# MSP Skills - full corpus

> Free MCP servers and Skills connecting MSP tools to the AI you already use. Built for MSP business owners. Apache-2.0, runs locally, no data leaves your network. This file is the expanded corpus; the short index is at https://msp-skills.compoundingteams.com/llms.txt

## What an MCP server is (for MSPs)

An MCP server is a small program that connects your AI to a real system - like your PSA, RMM, or backup tool - safely, with your own credentials, running on your own machine. It lets you ask your AI a plain-English question about that system ("which clients had backup failures last quarter?") and get a real answer back, instead of the AI guessing or sending you off to a dashboard.

One thing, many names: what this site calls an MCP server is what ChatGPT calls an app or connector, Claude on the web calls a connector, Microsoft Copilot calls a connector, and Claude Code calls a Skill. Same standard underneath: the Model Context Protocol.

## Why MSP owners use msp-skills

### It answers questions your vendor's API can't

Picture QBR prep: you want backup status across 90 days for 10 clients. Through a normal live API that is roughly 900 calls - paginated, rate-limited, and slow enough that you give up and pull a screenshot instead.

### It joins systems, not just reads one

A connector that only reads one tool answers one tool's questions. The MSP questions that actually matter span systems.

### One quality bar, every connector

Every connector passes the same mechanical verification before it ships:

### It complements what your vendors ship

Your PSA and backup vendors are adding AI, and that is good. Vendor-native AI is excellent for per-ticket work: rewriting a reply, summarizing one ticket, flagging sentiment. It lives inside one product and answers one product's questions.

### Free, local, yours

### The place to get MSP connectors

The vision is simple: one install pattern, every MSP tool. HaloPSA and Servosity are live today; 30+ connectors are coming through a build pipeline, and we build the next ones live with real MSPs in free weekly Build Sessions. Bring the system you want covered and watch it built against a real tenant.

## Connectors

### Abnormal Security (Security)

Page: https://msp-skills.compoundingteams.com/skills/abnormal/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/abnormal/install.sh)

Abnormal Security plus your AI answers the SOC questions the portal makes you click for: what new email threats are still unremediated right now, what numbers go in this quarter's client security report, and an employee's full account-takeover risk picture - each in one command. It syncs your tenant to a local store, ranks the threat queue, and confirms remediations actually completed.

Outcomes (question -> command your AI agent runs):
- What new, unremediated email threats need attention right now? -> abnormal-cli triage --since 24h --top 20
- Pull a client-ready security report for the quarter -> abnormal-cli report-snapshot --since 90d --csv
- What is the account-takeover risk picture for this employee? -> abnormal-cli employee-risk "vip@acme.com"
- Is this vendor showing email-compromise signs? -> abnormal-cli vendor-risk "acme-supplies.com"
- Remediate a threat and block until it actually completes -> abnormal-cli remediate-watch <threat|case> <id>
- List the latest Abnormal cases -> abnormal-cli cases retrieve --all
- How many attacks did we stop this week? -> abnormal-cli aggregations attack-stopped-retrieve
- Find threats from a spoofed sender -> abnormal-cli threats retrieve --sender "ceo@spoofed.com"

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Abnormal Security MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Abnormal Security data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Abnormal API rate limits?
A: It does not have to. A sync pulls your tenant into a local SQLite mirror once, then triage, search, and reporting answer from disk - so repeat questions never touch the API. For live calls you can cap throughput with --rate-limit and page large pulls.
Q: Do I need to be an Abnormal partner or customer?
A: You need API access to an Abnormal Security tenant and a token generated from the portal's integration settings. The REST API does not require a separate partner tier - just a credential scoped to what you want the skill to do.
Q: Can it actually remediate, or only read?
A: It can remediate threats and delete or move malicious messages through the remediation commands, and remediate-watch blocks until Abnormal reports the action reached a terminal state. Those actions are gated behind a human-in-the-loop policy - see the safety model below.
Q: Will it replace the Abnormal portal?
A: No. Detection tuning, policy, and configuration stay in the portal. This is a read-first, action-on-approval surface for your terminal and your agents, not a replacement UI.

Governance: The skill authenticates with a single ABNORMAL_API_TOKEN scoped to your tenant. Read commands - triage, reporting, threat/case/vendor/employee lookups, and API-token metadata - are always safe and can run unattended. Routine writes such as updating a case status, submitting a misclassification report, or managing API resources should be previewed with --dry-run and approved. Remediation actions that delete or move mail, remediate threats, or bulk-import records are human-in-the-loop only.

### Acronis Cyber Protect Cloud (Backup/DR)

Page: https://msp-skills.compoundingteams.com/skills/acronis/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/acronis/install.sh)

MSPs run Acronis Cyber Protect Cloud across dozens of customer tenants, but its partner dashboards report one tenant at a time. Ask your AI "whose backups failed last night," "which agents went offline," or "where am I billing for protection that isn't running," and get the cross-tenant answer in one table - computed offline from a local mirror, not six console drill-downs or a month-end CSV export.

Outcomes (question -> command your AI agent runs):
- Whose backups succeeded, failed, or went stale across every customer last night? -> acronis-cli health
- Show me each failed or missed backup in the last 24 hours, newest first -> acronis-cli failures --since 24h
- Which customers have gone too long without a good backup (SLA breach)? -> acronis-cli freshness --sla 48h --breached
- Which backup agents have silently gone offline across all tenants? -> acronis-cli agents stale --older-than 7d
- Did every customer's agents update after the rollout? -> acronis-cli agents compliance
- Where am I billing for protection that isn't actually running? -> acronis-cli coverage --unprotected
- Which usage has no matching SKU, and which paid SKUs have zero usage? -> acronis-cli reconcile usages
- What grew or shrank in usage between two months? -> acronis-cli usages drift --from 2026-04-01 --to 2026-05-01
- Give me the full picture on one customer before the call -> acronis-cli customer "<TENANT_ID>"
- Which enabled customers are missing users, agents, or offering items? -> acronis-cli tenants audit

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Acronis MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Acronis data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Acronis API rate limits?
A: The local mirror exists so reads stop hitting the API. After the first sync, the cross-tenant views (health, coverage, freshness, agents stale, reconcile usages) run against local SQLite with zero API calls. Live calls respect a --rate-limit throttle, and sync is incremental - it only fetches what changed since the last checkpoint.
Q: Do I need to be an Acronis partner?
A: Yes. You authenticate with an API client created in your own Acronis Management Portal (an OAuth2 client, or a bearer token), so you need partner or admin access to the tenants you want to reach. The CLI can only see what that API client is scoped to.
Q: Which datacenter does it point at?
A: Whichever hosts your Acronis account. Set ACRONIS_DATACENTER (for example us-cloud or eu2-cloud), or pass --datacenter on auth login. The CLI builds the correct regional API host from it, so you don't hand-assemble the datacenter URL in every call.
Q: Will this replace the Acronis console?
A: No. The console stays best for configuring protection plans and running restores. This skill adds the cross-tenant reporting layer the partner dashboards don't - one place to ask whose backups failed, which agents are offline, and where billing and protection diverge.

Governance: The skill drives the acronis-cli and acronis-mcp binaries, authenticating with an Acronis API credential read from the environment (ACRONIS_CYBER_PROTECT_BEARER_AUTH, or an OAuth2 client via auth login) and scoped to your datacenter (ACRONIS_DATACENTER) - never logged, never sent anywhere except the Acronis API. Read commands (the cross-tenant rollups, search, reports) cannot change anything. Writes are not gated by default: --dry-run is an opt-in preview flag, so the recommended policy is an agent-level rule - preview with --dry-run, show the exact command, get approval, then run the write. Keep tenant, agent, and OAuth-client deletion plus the token (idp) commands human-only. The strongest control is the scope of the API client you create in the Acronis Management Portal.

### Action1 (RMM)

Page: https://msp-skills.compoundingteams.com/skills/action1/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/action1/install.sh)

Ask "which endpoints across all my clients are missing the most patches?" and get one ranked list - no clicking org by org. Action1's API and console are siloed per client organization; this skill syncs every org into a local mirror so patch posture, CVE blast-radius, stale agents, and a per-client scorecard become single fleet-wide commands your AI agent runs from the terminal.

Outcomes (question -> command your AI agent runs):
- Which endpoints across all clients are missing the most patches? -> action1-cli fleet patch-posture
- Which CVEs hit the most machines, weighted by severity and known-exploited status? -> action1-cli fleet vuln-triage --kev-only
- Which agents have stopped checking in across the fleet? -> action1-cli fleet stale --days 14
- What is the patch-and-vulnerability posture for each client organization? -> action1-cli fleet org-scorecard
- Which endpoints are waiting on a reboot to finish a patch cycle? -> action1-cli fleet reboot-pending
- Rank every endpoint by overall risk (missing updates, open CVEs, reboot, staleness) -> action1-cli fleet health-score
- What software is installed across the whole fleet, deduped by version? -> action1-cli fleet software-rollup
- What changed since the last sync - what got remediated, what is newly missing? -> action1-cli fleet patch-drift
- List the managed endpoints in one client organization -> action1-cli endpoints managed <orgId>
- What updates are available or missing for one organization? -> action1-cli updates org-id-get <orgId>

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Action1 MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Action1 data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Which Action1 region and credentials do I need?
A: An API client (Client ID + Client Secret) from your Action1 console's API Credentials page, plus ACTION1_REGION set to us, eu, or au to match your console URL. The CLI mints and refreshes the bearer token for you. Scope the client to read-only permissions if you only need reporting.
Q: Does this replace the Action1 console?
A: No. The console stays your place to configure automations and approve patches interactively. This skill answers the cross-organization questions the console shows one org at a time - fleet patch posture, CVE blast-radius, per-client scorecards - and lets your AI agent run them.

Governance: The skill reads freely - fleet rollups, lists, reports, search, export - and those reads change nothing. Routine writes (config edits, including the read-named import command) should be previewed with --dry-run, then approved. Endpoint-level actions like running an automation, approving updates for deployment, or opening a remote session, plus token-minting, user/role management, and deletes, are endpoint-execution, credential, or destructive tier - keep them human-in-the-loop and scope your API client to only the permissions your workflow needs.

### Afi (Backup/DR)

Page: https://msp-skills.compoundingteams.com/skills/afi/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/afi/install.sh)

Ask your AI 'which mailboxes aren't backed up in Afi?' and get the answer across every tenant at once. This skill walks your whole Afi fleet into a local store, then answers coverage gaps, stale backups, license drift, and per-tenant posture offline - no per-tenant portal clicking, no tripping Afi's rate limits - and runs a verified archive-then-release when someone leaves.

Outcomes (question -> command your AI agent runs):
- Which resources have no backup protection at all? -> afi-cli coverage-gaps --agent
- Which protected resources have a stale backup (silent failures)? -> afi-cli backup-stale --max-age 48h --agent
- Is the whole fleet green this morning, or who failed? -> afi-cli fleet-health --failed-only --agent
- What is one tenant's full backup posture for a QBR or ticket? -> afi-cli tenant-scorecard <tenant-id> --agent
- Am I over- or under-licensed on Afi seats? -> afi-cli reconcile-licenses --agent
- Who is jane.doe@example.com in Afi, across Multi-Geo tenants? -> afi-cli resolve <email-or-id> --agent
- Safely back up then release a departing employee's mailbox? -> afi-cli offboard <resource-id> --tenant <tenant-id> --reason "employee departure"

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Afi MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Afi data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this trip Afi's API rate limits?
A: Not if you use it as designed. Afi throttles - and may suspend - applications that poll continuously, so this skill walks the fleet into a local store in one respectful, rate-limited pass with fleet-sync, then answers every question offline against that store. You sync on a schedule, not on every question.
Q: Do I need to be an Afi customer, and what access does the key need?
A: Yes - you need an Afi account and an Application API key (created in the Afi portal: org level under Configuration to Apps, or tenant level under Service to Settings to Apps). The key inherits the Application's installation scope, so the CLI sees exactly the orgs and tenants that Application is installed on. Each Application supports two keys for rotation.
Q: Will this replace the Afi portal?
A: No. Restores, exports, and policy editing still happen in the Afi portal - the public API does not expose them. This skill is the read, report, and guarded-offboard layer: it answers fleet questions and runs the verified archive-then-release, then hands you back to the portal for the actions only it can do.

Governance: The skill reads your Afi fleet (installations, orgs, tenants, resources, protections, policies, archives, quotas, and task stats) and can run a small set of writes: create a child org, import records, trigger a backup, and add a protection. Three commands are genuinely destructive - offboard, protections-unprotect, and archives delete - because they release backup coverage or delete an archive. Let an agent run reads freely; require a human to approve every write, and especially the destructive tier.

### AppDirect (Billing)

Page: https://msp-skills.compoundingteams.com/skills/appdirect/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/appdirect/install.sh)

Ask 'which AppDirect payments failed this week?' or 'reconcile billing before month-close' and get an answer across every reseller company in one call. The skill syncs your whole AppDirect marketplace - subscriptions, invoices, payments, companies, pipeline - into a local mirror, so cross-company billing questions that take hundreds of console clicks return instantly, offline, from your terminal or your AI agent.

Outcomes (question -> command your AI agent runs):
- Which payments failed or stalled in the last week, across every company? -> appdirect-cli payments unpaid --since 7d --json
- What's active-but-unbilled, overdue, or failed before month-close? -> appdirect-cli reconcile --since 30d --agent
- What changed in subscriptions this week - new, ended, or suspended? -> appdirect-cli subs changed --since 7d --json
- Show one customer's full picture - users, subscriptions, invoices, opportunities. -> appdirect-cli company show <companyId>
- What does my assisted-sales pipeline look like by status? -> appdirect-cli pipeline --group-by status --agent
- Which open opportunities have gone stale? -> appdirect-cli pipeline stale --days 14 --json
- Find any company, subscription, invoice, or opportunity by keyword. -> appdirect-cli search "<text>"
- Pull the whole marketplace into a local mirror for offline analysis. -> appdirect-cli sync

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local AppDirect MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my AppDirect data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need to be an AppDirect partner?
A: Yes. The skill authenticates with partner API credentials (OAuth2 client_credentials) for a marketplace you operate or resell on - it is not for end-user purchases on a marketplace you don't control. Point it at your own marketplace with APPDIRECT_BASE_URL if you run a white-label domain.
Q: Will this hit AppDirect's API rate limits?
A: It is built to avoid them. The marketplace REST API uses leaky-bucket rate limits (for example, 20-request buckets that refill a few per second); because this skill syncs to a local mirror and answers most questions offline, your day-to-day queries make almost no live calls. Sync itself respects the limits and you can cap request rate with --rate-limit.

Governance: The skill reads marketplace data - companies, users, subscriptions, invoices, payments, and the assisted-sales pipeline - and those reads are always safe. It can also write: create and update companies, users, memberships, and opportunities; touch money-moving operations like purchases and payment instruments; and delete or expire records. Keep an autonomous agent to reads plus previewed (--dry-run) writes, and require a human for payment/credential and destructive (delete, cancel, expire) operations.

### Atera (RMM)

Page: https://msp-skills.compoundingteams.com/skills/atera/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/atera/install.sh)

Ask plain-English questions about your whole Atera estate and get answers the portal can't assemble in one view: which agents went dark, which tickets are about to breach SLA, which customers are under-contracted, and what contracts expire next quarter. `atera-cli` syncs Atera into a local SQLite mirror, then answers cross-client rollups instantly and offline - from the terminal or any AI agent.

Outcomes (question -> command your AI agent runs):
- Which agents have gone offline or stopped checking in? -> atera-cli agents stale --days 30
- Which open tickets are closest to breaching SLA? -> atera-cli tickets sla
- Who is overloaded on the service desk right now? -> atera-cli tickets workload
- Which customers have managed agents but no active contract? -> atera-cli customers coverage
- What contracts expire in the next 60 days? -> atera-cli contracts expiring --days 60
- What's my full book of business by customer and contract mix? -> atera-cli customers book
- Which machines generate the most alerts over a week? -> atera-cli agents noisy --days 7
- What's the patch-compliance picture across the fleet? -> atera-cli agents patch-status
- Which machines are running an end-of-life OS? -> atera-cli agents inventory --eol
- What changed across agents, tickets, and alerts in the last 24 hours? -> atera-cli since 24h

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Atera MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Atera data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Atera API rate limits?
A: Rarely. Most questions run against the local SQLite mirror after a one-time `sync`, so they make zero API calls. The few commands that fetch live (like `agents patch-status`) are paced under Atera's 700-requests-per-minute limit.
Q: Do I need to be an Atera partner?
A: No. You need an Atera account and an API key created under Admin → API. Any plan that exposes the API works; nothing here requires a special partner tier.
Q: Will this replace my Atera portal?
A: No - it complements it. The portal stays your system of record and remote-access console; this skill adds the cross-client, terminal-and-AI query layer the portal doesn't offer.

Governance: The skill reads everything - agents, tickets, customers, contracts, alerts, devices, rates, and custom fields - and can also create, update, and delete those records through the Atera API. Reads, including every cross-client rollup, are always safe to run; routine writes should be previewed with `--dry-run` and approved before they fire; deletes and credential changes are human-in-the-loop only. The CLI can only do what your Atera API key is permitted to do, so scope the key to the workflow.

### Autotask PSA (PSA)

Page: https://msp-skills.compoundingteams.com/skills/autotask/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/autotask/install.sh)

MSPs run Autotask PSA as the system of record - tickets, time, contracts, billing. Ask your AI "what's gone stale on the service desk," "which approved time hasn't been invoiced," or "how burned is that block-hours contract," and get answers the portal can't compose: cross-entity rollups across tickets, time, contracts, and resources, computed offline from a local mirror in one query instead of a LiveReport and an Excel export.

