One source of DevOps expertise, three AI coding tools. Reusable skills for Claude Code, Cursor, and Codex that review and scaffold Terraform, Kubernetes/Helm, Docker, CI/CD (GitHub Actions + GitLab), AWS FinOps, GitHub repo hygiene, and OWASP security — without you copy-pasting the same prompt into every project.
/plugin marketplace add anmolnagpal/devops-skills
/plugin install clouddrove@devops-skills
Skills land as /clouddrove:tf, /clouddrove:finops, … with a native (clouddrove) label. For Cursor/Codex/MCP, use the installer.
- 13 skills that auto-trigger on file globs and answer with structured, rule-ID-tagged review output
(
/clouddrove:tf,/clouddrove:k8s,/clouddrove:ci,/clouddrove:github-actions,/clouddrove:github,/clouddrove:docker,/clouddrove:finops,/clouddrove:owasp,/clouddrove:appsec,/clouddrove:wrapper-tf,/clouddrove:deploy,/clouddrove:adr,/clouddrove:skill-creator) - Packaged as the
clouddroveplugin — installed from this repo's own marketplace, so skills are namespaced(clouddrove)in Claude Code natively - Single source in
skills/<name>/SKILL.md— a generator emits Cursor.mdcrules and CodexAGENTS.mdso every tool stays in sync - One installer with flags —
--claude/--cursor/--codex/--all, global or per-project scope - Curated Claude plugin set — Terraform code/module generation (HashiCorp), claude-mem, superpowers, caveman, engineering-workflow-skills
- MCP servers wired in: Kubernetes live access, EKS ops, AWS Cost Explorer, Atlassian (Jira + Confluence), Outline docs/wiki
New here? Skip to CHEATSHEET.md for one-line prompts per skill.
Every review answers in the same shape — BLOCKING (must fix) and ADVISORY (should fix), each finding tagged with a stable rule ID and a file:line, then a one-line summary.
/clouddrove:tf review — pre-MR Terraform check:
BLOCKING — Must fix before MR
[main.tf:14] TF-STATE-001 No remote backend — state would live on a laptop
→ add a `backend "s3"` block with DynamoDB state locking
[rds.tf:31] TF-VAR-001 Hardcoded DB password in `default` → move to a variable,
mark `sensitive = true`, source from AWS Secrets Manager
[versions.tf:1] TF-PROV-001 Provider not version-pinned → pin `aws ~> 5.0`
ADVISORY — Should fix
[s3.tf:8] TF-RES-001 Bucket missing required tags (Environment, Team, ManagedBy)
[variables.tf:5] TF-VAR-003 `instance_type` has no description/type
Summary: 3 blocking issue(s), 2 advisory issue(s).
/clouddrove:finops — AWS cost review:
BLOCKING — none
ADVISORY — Should fix
[ebs] COST-STOR-003 12 gp2 volumes not migrated to gp3 → ~20% cheaper + faster,
online conversion, no downtime. Run scripts/ebs-gp2-to-gp3-audit.sh — est. $340/mo
[vpc] COST-NET-001 Per-AZ NAT gateways in 3 AZs for a non-prod account
→ consolidate to 1 or use VPC endpoints — est. $190/mo
Summary: 0 blocking, 2 advisory. Estimated saving: ~$530/month.
/clouddrove:deploy — production-readiness gate before first prod release:
PRODUCTION READINESS — payments-api → prod
BLOCKING — Must fix before deploy
[helm/values-prod.yaml:22] ARCH-SPOF-002 replicaCount: 1 — single pod, no HA
[helm/values-prod.yaml] ARCH-HA-003 No readiness/liveness probes
[.github/workflows/deploy.yml:40] CICD-FLOW-002 No manual prod approval gate
ADVISORY — Should fix
[helm/values-prod.yaml] OBS-MON-002 No alerting configured
Gate: FAILED — 3 blocking. Recommended strategy: blue-green (stateful, first prod release).
