Agent Skills
Open-source agent workflows that run on top of the Whisper MCP connector — whisper-investigate, whisper-cypher, and whisper-brand-protection. Install on Claude.ai, Claude Code, or via the API.
Agent Skills Documentation
Agent Skills are pre-built investigation workflows that run on top of the Whisper MCP connector. They're open source and MIT-licensed at github.com/whisper-sec/whisper-skills.
The connector gives an AI assistant the tools — query, explain_indicator, domain_variants, and the rest. Skills give it the playbooks: which tool to reach for, in what order, with the real graph schema and validated query patterns already baked in. Instead of working a multi-step investigation out from scratch, the assistant loads a skill and runs a known-good workflow.
The three skills
| Skill | What it does |
|---|---|
| whisper-investigate | Threat triage and indicator enrichment — chains tools to answer "is this domain or IP malicious?", enrich IOCs, and pivot through infrastructure. |
| whisper-cypher | Cypher query authoring — bundles the graph schema, validated query patterns, and the query-safety rules so the assistant writes valid Cypher on the first try. |
| whisper-brand-protection | Typosquatting and brand-protection sweeps — lookalike domain detection, registrant pivoting, and takedown-report generation. |
Each skill loads automatically when your question matches it. Ask "is 185.220.101.1 malicious?" and whisper-investigate activates; ask "find typosquats of paypal.com" and whisper-brand-protection activates.
Prerequisite: connect the MCP server
Skills are workflows for the connector — they don't do anything on their own. Connect https://mcp.whisper.security first; see the Setup guide. The skills build on six tools the connector exposes: query, explain_indicator, whisper_history, domain_variants, list_labels, and describe_label.
Install
Clone or download the repo first:
```bash
git clone https://github.com/whisper-sec/whisper-skills.git
```
Claude.ai (Web)
Zip a skill folder and upload it under Settings → Capabilities → Skills. Repeat for each skill you want available.
Claude Code
Copy the skill folders into your skills directory:
```bash
# All projects
cp -r whisper-skills/whisper-* ~/.claude/skills/
# This project only
cp -r whisper-skills/whisper-* .claude/skills/
```
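Because installed skills load automatically when a question matches, it helps to know exactly which files ended up in the skills directory. The script below is an added example, not part of the whisper-skills project: it wraps the copy step, skips folders that lack a `SKILL.md` (assumed here to be each skill's entry file) or contain symlinks, and writes a SHA-256 manifest that `verify_skills` later compares against. The function names and manifest location are hypothetical, and `sha256sum` from GNU coreutils is assumed.

```shell
#!/usr/bin/env bash
# Added example, not part of whisper-skills. Assumes sha256sum (GNU coreutils)
# and that each skill folder has a SKILL.md entry file.

# skill_manifest <skills_dir>: sorted "hash  path" lines for installed whisper-* skills.
skill_manifest() (
  cd "$1" || exit 1
  find . -path './whisper-*' -type f -exec sha256sum {} + | LC_ALL=C sort -k2
)

# install_skills <repo_dir> <skills_dir> <manifest_file>
install_skills() (
  repo=$1 dest=$2 manifest=$3
  mkdir -p "$dest" || exit 1
  for skill in "$repo"/whisper-*/; do
    skill=${skill%/}
    [ -d "$skill" ] || continue
    name=$(basename "$skill")
    if [ ! -f "$skill/SKILL.md" ]; then
      echo "skip $name: no SKILL.md" >&2; continue
    fi
    # Symlinks could point the installed skill at files outside the reviewed repo.
    if [ -n "$(find "$skill" -type l | head -n 1)" ]; then
      echo "skip $name: contains symlinks" >&2; continue
    fi
    rm -rf "${dest:?}/$name"          # replace any older copy wholesale
    cp -R "$skill" "$dest/$name" || exit 1
  done
  # Record what is now installed; keep the manifest outside the skills directory.
  skill_manifest "$dest" > "$manifest"
)

# verify_skills <skills_dir> <manifest_file>: exit 0 only if no file was
# added, removed or modified since install_skills wrote the manifest.
verify_skills() (
  skill_manifest "$1" | diff - "$2" >/dev/null
)
```

Run `install_skills whisper-skills ~/.claude/skills ~/.claude/whisper-skills.sha256` once after reviewing the clone, then `verify_skills ~/.claude/skills ~/.claude/whisper-skills.sha256` whenever you want to confirm the installed copies are unchanged.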
API
Include the skill folders in Messages API requests via the container.skills parameter, alongside the Code Execution tool.
How it fits together
You ask a question
↓
A skill loads the workflow (whisper-investigate / -cypher / -brand-protection)
↓
The MCP connector runs the tools (query, explain_indicator, domain_variants, …)
↓
WhisperGraph answers (7.4B nodes, 39B edges, 5.6M threat-intel edges)
The connector also ships eight built-in prompts for common investigation patterns. Prompts are single-shot — you trigger one explicitly. Skills are richer, auto-loading workflows with the schema and patterns built in. Reach for a prompt when you want a quick one-off; install a skill for repeatable investigations.
Next steps
- MCP Reference — the tools, resources, and prompts the skills are built on.
- Cypher Cookbook — the query patterns behind whisper-cypher, organised by analyst persona.
- Contributions are welcome — the repo is MIT-licensed. Open an issue or PR at github.com/whisper-sec/whisper-skills.