{"id":50999727,"url":"https://github.com/orcasecurity/orca-skills","last_synced_at":"2026-06-20T13:04:07.686Z","repository":{"id":357662244,"uuid":"1228104491","full_name":"orcasecurity/orca-skills","owner":"orcasecurity","description":"Skills and plugins to accelerate security workflows with the Orca Cloud Platform","archived":false,"fork":false,"pushed_at":"2026-05-30T18:04:20.000Z","size":4427,"stargazers_count":44,"open_issues_count":1,"forks_count":4,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-30T20:06:58.139Z","etag":null,"topics":["ai","ai-agents","ai-skills","claude","claude-code","codex","cursor","mcp","mcp-server","skills"],"latest_commit_sha":null,"homepage":"https://orca.security/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/orcasecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-03T15:48:32.000Z","updated_at":"2026-05-30T18:04:24.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/orcasecurity/orca-skills","commit_stats":null,"previous_names":["orcasecurity/orca-skills"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/orcasecurity/orca-skills","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orcasecurity%2Forca-skills","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orcasecurity%2Forca-skills/tags","releases_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/orcasecurity%2Forca-skills/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orcasecurity%2Forca-skills/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/orcasecurity","download_url":"https://codeload.github.com/orcasecurity/orca-skills/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orcasecurity%2Forca-skills/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34570557,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-20T02:00:06.407Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","ai-agents","ai-skills","claude","claude-code","codex","cursor","mcp","mcp-server","skills"],"created_at":"2026-06-20T13:04:07.113Z","updated_at":"2026-06-20T13:04:07.669Z","avatar_url":"https://github.com/orcasecurity.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/orca_ai_skills_banner.png\" alt=\"Orca Skills\" width=\"700\"\u003e\n\u003c/p\u003e\n\n\u003ca href=\"LICENSE\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-blue.svg\" alt=\"License: MIT\"\u003e\u003c/a\u003e\n\u003ca 
href=\"https://docs.anthropic.com/en/docs/claude-code\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/Claude_Code-compatible-blueviolet\" alt=\"Claude Code\"\u003e\u003c/a\u003e\n\u003ca href=\"https://cursor.com\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/Cursor-compatible-blue\" alt=\"Cursor\"\u003e\u003c/a\u003e\n\u003ca href=\"https://openai.com/codex/\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/Codex-compatible-green\" alt=\"Codex\"\u003e\u003c/a\u003e\n\u003ca href=\"https://docs.orcasecurity.io/docs/mcp-integration\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/MCP-Orca_Security-00D4AA\" alt=\"MCP\"\u003e\u003c/a\u003e\n\n\u003c/div\u003e\n\n---\n\n### Table of Contents\n- [Skills Overview](#skills-overview)\n- [Installation](#installation)\n- [MCP Configuration](#mcp-configuration)\n- [Skill Details](#skill-details)\n- [Testing](#testing)\n- [Contributing](#contributing)\n- [Support](#support)\n- [License](#license)\n- [Credits](#credits)\n\n\n## Skills Overview\n\n| Skill | Question It Answers |\n|-------|-------------------|\n| [`orca-alert-triage`](#orca-alert-triage) | \"What is this alert and should I care?\" |\n| [`orca-impact-analysis`](#orca-impact-analysis) | \"If I fix this, what else closes — and what breaks?\" |\n| [`orca-config-origin`](#orca-config-origin) | \"Who did this, how was it deployed, and what introduced the issue?\" |\n| [`orca-morning-briefing`](#orca-morning-briefing) | \"What happened while I was away, and what needs my attention?\" |\n| [`orca-asset-profile`](#orca-asset-profile) | \"Tell me everything about this asset in one place.\" |\n| [`orca-compliance-gap`](#orca-compliance-gap) | \"Where are we failing, what's the fastest path to improve?\" |\n| [`orca-data-exposure`](#orca-data-exposure) | \"Where is our sensitive data, is it protected, and what's at risk?\" |\n| [`orca-exposure-map`](#orca-exposure-map) | \"What can an 
attacker see from outside?\" |\n| [`orca-identity-review`](#orca-identity-review) | \"Is this identity overprivileged, and what's the blast radius?\" |\n| [`orca-investigate`](#orca-investigate) | \"What happened, who did it, and how far did they get?\" |\n| [`orca-cloud-cost-optimizer`](#orca-cloud-cost-optimizer) | \"Where are we overspending and what should we fix first?\" |\n| [`orca-custom-framework`](#orca-custom-framework) | \"How do I create a custom compliance framework tailored to my needs?\" |\n\n### Recommended Workflows\n\n\u003e **Daily ops:** Morning briefing → Triage → Asset profile → Impact analysis → Config origin → Fix\n\u003e\n\u003e **Proactive posture:** Compliance gaps → Exposure map → Data exposure → Identity review\n\u003e\n\u003e **Incident response:** Investigate → Identity review → Asset profile → Contain and remediate\n\u003e\n\u003e **Custom compliance:** Custom framework → Compliance gaps → Impact analysis → Remediate\n\n## Installation\n\n### Claude Code CLI\n\n```bash\n/plugin marketplace add orcasecurity/orca-skills\n```\n\n**Next step:** Configure the Orca Security MCP server (see [MCP Configuration](#mcp-configuration) below).\n\n### Claude Desktop\n\nAdd the marketplace to your Claude Desktop configuration, then install skills from the marketplace UI.\n\n### Manual Installation\n\n```bash\n# Clone the repository\ngit clone https://github.com/orcasecurity/orca-skills.git\ncd orca-skills\n\n# Copy skills to your skills directory\ncp -r skills/* ~/.claude/skills/\n```\n\n## MCP Configuration\n\n**Required:** These skills need the Orca Security MCP server to access your environment data.\n\nAdd to your `.mcp.json` (in project root or `~/.claude/.mcp.json`):\n\n**Uses OAuth2 for authentication**\n\n```json\n{\n  \"mcpServers\": {\n    \"orca-security\": {\n      \"type\": \"http\",\n      \"url\": \"https://mcp.orcasecurity.io\"\n    }\n  }\n}\n```\n\n**For token based authentication** (For services and automations)\n\n```json\n{\n  