Outcomes (question -> command your AI agent runs):
- Which approved time entries haven't been invoiced yet? -> autotask-cli unbilled
- How stale is the service desk right now, bucketed by age? -> autotask-cli ticket-aging
- Which open tickets has nobody touched in a week? -> autotask-cli stale --days 7
- Which unassigned tickets should the dispatcher pick up first? -> autotask-cli triage
- Who's overloaded before I assign the next ticket? -> autotask-cli workload
- How burned are our block-hour contracts, and when do they run out? -> autotask-cli retainer
- Everything we know about one company - tickets, contacts, contracts, config items, opportunities? -> autotask-cli company-360 "1234"
- What's the month-end billing picture - unbilled time, contract burn, money on the table? -> autotask-cli reconcile
- What's the label-to-ID map for the ticket status picklist? -> autotask-cli picklist "Tickets" "status"

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Autotask MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Autotask data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: What credentials do I need?
A: An API-only user created in your own Autotask instance, which gives you a UserName and Secret, plus the tracking Integration Code from your integration vendor record. Set AUTOTASK_PSA_USER_NAME, AUTOTASK_PSA_SECRET, and AUTOTASK_PSA_API_INTEGRATION_CODE in your environment. The API user's security level is the real permission boundary - scope it to exactly what you want the AI to reach.
Q: Do I have to figure out my Autotask zone URL?
A: No. Autotask hosts each tenant in a numbered zone (webservicesN.autotask.net). Run autotask-cli zone once and the CLI discovers and caches your tenant's base URL, the same way Autotask's own docs tell integrations to make a zone-information request first.
Q: Will this blow through my Autotask API limits?
A: Autotask meters API calls per database in a rolling 60-minute window and adds latency as you approach the threshold. The local mirror exists so reads stop hitting the API: after the first sync, the cross-entity views (unbilled, reconcile, retainer, company-360, ticket-aging, triage, workload) run against local SQLite with zero API calls, and sync is incremental - it only fetches what changed since the last checkpoint.
Q: How do I deal with status and priority being numbers, not labels?
A: Run autotask-cli picklist "Tickets" "status" (or any entity and field) and it prints the label-to-ID map from cached field metadata, so you can read reports and build filters without memorizing the integer IDs Autotask stores categorical fields as.
Q: Is this Datto Autotask PSA or just Autotask?
A: Same product. Autotask PSA is now branded Datto Autotask PSA under Kaseya; this skill targets the Autotask REST API, which both names refer to. It does not cover Datto RMM - that is a separate product with a separate API.

Governance: The skill drives the autotask-cli and autotask-mcp binaries, authenticating with an Autotask API user's credentials read from the environment (AUTOTASK_PSA_USER_NAME, AUTOTASK_PSA_SECRET, AUTOTASK_PSA_API_INTEGRATION_CODE) - never logged and never sent anywhere except your own Autotask zone. Read commands (the cross-entity views, search, picklist) can change nothing. Writes are not gated by default: --dry-run is an opt-in preview flag, so the recommended policy is an agent-level rule - preview with --dry-run, show the exact command, get approval, then run the write. Keep the delete commands and any security-level administration human-only. The strongest control is the security level on the API user you create.

### Axcient x360Recover (Backup/DR)

Page: https://msp-skills.compoundingteams.com/skills/axcient/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/axcient/install.sh)

MSPs run Axcient x360Recover across dozens of clients, but the portal answers one entity at a time and the public API famously won't tell you which client a device belongs to. Ask your AI "whose backups failed last night," "who's breaching RPO," or "what do I bill each client this month," and get the fleet-wide answer in one table - computed offline from a local mirror that joins the device, job, restore-point, and client data the raw API leaves unconnected.

Outcomes (question -> command your AI agent runs):
- Whose backups failed or went stale across every client last night? -> axcient-cli health
- Give me one row per client: devices total, failing, stale, RPO-breach, and AutoVerify-fail counts -> axcient-cli client-rollup
- Which devices are past their recovery-point objective, grouped by client? -> axcient-cli rpo --hours 24
- Only show the devices actually breaching RPO at the cloud tier -> axcient-cli rpo --hours 24 --target cloud
- Produce backup-compliance evidence for one client (restore-point age + AutoVerify + RPO verdict) -> axcient-cli compliance --client 42 --hours 24 --csv
- Only the compliance rows that fail RPO or AutoVerify -> axcient-cli compliance --failing-only
- What does each client consume for invoice reconciliation this month? -> axcient-cli billing --csv
- Which devices does each appliance protect, and what state are those backups in? -> axcient-cli appliance-map
- Find everything matching a client or device name across synced data -> axcient-cli search "Acme Corp"
- Refresh the local mirror, then run the morning sweep -> axcient-cli sync && axcient-cli health --agent

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Axcient MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Axcient data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Axcient API rate limits?
A: The local mirror exists so reads stop hitting the API. After the first sync, the fleet views (health, client-rollup, rpo, compliance, billing, appliance-map) run against local SQLite with zero API calls. Live calls respect a --rate-limit throttle, and sync is incremental - it only fetches what changed since the last checkpoint.
Q: What kind of Axcient credential do I need?
A: An organization-scoped API key created in the x360Portal (Settings > API Keys, admin role required). The CLI sends it as the X-Api-Key header and can only see what that key is scoped to. Set it as AXCIENT_API_KEY; nothing is written to disk.
Q: Can I try it without a real tenant?
A: Yes. Axcient hosts a public mock server - set AXCIENT_BASE_URL=https://ax-pub-recover.wiremockapi.cloud/x360recover with any non-empty AXCIENT_API_KEY and the whole CLI runs against fixtures, no real credentials needed.
Q: Does this cover x360Sync or x360Cloud?
A: No. This skill is the x360Recover (BCDR) public API only - vaults, appliances, devices, jobs, restore points, AutoVerify, and usage. x360Sync and x360Cloud are separate products with separate APIs.

Governance: The skill drives the axcient-cli and axcient-mcp binaries, authenticating with an organization-scoped API key (AXCIENT_API_KEY) read from the environment and sent as the X-Api-Key header - never written to disk, never logged, never sent anywhere except the Axcient API. The surface is overwhelmingly read-only: every fleet view (health, client-rollup, rpo, compliance, billing, appliance-map) and every resource read cannot change anything. Only three commands write - vault threshold set-by-vault-id and the bulk import <resource> mutate or create data, and client vault get-d2c-agent-token-by-client-and-ids mints a direct-to-cloud agent install token - so the recommended policy is read plus previewed (--dry-run) writes, with a human in the loop for the token mint. The strongest control is the scope of the API key you create in the x360Portal.

### Better Stack (Monitoring)

Page: https://msp-skills.compoundingteams.com/skills/betterstack/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/betterstack/install.sh)

Ask your AI "what's down and is anyone actually paged?" and get a straight answer across your whole Better Stack account: every client's monitors, heartbeats, open incidents, and on-call rotation in one view. It surfaces the silent monitors that page nobody, the noisy ones waking techs at 3am, your real MTTA/MTTR, and status pages showing green while a monitor is down.

Outcomes (question -> command your AI agent runs):
- What's down right now and is anyone actually paged? -> betterstack-cli down
- Which monitors would page nobody if they failed? -> betterstack-cli coverage
- What's our MTTA and MTTR over the last 30 days, by monitor? -> betterstack-cli mttr --days 30 --by-monitor --top 10
- Which monitors are the noisiest over the last week? -> betterstack-cli flapping --days 7 --top 10
- Is anyone actually on call right now, or is there a gap? -> betterstack-cli oncall-gaps
- Which heartbeats are most at risk of a silent miss? -> betterstack-cli heartbeat-risk --top 10
- Are any status pages green while a monitor has an open incident? -> betterstack-cli statuspage-audit
- How healthy is each client group right now? -> betterstack-cli group-health
- Give me one health board for the whole account. -> betterstack-cli fleet
- Which open incidents are oldest and still unacknowledged? -> betterstack-cli triage

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Better Stack MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Better Stack data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Better Stack API rate limits?
A: No. The skill syncs once into a local SQLite mirror, then answers from local data, so repeated questions never touch the API. Only sync, live writes, and the status-page resource fan-out (used by statuspage-audit) call Better Stack.
Q: Do I need a paid Better Stack plan?
A: You need a Better Stack account with an API token. The analytics run against whatever monitors, heartbeats, incidents, on-call calendars, and status pages your plan includes - the skill reads what your token can see.
Q: Will this replace the Better Stack portal?
A: No, it complements it. The portal is still where you configure monitors and watch live. This skill answers the cross-account questions the portal makes you click through - coverage gaps, MTTA/MTTR, on-call gaps, status-page drift - from your AI.

Governance: The skill reads your Better Stack monitors, heartbeats, incidents, on-call calendars, and status pages, and it can create or update monitors, heartbeats, groups, policies, and status-page sections, acknowledge or resolve incidents, bulk-import records, and delete resources. Reads are always safe to allow. Routine writes - creates, updates, incident acknowledge/resolve, and import - should be previewed with --dry-run and approved. Deletes are human-in-the-loop only.

### Blumira (Security)

Page: https://msp-skills.compoundingteams.com/skills/blumira/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/blumira/install.sh)

Running Blumira across a book of client accounts? Ask your AI "what are the worst open findings everywhere," "which detections fell out of coverage this week," or "which domain controllers went dark," and get one cross-account answer the Blumira portal can't compose. Every sub-account is mirrored into a local store, so one ranked triage queue, one MTTR rollup, and one coverage-drift report replace dozens of one-account-at-a-time portal logins.

Outcomes (question -> command your AI agent runs):
- What are the worst open findings across all my client accounts right now? -> blumira-cli triage --status open
- What changed since my last sync, new, resolved, or status-changed findings? -> blumira-cli drift
- What's my mean-time-to-resolve per account over the last month? -> blumira-cli velocity --by account --window 30d
- Which open findings are about to breach my age-based SLA? -> blumira-cli sla --breach-in 4h
- Which detection rules are missing or disabled versus our basis ruleset? -> blumira-cli coverage --against basis
- Which domain controllers are stale or unprotected across every account? -> blumira-cli exposure --flag-dc-stale
- Which findings were resolved and then re-fired? -> blumira-cli audit --min-reopens 1
- Which detections keep firing over and over across accounts? -> blumira-cli recurring --window 90d
- Give me one per-account rollup of open findings, age, and agent health? -> blumira-cli overview
- Which findings mention this IOC, hostname, or user in their evidence? -> blumira-cli evidence-search "<ioc>"
- Pull every account's Blumira data into a local mirror for offline questions? -> blumira-cli sync
- Give me a flat finding-to-owner-to-status table to reconcile against my PSA? -> blumira-cli reconcile --status open
- Which analyst is carrying the most open findings, and how old are they? -> blumira-cli workload

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Blumira MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Blumira data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need a Blumira partner account for the cross-account views?
A: The cross-account commands (triage, overview, coverage across every client) read Blumira's MSP sub-account API, so they need partner API credentials with sub-account access. A single-org account still gets every direct-org command, findings, evidence search, and agent and detection rollups, plus offline sync. Generate credentials under Settings > Organization > Generate API Credentials, then run `blumira-cli auth login`.

Governance: The skill reads findings, detections, agents, and evidence through your Blumira API credential and mirrors them into a local store. It can add comments, resolve findings, and assign owners when you ask, but those writes are opt-in and best previewed with --dry-run first. The safe default for an autonomous agent is read plus planned (dry-run) writes; keep a human on anything that resolves a finding or reassigns ownership.

### CIPP (Security)

Page: https://msp-skills.compoundingteams.com/skills/cipp/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/cipp/install.sh)

CIPP manages Microsoft 365 across all your client tenants, but its portal and API work one tenant at a time. Ask your AI "which tenants are off our security baseline" or "where are we paying for unused licenses" and get the cross-tenant answer the UI never renders: one fan-out pulls every tenant into a local store, then posture, license-waste, stale-account, and standards-drift rollups run instantly - offline, across the whole fleet.

Outcomes (question -> command your AI agent runs):
- Which tenants still have users without MFA registered? -> cipp-cli posture --dimension mfa
- How does Conditional Access coverage compare across all tenants? -> cipp-cli posture --dimension ca
- Where am I paying for M365 licenses nobody uses? -> cipp-cli licenses waste
- Which licensed accounts haven't signed in for 90 days, across every client? -> cipp-cli users stale --days 90
- Which tenants drifted off our security baseline since the last check? -> cipp-cli standards drift
- Pull one read across every client tenant at once and keep it locally -> cipp-cli fanout --endpoint /ListUsers --all-tenants --save
- Offboard a batch of departures from a CSV with 429 backoff and resume -> cipp-cli bulk --from offboards.csv --execute
- Are my CIPP credentials and connectivity healthy? -> cipp-cli doctor

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local CIPP MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my CIPP data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local store are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need my own CIPP instance to use this?
A: Yes - this drives your own self-hosted CIPP instance's API. In CIPP you create an API client (it issues a client ID, secret, tenant ID, and token URL); the CLI authenticates with OAuth2 client credentials via 'cipp-cli auth login', or you save a bearer token with 'cipp-cli auth set-token'. It reads and acts through your CIPP - it does not replace it.
Q: Will this hit Microsoft Graph or CIPP rate limits?
A: The cross-tenant rollups (posture, licenses waste, users stale, standards drift) read the local store after one fan-out, so repeat questions cost zero API calls. fanout throttles with --concurrency and the client retries 429s with Retry-After; bulk checkpoints completed rows with --resume so a throttled batch continues instead of restarting.
Q: Can this change my tenants, or only read?
A: Both. CIPP is a full management API, so the CLI can create users, offboard, set forwarding, and more. But the fleet rollups are read-only, and bulk prints its plan by default and only writes when you pass --execute. If you want reporting only, scope the API client to read-only in CIPP - the credential is the boundary.
Q: Does it replace the CIPP portal?
A: No. CIPP stays your portal for deep single-tenant work. This skill adds the cross-tenant reporting layer and lets your AI agent drive CIPP from natural language.

Governance: The skill drives the cipp-cli and cipp-mcp binaries, authenticating to your self-hosted CIPP instance with a bearer token from CIPP_API_KEY (obtained via OAuth2 client credentials - 'auth login' performs and caches the exchange) read from the environment, never logged or sent anywhere except the CIPP API. CIPP is a read-write management API: read and rollup commands change nothing; bulk prints its plan and only writes with --execute; everything else (create/edit/offboard/delete, MFA and token actions) sends on run unless you pass --dry-run first. The real permission boundary is the scope you grant the API client in CIPP, so keep autonomous agents to reads plus previewed writes.

### ConnectWise PSA (Manage) (PSA)

Page: https://msp-skills.compoundingteams.com/skills/connectwise-manage/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/connectwise-manage/install.sh)

MSPs run ConnectWise PSA (Manage) as the system of record - tickets, time, agreements, billing. Ask your AI "what's rotting on the board," "which closed tickets have no time logged," or "how burned is that block-hours agreement," and get answers the portal can't compose: cross-entity joins across tickets, time, agreements, and configurations, computed offline from a local mirror in one query instead of five portal screens and an Excel export.

Outcomes (question -> command your AI agent runs):
- Which tickets did we touch this week that have zero time logged against them? -> connectwise-manage-cli unbilled --since 7d
- Which clients are about to blow through their block-hours agreement? -> connectwise-manage-cli agreement-burn --period 30d
- What does the Help Desk board look like right now - age, owner, priority? -> connectwise-manage-cli board "Help Desk"
- Which open tickets has nobody touched in five days? -> connectwise-manage-cli stale --days 5
- Who has bandwidth for the next ticket? -> connectwise-manage-cli workload
- Which tickets are sitting unassigned on the board? -> connectwise-manage-cli board "Help Desk" --unassigned
- Everything we know about one client - contacts, agreements, configurations, open tickets? -> connectwise-manage-cli account AcmeCorp
- Write me a valid conditions filter for open Help Desk tickets -> connectwise-manage-cli condition build --field board/name --op = --value "Help Desk" --field closedFlag --op = --value false

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local ConnectWise Manage MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my ConnectWise Manage data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my ConnectWise API rate limits?
A: The local mirror exists so reads stop hitting the API. After the first sync, the cross-entity views (unbilled, account, agreement-burn, board, stale, workload) run against local SQLite with zero API calls. Live calls respect a --rate-limit throttle, and sync is incremental - it only fetches what changed since the last checkpoint.
Q: Is this for ConnectWise PSA or ConnectWise Manage?
A: Same product - ConnectWise renamed Manage to ConnectWise PSA. This skill targets the Manage REST API (v4_6_release/apis/3.0), which is the API both names refer to. It does not cover ConnectWise Automate - that is a separate product with a separate API.
Q: What credentials do I need?
A: An API Member with public/private keys from your own Manage instance, plus a clientId from the ConnectWise developer portal. Set CW_COMPANY_ID, CW_PUBLIC_KEY, CW_PRIVATE_KEY, and CW_CLIENT_ID in your environment; CW_SITE selects your region or on-prem host. The API Member's security role is the real permission boundary - scope it to what you want the AI to reach.
Q: Does it work with on-premises ConnectWise Manage?
A: Yes. CW_SITE accepts your own server's hostname as well as the cloud region hosts; the CLI builds the standard v4_6_release/apis/3.0 base URL either way.

Governance: The skill drives the connectwise-manage-cli and connectwise-manage-mcp binaries, authenticating with API Member keys read from the environment (CW_COMPANY_ID, CW_PUBLIC_KEY, CW_PRIVATE_KEY, CW_CLIENT_ID) - never logged and never sent anywhere except your ConnectWise Manage instance. Read commands (boards, cross-entity views, search, reports) can change nothing. Writes are not gated by default: --dry-run is an opt-in preview flag, so the recommended policy is an agent-level rule - preview with --dry-run, show the exact command, get approval, then run the write. Keep delete and member-administration commands human-only. The strongest control is the security role on the API Member you create.

### Cove Data Protection (Backup/DR)

Page: https://msp-skills.compoundingteams.com/skills/cove/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/cove/install.sh)

Ask which Cove backups failed last night and get every failed, aborted, or never-started device across all your customers in one sweep, the status codes decoded to plain names. Cove's console scopes to one partner at a time and forgets yesterday; this skill speaks the whole JSON-RPC API and keeps a local snapshot history, so storage-growth and what-changed-since-Friday trends exist at all.

