# Six Days, 82 Skills, and a Community PR: How NetClaw Went from Idea to 160 Stars
Six days ago I pushed the first commit of [NetClaw](https://github.com/automateyournetwork/netclaw) — an open-source, CCIE-level AI network engineering agent built on [OpenClaw](https://github.com/openclaw/openclaw). The idea was simple: give Claude the same mental models a senior network engineer carries, then connect it to the real tools we already use. Not a chatbot. Not a dashboard. A coworker that reasons about networks.
In six days the project has grown to **160+ GitHub stars**, **35+ forks**, and — the part that matters most — **our first community pull request**.
Here is what we built, why it matters, and where it is going.
—
## The Core Idea: Automate the Reasoning, Not Just the Commands
Every network automation project I have ever seen focuses on execution. Push configs. Collect show commands. Template the output. That is necessary work, but it is not the hard part.
The hard part is the thinking. When a BGP peer is stuck in ACTIVE, a human engineer does not just run `show ip bgp summary` — they check the transport, verify the neighbor statement, look at the interface state, check for ACLs, confirm the AS numbers, and reason about what they find at each step. That chain of reasoning is what NetClaw automates.
Each of NetClaw’s **82 skills** is a structured markdown file that teaches the agent *when* to use specific tools, *what* to look for in the output, and *which decisions* to make based on findings. Skills are composable — a topology discovery feeds into a diagram generator; a security audit cross-references CVE data; a troubleshooting session pulls from health checks, routing analysis, and log inspection simultaneously.
—
## 82 Skills Across 16 Domains
Here is the full inventory. Every one of these is a real, working skill backed by MCP server tools.
### pyATS Device Automation (18 skills)
The foundation. These skills connect to live network devices (Cisco IOS/IOS-XE/NX-OS/ASA, Juniper JunOS, Arista EOS, F5 BIG-IP, Linux hosts, VMware ESXi) through pyATS and execute real commands with real reasoning:
– **pyats-network** — Core device automation (8 MCP tools: show commands, config push, ping, traceroute)
– **pyats-health-check** — Device health + NetBox cross-reference + parallel fleet checks
– **pyats-routing** — OSPF, BGP, EIGRP, IS-IS analysis with full protocol state reasoning
– **pyats-security** — Security audit + ISE integration + NVD CVE scanning
– **pyats-topology** — Discovery + NetBox reconciliation
– **pyats-config-mgmt** — Change control with ServiceNow gating + GAIT audit
– **pyats-troubleshoot** — End-to-end troubleshooting with escalation logic
– **pyats-parallel-ops** — Fleet-wide parallel operations across hundreds of devices
– **pyats-dynamic-test** — Dynamic pyATS test generation and execution
– **pyats-asa-firewall** — Cisco ASA firewall operations (failover, NAT, ACLs, VPN tunnels)
– **pyats-junos-interfaces** — JunOS interface diagnostics via pyATS
– **pyats-junos-routing** — JunOS routing table and protocol analysis
– **pyats-junos-system** — JunOS system health (CPU, memory, alarms, chassis)
– **pyats-f5-ltm** — F5 BIG-IP LTM/GTM operations via pyATS
– **pyats-f5-platform** — F5 BIG-IP platform health (HA, memory, disk, certificates)
– **pyats-linux-network** — Linux host networking (interfaces, routes, iptables, bridges)
– **pyats-linux-system** — Linux host system ops (processes, services, storage, logs)
– **pyats-linux-vmware** — VMware ESXi host operations (vSwitches, VMs, datastores)
### Source of Truth (3 skills)
– **netbox-reconcile** — NetBox DCIM/IPAM reconciliation
– **nautobot-sot** — Nautobot as alternative IPAM/DCIM source
– **infrahub-sot** — OpsMill Infrahub schema-driven SoT with GraphQL
### Cisco Meraki (5 skills)
Full Meraki Dashboard coverage through ~804 API endpoints:
– **meraki-network-ops** — Org inventory, networks, devices, clients
– **meraki-wireless-ops** — SSIDs, RF profiles, channel utilization
– **meraki-switch-ops** — Switch ports, VLANs, ACLs, QoS
– **meraki-security-appliance** — MX firewall, VPN, content filtering
– **meraki-monitoring** — Diagnostics, cameras, config change audit
### Cisco CML Lab Simulation (5 skills)
– **cml-lab-lifecycle** — Create, start, stop, wipe, delete labs
– **cml-topology-builder** — Add nodes, interfaces, wire links, design topologies
– **cml-node-operations** — Console access, CLI execution on lab nodes
– **cml-packet-capture** — Capture packets on lab links with BPF filters, hand off to Packet Buddy
– **cml-admin** — Server administration, user/group management, licensing
### ContainerLab (1 skill) — Community PR from Sean Mahoney
– **clab-lab-management** — Deploy, inspect, execute, destroy containerized network labs (SR Linux, cEOS, FRR, IOS-XR, NX-OS) via the ContainerLab API
This one deserves special mention. Sean Mahoney submitted our first community pull request, adding ContainerLab support with a complete MCP server and skill. This is exactly the kind of contribution that makes open source work — someone sees a gap, fills it, and everyone benefits.