\"mcpServers\": {\n    \"orca-security\": {\n      \"type\": \"http\",\n      \"url\": \"https://api.orcasecurity.io/mcp\",\n      \"headers\": {\n        \"Authorization\": \"Token YOUR_ORCA_API_TOKEN\"\n      }\n    }\n  }\n}\n```\n\n**Get your API token:** [Orca API Authentication Guide](https://docs.orcasecurity.io/docs/managing-api-tokens)  \n**MCP Integration Docs:** [Orca MCP Setup](https://orca.security/mcp-server/)\n\n\n## Skill Details\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-alert-triage\"\u003e\u003c/a\u003eorca-alert-triage\u003c/strong\u003e\u003c/summary\u003e\n\n**\"What is this alert and should I care?\"**\n\nIntelligent alert triage that transforms raw Orca alerts into analyst-friendly summaries with behavioral timelines, risk assessment, and progressive disclosure. Supports anomalies, vulnerabilities, malware, and misconfigurations.\n\n**Features:**\n- Verdict-first summaries with confidence scoring (Likely Benign, Active Threat, Patchable Risk, etc.)\n- Visual timeline analysis showing alert behavior, status changes, and remediation blockers\n- Blast radius calculation with related asset and alert correlation\n- Orca-first automated investigation — queries CloudTrail, related alerts, attack paths before suggesting manual steps\n- Remediation format picker — choose Terraform, CloudFormation, ARM/Bicep, Pulumi, CLI, or step-by-step instructions\n- Code output written to files automatically (e.g., `remediate-orca-3456789.tf`)\n\n**Usage:**\n```bash\n# Triage an alert\n/orca-alert-triage orca-1234567\n\n# Or use natural language\ntriage alert orca-9012345\nexplain orca-2345678\n```\n\n**Follow-up commands** (type after triage):\n```\ninvestigate    # Automated Orca-first investigation with manual steps only for gaps\nevidence       # Detailed metadata, hashes, links, MITRE ATT\u0026CK mappings\nremediate      # Choose output format, then get remediation written to a file\ncorrelate      # Related alerts and 
attack pattern analysis\n```\n\n**Example output:**\n```\n═══════════════════════════════════════════════════════════════════\nANOMALY DETECTION: Unusual User Agent on EKS Node Role\n═══════════════════════════════════════════════════════════════════\n\nVERDICT: Likely Benign | CONFIDENCE: 90% | ACTION: Review \u0026 Close | TIMELINE: 48h\n\nWHAT HAPPENED:\n  EKS node role used a new AWS SDK version (boto3/1.35.x → 1.36.x)\n  during routine cluster operations. Single occurrence, no recurrence.\n\nWHY IT MATTERS:\n  Risk Level: Low (Orca Score: 3.0)\n  Same tool family, minor version bump, clean 30-day baseline.\n═══════════════════════════════════════════════════════════════════\n```\n\n[Full Documentation →](skills/orca-alert-triage/)\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-impact-analysis\"\u003e\u003c/a\u003eorca-impact-analysis\u003c/strong\u003e\u003c/summary\u003e\n\n**\"If I fix this, what closes — and what breaks?\"**\n\nAnalyzes the full remediation impact of fixing a single Orca alert — both the security gains (alerts closed, attack paths broken, compliance passed) AND the operational risk (production workflows, automation, services that might break).\n\n**Features:**\n- Cascade analysis — maps all alerts that share the same root cause as the target alert\n- Attack path impact — identifies kill chains that break when the alert is fixed\n- Compliance score change — shows before/after compliance percentages per framework\n- Environment-wide view — finds the same issue across other assets and accounts\n- Breakage simulation — analyzes CloudTrail/CDR events and effective permissions to identify production dependencies\n- Executive verdict — clear FIX NOW / FIX WITH CAUTION / PLAN FIX / DEFER recommendation balancing security gain vs. 
operational risk\n- Safe deployment checklist — steps to apply the fix without breaking production\n\n**Usage:**\n```bash\n# Analyze impact of fixing an alert\n/orca-impact-analysis orca-3456789\n\n# Or use natural language\nwhat's the impact of fixing orca-5678901?\nif I fix orca-0123456, what else closes?\n```\n\n**Example output:**\n```\n═══════════════════════════════════════════════════════════════════\nIMPACT ANALYSIS — orca-3456789\nRoot Account Without MFA Enabled\n\"If I enable MFA on root, what closes — and what breaks?\"\n═══════════════════════════════════════════════════════════════════\n\n┌─────────────────────────────────────────────────────────────────┐\n│  VERDICT: FIX NOW                                               │\n│                                                                 │\n│  Security gain:   HIGH — 2 critical alerts, 3 attack paths      │\n│  Breakage risk:   LOW — no automation uses root console login   │\n│  Blast radius:    2 alerts, 3 attack paths, 8 frameworks        │\n└─────────────────────────────────────────────────────────────────┘\n\nREMEDIATION IMPACT SUMMARY:\n  Alerts directly closed:    2 (including this one)\n  Attack paths broken:       3\n  Compliance frameworks:     8 frameworks improved\n\n  COMPLIANCE SCORE CHANGE:\n    Framework              Current    After Fix    Change\n    ─────────────────────────────────────────────────────\n    PCI DSS v4.0.1          87%   →    89%         +2%\n    NIST 800-53             91%   →    93%         +2%\n\nBREAKAGE RISK:\n  [ok] EKS automation — uses access keys (MFA doesn't apply)\n  [ok] Orca scanner — uses service role (not affected)\n  [x]  Unknown Kali agent — SHOULD break (that's the goal)\n\nBOTTOM LINE: High-leverage, low-risk fix. 
