Claude Code plugin

Install the armoctl plugin in Claude Code (CLI or web) to drive ARMO from natural-language prompts.

What this gives you

Once the plugin is installed, Claude can translate natural-language security questions into precise armoctl commands and summarize the results for you. Ask Claude "show me critical incidents in production" and it runs armoctl incidents list --severity Critical --cluster production, parses the JSON response, and gives you a human-readable summary with the most actionable findings highlighted. You stay in the conversation — no terminal-switching, no flag-hunting. Read operations work immediately; mutations such as creating exceptions or generating policies show you a dry-run diff first, then commit only when you confirm.

Supported surfaces

Both Claude Code CLI (the claude terminal command) and Claude Code web (claude.ai/code) are supported with the same install command. The plugin manifest, skills, and hooks are identical across both surfaces — Anthropic's plugin format is unified, so you get the same behaviour whether you're in a terminal session or the web IDE.

Install

/plugin marketplace add armosec/armoctl
/plugin install armoctl@armosec

The first time a session starts after install, the SessionStart hook checks whether the armoctl binary is present on PATH and runs the official installer if it is not. After that, the hook keeps the binary on the same version as the plugin by running armoctl update whenever they drift.

Configure once

You need two credentials:

Then either run the interactive setup:

armoctl configure

Or set environment variables (preferred for headless agents and CI):

export ARMO_CUSTOMER_GUID=...
export ARMO_ACCESS_KEY=...
export ARMO_API_BASE_URL=api.armosec.io   # api.us.armosec.io for US tenants

Credentials are stored at ~/.armoctl/config.yaml.
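
A pre-flight check for the credential setup above, as an added example that is not part of the ARMO documentation or the armoctl project: it reports missing credentials, a config file that group or other users can access, and an API host other than the two named on this page. The function names are hypothetical, and the expectation that ~/.armoctl/config.yaml should be owner-only is an assumption of this example, not documented armoctl behaviour.

```shell
#!/bin/sh
# Added example: pre-flight checks for armoctl credentials.
# Env var names, API hosts and the config path come from this page;
# the function names are hypothetical.

# Succeeds only if the file exists and grants nothing to group or other.
config_is_private() {
  local f="$1" mode
  [ -f "$f" ] || return 2
  # Characters 5-10 of the ls mode string are the group and other bits.
  mode=$(ls -ld -- "$f" | cut -c5-10)
  [ "$mode" = "------" ]
}

# Succeeds only for the two API hosts this page names.
api_host_is_known() {
  case "$1" in
    api.armosec.io|api.us.armosec.io) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints one line per finding; exit status is the number of findings.
armoctl_preflight() {
  local cfg="${1:-$HOME/.armoctl/config.yaml}" findings=0
  if [ -z "${ARMO_CUSTOMER_GUID:-}" ] || [ -z "${ARMO_ACCESS_KEY:-}" ]; then
    if [ ! -f "$cfg" ]; then
      echo "no credentials: export ARMO_CUSTOMER_GUID and ARMO_ACCESS_KEY, or run armoctl configure"
      findings=$((findings + 1))
    fi
  fi
  if [ -f "$cfg" ] && ! config_is_private "$cfg"; then
    echo "$cfg is accessible to group/other; fix with: chmod 600 $cfg"
    findings=$((findings + 1))
  fi
  if [ -n "${ARMO_API_BASE_URL:-}" ] && ! api_host_is_known "$ARMO_API_BASE_URL"; then
    echo "ARMO_API_BASE_URL=$ARMO_API_BASE_URL is not one of the documented API hosts"
    findings=$((findings + 1))
  fi
  return "$findings"
}
```

Source the file and call armoctl_preflight with no arguments to check the default config path, or pass a path as the first argument; a non-zero status is the number of findings.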

What's in the plugin

  • Root armoctl skill — covers setup, the JSON output contract (--full / --fields / --query), the mutation safety contract (--dry-run / --yes), and error semantics. This skill is always active.
  • 13 per-cluster skills auto-loaded by description match when your request touches that cluster: armoctl-incidents, armoctl-vulns, armoctl-posture, armoctl-risks, armoctl-attack-chains, armoctl-inventory, armoctl-network-policies, armoctl-seccomp, armoctl-runtime-rules, armoctl-runtime-policies, armoctl-integrations, armoctl-cloud-accounts, armoctl-repo-posture.
  • SessionStart hook — verifies the binary is present and version-matched at the start of every session, so the plugin stays self-sufficient after the first install.

Example prompts

  • "What's the most critical security risk in cluster prod-eu?"
  • "List Critical CVEs that are loaded at runtime, not just sitting on disk."
  • "Create a 30-day exception for risk R-1234 — we have planned remediation in Q2."
  • "Generate a NetworkPolicy for the frontend workload in the payments namespace."
  • "Which posture controls are failing in cluster staging, grouped by framework?"
  • "Open a Jira ticket for every Critical incident from the last 24 hours."

Troubleshooting

  • armoctl: command not found — the SessionStart hook should auto-install the binary. If it keeps failing, install manually: curl -fsSL https://package-distribution.armosec.io/armoctl/install.sh | bash
  • Authentication errors — run armoctl configure or verify your environment variables are set correctly.
  • 401 / 403 responses — your credentials have expired or belong to a different tenant. Regenerate an access key at the URL above and re-run armoctl configure.