### Cisco NSO Orchestration (2 skills)
– **nso-device-ops** — Device config, state, sync status via RESTCONF
– **nso-service-mgmt** — Service discovery, deployment, and NED management
### Cisco SD-WAN (1 skill)
– **sdwan-ops** — vManage read-only monitoring: fabric devices, WAN Edge inventory, templates, policies, alarms, BFD sessions, OMP routes, control connections (12 tools)
### Cisco Secure Firewall (1 skill)
– **fmc-firewall-ops** — FMC access policy search, FTD targeting, multi-FMC profile support
### Observability (2 skills)
– **grafana-observability** — Grafana dashboards, Prometheus PromQL, Loki LogQL, alerting, incidents, OnCall (75+ tools)
– **prometheus-monitoring** — Direct Prometheus PromQL queries, metric discovery, scrape target health (6 tools)
### Kubernetes Traffic Analysis (1 skill)
– **kubeshark-traffic** — L4/L7 traffic capture, pcap export, TLS decryption via eBPF, KFL filtering (6 tools)
### ThousandEyes (2 skills)
– **te-network-monitoring** — Tests, agents, path visualization, dashboards
– **te-path-analysis** — Path analysis and network troubleshooting
### AWS Cloud (5 skills)
– **aws-network-ops** — VPCs, Transit Gateways, Cloud WAN, VPN tunnels, Network Firewalls (27 tools)
– **aws-cloud-monitoring** — CloudWatch metrics, alarms, Logs Insights, VPC flow logs
– **aws-security-audit** — IAM users/roles/policies, CloudTrail events, credential rotation
– **aws-cost-ops** — Cost Explorer queries, budget forecasts, resource cost attribution
– **aws-architecture-diagram** — Auto-generate AWS architecture diagrams
### GCP Cloud (3 skills)
– **gcp-compute-ops** — Compute Engine instances, disks, networks
– **gcp-cloud-monitoring** — Cloud Monitoring metrics and alerting
– **gcp-cloud-logging** — Cloud Logging queries and analysis
### F5 BIG-IP (3 skills)
– **f5-health-check** — Pool/member health, SSL certificates, HA status
– **f5-config-mgmt** — Virtual server, pool, and iRule management
– **f5-troubleshoot** — Connection table analysis, traffic flow debugging
### Cisco ACI + ISE + Catalyst Center (8 skills)
– **aci-fabric-audit** / **aci-change-deploy** — ACI fabric health and change management
– **ise-posture-audit** / **ise-incident-response** — ISE security posture and incident handling
– **catc-inventory** / **catc-client-ops** / **catc-troubleshoot** — Catalyst Center device, client, and troubleshooting ops
### Itential Automation (1 skill)
– **itential-automation** — 65+ tools for network automation orchestration, config management, compliance, golden config, and workflow execution
### Juniper JunOS (1 skill)
– **junos-network** — PyEZ/NETCONF automation: CLI, config management, Jinja2 templates, facts, batch ops (10 tools)
### Arista CloudVision (1 skill)
– **arista-cvp** — Device inventory, events, connectivity monitoring, tag management (4 tools)
### Protocol Participation (1 skill)
– **protocol-participation** — Live BGP/OSPF/GRE control-plane peering. NetClaw does not just observe via SSH — it sits in the control plane, peers with your routers, injects/withdraws routes, queries RIB/LSDB, and adjusts metrics in real time (10 tools built on scapy-based protocol speakers from WontYouBeMyNeighbour)
### RADKit Remote Access (1 skill)
– **radkit-remote-access** — Cisco RADKit cloud-relayed CLI, SNMP, and device inventory (5 tools)
### Diagrams and Visualization (3 skills)
– **drawio-diagram** — Draw.io network topology diagrams
– **markmap-viz** — Markmap mind map visualization
– **uml-diagram** — 27+ diagram types via Kroki (class, sequence, nwdiag, rackdiag, packetdiag, C4, Mermaid, D2, Graphviz, ERD, BPMN)
### Microsoft 365 (3 skills)
– **msgraph-files** — OneDrive/SharePoint file operations
– **msgraph-teams** — Teams notifications and channel management
– **msgraph-visio** — Visio diagram generation via Graph API
### Slack Operations (4 skills)
– **slack-incident-workflow** — Incident management from Slack
– **slack-network-alerts** — Network alert delivery to channels
– **slack-report-delivery** — Report generation and delivery
– **slack-user-context** — User identity and context for access control
### Utility and Reference (6 skills)
– **gait-session-tracking** — Immutable audit trail for every action
– **servicenow-change-workflow** — ITSM change request gating
– **github-ops** — Issues, PRs, code search, config-as-code
– **packet-analysis** — pcap/pcapng deep analysis via tshark
– **rfc-lookup** — IETF RFC search and retrieval
– **nvd-cve** — NVD vulnerability database search
– **subnet-calculator** — IPv4 + IPv6 subnet calculations
– **wikipedia-research** — Wikipedia research for context
—
## 37 MCP Server Backends (46 Table Entries)
Behind those 82 skills sit 37 distinct MCP (Model Context Protocol) server backends — 46 entries in the table when you count each AWS and GCP service separately. The transport mix tells you something about the ecosystem maturity:
– **stdio (JSON-RPC 2.0)** — Most servers: pyATS, F5, NetBox, Nautobot, Infrahub, Itential, NSO, Meraki (~804 endpoints), CML, FMC, ContainerLab, SD-WAN, JunOS, Arista CVP, UML, Protocol, Prometheus, RADKit, Packet Buddy
– **Docker** — GitHub MCP
– **uvx** — AWS MCPs (6), Grafana (75+ tools)
– **npx** — ThousandEyes official (remote HTTP relay)
– **Remote HTTP** — GCP (4, hosted by Google), ThousandEyes official, Kubeshark (in-cluster)
No persistent connections. No port management. Everything talks JSON-RPC 2.0.