Outcomes (question -> command your AI agent runs):
- Which devices failed their last backup since yesterday? -> cove-cli devices failures --since 24h --json
- Which devices have had no successful backup in 3 days? -> cove-cli devices stale --days 3 --json
- What is the fleet-wide health rollup, broken down per customer? -> cove-cli fleet health --by partner --json
- Which devices and customers grew their storage fastest this week? -> cove-cli storage growth --since 7d --json
- What is the month-end billing usage per device, with codes decoded? -> cove-cli billing usage --csv
- Which device SKUs or seat counts changed since last month? -> cove-cli billing changes --json
- Which backup statuses flipped since my last snapshot? -> cove-cli devices changes --since 7d --json

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Cove Data Protection MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Cove Data Protection data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: What kind of Cove account does it need?
A: An API-enabled backup.management user: a Security Officer service account with the API flag set. Interactive two-factor logins cannot use the JSON-RPC API. You set COVE_USERNAME and COVE_PASSWORD once; the skill exchanges them for a cached session visa and refreshes it automatically.
Q: Can it restore files or browse backed-up data?
A: No. This skill speaks the Cove management API: fleet health, billing, storage trends, and enumeration. Restores and per-session file browsing run through the Backup Manager client and the storage-node Reporting Service, which this CLI does not cover.

Governance: The skill is read-first: every command that touches Cove reads (failure sweeps, health rollups, billing, storage, enumeration) and changes nothing in your tenant. The local commands (sync, snapshot, auth) write only to your machine's SQLite mirror and session cache. The one escape hatch, call, can invoke any JSON-RPC method including the few that mutate, so keep it human-reviewed. Recommended policy: allow reads freely; gate call and anything that writes behind a human.

### CrowdStrike Falcon (Security)

Page: https://msp-skills.compoundingteams.com/skills/crowdstrike/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/crowdstrike/install.sh)

Running CrowdStrike Falcon across a book of client tenants? Ask your AI "what should I triage first across every CID," "which sensors went silent," or "where are the critical vulnerabilities," and get one cross-tenant answer the Falcon console can't compose. Every child CID is mirrored into one local store keyed by CID, so a single scorecard, vuln ranking, and stale-sensor sweep replace flipping Flight Control tenant by tenant.

Outcomes (question -> command your AI agent runs):
- What should I triage first across all my client tenants right now? -> crowdstrike-cli fleet alerts --status new
- Rank the critical vulnerabilities across every tenant? -> crowdstrike-cli fleet vulns --severity critical
- Which hosts haven't reported a sensor heartbeat lately? -> crowdstrike-cli fleet stale --days 14
- Give me one posture scorecard per tenant for the QBR deck? -> crowdstrike-cli fleet scorecard
- Which tenants are under-protected versus my prevention-policy baseline? -> crowdstrike-cli fleet policy-drift
- Which single fix clears the most hosts and tenants? -> crowdstrike-cli fleet remediate --severity critical
- Which tenants got worse since the last sync? -> crowdstrike-cli fleet trend
- Map every child CID, CID group, and role grant across my MSSP? -> crowdstrike-cli fleet tenants
- Search every synced host, alert, vuln, and policy across all tenants? -> crowdstrike-cli fleet search "<query>"
- Pull every child tenant's Falcon data into a local mirror for offline queries? -> crowdstrike-cli fleet sync --all-cids

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local CrowdStrike MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my CrowdStrike data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need a parent (MSSP) CID for the fleet commands?
A: Yes. The cross-tenant fleet commands need a parent-CID Falcon API client with Flight Control (MSSP) scope so fleet sync can discover and pull every child CID. Without it, sync degrades gracefully to the single authenticated CID and the fleet rollups simply cover that one tenant. The per-CID commands (alerts, devices, spotlight, policy) work against any single tenant's client.
Q: Will this hit my CrowdStrike API rate limits?
A: The local store exists so reads stop hitting the API. After fleet sync, every cross-tenant view (fleet alerts, vulns, stale, scorecard, policy-drift, remediate, trend, tenants, search) runs against local SQLite with zero API calls, and live calls respect a --rate-limit throttle. The trend and policy-drift analytics need at least two syncs to have history to diff.
Q: What scopes does the Falcon API client need?
A: Read scopes for the entities you query - Alerts (read), Hosts (read), Spotlight Vulnerabilities (read), Prevention Policies (read), and for the fleet commands a parent-CID client with Flight Control / MSSP read. Add write scopes (Hosts write, Prevention Policies write) only if you intend to contain hosts or edit policies. Mint a read-only client for reporting workflows and keep write scope for the rare case you actually need it - the client's scopes are the real permission boundary.
Q: Does it replace the Falcon console?
A: No. The console stays best for hunting, RTR sessions, policy authoring, and the interactive response workflow inside one CID. This skill adds cross-tenant queries and scriptable actions to your AI agent so you stop scoping into each CID to answer book-wide questions.

Governance: The skill drives the crowdstrike-cli and crowdstrike-mcp binaries, authenticating with a Falcon API client (FALCON_CLIENT_ID + FALCON_CLIENT_SECRET, plus an optional CROWDSTRIKE_OAUTH_SCOPE) read from the environment, never logged and never sent anywhere except the CrowdStrike API. The read commands (every fleet rollup, the alerts/devices/spotlight/policy/mssp query and get commands, search, doctor) change nothing. Writes are not gated by default: --dry-run is an opt-in preview flag, so the recommended policy is an agent-level rule - preview with --dry-run, show the exact command, get approval, then run the write. Keep the destructive tier (devices delete-host-groups, policy delete-prevention-policies, the mssp delete-* and deleted-roles commands) and the devices perform-action-v2 host actions (contain, delete) human-only. The strongest control is the scope you grant the Falcon API client.

### Datto BCDR (Backup/DR)

Page: https://msp-skills.compoundingteams.com/skills/datto-bcdr/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/datto-bcdr/install.sh)

Ask in plain English which Datto backups failed their last screenshot verification, which clients are most at risk, and which appliance fills up first - and get the answer across your whole fleet in seconds. The Datto BCDR API answers one appliance at a time; this skill mirrors every device, agent, and alert locally, so the fleet-wide question the Partner Portal can't answer becomes one instant command.

Outcomes (question -> command your AI agent runs):
- Which protected machines failed their last backup screenshot verification? -> datto-bcdr-cli screenshots --failed --stale-days 7 --agent
- Which agents are behind on local snapshots or offsite sync? -> datto-bcdr-cli stale-backups --local-days 1 --offsite-days 3 --agent
- What percentage of my fleet is actually recoverable right now? -> datto-bcdr-cli recoverability --agent
- Which clients are most at risk across backups, alerts, and storage? -> datto-bcdr-cli client-risk --top 10 --agent
- Show me every open alert across the whole fleet, grouped by client. -> datto-bcdr-cli alert-triage --group-by client --agent
- Which appliance runs out of local or offsite storage first? -> datto-bcdr-cli storage-runway --threshold-pct 85 --agent
- Which protected machines are paused, archived, or on an appliance that went dark? -> datto-bcdr-cli forgotten-assets --offline-days 2 --agent
- Which machines are running an outdated backup agent? -> datto-bcdr-cli agent-versions --outdated --agent
- Give me a one-page backup health report for a single client before the QBR. -> datto-bcdr-cli client-report "Acme Corp" --agent

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Datto BCDR MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Datto BCDR data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need to be a Datto partner to use this?
A: Yes. It uses the Datto BCDR REST API, which needs a partner-generated public/secret key pair from the Partner Portal under Admin > Integrations. If you manage Datto BCDR appliances, you already qualify - the CLI base64-encodes the key pair into the Authorization header on every request.
Q: Will this hit my Datto BCDR API rate limits?
A: It's gentle by design. The first sync pulls each resource with bounded pagination, and you can cap throughput with --rate-limit. After that, fleet questions run against the local mirror and make zero API calls - --data-source local never touches the API at all.
Q: Does this replace the Datto Partner Portal?
A: No. It answers the fleet-wide, cross-client questions the per-appliance portal can't, and it's read-only for everyday use - you still use the portal for restores, virtualization, and device configuration.
Q: Can it change anything in Datto, or just read?
A: Read-only for everyday use - every analysis, list, and report command only reads. The single exception is `import`, an explicit bulk data-load command you would never run by accident; preview it with --dry-run first.

Governance: The datto-bcdr skill is read-only for everyday use: it reads your Datto BCDR fleet (devices, agents, shares, alerts, screenshots) and writes only to a local SQLite mirror on your machine. The single API-mutating command is `import`, a bulk data load you preview with --dry-run; nothing else can change remote state. Scope the partner key pair to what your workflow needs, and keep autonomous agents to read plus previewed imports.

### Datto RMM (RMM)

Page: https://msp-skills.compoundingteams.com/skills/datto-rmm/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/datto-rmm/install.sh)

Ask in plain English which endpoints across every client have gone dark, lost antivirus, fallen behind on patches, or are about to drop out of warranty - and get the list in seconds. Datto RMM plus your AI agent reads a local mirror of your whole multi-site fleet, so the cross-customer questions the portal makes you click through site by site become one instant, reproducible answer.

Outcomes (question -> command your AI agent runs):
- Which devices haven't checked in for 30 days, across every client? -> datto-rmm-cli fleet stale --days 30 --agent
- Where is antivirus missing, disabled, or not running? -> datto-rmm-cli fleet av-gaps --status not-running --agent
- Which endpoints are most behind on patches right now? -> datto-rmm-cli fleet patch-gaps --min-missing 5 --agent
- Which devices have warranties expiring in the next 60 days? -> datto-rmm-cli fleet warranty --within 60 --agent
- Which devices are generating the most alert noise this week? -> datto-rmm-cli fleet storms --days 7 --top 20 --agent
- Give me a one-page health scorecard for a client before the QBR. -> datto-rmm-cli fleet scorecard "Acme Corporation" --agent
- How many copies of an app are installed fleet-wide, and which versions? -> datto-rmm-cli fleet sprawl --name "Google Chrome" --agent
- Which devices are running an out-of-date RMM agent? -> datto-rmm-cli fleet agent-drift --agent

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Datto RMM MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Datto RMM data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Datto RMM API rate limits?
A: It's gentle by design. The skill syncs your fleet into a local mirror once, then answers fleet-wide questions from that mirror instead of calling the API per question. You re-sync on your own cadence; everyday analytics run offline against the local store.
Q: Do I need to be a Datto partner or have special permissions?
A: You need an API key and secret key from Setup > Users in your Datto RMM portal (the OAuth API user). The skill can only do what that API user is allowed to do, so scope the user to the access your workflow actually needs.

Governance: The skill reads your Datto RMM fleet and writes only when you ask it to - creating or updating variables, warranty and UDF data, sites, and quick jobs. Every fleet rollup, search, and lookup is read-only and always safe to run. Deleting variables or site proxy settings, bulk-resolving alert storms, and resetting your API keys are gated as destructive or credential operations and should stay human-in-the-loop.

### Domotz (Network Monitoring)

Page: https://msp-skills.compoundingteams.com/skills/domotz/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/domotz/install.sh)

Ask your AI "which client sites have devices down right now?" and get one answer instead of clicking through the Domotz portal Collector by Collector. domotz-cli syncs every Collector into a local mirror, so cross-site rollups - fleet health, every offline device, overnight new-device sweeps, one unified asset inventory - come back as single offline queries your agent can run in seconds.

Outcomes (question -> command your AI agent runs):
- Is anything on fire across all my sites? -> domotz-cli fleet health --agent
- Which Collectors (sites) are offline or degraded right now? -> domotz-cli fleet agents --agent
- What devices are offline across every client? -> domotz-cli fleet offline --agent
- What new devices appeared on any network in the last day? -> domotz-cli fleet new --since 24h --agent
- Give me one asset inventory across every site -> domotz-cli fleet inventory --csv
- Where are IP conflicts across the fleet? -> domotz-cli fleet ip-conflicts --agent
- Which devices can't be fully monitored (auth or SNMP gaps)? -> domotz-cli fleet unmonitored --agent
- How many devices of each vendor do we manage? -> domotz-cli fleet breakdown --by vendor --agent
- Which Collectors have gone quiet (stale sync)? -> domotz-cli fleet stale --agent
- Find a hostname or IP anywhere in the synced fleet -> domotz-cli search "<query>"

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Domotz MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Domotz data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need a special Domotz plan to use the API?
A: No add-on is required - you generate an API Key from the Domotz Portal under Settings > Services > API Keys on your existing account. A handful of endpoints (company areas, team moves, some RBAC) are Enterprise-plan only; everything else works on standard accounts, and the CLI returns a clear error when a plan gates an endpoint.

Governance: The skill reads your Domotz fleet - Collectors, devices, variables, alerts, and topology - and can also create and delete monitoring objects, control device power outlets, and change SNMP credentials. Reads are safe to run unattended with one exception: reading SNMP authentication returns community strings and keys, so treat it like a secret. Keep an autonomous agent to reads plus previewed writes, and require a human for anything that deletes, controls hardware, or touches credentials.

### Gradient MSP (Billing)

Page: https://msp-skills.compoundingteams.com/skills/gradient/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/gradient/install.sh)

Ask your AI to push tonight's usage counts, tell you which accounts' billing changed since the last push, and confirm an alert actually became a PSA ticket - and it runs the real Gradient MSP Synthesize commands and shows you the receipts. The full vendor API from your terminal, plus a local push ledger and offline mirror that Gradient's PowerShell SDK cannot give you.

Outcomes (question -> command your AI agent runs):
- Push a whole file of usage counts and rebuild billing exactly once? -> gradient-cli usage push --file ./counts.csv --agent
- Which accounts' usage changed between my last two pushes? -> gradient-cli usage drift --agent
- Send an alert and confirm the PSA ticket was actually created? -> gradient-cli alert send --account "123456789" --title "Backup failure" --wait --agent
- Which of my dispatched alerts never became tickets? -> gradient-cli alert trace --stuck --agent
- Which accounts are unmapped or missing a vendor SKU? -> gradient-cli hygiene unmapped --agent
- Is my integration ready to flip to active? -> gradient-cli status ready --agent
- Add a single ad-hoc unit count for one account and service? -> gradient-cli billing <serviceId> --account-id "123456789" --unit-count 42
- Are my credentials valid and what's my integration status? -> gradient-cli integration get --agent

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Gradient MSP MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Gradient MSP data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Which credentials do I need, and how do I set them?
A: A Synthesize vendor token. Set GRADIENT_TOKEN to the base64 of <vendorApiKey>:<partnerApiKey>, or set GRADIENT_VENDOR_API_KEY and GRADIENT_PARTNER_API_KEY and the CLI derives the token for you. Run gradient-cli integration get to confirm the credential works.
Q: Does this replace the Synthesize portal or Managed Billing Reconciliation?
A: No. Mapping approval and reconciliation review still happen in the Synthesize portal (or are handled by Gradient's MBR service). This CLI is the vendor and integration side: it pushes accounts, services, and usage counts in, audits what was pushed, and traces alerts to PSA tickets. It complements the portal, it does not log into it.

Governance: The skill reads your Synthesize accounts, services, mappings, integration status, and local push ledger, and it can write: push usage counts, create or update accounts, services, and mappings, dispatch alerts, and flip integration status. There are no vendor-side delete commands. Keep an autonomous agent to reads plus previewed (--dry-run) writes, and require a human to approve any count push, mapping change, or status flip.

### HaloPSA (PSA)

Page: https://msp-skills.compoundingteams.com/skills/halopsa/
Badge: Live-verified
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/halopsa/install.sh)

MSPs run HaloPSA as the service desk - tickets, SLAs, contracts, and the queue that never stops. Ask your AI "what's about to breach SLA," "who's overloaded," or "what's the whole story for this client," and get an answer the portal can't compose in one shot: cross-entity rollups across tickets, clients, contracts, time, and assets, joined offline in one query instead of clicking through five tabs. A local SQLite mirror means QBR-time questions don't hit rate limits.

Outcomes (question -> command your AI agent runs):
- What's about to breach SLA in the next 24 hours? -> halopsa-cli sla breaching --within 24h --team Support --json
- What's the dispatcher view across all agents and teams? -> halopsa-cli triage --team Support --json
- Who's overloaded right now? -> halopsa-cli agent workload --team Support --json
- What's the whole story for this client, on one screen? -> halopsa-cli client card "Acme Corp" --json
- How much contract time is left, and who's tracking over their bank? -> halopsa-cli contracts burn --client "Acme Corp" --month current --json
- Which clients have stale tickets aging out that I should close? -> halopsa-cli tickets age-out --status "Awaiting Customer" --stale-days 14 --action-note "Auto-closing per policy" --apply
- What changed in Halo since this morning while I was in a meeting? -> halopsa-cli tickets changed-since 09:00 --mine --json
- Which KB article should the tech link to for this ticket? -> halopsa-cli kbarticle suggest --ticket 12345 --limit 5

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on Plus, Pro, Team, Business, Enterprise, and Education plans (the Free tier does not yet expose Developer Mode). ChatGPT connects to remote MCP servers over HTTPS, not local stdio binaries, so you expose the local HaloPSA MCP server via the mcp-remote bridge or your own HTTPS endpoint. Step-by-step in mcp-install.md.
Q: Do I need to know how to code?
A: No. The recommended install is to paste one sentence into Claude Code or Codex and your agent reads SKILL.md and does the install. The fallback is a one-line installer per OS (bash or PowerShell). You enter your HaloPSA API credentials once.
Q: Is my HaloPSA data safe?
A: Your data stays on your machine. The CLI and MCP server are local binaries and the SQLite mirror sits under your user account. The AI agent only sees what the CLI returns - typically a query result, not raw bulk data. Credentials are read from your environment, never bundled into this repo or transmitted anywhere by MSP Skills.
Q: Will this hit my HaloPSA API rate limits?
A: Almost never. HaloPSA's rate limits aren't publicly documented and vary between cloud-hosted and self-hosted instances. The skill syncs once with sync --full, then incrementally; subsequent triage, SLA, client-card, and cross-client queries run against the local mirror, not the live API. The big-batch queries that get you 429'd with API-passthrough tools become one SQL join here.
Q: How is this different from HaloPSA's built-in ChatGPT integration?
A: HaloPSA's built-in integration is great for single-ticket work - rewriting replies, summarizing one ticket, sentiment-flagging. This skill is the cross-client analytics and MSP-owner-on-the-couch layer: questions across thousands of tickets, multi-system queries that join HaloPSA with other tools, and ad-hoc reports HaloPSA's UI doesn't surface. The two complement; you don't pick one.
Q: Can I run this on Windows?
A: Yes. The PowerShell installer is the Windows path, and the CLI and MCP binaries are native Windows builds. Cline users on Windows may need a small npx workaround documented in docs/which-agent.md.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use (Claude, ChatGPT, Codex, and so on), billed by your AI provider, not by us.

