill_dir}/SKILL.md'
if os.path.exists(skill_path):
with open(skill_path, 'r') as f:
content = f.read()
if content.startswith('---'):
yaml_end = content.find('---', 3)
frontmatter = yaml.safe_load(content[3:yaml_end])
frontmatter['path'] = skill_path
skills_index.append(frontmatter)
return skills_index
def load_full_skill(self, skill_name):
"""Load complete skill content (~500-2000 tokens)"""
skill_path = f'{self.skills_dir}/{skill_name}/SKILL.md'
with open(skill_path, 'r') as f:
content = f.read()
# Parse frontmatter and body
if content.startswith('---'):
yaml_end = content.find('---', 3)
frontmatter = yaml.safe_load(content[3:yaml_end])
body = content[yaml_end + 3:].strip()
return {
'metadata': frontmatter,
'content': body,
'references': self._load_references(skill_name),
'scripts': self._load_scripts(skill_name)
}
def _load_references(self, skill_name):
"""Load framework mappings and workflows"""
refs = {}
refs_dir = f'{self.skills_dir}/{skill_name}/references'
if os.path.exists(refs_dir):
for ref_file in os.listdir(refs_dir):
with open(f'{refs_dir}/{ref_file}', 'r') as f:
refs[ref_file.replace('.md', '')] = f.read()
return refs
def _load_scripts(self, skill_name):
"""Load helper scripts"""
scripts = {}
scripts_dir = f'{self.skills_dir}/{skill_name}/scripts'
if os.path.exists(scripts_dir):
for script_file in os.listdir(scripts_dir):
with open(f'{scripts_dir}/{script_file}', 'r') as f:
scripts[script_file] = f.read()
return scripts
# Usage
loader = SkillLoader()
# Step 1: Scan all skills (lightweight)
all_skills = loader.scan_all_frontmatter()
print(f"Found {len(all_skills)} skills")
# Step 2: Find relevant skills
memory_forensics = [s for s in all_skills if 'memory-analysis' in s.get('tags', [])]
# Step 3: Load top matches fully
for skill in memory_forensics[:3]:
full_skill = loader.load_full_skill(skill['name'])
print(f"\n{skill['name']}")
print(f"Content length: {len(full_skill['content'])} chars")
Common Usage Patterns
Incident Response Workflow
def incident_response_guide(incident_type):
"""Get relevant IR skills for incident type"""
loader = SkillLoader()
all_skills = loader.scan_all_frontmatter()
# Map incident types to skill domains
incident_mappings = {
'ransomware': ['malware-analysis', 'incident-response', 'forensics'],
'data_breach': ['threat-hunting', 'forensics', 'cloud-security'],
'phishing': ['email-security', 'threat-intelligence', 'endpoint-security'],
'insider_threat': ['behavior-analytics', 'iam', 'forensics']
}
relevant_tags = incident_mappings.get(incident_type, [])
relevant_skills = [
s for s in all_skills
if any(tag in s.get('tags', []) for tag in relevant_tags)
]
# Prioritize by subdomain
prioritized = sorted(
relevant_skills,
key=lambda s: (
s.get('subdomain') == 'incident-response',
len(set(s.get('tags', [])) & set(relevant_tags))
),
reverse=True
)
return prioritized[:5]
# Usage
ransomware_skills = incident_response_guide('ransomware')
for skill in ransomware_skills:
print(f"- {skill['name']}: {skill['description']}")
ATT&CK Technique Coverage
def check_attack_coverage(technique_id):
"""Check which skills cover a specific ATT&CK technique"""
loader = SkillLoader()
coverage = []
for skill_dir in os.listdir('skills'):
refs_path = f'skills/{skill_dir}/references/standards.md'
if os.path.exists(refs_path):
with open(refs_path, 'r') as f:
content = f.read()
if technique_id in content:
skill = loader.load_full_skill(skill_dir)
coverage.append({
'name': skill['metadata']['name'],
'description': skill['metadata']['description'],
'domain': skill['metadata']['subdomain']
})
return coverage
# Usage
t1003_coverage = check_attack_coverage('T1003') # Credential Dumping
print(f"Skills covering T1003: {len(t1003_coverage)}")
for skill in t1003_coverage:
print(f" {skill['domain']}: {skill['name']}")
Multi-Framework Compliance Check
def compliance_mapper(skill_name):
"""Show all framework mappings for a skill"""
loader = SkillLoader()
skill = loader.load_full_skill(skill_name)
frameworks = {
'MITRE ATT&CK': skill['metadata'].get('attack_techniques', []),
