Marketplaces
hacking-skills
Claude Code skills for finding bugs and vulnerabilities — bug bounty, pentest, CTF, code review.
Plugins
web
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
mobile
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
cicd
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
meta
Paste any source → SKILL.md (/distill-skill); log run outcomes (/observe-skill); inspect failure history and propose amendments (/amend-skill).
Skills
web-fingerprinting
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
auth-bypass
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
default-credentials
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
password-reset-flaws
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
jwt-misconfig
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
cookie-attacks
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
session-fixation
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
authz-bypass
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
bola-idor
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
path-traversal
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
mass-assignment
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
sql-injection
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
xss-reflected
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
xss-stored
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
cmd-injection
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
ssrf
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
ssti
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
xxe
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
http-request-smuggling
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
dom-xss
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
csrf
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
cors-misconfig
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
clickjacking
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
cspt
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
open-redirect
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
business-logic-flaws
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
insecure-file-upload
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
graphql-idor-via-introspection-leak
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
mobile-insecure-storage
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-weak-crypto
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-auth-bypass
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-network-security
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-platform-interaction
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-code-quality
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-resilience
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
github-actions-script-injection
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
github-actions-cache-poisoning
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
pwn-request
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
cicd-bot-command-injection
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
self-hosted-runner-poisoning
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
distill-skill
Paste any source → SKILL.md (/distill-skill); log run outcomes (/observe-skill); inspect failure history and propose amendments (/amend-skill).
observe-skill
Paste any source → SKILL.md (/distill-skill); log run outcomes (/observe-skill); inspect failure history and propose amendments (/amend-skill).
amend-skill
Paste any source → SKILL.md (/distill-skill); log run outcomes (/observe-skill); inspect failure history and propose amendments (/amend-skill).