Governance: The skill drives the halopsa-cli and halopsa-mcp binaries, authenticating to your own HaloPSA tenant with an OAuth2 client-credentials application you create at Configuration > Integrations > Halo PSA API. Credentials (HALOPSA_CLIENT_ID, HALOPSA_CLIENT_SECRET, HALOPSA_TENANT) are read from the environment only - never written to disk, never logged, never sent anywhere except your Halo endpoint. Read commands (triage, sla breaching, client card, contracts burn, and the other cross-entity views) read and aggregate; they cannot change Halo state. Writes are not gated by a built-in confirmation: --dry-run is an opt-in flag (default off) that previews a request without sending, and --yes is reserved for explicit confirmation of destructive actions, so a raw create or delete sends on first run unless your agent passes --dry-run first. The recommended policy is an agent-level rule: keep autonomous agents to read plus previewed writes, and require a human for anything destructive or configuration-touching. The strongest control is the scope you grant the OAuth application in your Halo tenant - because Halo enforces that scope server-side, the CLI can only do what the application is permitted to do, so a read/report workflow simply should not be granted write or delete permissions.

### HubSpot (CRM)

Page: https://msp-skills.compoundingteams.com/skills/hubspot/
Badge: Live-verified
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/hubspot/install.sh)

MSPs run HubSpot as the sales CRM - pipeline, deals, quote-chasing. Ask your AI "which deals went cold," "what's my pipeline health," or "who do I call today," and get an answer the portal can't compose: cross-object rollups across deals, contacts, owners, and engagements, computed offline in one query instead of a dozen exports and saved views.

Outcomes (question -> command your AI agent runs):
- Which open deals have gone cold with no engagement in the last three weeks? -> hubspot-cli stale deals --days 21 --owner me
- Which of my contacts haven't been touched in a month? -> hubspot-cli stale contacts --days 30 --owner me
- What's my pipeline health right now - per-stage count, dollars, and what's at risk? -> hubspot-cli pipeline-health --idle-days 14
- How is the open-deal load spread across my reps? -> hubspot-cli owner-load --pipeline default
- Who should I call today, ranked by stale-days, deal size, and stage? -> hubspot-cli nurture queue --owner me --top 20
- Which are my top deals by composite score (signal, amount, stage, recency)? -> hubspot-cli deals top --top 5 --owner me
- What's the full activity trail for a specific deal - every call, email, meeting, note, and task? -> hubspot-cli engagements of deal:456 --since 90d
- Which meetings were ever Scheduled in a given month, even after they flipped to Completed or No Show? -> hubspot-cli meetings status-report --status scheduled --month 2026-04

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local HubSpot MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my HubSpot data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my HubSpot API rate limits?
A: The local mirror exists so you stop hitting the API for reads. After the first sync (which respects HubSpot's pagination), every aggregate report runs against your local SQLite with zero API calls. You can scope sync with --resources and --since to keep it light, and the CLI surfaces sync warnings rather than swallowing them.
Q: Do I need to be a HubSpot partner or a paid tier?
A: No partnership is required. You create a HubSpot Private App access token from your portal with read scopes for the objects you care about. Property-history retention varies by HubSpot plan, so the depth of historical reporting depends on your tier; the CLI captures whatever the API returns and accrues forward from your first --with-history sync.
Q: Does it work with HubSpot's free CRM?
A: It works against any portal that issues a Private App access token with the read scopes you grant. Which objects, properties, and history depth are available is governed by your HubSpot plan and the scopes on the token, not by this skill.

Governance: The skill drives the hubspot-cli and hubspot-mcp binaries, authenticating only with HUBSPOT_ACCESS_TOKEN read from the environment - never written to disk, logged, or sent anywhere except the HubSpot API. Read commands (reports, rollups, search) are always safe and can change nothing. Writes are not gated by default: --dry-run is an opt-in flag (default off) that previews a request without sending, so raw create/update/delete commands send immediately on first run unless your agent passes --dry-run first. The one built-in mutation gate is on contacts bulk-update, and it only fires above 100 rows (smaller batches dispatch immediately with a one-line bypass warning). The recommended policy is an agent-level rule: require the agent to show the exact command and get human approval before any mutation, and require a human for any destructive or credential-touching command. The strongest control is the scope you grant the Private App token.

### Hudu (Documentation)

Page: https://msp-skills.compoundingteams.com/skills/hudu/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/hudu/install.sh)

Ask in plain English which clients have the worst documentation, which vault passwords are overdue for rotation, and what SSL certs, domains, or warranties expire next - across every company at once. Hudu plus your AI agent reads a local mirror of your whole instance, so the hygiene questions the portal makes you click through company by company become one instant, reproducible answer.

Outcomes (question -> command your AI agent runs):
- Which clients have the worst documentation completeness? -> hudu-cli audit completeness --agent
- What's expiring in the next 30 days across every client? -> hudu-cli audit expirations --within 30d --agent
- Which vault passwords are overdue for rotation? -> hudu-cli audit stale-passwords --older-than 180d --agent
- Which knowledge-base articles are stale and probably out of date? -> hudu-cli audit stale-articles --older-than 365d --agent
- Which assets have drifted from their layout's current schema? -> hudu-cli audit layout-drift --agent
- Give me one worst-first hygiene scorecard across every company. -> hudu-cli audit summary --agent
- Find everything matching a keyword across all synced docs. -> hudu-cli search "vpn gateway" --agent
- Resolve this Hudu link to its asset, company, and relations. -> hudu-cli resolve "https://docs.example.huducloud.com/a/dc01-abc123" --agent
- Which PSA/RMM records don't map to a live Hudu asset? -> hudu-cli reconcile --agent
- Scaffold a new client's docs from our house template. -> hudu-cli onboard --company 42 --template msp-standard

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Hudu MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Hudu data safe?
A: Your data stays on your machine - the CLI, MCP server, and the local mirror are all local. The password audit never reads or stores secret values; it uses only each entry's name, username, and last-updated date. Credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will a company-scoped Hudu API key work?
A: Mostly. Audits and search run over whatever you've synced, so they work with any key. The one limit: Hudu's global asset-list endpoint requires a global (not company-scoped) key - with a scoped key, use 'assets list-by-company <company_id>' instead. The 'onboard --apply' write path also needs a global key.

Governance: The skill reads everything over a local mirror - audits, search, resolve, and reconcile are always safe to run and cannot change anything. Writes (creating or updating assets, articles, companies, and asset layouts, plus 'onboard --apply') send to your live Hudu instance, so the recommended agent policy is preview-then-approve. Reading or changing password-vault entries and managing the API credential are credential-tier; deletes and archives are destructive - keep both human-in-the-loop.

### Huntress (Security)

Page: https://msp-skills.compoundingteams.com/skills/huntress/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/huntress/install.sh)

Ask "which Huntress incidents are oldest across all my clients?" and get one age-sorted queue spanning every organization - the cross-tenant view the per-org portal never shows. Triage incidents fleet-wide, find coverage gaps and dark agents, reconcile invoiced seats against deployed agents, and trace an indicator's blast radius across your whole account, in plain English, from one local mirror.

Outcomes (question -> command your AI agent runs):
- Which incidents are oldest across every client org? -> huntress-cli fleet-incidents --sort age
- Where are my posture gaps - stale callbacks, disabled Defender or firewall? -> huntress-cli coverage-gaps
- Has this IP or file hash touched any of my clients? -> huntress-cli blast-radius --indicator 203.0.113.10
- Am I billed for more seats than I have agents deployed? -> huntress-cli billing-reconcile
- Which agents went dark in the last week? -> huntress-cli stale-agents --days 7
- What is my mean time-to-resolve per client? -> huntress-cli mttr --group-by org
- What changed across the fleet since my last shift? -> huntress-cli handoff --since 12h
- Give me a QBR scorecard for one client. -> huntress-cli org-scorecard --org 12345

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Huntress MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Huntress data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need to be a Huntress partner?
A: You need a Huntress account with API credentials (a key and secret) generated from your portal. Reseller credentials unlock the cross-account reseller-rollup; a single-account credential drives everything else.
Q: Will this hit my Huntress API rate limits?
A: Sync pulls your account into a local mirror once, then every rollup and search runs against that local copy - so repeated questions cost zero API calls. The CLI also honors a configurable --rate-limit on the requests it does make.
Q: Will this replace my Huntress portal?
A: No - it complements it. The portal stays your console for configuration and deep investigation; this skill answers the cross-tenant and historical questions the portal can only show one organization at a time.

Governance: The skill authenticates with your Huntress API key and secret and is read-first: every rollup, search, and report is non-mutating and safe to let an agent run. The handful of write commands (update an organization, membership, account, or unwanted-access rule) and the destructive deletes are opt-in and should sit behind an agent policy of preview-then-approve. Keep autonomous agents to reads plus dry-run previews; require a human for any write or delete.

### IT Glue (Documentation)

Page: https://msp-skills.compoundingteams.com/skills/itglue/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/itglue/install.sh)

MSPs keep their whole client world in IT Glue - organizations, contacts, passwords, configurations, documents - but the API answers one record at a time under a 3000-request rate ceiling. Ask your AI "which clients are under-documented," "which credentials haven't rotated in a year," or "which client owns this serial number," and get fleet-wide answers from a local mirror in one query - no portal clicking, no rate-limit math.

Outcomes (question -> command your AI agent runs):
- Which client owns this device, serial number, or contact? -> itglue-cli search "Fortinet"
- Which clients are under-documented, thinnest first? -> itglue-cli coverage --below 1
- Which credentials haven't been rotated in a year, grouped by client? -> itglue-cli passwords stale --days 365
- What changed across every client since a given date? -> itglue-cli changes --since 2026-05-01
- Which contacts are duplicated across or within clients? -> itglue-cli contacts dupes
- Everything we know about one client, in a single offline read? -> itglue-cli org show "12345"
- Which records are orphaned after a client was offboarded? -> itglue-cli orphans
- List every organization in the account. -> itglue-cli organizations list

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local IT Glue MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my IT Glue data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: What credentials do I need?
A: An IT Glue API key, which you generate in your IT Glue account settings (Account > Settings > API Keys). Set ITGLUE_API_KEY in your environment, or run itglue-cli auth set-token. The key inherits the permissions of the IT Glue account it belongs to, so scope that account to exactly what you want the AI to reach - a key with password access lets passwords get/list return stored secrets, so scope it accordingly.
Q: Will this blow through my IT Glue API limits?
A: IT Glue meters the API at roughly 3000 requests per 5 minutes. The local mirror exists so reads stop hitting the API: after the first sync, search, coverage, passwords stale, changes, contacts dupes, org show, and orphans all run against local SQLite with zero API calls, and sync is incremental - it only fetches what changed since the last checkpoint.
Q: Does it work with IT Glue's EU or AU data regions?
A: Yes. IT Glue hosts data in regional API endpoints; set ITGLUE_BASE_URL to your region's API URL and the CLI uses it. The default targets the US endpoint.
Q: Can it delete my documentation?
A: No. The CLI reads, and creates or updates contacts, passwords, configurations, and documents - it exposes no delete for any IT Glue resource. The coverage and stale-password audits read metadata only; password secret values are never read or printed.

Governance: The skill drives the itglue-cli and itglue-mcp binaries, authenticating with an IT Glue API key read from the environment (ITGLUE_API_KEY) - never logged and never sent anywhere except the IT Glue API. Most read commands (search, coverage, changes, contacts dupes, org show, orphans, and the organization/configuration/contact/document list and get) change nothing and run against the local mirror. The exceptions are passwords get and passwords list: when the API key has password access they can return the stored secret, so treat them as credential-tier, not routine reads (passwords stale is metadata-only and stays safe). Writes are not gated by default: --dry-run is an opt-in preview flag, so the recommended policy is an agent-level rule - preview with --dry-run, show the exact command, get approval, then run the write. The CLI exposes no delete for any IT Glue resource; the most sensitive operations are credential reads and writes (passwords get/list/create/update), which should stay human-approved. The real permission boundary is the scope of the IT Glue account whose key you use.

### Kaseya BMS (PSA)

Page: https://msp-skills.compoundingteams.com/skills/kaseya-bms/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/kaseya-bms/install.sh)

Run the Kaseya BMS service desk, contracts, and billing from your terminal - or let your AI agent do it. Ask in plain English which queues are underwater, which tickets are going stale, who's overloaded, how much of each contract you've burned, and what billable time is sitting unbilled - and get the answer instantly from a local mirror, without exporting a single report.

Outcomes (question -> command your AI agent runs):
- Which queues are underwater and what's going stale before standup? -> kaseya-bms-cli queue-health --agent
- Which open tickets haven't been touched in a week, oldest first? -> kaseya-bms-cli stale-tickets --days 7 --agent
- Who's overloaded and who can take the next ticket? -> kaseya-bms-cli workload --agent
- How much of each contract have we burned this quarter? -> kaseya-bms-cli contract-burn --window-days 90 --agent
- What approved billable time is ready to invoice, by account? -> kaseya-bms-cli unbilled --agent
- What's the open sales pipeline by stage, and which deals have slipped? -> kaseya-bms-cli pipeline --agent
- Find every ticket mentioning a phrase across the whole tenant -> kaseya-bms-cli search "VPN outage"
- Sync the tenant into a local mirror for instant offline queries -> kaseya-bms-cli sync

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Kaseya BMS MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Kaseya BMS data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Kaseya BMS API rate limits?
A: Rarely. BMS allows 1,500 requests per hour per endpoint. Reads default to the local SQLite mirror (--data-source auto), so day-to-day questions cost zero API calls; you only spend the budget when you sync or query live.
Q: Do I need to be a Kaseya customer, and how do I authenticate?
A: Yes - you need a Kaseya BMS tenant and an API user. The skill authenticates as that user with 'kaseya-bms-cli auth login' (your BMS username, password, and tenant name), and can only do what that user is permitted to do. You can also paste a pre-minted JWT via KASEYA_BMS_TOKEN.
Q: Will this replace my Kaseya BMS portal?
A: No. It's a faster path for the questions you ask every day - queue health, unbilled time, pipeline - and for letting an AI agent drive the service desk. The BMS portal stays your system of record.

Governance: The skill reads everything - tickets, CRM, contracts, finance, projects - and can create and update records across the service desk, CRM, finance, and projects, so keep an autonomous agent to reads plus previewed (--dry-run) writes with a human approving each write. Deletes, the back-office 'admin' group, and any command that returns stored credentials (ITGlue or VSA access info) are human-in-the-loop only. The strongest control is the scope of the BMS API user you authenticate as.

### KnowBe4 (Security)

Page: https://msp-skills.compoundingteams.com/skills/knowbe4/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/knowbe4/install.sh)

KnowBe4's console reports one tenant, one phishing test, one chart at a time. This skill syncs your KMSAT data into a local SQLite mirror and answers the questions the portal can't: which users clicked the bait in multiple phishing tests, whose risk score is deteriorating this quarter, and who clicked a phish but finished zero training - across every client, in seconds, from your terminal.

Outcomes (question -> command your AI agent runs):
- Who clicked the bait in more than one phishing test? -> knowbe4-cli repeat-clickers --min-clicks 2 --since 90d
- Whose risk score is getting worse this quarter? -> knowbe4-cli risk-drift --window 90d --worsened --top 20
- Who clicked a phish but never passed training? -> knowbe4-cli untrained-clickers --since 180d
- Which active users have zero training or zero phishing coverage? -> knowbe4-cli coverage-gaps
- Is training actually working for the Finance group? -> knowbe4-cli phish-prone-trend --group "Finance" --since 12mo
- Who are my highest-risk users, with the why behind the score? -> knowbe4-cli risk-leaderboard --top 25
- Which departments are driving our risk up? -> knowbe4-cli group-risk-contribution --window 90d --top 10
- Assemble the full client quarterly review in one command -> knowbe4-cli qbr --since 90d
- Who never reports a simulated phish? -> knowbe4-cli report-rate --bottom 25
- Is my synced data fresh enough to trust a clicker hunt? -> knowbe4-cli freshness

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local KnowBe4 MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my KnowBe4 data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local, and the bundled MCP server exposes read-only reporting tools only. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Does this replace the KnowBe4 console or need a special partner API?
A: Neither. It uses your standard KMSAT Reporting API key (Account Settings - API - enable Reporting API) and your region (us, eu, ca, uk, or de). It reads what your account already exposes and adds the cross-client rollups the console doesn't. The one write path that needs extra setup is pushing custom risk events, which uses a separate, opt-in User Event API key.

Governance: The skill reads your KnowBe4 reporting data - accounts, users, groups, phishing tests, training, risk scores - and can sync it to a local SQLite mirror; all of that is read-only and safe to let an agent run, and the bundled MCP server exposes only those read tools. The only write paths are CLI-only: pushing or deleting custom risk events on a user's timeline (a separate, opt-in User Event API key) and bulk import. Keep those human-reviewed and preview them with --dry-run first.

### Level (RMM)

Page: https://msp-skills.compoundingteams.com/skills/levelio/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/levelio/install.sh)

Ask "which Level endpoints are most at risk right now?" and get one ranked list across active alerts, missing patches, low security scores, and dark devices - not four portal tabs. levelio-cli syncs your whole Level fleet into a local mirror, then answers portfolio-wide questions the portal shows one device at a time: patch exposure, stale agents, alert clusters, and per-client QBR scorecards. Offline, instant, and read-only-safe.

