Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders

skills/implementing-api-gateway-security-controls/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Anthropic Agent Skills Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

skills/implementing-api-gateway-security-controls/references/api-reference.md

@@ -0,0 +1,59 @@
+# API Reference: Implementing API Gateway Security Controls
+
+## AWS API Gateway (boto3)
+
+```python
+import boto3
+client = boto3.client("apigateway")
+apis = client.get_rest_apis()["items"]
+method = client.get_method(restApiId=api_id, resourceId=res_id, httpMethod="GET")
+# Check: authorizationType, apiKeyRequired, requestValidatorId
+stages = client.get_stages(restApiId=api_id)["item"]
+# Check: accessLogSettings, methodSettings throttling
+```
+
+## Kong Admin API
+
+```bash
+# List services and their plugins
+curl http://localhost:8001/services
+curl http://localhost:8001/services/{id}/plugins
+
+# Enable rate limiting
+curl -X POST http://localhost:8001/services/{id}/plugins \
+  -d "name=rate-limiting" -d "config.minute=100"
+
+# Enable JWT auth
+curl -X POST http://localhost:8001/services/{id}/plugins \
+  -d "name=jwt"
+```
+
+## Security Controls Checklist
+
+| Control | Gateway | Severity if Missing |
+|---------|---------|---------------------|
+| Authentication (JWT/OAuth) | All | CRITICAL |
+| Rate Limiting | All | HIGH |
+| Request Validation | All | MEDIUM |
+| Access Logging | All | HIGH |
+| TLS/mTLS | All | CRITICAL |
+| CORS Policy | All | MEDIUM |
+| IP Restriction | All | LOW |
+
+## NGINX Gateway Security
+
+```nginx
+location /api/ {
+    limit_req zone=api burst=20 nodelay;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_pass http://backend;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+}
+```
+
+### References
+
+- AWS API Gateway: https://docs.aws.amazon.com/apigateway/
+- Kong Gateway: https://docs.konghq.com/gateway/
+- Azure APIM: https://learn.microsoft.com/en-us/azure/api-management/

