# confirm-action

Install with mdskill:

```shell
npx mdskill add dandye/ai-runbooks/confirm-action
```

Verify critical actions before execution to prevent unintended damage.
- Prevents accidental isolation, deletion, or account disable operations.
- Integrates with containment, remediation, and incident response workflows.
- Decides execution based on user selection from predefined or custom options.
- Delivers results by returning the user's response for workflow branching.
## SKILL.md

Path in the repository: `.github/skills/confirm-action`
---
name: confirm-action
description: "Ask the user to confirm before taking a significant action. Use before containment, remediation, or other impactful operations to ensure analyst approval. Presents options and waits for response."
personas: [all]
---

# Confirm Action Skill

Ask the user a confirmation question before proceeding with a significant action.

## Inputs

- `QUESTION_TEXT` - The specific question to ask (e.g., "Isolate endpoint WORKSTATION-01?", "Proceed with account disable for jsmith?")
- *(Optional)* `RESPONSE_OPTIONS` - Predefined options for the user:
  - Default: `["Yes", "No"]`
  - Custom examples: `["Disable Account", "Reset Password", "Monitor Only"]`

## Workflow

### Step 1: Present Question

Display the question to the user with available options.

### Step 2: Wait for Response

Collect the user's selection or custom input.

### Step 3: Return Response

Provide the response back to the calling workflow for decision branching.

## Outputs

| Output | Description |
|--------|-------------|
| `USER_RESPONSE` | The user's answer to the confirmation question |

## When to Use

**Always confirm before:**

- Isolating/quarantining endpoints
- Disabling user accounts
- Blocking IPs/domains at firewall
- Terminating processes
- Deleting files
- Escalating to incident response
- Closing cases as false positive (for high-severity alerts)

**May skip confirmation for:**

- Adding comments to cases
- Running enrichment queries
- Generating reports
- Read-only operations

## Example Confirmations

**Containment:**

```
Question: "Isolate endpoint WORKSTATION-01 from the network?"
Options: ["Yes - Isolate", "No - Continue Monitoring", "Escalate First"]
```

**Account Action:**

```
Question: "User jsmith shows signs of compromise. What action?"
Options: ["Disable Account", "Force Password Reset", "Monitor Only", "Escalate to IR"]
```

**Case Closure:**

```
Question: "Close case 1234 as False Positive?"
Options: ["Yes - Close FP", "No - Keep Open", "Escalate to Tier 2"]
```
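The three workflow steps, the `USER_RESPONSE` output and the "always confirm before" policy above, modelled as plain Python so the branching can be exercised offline. This is an added example written for this page, not code from dandye/ai-runbooks or the mdskill tool; the function names, the `custom:` prefix and the action vocabulary (`isolate_endpoint`, `add_comment`, ...) are assumptions. The one deliberate design choice beyond the SKILL.md text is that the gate fails closed: an empty, mistyped or out-of-range reply resolves to the refusal option, so a slip never authorises an impactful action.

```python
"""Hypothetical reference implementation of the confirm-action skill (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Optional, Sequence

DEFAULT_OPTIONS = ("Yes", "No")

# Low-impact actions the SKILL.md says may skip confirmation (labels are assumed).
MAY_SKIP = frozenset({"add_comment", "enrich", "generate_report", "read"})


def requires_confirmation(action: str, severity: str = "low") -> bool:
    """Closing as false positive needs confirmation only for high-severity
    alerts; every other action not in MAY_SKIP (including anything the
    policy does not name) requires confirmation, i.e. unknown fails closed."""
    if action == "close_false_positive":
        return severity.lower() in {"high", "critical"}
    return action not in MAY_SKIP


@dataclass
class Confirmation:
    question_text: str                      # QUESTION_TEXT
    response_options: Sequence[str] = field(  # RESPONSE_OPTIONS
        default_factory=lambda: list(DEFAULT_OPTIONS))

    def prompt(self) -> str:
        """Step 1: render the question with numbered options."""
        lines = [self.question_text]
        lines += [f"  [{i}] {opt}" for i, opt in enumerate(self.response_options, 1)]
        return "\n".join(lines)

    def resolve(self, raw: Optional[str]) -> str:
        """Steps 2 and 3: map the analyst's reply to USER_RESPONSE.

        Accepts an option number or a case-insensitive option label. Free
        text counts as custom input only when prefixed with 'custom:';
        anything else (empty, typo, out of range) is treated as a refusal."""
        text = (raw or "").strip()
        if text.isdigit():
            idx = int(text) - 1
            if 0 <= idx < len(self.response_options):
                return self.response_options[idx]
            return self._deny()
        for opt in self.response_options:
            if opt.lower() == text.lower():
                return opt
        if text.lower().startswith("custom:"):
            return text[len("custom:"):].strip() or self._deny()
        return self._deny()

    def _deny(self) -> str:
        """Safest option: the first one that reads as a refusal or as
        'monitor only', otherwise the last option offered."""
        for opt in self.response_options:
            if opt.lower().startswith(("no", "monitor")):
                return opt
        return self.response_options[-1]


def confirm_action(question_text: str, response_options=None,
                   ask: Callable[[str], str] = input) -> str:
    """Run the workflow and return USER_RESPONSE. `ask` is injectable so the
    same code is driven by a terminal in production and by canned replies in tests."""
    c = Confirmation(question_text, list(response_options or DEFAULT_OPTIONS))
    return c.resolve(ask(c.prompt() + "\n> "))


def contain_endpoint(hostname: str, ask: Callable[[str], str] = input) -> str:
    """Example caller branching on USER_RESPONSE the way a containment runbook
    would. Returns a description of the action taken; nothing is really isolated."""
    if not requires_confirmation("isolate_endpoint"):
        return f"isolated {hostname}"
    response = confirm_action(
        f"Isolate endpoint {hostname} from the network?",
        ["Yes - Isolate", "No - Continue Monitoring", "Escalate First"],
        ask=ask,
    )
    if response == "Yes - Isolate":
        return f"isolated {hostname}"
    if response == "Escalate First":
        return f"escalated {hostname} to IR before containment"
    return f"monitoring {hostname}"


if __name__ == "__main__":
    print(contain_endpoint("WORKSTATION-01"))
```

Run it interactively to see the three-option containment prompt; in a harness, pass `ask=lambda _: "1"` (or any canned reply) to drive the branch you want to test. Because `resolve` only accepts custom text behind an explicit `custom:` prefix, an analyst can still record "Reset MFA" as a bespoke answer without an unprefixed typo being mistaken for approval.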