Outcomes (question -> command your AI agent runs):
- Which devices are most at risk across alerts, patches, score, and staleness? -> levelio-cli at-risk --top 20
- Which devices have gone dark and stopped checking in? -> levelio-cli stale --days 30
- What is my fleet-wide patch exposure, by category? -> levelio-cli patch-posture --category security
- How is my fleet broken down by OS, platform, or group? -> levelio-cli fleet --by os
- Where are my active critical fires, clustered by group? -> levelio-cli alert-triage --severity critical
- Give me a per-client posture scorecard for QBRs. -> levelio-cli client-scorecard
- Which devices are below my security-score threshold? -> levelio-cli security-posture --below 70
- Which devices are waiting on a reboot to finish patching? -> levelio-cli reboot-due
- Which monitors fire most often across the fleet? -> levelio-cli alert-recurrence --top 15
- What changed since yesterday - new alerts, updates, device activity? -> levelio-cli since --days 1

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Level MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Level data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Level API rate limits?
A: Only 'sync' calls the Level API, and it paginates politely. Every report, rollup, and search after that runs against the local SQLite mirror - zero API calls, no rate-limit pressure. Re-sync when you want fresh data.
Q: Do I need a paid Level plan or to be a Level partner?
A: You need a Level account and an API key (Settings > API keys). A read-only key is enough for every report and rollup here, and you can scope it tighter than your portal login. The skill itself is free and open source.

Governance: The skill reads everything - reports, rollups, search, and a sync to a local mirror that never writes back to Level. It can also change Level records when you let it: update devices, manage groups, tags, and custom fields, resolve alerts, import data, and trigger automations that run on real endpoints. Recommended policy: give autonomous agents a read-only API key, preview every write with --dry-run, and keep a human in the loop for automations, deletes, and credential changes.

### Liongard (Documentation)

Page: https://msp-skills.compoundingteams.com/skills/liongard/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/liongard/install.sh)

Ask "what changed across all my clients this week," "which Liongard collectors went stale," or "which agents are offline," and get the answer in one command instead of clicking through the portal environment by environment. The skill syncs your whole Liongard estate into a local mirror, then drift-checks, searches, and rolls it up across every environment - so the visibility you already pay for finally reaches you.

Outcomes (question -> command your AI agent runs):
- What changed across all my clients in the last 24 hours? -> liongard-cli drift --since 24h
- Which collectors (launchpoints) have gone stale? -> liongard-cli launchpoints stale --older-than 7d
- Which agents are offline right now, and whose environment do they serve? -> liongard-cli agents offline
- Give me one health scorecard for the whole estate. -> liongard-cli health --agent
- Show me one client's complete picture in a single command. -> liongard-cli environments overview 42
- Which inspections failed or errored across the estate? -> liongard-cli detections failures --since 7d
- Pull one metric across every system, CSV-ready for a report. -> liongard-cli metrics pivot "MFA Enabled Count" --csv
- Which systems breach a threshold, like patch age over 30 days? -> liongard-cli metrics breach "Patch Age Days" --op gt --value 30
- Where are my monitoring gaps (systems with no launchpoint, environments with no systems)? -> liongard-cli coverage
- Which environments are still missing a given inspector? -> liongard-cli inspectors coverage --inspector "Microsoft 365"
- What is the full change history for one system? -> liongard-cli systems history 4821
- Search everything I've synced for a term. -> liongard-cli search "domain admin"

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Liongard MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Liongard data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need to be a Liongard customer, and will this hit my API limits?
A: Yes - you use your own Liongard instance and access keys, so the skill only reaches data your credentials already permit. Because it syncs once into a local mirror and answers most questions from there, it makes far fewer API calls than a per-question live wrapper, which keeps you well clear of rate limits during reporting and QBR prep.

Governance: Read commands (drift, health, coverage, the stale/offline/failure rollups, search, and every get/list) cannot change anything and are safe to allow. Writes are explicit and named - creating or updating environments, launchpoints, metrics, users, and agents, plus importing data and triggering inspection runs - and should be previewed before they send. Deletes, minting access keys, and the auth/token commands are human-in-the-loop only. The strongest control is the scope of the Liongard access keys you supply: the CLI can only do what those keys are permitted to do.

### Microsoft Graph (Security)

Page: https://msp-skills.compoundingteams.com/skills/microsoft-graph/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/microsoft-graph/install.sh)

Microsoft retires the Graph CLI (mgc) on August 28, 2026 and points admins at the heavier PowerShell SDK. This is the lightweight successor: one cross-platform binary, no .NET or PowerShell runtime. Ask your AI "which M365 licenses are we wasting," "who holds privileged admin right now," or "what's new in Defender since yesterday," and get cross-tenant answers computed offline from a local SQLite mirror - one query instead of CSV exports and portal tab-hopping.

Outcomes (question -> command your AI agent runs):
- Which SKUs are we paying for but not fully using, ranked by wasted seats? -> microsoft-graph-cli licenses waste --agent
- Which disabled or guest accounts still hold a paid license? -> microsoft-graph-cli licenses orphans --json
- Who exactly is consuming one specific SKU before I reclaim seats? -> microsoft-graph-cli licenses map "ENTERPRISEPACK" --agent
- Who holds a privileged directory role right now, and which holders are guest or disabled? -> microsoft-graph-cli admins audit --agent
- What open security alerts are new since yesterday, by severity and source? -> microsoft-graph-cli security triage --since 24h --agent
- Which Intune devices are non-compliant, unencrypted, or stale this month? -> microsoft-graph-cli managed-devices drift --days 30 --agent
- Which groups are ownerless, empty, or guest-heavy across the tenant? -> microsoft-graph-cli groups risk --agent
- Where does this tenant stand overall - users, license waste, admins, alerts, device drift? -> microsoft-graph-cli tenant snapshot --agent

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Microsoft Graph MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Microsoft 365 data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local SQLite mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills - the token is read from your environment and used only against the Microsoft Graph API.
Q: Will this hit my Microsoft Graph throttling limits?
A: The local mirror exists so reads stop hitting Graph. After the first `pull`, the cross-entity views (licenses waste/orphans/map, admins audit, security triage, managed-devices drift, groups risk, tenant snapshot) run against local SQLite with zero API calls. Live calls follow @odata.nextLink and respect a `--rate-limit` throttle, and pull treats resources your token can't reach as warnings, not failures.
Q: Is this the replacement for the Microsoft Graph CLI (mgc) that's being retired?
A: It is built as the lightweight successor for the MSP read-and-report core - directory, licensing, security, and device surfaces - as one cross-platform Go binary with no .NET or PowerShell runtime. Microsoft's own recommended path is the PowerShell SDK; this is the option for teams who want a scriptable single binary and their AI agent instead. It is not affiliated with or endorsed by Microsoft.
Q: Does it use a delegated or app-only token?
A: Either. Run `auth login --tenant <id> --client-id <id> --client-secret <secret>` to mint and cache an app-only (client-credentials) token for unattended MSP use, or export a pre-minted token as MICROSOFT_GRAPH_TOKEN. Read scopes such as Directory.Read.All, RoleManagement.Read.Directory, SecurityAlert.Read.All, and DeviceManagementManagedDevices.Read.All must be granted and admin-consented. App-only tokens have no /me, so `users me` is delegated-only.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.

Governance: The skill drives the microsoft-graph-cli and microsoft-graph-mcp binaries, authenticating with a MICROSOFT_GRAPH_TOKEN read from the environment - never logged, never written to disk, never sent anywhere except the Microsoft Graph API. Every typed command is read-only: users, groups, directory roles, licenses, devices, managed devices, security alerts and incidents, and the cross-entity analytics change nothing. The single write path is the explicit `import` command (a JSONL-to-POST create path), which previews with `--dry-run`. The strongest control is the scope of the token you mint - grant read-only Graph scopes and the CLI can only read.

### Concierge (Meta)

Page: https://msp-skills.compoundingteams.com/skills/msp-skills-concierge/
Badge: Awaiting live verification

### MSPbots (Analytics)

Page: https://msp-skills.compoundingteams.com/skills/mspbots/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/mspbots/install.sh)

MSPbots aggregates your PSA, RMM, and finance data into KPI dashboards - then keeps it there. Ask your AI "is our ticket backlog up or down this week" and get the answer the dashboard can't give: point-in-time snapshots, week-over-week deltas, row-level diffs, and full CSV exports - through readable aliases and filters instead of 19-digit resource IDs and a comma-encoded query DSL.

Outcomes (question -> command your AI agent runs):
- Is our open-ticket backlog up or down versus last week? -> mspbots-cli trend open_tickets --agg count
- What changed in open tickets since the last snapshot - rows added, removed, or edited? -> mspbots-cli diff open_tickets
- Pull the open tickets updated since June 1 -> mspbots-cli pull open_tickets --where "Update Date >= 2026-06-01"
- What columns does this dataset have, and what types? -> mspbots-cli describe open_tickets
- Export the entire dataset to CSV for the QBR deck -> mspbots-cli export open_tickets --format csv
- Capture today's KPI snapshot (schedule it and history accrues) -> mspbots-cli snapshot open_tickets
- Stop pasting 19-digit IDs - name the dataset once -> mspbots-cli registry add open_tickets 1534956341424005122
- Are my API key and resource bindings working? -> mspbots-cli doctor

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local MSPbots MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my MSPbots data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local snapshot store are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: What credentials do I need?
A: An MSPbots API key: an admin creates it at Settings > Public API in the MSPbots app and binds each dataset or widget to it. Set MSPBOTS_API_KEY in your environment or run mspbots-cli auth set-token. The binding is the permission boundary - the key can only read resources explicitly bound to it, and the global Enable Public API toggle gates everything.
Q: Can this write to MSPbots?
A: No. The MSPbots Public API is read-only - datasets and widgets out, nothing in. The only things this skill writes are local: alias registrations, snapshots, and the sync cache in your own SQLite store. No command can change anything in your MSPbots tenant.
Q: Why do I register datasets before pulling them?
A: The Public API has no list endpoint - it cannot tell you what is bound to your key. You copy each resource ID from Settings > Public API once, register it with mspbots-cli registry add open_tickets <resourceId>, and every other command accepts the alias from then on.
Q: Will this hit MSPbots rate limits?
A: The API documents rate limits without publishing numbers. The CLI ships a --rate-limit throttle, export bounds its page-walking with --max-pages and reports when the cap was hit, and the history questions (trend, diff) run entirely against local snapshots - zero API calls after capture.
Q: Does it support widgets as well as datasets?
A: Yes - pull, export, snapshot, describe, and registry add all accept --type widget. One documented exception inherited from the API: widgets with measure or calculate layers are not supported by the Public API itself.

Governance: The skill drives the mspbots-cli and mspbots-mcp binaries, authenticating with an API key read from MSPBOTS_API_KEY or saved locally via auth set-token - never logged and never sent anywhere except the MSPbots API. The Public API is read-only, so no command can change anything in your MSPbots tenant; the only writes are local (alias registry, snapshot store, sync cache in your own SQLite file). The permission boundary is which datasets and widgets an admin binds to the key.

### N-able N-central (RMM)

Page: https://msp-skills.compoundingteams.com/skills/n-central/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/n-central/install.sh)

N-central knows every device you manage - and answering "where is that machine" still means walking the console's org tree. Ask your AI "what's red right now", "where is EXCHANGE01", or "which devices have no maintenance window before Saturday's patch wave" and get rollups the console can't compose: cross-tenant search from an offline mirror, severity-ranked triage, coverage audits, and a guardian that catches the JWT before it silently dies.

Outcomes (question -> command your AI agent runs):
- What's red right now, grouped by customer and ranked by severity? -> n-central-cli triage --by customer
- Where is EXCHANGE01 - server, service org, customer, site? -> n-central-cli whereis EXCHANGE01
- Find anything named acme across every server we run -> n-central-cli fanout "acme"
- Which devices are missing the Backup Plan custom property, by customer? -> n-central-cli props audit --required "Backup Plan"
- Which devices have no maintenance window before the June 15 patch wave? -> n-central-cli maint coverage --before 2026-06-15
- Is the JWT healthy, and when does the API user's password kill it? -> n-central-cli guardian --password-set 2026-03-01
- Hardware and software inventory for one device -> n-central-cli devices assets 987654321
- Every device, exported for the QBR or your documentation tool -> n-central-cli export "devices" --format jsonl

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local N-central MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my N-central data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: What credentials do I need?
A: A JSON Web Token for an API-only user: in N-central, go to Administration > User Management > Users > select the API user > API Access > Generate JSON Web Token. MFA must be off on that user, and the user's password expiry (90 days by default) silently invalidates the JWT - guardian tracks that countdown. Set NCENTRAL_JWT and N_CENTRAL_BASE_URL (e.g. https://yourmsp.ncod.n-able.com/api).
Q: Can this make changes in N-central?
A: Almost everything is read-only. Two commands can change things: scheduled-tasks run executes an API-enabled Automation Policy or Script on a device, and import POSTs records from a JSONL file. --dry-run is an opt-in preview, not a default - the recommended agent policy is preview first, a human approves, then run. Keep scheduled-tasks run human-in-the-loop.
Q: We run more than one N-central server - does this handle that?
A: Yes. Each server syncs to its own local mirror, and fanout unions them: one query returns matches across every server's mirror, each row tagged with the server it came from.
Q: Will this hit N-central API rate limits?
A: N-able documents per-endpoint concurrency caps - 429 responses beyond roughly 3 to 50 concurrent calls depending on the endpoint. The CLI ships a --rate-limit throttle, and the heaviest questions (whereis, fanout, search) run against the local mirror with zero API calls.
Q: Does this work with N-able N-sight?
A: No. This skill targets the N-central REST API specifically. N-sight is a separate N-able product with a separate API.

Governance: The skill drives the n-central-cli and n-central-mcp binaries, authenticating with an API-only user's JWT (NCENTRAL_JWT) exchanged for short-lived access tokens - never logged and never sent anywhere except your N-central server. Nearly all commands are read-only; the exceptions are scheduled-tasks run (executes an API-enabled script or automation policy on a live device) and import (POSTs records), both previewable with the opt-in --dry-run flag. Registration tokens enroll new devices - treat them like credentials. The API user's role in N-central is the real permission boundary.

### Nerdio Manager (RMM)

Page: https://msp-skills.compoundingteams.com/skills/nerdio/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/nerdio/install.sh)

Ask "which host pools have autoscale off across all my customers?" and get one table - not 30 portal logins. Every MSP runs its own Nerdio Manager (NMM) install, so each answer normally means clicking through one tenant at a time. This skill pulls your whole NMM fleet into a local mirror and answers cross-account autoscale, power-state, billing, and Intune questions in a single command.

Outcomes (question -> command your AI agent runs):
- Which host pools have autoscale off or drifting across every customer? -> nerdio-cli fleet autoscale-audit
- What is running right now across all accounts, and where? -> nerdio-cli fleet host-estate
- What did each customer get billed this period, and who is unpaid? -> nerdio-cli fleet billing-rollup --period 2026-05-01:2026-05-31 --unpaid-only
- Which customers' Azure usage spiked month-over-month? -> nerdio-cli usages drift --from 2026-04-01:2026-04-30 --to 2026-05-01:2026-05-31
- List every customer account I manage -> nerdio-cli accounts
- Show the host pools for one account -> nerdio-cli host-pools list <account_id>
- Which Intune devices does this account have? -> nerdio-cli devices list <account_id>
- Did that backup or provisioning job actually finish? -> nerdio-cli job wait <job_id>
- Run one scripted action across many accounts and wait for all of them -> nerdio-cli scripted-actions fan-run <script_id> --accounts 101,102,103 --wait
- Search everything I have synced, offline -> nerdio-cli search <query>

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Nerdio Manager MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Nerdio Manager data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need to be a Nerdio partner, or run Nerdio Manager for MSP (NMM)?
A: Yes - this targets the NMM Partner REST API, which is the MSP edition (not Nerdio Manager for Enterprise). You create an API client in your own NMM portal under Settings > Integrations > REST API. There is no vendor-global endpoint; the CLI talks to your own instance URL, which you set as NERDIO_BASE_URL.
Q: Will this replace the Nerdio Manager portal?
A: No. It is a read-first, cross-account companion. Day-to-day operating still happens in NMM; this is for the fleet-wide questions and scripted automation the portal makes tedious.
Q: Why does a change only return a job ID?
A: Every NMM mutation (provisioning, scripted actions, backup, host power) is async and returns a job ID. Run nerdio-cli job wait <job_id> to poll it to a terminal state and exit non-zero if it failed - so your agent never reports "done" on a job that actually errored.

Governance: The skill reads your whole NMM fleet - accounts, host pools, session hosts, Intune devices, billing - and can also make changes: create or delete host pools and reservations, power and restart session hosts, run scripted actions across accounts, and manage secure variables. Reads are safe to automate. Anything that powers, executes, deletes, or touches a stored secret should be previewed with --dry-run and approved by a human. The credential's NMM role is the real ceiling - scope it to only what your workflow needs.

### NinjaOne (RMM)

Page: https://msp-skills.compoundingteams.com/skills/ninjaone/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/ninjaone/install.sh)

NinjaOne is built for real-time, per-device RMM, but its reporting answers one organization at a time. Ask your AI "which clients are below 95% patched," "which endpoints across the fleet have no backup," or "how far did this threat spread" and get fleet-wide rollups computed offline from a local SQLite mirror of your estate - one query instead of a per-org report re-totaled in a spreadsheet or a third-party BI overlay.