'NIST CSF 2.0': skill['metadata'].get('nist_csf', []),
'MITRE ATLAS': skill['metadata'].get('atlas_techniques', []),
'MITRE D3FEND': skill['metadata'].get('d3fend_techniques', []),
'NIST AI RMF': skill['metadata'].get('nist_ai_rmf', [])
}
print(f"\nFramework mappings for: {skill_name}\n")
for framework, mappings in frameworks.items():
if mappings:
print(f"{framework}:")
for mapping in mappings:
print(f" - {mapping}")
# Usage
compliance_mapper('performing-memory-forensics-with-volatility3')
Working with Skill Scripts
Many skills include helper scripts in scripts/ directories:
import subprocess
import json
def execute_skill_script(skill_name, script_name, **kwargs):
"""Execute a skill's helper script with arguments"""
script_path = f'skills/{skill_name}/scripts/{script_name}'
if not os.path.exists(script_path):
raise FileNotFoundError(f"Script not found: {script_path}")
# Build command with arguments
cmd = ['python', script_path]
for key, value in kwargs.items():
cmd.extend([f'--{key}', str(value)])
# Execute
result = subprocess.run(cmd, capture_output=True, text=True)
return {
'stdout': result.stdout,
'stderr': result.stderr,
'returncode': result.returncode
}
# Usage example with memory forensics skill
result = execute_skill_script(
'performing-memory-forensics-with-volatility3',
'process.py',
dump_file='/path/to/memory.dmp',
plugin='windows.pslist'
)
if result['returncode'] == 0:
print(result['stdout'])
else:
print(f"Error: {result['stderr']}")
Environment Configuration
Skills that require API keys or credentials reference environment variables:
# .env file for skills requiring external services
export VIRUSTOTAL_API_KEY=your_vt_key_here
export SHODAN_API_KEY=your_shodan_key_here
export MISP_URL=https://your-misp-instance.com
export MISP_API_KEY=your_misp_key_here
export SPLUNK_HOST=your-splunk-host
export SPLUNK_TOKEN=your_splunk_token
Load in Python:
import os
from dotenv import load_dotenv
load_dotenv()
# Skills will reference these
vt_key = os.getenv('VIRUSTOTAL_API_KEY')
misp_url = os.getenv('MISP_URL')
Integration Examples
With Claude Code / Cursor
Place in your project's .claud/ or .cursorrules:
# Cybersecurity Skills Context
This project has access to 754 cybersecurity skills in the `skills/` directory.
When I ask security questions:
1. Scan skill frontmatter in skills/*/SKILL.md
2. Match by domain, subdomain, or tags
3. Load top 3 relevant skills fully
4. Follow the Workflow sections step-by-step
5. Verify results using Verification sections
Example: "analyze this memory dump"
→ load performing-memory-forensics-with-volatility3/SKILL.md
→ execute Volatility3 commands from Workflow
→ validate findings using Verification checklist
With Custom AI Agent (Python)
class CybersecurityAgent:
def __init__(self, skills_dir='skills'):
self.loader = SkillLoader(skills_dir)
self.skill_index = self.loader.scan_all_frontmatter()
def handle_query(self, user_query):
"""Process security query using relevant skills"""
# Step 1: Find relevant skills
relevant = self._match_skills(user_query)
# Step 2: Load top matches
top_skills = [
self.loader.load_full_skill(s['name'])
for s in relevant[:3]
]
# Step 3: Extract workflow steps
workflows = []
for skill in top_skills:
content = skill['content']
# Extract Workflow section
if '## Workflow' in content:
start = content.index('## Workflow')
end = content.index('##', start + 1) if '##' in content[start + 1:] else len(content)
workflows.append(content[start:end])
return {
'matched_skills': [s['metadata']['name'] for s in top_skills],
'workflows': workflows,
'framework_mappings': self._get_mappings(top_skills)
}
def _match_skills(self, query):
"""Simple keyword matching (replace with semantic search)"""
query_lower = query.lower()
scores = []
for skill in self.skill_index:
score = 0
desc = skill['description'].lower()
tags = ' '.join(skill.get('tags', [])).lower()
# Score by keyword matches
for word in query_lower.split():
if word in desc:
score += 2
if word in tags:
score += 1
if score > 0:
scores.append((score, skill))