Apply immediately.\n═══════════════════════════════════════════════════════════════════\n```\n\n[Full Documentation →](skills/orca-impact-analysis/)\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-config-origin\"\u003e\u003c/a\u003eorca-config-origin\u003c/strong\u003e\u003c/summary\u003e\n\n**\"Who did this, how was it deployed, and what introduced the issue?\"**\n\nTraces any Orca alert — misconfiguration, vulnerability, sensitive data, or anomaly — back through cloud audit logs, Orca CodeOrigins (Shift Left), and asset metadata to find who created the resource, what tool deployed it, what introduced the specific issue, and a full timeline from deployment to alert detection.\n\n**Features:**\n- Alert category classification — traces origin differently for misconfigurations (config IS the cause), vulnerabilities (package is the cause), sensitive data (image/script placed the secret), and anomalies (actor IS the finding)\n- CodeOrigins / Shift Left integration — extracts exact IaC source code (repo, file, line numbers, git blame author/commit)\n- Audit log tracing via Orca CDR (CloudTrail, Azure Activity Log, GCP Audit Log)\n- Full visual timeline from IaC code commit → resource creation → issue introduction → alert detection, with exposure window calculation\n- Split ownership — distinguishes resource owner (who deployed) from issue owner (who should fix)\n- IaC drift detection — flags resources created by IaC but later modified via Console\n- Category-aware remediation routing — tells you WHERE to apply the fix based on alert type AND deployment method\n\n**Usage:**\n```bash\n# Trace origin of any alert\n/orca-config-origin orca-3456789\n\n# Or use natural language\nwho created this misconfiguration? orca-3456789\ntrace back orca-5678901\nwhere did this config come from? 
orca-3364845\n```\n\n**Example output (vulnerability alert):**\n```\n═══════════════════════════════════════════════════════════════════\nCONFIG ORIGIN — orca-4567890\nApache Log4j Remote Code Execution Vulnerability (CVE-2021-45046)\n═══════════════════════════════════════════════════════════════════\n\nASSET: web-bastion-host (AwsEc2Instance) in 123456789012\nISSUE: log4j-core v2.3 installed — critically vulnerable to RCE\n\n┌─────────────────────────────────────────────────────────────────┐\n│  DEPLOYED BY: Terraform (module \"ec2_unpatched\")                │\n│  OWNER:       Alex Chen (alex@example-corp.com)                       │\n│  ROOT CAUSE:  user_data script installs log4j-core-2.3.jar     │\n│  LAST CHANGE: 2025-12-01 (137 days ago)                         │\n│  METHOD:      Terraform → module \"ec2/unpatched_ubuntu\"         │\n└─────────────────────────────────────────────────────────────────┘\n\nTIMELINE:\n  2024-06-23  ● Terraform code committed                  Alex Chen\n              │ file: ec2.tf:71-80, commit: abc1234\n  2025-12-01  ● Instance created — user_data installs log4j 2.3\n              │ ⚠ VULNERABILITY INTRODUCED HERE\n  2025-12-01  ● Alert detected by Orca (73 min after creation)\n  2026-04-17  ● Today — 137 days exposed, still open\n\nREMEDIATION ROUTING:\n  ⚠ The fix is NOT in ec2.tf — the Terraform deploys correctly.\n  FIX IN: module.scripts.ec2_unpatched (the user_data script)\n  → Update script to install log4j-core ≥ 2.16.0\n═══════════════════════════════════════════════════════════════════\n```\n\n[Full Documentation →](skills/orca-config-origin/)\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-morning-briefing\"\u003e\u003c/a\u003eorca-morning-briefing\u003c/strong\u003e\u003c/summary\u003e\n\n**\"What happened while I was away, and what needs my attention?\"**\n\nDaily security briefing for the last 24-72 hours. 
Scans your environment for new critical alerts, escalated findings, attack path changes, compliance drift, exposure changes, CDR activity anomalies, crown jewel risks, and aging unactioned alerts — then presents it all as a scannable dashboard with drill-down sections.\n\n**Features:**\n- Environment pulse — quick health assessment (stable, degrading, needs attention)\n- New critical/high alerts with priority ranking\n- Escalated alerts — severity increases and reopened findings\n- Compliance drift — framework scores that dropped, with account breakdown\n- CDR activity overview — event volumes, unusual actors, suspicious patterns\n- Crown jewel risk — new alerts on your most critical assets\n- Aging criticals — unactioned alerts with Jira ticket status\n- Progressive disclosure — dashboard first (~20 lines), drill down by keyword\n- Time range support — 24h (daily), 72h (Monday morning), week (PTO return)\n\n**Usage:**\n```bash\n# Daily briefing (last 24 hours)\n/orca-morning-briefing\n\n# Monday morning (last 72 hours)\n/orca-morning-briefing 72h\n\n# Weekly review\n/orca-morning-briefing week\n```\n\n**Drill-down keywords** (type after briefing):\n```\nalerts         # Full list of new critical/high alerts\nescalated      # Alerts that changed severity or reopened\nattack paths   # New/worsened attack paths with stories\ncompliance     # Framework scores, trends, worst accounts\nexposure       # Internet-facing assets with critical alerts\ncrown jewels   # New alerts on crown jewel assets\naging          # Unactioned critical alerts sorted by age\nactivity       # CDR event volumes, unusual actors\nnew types      # Alert types seen for the first time\ntrends         # Week-over-week comparison, top affected assets\nfull           # All sections expanded (for reports/handoffs)\n```\n\n**Example output:**\n```\n═══════════════════════════════════════════════════════════════════\nMORNING BRIEFING — 2026-04-17\nLast 24 hours | Account: 
123456789012\n═══════════════════════════════════════════════════════════════════\n\nPULSE: ⚠ NEEDS ATTENTION — 3 new critical alerts\n\n┌─────────────────────────────────────────────────────────────────┐\n│  NEW ALERTS         12 total (3 critical, 4 high, 5 medium)    │\n│  ESCALATED          2 alerts changed severity or reopened       │\n│  ATTACK PATHS       1 new, 2 worsened                           │\n│  COMPLIANCE         PCI DSS dropped 2%                          │\n│  EXPOSURE           1 asset newly internet-facing               │\n│  CROWN JEWELS       1 new alert on critical asset               │\n│  AGING CRITICALS    4 critical alerts open \u003e 7 days             │\n│  CDR ACTIVITY       Elevated — 3.2k events (normal: ~1k)       │\n└─────────────────────────────────────────────────────────────────┘\n\nTOP PRIORITIES:\n  [1] orca-4567890 — Log4j RCE on public bastion (137d open!)\n  [2] orca-6789012 — S3 bucket publicly accessible (new today)\n  [3] orca-7890123 — SendGrid API key exposed in container\n═══════════════════════════════════════════════════════════════════\n```\n\n[Full Documentation →](skills/orca-morning-briefing/)\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-asset-profile\"\u003e\u003c/a\u003eorca-asset-profile\u003c/strong\u003e\u003c/summary\u003e\n\n**\"Tell me everything about this asset in one place.\"**\n\nFull 360° security profile of any cloud asset — all open alerts (grouped by category), attack paths, compliance violations, permissions, network exposure, sensitive data, CDR activity summary, crown jewel status, and linked entities.\n\n**Features:**\n- Complete asset identity — name, type, account, region, IPs, OS, tags, creation date, IaC source\n- Risk summary with Orca Score, crown jewel status, and exposure classification\n- Alerts grouped by category — vulnerabilities, misconfigurations, malware, sensitive data, anomalies, IAM\n- Attack path mapping — kill 