Outcomes (question -> command your AI agent runs):
- Which organizations are below 95% patch compliance? -> ninjaone-cli patch-compliance --min-pct 95
- Which endpoints across the fleet have no backup at all? -> ninjaone-cli backup-coverage
- Which devices is a given threat on, fleet-wide? -> ninjaone-cli av-sweep --threat "Trojan.Generic"
- Which devices have antivirus definitions older than a week? -> ninjaone-cli av-sweep --definition-stale-days 7
- What is each organization's overall health score, and why? -> ninjaone-cli fleet-health
- Which devices have not checked in for two weeks? -> ninjaone-cli stale-devices --days 14
- Which devices are running an end-of-life operating system? -> ninjaone-cli os-eol
- Where is a software title sprawling across too many versions? -> ninjaone-cli software-audit --min-versions 3
- Did patch compliance get better or worse since last week? -> ninjaone-cli drift --metric patch
- Search every synced device, organization, and alert for a string? -> ninjaone-cli search "disk full"

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local NinjaOne MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my NinjaOne data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: Does it work with the US, EU, and other NinjaOne regions?
A: Yes. The US host (https://app.ninjarmm.com) is the default. For another region set NINJAONE_BASE_URL (for example https://eu.ninjarmm.com) and NINJAONE_TOKEN_URL (for example https://eu.ninjarmm.com/ws/oauth/token); run 'ninjaone-cli doctor' to confirm the credentials reach your instance.
Q: Will this hit my NinjaOne API rate limits?
A: The local mirror exists so reads stop hitting the API. After the first 'sync', the fleet views (patch-compliance, backup-coverage, av-sweep, fleet-health, stale-devices, os-eol, software-audit, drift) run against local SQLite with zero API calls. Live calls respect a --rate-limit throttle, and sync is incremental and resumable - it only fetches what changed and treats resources your token cannot reach as warnings, not failures.
Q: Do I need to be a NinjaOne partner or buy the reporting add-on?
A: No. You need an API app you create yourself under Administration > Apps > API, with an OAuth2 client_id and client_secret. The fleet rollups are computed locally from whatever your token can already read - no reporting add-on, data warehouse, or partner tier required.
Q: Can it change things in NinjaOne, or is it read-only?
A: The headline fleet views are read-only. The CLI also wraps NinjaOne's write surface (for example updating an organization, creating a ticket, running a script, or rebooting a device) and a smaller destructive tier (deletes). Preview any write with --dry-run, keep a human in the loop, and scope the API token to only what your workflow needs.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.

Governance: The skill drives the ninjaone-cli and ninjaone-mcp binaries, authenticating with NINJAONE_CLIENT_ID and NINJAONE_CLIENT_SECRET (NINJAONE_OAUTH_SCOPE optionally narrows the token) read from the environment - never logged, never sent anywhere except the NinjaOne API. Every fleet view, report, and search is read-only. The CLI also exposes routine write commands and a smaller destructive tier; the recommended policy is to preview a write with --dry-run, show the request, get approval, then run. The strongest control is the scope of the API app you mint.

### PagerDuty (Incident Response)

Page: https://msp-skills.compoundingteams.com/skills/pagerduty/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/pagerduty/install.sh)

Ask "who's on call for the payments service right now, and when do they hand off?" or "what's our MTTR by service this month?" and get the answer in one command. PagerDuty syncs to a local SQLite mirror, so post-incident analytics, on-call coverage audits, and escalation-gap checks run instantly and offline: no Analytics add-on, no portal clicking, no per-question API call.

Outcomes (question -> command your AI agent runs):
- What's on fire right now, ranked by SLA risk? -> pagerduty-cli pulse
- Who's on call for a service right now, and when's the handoff? -> pagerduty-cli oncall who --service "Payments"
- What's our MTTA and MTTR by service this month? -> pagerduty-cli insights mttr --by service --since 30d
- Which services have a broken escalation chain or single point of failure? -> pagerduty-cli audit coverage --severity high
- Where does a schedule have nobody on call over the next two weeks? -> pagerduty-cli audit schedule-gaps --days 14
- Which responders carry the most pages and off-hours load? -> pagerduty-cli insights responders --since 30d
- Which services are the noisiest? -> pagerduty-cli insights noisy --top 10 --since 7d
- What changed right before this incident broke? -> pagerduty-cli incidents changes <incident-id> --window 4h
- What's the full timeline of this incident? -> pagerduty-cli incidents timeline <incident-id>
- Which open incidents are quietly rotting with no recent activity? -> pagerduty-cli insights stale --hours 24

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local PagerDuty MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my PagerDuty data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my PagerDuty API rate limits?
A: Rarely. Read questions run against the local SQLite mirror, not the API - you sync once, then analytics, audits, and search are offline. Only sync and live writes call PagerDuty, and the CLI honors a configurable --rate-limit.
Q: Do I need PagerDuty's paid Analytics add-on for MTTR reporting?
A: No. The skill computes MTTA, MTTR, responder workload, and noisy-service rankings locally from the incidents and log entries any REST API key can read, so you get the post-incident numbers without the paid Analytics tier.

Governance: The skill reads everything through your PagerDuty REST API key and writes only when you tell it to - acknowledging, resolving, snoozing, or noting incidents, and creating or editing services, schedules, and policies. Reads (pulse, insights, audit, oncall, search) are always safe to run. Routine writes should be previewed with --dry-run and approved; deletes and config changes are human-in-the-loop only. The strongest control is scoping the API key to what your workflow actually needs.

### PandaDoc (Documentation)

Page: https://msp-skills.compoundingteams.com/skills/pandadoc/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/pandadoc/install.sh)

Ask your AI "which proposals are stalled?" or "what's our open quote value?" and get the answer in seconds. PandaDoc's portal shows one document at a time and has no rollup for these. This skill syncs your documents, templates, and contacts into a local mirror, so cross-document questions - stalled deals, aging quotes, recipient engagement, dollars in-flight - become one instant query instead of a manual export-and-pivot.

Outcomes (question -> command your AI agent runs):
- Which documents were sent but never completed? -> pandadoc-cli stalled --days 14
- How much money is tied up in open quotes? -> pandadoc-cli value
- What does my whole document funnel look like right now? -> pandadoc-cli pipeline
- How long has each document sat in its current status? -> pandadoc-cli aging
- Which clients haven't signed anything in a month? -> pandadoc-cli cold-clients --days 30
- Who should I follow up with today? -> pandadoc-cli followup --days 7
- Which recipients actually open and sign vs. let documents sit? -> pandadoc-cli engagement
- Which templates actually close? -> pandadoc-cli template-stats
- Which sent documents have no auto-reminder set? -> pandadoc-cli reminder-gaps
- What changed in the last day? -> pandadoc-cli since 24h

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local PandaDoc MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my PandaDoc data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my PandaDoc API rate limits?
A: Day-to-day questions read the local mirror, so they never touch the API. Only `sync`, `tail`, and a few live commands (such as `reminder-gaps`) call PandaDoc directly, and the CLI honors a configurable `--rate-limit` so you stay inside your plan's limits.
Q: Do I need to be a PandaDoc partner or customer?
A: You need your own PandaDoc account with API access (included on PandaDoc's paid plans). The skill authenticates with your own `PANDADOC_API_KEY` - there is no Servosity or PandaDoc partner requirement.
Q: Will this replace my PandaDoc portal?
A: No. You still create, send, and sign documents in PandaDoc. This adds the cross-document reporting and follow-up rollups the portal doesn't surface, so you can ask your AI instead of exporting spreadsheets.

Governance: Reads (pipeline, stalled, aging, value, search, list commands) are always safe and cannot change anything, so an agent can run them freely. Routine writes (create or update contacts, documents, and templates; send a document; add recipients) should be previewed with `--dry-run` and approved before they run. Credential-issuing commands (issue a workspace API key, create a member token, set the webhook shared key) and destructive deletes (delete or bulk-delete documents, remove recipients) are human-in-the-loop only. The strongest control is scoping the API key you grant the CLI.

### Pax8 (Billing)

Page: https://msp-skills.compoundingteams.com/skills/pax8/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/pax8/install.sh)

MSPs resell Microsoft, security, and backup through Pax8, then lose days each month reconciling its invoices against subscriptions and their PSA. Ask your AI "where is billing leaking this month," "what's my MRR and margin," or "which usage is about to overage," and get answers the Pax8 portal can't compose: invoices joined to subscriptions joined to usage, computed offline from a local mirror in one query instead of a CSV export and a spreadsheet.

Outcomes (question -> command your AI agent runs):
- Where is my billing leaking - invoiced for a cancelled product, or active but never billed? -> pax8-cli reconcile
- Can I catch that leakage before the next invoice finalizes? -> pax8-cli reconcile --draft
- What is my MRR and margin right now, broken down by product? -> pax8-cli mrr
- Which usage summaries are running hot before they hit the invoice? -> pax8-cli overage
- What changed in my book of business this week - new, cancelled, resized subscriptions? -> pax8-cli since 7d
- Which customers cost the most across every invoice? -> pax8-cli spend
- Everything about one customer - subscriptions, contacts, invoices, usage - in one view? -> pax8-cli company show <companyId>
- Which products can I resell that match a vendor or keyword? -> pax8-cli search "microsoft 365"

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Pax8 MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Pax8 data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need to be a Pax8 partner, and what credentials does it use?
A: Yes - it talks to the Pax8 Partner API with your own partner credentials. Create an OAuth2 Client ID and Client Secret in the Pax8 portal under Integrations, then set PAX8_CLIENT_ID and PAX8_CLIENT_SECRET. The CLI exchanges them for a bearer token at Pax8's token endpoint and caches it. PAX8_AUDIENCE (default api://p8p.client) and PAX8_OAUTH_SCOPE are optional overrides. The credential's own permissions are the real boundary - scope it to what you want the AI to reach.
Q: Will this hit my Pax8 API rate limits?
A: After the first sync, the analytics commands (reconcile, mrr, overage, spend, since, company show, search) run against your local SQLite mirror with zero API calls. Live calls respect a --rate-limit throttle, and sync is incremental - it only fetches what changed since the last checkpoint.
Q: Does this replace the Pax8 portal?
A: No. Provisioning, ordering, and support workflows stay in the portal. This skill answers the cross-entity billing and revenue questions the portal cannot compose in one place, from your terminal or agent.

Governance: The skill drives the pax8-cli and pax8-mcp binaries, authenticating with a Pax8 Partner API OAuth2 client ID and secret read from the environment (PAX8_CLIENT_ID, PAX8_CLIENT_SECRET) - never logged and never sent anywhere except Pax8's own API. Read commands (reconcile, mrr, overage, spend, since, company show, search, and the find/get queries) change nothing. Writes are not gated by default: --dry-run is an opt-in preview flag, so the recommended policy is an agent-level rule - preview with --dry-run, show the exact command, get approval, then run the write. Keep subscription cancellation, contact deletion, and order creation human-only. The strongest control is the permission scope on the API credential you create.

### Pipedrive (CRM)

Page: https://msp-skills.compoundingteams.com/skills/pipedrive/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/pipedrive/install.sh)

Ask your AI "which deals are dying and who do I call today," and get a ranked answer in seconds. The Pipedrive skill keeps a local copy of your pipeline so it can join deals, people, activities, and notes the portal shows on separate screens - surfacing stale deals by dollar at risk, a weighted forecast, stage bottlenecks, and rep leaderboards without exporting a single CSV.

Outcomes (question -> command your AI agent runs):
- Which open deals has nobody touched in two weeks, worst dollar value first? -> pipedrive-cli stale --quiet-days 14 --agent
- What's my weighted forecast for this quarter, and what's expected to close? -> pipedrive-cli forecast --period this-quarter --agent
- Which deals are stuck in a stage longer than that stage usually takes? -> pipedrive-cli aging --agent
- Which open deals have no next activity scheduled? -> pipedrive-cli next-activity --missing --agent
- Rank my reps by won value over the last 90 days. -> pipedrive-cli leaderboard --by won-value --window 90d --agent
- What changed since yesterday, and who do I need to call today? -> pipedrive-cli digest --for-me --agent
- Which deals did we lose in the last six months, with reasons, for a re-engagement push? -> pipedrive-cli lost --since 180d --agent
- Find likely-duplicate organizations so I can clean up the CRM. -> pipedrive-cli dupes --entity organizations --agent
- Search every synced deal, person, and organization for a name. -> pipedrive-cli search "Acme Corp" --agent
- Pull my whole pipeline into a local copy for offline, zero-API-call analysis. -> pipedrive-cli sync --agent

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Pipedrive MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Pipedrive data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Does this need a higher Pipedrive plan or the paid Insights tier?
A: No. Any Pipedrive plan that issues an API token works - find it under Settings > Personal preferences > API. The skill talks to the standard Pipedrive API, and the cross-entity analytics (stale, forecast, aging, leaderboard) run locally on your synced data, so they are not gated behind a reporting add-on.
Q: Will this burn through my Pipedrive API rate limits?
A: Day-to-day questions answer from the local mirror after a `sync`, so they make zero API calls. `sync` itself paginates politely - tune `--rate-limit` and `--concurrency`, and use `--since 24h` to refresh only what changed - and live calls only happen when local data is missing or stale.

Governance: The skill can read your whole pipeline and can create, update, and delete CRM records, so treat it like any account with write access. Reads - the reports, the analytics rollups, and search - are always safe. Routine writes such as `deals add`, `deals update`, and the bulk `import` should be previewed with `--dry-run` and approved before they run. Deletes and token commands are human-in-the-loop only. The recommended agent policy is read plus previewed writes, with a human approving anything that mutates or removes data.

### Proofpoint TAP (Security)

Page: https://msp-skills.compoundingteams.com/skills/proofpoint/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/proofpoint/install.sh)

Proofpoint TAP's dashboard answers one threat, one clicker, one campaign at a time, and every SIEM pull spends against a hard daily quota. This skill backfills clicks, messages, campaigns, Very Attacked People, and clickers into a local SQLite store, then answers the questions the console can't: who is both heavily attacked and clicking, every event that touched one user, and a full incident brief from a single threatId - offline, in seconds.

Outcomes (question -> command your AI agent runs):
- What malicious clicks and messages got through overnight? -> proofpoint-cli backfill --since 12h
- Who is both Very Attacked and a top clicker? -> proofpoint-cli risk-overlap --window 30
- Give me the full incident brief for a threatId -> proofpoint-cli incident "threat-abc123"
- What indicators should I block from this threat? -> proofpoint-cli iocs --threat-id "threat-abc123" --csv
- Show me every event that touched one user -> proofpoint-cli user "jane.doe@example.com"
- Who are my Very Attacked People this month? -> proofpoint-cli people list-vap --window 30
- Which permitted clicks and delivered threats still need a response? -> proofpoint-cli siem list-issues
- What threats are inside this campaign? -> proofpoint-cli campaign-threats "campaign-xyz789"
- Decode this urldefense-rewritten link to its real target -> proofpoint-cli url --urls "https://urldefense.com/v3/__https://example.com__;!!abc"
- Is my synced threat data fresh enough to trust an offline query? -> proofpoint-cli workflow status

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Proofpoint MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Proofpoint data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local, and the bundled MCP server exposes read-only threat-intelligence tools only. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this blow through my Proofpoint TAP API limits?
A: No - avoiding that is the point. TAP caps you at 1,800 SIEM requests and 50 campaign-id lookups per rolling 24 hours. The skill backfills once into a local SQLite store, then answers repeat and cross-endpoint questions from that mirror, so re-querying a window or looping over users costs zero additional API calls. Live calls fire only when you ask for fresh data.
Q: Do I need a special Proofpoint partner API or Essentials admin access?
A: No. It uses your standard TAP (Targeted Attack Protection) Service Principal and Secret, created under Settings then Connected Applications in the TAP dashboard. It reads the Threat Insight endpoints your account already exposes; it does not require Proofpoint Essentials administration or a separate partner program.

Governance: The skill reads your Proofpoint TAP threat data - SIEM click and message events, campaigns, Very Attacked People, top clickers, and forensic evidence - and can sync it into a local SQLite mirror; all of that is read-only and safe to let an agent run, and the bundled MCP server exposes only those read tools. The one API write path is CLI-only bulk import, which supports --dry-run - preview it and keep it human-reviewed. The local auth commands (auth set-token, auth logout) manage your stored TAP credentials and should stay operator-only.

### QuickBooks Online (Billing)

Page: https://msp-skills.compoundingteams.com/skills/quickbooks/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/quickbooks/install.sh)

Ask your books a question and get the answer, not a CSV export. The skill syncs your QuickBooks Online company into a local SQLite mirror, then answers who owes you (ar-aging), what you owe (ap-aging), where the cash is (balances), which invoices to chase first (invoices stale), and whether the books are clean to close (reconcile) - instantly, offline, across the whole book. No portal clicking, no per-question API call.

Outcomes (question -> command your AI agent runs):
- Who owes us money, bucketed 0-30 / 31-60 / 61-90 / 90+? -> quickbooks-cli ar-aging --agent
- What do we owe vendors, and when is it due? -> quickbooks-cli ap-aging --agent
- Which overdue invoices should I chase first? -> quickbooks-cli invoices stale --days 30 --agent
- Where does our cash stand across accounts, AR, and AP? -> quickbooks-cli balances --agent
- What net cash movement is scheduled over the next 4 weeks? -> quickbooks-cli cash-forecast --weeks 4 --agent
- What is our DSO, and who are the slowest payers? -> quickbooks-cli dso --agent
- Are the books clean enough to close this month? -> quickbooks-cli reconcile --agent
- Which payments came in but were never applied to an invoice? -> quickbooks-cli payments unapplied --agent
- Which customers are duplicated in our list? -> quickbooks-cli dupes customers --agent
- Who slipped an aging bucket since our last check? -> quickbooks-cli aging-delta --agent

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local QuickBooks Online MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my QuickBooks Online data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my QuickBooks API rate limits?
A: Rarely. The only API-heavy step is the one-time sync that mirrors your company into local SQLite; after that, ar-aging, dso, cash-forecast, reconcile and the rest run entirely offline against the mirror. Intuit throttles per company (realm), and the CLI paginates and rate-limits sync for you, so day-to-day questions never touch the API.
Q: Do I need to be an Intuit partner to use it?
A: No. You need a QuickBooks Online company and an OAuth access token scoped to com.intuit.quickbooks.accounting, plus your company realm ID. You mint the token from the Intuit Developer portal or the OAuth 2.0 Playground, and `quickbooks-cli auth refresh` turns a refresh token into a fresh access token - no partner status required.

Governance: The skill reads everything - aging, balances, DSO, cash forecast, reconciliation, search - and read commands cannot change anything. Writes are explicit create/update/delete commands on invoices, bills, payments, customers, vendors, accounts, items, and journal entries, and `--dry-run` is opt-in, so the recommended agent policy is: read freely, preview every write, and keep a human on deletes. Credentials are read from the environment only and are never written to disk or logged.

