hacking-skills
Installation
Add the marketplace
/plugin marketplace add securityfortech/hacking-skillsInstall plugins
/pluginRun these commands in Claude Code to add this plugin to your environment. The marketplace must be added before you can install its plugins.
Plugins
web
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
mobile
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
cicd
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
meta
Paste any source → SKILL.md (/distill-skill); log run outcomes (/observe-skill); inspect failure history and propose amendments (/amend-skill).
Skills
web-fingerprinting
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
auth-bypass
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
default-credentials
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
password-reset-flaws
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
jwt-misconfig
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
cookie-attacks
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
session-fixation
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
authz-bypass
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
bola-idor
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
path-traversal
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
mass-assignment
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
sql-injection
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
xss-reflected
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
xss-stored
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
cmd-injection
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
ssrf
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
ssti
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
xxe
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
http-request-smuggling
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
dom-xss
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
csrf
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
cors-misconfig
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
clickjacking
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
cspt
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
open-redirect
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
business-logic-flaws
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
insecure-file-upload
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
graphql-idor-via-introspection-leak
Web application security skills covering recon, authentication, authorization, session management, injection, client-side attacks, and business logic. Distilled from OWASP WSTG, security research, and bug bounty writeups.
mobile-insecure-storage
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-weak-crypto
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-auth-bypass
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-network-security
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-platform-interaction
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-code-quality
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
mobile-resilience
Mobile application security skills covering Android and iOS: insecure storage, weak cryptography, authentication bypass, network security, platform interaction, code quality, and resilience against reverse engineering.
github-actions-script-injection
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
github-actions-cache-poisoning
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
pwn-request
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
cicd-bot-command-injection
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
self-hosted-runner-poisoning
CI/CD pipeline security skills covering GitHub Actions script injection, cache poisoning, pwn-request, bot command injection, and self-hosted runner poisoning.
distill-skill
Paste any source → SKILL.md (/distill-skill); log run outcomes (/observe-skill); inspect failure history and propose amendments (/amend-skill).
observe-skill
Paste any source → SKILL.md (/distill-skill); log run outcomes (/observe-skill); inspect failure history and propose amendments (/amend-skill).
amend-skill
Paste any source → SKILL.md (/distill-skill); log run outcomes (/observe-skill); inspect failure history and propose amendments (/amend-skill).