chains with the asset's role (entry point, pivot, target)\n- Compliance framework violations per asset\n- Effective permissions analysis (AWS IAM assets) with used vs unused breakdown\n- CDR activity summary — 30-day event volumes, top actions, unique actors\n- Linked entities — connected roles, instances, buckets, databases, load balancers\n- Proactive remediation — suggests the highest-impact fix and offers to generate code in Terraform, CloudFormation, Ansible, CLI, Pulumi, or ARM/Bicep\n\n**Usage:**\n```bash\n# Profile an asset by name, ID, or ARN\n/orca-asset-profile web-bastion-host\n/orca-asset-profile i-1234567890abcdef0\n\n# Or use natural language\ntell me about web-bastion-host\nasset risk for vm-chain3-1\n```\n\n**Drill-down keywords** (type after profile):\n```\nalerts         # All alerts by category\nattack paths   # Kill chains with this asset\ncompliance     # Framework violations\npermissions    # IAM analysis (used vs unused)\nexposure       # Network exposure details\nactivity       # CDR events (last 30 days)\nlinked         # Connected assets\ncode origin    # IaC source mapping\nfull           # All sections expanded\n```\n\n**Example output:**\n```\n═══════════════════════════════════════════════════════════════════\nASSET PROFILE — web-bastion-host\nAwsEc2Instance | 123456789012 | us-east-1 | running\n═══════════════════════════════════════════════════════════════════\n\nRISK: Orca Score 9.0 (Critical) | Crown Jewel: NO\n\n┌─────────────────────────────────────────────────────────────────┐\n│  ALERTS        12 total (3 critical, 4 high, 5 medium)         │\n│  ATTACK PATHS  4 active kill chains                             │\n│  COMPLIANCE    6 frameworks, 18 failing controls                │\n│  EXPOSURE      public_facing | ports: 22, 443                   │\n│  SENSITIVE     API keys, credentials                            │\n│  PERMISSIONS   overprivileged (via instance profile)            │\n│  CDR ACTIVITY  847 events in 30d (elevated) 
                    │\n│  LINKED        9 connected assets                               │\n└─────────────────────────────────────────────────────────────────┘\n\nTOP ALERTS:\n  [1] orca-4567890 — Log4j RCE (score: 9.0, vulnerability)\n  [2] orca-7890123 — SendGrid API key exposed (score: 8.5, sensitive data)\n  [3] orca-3456789 — Root account without MFA (score: 8.0, misconfiguration)\n\nRECOMMENDED ACTION:\n  The highest-impact fix is orca-4567890 (Log4j RCE on a public\n  asset). I can generate remediation code right now.\n\n  What format? terraform | cloudformation | cli | instructions\n═══════════════════════════════════════════════════════════════════\n```\n\n[Full Documentation →](skills/orca-asset-profile/)\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-compliance-gap\"\u003e\u003c/a\u003eorca-compliance-gap\u003c/strong\u003e\u003c/summary\u003e\n\n**\"Where are we failing, what's the fastest path to improve?\"**\n\nDeep compliance gap analysis for any framework — failing controls ranked by blast radius, quick wins (single-fix controls), account breakdown, score trends, and a phased remediation plan with projected score improvements.\n\n**Features:**\n- Framework overview with scores, trends, and worst/best identification\n- Failing controls ranked by cross-framework impact and asset count\n- Quick win detection — single-config fixes that improve multiple frameworks at once\n- Account/business unit breakdown — who owns the worst gaps\n- 30-day compliance trend analysis — improving, stable, or degrading\n- Phased remediation plan — quick wins (days), systematic fixes (weeks), architectural changes (months)\n- Projected score improvements per phase\n- Proactive remediation — offers to generate fix code for any control in Terraform, CloudFormation, Ansible, CLI, Pulumi, or ARM/Bicep\n\n**Usage:**\n```bash\n# All frameworks overview\n/orca-compliance-gap\n\n# Specific framework 
deep-dive\n/orca-compliance-gap PCI DSS\n/orca-compliance-gap CIS AWS\n\n# Or use natural language\nhow's our PCI compliance?\nwhat's failing in SOC 2?\nquick wins for compliance\n```\n\n**Drill-down keywords** (type after analysis):\n```\ncontrols         # All failing controls ranked by impact\nquick wins       # Fastest path to score improvement\naccounts         # Gap breakdown by account\ntrends           # 30-day score history\nremediation plan # Phased fix plan with projections\nfull             # All sections expanded\n```\n\n**Example output:**\n```\n═══════════════════════════════════════════════════════════════════\nCOMPLIANCE GAP ANALYSIS — All Frameworks\n2026-04-17 | All accounts\n═══════════════════════════════════════════════════════════════════\n\nPOSTURE: Moderate — 3 frameworks below 85% target\n\n┌─────────────────────────────────────────────────────────────────┐\n│  FRAMEWORKS     8 enabled                                       │\n│  AVG SCORE      84%                                             │\n│  WORST          HIPAA at 71%                                    │\n│  BEST           CIS AWS at 94%                                  │\n│  TREND (30d)    degrading — PCI dropped 2%                      │\n│  QUICK WINS     6 controls fixable with single changes          │\n│  WORST ACCOUNT  123456789012 — 76% avg score                   │\n└─────────────────────────────────────────────────────────────────┘\n\nTOP FAILING CONTROLS (highest impact):\n  [1] Enable MFA for root — failing on 3 accounts, affects 5 frameworks\n  [2] Encrypt EBS volumes — failing on 12 assets, affects 4 frameworks\n  [3] Restrict SSH access — failing on 8 assets, affects 4 frameworks\n\nRECOMMENDED ACTION:\n  The fastest score improvement: enable MFA for root —\n  affects 3 accounts across 5 frameworks. I can generate the fix.\n\n  What format? 