### RocketCyber (Security)

Page: https://msp-skills.compoundingteams.com/skills/rocketcyber/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/rocketcyber/install.sh)

Ask your AI "what broke across all my RocketCyber clients overnight?" and get one ranked board - open incidents, malicious event counts, and offline agents - instead of clicking through a per-client console. The same skill ranks devices at risk, computes incident MTTR for QBRs, trends Microsoft 365 secure scores, and flags stale suppression rules that quietly hide real detections. All from the terminal.

Outcomes (question -> command your AI agent runs):
- What broke across all my clients overnight? -> rocketcyber-cli triage --since 24h
- Which devices went dark this week? -> rocketcyber-cli agents stale --since 7d
- How fast is my SOC actually resolving incidents? -> rocketcyber-cli incidents mttr --since 90d
- Which machines are riskiest in Defender right now? -> rocketcyber-cli defender riskiest --top 10
- Is this client's Microsoft 365 posture improving? -> rocketcyber-cli office trend --account-id 2
- Which suppression rules are stale and may hide detections? -> rocketcyber-cli suppression audit --stale-after 90d
- What detection events fired, by verdict? -> rocketcyber-cli events summary --account-id 2

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local RocketCyber MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your RocketCyber API token once.
Q: Is my RocketCyber data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local SQLite mirror are all local. The AI sees query results, not raw bulk data, and your API token is never bundled or transmitted by MSP Skills - only sent to the RocketCyber API you point it at.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: What RocketCyber access do I need?
A: A RocketCyber provider account and an API token you generate in the RocketCyber app. The skill talks to the RocketCyber Customer API v3 (US region by default; set ROCKETCYBER_BASE_URL for the EU endpoint) and reads your own SOC data - incidents, agents, detection events, Defender, Microsoft 365 posture, and suppression rules - scoped to the accounts your token can see.

Governance: The skill reads your RocketCyber SOC data - incidents, agents, detection events, Defender and Microsoft 365 posture, and suppression rules - and computes the analytics locally. The only command that writes to the API is `import` (create/upsert from a JSONL file), and it supports `--dry-run` to preview every request before sending. `auth set-token` and `auth logout` manage your stored credential. Keep autonomous agents on read plus previewed imports, and require a human for credential changes.

### Rootly (Incident Response)

Page: https://msp-skills.compoundingteams.com/skills/rootly/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/rootly/install.sh)

Ask "who's on call for this service right now?" or "what's our MTTR by service this quarter?" and get the answer in one command. Rootly syncs to a local SQLite mirror, so incident-similarity, resolution mining, on-call coverage audits, and MTTA/MTTR analytics run instantly and offline - no portal clicking, no per-question API call.

Outcomes (question -> command your AI agent runs):
- Who's on call right now across every service and schedule? -> rootly-cli oncall-now
- What past incidents are most similar to this one? -> rootly-cli related <incident-id>
- What actually fixed this service the last time it broke? -> rootly-cli fixed-last-time <service>
- What's our MTTA and MTTR by service this quarter? -> rootly-cli mttr --by service --since 90d
- Where does an on-call schedule have an unstaffed gap? -> rootly-cli coverage-gaps --days 14
- Is it safe to deploy this service right now? -> rootly-cli deploy-guard <service>
- Give me one screen for this active incident. -> rootly-cli war-room <incident-id>
- Which incidents are breaching or about to breach SLA? -> rootly-cli sla-breach --within 2h
- Which open action items are overdue, grouped by owner? -> rootly-cli action-items-overdue --group-by owner
- Draft a paste-ready post-mortem skeleton for this incident. -> rootly-cli postmortem-skeleton <incident-id>

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Rootly MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Rootly data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Rootly API rate limits?
A: Rarely. Read questions run against the local SQLite mirror, not the API - you sync once, then analytics, search, and the on-call views are offline. Only sync and live writes call Rootly.

Governance: The skill reads incidents, alerts, schedules, and on-call data, and can create or update incidents and related objects - but never changes anything unless you ask. Reads are always safe to run; routine writes should be previewed with --dry-run and then approved; credential, destructive, and config commands (secrets, deletes, key rotation) are human-in-the-loop only.

### runZero (Security)

Page: https://msp-skills.compoundingteams.com/skills/runzero/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/runzero/install.sh)

runZero's API answers one entity at a time; it cannot join assets to services to vulnerabilities in a single call. This skill syncs your whole attack surface into a local SQLite copy, then ranks exposure, diffs what changed since the last sync, and traces any CVE to the exact assets it hits - offline, at zero API quota. Ask in plain language; your agent runs the command and reads back the answer.

Outcomes (question -> command your AI agent runs):
- Which of our assets are most exposed right now? -> runzero-cli triage --agent
- Only the internet-facing ones? -> runzero-cli triage --internet-facing --agent
- What changed on our attack surface since last week? -> runzero-cli diff --since 7d
- What newly became exposed or vulnerable since the last sync? -> runzero-cli exposure-delta --agent
- Which assets are affected by a given CVE? -> runzero-cli affected "CVE-2024-3094" --agent
- Where are risky services concentrated in a subnet? -> runzero-cli exposure-map "10.0.0.0/8" --agent
- Which TLS certificates are expiring soon or using weak crypto? -> runzero-cli certs-expiring --days 90 --weak
- Which assets are stale, end-of-life, or unowned? -> runzero-cli stale --days 90 --json
- How many assets run a given software product, by version? -> runzero-cli software rollup "openssl" --agent
- Scan a subnet on a site and wait for the result? -> runzero-cli scan-watch "<site_id>" --targets "10.0.0.0/24"

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local runZero MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your runZero API key once.
Q: Is my runZero data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local SQLite copy are all local. The AI sees query results, not raw bulk data, and your API key is never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Does this burn my runZero API quota?
A: Only 'inventory sync' and live queries call the API. The cross-entity analysis - triage, diff, affected, exposure-map, exposure-delta, certs-expiring, software rollup - runs entirely against the local SQLite copy, so re-slicing your attack surface a hundred ways costs zero additional API calls.
Q: Does it work with self-hosted runZero?
A: Yes. It defaults to the hosted console at console.runzero.com; point it at your own console with RUNZERO_BASE_URL. The same API-token scopes apply.
Q: What token scope do I need?
A: A read/Export token (Export ET, Organization OT, or Account CT key) covers sync and every analysis command. Launching a scan with scan-watch or org create-scan needs a token with scan permission. Scope the credential to only what your workflow uses.

Governance: The skill reads your runZero attack surface - assets, services, software, vulnerabilities, and certificates - and keeps a local copy you can query offline. It can also write: launch network scans, create sites, manage account users and keys, and import data, all opt-in. Most read commands are safe, but the credential, token, and key reads (e.g. account get-apitoken, get-credentials, get-keys) return or mint secrets, so treat them like writes. Keep an autonomous agent to non-secret reads plus previewed (--dry-run) writes, and require a human for scan launches, any credential / token / key operation, and any delete.

### Salesbuildr (CRM)

Page: https://msp-skills.compoundingteams.com/skills/salesbuildr/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/salesbuildr/install.sh)

Ask your AI which quotes are aging, which lines are bleeding margin, and where your pipeline is stalling - and get the answer from your own Salesbuildr data in seconds. salesbuildr-cli syncs your quotes, opportunities, products, and pricing books into a local mirror, so the cross-quote questions the portal can't answer in one click become a single command.

Outcomes (question -> command your AI agent runs):
- Which sent or approved quotes are aging, and how much is at risk? -> salesbuildr-cli quote stale --days 14
- Which quote line items are priced below my markup floor? -> salesbuildr-cli quote thin --floor 20
- How does my quote pipeline convert stage by stage, in count and dollars? -> salesbuildr-cli quote funnel
- Where have per-company pricing-book prices drifted from the master catalog? -> salesbuildr-cli pricing drift
- What's my win rate by owner, stage, or category? -> salesbuildr-cli opportunity winrate --by owner
- What's my probability-weighted recurring-revenue forecast on the open pipeline? -> salesbuildr-cli opportunity mrr-forecast
- Which catalog products have I never quoted to a given company? -> salesbuildr-cli company whitespace "Acme Managed IT"
- Which records are missing the external ID my PSA sync depends on? -> salesbuildr-cli reconcile-psa

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Salesbuildr MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Salesbuildr data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hammer my Salesbuildr API rate limits?
A: No. The analytics read a local SQLite mirror, not the live API - you sync once, then ask as many questions as you want offline with zero further API calls. The sync itself honors a configurable --rate-limit, and you control how often it runs.
Q: Do I need to be a Salesbuildr customer, and will this replace my PSA sync?
A: You need a Salesbuildr account, a Public API key from your portal, and your tenant subdomain. It does not replace your Autotask/ConnectWise sync - it reads your Salesbuildr data and flags the records missing the external ID that sync depends on, so you can fix the gaps. It never writes to your PSA.

Governance: The skill reads your Salesbuildr quotes, opportunities, products, companies, and pricing books, and can create, update, or delete those records through the Public API. Reads - every get/list, the analytics rollups, search, sql, export, and sync - are safe to run unattended. Routine writes (create/update/upsert, the bulk import, winning or losing an opportunity) should be previewed with --dry-run and approved. The delete commands and the local auth/credential commands are human-in-the-loop only.

### SentinelOne (Security)

Page: https://msp-skills.compoundingteams.com/skills/sentinelone/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/sentinelone/install.sh)

Running SentinelOne across a book of customer sites? Ask your AI "what should I triage first across every client," "which endpoints went dark or dropped to detect-only," or "where did this malicious file spread," and get one cross-site answer the console can't compose. Every site is mirrored into a local store, so one triage worklist, one fleet-health rollup, and one posture scorecard replace the morning ritual of flipping the console scope selector tenant by tenant.

Outcomes (question -> command your AI agent runs):
- What should I triage first across all my client sites right now? -> sentinelone-cli threats triage
- Where did this malicious file spread, and which endpoints are still active? -> sentinelone-cli threats blast-radius "Mimikatz"
- Which endpoints are decaying - offline, out-of-date, infected, or under-protected? -> sentinelone-cli fleet-health stale --min-score 50
- Which clients have protection gaps (detect-only, Ranger off, firewall off)? -> sentinelone-cli coverage gaps
- What changed across the whole fleet since yesterday? -> sentinelone-cli whatchanged --since 24h
- Which threats keep coming back after we mitigated them? -> sentinelone-cli threats recurrence
- Are we hitting our mitigation SLA, and where are the breaches? -> sentinelone-cli threats mttr --sla 4
- Rank my clients by risk so I know which tenant to call first? -> sentinelone-cli sites risk
- Give me one posture scorecard per client for the QBR deck? -> sentinelone-cli posture
- Pull every site's SentinelOne data into a local mirror for offline queries? -> sentinelone-cli sync

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local SentinelOne MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my SentinelOne data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my SentinelOne API rate limits?
A: The local mirror exists so reads stop hitting the API. After the first sync, the cross-site views (threats triage, blast-radius, fleet-health, coverage gaps, posture, sites risk, whatchanged) run against local SQLite with zero API calls, and live calls respect a --rate-limit throttle. The history-aware analytics (whatchanged, MTTR, versions rollout, verdicts --changed) need at least two syncs to have something to diff.
Q: What API token do I need, and how do I scope it?
A: A SentinelOne API token from your management console (a Service User token is the durable choice; a personal user token works but expires). The token inherits the role of the user that mints it, so that role is the real permission boundary - mint a read-scoped token for reporting workflows and keep write or admin scope for the rare case you actually need it.
Q: Does it work across more than one SentinelOne console?
A: Each install points at one console URL plus its token, which already spans every Account, Site, and Group that token can see - the usual MSSP setup. For genuinely separate consoles, run a profile per console (see 'sentinelone-cli profile') and point each at its own credential.
Q: Does it replace the SentinelOne console?
A: No. The console stays best for hunting, policy authoring, and the interactive response workflow. This skill adds cross-site queries and scriptable actions to your AI agent so you stop scoping into each site to answer book-wide questions.

Governance: The skill drives the sentinelone-cli and sentinelone-mcp binaries, authenticating with a SENTINELONE_API_TOKEN read from the environment, never logged and never sent anywhere except the SentinelOne API. The read commands (threats triage, blast-radius, recurrence, mttr, verdicts; fleet-health, coverage gaps, posture, sites risk, versions rollout, ranger exposure, exclusions audit, whatchanged, search) change nothing. Writes are not gated by default: --dry-run is an opt-in preview flag, so the recommended policy is an agent-level rule - preview with --dry-run, show the exact command, get approval, then run the write. Keep the destructive and credential tiers (agents uninstall / decommission, exclusions delete, sites delete, config-override delete, users delete, uninstall-password and API-token commands) human-only. The strongest control is the role you scope the API token to.

### Servosity (Backup/DR)

Page: https://msp-skills.compoundingteams.com/skills/servosity/
Badge: Live-verified
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/servosity/install.sh)

MSPs run Servosity as the backup and DR platform - M365, DR Server, and DR Desktop protection across a whole book of clients. Ask your AI "where is my attention needed today", "which backups went stale this week", or "build Acme's QBR backup section" and get fleet-wide answers the per-client dashboard can't compose: ranked attention sweeps, day-over-day drift, ready-to-send stale-backup follow-ups, and the whole book's QBR reports in one pass.

Outcomes (question -> command your AI agent runs):
- Where is my attention needed today, ranked worst-first? -> servosity-cli attention --top 5
- What got worse since yesterday, and what recovered? -> servosity-cli drift
- Which clients have backups stale for 7+ days? -> servosity-cli stale-backups --days 7
- Draft the follow-up email for every client with a stale backup -> servosity-cli email-draft --stale --days 7
- Build the backup section of Acme's QBR as a PDF -> servosity-cli qbr "Acme Co" --out acme-q1.pdf
- Quarter-end: every client's QBR backup report in one pass -> servosity-cli qbr-all --quarter 2026-Q1 --out ./qbrs/
- Watch every client's restore queue during a DR event -> servosity-cli restore-queue watch
- Does my Servosity bill match what I invoice my clients? -> servosity-cli bill --reconcile invoices.csv

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Servosity MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Servosity and client data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local fleet mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: What credentials do I need?
A: A Servosity partner API token from the partner portal. Set SERVOSITY_MSP_TOKEN in your environment or run servosity-cli auth set-token. The token carries your reseller scope - the CLI sees exactly the clients your Servosity account sees, nothing more.
Q: Can this change anything in my Servosity account?
A: The day-to-day surface is read-only. The write surface is issue triage (triage --ignore / --archive / --reactivate / --comment) and import, plus raw create/update/delete subcommands under the API resource groups. --dry-run is an opt-in preview, not a default - the recommended agent policy is preview, approve, then run. Restores and backup configuration stay in the dashboard.
Q: Is it fast enough for the morning sweep?
A: After a sync, the fleet views (attention, drift, stale-backups, backup-facts, qbr) read the local store - instant and offline. Pass --refresh when you want a live pull; restore-queue watch polls live by design.
Q: Do I need to be a Servosity partner?
A: Yes - the CLI authenticates with an MSP partner token. If you're not a partner yet, start at servosity.com; the skill itself is Apache-2.0 and free either way.

Governance: First-party: published by Servosity for MSP partners. The skill drives the servosity-cli and servosity-mcp binaries, authenticating with your partner token (SERVOSITY_MSP_TOKEN) - never logged and never sent anywhere except the Servosity API. The fleet views are reads; the write surface is issue triage (ignore/archive/reactivate/comment), import, and raw CRUD under the resource groups, all with the opt-in --dry-run preview. The token's reseller scope is the permission boundary.

### Sherweb (Billing)

Page: https://msp-skills.compoundingteams.com/skills/sherweb/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/sherweb/install.sh)

MSPs resell Microsoft 365, Azure, and security through Sherweb, then spend the monthly close reconciling what they owe Sherweb against what they bill customers. Ask your AI "what's my net margin per customer," "which subscriptions am I paying for but not billing," or "what will this seat change cost," and get answers the Sherweb portal cannot compose: payable charges joined to receivable charges and subscriptions, computed offline from a local mirror in one query instead of a CSV export and a spreadsheet.

Outcomes (question -> command your AI agent runs):
- What is my net margin per customer this month - receivable minus payable? -> sherweb-cli margin --month 2026-04
- Whose margin is sliding month over month before an account goes negative? -> sherweb-cli margin-trend --last 6
- Which active subscriptions am I paying Sherweb for but not billing the customer? -> sherweb-cli orphans
- Where am I absorbing metered usage I never billed back? -> sherweb-cli usage-leak
- Which subscriptions have more seats paid than seats actually used? -> sherweb-cli right-size
- What changed on my payable charges since the last sync - new, vanished, or repriced? -> sherweb-cli drift
- What subscriptions were added, cancelled, or resized across my whole book this month? -> sherweb-cli sub-changes --since 30d
- How many total seats of each product do I carry across every customer? -> sherweb-cli fleet-subs --product "Microsoft 365"
- What will a seat change cost before I actually submit the amendment? -> sherweb-cli amend-preview --sub "SUB123" --qty 25

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Sherweb MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Sherweb data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need to be a Sherweb partner, and what credentials does it use?
A: Yes - it talks to the Sherweb Partner API with your own partner credentials, using composed authentication. You need an OAuth2 client-credentials Client ID and Secret (with a scope) for the bearer token, plus an APIM gateway subscription key that rides on every call. Create the OAuth2 application and copy the subscription key from cumulus.sherweb.com under Security > APIs, then set SHERWEB_CLIENT_ID, SHERWEB_CLIENT_SECRET, SHERWEB_OAUTH_SCOPE, and SHERWEB_SUBSCRIPTION_KEY. The credential's own permissions are the real boundary - scope it to what you want the AI to reach. Run sherweb-cli doctor to confirm auth and connectivity.
Q: Will this hit my Sherweb API rate limits?
A: After deep-sync, the analytics commands (margin, margin-trend, orphans, usage-leak, right-size, drift, sub-changes, fleet-subs, amend-preview) run against your local SQLite mirror with zero API calls. Live calls respect a --rate-limit throttle, and sync is resumable and incremental - it only fetches what changed since the last checkpoint.
Q: Does this replace the Sherweb portal?
A: No. Provisioning, ordering, and subscription management stay in the portal. This skill answers the cross-entity margin and billing questions the portal cannot compose in one place, from your terminal or agent.

