A new way to run a security scan: just ask
Running a Kafka security audit used to mean copy-pasting kafkaguard scan --bootstrap … into a terminal, waiting for a JSON report, opening it in an editor, and then deciding what to do next.
With the new KafkaGuard OpenClaw skill, that whole loop collapses into a conversation:
"Audit our staging Kafka cluster at
kafka-stg-1:9092,kafka-stg-2:9092against the enterprise policy."
The agent picks the right command, runs the scan, parses the JSON, and hands you back the headline — score, critical findings, and the path to the full HTML report — all in the same chat window.
What it is
OpenClaw is an open-source agent runtime with a skill registry called ClawHub. Skills are small SKILL.md files that teach an agent how to use a tool or workflow — same idea as Anthropic's Claude Skills, but vendor-neutral.
The KafkaGuard skill wraps the KafkaGuard CLI and teaches an agent four things:
- What to ask — bootstrap servers, which policy, which output formats, and auth details if the cluster is secured.
- How to invoke — the right combination of
--bootstrap,--policy,--format, and auth flags for SASL/SCRAM, mTLS, MSK IAM, or Confluent Cloud. - How to read the output — parse the JSON report, extract score and severity counts, pull out the top failing controls.
- What not to do — never print SASL passwords, never invent control IDs, never ship reports to third parties without asking.
Install in 30 seconds
You need the kafkaguard binary on your PATH first (grab it from kafkaguard-releases or run via Docker). Then:
openclaw skills install \
https://github.com/KafkaGuard/kafkaguardmain/tree/master/integrations/openclaw/kafkaguard-scan \
--as kafkaguard-scan
Or, once we land it on ClawHub:
openclaw skills install kafkaguard-scan
Why this matters
Most SRE and platform teams already live inside an agent — Claude Code, Cursor, OpenClaw, Gemini CLI. Forcing them to context-switch into a separate dashboard to check Kafka posture is friction we don't need. The skill lets the audit meet the engineer where they already are.
A few real workflows this unlocks:
- "Is anything broken right now?" — agent runs the scan, says "3 high-severity findings, all on the new staging cluster". Done in 20 seconds.
- Pre-deploy gate — wire the skill into a release runbook. Agent runs the scan, blocks the deploy if the score drops.
- Fleet sweep — feed the agent a list of clusters, get back a table of
cluster | score | critical | highfor the whole org. - Auditor-ready PDF on demand — "generate a finance-iso report for last quarter's prod cluster". Agent runs it, PDF lands in
./reports.
Cross-platform
The same SKILL.md works (with minor tweaks) on:
| Runtime | Status |
|---|---|
| OpenClaw | ✅ Official |
| Claude Code | ✅ Copy into .claude/skills/ |
| Gemini CLI | ✅ Via activate_skill |
| Cursor / Continue | ⚠️ Paste workflow as a system prompt |
What's next
This is the Tier 1 release — a thin, well-instructed wrapper around the CLI. On the roadmap:
- Fleet helper — first-class multi-cluster scans with a single command.
- MCP server (
kafkaguard-mcp) — typed tool calls (scan_cluster,diff_scans,get_trend) so the same surface works in Claude Desktop, Cursor, ChatGPT, and Gemini without per-runtime glue. - Auto-triage — the skill suggests remediation PRs based on the
remediationfield in each finding.
Get involved
The skill source lives in the main KafkaGuard repo. Issues and PRs welcome — especially around new auth modes, fleet workflows, and policy-pack additions.
If you're running KafkaGuard inside an agent today and want us to support a runtime that isn't listed above, open an issue and tell us what you're using.