terraform | cloudformation | cli | instructions\n═══════════════════════════════════════════════════════════════════\n```\n\n[Full Documentation →](skills/orca-compliance-gap/)\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-data-exposure\"\u003e\u003c/a\u003eorca-data-exposure\u003c/strong\u003e\u003c/summary\u003e\n\n**\"Where is our sensitive data, is it protected, and what's at risk?\"**\n\nDSPM (Data Security Posture Management) view: discovers sensitive data across the environment — secrets, PII, credentials, API keys, financial data — identifies unprotected or exposed data stores, ranks data risks by exposure level, and generates a remediation plan.\n\n**Features:**\n- Full DSPM scan — secrets, PII, credentials, API keys, certificates, financial data\n- Risk classification — critical (public + sensitive), high (internal + vulnerable), medium, low\n- Data type grouping — secrets \u0026 credentials, PII, financial data, health data, private keys\n- Public data store detection — S3 buckets, databases, file shares with public access\n- Unencrypted data store identification with encryption recommendations\n- Compliance context — PCI DSS, HIPAA, GDPR, SOC 2 data protection control status\n- Account breakdown of data risk distribution\n- Phased remediation plan — stop the bleeding, encrypt everything, access controls, governance\n- Proactive remediation — generates rotation scripts, bucket policies, encryption configs in Terraform, CloudFormation, Ansible, CLI, Pulumi, or ARM/Bicep\n\n**Usage:**\n```bash\n# Full DSPM report\n/orca-data-exposure\n\n# Filter by type or account\n/orca-data-exposure secrets\n/orca-data-exposure account 123456789012\n\n# Or use natural language\nwhere's our sensitive data?\nfind exposed API keys\nwhat PII is at risk?\n```\n\n**Drill-down keywords** (type after report):\n```\nsecrets          # Exposed secrets \u0026 credentials\npii              # PII exposure details\npublic data 
     # Publicly accessible data stores\nunencrypted      # Data stores without encryption\ncompliance       # Data protection compliance status\naccounts         # Data risk by account\nremediation plan # Phased data protection plan\nfull             # All sections expanded\n```\n\n**Example output:**\n```\n═══════════════════════════════════════════════════════════════════\nDATA EXPOSURE REPORT — All Accounts\n2026-04-17 | Full environment\n═══════════════════════════════════════════════════════════════════\n\nDATA POSTURE: At Risk — 3 critical data exposures on public assets\n\n┌─────────────────────────────────────────────────────────────────┐\n│  TOTAL FINDINGS    24 data exposure alerts                      │\n│  CRITICAL          3 — immediate breach risk                    │\n│  HIGH              8 — significant exposure                     │\n│  SECRETS           11 exposed credentials/API keys/tokens       │\n│  PII               5 assets with personally identifiable data   │\n│  PUBLIC DATA       2 publicly accessible data stores            │\n│  UNENCRYPTED       6 data stores without encryption             │\n│  CROWN JEWELS      2 data findings on critical assets           │\n│  COMPLIANCE        PCI DSS, HIPAA gaps on data controls         │\n└─────────────────────────────────────────────────────────────────┘\n\nTOP DATA RISKS:\n  [1] orca-7890123 — SendGrid API key in container image (score: 8.5)\n      web-bastion-host | credential | public-facing\n  [2] orca-8901234 — AWS access key in environment variable (score: 8.0)\n      ci-build-server | infrastructure secret | internal\n  [3] orca-6789012 — S3 bucket publicly accessible (score: 7.5)\n      s3-data-lake-prod | PII + financial data | public\n\nRECOMMENDED ACTION:\n  Priority #1: Rotate the SendGrid API key on web-bastion-host and\n  move to Secrets Manager. I can generate the rotation script.\n\n  What format? 