Outputs above are representative. Findings, rule IDs, and
file:lineare real to your repo when you run the skill.
| Instead of… | You get here |
|---|---|
| Copy-pasting the same prompt into every repo | One versioned source, auto-triggers on file globs, namespaced /clouddrove:<skill> — edit once, everyone pulls the update |
| A generic skill pack | Opinionated DevOps depth — real Terraform/EKS/Helm/FinOps/OWASP review and scaffolding, not vibes |
| A static linter (tfsec, checkov, hadolint) | In-context reasoning and scaffolding and explanation, in your editor. Linters still win on deterministic pattern checks — run both |
| Claude-only skills | One source emits Cursor .mdc and Codex AGENTS.md too — same review across all three tools |
| Prose findings | Every finding carries a stable rule ID shared with the auditkit audit engine — an inline review finding and a deep-audit finding are the same ID, so baselines and dedup carry across both |
The honest line: static linters are faster for pure pattern matching, and a deep audit engine (auditkit) is the executor for whole-repo + live-cloud scans. This plugin is the IDE-time advisory layer that speaks the same rule-ID language as that engine — review before you commit, with findings that line up when the auditor runs later. It's CI-tested (six gates), not just a prompt dump.
Multi-tool: works with Claude Code, Cursor, and Codex (same skills, different injection per tool).
Claude Code — install as a plugin (no clone needed):
/plugin marketplace add anmolnagpal/devops-skills
/plugin install clouddrove@devops-skills
Skills then appear as /clouddrove:tf, /clouddrove:deploy, … with a native (clouddrove) label. The install script below does the same automatically (plus Cursor/Codex and MCP).
# Claude Code only
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/anmolnagpal/devops-skills/main/scripts/bootstrap.sh)" -- --claude
# All three tools
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/anmolnagpal/devops-skills/main/scripts/bootstrap.sh)" -- --all
# Interactive (no flags) — prompts for which tools
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/anmolnagpal/devops-skills/main/scripts/bootstrap.sh)"What each flag does:
| Flag | What it installs |
|---|---|
--claude |
clouddrove skills plugin (from this repo's marketplace), team plugins from config/plugins.txt, MCP servers |
--cursor |
.cursor/rules/*.mdc into ~/.cursor/rules/ (or --project <path>) |
--codex |
AGENTS.md into ~/.codex/AGENTS.md (or --project <path>) |
--all |
All three |
Per-tool flags:
./scripts/install.sh --claude --no-mcp --no-plugins # skills only
./scripts/install.sh --cursor --project ~/work/repo # per-project install
./scripts/install.sh --codex --project ~/work/repoGitLab authentication: If you get a 403, make sure you have access to the repo. You may need to use SSH clone instead — see Manual install below.
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/anmolnagpal/devops-skills/main/scripts/bootstrap.sh)"Same command. If the repo is already installed it pulls the latest and re-runs the installer.
If you prefer SSH or need to use a different install directory:
git clone git@github.com:anmolnagpal/devops-skills.git ~/devops-skills
~/devops-skills/scripts/install.shSingle source: skills/<name>/SKILL.md. The clouddrove plugin bundles them all; the generator emits per-tool adapters via scripts/generate.sh:
| Source | Claude slash | Cursor rule | Auto-trigger |
|---|---|---|---|
skills/tf/SKILL.md |
/clouddrove:tf |
tf.mdc |
**/*.tf, **/*.tfvars |
skills/k8s/SKILL.md |
/clouddrove:k8s |
k8s.mdc |
**/values*.yaml, **/Chart.yaml, **/templates/*.yaml |
skills/ci/SKILL.md |
/clouddrove:ci |
ci.mdc |
**/.gitlab-ci.yml |
skills/github-actions/SKILL.md |
/clouddrove:github-actions |
github-actions.mdc |
**/.github/workflows/*.yml |
skills/github/SKILL.md |
/clouddrove:github |
github.mdc |
**/CODEOWNERS, **/.github/dependabot.yml, PR/issue templates |
skills/docker/SKILL.md |
/clouddrove:docker |
docker.mdc |
**/Dockerfile, **/docker-compose*.yml |
skills/finops/SKILL.md |
/clouddrove:finops |
finops.mdc |
manual |
skills/owasp/SKILL.md |
/clouddrove:owasp |
owasp.mdc |
manual |
skills/appsec/SKILL.md |
/clouddrove:appsec |
appsec.mdc |
manual |
skills/wrapper-tf/SKILL.md |
/clouddrove:wrapper-tf |
wrapper-tf.mdc |
_modules/**/*.tf, environments/**/*.tf, .github/workflows/terraform.yml |
skills/deploy/SKILL.md |
/clouddrove:deploy |
deploy.mdc |
manual |
skills/adr/SKILL.md |
/clouddrove:adr |
adr.mdc |
**/docs/adr/*.md |
skills/skill-creator/SKILL.md |
/clouddrove:skill-creator |
skill-creator.mdc |
manual |
All 13 are also injected into AGENTS.md for Codex.