Governance: The skill drives the sherweb-cli and sherweb-mcp binaries, authenticating with Sherweb Partner API credentials read from the environment (SHERWEB_CLIENT_ID, SHERWEB_CLIENT_SECRET, SHERWEB_OAUTH_SCOPE, SHERWEB_SUBSCRIPTION_KEY) - never logged and never sent anywhere except Sherweb's own API. The analytics and list/get read commands (margin, margin-trend, orphans, usage-leak, right-size, drift, sub-changes, fleet-subs, amend-preview, distributor, and the service-provider list/get queries) change nothing. Writes are not gated by default: --dry-run is an opt-in preview flag, so the recommended policy is an agent-level rule - preview with --dry-run, show the exact command, get approval, then run the write. Keep subscription amendments, order placement, and especially subscription cancellation human-only, and treat the auth commands as credential operations. The strongest control is the permission scope on the OAuth2 application and subscription key you create.

### SkyKick (Backup/DR)

Page: https://msp-skills.compoundingteams.com/skills/skykick/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/skykick/install.sh)

Run one fleet-sync, then ask your AI which SkyKick customers have a backup gap right now. It reads every subscription's Exchange/SharePoint posture, snapshot recency, coverage, and retention from a local copy and answers across all your tenants at once - the cross-customer view the per-tenant SkyKick portal never rolls up.

Outcomes (question -> command your AI agent runs):
- Which customers have a protection gap right now? -> skykick-cli fleet-health --flag-gaps --agent
- Whose mailboxes haven't been snapshotted in 48 hours? -> skykick-cli stale-snapshots --hours 48 --agent
- What's discovered but not actually being backed up? -> skykick-cli coverage-gaps --type all --agent
- Which tenants fall below our retention floor? -> skykick-cli retention-audit --floor-days 365 --agent
- Where is autodiscover off, so new mailboxes silently never enroll? -> skykick-cli autodiscover-audit --only-off --agent
- What protection changed since my last review? -> skykick-cli drift --agent
- What open alerts exist across the whole fleet, worst first? -> skykick-cli alert-sweep --agent
- How does backup posture roll up by partner? -> skykick-cli partner-rollup --agent

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local SkyKick MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my SkyKick data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Do I need to be a SkyKick partner, and will this hit my API rate limits?
A: Yes - it authenticates with SkyKick Partner API client credentials (your API user ID and partner subscription key) from your SkyKick / ConnectWise Cloud Services partner account, and reads only what those credentials already permit. On rate limits: fleet-sync fans out per subscription with bounded concurrency and caches results in local SQLite, and SkyKick rate-limits the token endpoint aggressively, so the CLI mints and reuses cached tokens. Day-to-day questions run against the local store and never re-hit the API; you control --workers and --rate-limit.

Governance: The skill is read-first: every posture, staleness, coverage, retention, autodiscover, drift, alert, and partner view only reads. It can change a small, explicit set of things, all of which POST to the live SkyKick API: marking alerts complete (one at a time, or in bulk only with --apply), triggering Exchange mailbox and SharePoint site discovery, and bulk import from JSONL. There are no delete, credential, or admin commands. Keep an autonomous agent to read plus previewed writes, and require a human to approve the completion, discovery, and import commands.

### SuperOps (PSA)

Page: https://msp-skills.compoundingteams.com/skills/superops/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/superops/install.sh)

SuperOps unifies PSA and RMM on one database, but the console still answers one entity at a time. Ask your AI "who's about to breach SLA, and on whose queue," "what's the full picture on Acme before the QBR," or "which endpoints are unpatched and actively alerting," and get cross-entity answers computed offline from a local SQLite mirror of your tenant - one query instead of five console screens or a scheduled report.

Outcomes (question -> command your AI agent runs):
- Who's about to breach SLA, grouped by technician? -> superops-cli sla-watch --by tech --window 4h
- Which clients have alerts still sitting unresolved? -> superops-cli alert-coverage --client Acme
- Which endpoints are missing a critical patch and actively alerting? -> superops-cli at-risk-assets --client Acme
- Which open tickets has nobody touched in a week? -> superops-cli stale-tickets --days 7
- Everything about one client - sites, users, contracts, tickets, assets, open invoices? -> superops-cli client-360 "Acme Corp"
- Where is billable time concentrated before this month's invoicing? -> superops-cli unbilled --since 2026-05-01
- Give my triage agent one ticket with its worklogs, client, and SLA in a single read -> superops-cli context-ticket 12345 --agent --select ticket.subject,client.name,sla.name
- Search every synced ticket, asset, and client for "disk full" -> superops-cli search "disk full"

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local SuperOps MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my SuperOps data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: Will this hit my SuperOps API rate limits?
A: The local mirror exists so reads stop hitting the API. After the first `sync`, the cross-entity views (sla-watch, client-360, at-risk-assets, alert-coverage, unbilled, stale-tickets) run against local SQLite with zero API calls. Live calls respect a `--rate-limit` throttle, and sync is incremental and resumable - it only fetches what changed, and it treats resources your token can't reach as warnings, not failures.
Q: Does it work with the US and EU SuperOps regions?
A: Yes. The US host is the default; set SUPEROPS_REGION=eu to target the EU host (euapi.superops.ai). Your tenant subdomain goes in SUPEROPS_SUBDOMAIN, which the CLI sends as the CustomerSubDomain header on every request.
Q: Can it create or update tickets?
A: The typed commands are read-only by design - inspection, export, sync, and analysis. The one write path is `raw mutation`, the supported escape hatch for operations the typed commands don't wrap (for example createTicket, updateTicket, resolveAlerts). Pair it with --dry-run to preview the exact GraphQL request, and keep a human in the loop; `raw query` is the read-only counterpart.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.

Governance: The skill drives the superops-cli and superops-mcp binaries, authenticating with a SUPEROPS_API_TOKEN (plus SUPEROPS_SUBDOMAIN for your tenant) read from the environment - never logged, never sent anywhere except the SuperOps API. Every typed command is read-only: tickets, assets, alerts, clients, contracts, invoices, worklogs, and the cross-entity views change nothing. The single write path is `raw mutation`; the recommended policy is to preview it with --dry-run, show the exact GraphQL request, get approval, then run. The strongest control is the scope of the API token you mint.

### Syncro (PSA)

Page: https://msp-skills.compoundingteams.com/skills/syncro/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/syncro/install.sh)

Ask your AI "which customers have logged time we never invoiced?" and get the unbilled hours ranked by customer in seconds - no report exports, no portal clicking. Syncro plus your agent answers billing-leakage, AR-aging, SLA-breach, and patch-gap questions across every customer at once, from one local mirror of your Syncro PSA and RMM data. Free, open source, runs on your laptop.

Outcomes (question -> command your AI agent runs):
- Which customers have logged time we never invoiced? -> syncro-cli billing uninvoiced
- Which closed tickets had billable time that was never invoiced? -> syncro-cli billing drift
- How is our unpaid AR aging (0-30/30-60/60-90/90+)? -> syncro-cli billing ar-aging
- What is our revenue per labor hour by customer this quarter? -> syncro-cli customers margin
- Which open tickets are going stale with no recent activity? -> syncro-cli tickets aging
- Which assets are missing the most critical patches? -> syncro-cli assets patch-gaps
- Which customers generate the most RMM alert noise? -> syncro-cli alerts noise
- Which RMM alerts never became a ticket? -> syncro-cli alerts orphans
- Give me one cross-entity card for a single customer. -> syncro-cli customers profile 12345

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Syncro MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Syncro data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Syncro API rate limits?
A: Day-to-day questions read from the local SQLite mirror, not the live API, so they don't touch your rate limit at all. Only `sync` and live reads call Syncro, and the CLI has a built-in `--rate-limit` flag plus response caching to stay polite.
Q: Do I need to be a Syncro partner or on a specific plan?
A: You just need a Syncro account and an API token from your own portal (Admin area). It authenticates as you, against your subdomain, with whatever permissions that token is scoped to - no partner program or special tier required.
Q: Will this replace my Syncro portal?
A: No. It reads from your Syncro account and is for the cross-customer questions and bulk analysis the portal makes tedious. You still run tickets, billing, and RMM day-to-day in Syncro; this is the fast lane for the questions an owner keeps re-asking.

Governance: The skill is read-first: reporting, rollups, and cross-entity views can't change anything in Syncro. Mutating commands (create/update/delete tickets, invoices, customers, and the like) send immediately unless you pass `--dry-run` to preview first, so the safe agent policy is read plus previewed writes, with a human approving anything that creates, updates, or deletes. The CLI can only ever do what the API token you supply is scoped to do.

### Tactical RMM (RMM)

Page: https://msp-skills.compoundingteams.com/skills/tactical-rmm/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/tactical-rmm/install.sh)

Ask plain-English questions about your whole self-hosted Tactical RMM fleet and get answers the web UI can't assemble in one view: which agents went dark, where patches and reboots are pending across every client, what changed overnight, and which endpoints are unmonitored. `tactical-rmm-cli` mirrors your fleet into local SQLite, then answers cross-client rollups instantly and offline - and can fan a command across a filtered cohort, preview-first.

Outcomes (question -> command your AI agent runs):
- What's the overall health of my fleet right now? -> tactical-rmm-cli fleet health
- Which agents need attention first? -> tactical-rmm-cli triage --limit 20
- Which agents have gone dark or stopped checking in? -> tactical-rmm-cli agents stale --days 7
- Where are patches and reboots pending across every client? -> tactical-rmm-cli patch posture --by client
- What changed across the fleet in the last few hours? -> tactical-rmm-cli since "2h"
- Which endpoints have no checks configured (monitoring gaps)? -> tactical-rmm-cli coverage
- What's each client's posture in a single row? -> tactical-rmm-cli clients scorecard
- Which checks are failing on the most agents? -> tactical-rmm-cli checks worst
- Which agents have a given software package installed? -> tactical-rmm-cli software find --name openssl
- Summarize alerts by severity over the last day -> tactical-rmm-cli alerts digest --since 24h --by severity
- Which agents have a named Windows service stopped? -> tactical-rmm-cli services down --name Spooler

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Tactical RMM MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Tactical RMM data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: It's self-hosted - how does it find my server?
A: You point it at your own instance: set TACTICAL_RMM_BASE_URL to your Tactical RMM API URL (for example https://api.yourdomain.com) and TRMM_API_KEY to a key from Settings > Global Settings > API Keys. Both are set once; nothing is hard-coded to a vendor cloud.
Q: Do I need to be a Tactical RMM customer or partner?
A: No. Tactical RMM is free and open source and you self-host it. You only need an API key on your own instance; any Tactical RMM server with API access works.
Q: Will this hit my server's rate limits?
A: Rarely. Most questions run against the local SQLite mirror after a one-time sync, so they make zero API calls. The few commands that fan out live (like services down or actions pending) are paced and capped with --max-scan-agents.
Q: Will this replace my Tactical RMM web UI?
A: No - it complements it. The UI stays your system of record and remote-access console; this skill adds the cross-client query-and-automation layer it doesn't offer.

Governance: The skill reads everything across your fleet - agents, clients, sites, checks, alerts, patches, software, services, and the cross-client rollups - and through the API it can also create and update config, delete records, run scripts and commands on endpoints, reboot or shut machines down, install Windows updates, and manage users, roles, and API keys. Reads are safe to run unattended, with one exception: listing API keys or reading the keystore, codesign token, or core settings can return stored secrets, so treat those as credential-tier. Keep an autonomous agent to reads plus previewed writes; require a human for anything that runs on an endpoint, deletes, or touches credentials. The CLI can only do what your API key is permitted to do, so scope the key to the workflow.

### ThreatLocker (Security)

Page: https://msp-skills.compoundingteams.com/skills/threatlocker/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/threatlocker/install.sh)

Running ThreatLocker across a whole book of customer tenants? Ask your AI "what approvals are pending everywhere," "which agents went dark this week," or "which clients are about to lose audit evidence," and get one cross-tenant answer the Portal can't compose. Every tenant is mirrored into a local store, so one approval queue, one audit archive, and one health rollup replace dozens of one-tenant-at-a-time Portal logins.

Outcomes (question -> command your AI agent runs):
- What application approvals are pending across all my clients right now? -> threatlocker-cli approvals triage --all-tenants
- Approve this file hash everywhere it's pending, but show me the plan first? -> threatlocker-cli approvals approve-batch --hash <sha256> --all-tenants --dry-run
- Which clients are about to lose audit evidence to the 31-day retention cliff? -> threatlocker-cli audit retention-check
- Export every client's audit log before it ages off? -> threatlocker-cli audit export --all-tenants --since 30d
- What security-relevant changes (protection off, policy edits, maintenance) happened across all tenants this week? -> threatlocker-cli audit drift --since 7d --all-tenants
- Which ThreatLocker agents are offline or stale across every client? -> threatlocker-cli devices health --all-tenants
- Where does this binary live across my whole book, approved or pending? -> threatlocker-cli applications hunt --hash <sha256>
- Pull every tenant's ThreatLocker data into a local mirror for offline queries? -> threatlocker-cli sync

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local ThreatLocker MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my ThreatLocker data safe?
A: Your data stays on your machine. The CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my ThreatLocker API rate limits?
A: The local mirror exists so reads stop hitting the API. After the first sync, the cross-tenant views (approvals triage, audit drift, devices health, applications hunt) run against local SQLite with zero API calls. Live calls respect a --rate-limit throttle, and sync is incremental, fetching only what changed since the last checkpoint.
Q: How does it handle ThreatLocker's 31-day audit retention?
A: ThreatLocker's Unified Audit log keeps about 31 days by default. audit export persists each tenant's log to JSONL or CSV locally so evidence outlives that window, and audit retention-check reports, per tenant, how close your archive is to the cliff and how stale your last sync is, so nothing ages off unnoticed.
Q: Do I need to be a ThreatLocker MSP or have child tenants?
A: You need API access in your own ThreatLocker Portal. The cross-tenant features assume a managed (parent) organization with child tenants, which is the MSP setup; a single organization works too, you just get the one-tenant view. The credential you mint is the real permission boundary.
Q: Does it replace the ThreatLocker Portal?
A: No. The Portal stays best for authoring policies and the interactive approve/deny workflow. This skill adds cross-tenant queries and scriptable writes to your AI agent so you stop logging into each tenant to answer book-wide questions.

Governance: The skill drives the threatlocker-cli and threatlocker-mcp binaries, authenticating with a THREATLOCKER_API_KEY read from the environment, never logged and never sent anywhere except the ThreatLocker API. Read commands (approvals triage, audit drift, audit export, audit retention-check, devices health, applications hunt, search) change nothing. Writes are not gated by default: --dry-run is an opt-in preview flag, so the recommended policy is an agent-level rule, preview with --dry-run, show the exact command, get approval, then run the write. Keep computers delete and policies delete human-only. The strongest control is the scope of the API key you mint in the Portal.

### Xero (Billing)

Page: https://msp-skills.compoundingteams.com/skills/xero/
Badge: Awaiting live verification
Install: bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/xero/install.sh)

Ask in plain English who owes you and how overdue, which authorised invoices still have no payment applied, and whether the general ledger ties to outstanding invoices at close - for a Xero organisation, in one call. Xero plus your AI agent reads a local mirror of the org, so the aging, reconciliation, and tie-out questions the web reports make you export and pivot become one instant, offline answer.

Outcomes (question -> command your AI agent runs):
- Who owes us, and how overdue is each invoice? -> xero-cli aging --agent
- What do we owe suppliers, bucketed by age? -> xero-cli aging --payable --agent
- Which contacts carry the most receivable risk? -> xero-cli exposure --agent
- Which authorised invoices are still owed with no applied payment? -> xero-cli reconcile --agent
- Which bank transactions are unreconciled, and what might they match? -> xero-cli bank-recon --agent
- Do the GL control accounts tie to outstanding invoices at close? -> xero-cli tie-out --agent
- What posted to a single account, as a running balance? -> xero-cli ledger 200 --agent
- What changed in the organisation since last week? -> xero-cli since 7d --agent
- Give me one state-of-the-org summary in a single call. -> xero-cli snapshot --agent
- Find every synced record matching a keyword. -> xero-cli search "overdue" --agent

FAQ:
Q: Does this work with ChatGPT?
A: Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local Xero MCP server via a secure bridge. Step-by-step in the install guide.
Q: Do I need to know how to code?
A: No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Q: Is my Xero data safe?
A: Your data stays on your machine - the CLI, MCP server, and the local mirror are all local. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
Q: What does it cost?
A: Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Q: Will this hit my Xero API rate limits?
A: Rarely. After one sync into the local mirror, aging, reconciliation, tie-out, exposure, ledger, and search run entirely offline - zero API calls. Only sync, explicit live reads, and writes touch the API, which Xero caps at 60 calls per minute and 5,000 per day per organisation; the local-first design is built around that limit.
Q: Which Xero credentials does it need, and does it create them?
A: You mint an OAuth2 token in the Xero developer portal - a Custom Connection is the simplest for machine-to-machine use - then pass it plus your organisation's tenant id via XERO_ACCESS_TOKEN and XERO_TENANT_ID. The CLI never creates or rotates tokens; it only uses the one you give it. Run xero-cli doctor to confirm both are set before syncing.
Q: Does it cover one organisation or several?
A: One organisation per XERO_TENANT_ID. The local mirror holds a single tenant; for a multi-entity portfolio, point the tenant id at each organisation in turn and loop.

Governance: Everything analytical reads from a local mirror - aging, exposure, reconcile, bank-recon, tie-out, ledger, snapshot, since, and search are always safe to run and cannot change anything. Writes (creating or updating invoices, contacts, accounts, payments, bank transactions, and items, plus the bulk import) send to your live Xero organisation, so the recommended agent policy is preview-then-approve. Deletes of accounts, items, and payments are destructive and removing stored auth tokens is credential-tier - keep both human-in-the-loop. The strongest control is the scope of the OAuth2 token you grant.