terraform | cloudformation | cli | instructions\n═══════════════════════════════════════════════════════════════════\n```\n\n[Full Documentation →](skills/orca-data-exposure/)\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-exposure-map\"\u003e\u003c/a\u003eorca-exposure-map\u003c/strong\u003e\u003c/summary\u003e\n\n**\"What can an attacker see from outside?\"**\n\nExternal attack surface mapping: discovers all internet-facing assets, ranks them by exploitability from an attacker's perspective, groups by attack vector (exposed services, public storage, vulnerable web apps, open management ports), and maps outside-in kill chains to crown jewels.\n\n**Features:**\n- Full external attack surface inventory — internet-facing assets ranked by risk\n- Attacker-perspective ranking — \"how would an attacker prioritize these targets?\"\n- Attack vector grouping — easy wins, web apps, management ports, public data, lateral movement entry points\n- Outside-in attack path mapping — from exposed asset through pivots to crown jewels\n- Exposed management interfaces (SSH, RDP, admin panels) with authentication status\n- Public data store detection (S3, databases, file shares)\n- Account-level exposure breakdown\n- Proactive remediation — generates security group rules, bucket policies, WAF configs in Terraform, CloudFormation, Ansible, CLI, Pulumi, or ARM/Bicep\n\n**Usage:**\n```bash\n# Full attack surface map\n/orca-exposure-map\n\n# Filter by account or vector\n/orca-exposure-map account 123456789012\n/orca-exposure-map web services\n\n# Or use natural language\nwhat's exposed to the internet?\nshow me our attack surface\nwhat can an attacker see?\n```\n\n**Drill-down keywords** (type after map):\n```\neasy wins      # Immediately exploitable — fix first\nweb apps       # Exposed web applications\nmanagement     # SSH, RDP, admin panels\ndata           # Public data stores\nattack paths   # Outside-in kill chains\naccounts 
      # Exposure by account\nall assets     # Complete exposed asset list\nfull           # All sections expanded\n```\n\n**Example output:**\n```\n═══════════════════════════════════════════════════════════════════\nEXPOSURE MAP — External Attack Surface\n2026-04-17 | All accounts\n═══════════════════════════════════════════════════════════════════\n\nSURFACE: Moderate — 4 immediately exploitable targets\n\n┌─────────────────────────────────────────────────────────────────┐\n│  EXPOSED ASSETS     18 internet-facing                          │\n│  CRITICAL RISK      4 immediately exploitable                   │\n│  HIGH RISK          7 exploitable with effort                   │\n│  PUBLIC STORAGE     2 buckets/blobs publicly accessible         │\n│  EXPOSED MGMT       3 SSH/RDP/admin panels                      │\n│  EXPOSED DATABASES  1 database reachable from internet          │\n│  CROWN JEWELS       2 exposed critical assets                   │\n│  ATTACK PATHS       5 outside-in kill chains                    │\n└─────────────────────────────────────────────────────────────────┘\n\nTOP TARGETS (attacker's priority list):\n  [1] web-bastion-host — Log4j RCE + public SSH (score: 9.0)\n      AwsEc2Instance | 54.210.xx.xx | ports: 22, 443, 8080\n  [2] s3-data-lake-prod — public S3 with PII (score: 7.5)\n      AwsS3Bucket | public-read | contains financial data\n  [3] ci-build-server — exposed admin panel (score: 7.0)\n      AwsEc2Instance | 52.90.xx.xx | ports: 8080, 50000\n\nRECOMMENDED ACTION:\n  Priority #1: Lock down web-bastion-host — patch Log4j and\n  restrict SSH to VPN CIDR. I can generate the fix.\n\n  What format? 
terraform | cloudformation | cli | instructions\n═══════════════════════════════════════════════════════════════════\n```\n\n[Full Documentation →](skills/orca-exposure-map/)\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-identity-review\"\u003e\u003c/a\u003eorca-identity-review\u003c/strong\u003e\u003c/summary\u003e\n\n**\"Is this identity overprivileged, and what's the blast radius?\"**\n\nIAM identity analysis: compares effective permissions vs actual CloudTrail usage, identifies overprivileged access, maps lateral movement potential (role assumptions, cross-account reach), and generates least-privilege policy recommendations.\n\n**Features:**\n- Effective permissions analysis — total actions across all services\n- Used vs unused permission comparison from 30-day CloudTrail data\n- Overprivilege classification — severe, high, moderate, or minimal\n- Dangerous permission detection — iam:*, sts:AssumeRole(broad), s3:*, kms:Decrypt, etc.\n- Lateral movement mapping — assumable roles, cross-account reach, service access\n- Attack path analysis — kill chains passing through this identity\n- CDR activity patterns — source IPs, user-agents, time patterns\n- Least-privilege policy recommendation with estimated risk reduction\n- Safe deployment checklist — audit mode, testing, monitoring, rollback\n- Proactive remediation — generates updated IAM policies in Terraform, CloudFormation, Ansible, CLI, Pulumi, or ARM/Bicep\n\n**Usage:**\n```bash\n# Review an identity by name or ARN\n/orca-identity-review admin-role\n/orca-identity-review arn:aws:iam::123456789012:role/ec2-bastion-role\n\n# Or use natural language\nis terraform-deploy overprivileged?\nreview the permissions on admin-role\nwhat can this role access?\n```\n\n**Drill-down keywords** (type after review):\n```\npermissions    # Full permission list (used, unused, dangerous)\nusage          # CDR activity details (actions, IPs, agents)\nlateral        # 
Lateral movement analysis\nattack paths   # Kill chains through this identity\nalerts         # Open alerts on this identity\nactivity       # 30-day CDR event summary\nrecommend      # Least-privilege policy recommendation\nfull           # All sections expanded\n```\n\n**Example output:**\n```\n═══════════════════════════════════════════════════════════════════\nIDENTITY REVIEW — ec2-bastion-role\nAwsIamRole | 123456789012 | arn:aws:iam::123456789012:role/ec2-bastion-role\n═══════════════════════════════════════════════════════════════════\n\nVERDICT: OVERPRIVILEGED\n\n┌─────────────────────────────────────────────────────────────────┐\n│  PERMISSIONS     312 effective actions across 28 services       │\n│  OVERPRIVILEGE   SEVERE — has admin-level access it doesn't use│\n│  USED (30d)      47 actions actually used                       │\n│  UNUSED          265 actions never used — removal candidates    │\n│  DANGEROUS       8 high-risk permissions (iam:*, s3:*, kms:*)  │\n│  BLAST RADIUS    28 services, 150+ resources reachable          │\n│  LATERAL MOVE    5 roles assumable, 2 accounts reachable        │\n│  ATTACK PATHS    3 kill chains through this identity            │\n│  ALERTS          4 open (2 critical, 1 high, 1 medium)         │\n│  CDR ACTIVITY    847 events in 30d, 47 unique actions           │\n│  CROWN JEWEL     NO                                             │\n└─────────────────────────────────────────────────────────────────┘\n\nTOP RISK:\n  This role has 265 unused permissions including iam:*, enabling\n  full privilege escalation if compromised.\n\nRECOMMENDED ACTION:\n  Remove 265 unused permissions to reduce blast radius by 85%.\n  I can generate the updated least-privilege policy.\n\n  What format? 
