From orca-skills
Provides DSPM view discovering sensitive data risks including exposed secrets, PII, credentials, unprotected data stores, security posture, and remediation priorities. Use for data exposure or secrets queries.
```sh
npx claudepluginhub orcasecurity/orca-skills --plugin orca-skills
```

This skill uses the workspace's default tool permissions.
Answers the question: **"Where is our sensitive data, is it protected, and what's at risk right now?"**
Provides a DSPM (Data Security Posture Management) view: discovers sensitive data across the environment (secrets, PII, credentials, API keys, financial data), identifies unprotected or exposed data stores, ranks data risks by exposure level, and generates a remediation plan to secure the most critical data first.
```
/orca-data-exposure
/orca-data-exposure secrets
/orca-data-exposure account 123456789012
```
Or natural language:
Parse user input:
Run 6 discovery_search queries covering different data exposure categories:
```yaml
# Query 1: Exposed secrets and credentials
discovery_search:
  search_phrase: "exposed secrets credentials API keys passwords"
  limit: 10

# Query 2: PII exposure
discovery_search:
  search_phrase: "sensitive data PII personally identifiable information exposed"
  limit: 10

# Query 3: Unencrypted data stores
discovery_search:
  search_phrase: "unencrypted S3 buckets databases storage with sensitive data"
  limit: 10

# Query 4: Public data stores with sensitive content
discovery_search:
  search_phrase: "publicly accessible storage buckets with sensitive data or secrets"
  limit: 10

# Query 5: Sensitive data on internet-facing assets
discovery_search:
  search_phrase: "internet facing assets with sensitive data or secrets"
  limit: 10

# Query 6: Certificate and key exposure
discovery_search:
  search_phrase: "exposed private keys certificates TLS SSL"
  limit: 10
```
For the top 5 most critical data exposure findings, run in parallel:
Per asset:
```yaml
get_asset_related_alerts_summary:
  asset_id: <UUID>
get_asset_crown_jewel_info:
  group_unique_id: <group_unique_id>
```
Check data protection compliance:
```yaml
get_enabled_compliance_frameworks:
  # (no filters)
```
Extract data-relevant frameworks and scores:
CRITICAL — Immediate data breach risk:
• Secrets/credentials on public-facing assets
• PII in publicly accessible storage
• Unencrypted database with sensitive data exposed to internet
• API keys/tokens in container images or public repos
HIGH — Significant exposure:
• Secrets on internal assets with other vulnerabilities
• Unencrypted data stores with sensitive content
• PII without encryption at rest
• Credentials in environment variables or config files
MEDIUM — Suboptimal protection:
• Encrypted but overly permissive access to sensitive data
• Secrets in private storage but without rotation
• PII with encryption but weak access controls
LOW — Minor gaps:
• Internal data stores with proper encryption but missing audit logging
• Secrets managed properly but rotation overdue
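As an added example (not code from the orca-skills skill itself), the tier rules above as a small Python triage helper; it also merges the results of the six discovery_search queries listed earlier, deduplicating by alert id since each query is capped at 10 results, and fills the per-account counts used in the DATA RISK BY ACCOUNT table further down. The finding fields (data_type, exposure, encrypted, location, access, rotation, other_vulns) and the sample findings are constructed assumptions standing in for real discovery_search output.

```python
"""Tier assignment, multi-query merge and per-account counts (constructed fields/samples)."""
from collections import Counter

def tier(f):
    """Apply the tier rules in order, most severe rule first."""
    secret, pii = f["data_type"] == "secret", f["data_type"] == "pii"
    public, enc, loc = f["exposure"] == "public", f["encrypted"], f.get("location")
    if secret and (public or loc in ("container_image", "public_repo")):
        return "CRITICAL"          # secret on public asset / in image or public repo
    if public and (pii or not enc):
        return "CRITICAL"          # PII or unencrypted data reachable from the internet
    if secret and (f.get("other_vulns") or loc in ("env_var", "config_file")):
        return "HIGH"              # internal secret with other vulns, or in env/config
    if not enc:
        return "HIGH"              # sensitive store without encryption at rest
    if f.get("access") in ("overly_permissive", "weak") or (secret and f.get("rotation") == "none"):
        return "MEDIUM"            # encrypted but weak access, or never-rotated secret
    return "LOW"                   # audit-logging gaps, rotation merely overdue

def merge(query_results):
    """Dedupe by alert id across queries (each capped at 10 results), keep the best score."""
    best = {}
    for f in (f for results in query_results for f in results):
        if f["alert_id"] not in best or f["score"] > best[f["alert_id"]]["score"]:
            best[f["alert_id"]] = f
    return sorted(best.values(), key=lambda f: -f["score"])

def risk_by_account(findings):
    """Secrets/PII/Public/Unencrypted counts per account; worst = most CRITICAL findings."""
    table = {}
    for f in findings:
        row = table.setdefault(f["account"], Counter())
        row["secrets"] += f["data_type"] == "secret"
        row["pii"] += f["data_type"] == "pii"
        row["public"] += f["exposure"] == "public"
        row["unencrypted"] += not f["encrypted"]
        row["critical"] += tier(f) == "CRITICAL"
    worst = max(table, key=lambda a: (table[a]["critical"], sum(table[a].values())))
    return table, worst

def finding(alert_id, score, asset, account, data_type, exposure, encrypted, **extra):
    return dict(alert_id=alert_id, score=score, asset=asset, account=account,
                data_type=data_type, exposure=exposure, encrypted=encrypted, **extra)

# Constructed sample results from two queries; alert a-1 appears in both.
Q1 = [finding("a-1", 9.4, "web-prod", "111111111111", "secret", "public", True, location="env_var"),
      finding("a-2", 7.1, "ci-runner", "222222222222", "secret", "internal", True, location="config_file")]
Q2 = [finding("a-1", 9.0, "web-prod", "111111111111", "secret", "public", True, location="env_var"),
      finding("a-3", 8.2, "customer-db", "111111111111", "pii", "internal", False, access="weak")]
```

Calling `merge([Q1, Q2])` yields three findings ordered by score, and `risk_by_account` on them names account 111111111111 as the worst.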
Group findings by data type:
CRITICAL: Never leave the user with just data. After EVERY output layer, suggest the next action and offer to generate remediation code.
After the dashboard and after every drill-down section:
When the user selects a format:
`secure-data-<asset-name>.<ext>` (e.g., .tf, .yml, .sh)

Format mapping:
| User says | Extension | Template |
|---|---|---|
| Terraform | .tf | HCL with bucket policy / encryption / KMS resources |
| CloudFormation | .cfn.yaml | YAML template with security resources |
| Ansible | .yml | Playbook with data protection tasks |
| CLI | .sh | Shell script with aws/az/gcloud CLI commands |
| Instructions | inline | Numbered step-by-step console walkthrough |
| Pulumi | .ts | TypeScript Pulumi program |
| ARM/Bicep | .bicep | Bicep template |
```text
═══════════════════════════════════════════════════════════════════
DATA EXPOSURE REPORT — <scope>
<date> | <account scope>
═══════════════════════════════════════════════════════════════════

DATA POSTURE: <assessment — 1 line>

┌─────────────────────────────────────────────────────────────────┐
│ TOTAL FINDINGS  <N> data exposure alerts                        │
│ CRITICAL        <N> — immediate breach risk                     │
│ HIGH            <N> — significant exposure                      │
│ SECRETS         <N> exposed credentials/API keys/tokens         │
│ PII             <N> assets with personally identifiable data    │
│ PUBLIC DATA     <N> publicly accessible data stores             │
│ UNENCRYPTED     <N> data stores without encryption              │
│ CROWN JEWELS    <N> data findings on critical assets            │
│ COMPLIANCE      <frameworks with data requirements>             │
└─────────────────────────────────────────────────────────────────┘

TOP DATA RISKS:
  [1] <alert-id> — <title> (score: <X.X>)
      <asset> | <data type> | <exposure: public/internal>
  [2] <alert-id> — <title> (score: <X.X>)
      <asset> | <data type> | <exposure>
  [3] <alert-id> — <title> (score: <X.X>)
      <asset> | <data type> | <exposure>
  [4] <alert-id> — <title> (score: <X.X>)
  [5] <alert-id> — <title> (score: <X.X>)

RECOMMENDED ACTION:
  Priority #1: <top data risk — e.g., "Rotate the exposed API
               key on <asset> and move to Secrets Manager.">

  I can generate the fix right now.
  What format? terraform | cloudformation | ansible | cli |
               instructions | pulumi | arm/bicep
═══════════════════════════════════════════════════════════════════
Or drill down: secrets | pii | public data | unencrypted |
               compliance | accounts | remediation plan | full
═══════════════════════════════════════════════════════════════════
```
```text
───────────────────────────────────────────────────────────────────
SECRETS & CREDENTIALS — Exposed
───────────────────────────────────────────────────────────────────

CRITICAL (rotate immediately):
  <alert-id>  <score>  <title>
    Asset: <asset> (<type>) in <account>
    Secret type: <API key / password / token / connection string>
    Location: <file path / env var / config>
    Exposure: <public / internal>
    Fix: Rotate secret, move to secrets manager
  ...

HIGH (rotate soon):
  ...

SUMMARY:
  Total exposed secrets: <N>
  Public-facing: <N> (CRITICAL)
  Internal only: <N> (HIGH)
  Types: <breakdown by secret type>

RECOMMENDED ACTIONS:
  1. Rotate all publicly exposed secrets NOW
  2. Move secrets to AWS Secrets Manager / Azure Key Vault / GCP Secret Manager
  3. Scan code repos for committed secrets
  4. Implement secret detection in CI/CD pipeline

FIX NOW:
  I'll generate rotation scripts and Secrets Manager configs.
  Choose format: terraform | cloudformation | ansible | cli |
                 instructions | pulumi | arm/bicep
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
PII EXPOSURE — Personally Identifiable Information
───────────────────────────────────────────────────────────────────

<alert-id>  <score>  <title>
  Asset: <asset> in <account>
  PII types: <names / emails / SSNs / addresses / phone>
  Records: <estimated count if available>
  Encrypted: YES/NO
  Access: <public / internal / restricted>
  Compliance: <GDPR / HIPAA / PCI affected>
...

COMPLIANCE IMPACT:
  GDPR: <N> findings with EU personal data
  HIPAA: <N> findings with health data
  PCI DSS: <N> findings with payment data
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
PUBLIC DATA STORES — Internet Accessible
───────────────────────────────────────────────────────────────────

⚠ <storage name> (<type>) in <account>
  Access: PUBLIC READ / PUBLIC WRITE / PUBLIC LIST
  Content: <data types detected>
  Sensitive: YES — <what sensitive data>
  Encryption: <encrypted / NOT encrypted>
  Fix: <specific action — remove public access, add auth>

⚠ <database name> (<type>) in <account>
  Access: Internet-facing on port <port>
  Auth: <strong / weak / default / none>
  Content: <data types>
  Fix: <action>

LOCK IT DOWN:
  I can generate bucket policies, access controls, and
  encryption configs. Choose format: terraform | cloudformation |
  ansible | cli | instructions | pulumi | arm/bicep
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
UNENCRYPTED DATA STORES
───────────────────────────────────────────────────────────────────

<storage/database name> (<type>) in <account>
  Contains: <data types>
  Sensitive data: YES/NO
  Encryption at rest: MISSING
  Encryption in transit: <YES/NO>
  Fix: Enable <SSE-S3/SSE-KMS/AES-256/TDE>
...

SUMMARY:
  Total unencrypted: <N>
  With sensitive data: <N> (PRIORITY)
  Without sensitive data: <N> (still fix)

ENABLE ENCRYPTION:
  I'll generate encryption configs for all unencrypted stores.
  Choose format: terraform | cloudformation | ansible | cli |
                 instructions | pulumi | arm/bicep
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
DATA PROTECTION COMPLIANCE
───────────────────────────────────────────────────────────────────

Framework        Score   Data Controls   Status
─────────────────────────────────────────────────────
PCI DSS v4.0     <X>%    <N> failing     ⚠ GAPS
HIPAA            <X>%    <N> failing     ⚠ GAPS
GDPR             <X>%    <N> failing     ⚠ GAPS
SOC 2            <X>%    <N> failing     ✓ OK
...

DATA-SPECIFIC CONTROL FAILURES:
  <control> — <description> (<N> assets)
  <control> — <description> (<N> assets)
  ...
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
DATA RISK BY ACCOUNT
───────────────────────────────────────────────────────────────────

Account          Secrets   PII   Public   Unencrypted
────────────────────────────────────────────────────────────
<account-1>      <N>       <N>   <N>      <N>
<account-2>      <N>       <N>   <N>      <N>
...

WORST ACCOUNT: <account> — <why>
───────────────────────────────────────────────────────────────────
```
```text
───────────────────────────────────────────────────────────────────
DATA PROTECTION REMEDIATION PLAN
───────────────────────────────────────────────────────────────────

PHASE 1: STOP THE BLEEDING (immediate)
  [ ] Rotate <N> publicly exposed secrets
  [ ] Remove public access from <N> data stores with sensitive data
  [ ] Add authentication to <N> exposed databases

PHASE 2: ENCRYPT EVERYTHING (this week)
  [ ] Enable encryption at rest on <N> data stores
  [ ] Enable encryption in transit where missing
  [ ] Move <N> secrets to managed secrets service

PHASE 3: ACCESS CONTROLS (this month)
  [ ] Implement least-privilege access to data stores
  [ ] Enable audit logging on all sensitive data stores
  [ ] Set up automated secret rotation

PHASE 4: GOVERNANCE (ongoing)
  [ ] Implement data classification policy
  [ ] Deploy DLP controls
  [ ] Set up continuous monitoring for new data exposure
  [ ] Regular compliance audits

ESTIMATED IMPACT:
  Phase 1: Eliminates <N> critical data exposure alerts
  Phase 2: Resolves <N> encryption compliance failures
  Phase 3: Reduces unauthorized access risk by ~<X>%

START NOW:
  Tell me which phase to begin and your preferred format.
  I'll generate implementation code for each fix.
  Format: terraform | cloudformation | ansible | cli |
          instructions | pulumi | arm/bicep
───────────────────────────────────────────────────────────────────
```
Show all sections in order.
✅ No exposed sensitive data detected.
Your data protection posture appears clean. Consider:
• Verify Orca DSPM scanning is enabled for all accounts
• Check data classification settings
• This scan covers known patterns — custom sensitive data may need custom rules
⚠ Significant data exposure: <N> findings detected.
Showing top 10 by risk. This indicates a systemic data protection gap.
Recommendations:
1. Prioritize: Fix publicly exposed data stores first
2. Automate: Deploy encryption-by-default policies
3. Prevent: Add pre-commit hooks for secret detection
4. Monitor: Set up real-time alerts for new public data stores
Some secrets may already be rotated but the alert remains open. Note:

```text
Note: Verify if this secret has already been rotated.
If rotated, the alert may close on next Orca scan.
If not rotated, treat as active exposure.
```
| Tool | Purpose | Parameter |
|---|---|---|
| discovery_search | Find data exposure findings | search_phrase, limit |
| get_asset_related_alerts_summary | All alerts on data-holding assets | asset_id (UUID) |
| get_asset_crown_jewel_info | Crown jewel status of data stores | group_unique_id |
| get_enabled_compliance_frameworks | Data protection compliance scores | optional filters |
| Tool | Purpose | When |
|---|---|---|
| get_asset_by_id | Full asset details | Drill-down on specific data store |
| get_compliance_framework_control_tests | Failing data controls | "compliance" drill-down |
| search_cdr_events | Who accessed the data store | Investigation |
| get_linked_entities_mapping | What connects to the data store | Access analysis |
discovery_search returns at most 10 results per query; use multiple queries with different search phrases to cover all data types.

Related: /orca-alert-triage <alert-id> for individual findings, /orca-exposure-map for full attack surface, /orca-asset-profile for data store details.