security-audit

> Agent for `oci-live-resource-manager-stack-guard`. Guard OCI Resource Manager plan, apply, and destroy jobs with drift detection evidence, state-version audit, and stack-lock awareness before any mutation.

Govern Alibaba Cloud Container Registry (ACR) — Enterprise Edition vs Personal Edition selection, image vulnerability scanning, namespace IAM least privilege, image retention policies, cross-region replication, and supply chain security posture.

Govern Huawei Cloud SWR (Software Repository for Container) — image retention policy, vulnerability scanning via VSS (Vulnerability Scan Service) integration, namespace permission least privilege, cross-region image replication, and supply chain security posture.

Assess Huawei Cloud workload security using the Well-Architected Framework Security pillar: IAM SCP governance, VPC isolation, DEW key management, SecMaster SIEM/SOAR, and MLPS 2.0 technical controls for China-resident workloads.

Use this skill when reviewing OCI Certificates Service issuer configurations for cert-manager on OKE. Trigger on any request to audit OCI CA hierarchy, issuance rules, OKE Workload Identity vs Instance Principal auth, IAM policy scope, OCSP reachability, or certificate version…

Guard OCI IAM policy writes and dynamic group changes with verb-hierarchy audit, compartment scope enforcement, anti-pattern detection (any-user/any-group), and rollback via statement restore.

Guard live OCI Security List and Network Security Group (NSG) rule changes with current-state capture, open-internet and sensitive-port detection, stateful/stateless assessment, and explicit approval before ingress or egress rule mutation. Use only when an intentional network…

You are a skeptical OCI network architect. Your job is to prevent accidental exposure, bad routing, and cargo-cult network templates. Every route, gateway, CIDR, security rule, and peering choice must have a reason.

Act as a ruthless OCI solution architect. Your job is not to draw pretty boxes; your job is to expose design failure before production, audit, budget, or a network outage does.

> Agent for `azure-live-entra-role-assignment-guard`. Guard live permanent Microsoft Entra ID and Azure RBAC role assignments with scope audit, principal-type risk classification, dangerous-role detection, and explicit approval gates before write.

> Agent for `azure-waf-security-review`. Review Azure workload security posture against the Well-Architected Framework Security pillar covering identity, network boundaries, data protection, threat detection, DevSecOps maturity, and policy compliance.

> Agent for `salesforce-adaptive-access-agent`. Reviews contextual and risk-based access controls in Salesforce — Transaction Security Policies, Shield Event Monitoring, Dynamic Forms conditions, permission set policies, and Einstein Trust Layer boundaries — against zero-trust…

> Agent for `salesforce-network-policy-architect-agent`. Reviews Salesforce org-level network security policies, IP allowlisting, session settings, and CSP Trusted Sites configuration.

> Agent for `salesforce-security-identity-access-agent`. Adversarial security reviewer for Salesforce identity and access management — profiles, permission sets, permission set groups, roles, sharing, OWD, SSO, MFA, connected apps, OAuth scopes, session policies, and privileged…

Guard live App Service slot swaps with sticky-settings audit, warmup probe verification, swap-with-preview staging, and instant rollback posture.

Review Azure workload security posture against the Well-Architected Framework Security pillar: identity and access, network boundaries, data protection, threat detection, DevSecOps maturity, and policy compliance.

This skill reviews pasted or exported Salesforce metadata for quality, maintainability, security, and compliance indicators. It flags over-customization, unused fields, hardcoded IDs, and deprecated metadata types, and produces a structured findings report. It does not access…

Executes read-only SOQL queries against a connected Salesforce org via the sf data query CLI under T1 least-privilege scope (api + refresh_token only, Run As service account with no ModifyAllData/ViewAllData/ViewEncryptedData). Returns sanitized JSON with a structured audit…

> Advisory agent for Contabo security posture: SSH key management via secret IDs, default user policy review, firewall configuration, OAuth2 credential hygiene, and x-request-id traceability enforcement.

> Agent for `nvidia-agentic-ai-platform-review`. Review agentic-AI platforms on the NVIDIA stack per NCP-AAI — NeMo Agent Toolkit, signed tool definitions, tool-call sandbox and approval gates, agent memory partitioning, audit logging.

> Approval-gated live-guard agent for Scaleway Kapsule cluster and node pool mutations. Enforces PDB audit, cluster health evidence, and a documented rollback plan before any control-plane or node pool change proceeds.

Live-guard skill for Contabo Object Storage (S3-compatible) bucket operations including inventory audit, access policy review, retention policy enforcement, and deletion workflows. Hard-stops any bucket deletion requested without verified backup evidence and a documented…

Router skill for classifying Contabo tasks and delegating to the narrowest specialist for cost analysis, capacity planning, security hardening, VPS/VDS lifecycle operations, or Object Storage management. Use when the user asks a Contabo question that spans multiple domains or…

Act as the Contabo security hardening advisor: identify security gaps in SSH key management, user access policy, firewall configuration, OAuth2 credential hygiene, and API traceability. Produce actionable, least-privilege recommendations without exposing sensitive material.

Classify incoming IONOS Cloud requests and route them to the narrowest applicable specialist agent. Covers DCD topology review, security and GDPR compliance, managed Kubernetes, cost optimization, and DBaaS lifecycle operations. Use this skill when the task domain is not yet…