Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders

skills/implementing-cloud-security-posture-management/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Anthropic Agent Skills Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

skills/implementing-cloud-security-posture-management/references/api-reference.md

@@ -0,0 +1,50 @@
+# API Reference: Implementing Cloud Security Posture Management
+
+## Libraries
+
+### Prowler (Multi-Cloud CSPM)
+- **Install**: `pip install prowler`
+- **Docs**: https://docs.prowler.com/
+- CLI: `prowler aws --compliance cis_level1 -M json`
+- Supported: AWS, Azure, GCP, Kubernetes
+- Compliance frameworks: CIS, SOC2, PCI-DSS, HIPAA, NIST 800-53, GDPR
+
+### boto3 (AWS Posture Checks)
+- **Install**: `pip install boto3`
+- Key services: S3, IAM, EC2, CloudTrail, Config, SecurityHub
+
+### ScoutSuite (Multi-Cloud Auditing)
+- **Install**: `pip install scoutsuite`
+- **Docs**: https://github.com/nccgroup/ScoutSuite
+- CLI: `scout aws --report-dir /tmp/scout-report`
+
+## AWS Posture Check APIs
+
+| Service | Method | Check |
+|---------|--------|-------|
+| S3 | `get_public_access_block()` | Public access settings |
+| S3 | `get_bucket_encryption()` | Default encryption |
+| IAM | `get_account_summary()` | Root MFA status |
+| IAM | `list_access_keys()` | Key age/rotation |
+| EC2 | `describe_security_groups()` | Open ports (0.0.0.0/0) |
+| CloudTrail | `get_trail_status()` | Logging active |
+| Config | `describe_config_rules()` | Compliance rules |
+
+## Prowler Check Categories
+- IAM: Access keys, MFA, password policy, root usage
+- Storage: S3 public access, encryption, versioning
+- Network: Security groups, VPC flow logs, NACLs
+- Logging: CloudTrail, Config, VPC flow logs
+- Encryption: EBS, RDS, S3, KMS key rotation
+
+## Severity Mapping
+- **CRITICAL**: Root MFA disabled, CloudTrail off, public DB
+- **HIGH**: S3 public access, open SSH/RDP, unencrypted volumes
+- **MEDIUM**: Key rotation >90d, missing tags, flow logs off
+- **LOW**: Informational findings, best practice suggestions
+
+## External References
+- Prowler Documentation: https://docs.prowler.com/
+- ScoutSuite: https://github.com/nccgroup/ScoutSuite
+- AWS Security Hub: https://docs.aws.amazon.com/securityhub/
+- CIS Benchmarks: https://www.cisecurity.org/benchmark/amazon_web_services

