KnowBe4 + AI in 60 seconds
Unofficial. Community-built Claude Code Skill and MCP server for the KnowBe4 API. Not affiliated with, endorsed by, or sponsored by KnowBe4, Inc.
Awaiting live verification - passes every mechanical gate (build, command-surface, claims, install). Be the first to confirm it against your tenant: report it works.
KnowBe4’s console reports one tenant, one phishing test, one chart at a time. This skill syncs your KMSAT data into a local SQLite mirror and answers the questions the portal can’t: which users clicked the bait in multiple phishing tests, whose risk score is deteriorating this quarter, and who clicked a phish but finished zero training - across every client, in seconds, from your terminal.
New to the term? An MCP server is the same thing ChatGPT calls an app or connector, Claude on the web calls a connector, and Claude Code calls a Skill. One thing, many names →
Install in 60s → View on GitHub →
Instead of clicking through KnowBe4, just ask
Instead of Exporting a phishing-test CSV from every client tenant and pivot-tabling to find who failed more than once
just ask: “Which users clicked the bait in two or more phishing tests in the last 90 days?”
Your agent runs: knowbe4-cli repeat-clickers --min-clicks 2 --since 90d --top 25
Instead of Clicking through each user’s risk-score chart in the console to guess who is getting worse
just ask: “Rank the users whose risk score worsened the most this quarter”
Your agent runs: knowbe4-cli risk-drift --window 90d --worsened --top 20
Instead of Cross-referencing the phishing report against the training report by hand to find people who failed and never trained
just ask: “Who clicked a phish but has no passed training to show for it?”
Your agent runs: knowbe4-cli untrained-clickers --since 180d
See it in 30 seconds
Demo data is simulated. Every command shown exists in the real CLI.
What it does
| Question your MSP keeps asking | Command your agent runs |
|---|---|
| Who clicked the bait in more than one phishing test? | knowbe4-cli repeat-clickers --min-clicks 2 --since 90d |
| Whose risk score is getting worse this quarter? | knowbe4-cli risk-drift --window 90d --worsened --top 20 |
| Who clicked a phish but never passed training? | knowbe4-cli untrained-clickers --since 180d |
| Which active users have zero training or zero phishing coverage? | knowbe4-cli coverage-gaps |
| Is training actually working for the Finance group? | knowbe4-cli phish-prone-trend --group "Finance" --since 12mo |
| Who are my highest-risk users, with the why behind the score? | knowbe4-cli risk-leaderboard --top 25 |
| Which departments are driving our risk up? | knowbe4-cli group-risk-contribution --window 90d --top 10 |
| Assemble the full client quarterly review in one command | knowbe4-cli qbr --since 90d |
| Who never reports a simulated phish? | knowbe4-cli report-rate --bottom 25 |
| Is my synced data fresh enough to trust a clicker hunt? | knowbe4-cli freshness |
Full command reference at github.com/servosity/msp-skills/blob/main/skills/knowbe4/guide.md.
What makes this one different
Most KnowBe4 integrations and MCP servers proxy each question into a single live API call - fine for one user, one test. But repeat-clicker hunts, risk drift, and untrained-clicker anti-joins need data fused across many phishing tests and against the training records the console keeps in a separate report. This skill syncs KnowBe4 into a local SQLite mirror, so those cross-test, cross-report questions become one instant offline join instead of a wall of API pulls.
KnowBe4’s console and Virtual Risk Officer give you per-tenant dashboards; this skill adds the cross-client, cross-test rollups and anti-joins the portal never exposes - repeat clickers across every phishing test, risk drift ranked across all users, and clicked-but-untrained remediation lists - all from your own synced data and pointed at by your AI agent.
The pain this closes
- MSPs running KnowBe4 across dozens of client tenants live in CSV exports: the console answers one account and one phishing test at a time, so ‘who are my repeat clickers across all clients’ becomes an afternoon of spreadsheets.
- At QBR time a vCISO needs the short list - who is deteriorating, who never reports, who failed and never trained - but the portal shows risk numbers without the why, and nothing correlates phishing results against training completion.
Install
Works in any of these agents - pick yours:
| Agent | Quick install |
|---|---|
| Claude Desktop | Step-by-step → |
| ChatGPT (Plus/Pro+) | Step-by-step → |
| Claude Code | Step-by-step → |
| Codex CLI | Step-by-step → |
| Cursor, Windsurf, Cline, Continue, Zed, Copilot, Gemini, Hermes, OpenClaw | Which agent? → |
Quickest path for everyone else (terminal):
macOS / Linux:
bash <(curl -fsSL https://raw.githubusercontent.com/servosity/msp-skills/main/skills/knowbe4/install.sh)
Windows (PowerShell):
iwr -useb https://raw.githubusercontent.com/servosity/msp-skills/main/skills/knowbe4/install.ps1 | iex
After install, authenticate once with your KnowBe4 credentials, then verify with knowbe4-cli --version.
Safety model
| Tier | Examples | Recommended agent policy |
|---|---|---|
| Read | account info, users list, groups list, phishing-tests list, training-enrollments list, risk-leaderboard, repeat-clickers, sync, search, qbr | Allow |
| Write (routine) | events create, import | Preview with –dry-run, then a reviewed write |
| Destructive / config | events delete | Human-in-the-loop only |
The skill reads your KnowBe4 reporting data - accounts, users, groups, phishing tests, training, risk scores - and can sync it to a local SQLite mirror; all of that is read-only and safe to let an agent run, and the bundled MCP server exposes only those read tools. The only write paths are CLI-only: pushing or deleting custom risk events on a user’s timeline (a separate, opt-in User Event API key) and bulk import. Keep those human-reviewed and preview them with –dry-run first. Full details in governance.md.
Frequently asked questions
Does this work with ChatGPT?
Yes, on paid ChatGPT plans. ChatGPT connects to remote MCP servers over HTTPS, so you expose the local KnowBe4 MCP server via a secure bridge. Step-by-step in the install guide.
Do I need to know how to code?
No. Paste one sentence into Claude Code or Codex and your agent does the install, or run a one-line installer. You enter your credentials once.
Is my KnowBe4 data safe?
Your data stays on your machine. The CLI, MCP server, and the local mirror are all local, and the bundled MCP server exposes read-only reporting tools only. The AI sees query results, not raw bulk data, and credentials are never bundled or transmitted by MSP Skills.
What does it cost?
Free. Apache-2.0 licensed. You pay only for whichever AI agent you already use.
Does this replace the KnowBe4 console or need a special partner API?
Neither. It uses your standard KMSAT Reporting API key (Account Settings - API - enable Reporting API) and your region (us, eu, ca, uk, or de). It reads what your account already exposes and adds the cross-client rollups the console doesn’t. The one write path that needs extra setup is pushing custom risk events, which uses a separate, opt-in User Event API key.
Status
Beta. Validated against the KnowBe4 API surface and being validated with MSPs running it live against their own production tenants in our weekly Build Sessions.
Standards. Conforms to the open Agent Skills spec (Anthropic, Dec 2025; 40+ agents). MCP-compatible - works with any MCP-capable agent including Hermes. OpenClaw-ready (frontmatter pre-wired, awaiting OpenClaw launch).
Maintained by Servosity for the MSP community. Apache-2.0 licensed. Built with CLI Printing Press.