—
## The First Community PR
On day 4, [Sean Mahoney](https://github.com/seanerama) submitted a pull request adding [ContainerLab MCP server](https://github.com/seanerama/clab-mcp-server) support. ContainerLab lets you spin up multi-vendor network topologies in containers — SR Linux, cEOS, FRR, Cisco IOS-XR, NX-OS, and more. Sean built a Python MCP server wrapping the ContainerLab API (6 tools: authenticate, list, deploy, inspect, exec, destroy) and wrote the full skill definition.
This matters because it validates the architecture. The BYOMCP/BYOSKILL pattern (Bring Your Own MCP, Bring Your Own Skill) is designed so that anyone can add a new backend without touching core code. Clone an MCP server, write a SKILL.md, add a step to the installer, done. Sean proved it works.
—
## What “CCIE-Level” Actually Means
I keep using the phrase “CCIE-level” and I want to be precise about what that means here. It does not mean NetClaw has passed the CCIE lab. It means the skills encode the depth of knowledge you would expect from a CCIE — understanding protocol state machines, knowing that OSPF EXSTART stuck means check MTU, knowing that a BGP route with a longer AS-path might still be preferred because of LOCAL_PREF, knowing that an F5 pool member marked down needs different investigation than a pool member marked disabled.
The agent does not just run commands. It reasons about what it finds, the same way a senior engineer would.
—
## Safety by Design
Network automation that can push configs is inherently dangerous. NetClaw addresses this with multiple layers:
1. **ServiceNow Change Request gating** — Route mutations, config changes, and firewall policy updates require an approved CR (unless `LAB_MODE=true`)
2. **GAIT (Generative AI Immutable Transcript)** — Every action the agent takes is recorded in an append-only audit trail with timestamps, tool calls, reasoning, and outcomes
3. **Read-only defaults** — SD-WAN, AWS security, ThousandEyes, and several other integrations are explicitly read-only
4. **Protocol participation safeguards** — BGP route injection/withdrawal requires CR approval, RIB verification (no loops), and peer state confirmation (only to Established peers)
—
## The Numbers After Six Days
– **160+ GitHub stars**
– **35+ forks**
– **82 skills** across 16 domains
– **37 MCP server backends** (46 table entries)
– **1 community PR** merged (ContainerLab from Sean Mahoney)
– **~1,000+ MCP tools** available to the agent
– **Zero proprietary dependencies** — everything is open source
—
## What Is Next
The project is moving fast. The current focus areas:
– **More community skills** — The BYOSKILL pattern makes it straightforward to add new domains. Palo Alto, Fortinet, Nokia SR OS, and more vendor coverage is on the radar.
– **Protocol participation refinement** — The BGP/OSPF/GRE control-plane integration (from the WontYouBeMyNeighbour project) is working in lab; production hardening is underway.
– **Observability depth** — Grafana, Prometheus, and Kubeshark were just added. Correlating network state with application metrics is the next frontier.
– **Security hardening** — Runtime policy enforcement, role-based access, and deployment guides for production environments are in progress, informed by community feedback.
—
## Try It
“`bash
git clone https://github.com/automateyournetwork/netclaw.git
cd netclaw
./scripts/install.sh
“`
The installer handles everything — 37 MCP servers, 82 skills, two-phase setup wizard. Works on macOS, Ubuntu/Debian, WSL2, and any Linux with Python 3.10+.
If you have an MCP server for a network platform we do not cover yet, PRs are welcome. Write a SKILL.md, add an install step, and submit. The architecture is designed for exactly this.
**GitHub:** [automateyournetwork/netclaw](https://github.com/automateyournetwork/netclaw)
—
*John Capobianco is a network automation engineer and the creator of NetClaw and automate your network. He can be reached on LinkedIn (https://www.linkedin.com/in/john-capobianco-644a1515/) and GitHub (https://github.com/automateyournetwork).*
One Reply to “6 days of netclaw – by netclaw”