skills/implementing-cloud-security-posture-management/scripts/agent.py

@@ -0,0 +1,175 @@
+#!/usr/bin/env python3
+"""Cloud Security Posture Management (CSPM) agent across AWS, Azure, and GCP."""
+
+import json
+import sys
+import argparse
+import subprocess
+from datetime import datetime
+from collections import Counter
+
+try:
+    import boto3
+    from botocore.exceptions import ClientError
+except ImportError:
+    boto3 = None
+
+
+def run_prowler_scan(provider="aws", compliance="cis_level1", output_format="json"):
+    """Run Prowler CSPM scan against a cloud provider."""
+    cmd = ["prowler", provider, "--compliance", compliance,
+           "-M", output_format, "--output-directory", "/tmp/prowler-output"]
+    try:
+        result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
+        return {"status": "completed", "returncode": result.returncode,
+                "output_dir": "/tmp/prowler-output"}
+    except FileNotFoundError:
+        return {"error": "Prowler not installed. Run: pip install prowler"}
+    except subprocess.TimeoutExpired:
+        return {"error": "Prowler scan timed out after 10 minutes"}
+
+
+def check_aws_security_posture(region="us-east-1"):
+    """Run basic AWS security posture checks using boto3."""
+    if boto3 is None:
+        return {"error": "boto3 not installed"}
+    findings = []
+
+    s3 = boto3.client("s3", region_name=region)
+    try:
+        buckets = s3.list_buckets().get("Buckets", [])
+        for bucket in buckets:
+            name = bucket["Name"]
+            try:
+                pab = s3.get_public_access_block(Bucket=name)
+                config = pab["PublicAccessBlockConfiguration"]
+                if not all([config["BlockPublicAcls"], config["BlockPublicPolicy"],
+                            config["IgnorePublicAcls"], config["RestrictPublicBuckets"]]):
+                    findings.append({"check": "S3_PUBLIC_ACCESS", "resource": name,
+                                     "severity": "HIGH", "status": "FAIL",
+                                     "detail": "Public access block not fully enabled"})
+            except ClientError:
+                findings.append({"check": "S3_PUBLIC_ACCESS", "resource": name,
+                                 "severity": "HIGH", "status": "FAIL",
+                                 "detail": "No public access block configured"})
+            try:
+                s3.get_bucket_encryption(Bucket=name)
+            except ClientError:
+                findings.append({"check": "S3_ENCRYPTION", "resource": name,
+                                 "severity": "MEDIUM", "status": "FAIL",
+                                 "detail": "Default encryption not enabled"})
+    except ClientError as e:
+        findings.append({"check": "S3_ACCESS", "status": "ERROR", "detail": str(e)})
+
+    iam = boto3.client("iam", region_name=region)
+    try:
+        acct_summary = iam.get_account_summary()["SummaryMap"]
+        if acct_summary.get("AccountMFAEnabled", 0) == 0:
+            findings.append({"check": "ROOT_MFA", "resource": "root-account",
+                             "severity": "CRITICAL", "status": "FAIL",
+                             "detail": "Root account MFA not enabled"})
+        users = iam.list_users()["Users"]
+        for user in users:
+            keys = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
+            for key in keys:
+                age = (datetime.utcnow() - key["CreateDate"].replace(tzinfo=None)).days
+                if age > 90:
+                    findings.append({"check": "IAM_KEY_ROTATION", "resource": user["UserName"],
+                                     "severity": "MEDIUM", "status": "FAIL",
+                                     "detail": f"Access key {key['AccessKeyId']} is {age} days old"})
+    except ClientError as e:
+        findings.append({"check": "IAM_ACCESS", "status": "ERROR", "detail": str(e)})
+
+    ec2 = boto3.client("ec2", region_name=region)
+    try:
+        sgs = ec2.describe_security_groups()["SecurityGroups"]
+        for sg in sgs:
+            for rule in sg.get("IpPermissions", []):
+                for ip_range in rule.get("IpRanges", []):
+                    if ip_range.get("CidrIp") == "0.0.0.0/0":
+                        port = rule.get("FromPort", "all")
+                        if port in [22, 3389, 0, -1]:
+                            findings.append({"check": "SG_OPEN_PORTS", "resource": sg["GroupId"],
+                                             "severity": "HIGH", "status": "FAIL",
+                                             "detail": f"Port {port} open to 0.0.0.0/0"})
+    except ClientError as e:
+        findings.append({"check": "EC2_ACCESS", "status": "ERROR", "detail": str(e)})
+
+    ct = boto3.client("cloudtrail", region_name=region)
+    try:
+        trails = ct.describe_trails()["trailList"]
+        if not trails:
+            findings.append({"check": "CLOUDTRAIL_ENABLED", "resource": "account",
+                             "severity": "CRITICAL", "status": "FAIL",
+                             "detail": "No CloudTrail trails configured"})
+        for trail in trails:
+            status = ct.get_trail_status(Name=trail["TrailARN"])
+            if not status.get("IsLogging"):
+                findings.append({"check": "CLOUDTRAIL_LOGGING", "resource": trail["Name"],
+                                 "severity": "CRITICAL", "status": "FAIL",
+                                 "detail": "CloudTrail is not actively logging"})
+    except ClientError as e:
+        findings.append({"check": "CLOUDTRAIL_ACCESS", "status": "ERROR", "detail": str(e)})
+
+    return findings
+
+
+def generate_posture_report(findings):
+    """Generate a CSPM posture report from findings."""
+    severity_counts = Counter(f["severity"] for f in findings if f.get("severity"))
+    check_counts = Counter(f["check"] for f in findings)
+    fail_count = sum(1 for f in findings if f.get("status") == "FAIL")
+    pass_rate = round((1 - fail_count / max(len(findings), 1)) * 100, 1)
+
+    print(f"\n{'='*60}")
+    print(f"  CSPM POSTURE REPORT")
+    print(f"  Generated: {datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')} UTC")
+    print(f"{'='*60}\n")
+
+    print(f"--- SUMMARY ---")
+    print(f"  Total Checks: {len(findings)}")
+    print(f"  Failed: {fail_count}")
+    print(f"  Pass Rate: {pass_rate}%\n")
+
+    print(f"--- BY SEVERITY ---")
+    for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW"]:
+        count = severity_counts.get(sev, 0)
+        bar = "#" * count
+        print(f"  {sev:<10} {count:>3} {bar}")
+
+    print(f"\n--- FAILED CHECKS ---")
+    for f in findings:
+        if f.get("status") == "FAIL":
+            print(f"  [{f['severity']}] {f['check']}: {f.get('resource', 'N/A')}")
+            print(f"    {f.get('detail', '')}")
+
+    print(f"\n{'='*60}\n")
+    return {"total": len(findings), "failed": fail_count, "pass_rate": pass_rate,
+            "by_severity": dict(severity_counts)}
+
+
+def main():
+    parser = argparse.ArgumentParser(description="CSPM Agent")
+    parser.add_argument("--provider", default="aws", choices=["aws", "azure", "gcp"])
+    parser.add_argument("--region", default="us-east-1")
+    parser.add_argument("--prowler", action="store_true", help="Run Prowler scan")
+    parser.add_argument("--scan", action="store_true", help="Run built-in posture scan")
+    parser.add_argument("--output", help="Save report to JSON")
+    args = parser.parse_args()
+
+    if args.prowler:
+        result = run_prowler_scan(args.provider)
+        print(json.dumps(result, indent=2))
+    elif args.scan:
+        findings = check_aws_security_posture(args.region)
+        report = generate_posture_report(findings)
+        if args.output:
+            with open(args.output, "w") as f:
+                json.dump({"findings": findings, "summary": report}, f, indent=2, default=str)
+            print(f"[+] Report saved to {args.output}")
+    else:
+        parser.print_help()
+
+
+if __name__ == "__main__":
+    main()