Skills Overview
A Skill is a registered, read-only analytical capability. Skills observe, detect, and assess — they never mutate cloud resources.
Skills vs Playbooks
This distinction is enforced by the platform, not by convention:
| Skill | Playbook | |
|---|---|---|
| Operation | Read-only only | Write operations |
| Cloud mutations | Never permitted | Permitted after approval |
| Human approval | Not required | Always required before execution |
| Output | Finding, Report, Triage, Audit Event Report | Evidence, execution record |
| Registered via | agent.yaml → skills | agent.yaml → playbooks |
| Tool access | readonly_tools only | write_tools permitted |
A Skill that attempts to use a write tool class fails ADK validation at registration time. This is a hard constraint — it cannot be overridden at runtime.
Verticals — designed vs currently shipped
The framework defines a multi-vertical skill model. Currently shipped capability (per the v2-skills repo) is narrower than the full vertical list — v2-skills contains AWS + Azure estate-scan and cost scripts, plus AWS-only monitoring scripts. The marketing-positioned vertical names below describe the design surface; verify against v2-skills/ and the analysis-agent prompts for what's currently executable.
| Vertical | What it audits (designed) | Currently shipped scripts in v2-skills/ |
|---|---|---|
| FinOps | Cost anomalies, idle resources, reservation utilization, savings opportunities | cost/aws/aws_cost_report.sh, cost/azure/azure_cost_report.sh |
| SecOps | Network exposure, public ingress/egress, open S3 buckets, security group misconfigs | covered by estate-scan/aws/iam-details-*.sh, s3-details-*.sh, vpc-details-*.sh and Azure equivalents |
| Compliance | SOC 2 TSC, GDPR, HIPAA, ISO 27001, PCI-DSS | no dedicated compliance script — reasoning happens at the analysis-agent layer over estate data |
| IAM | Role trust chains, privilege escalation paths, MFA gaps, access-key hygiene | estate-scan/aws/iam-details-*.sh (AWS); no equivalent shipped Azure IAM script |
| Infra Ops | Estate inventory, resource topology, drift detection, tagging compliance | full coverage in estate-scan/aws/ and estate-scan/azure/ |
| DevOps | Deployment health, change risk, incident triage | no dedicated script in v2-skills/; reasoning depends on analysis-agent prompts + GitHub integration via v4-integrations-agent-go |
| Data Ops | RDS configuration, backup compliance, data residency, DB access controls | partial — estate-scan/aws/rds-details-*.sh covers RDS posture; no Azure DB script |
How skills work inside the platform
Skills run through the Platform Framework formula. When a user asks a question, the gateway classifies the intent and identifies the matching skill. The platform then:
- Resolves the skill from the Context Engine — fetches the skill manifest, context config, tools, guardrails, and output template
- Assembles context — the Context Manager collects relevant estate data from local RAG; CE provides domain knowledge (advanced tier)
- Executes the skill — the domain agent runs the skill's tool execution plan, collecting data in declared dependency order
- Reasons over grounded context — the LLM receives only structured, fetched data; it does not invent facts about your estate
- Produces typed output —
finding,report,triage,audit_event_report, orclosure_summaryper the skill'soutput_type
Cross-domain skill composition
Skills can be composed across verticals. The platform handles this natively — a multi-domain prompt is decomposed, executed across the relevant skills in parallel, and synthesised into a single coherent response.
Example: "Are any of my overprovisioned EC2 instances also security risks?"
This crosses FinOps (idle/oversized resources) and SecOps (exposure risks). The platform resolves both skills, executes them in parallel against the same EstateView, and the Analysis Agent synthesises a joint response correlating cost and security findings.
A Finding from SecOps can also directly trigger a FinOps Plan — if remediating a public S3 bucket also recovers storage costs, both verticals produce coordinated outputs from the same event.
Skill output types
| Output type | Description | Spawns |
|---|---|---|
finding | A single actionable issue on a specific resource or set of resources | Can link to a Plan |
report | A structured analysis with multiple items, version history, categories | Can spawn Findings |
triage | A rapid prioritization summary for incident or multi-finding scenarios | Can link to a Plan |
audit_event_report | A structured record of who-did-what-when from CloudTrail or Azure Activity Log | For compliance evidence |
closure_summary | A post-execution summary confirming a Finding is resolved | Closes a Finding |
Skill tiers
Skills are available at two tiers:
Basic tier:
- Skill execution with estate context (local RAG)
- Standard tool access
- Guardrails applied
- Templated output
Advanced tier (adds):
- Domain Lens documents — expert-curated knowledge base per domain (e.g. SOC 2 control mapping, FinOps optimization principles)
- Domain Expert Graph — control relationships, cross-domain correlations
- Deeper context resolution from the Context Engine
Tier support is declared per agent in agent.yaml → classification.tier_support.
Next steps
- FinOps — Cost analysis and optimization
- SecOps — Security posture and exposure
- Compliance — SOC 2, GDPR, HIPAA, ISO, PCI-DSS
- IAM — Access and privilege analysis
- Writing Playbooks — Turn Findings into executable Playbooks