Findings are tagged with stable rule IDs (TF-STATE-001, SEC-NET-001, CICD-DOCK-002, …). The canonical set lives in rules/rule-ids.yaml (141 IDs) — the single source of truth. CI (scripts/check-rule-ids.sh) fails if a skill emits an ID not in the registry. The auditkit audit engine consumes the same registry and checks against it, so an inline plugin finding and a deep-audit finding share the same ID — and the two can't drift.
A finding's severity means something different depending on which skill raised it:
| Model | Used by | Meaning |
|---|---|---|
| BLOCKING / ADVISORY, fixed per rule ID | tf, k8s, docker, ci, github-actions, github, appsec, wrapper-tf, deploy |
Severity is baked into the rule catalog — the skill never invents it. BLOCKING = fix before merge/deploy. |
| BLOCKING / ADVISORY, judged per finding | owasp |
Same two labels, but severity depends on exploitability in this codebase (reachable? mitigated already?) — assessed each time, not looked up. |
| HIGH / MED / LOW $-impact | finops |
Cost findings are opportunities ranked by savings magnitude, never merge-blockers — there's no "block the MR" concept for a cost lever. |
All three carry the same stable rule-ID convention and file:line/resource citation — only the severity axis differs. If you're scripting against output (e.g. failing CI on BLOCKING), branch on the skill, not a single global severity enum.
Backlog specs (drafts, not active): skills/specs/ — aws-cost, aws-security, azure-cost, azure-security, gcp-cost, gcp-security, kubernetes-cost, kubernetes-security. Promote to active by adding frontmatter under skills/<name>/SKILL.md.
Edit skills/<name>/SKILL.md, run bash scripts/generate.sh, commit. Re-run ./scripts/install.sh --all to push to local installs.
In Claude Code: invoke with /clouddrove:<skill> (namespaced by the plugin). In Cursor: rules auto-attach via globs:. In Codex: AGENTS.md loaded by default.
| Skill | Purpose |
|---|---|
/clouddrove:tf |
Terraform (generic / terraform-aws-modules ecosystem): pre-MR review, AWS resource scaffolding, provider upgrade guidance |
/clouddrove:k8s |
Kubernetes/Helm: pre-deploy review, production-ready values scaffolding |
/clouddrove:ci |
GitLab CI/CD: pipeline review, Terraform/Helm pipeline scaffolds |
/clouddrove:github-actions |
GitHub Actions: workflow review, security hardening (OIDC, pinning), scaffolds |
/clouddrove:github |
GitHub repo hygiene: settings audit, CODEOWNERS, branch protection, releases |
/clouddrove:docker |
Dockerfile review, image optimization, Compose, registry workflows |
/clouddrove:finops |
AWS cost: waste detection, right-sizing, Savings Plans/RIs, EKS cost |
/clouddrove:owasp |
Security review against OWASP Top 10:2025, ASVS 5.0, Agentic AI risks |
/clouddrove:appsec |
Application-level security: dependency audit (via the ecosystem's real audit tool), missing security headers, CORS wildcard misconfiguration |
/clouddrove:wrapper-tf |
Team standard for AWS Terraform repos on the CloudDrove wrapper pattern: scaffold _modules/<name>/, generate Terraform GitHub Actions CI, review against the wrapper pattern, map to SOC2/GDPR controls. Supersedes /clouddrove:tf on these repos. |
/clouddrove:deploy |
Deployment strategy (rolling/blue-green/canary), production-readiness gate (reuses existing rule IDs), and rollback playbook for AWS/EKS |
/clouddrove:adr |
Capture architectural decisions as structured ADRs under docs/adr/ |
/clouddrove:skill-creator |
Author, eval, and refine new skills in this repo |
/skill-creator |
Build, test, and iterate new skills |
Declared in plugins.txt and installed automatically by install.sh. Skips any already installed.