return [s for _, s in sorted(scores, reverse=True)]
def _get_mappings(self, skills):
"""Extract framework mappings from loaded skills"""
mappings = {
'attack': set(),
'nist_csf': set(),
'atlas': set()
}
for skill in skills:
meta = skill['metadata']
mappings['attack'].update(meta.get('attack_techniques', []))
mappings['nist_csf'].update(meta.get('nist_csf', []))
mappings['atlas'].update(meta.get('atlas_techniques', []))
return {k: list(v) for k, v in mappings.items()}
# Usage
agent = CybersecurityAgent()
response = agent.handle_query("investigate credential dumping attack")
print("Matched skills:", response['matched_skills'])
print("\nATT&CK Techniques:", response['framework_mappings']['attack'])
print("\nFirst workflow:")
print(response['workflows'][0][:500])
Troubleshooting
Skill Not Found
def verify_skill_exists(skill_name):
"""Check if skill exists and is properly formatted"""
skill_path = f'skills/{skill_name}/SKILL.md'
if not os.path.exists(skill_path):
print(f"❌ Skill not found: {skill_path}")
return False
with open(skill_path, 'r') as f:
content = f.read()
if not content.startswith('---'):
print(f"❌ Invalid format: missing YAML frontmatter")
return False
try:
yaml_end = content.find('---', 3)
frontmatter = yaml.safe_load(content[3:yaml_end])
required_fields = ['name', 'description', 'domain', 'subdomain']
for field in required_fields:
if field not in frontmatter:
print(f"❌ Missing required field: {field}")
return False
print(f"✅ Skill valid: {skill_name}")
return True
except Exception as e:
print(f"❌ YAML parse error: {e}")
return False
Framework Mapping Missing
If a skill doesn't show framework mappings, check references/standards.md:
def audit_framework_mappings(skill_name):
"""Check which framework mappings exist for a skill"""
refs_path = f'skills/{skill_name}/references/standards.md'
if not os.path.exists(refs_path):
print(f"⚠️ No references/standards.md found")
return
with open(refs_path, 'r') as f:
content = f.read()
frameworks = {
'ATT&CK': r'T\d{4}',
'NIST CSF': r'[A-Z]{2}\.[A-Z]{2}',
'ATLAS': r'AML\.T\d{4}',
'D3FEND': r'D3-[A-Z]+',
'AI RMF': r'[A-Z]+-\d+\.\d+'
}
import re
for name, pattern in frameworks.items():
matches = re.findall(pattern, content)
if matches:
print(f"✅ {name}: {', '.join(set(matches))}")
else:
print(f"⚠️ {name}: No mappings found")
Key Features Summary
- 754 skills across 26 security domains
- 5 framework mappings: ATT&CK, NIST CSF, ATLAS, D3FEND, AI RMF
- Progressive loading: scan frontmatter (~30 tokens), load full content only when needed
- Structured workflows: step-by-step procedures in every skill
- Helper scripts: working Python scripts in
scripts/directories - Framework standards: complete mappings in
references/standards.md - agentskills.io compliant: works with 26+ AI coding platforms
License
Apache 2.0 — see repository for full license text.
Contributing
Contributions welcome following the project's CONTRIBUTING.md guidelines. All skills must include YAML frontmatter, structured Markdown sections, and framework mappings.
Related skills
More from aradotso/security-skills and the wider catalog.
pentest-ai-agents
Claude Code subagents for offensive security research, penetration testing planning, recon analysis, exploit research, detection engineering, and security reporting
pentest-agents-bug-bounty-framework
Autonomous bug bounty agent framework with 50 agents, hunt loops, exploit chains, MCP servers for platform integration and writeup search
openosint-ai-osint-framework
AI-powered OSINT agent with interactive REPL, MCP server, and CLI for email/username/domain/IP/phone investigation using 11 integrated tools
vibe-security-skill
Agent skill that audits vibe-coded apps for common security vulnerabilities introduced by AI coding assistants
openclaw-security-hardening
Deploy and manage security hardening for high-privilege autonomous AI agents (OpenClaw) using zero-trust architecture and automated defense matrices
malware-detection-awareness
Understanding security risks in software distribution and recognizing illegitimate software packages