kubeshark/skills
Alon Girmonsky ddc2e57f12 Network RCA skill: use local timezone instead of UTC (#1880)
* Use local timezone instead of UTC in Network RCA skill output

Add a Timezone Handling section that instructs the agent to detect the
local timezone, present local time as the primary reference with UTC in
parentheses, and convert UTC tool responses before presenting to users.
Update all example timestamps to demonstrate the local+UTC format.

Closes #1879

* Ensure agent proactively starts dissection for workload/API queries

The agent was waiting for dissection to complete without ever starting it.
Add explicit instructions: check dissection status first, start it if
missing, and default to the Dissection route for any non-PCAP question.
Only PCAP-specific requests can skip dissection.

* Translate every API/Kubernetes question into a fresh list_api_calls query

Add "Every Question Is a Query" section: each user prompt with API or
Kubernetes semantics should map to a list_api_calls call with the
appropriate KFL filter. Includes examples of natural language to KFL
translation. Agent should never answer from memory or stale results.

---------

Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
2026-03-24 12:03:05 -07:00

Kubeshark AI Skills

Open-source AI skills that work with the Kubeshark MCP. Skills teach AI agents how to use Kubeshark's MCP tools for specific workflows like root cause analysis, traffic filtering, and forensic investigation.

Skills use the open Agent Skills format and work with Claude Code, OpenAI Codex CLI, Gemini CLI, Cursor, and other compatible agents.

Available Skills

Skill | Description
network-rca | Network Root Cause Analysis. Retrospective traffic analysis via snapshots, with two investigation routes: PCAP (for Wireshark/compliance) and Dissection (for AI-driven API-level investigation).
kfl | KFL2 (Kubeshark Filter Language) expert. Complete reference for writing, debugging, and optimizing CEL-based traffic filters across all supported protocols.

Prerequisites

All skills require the Kubeshark MCP:

# Claude Code
claude mcp add kubeshark -- kubeshark mcp

# Without kubectl access (direct URL)
claude mcp add kubeshark -- kubeshark mcp --url https://kubeshark.example.com

For Claude Desktop, add to claude_desktop_config.json:

{
  "mcpServers": {
    "kubeshark": {
      "command": "kubeshark",
      "args": ["mcp"]
    }
  }
}

Installation

Option 1: Claude Code plugin

Install as a Claude Code plugin directly from GitHub:

/plugin marketplace add kubeshark/kubeshark
/plugin install kubeshark

Skills appear as /kubeshark:network-rca and /kubeshark:kfl. The plugin also bundles the Kubeshark MCP configuration automatically.

Option 2: Clone and run

git clone https://github.com/kubeshark/kubeshark
cd kubeshark
claude

Skills trigger automatically based on your conversation.

Option 3: Manual installation

Clone the repo (if you haven't already), then symlink or copy the skills:

git clone https://github.com/kubeshark/kubeshark
mkdir -p ~/.claude/skills

# Symlink to stay in sync with the repo (recommended)
ln -s kubeshark/skills/network-rca ~/.claude/skills/network-rca
ln -s kubeshark/skills/kfl ~/.claude/skills/kfl

# Or copy to your project (project scope only)
mkdir -p .claude/skills
cp -r kubeshark/skills/network-rca .claude/skills/
cp -r kubeshark/skills/kfl .claude/skills/

# Or copy for personal use (all your projects)
cp -r kubeshark/skills/network-rca ~/.claude/skills/
cp -r kubeshark/skills/kfl ~/.claude/skills/

Contributing

We welcome contributions — whether improving an existing skill or proposing a new one.

  • Suggest improvements: Open an issue or PR with changes to an existing skill's SKILL.md or reference docs. Better examples, clearer workflows, and additional filter patterns are always appreciated.
  • Add a new skill: Open an issue describing the use case first. New skills should follow the structure below and reference Kubeshark MCP tools by exact name.

Skill structure

skills/
└── <skill-name>/
    ├── SKILL.md              # Required. YAML frontmatter + markdown body.
    └── references/           # Optional. Detailed reference docs.
        └── *.md

Guidelines

  • Keep SKILL.md under 500 lines. Use references/ for detailed content.
  • Use imperative tone. Reference MCP tools by exact name.
  • Include realistic example tool responses.
  • The description frontmatter should be generous with trigger keywords.
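
A pre-install check for the structure and guidelines above, as an added example (not code from the Kubeshark repo): it lints one skill directory before you symlink or copy it into ~/.claude/skills. The function name lint_skill and the sample-skill directory are hypothetical, and the frontmatter is assumed to be delimited by `---` lines.

```shell
#!/usr/bin/env bash
# Added example: lint one skill directory against the structure and guidelines above.
# Prints one line per problem; returns non-zero if any problem was found.
lint_skill() {
  local dir=$1 file="$1/SKILL.md" problems=0 lines close fm f
  if [ ! -f "$file" ]; then
    echo "$dir: SKILL.md is missing (required)"
    return 1
  fi
  # Guideline: keep SKILL.md under 500 lines.
  lines=$(($(wc -l < "$file")))
  if [ "$lines" -ge 500 ]; then
    echo "$dir: SKILL.md has $lines lines (must be under 500)"; problems=$((problems + 1))
  fi
  # Assumed frontmatter shape: '---' on line 1 and a later '---' line closing it.
  close=$(awk 'NR > 1 && /^---[[:space:]]*$/ { print NR; exit }' "$file")
  if [ "$(head -n 1 "$file")" != "---" ] || [ -z "$close" ]; then
    echo "$dir: SKILL.md has no YAML frontmatter block"; problems=$((problems + 1))
  else
    fm=$(sed -n "2,$((close - 1))p" "$file")
    if ! printf '%s\n' "$fm" | grep -Eq '^description:[[:space:]]*[^[:space:]]'; then
      echo "$dir: frontmatter has no non-empty description"; problems=$((problems + 1))
    fi
  fi
  # references/ is optional, but per the layout above it holds only *.md files.
  if [ -d "$dir/references" ]; then
    for f in "$dir"/references/*; do
      [ -e "$f" ] || continue
      case "$f" in
        *.md) ;;
        *) echo "$dir: unexpected file in references/: ${f##*/}"; problems=$((problems + 1)) ;;
      esac
    done
  fi
  [ "$problems" -eq 0 ]
}

# Constructed sample skill (not one of the repo's skills) to exercise the linter.
demo=$(mktemp -d)
mkdir -p "$demo/sample-skill/references"
printf '%s\n' '---' 'description: Sample skill for linting.' '---' '# Body' \
  > "$demo/sample-skill/SKILL.md"
: > "$demo/sample-skill/references/filters.md"
lint_skill "$demo/sample-skill" && echo "sample-skill: ok"
```
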

Planned skills

  • api-security — OWASP API Top 10 assessment against live or snapshot traffic.
  • incident-response — 7-phase forensic incident investigation methodology.
  • network-engineering — Real-time traffic analysis, latency debugging, dependency mapping.