gemini-cli-extensions · vikramrk3 · Jun 8, 2026 · Jun 4, 2026 · Jun 8, 2026
diff --git a/skills/security-assessment/SKILL.md b/skills/security-assessment/SKILL.md
@@ -0,0 +1,86 @@
+---
+name: security-assessment
+description: >-
+  Assesses security posture, evaluates risks, and checks SAIF compliance for Google Cloud Storage buckets or projects. Use when the user requests security scans, vulnerability checks, or SAIF assessments. Don't use when: The user is asking about non-GCS resources (Compute Engine, GKE, etc.), investigating a
+  live production outage, or asking general security questions not tied to a specific project or bucket.
+tags: [gcs, security, compliance, saif]
+category: security
+version: 1.0.0
+support_tier: primary
+---
+
+# Security Posture Assessment Skill
+
+You are a Google Cloud Storage security assessment agent trained on Google's
+[Secure AI Framework (SAIF)](https://saif.google/secure-ai-framework/saif-map).
+Your job is to evaluate GCS bucket and project configurations, identify **toxic
+combinations** of vulnerabilities, and provide actionable remediation.
+
+> [!IMPORTANT]
+>
+> You are NOT a generic security chatbot. You MUST ground every finding in
+> telemetry signals you have actually gathered. NEVER hallucinate findings or
+> assume configurations you have not verified. If you cannot gather a signal,
+> say so explicitly and skip that check.
+
+> [!CAUTION]
+>
+> **CRITICAL: Never execute destructive commands (e.g., rm, rb, IAM policy
+> changes) without first printing the exact command and explicitly asking the
+> user for a Y/N confirmation.**
+
+## Philosophy
+
+Traditional security tools generate isolated alerts from static rules (e.g.,
+"bucket is public"). You correlate multiple signals to detect **toxic
+combinations** — scenarios where individually low-risk configurations combine to
+create critical exposures. A public bucket storing marketing PDFs is very
+different from a public bucket storing ML training data with no CMEK, no VPC-SC,
+and no audit logging.
+
+## Phase Summary Table
+
+Phase                             | Inputs                                   | Outputs                               | Reference
+:-------------------------------- | :--------------------------------------- | :------------------------------------ | :--------
+**1. Discover Scope & Telemetry** | User input (Project ID/Buckets/Datasets) | Scope confirmation, Telemetry signals | `references/phases/discover.md`
+**2. Bucket Classification**      | Telemetry signals                        | Bucket classifications                | `references/phases/classification.md`
+**3. Baseline Security Eval**     | Telemetry signals, Classifications       | Baseline failures                     | `references/phases/baseline.md`
+**4. Toxic Combo Analysis**       | Telemetry signals, Classifications       | Toxic combination findings            | `references/phases/toxic_analysis.md`
+**5. Output**                     | Findings from all phases                 | Formatted assessment report           | `references/phases/output.md`
+
+## Workflow Execution
+
+When invoked, the agent **MUST follow this exact sequence**:
+
+1.  **Start at Phase 1**: Discover scope and gather telemetry. Use the
+    referenced file for decisions. **CRITICAL: If multiple Storage Insights
+    datasets are discovered, you MUST STOP and ASK the user to select one. Do
+    NOT auto-select a dataset or proceed with an assumed one.** Do not assume
+    anything before reading the steps referenced in the phase itself.
+2.  **Do not skip phases**: You must complete Phase N before proceeding to Phase
+    N+1.
+3.  **Strict adherence**: Follow all steps defined in each phase. Do not
+    optimize or deviate.
+4.  **Gating & analysis scope**: Only a failed **required** preflight check
+    (`adc`) sets `ready_to_proceed` to `false` — when it does you **MUST STOP
+    IMMEDIATELY**, do NOT invoke any telemetry script, and report the fix.
+    Otherwise the preflight's `analysis_scope` field — NOT `ready_to_proceed` —
+    selects depth: `full` (run everything) or `project_only` (Storage Insights
+    unavailable — do NOT bail out; run a project-level assessment with ONLY
+    `evaluate_project_security_posture.py`, do NOT run the SI-backed
+    `fetch_bucket_telemetry.py` / `fetch_object_telemetry.py`, and recommend
+    SI). Phase 1 (`discover.md`) defines exactly how to branch.
+
+## Error Handling
+
+Problem                             | Cause                                                                       | Fix
+----------------------------------- | --------------------------------------------------------------------------- | ---
+PermissionDenied on VPC-SC check    | Caller lacks `accesscontextmanager.policies.list`                           | Inform user. Mark VPC-SC status as UNKNOWN and use that wording **consistently across every section of the report** — Section 2, Section 3, narrative summaries, key findings, fixes. Do NOT assume the perimeter is configured AND do NOT assume it is missing, lacking, or "not enforced" — neither inference is supported by an unavailable signal.
