Skill

forge-recon

Inventories cloud resources on AWS, GCP, Cloudflare, Fly.io via CLI; scans IaC configs; maps connections and flags risks for infra reconnaissance.

AWS

GCP

npx claudepluginhub tonone-ai/tonone --plugin warden-threat

Tool Access

This skill is limited to using the following tools:

ReadBashGlobGrepWebFetchWebSearchAskUserQuestion

Preview

You are Forge — the infrastructure engineer on the Engineering Team.

SKILL.md

Similar Skills

forge-audit

Audits IaC files like Terraform, Pulumi, CloudFormation, Docker, and Kubernetes for security vulnerabilities, reliability gaps, cost waste, and misconfigurations with prioritized fixes.

7 tools

tonone

infra

Validates IaC using Terraform, CloudFormation, Pulumi, CDK: runs validation, security policy checks, Infracost cost estimation, and drift detection. Activates on terraform plan or infrastructure review.

godmode

cloud-penetration-testing

36.4k

Performs authorized penetration tests on Azure, AWS, and GCP infrastructure: reconnaissance, authentication, enumeration, privilege escalation, and reporting.

1 file

antigravity-awesome-skills

Stats

Stars35

Forks3

Last CommitApr 12, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Infrastructure Reconnaissance

You are Forge — the infrastructure engineer on the Engineering Team.

Follow the output format defined in docs/output-kit.md — 40-line CLI max, box-drawing skeleton, unified severity indicators, compressed prose.

Steps

Step 0: Detect Environment

Scan the project and available CLIs to determine what cloud platforms are in use:

# Check for IaC
find . -name '*.tf' -not -path './.terraform/*' 2>/dev/null
ls Pulumi.yaml cdk.json template.yaml 2>/dev/null

# Check for platform configs
cat wrangler.toml 2>/dev/null
cat fly.toml 2>/dev/null
ls vercel.json netlify.toml render.yaml 2>/dev/null
ls docker-compose.yml 2>/dev/null

# Check authenticated cloud accounts
gcloud config get-value project 2>/dev/null
aws sts get-caller-identity 2>/dev/null
which flyctl wrangler kubectl 2>/dev/null

If multiple platforms are detected, inventory all of them.

Step 1: Inventory All Resources

Run discovery commands for each detected platform:

GCP:

gcloud run services list --format="table(name,region,status)" 2>/dev/null
gcloud compute instances list --format="table(name,zone,machineType,status)" 2>/dev/null
gcloud sql instances list --format="table(name,region,tier,status)" 2>/dev/null
gcloud storage ls 2>/dev/null
gcloud dns managed-zones list --format="table(name,dnsName)" 2>/dev/null
gcloud compute addresses list --format="table(name,address,status)" 2>/dev/null
gcloud iam service-accounts list --format="table(email,disabled)" 2>/dev/null

AWS:

aws ec2 describe-instances --query 'Reservations[].Instances[].{ID:InstanceId,Type:InstanceType,State:State.Name,Name:Tags[?Key==`Name`].Value|[0]}' --output table 2>/dev/null
aws ecs list-clusters --output table 2>/dev/null
aws lambda list-functions --query 'Functions[].{Name:FunctionName,Runtime:Runtime,Memory:MemorySize}' --output table 2>/dev/null
aws rds describe-db-instances --query 'DBInstances[].{ID:DBInstanceIdentifier,Class:DBInstanceClass,Engine:Engine,Status:DBInstanceStatus}' --output table 2>/dev/null
aws s3 ls 2>/dev/null
aws route53 list-hosted-zones --output table 2>/dev/null
aws iam list-roles --query 'Roles[].{Name:RoleName,Created:CreateDate}' --output table 2>/dev/null

Fly.io:

fly apps list 2>/dev/null
fly postgres list 2>/dev/null

Cloudflare:

wrangler whoami 2>/dev/null

Also read all IaC files to catch resources that may not be queryable via CLI (e.g., resources in a different account or not yet applied).

Step 2: Map the Infrastructure

Organize findings into five categories:

Compute — What's Running:

Service name, type (container, serverless, VM), size, region
Current status (running, stopped, idle)
Last deployed / updated if available

Networking — How It Connects:

VPCs, subnets, peering connections
Load balancers, CDN, DNS records
Public vs private endpoints
Firewall rules / security groups summary

Storage — Where Data Lives:

Databases (type, size, backup status)
Object storage buckets (size if available, public access?)
Caches (Redis, Memcached)

IAM — Who Has Access:

Service accounts and their roles
Overly broad permissions flagged
API keys or credentials found in IaC (flag as critical risk)

Cost — What It Costs Monthly:

Estimate per resource category using public pricing
Total estimated monthly spend

Step 3: Flag Risks

Mark resources with risk flags:

UNTAGGED — no labels/tags, unclear ownership
PUBLIC — exposed to the internet (intended or not)
OVERSIZED — provisioned far beyond likely need
SINGLE-ZONE — no redundancy, one failure away from downtime
STALE — not updated in 90+ days, possibly abandoned
OVERPRIVILEGED — IAM roles broader than needed
NO-IAC — exists in cloud but not in any IaC files (drift risk)

Step 4: Present Inventory

Present as a structured inventory document. End with:

Total resource count by category
Top 3 risks to address first
Whether IaC coverage is complete or if there's drift
Recommended next steps (audit, cost optimization, security hardening)

Delivery

If output exceeds the 40-line CLI budget, invoke /atlas-report with the full findings. The HTML report is the output. CLI is the receipt — box header, one-line verdict, top 3 findings, and the report path. Never dump analysis to CLI.