terraform | cloudformation | cli | instructions\n═══════════════════════════════════════════════════════════════════\n```\n\n[Full Documentation →](skills/orca-identity-review/)\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-investigate\"\u003e\u003c/a\u003eorca-investigate\u003c/strong\u003e\u003c/summary\u003e\n\n**\"What happened, who did it, and how far did they get?\"**\n\nCDR-powered incident investigation: traces actor activity through Orca CDR (CloudTrail/audit logs), builds session timelines, maps actions to MITRE ATT\u0026CK techniques, clusters related sessions, assesses blast radius, and generates a verdict with containment recommendations.\n\n**Features:**\n- Multi-axis investigation — by actor (IAM identity), source IP, target resource, account, or alert\n- Session clustering — groups raw events into coherent sessions by actor, IP, and time gaps\n- MITRE ATT\u0026CK mapping — maps every action to techniques and tactics with confidence levels\n- Kill chain assessment — how many ATT\u0026CK tactics are covered (partial, near-complete, complete)\n- Blast radius classification — contained, moderate, broad, or severe\n- Persistence detection — new users, access keys, role policies created\n- Defense evasion detection — trail deletion, security group changes, logging disabled\n- Cross-account activity flagging\n- IOC extraction — IPs, user-agents, identities, created resources (copy-paste ready for SOC tools)\n- Verdict with confidence — active compromise, probable compromise, suspicious, likely benign, inconclusive\n- Proactive containment — generates revocation scripts, isolation configs, detection rules in Terraform, CloudFormation, Ansible, CLI, Pulumi, or ARM/Bicep\n\n**Usage:**\n```bash\n# Investigate by actor, IP, or resource\n/orca-investigate arn:aws:iam::123456789012:role/ec2-bastion-role\n/orca-investigate 10.0.1.50\n/orca-investigate account 123456789012\n\n# Or use natural 
language\ninvestigate what this role did in the last 24 hours\ntrace activity from IP 10.0.1.50\nwho accessed the prod database?\n```\n\n**Drill-down keywords** (type after investigation):\n```\ntimeline       # Chronological event timeline\nsessions       # Clustered sessions with assessment\nmitre          # MITRE ATT\u0026CK technique mapping\nblast radius   # Impact assessment\nactions        # All actions summary\nresources      # Resources touched\nalerts         # Related alerts\niocs           # Indicators of compromise (copy-paste ready)\ncontain        # Containment recommendations\nfull           # All sections expanded\n```\n\n**Example output:**\n```\n═══════════════════════════════════════════════════════════════════\nINVESTIGATION — ec2-bastion-role\narn:aws:iam::123456789012:role/ec2-bastion-role | Last 24 hours\n═══════════════════════════════════════════════════════════════════\n\nVERDICT: SUSPICIOUS | CONFIDENCE: 72%\n\n┌─────────────────────────────────────────────────────────────────┐\n│  EVENTS          156 total, 23 unique actions                   │\n│  SESSIONS        3 distinct sessions                            │\n│  TIME SPAN       04:12 → 16:47 UTC (12h 35m)                  │\n│  SERVICES        7 AWS services touched                         │\n│  RESOURCES       34 distinct resources accessed                 │\n│  SOURCE IPs      2 unique (1 known VPN, 1 unknown)             │\n│  USER AGENTS     2 unique (boto3, aws-cli)                      │\n│  BLAST RADIUS    MODERATE — multiple services, same account     │\n│  MITRE ATT\u0026CK   5 techniques across 4 tactics                  │\n│  ALERTS          4 related alerts on involved assets            │\n│  ATTACK PATHS    3 kill chains involving this actor             │\n└─────────────────────────────────────────────────────────────────┘\n\nEXECUTIVE SUMMARY:\n  ec2-bastion-role had 3 sessions in the last 24h. 
Session 2 came\n  from an unknown IP and performed unusual discovery actions across\n  S3 and IAM. No persistence or exfiltration detected yet.\n\nMITRE ATT\u0026CK COVERAGE:\n  ■ Initial Access    □ Execution    □ Persistence    □ Priv Esc\n  □ Defense Evasion   ■ Discovery    □ Lateral Move   ■ Collection\n  □ Exfiltration      □ Impact\n\nRECOMMENDED ACTION:\n  Investigate the unknown source IP in Session 2. I can generate\n  a containment script to restrict this role's permissions.\n\n  What format? terraform | cloudformation | cli | instructions\n═══════════════════════════════════════════════════════════════════\n```\n\n[Full Documentation →](skills/orca-investigate/)\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-cloud-cost-optimizer\"\u003e\u003c/a\u003eorca-cloud-cost-optimizer\u003c/strong\u003e\u003c/summary\u003e\n\n**\"Where are we overspending and what should we fix first?\"**\n\nAnalyzes all cloud assets via Orca Security MCP data to identify actionable cost reduction opportunities across compute, databases, storage, networking, and serverless resources. 