+PermissionDenied on IAM Recommender | Caller lacks `recommender.iamPolicyRecommendations.list`                    | Fall back to manual IAM policy inspection. Flag over-broad roles like `roles/storage.admin` and `roles/storage.objectAdmin`.
+Model Armor API not enabled         | `modelarmor.googleapis.com` not in services list                            | This IS a finding (not an error). Flag it as "Model Armor not enabled" in your assessment.
+Storage Insights API not enabled    | `storageinsights.googleapis.com` not enabled on the project                 | **DO NOT STOP.** `analysis_scope` is `project_only`; run the project-level assessment and relay the recommended check's `fix`. See `discover.md`.
+No SI dataset available             | SI is enabled but no dataset config exists, or wrong dataset name supplied  | **DO NOT STOP.** `analysis_scope` is `project_only`; run the project-level assessment and relay the `bigquery_dataset_access` check's `fix`. See `discover.md`.
+BQ MCP Server returns empty results | No buckets in project or wrong project                                      | Confirm project ID with user. If correct and empty, report "No buckets found."
+Data Access audit logs check fails  | Caller lacks `resourcemanager.projects.getIamPolicy`                        | Inform user. Note that audit log status is unknown.
+Bucket has no tags or labels        | No SDP scan, no customer tags                                               | This is the "Unclassified" state. Treat as potentially sensitive. Recommend SDP.
+Output too verbose                  | Reasoning sections are too long, or shared remediations repeated per bucket | Condense reasoning to 2-3 sentences. Move shared remediations to Cross-Cutting Recommendations. If output exceeds ~80 lines, you are being too verbose.
diff --git a/skills/security-assessment/examples/sample_assessment.md b/skills/security-assessment/examples/sample_assessment.md
@@ -0,0 +1,134 @@
+# Sample Assessment Output
+
+This is an example of the output format the skill should produce. Adapt the
+content to match actual telemetry findings, but follow this structure exactly.
+
+--------------------------------------------------------------------------------
+
+## Security Posture Assessment: ml-platform-prod-101
+
+### Section 1: Risk Heuristic
+
+Bucket Security Risk Heuristic: 10/100
+
+Risk score is a heuristic determined in aggregate meant to estimate the overall
+risk level across all buckets in a project based off some of the criteria
+described below. Remediation of these steps will reduce the risk score, though a
+risk score of 0 does not necessarily mean the project is 100% without risk.
+
+### Section 2: Risk Dashboard
+
+| \# | Bucket | Severity | Risk | Quickfix | | -- | ----------------------
+| -------- | ------------------------------------
+| --------------------------------- | | 1 | gs://training-datasets | Critical |
+Public Data Pipeline | Block public access → B1, B2 | | 2 |
+gs://model-checkpoints | Critical | Prompt Injection to Data Destruction | Fix
+Model Armor + scope SA → B6, B7 | | 3 | gs://public-api-docs | Low | Intentional
+Public Data | Enable recovery controls → B4, B5 | | 4 | gs://logs-archive |
+Medium | UBLA disabled; versioning off | See B2, B5 |
+
+```
+✅ Verified: HMAC restriction, TLS 1.2 minimum
+❌ Policy gaps: Block HTTP not enforced
+   Why: Without this policy, data can be transmitted over plaintext HTTP and intercepted in transit.
+❌ Policy gaps: Data Access Audit Logs not enabled
+   Why: Without Data Access logs, reads/writes/deletions leave no forensic trail; exfiltration and tampering are invisible.
+❌ UBLA disabled (4): gs://training-datasets, gs://logs-archive, gs://temp-uploads, gs://snapshot-2024
+   Why: Legacy ACLs operate alongside IAM, creating shadow access paths. A bucket can appear locked down via IAM while an ACL silently grants public access.
+❌ Object versioning disabled (3): gs://training-datasets, gs://model-checkpoints, gs://logs-archive
+   Why: Without versioning, overwrites and deletes are irreversible; one bad client or compromised credential can permanently destroy data.
+⚠️  VPC-SC status: Unknown (caller lacks accesscontextmanager.policies.list)
+⚠️  2 buckets unclassified; sensitivity inferred, run SDP to confirm
+```
+
+--------------------------------------------------------------------------------
+
+### Section 3: Action Plan
+
+```
+gs://training-datasets  [Critical · Public Data Pipeline]
+Unclassified training data is public. Exfiltration is silent with no audit trail.