All plugins live in config/plugins.txt and are installed automatically by install.sh.
| Plugin | Source | What it adds |
|---|---|---|
terraform-code-generation |
hashicorp | Terraform style guide, registry search, import, tests |
terraform-module-generation |
hashicorp | Module refactoring and Terraform Stacks |
claude-mem |
thedotmack | Persistent cross-session memory — Claude remembers past decisions and context |
engineering-workflow-skills |
mhattingpete | Git operations, code review, feature planning workflows |
superpowers |
obra/superpowers | TDD, systematic debugging, brainstorming/planning, and subagent dev workflows |
caveman |
JuliusBrussee/caveman | Ultra-compressed communication mode — cuts ~75% tokens while preserving technical accuracy |
Add a line to config/plugins.txt:
name@marketplace— for official Claude plugin marketplace installshub:github-org/repo— for plugins installed vianpx claudepluginhub
If it's from a new marketplace, also add it to config/marketplaces.txt. Then commit and push — teammates pick it up on next ./scripts/install.sh.
Configured interactively during install.sh. Each server prompts you to install or skip. Already-installed servers are skipped automatically.
| Server | What it gives Claude |
|---|---|
kubernetes-mcp-server |
Live read access to EKS clusters — pods, logs, events, Helm releases |
eks-mcp-server |
AWS-native EKS ops — cluster diagnostics, CloudWatch, IAM/OIDC, resource management |
billing-mcp-server |
Cost Explorer, budget tracking, savings plan analysis, Compute Optimizer |
mcp-atlassian |
Jira + Confluence — JQL search, create/update issues, add comments, transition tickets |
outline |
Outline docs/wiki — search, read, create/update documents (remote HTTP, browser OAuth) |
If you need to switch the AWS profile used by the AWS MCP servers:
# Interactive
~/devops-skills/scripts/set-aws-profile.sh
# Or directly
~/devops-skills/scripts/set-aws-profile.sh prodRestart Claude Code after switching.
devops-skills/
.claude-plugin/ ← plugin.json (clouddrove) + marketplace.json (repo = its own marketplace)
skills/ ← Canonical skill sources, one dir per skill (edit here)
<name>/SKILL.md ← the skill body (tf, k8s, ci, owasp, docker, finops, deploy, adr, wrapper-tf, …)
<name>/evals/ ← static eval fixtures + validate.sh (file-input skills)
owasp/*.md ← reference docs loaded on-demand; docker/ finops/ add scripts too
specs/ ← Backlog spec docs (not active skills)
rules/rule-ids.yaml ← Canonical shared rule-ID registry (single source of truth)
.cursor/rules/ ← Generated Cursor rules (.mdc) — from scripts/generate.sh
AGENTS.md ← Generated Codex skill doc — from scripts/generate.sh
agents/ ← Reserved for Claude Code agents
hooks/ ← Shipped with the plugin (registered via hooks.json)
hooks.json ← Plugin hook config (uses ${CLAUDE_PLUGIN_ROOT})
session-banner.sh ← SessionStart: prints repo/branch/AWS/kube context
bash-guard.sh ← PreToolUse(Bash): blocks destructive patterns
templates/
CLAUDE.md ← Copy into project repos for always-on team context
settings.json ← Global ~/.claude/settings.json defaults (perm allow/deny)
scripts/
bootstrap.sh ← One-liner installer
install.sh ← Flag dispatcher (--claude / --cursor / --codex / --all)
install-claude.sh ← Claude adapter: skills, plugins, MCP
install-cursor.sh ← Cursor adapter: links .cursor/rules
install-codex.sh ← Codex adapter: links AGENTS.md
generate.sh ← Build Cursor + Codex adapters from skills/<name>/SKILL.md
mcp.sh ← Interactive MCP server install (Claude only)
set-aws-profile.sh ← Switch AWS profile for AWS MCP servers
config/
plugins.txt ← Claude plugins to install
marketplaces.txt ← Claude plugin marketplaces
_docs/
CHEATSHEET.md ← Example prompts per skill and MCP server
README.md
install.sh --claude seeds ~/.claude/settings.json from templates/settings.json on first run. On subsequent runs it merges missing permission entries only — never clobbers existing keys (enabledPlugins, mcpServers, hooks, etc.).
