Auth
Authentication and authorization
obra-writing-plans
by faulkdev
Use when the user asks for a plan, roadmap, or step-by-step breakdown for a multi-step task in VS Code Copilot Agent mode.
implementing-casbin
by meriley
Implement role-based (RBAC) and attribute-based (ABAC) access control in Go using Casbin. Covers model configuration, GORM adapters, Chi/gRPC middleware, and production patterns. Use when implementing authorization in Go services.
jwt-misuse-anti-pattern
by igbuend
Security anti-pattern for JWT misuse vulnerabilities (CWE-287). Use when generating or reviewing code that creates, validates, or uses JSON Web Tokens. Detects 'none' algorithm attacks, weak secrets, sensitive data in payloads, and missing expiration.
writing-plans
by eyadsibai
Use when you have a spec or requirements for a multi-step task, before touching code
wfc-vibe
by sam-fakhreddine
Divergent thinking engine for pre-structure exploration. Use when generating possibilities, questioning assumptions, or expanding a problem space with NO concrete artifacts, files, or implementation targets referenced. Pure ideation only — creates options, does not select or execute them. Load when: - Intent is creative/exploratory (brainstorm, ideate, speculate, "what if") - No files, code, schemas, or named system components are referenced - Goal is to expand possibilities, not organize, decide, or implement Not for: - Sentiment, tone, aesthetic analysis, or "vibe checks" → general chat - Organizing, prioritizing, or roadmapping formed ideas → wfc-plan - Concrete artifacts or implementation targets → wfc-build - Debugging, error analysis, or troubleshooting → wfc-build - Decision-making or option selection → wfc-plan
backlog-cli
by simochee
CLI for Backlog project management (by Nulab). Use this skill when: (1) Listing, creating, editing, closing, or commenting on issues (2) Creating, listing, merging, or commenting on pull requests (3) Viewing, creating, or editing Wiki pages (4) Querying project settings (issue types, statuses, categories, milestones, members) (5) Checking notifications, stars, or watches (6) Making raw API requests via backlog api
digital-signature-pattern
by igbuend
Security pattern for implementing digital signatures. Use when implementing document signing, code signing, certificate signing, non-repudiation, or verifying authenticity and integrity of messages using asymmetric cryptography (RSA, ECDSA, Ed25519).
authorisation-pattern
by igbuend
Security pattern for implementing access control and authorization. Use when designing permission systems, implementing RBAC/ABAC, preventing unauthorized access, addressing privilege escalation, or ensuring users can only perform allowed actions on permitted resources. Addresses "Entity performs disallowed action" problem.
codebase-discovery
by igbuend
Generate security-focused DISCOVERY.md for code review and threat modeling. Use when assessing unfamiliar codebases.
Django Framework
by pluginagentmarketplace
Build production-ready web applications with Django MVC, ORM, authentication, and REST APIs
hifi-download
by psylch
Discover music, get personalized recommendations, and download high-fidelity audio files. Use when user wants to find new music based on their taste, search for songs/albums/artists, get recommendations similar to artists they like, or download lossless audio (FLAC/Hi-Res) from Qobuz or TIDAL. Trigger phrases include "find music like", "recommend songs", "download album", "lossless", "Hi-Res", "FLAC", "music discovery", "similar artists", "setup music".
excalidraw-design-guide
by opencoredev
Load when drawing any Excalidraw diagram. Provides color palette (hex codes), sizing formulas to prevent text truncation, spacing rules to prevent overlaps, arrow styles, layout patterns, and diagram templates for architecture, flowchart, and ER diagrams. Use when asked to draw, visualize, diagram, or create any chart.
missing-authentication-anti-pattern
by igbuend
Security anti-pattern for missing or broken authentication (CWE-287). Use when generating or reviewing code for login systems, API endpoints, protected routes, or access control. Detects unprotected endpoints, weak password policies, and missing rate limiting on authentication.
log-forensics
by SherifEldeeb
Analyze system, application, and security logs for forensic investigation. Use when investigating security incidents, insider threats, system compromises, or any scenario requiring analysis of log data. Supports Windows Event Logs, Syslog, web server logs, and application-specific log formats.
reviewing-casbin
by meriley
Review Go code using Casbin authorization for security issues, model correctness, policy design, and common anti-patterns. Use when reviewing PRs with Casbin code or auditing authorization implementations.
log-entity-actions-pattern
by igbuend
Security pattern for implementing security logging and audit trails. Use when designing logging systems for security events, implementing non-repudiation, creating audit trails, or addressing security monitoring and incident response needs. Addresses "Entity repudiates action request" problem.
manage-branch
by meriley
Creates and manages git branches with enforced mriley/ prefix naming convention. Validates branch names, switches branches safely, and handles branch creation with proper base branch selection.
limit-request-rate-pattern
by igbuend
Security pattern for implementing rate limiting and throttling. Use when protecting against brute-force attacks, DoS/DDoS mitigation, preventing resource exhaustion, or limiting API abuse. Addresses "Entity absorbs excessive resources" problem.
security-assessment
by spjoshis
Master security assessments with vulnerability scanning, penetration testing, security testing, and security audits.
insufficient-randomness-anti-pattern
by igbuend
Security anti-pattern for insufficient randomness vulnerabilities (CWE-330). Use when generating or reviewing code that creates security tokens, session IDs, encryption keys, nonces, or any security-critical random values. Detects use of Math.random() or predictable seeds.
gigaverse
by Gigaverse-Games
Enter the Gigaverse as an AI agent. Create a wallet, quest through dungeons, battle echoes, and earn rewards. The dungeon awaits.
bug-bounty
by Mikacr1138
Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gates, human-tone writing, templates by vuln class, CVSS 3.1, PoC generation, always-rejected list, conditional chain table, submission checklist). Use for ANY bug bounty task — starting a new target, doing recon, hunting specific vulns, auditing source code, testing AI features, validating findings, or writing reports.
payment-integration
by samhvw8
Payment gateway integration. Providers: SePay (Vietnamese: VietQR, bank transfer, cards), Polar (global SaaS: subscriptions, usage-based billing). SDKs: Node.js, PHP, Python, Go, Laravel, Next.js. Capabilities: checkout flows, subscription management, webhooks, QR code generation, benefit automation, tax compliance. Actions: integrate, implement, configure, handle payments/subscriptions/webhooks. Keywords: payment gateway, SePay, Polar, VietQR, bank transfer, subscription, usage-based billing, checkout, webhook, QR code, API key, OAuth2, product management, customer portal, tax compliance, MoR, recurring payment, invoice. Use when: integrating payment processing, implementing checkout, managing subscriptions, handling payment webhooks, generating payment QR codes, building billing systems.
backend-development
by samhvw8
Production backend systems development. Stack: Node.js/TypeScript, Python, Go, Rust NestJS, FastAPI, Django, Express PostgreSQL, MongoDB, Redis. Capabilities: REST/GraphQL/gRPC APIs, OAuth 2.1/JWT auth, OWASP security, microservices, caching, load balancing, Docker/K8s deployment. Actions: design, build, implement, secure, optimize, deploy, test APIs and services. Keywords: API design, REST, GraphQL, gRPC, authentication, OAuth, JWT, RBAC, database, PostgreSQL, MongoDB, Redis, caching, microservices, Docker, Kubernetes, CI/CD, OWASP, security, performance, scalability, NestJS, FastAPI, Express, middleware, rate limiting. Use when: designing APIs, implementing auth/authz, optimizing queries, building microservices, securing endpoints, deploying containers, setting up CI/CD.