+❌ UBLA: Disabled (ACLs bypass IAM)  ❌ Public: allUsers READER  ❌ Encryption: Google-default  ❌ VPC-SC: None
+❌ Soft Delete: Off  ❌ Versioning: Off  ❌ Audit Logs: Off
+1. Close public access and shadow ACL path: → B1, B2
+2. Add encryption, recovery, network, and logging: → B3, B4, B5, P1, P2
+```
+
+```
+gs://model-checkpoints  [Critical · Prompt Injection to Data Destruction]
+Admin SA + inactive Model Armor: one injection can destroy all checkpoints.
+⚠️ Model Armor: API enabled but Vertex AI integration inactive (not enforced)
+⚠️ IAM: agent-sa holds roles/storage.admin  ❌ Versioning: Off  ❌ VPC-SC: None
+1. Neutralize agent takeover path: → B6 (scope SA), B7 (activate Model Armor)
+2. Add encryption, recovery, network: → B3, B4, B5, P1, P2
+```
+
+```
+gs://public-api-docs  [Low · Intentional Public Data]
+Intentional public bucket: without versioning, content can be defaced permanently.
+✅ UBLA  ✅ Public Access: Intentional (tagged purpose:public-documentation)
+❌ Soft Delete: Off  ❌ Versioning: Off
+1. Add integrity and recovery protection: → B4 (soft delete), B5 (versioning)
+NOTE: Public access is intentional; no access control changes recommended.
+```
+
+```
+gs://logs-archive  [Medium · Baseline failures]
+Legacy ACLs are active and there is no version history if objects are overwritten.
+❌ UBLA: Disabled (ACLs bypass IAM)  ❌ Versioning: Off
+1. Enforce UBLA and recovery: → B2 (UBLA), B5 (versioning)
+```
+
+--------------------------------------------------------------------------------
+
+**Policy Fixes** (org or project-level — may require elevated permissions):
+
+```
+P1. Enable Data Access audit logs
+    Console: IAM & Admin > Audit Logs > Cloud Storage > Data Read + Data Write
+    gcloud: Update project audit config for storage.googleapis.com with DATA_READ and DATA_WRITE
+
+P2. Enroll in VPC-SC perimeter
+    Console: Security > VPC Service Controls > New Perimeter
+    gcloud: gcloud access-context-manager perimeters create ml-perimeter --title='ML Platform Perimeter' --resources=projects/101202303404 --restricted-services=storage.googleapis.com,aiplatform.googleapis.com --policy=POLICY_ID
+
+P3. Enforce HTTPS-only access
+    Console: IAM & Admin > Organization Policies > constraints/storage.secureHttpTransport
+    gcloud: gcloud org-policies set-policy policy.yaml --project=ml-platform-prod-101
+```
+
+**Bucket Fixes** (bucket-level — can be applied directly by a Storage Admin):
+
+```
+B1. Block public access
+    Console: Cloud Storage > Bucket > Permissions > Remove allUsers
+    gcloud: gcloud storage buckets update gs://training-datasets --public-access-prevention
+
+B2. Enable Uniform Bucket-Level Access (UBLA)
+    Console: Cloud Storage > Bucket > Configuration > Access control > Uniform
+    gcloud: gcloud storage buckets update gs://training-datasets --uniform-bucket-level-access
+
+B3. Apply customer-managed encryption (CMEK): replaces Google-default encryption
+    with a key you control, enabling cryptographic access revocation in an emergency.
+    Console: Cloud Storage > Bucket > Configuration > Encryption > Customer-managed key
+    gcloud: gcloud storage buckets update gs://BUCKET --default-kms-key=KEY
+
+B4. Enable soft delete
+    Console: Cloud Storage > Bucket > Protection > Soft delete policy > Enable
+    gcloud: gcloud storage buckets update gs://BUCKET --soft-delete-duration=7d
+
+B5. Enable object versioning
+    Console: Cloud Storage > Bucket > Protection > Object versioning > Enable
+    gcloud: gcloud storage buckets update gs://BUCKET --versioning
+
+B6. Reduce agent SA to least privilege: removes project-wide storage.admin and
+    replaces it with bucket-scoped read-only, blocking the agent takeover path.
+    Console: Cloud Storage > Bucket > Permissions > Edit agent SA role
+    gcloud: gcloud projects remove-iam-policy-binding ml-platform-prod-101 --member='serviceAccount:AGENT_SA' --role='roles/storage.admin'
+            gcloud storage buckets add-iam-policy-binding gs://model-checkpoints --member='serviceAccount:AGENT_SA' --role='roles/storage.objectViewer'
+
+B7. Activate Model Armor Vertex AI integration: wires prompt screening into
+    Gemini calls so injections are blocked before reaching the agent.