Template ships with a safe DevOps allow-list (read-only kubectl/terraform/aws/git) and deny-list (kubectl delete, terraform apply, terraform destroy, rm -rf, aws s3 rm, aws ec2 terminate-instances). Edit templates/settings.json to change team defaults, commit, teammates re-run ./scripts/install.sh --claude.
Copy templates/CLAUDE.md into the root of any project repo and fill in the placeholders. Claude Code auto-loads it every session, giving Claude permanent context about your AWS setup, Terraform backend, EKS clusters, and team conventions — without needing to invoke a skill.
cp ~/devops-skills/templates/CLAUDE.md /path/to/your/repo/CLAUDE.md
cp -r ~/devops-skills/templates/.claude /path/to/your/repo/.claude
# Fill in the CLAUDE.md placeholders, then commit bothSkills follow a standard format. Use the /skill-creator skill to build and test new ones.
---
name: skill-name
description: "Concise description — include when to use and key trigger keywords"
metadata:
version: 1.0.0
author: Anmol Nagpal
category: devops
updated: YYYY-MM-DD
---
# Skill Title
One-line summary.
## Keywords
keyword1, keyword2, keyword3
## Output Artifacts
| Request | Output |
|---------|--------|
| "do X" | Produces Y |
---
## SECTION — ...- Create
skills/<name>/SKILL.mdfollowing the format above (co-locateevals/, references, scripts in the same dir) - Run
bash scripts/generate.shto refresh Cursor (.cursor/rules/<name>.mdc) + Codex (AGENTS.md) adapters - Commit
skills/<name>/SKILL.md, the new.cursor/rules/<name>.mdc, and updatedAGENTS.md - Teammates run
git pull && ./scripts/install.sh --allto pick it up (the plugin auto-discovers anyskills/<name>/SKILL.md)
CI runs on every push to main and every pull request via GitHub Actions (.github/workflows/test.yml), with six gates: Docker install harness, adapter-sync (.cursor/rules/, AGENTS.md regenerated from skills/<name>/SKILL.md), skill-frontmatter lint, rule-ID registry check, eval fixtures, and ShellCheck.
To run the test locally (requires Docker):
bash _test/test.shThe test builds _test/Dockerfile, which runs install.sh in a clean container with a stubbed claude CLI and CI=true to skip interactive MCP prompts. It verifies all skills are symlinked and all plugins install without error.
The eval fixtures CI gate above (Tier-1) only checks that eval docs are internally
consistent — rule IDs in expected.txt exist in the catalog, clean-* cases expect
nothing. It never runs a skill and checks its actual output, so a skill could regress
silently (stop detecting a real violation) and Tier-1 would still pass.
scripts/run-behavioral-evals.sh is the Tier-2 gate: it invokes each skill via
claude -p against its fixtures and diffs the live findings against expected.txt.
Opt-in — it spends API tokens and isn't wired into the free six-gate CI, so run it
manually or on a nightly schedule:
EVALS=1 bash scripts/run-behavioral-evals.sh # every skill with evals/
EVALS=1 bash scripts/run-behavioral-evals.sh tf k8s # just these skills- Add a new block to
scripts/mcp.shfollowing the existing pattern (check if installed → prompt → register the server):- Local/stdio servers —
claude mcp add-json <name> '{"command":...,"args":...}' -s user - Remote/HTTP servers (e.g.
outline) —claude mcp add <name> <url> --transport http -s user(auth via browser OAuth on first use)
- Local/stdio servers —
- If the server uses AWS credentials, add it to the
AWS_MCP_SERVERSlist inscripts/set-aws-profile.sh - Commit and push — teammates pick it up on next
./scripts/install.sh