skills/implementing-api-gateway-security-controls/scripts/agent.py

@@ -0,0 +1,159 @@
+#!/usr/bin/env python3
+"""Agent for auditing API gateway security controls (Kong, AWS API Gateway)."""
+
+import json
+import argparse
+from datetime import datetime
+
+try:
+    import boto3
+except ImportError:
+    boto3 = None
+
+try:
+    import requests
+except ImportError:
+    requests = None
+
+
+def audit_aws_api_gateway(region="us-east-1"):
+    """Audit AWS API Gateway configurations for security issues."""
+    if boto3 is None:
+        return {"error": "boto3 not installed"}
+    client = boto3.client("apigateway", region_name=region)
+    findings = []
+    apis = client.get_rest_apis()["items"]
+    for api in apis:
+        api_id = api["id"]
+        api_name = api["name"]
+        resources = client.get_resources(restApiId=api_id)["items"]
+        for resource in resources:
+            for method_key in resource.get("resourceMethods", {}):
+                method = client.get_method(restApiId=api_id,
+                                           resourceId=resource["id"], httpMethod=method_key)
+                auth_type = method.get("authorizationType", "NONE")
+                api_key_req = method.get("apiKeyRequired", False)
+                if auth_type == "NONE" and not api_key_req:
+                    findings.append({
+                        "api": api_name, "resource": resource["path"],
+                        "method": method_key, "issue": "no_authentication",
+                        "severity": "CRITICAL",
+                    })
+                if not method.get("requestValidatorId"):
+                    findings.append({
+                        "api": api_name, "resource": resource["path"],
+                        "method": method_key, "issue": "no_request_validation",
+                        "severity": "MEDIUM",
+                    })
+        stages = client.get_stages(restApiId=api_id)["item"]
+        for stage in stages:
+            if not stage.get("accessLogSettings"):
+                findings.append({
+                    "api": api_name, "stage": stage["stageName"],
+                    "issue": "no_access_logging", "severity": "HIGH",
+                })
+            throttle = stage.get("methodSettings", {}).get("*/*", {})
+            if not throttle.get("throttlingRateLimit"):
+                findings.append({
+                    "api": api_name, "stage": stage["stageName"],
+                    "issue": "no_rate_limiting", "severity": "HIGH",
+                })
+    return findings
+
+
+def audit_kong_gateway(admin_url="http://localhost:8001"):
+    """Audit Kong API Gateway plugin configurations."""
+    findings = []
+    services = requests.get(f"{admin_url}/services").json().get("data", [])
+    for svc in services:
+        svc_id = svc["id"]
+        svc_name = svc.get("name", svc_id)
+        plugins = requests.get(f"{admin_url}/services/{svc_id}/plugins").json().get("data", [])
+        plugin_names = {p["name"] for p in plugins}
+        if "key-auth" not in plugin_names and "jwt" not in plugin_names and "oauth2" not in plugin_names:
+            findings.append({
+                "service": svc_name, "issue": "no_auth_plugin",
+                "severity": "CRITICAL",
+            })
+        if "rate-limiting" not in plugin_names and "rate-limiting-advanced" not in plugin_names:
+            findings.append({
+                "service": svc_name, "issue": "no_rate_limiting",
+                "severity": "HIGH",
+            })
+        if "cors" not in plugin_names:
+            findings.append({
+                "service": svc_name, "issue": "no_cors_plugin",
+                "severity": "MEDIUM",
+            })
+        if "ip-restriction" not in plugin_names:
+            findings.append({
+                "service": svc_name, "issue": "no_ip_restriction",
+                "severity": "LOW",
+            })
+    return findings
+
+
+def analyze_gateway_logs(log_path):
+    """Analyze API gateway access logs for security issues."""
+    findings = []
+    status_counts = {}
+    ip_counts = {}
+    with open(log_path) as f:
+        for line in f:
+            try:
+                entry = json.loads(line)
+            except json.JSONDecodeError:
+                continue
+            status = int(entry.get("status", entry.get("status_code", 0)))
+            ip = entry.get("client_ip", entry.get("ip", ""))
+            status_counts[status] = status_counts.get(status, 0) + 1
+            ip_counts[ip] = ip_counts.get(ip, 0) + 1
+    total = sum(status_counts.values())
+    error_rate = sum(v for k, v in status_counts.items() if k >= 400) / max(total, 1)
+    if error_rate > 0.1:
+        findings.append({
+            "issue": "high_error_rate", "error_rate": round(error_rate, 3),
+            "severity": "HIGH",
+        })
+    for ip, count in sorted(ip_counts.items(), key=lambda x: -x[1])[:10]:
+        if count > total * 0.3:
+            findings.append({
+                "issue": "traffic_concentration", "ip": ip,
+                "request_pct": round(count / total * 100, 1), "severity": "MEDIUM",
+            })
+    return findings
+
+
+def main():
+    parser = argparse.ArgumentParser(description="API Gateway Security Audit Agent")
+    parser.add_argument("--action", choices=["aws", "kong", "logs", "full"], default="full")
+    parser.add_argument("--kong-url", default="http://localhost:8001")
+    parser.add_argument("--region", default="us-east-1")
+    parser.add_argument("--log", help="Gateway access log (JSON lines)")
+    parser.add_argument("--output", default="api_gateway_audit_report.json")
+    args = parser.parse_args()
+
+    report = {"generated_at": datetime.utcnow().isoformat(), "findings": {}}
+
+    if args.action in ("aws", "full"):
+        findings = audit_aws_api_gateway(args.region)
+        report["findings"]["aws_api_gateway"] = findings
+        print(f"[+] AWS API Gateway findings: {len(findings)}")
+
+    if args.action in ("kong", "full"):
+        findings = audit_kong_gateway(args.kong_url)
+        report["findings"]["kong_gateway"] = findings
+        print(f"[+] Kong Gateway findings: {len(findings)}")
+
+    if args.action in ("logs", "full") and args.log:
+        findings = analyze_gateway_logs(args.log)
+        report["findings"]["log_analysis"] = findings
+        print(f"[+] Log analysis findings: {len(findings)}")
+
+    with open(args.output, "w") as f:
+        json.dump(report, f, indent=2, default=str)
+    print(f"[+] Report saved to {args.output}")
+
+
+if __name__ == "__main__":
+    main()