Delivers a dual-audience report: an executive summary with total savings range, and a per-asset action plan with Orca platform links, cloud console links, CLI commands, and projected monthly savings per item.\n\n**Features:**\n- 10 optimization patterns: idle resources, rightsizing, generation upgrades, reserved instances, spot migration, database sizing, Multi-AZ in non-prod, EBS gp2→gp3, S3/object tiering, networking cleanup\n- Dual-audience output — executive summary (top and bottom of report) plus engineer-ready implementation steps\n- Every recommendation includes Orca platform deep-links and cloud provider console URLs as evidence\n- Parallel Phase 1 asset discovery across all resource categories (EC2, EBS, S3, RDS, Lambda, NAT Gateways, EIPs, load balancers)\n- Implementation roadmap in 3 phases: zero-downtime quick wins, maintenance-window changes, financial commitments\n- Live pricing lookups (web search) with fallback to training data when unavailable\n\n**Usage:**\n```bash\n# Run a cost optimization report\n/orca-cloud-cost-optimizer\n\n# Or use natural language\ngive me a cost optimization report\nwhere are we wasting money on cloud?\nhow do we cut our AWS bill?\nfind unused resources\nwhat can we rightsize?\n```\n\n**Example output:**\n```\n# ☁️ Cloud Cost Optimization Report\n\nGenerated: 2026-05-01\nEnvironment: AWS (us-east-1, us-east-2, eu-central-1) | Azure (eastus)\nAssets analyzed: 450 across 5 AWS accounts\n\n## 📊 Executive Summary\n\n| | |\n|---|---|\n| Total assets analyzed | 450 |\n| Assets with savings opportunities | 150 (33%) |\n| Estimated monthly savings | $2,100 – $3,400/month |\n| Estimated annual savings | $25,200 – $40,800/year |\n| Immediate low-risk savings (this week) | $800/month |\n\n🏆 Top 5 Quick Wins:\n1. EBS gp2→gp3 migration (124 volumes) — $430/month — Very Low Risk\n2. Disable Multi-AZ on staging RDS (analytics-db-staging) — $438/month — Low Risk\n3. 
m4.2xlarge→m6i.2xlarge generation upgrade (api-staging-01) — $291/month — Low Risk\n4. Release idle Elastic IPs (3 unassociated) — $10/month — Very Low Risk\n5. S3 lifecycle policies (cloudtrail + log buckets) — $120/month — Very Low Risk\n```\n\n[Full Documentation →](skills/orca-cloud-cost-optimizer/)\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003e\u003ca id=\"orca-custom-framework\"\u003e\u003c/a\u003eorca-custom-framework\u003c/strong\u003e\u003c/summary\u003e\n\n**\"How do I create a custom compliance framework tailored to my needs?\"**\n\nCreates custom compliance frameworks in Orca Security from existing framework controls, alert lists, or security themes. Gathers relevant controls via MCP read tools, organizes them into logical sections, and pushes the framework to Orca via the REST API. When gaps exist — controls the user wants but Orca doesn't have a built-in rule for — suggests creating custom discovery alerts to fill them.\n\n**Features:**\n- 3 input modes: theme-based (\"Supply Chain Security\"), from-framework (\"from:cis_docker\"), or alert-list\n- Pulls controls from multiple existing frameworks and deduplicates rule_ids\n- Organizes into themed sections with priority weights (high/medium/low)\n- Creates frameworks via Orca REST API (`POST /api/compliance/frameworks`)\n- Identifies coverage gaps and suggests custom discovery alerts (`POST /api/sonar/rules`)\n- Post-creation validation with initial compliance score\n\n**Usage:**\n```bash\n/orca-custom-framework Supply Chain Security Controls\n/orca-custom-framework from:cis_docker_v.1.3.1\n/orca-custom-framework alerts:orca-1234,orca-5678\n\n# Or use natural language\ncreate a custom compliance framework for supply chain security\nbuild a framework based on CIS Docker + EKS controls\ngenerate a custom framework from these alerts\n```\n\n**Example output:**\n```\n=====================================================================\nCUSTOM FRAMEWORK 
CREATED\n=====================================================================\n\n  FRAMEWORK     Supply Chain Security Controls\n  ID            3104\n  CONTROLS      39 total across 6 sections\n  INITIAL SCORE 28%\n  CLOUD         aws, azure, gcp, shiftleft\n\nSECTIONS:\n  1. Container Image \u0026 Registry Security       6 controls\n  2. Container Runtime Protection              8 controls\n  3. Kubernetes Admission \u0026 Policy Controls    8 controls\n  4. Secrets \u0026 Credential Management           7 controls\n  5. Build Pipeline \u0026 Artifact Integrity       4 controls\n  6. Audit Logging \u0026 Monitoring                6 controls\n\nCOVERAGE GAPS (suggest custom discovery alerts):\n  - SBOM generation and validation\n  - Container image signing (SLSA provenance)\n  - Dependency vulnerability scanning in CI/CD\n=====================================================================\n```\n\n[Full Documentation →](skills/orca-custom-framework/)\n\n\u003c/details\u003e\n\n\n## Testing\n\nAll skills include automated evaluations using [Promptfoo](https://www.promptfoo.dev/).\n\n### Run Tests Locally\n\n```bash\n# Install Promptfoo\nnpm install -g promptfoo\n\n# Set your API key\nexport ANTHROPIC_API_KEY=\"your-key\"\n\n# Run all tests\npromptfoo eval\n\n# View results\npromptfoo view\n```\n\nSee [EVALS.md](EVALS.md) for a detailed testing guide, including:\n- Test coverage per skill\n- Adding new test cases\n- CI/CD integration\n- Debugging failed tests\n\n**Test suite includes ~30 test cases covering:**\n- Skill triggering from natural language\n- Output format validation\n- Error handling\n- Cross-model compatibility\n- Proactive remediation behavior\n\n## Contributing\n\nWe welcome contributions! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.\n\n### Adding a New Skill\n\n1. Create `skills/your-skill/SKILL.md`\n2. Follow the [skill template](docs/skill-template.md)\n3. Add tests if applicable\n4. Update this README\n5. 
Submit a pull request\n\n## Support\n\n- **Issues:** https://github.com/orcasecurity/orca-skills/issues\n- **Documentation:** https://docs.orcasecurity.io\n- **MCP Setup:** https://docs.orcasecurity.io/docs/mcp-integration\n\n## License\n\nMIT License - see [LICENSE](LICENSE) file\n\n## Credits\n\nBuilt by the Orca Security team and community contributors.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forcasecurity%2Forca-skills","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Forcasecurity%2Forca-skills","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forcasecurity%2Forca-skills/lists"}