Available Skills
Reference of built-in skills loaded by nctl ai for policy, clusters, and operations.
nctl ai loads specialized skills dynamically based on your task. The following built-in skills are available.
Skills by category
| Category | Skill | Description |
|---|---|---|
| Design | brand-guidelines | Applies Nirmata’s official brand colors and typography to generated content. Use when creating emails, reports, presentations, Slack/Teams messages, or any artifact requiring Nirmata branding or company design standards. |
| Policy | chainsaw-tests | Generate and run Chainsaw E2E integration tests. Use when the user asks for chainsaw tests, e2e tests, or integration tests, or wants to test policies in a real Kubernetes cluster. Creates test manifests and validates admission webhook behavior for ValidatingPolicy, MutatingPolicy, and ClusterPolicy. |
| Setup | cluster-setup | Set up a local Kubernetes development environment with Docker, Kind, Kyverno, and testing tools. For developers who can install tools locally. |
| Policy | converting-chainsaw-tests | Convert Chainsaw tests from ClusterPolicy (kyverno.io/v1) to ValidatingPolicy (policies.kyverno.io/v1alpha1) format. Use when converting existing test suites to work with new Kyverno ValidatingPolicy resources. |
| Policy | converting-policies | Convert any policy to modern Kyverno ValidatingPolicy format. Use when the user asks to convert, migrate, upgrade, or transform a policy. Handles ClusterPolicy to ValidatingPolicy, OPA Rego migration, Gatekeeper constraint templates, Sentinel policies, and cross-engine policy translation. |
| Cost | cost-management | Installs, configures, and validates the Nirmata Cost Management Add-on. Deploys OpenCost for cost visibility, Prometheus integration, Grafana dashboards for chargeback, and Kyverno cost guardrails for namespace labeling and resource requests. Supports kind, EKS, GKE, and AKS with real cloud pricing. Use when setting up cost visibility, cost allocation, cost hygiene labels, or troubleshooting OpenCost. |
| Setup | installing-remediator-agent | Installs and configures the Remediator Agent for policy violation remediation. Guides through environment selection (ArgoCD Hub, Local Cluster, VCS Target), LLM provider setup (NirmataAI, AWS Bedrock, Azure OpenAI), GitHub auth (App or PAT), action config (CreatePR, CreateIssue), scheduling, and verification. Use when setting up automated AI-powered policy remediation. |
| Compliance | cis-benchmark-scan | Scans Kubernetes clusters against CIS Benchmarks using nctl scan compliance and generates a full markdown compliance report. No policies are deployed to the cluster — nctl evaluates them locally with results stored as snapshots. Supports EKS (CIS EKS Benchmark v1.7.0), AKS, GKE, and generic Kubernetes (CIS Kubernetes Benchmark v1.8.0). Covers RBAC and Pod Security controls, plus AWS API checks for Control Plane (Section 2) and cluster networking (Section 5.3–5.5) on EKS. Use when performing CIS compliance audits, generating compliance reports for security teams, or assessing cluster security posture against industry benchmarks. |
| Compliance | compliance-evidence | Collects and packages Kubernetes-native compliance evidence for external auditors. Exports RBAC configurations, NetworkPolicies, admission webhooks, Kyverno PolicyReports and PolicyExceptions, and generates a timestamped MANIFEST.md with control-ID mapping and a manual evidence checklist. Supports NSA/CISA, NIST SP 800-53, SOC 2 Type II, ISO/IEC 27001, and PCI-DSS. Use when preparing evidence packages for SOC 2, ISO 27001, NIST, or PCI-DSS auditors, or to document accepted risks via PolicyExceptions. |
| Compliance | compliance-scan | Scans Kubernetes clusters against regulatory compliance standards using nctl scan compliance and generates a full markdown report with control-ID mapping. Supports NSA/CISA Kubernetes Hardening Guide, NIST SP 800-53, SOC 2 Type II, ISO/IEC 27001, and PCI-DSS. No policies are deployed — nctl evaluates them locally and stores results as snapshots. Use when performing regulatory audits, generating SOC 2 or ISO 27001 evidence, or assessing Kubernetes security posture against NIST or NSA/CISA frameworks. |
| Compliance | kyverno-compliance-management | Install Kyverno or Nirmata Enterprise Kyverno with optional compliance dashboards. Detects if Kyverno is missing and guides installation. Supports Pod Security Standards (PSS Baseline, PSS Restricted), RBAC Best Practices, and Grafana compliance visualization. Use when installing Kyverno/N4K, setting up Kubernetes compliance, or configuring PSS or RBAC policies. |
| Policy | kyverno-policies | Generate and create Kyverno policies from natural language requirements. Use when the user asks to generate, create, or write a policy, or needs help with policy development. Covers ValidatingPolicy, MutatingPolicy, GeneratingPolicy, ClusterPolicy, and other Kyverno policy types. |
| Policy | kyverno-tests | Generate and run Kyverno CLI unit tests for fast offline policy validation. Use when the user asks for unit tests, kyverno test, cli tests, or wants to test policies without a cluster. Creates kyverno-test.yaml files and runs the kyverno test command. |
| Onboarding | quickstart | First-run cluster assessment: checks cluster maturity, identifies issues, runs security scans, and recommends policy packs. Alias: assessment. Use on first launch, or when assessing a new cluster, running a health check, getting security recommendations, checking policy coverage, or identifying quick wins for Kubernetes governance. |
| Policy | recommend-policies | Analyzes Kubernetes clusters to recommend Kyverno policies based on installed workloads and platform type. Detects baseline security gaps (pod-security, RBAC, workload-security), platform-specific needs (EKS, OpenShift), and add-on policies (Istio, Linkerd, Flux, Tekton, Veeam Kasten, KubeVirt, Karpenter, ArgoCD, Crossplane). Use when assessing cluster security posture, implementing policy governance, or ensuring compliance. |
| Troubleshooting & Operations | troubleshooting-kyverno | Diagnoses Kyverno issues: webhook timeouts, OOMKilled pods, CrashLoopBackOff, policy failures, permission errors, performance degradation, and report accumulation. Use when policies are not enforcing, the admission controller is crashing, or you see context deadline exceeded errors, client-side throttling, or cloud-specific failures on EKS/GKE/AKS. |
| Troubleshooting & Operations | troubleshooting-workloads | Troubleshoot Kubernetes workloads, pods, and applications in any namespace. Diagnoses CrashLoopBackOff, ImagePullBackOff, Pending pods, OOMKilled, failed probes, resource constraints. Use when debugging pods, investigating application failures, pods not starting, containers crashing, high restart counts, or services unreachable. Recommends Kyverno policies to prevent recurrence. |
Adding custom skills
You can extend the agent with your own skills. See Adding Skills on the main nctl ai page for loading custom skill directories and creating SKILL.md files.