Generate artistic infographics from any topic. Runs the Sumi pipeline (analyze → structure → craft prompt → generate image) entirely within Claude Code. Use when "generate infographic", "create infographic", "sumi", "make an infographic about", or "visualize topic".

libtype - Shared Protocol Buffer types. Generated from proto/ definitions. Namespaces include common, agent, memory, graph, vector, tool, trace, llm, resource. Use Type.fromObject() for creation. identifier() method generates resource IDs. Use for typed message creation, protobuf data structures, and cross-service type sharing.

libtelemetry - OpenTelemetry-based logging and tracing. createLogger and Logger provide RFC 5424 structured logging. Tracer creates distributed trace spans. TraceVisualizer renders trace diagrams. TraceIndex stores trace data. observe function wraps operations with timing. Use for logging, distributed tracing, and performance monitoring.

libdoc - Documentation build and serve tools. build function generates static sites from Markdown with Mustache templates. serve function provides local development server. parseFrontMatter extracts YAML metadata from markdown files. Use for generating documentation websites and serving docs locally.

libcodegen - Protocol Buffer code generation. TypeGenerator, ServiceGenerator, and DefinitionGenerator transform .proto files into JavaScript types, gRPC service stubs, and type definitions. Use for generating code from protobuf schemas, automating service stub creation, and maintaining type consistency across services.

Reviews codebases, architectures, PRs, and technical plans for vanity engineering — code and systems built for the developer's ego, resume, or intellectual pleasure rather than delivering user or business value. Triggers on: "review this code", "is this over-engineered", "code review", "architecture review", "complexity audit", "vanity check", "is this necessary", "simplify this", "tech debt review", or any request to evaluate whether code or architecture is justified by actual requirements. Also trigger when the user shares a codebase and asks for feedback, when discussing framework/library choices, when reviewing PRs, or when someone is debating whether to refactor or rebuild. Nudge activation when you detect patterns of unnecessary abstraction, premature optimization, or resume-driven technology choices in code the user shares — even if they haven't asked for a vanity review.

Controls a local browser from a sandboxed remote machine. Use when the agent is running in a sandbox (no GUI) and needs to navigate websites, interact with web pages, fill forms, take screenshots, or expose local dev servers via tunnels.

Browser SDK for connecting to the iii engine from web applications via WebSocket. Use when building browser-based clients that register functions, invoke triggers, or consume streams from the frontend.

Official Rails documentation. Use when asked about any Rails-specific topic including ActiveRecord, routing, controllers, views, mailers, jobs, Action Cable, Action Text, Active Storage, migrations, validations, callbacks, associations, caching, security, or internals.

Use when upgrading a Rails application from one version to another, assessing upgrade readiness, planning a multi-hop upgrade path, or investigating breaking changes, deprecation warnings, gem compatibility issues, or config.load_defaults transitions between any Rails versions from 5.2 through the latest release.

Create, iterate, and scale paid ad creative for Google Ads, Meta, LinkedIn, TikTok, and similar platforms. Use when generating headlines, descriptions, primary text, or large sets of ad variations for testing and performance optimization.

enforces engineering-governance checks before code changes that may be unnecessary, risky, architectural, or scope-widening. use when the user asks whether to refactor, clean up, redesign, choose a next development step, review a proposed implementation, evaluate architectural consistency, review a pull request, or prevent development drift. do not use as the primary implementation skill for routine debugging, bug fixes, feature coding, or language-specific coding unless a no-op, minimal-diff, or architecture-conflict judgment is needed.

Update repo documentation and agent-facing guidance such as AGENTS.md, README.md, docs/, specs, plans, and runbooks. Use when code, skill, or infrastructure changes risk doc drift or when documentation needs cleanup or restructuring. Do not use for code review, runtime verification, or `agent-readiness` setup.

Style and render geographic data with renderers, symbols, and visual variables. Use for creating thematic maps, heatmaps, class breaks, unique values, labels, and 3D visualization.

Style and render geographic data with renderers, symbols, and visual variables. Use for creating thematic maps, heatmaps, class breaks, unique values, labels, and 3D visualization.

Analyzes UEFI bootkit persistence mechanisms including firmware implants in SPI flash, EFI System Partition (ESP) modifications, Secure Boot bypass techniques, and UEFI variable manipulation. Covers detection of known bootkit families (BlackLotus, LoJax, MosaicRegressor, MoonBounce, CosmicStrand), ESP partition forensic inspection, chipsec-based firmware integrity verification, and Secure Boot configuration auditing. Activates for requests involving UEFI malware analysis, firmware persistence investigation, boot chain integrity verification, or Secure Boot bypass detection.

Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac or pySigma backends.

Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed Martin kill chain framework.

Designs and documents structured incident response playbooks that define step-by-step procedures for specific incident types aligned with NIST SP 800-61r3 and SANS PICERL frameworks. Covers playbook structure, decision trees, escalation criteria, RACI matrices, and integration with SOAR platforms. Activates for requests involving IR playbook creation, incident response procedure documentation, response runbook development, or SOAR playbook design.

Leverages Splunk Enterprise Security and SPL (Search Processing Language) to investigate security incidents through log correlation, timeline reconstruction, and anomaly detection. Covers Windows event logs, firewall logs, proxy logs, and authentication data analysis. Activates for requests involving Splunk investigation, SPL queries, SIEM log analysis, security event correlation, or log-based incident investigation.