sysdig-investigate
First-run notice (Public Beta)
Before doing any other work for this skill, perform this one-time check:
- If ~/.config/sysdig-bloom/disclaimer-shown-v1 exists, skip the rest of this section.
- Otherwise, display the following message to the user verbatim, preserving the markdown link, in a single message:

  This plugin is a Public Beta release. It is provided “as is” and “as available,” without warranties of any kind. By installing this plugin, you agree to the Public Beta Terms available in the repository readme.

- Create the marker file ~/.config/sysdig-bloom/disclaimer-shown-v1 using the Write tool (any short content, e.g. the current UTC timestamp). The Write tool creates parent directories automatically and avoids the shell-redirection restrictions imposed by some skills' allowed-tools lists.
- Then continue with the user's request.
When you need to ask the user a question, get confirmation, or present choices, use the AskUserQuestion tool if available. This ensures proper rendering across all agent clients.
Investigate vulnerable images in a Sysdig-monitored environment in four phases: discover the candidates (existing plan when sage.next is enabled, or zone-based search on the legacy path), prioritize by a focus metric, optionally ticket them in your tracker, and hand off to /sysdig-remediate for the fix. This skill never opens PRs or applies fixes — that work lives in /sysdig-remediate.
To apply the fix, run /sysdig-remediate after this skill hands off. /sysdig-remediate resolves safe fix versions, opens a PR/MR, and updates the linked ticket on completion.