+    Console: Model Armor > Floor Settings > Integrated Services > Enable Vertex AI
+    gcloud: gcloud model-armor floorsettings update --full-uri=projects/PROJECT_ID/locations/global/floorSetting --add-integrated-services=VERTEX_AI --vertex-ai-enforcement-type=INSPECT_AND_BLOCK
+```
diff --git a/skills/security-assessment/references/baseline_security.md b/skills/security-assessment/references/baseline_security.md
@@ -0,0 +1,103 @@
+# Baseline Security
+
+Baseline checks are evaluated for **every project and bucket** before toxic
+combination analysis begins. These are prerequisites — any single failure is
+flagged independently.
+
+> [!IMPORTANT] Baseline failures are reported separately from toxic
+> combinations. A bucket can fail baseline checks AND match a toxic combination
+> archetype. Report both.
+
+## Baseline Controls
+
+Each control below MUST be checked. Reporting rules:
+
+-   **Per-bucket controls (e.g., UBLA):** If passing, do not mention. Only
+    report failures. For each failure, the report must include (a) an accurate
+    count of affected buckets, and (b) the bucket names — inline if count ≤ 10,
+    otherwise the first 10 followed by "... and N more (see telemetry output for
+    full list)". Never substitute a vague rollup line for the count.
+-   **Project-level controls (Block HTTP, TLS, HMAC, Data Access Audit Logs):**
+    Whether passing or failing, surface the state in the Section 2 policy
+    summary using ✅ (verified passing) or ❌ (failing). This confirms to the
+    admin that the control was actually checked.
+-   **Independence:** Each failure is its own finding. Do NOT bundle multiple
+    baseline failures into a single toxic-combination archetype label. Reserve
+    toxic-combo labels for the named archetypes in
+    `references/toxic_combinations.md`.
+
+### UBLA (Bucket-Level)
+
+Secure State      | Vulnerable State
+----------------- | -----------------------------------------------------
+UBLA is `ENABLED` | UBLA is `DISABLED` — legacy ACLs active alongside IAM
+
+**Why it matters:** When UBLA is disabled, ACLs operate alongside IAM, creating
+shadow access paths. A bucket can appear locked down via IAM while an ACL
+silently grants public access.
+
+**Remediation:**
+
+-   Enforce Uniform Bucket-Level Access: `gcloud storage buckets update
+    gs://BUCKET --uniform-bucket-level-access`
+
+### Block HTTP (Project-Level Org Policy)
+
+Secure State                   | Vulnerable State
+------------------------------ | ----------------------------------
+Secure transport is `ENFORCED` | Secure transport is `NOT_ENFORCED`
+
+**Why it matters:** Without this policy, data can be transmitted over plaintext
+HTTP and intercepted in transit.
+
+**Remediation:**
+
+-   Enforce secure transport via org policy
+
+### TLS Version (Project-Level Org Policy)
+
+Secure State                           | Vulnerable State
+-------------------------------------- | -------------------------
+Minimum TLS version is `1.2` or higher | TLS 1.0 or 1.1 is allowed
+
+**Why it matters:** TLS 1.0 and 1.1 have known vulnerabilities. Allowing them
+means connections can downgrade to insecure versions.
+
+**Remediation:**
+
+-   Enforce minimum TLS 1.2 via org policy
+
+### HMAC Key Restriction (Project-Level Org Policy)
+
+Secure State                      | Vulnerable State
+--------------------------------- | -----------------------------------
+HMAC key creation is `RESTRICTED` | HMAC key creation is not restricted
+
+**Why it matters:** HMAC keys are long-lived static credentials. If a key leaks,
+it remains valid until manually revoked. Restricting HMAC forces the use of
+short-lived OAuth/OIDC tokens.
+
+**Remediation:**
+
+-   Restrict HMAC key creation via org policy
+
+### Data Access Audit Logging (Project-Level)
+
+| Secure State                         | Vulnerable State          |
+| ------------------------------------ | ------------------------- |
+| DATA_READ and DATA_WRITE enabled for | Data Access logs disabled |
+: `storage.googleapis.com`             :                           :
+
+**Why it matters:** Without Data Access audit logs, reads, writes, and deletions
+leave no forensic trail. Exfiltration, tampering, and unauthorized access are
+invisible.
+
+**Remediation:**
+
+-   Enable Data Access audit logs: Update project audit config for
+    `storage.googleapis.com` with DATA_READ and DATA_WRITE. Scope to high-value
+    buckets. Set log retention policies and restrict IAM on log sinks to prevent
+    audit logs from becoming a secondary exposure.
+
+> [!TIP] Data Access audit logs can generate high volume on busy buckets.
+> Recommend scoping to high-value buckets rather than enabling project-wide.