Security

Security scanning and vulnerability detection

Showing 1897-1920 of 2221 skills

owasp-cloud-native-top-10

by yariv1025

"OWASP Cloud-Native Application Security Top 10 - prevention, detection, and remediation for containers, orchestration, and cloud-native apps. Use when securing insecure config, injection, auth, CI/CD and supply chain, secrets, network policies. Note - official list has 6 risks; project archived."

Auth 1 3mo ago

django-reviewer

by physics91

WHEN: Django project review, ORM queries, views/templates, admin customization WHAT: ORM optimization + View patterns + Template security + Admin config + Migration safety WHEN NOT: FastAPI → fastapi-reviewer, Flask → flask-reviewer, DRF API only → consider api-expert

Code Review 1 6mo ago

sql-optimizer

by physics91

WHEN: SQL query review, query optimization, index usage, N+1 detection, performance analysis WHAT: Query plan analysis + Index recommendations + N+1 detection + Join optimization + Performance tuning WHEN NOT: Schema design → schema-reviewer, ORM code → orm-reviewer

Code Review 1 6mo ago

security-scanner

by physics91

WHEN: Security scan, vulnerability detection, XSS/CSRF analysis, secret exposure, OWASP Top 10 WHAT: XSS/injection detection + hardcoded secrets + auth/authz issues + severity-based vulnerability list WHEN NOT: Performance → perf-analyzer, Cloud security → cloud-security-expert

Auth 1 6mo ago

architecture

by dy9759

Comprehensive system architecture design and implementation workflow that orchestrates expert analysis, technical decision-making, and architectural pattern selection using the integrated toolset. Handles everything from initial system analysis to implementation-ready technical specifications.

Performance 1 6mo ago

backend-dev

by dy9759

Comprehensive backend development workflow that orchestrates expert analysis, architecture design, implementation, and deployment using the integrated toolset. Handles everything from API design and database architecture to security implementation and DevOps automation.

Performance 1 6mo ago

code-test-review-expert

by dy9759

Advanced code testing and review expert system that provides comprehensive code quality analysis, security vulnerability assessment, test strategy design, and quality assurance through multi-expert collaboration and intelligent tool integration.

Code Review 1 6mo ago

infra-security-reviewer

by physics91

WHEN: Infrastructure security audit, secrets management, network policies, compliance checks WHAT: Secrets scanning + Network policies + IAM/RBAC audit + Compliance validation + Security hardening WHEN NOT: Application security → security-scanner, Docker only → docker-reviewer

Cloud 1 6mo ago

code-reviewer

by physics91

WHEN: Code review, quality check, code smell detection, refactoring suggestions WHAT: Complexity analysis + code smell list + severity-based issues + improvement suggestions WHEN NOT: Next.js specific → nextjs-reviewer, Security → security-scanner, Performance → perf-analyzer

Code Review 1 6mo ago

fastapi-reviewer

by physics91

WHEN: FastAPI project review, Pydantic models, async endpoints, dependency injection WHAT: Pydantic validation + Dependency injection + Async patterns + OpenAPI docs + Security WHEN NOT: Django → django-reviewer, Flask → flask-reviewer, General Python → python-reviewer

API Dev 1 6mo ago

bug-bounty

by Mikacr1138

Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gates, human-tone writing, templates by vuln class, CVSS 3.1, PoC generation, always-rejected list, conditional chain table, submission checklist). Use for ANY bug bounty task — starting a new target, doing recon, hunting specific vulns, auditing source code, testing AI features, validating findings, or writing reports.

Auth 0 2mo ago

htmx-universal-patterns

by ecelayes

The definitive guide for building Hypermedia-Driven Applications (HDA) using HTMX, prioritizing security and UX patterns.

Debugging 0 4mo ago

native-app-publish-ready

by ameistad

Comprehensive app store submission readiness checker for mobile apps. Audits iOS App Store and Google Play Store requirements including build config, privacy compliance, store assets, metadata, technical requirements, and common rejection causes. Use when the user asks to "check if my app is ready to submit", "review for app store", "app store checklist", "pre-submission check", "ready for Play Store", "ready for App Store", "submission readiness", or wants to audit a mobile app before publishing. Supports native iOS (Swift/ObjC), native Android (Kotlin/Java), Flutter, and React Native (including Expo) projects.

Code Review 0 3mo ago

macos-distribution

by makgunay

macOS app distribution covering code signing (Developer ID, App Store certificates), notarization (notarytool), DMG/pkg creation, App Store submission workflow, sandboxing entitlements, StoreKit for in-app purchases and subscriptions (SubscriptionOfferView, appTransactionID, Transaction.currentEntitlements, subscriptionStatusTask), StoreKit testing with local configuration files, PrivacyInfo.xcprivacy manifest, and dual distribution strategies (App Store + direct). Use when preparing an app for distribution, implementing purchases/subscriptions, configuring signing, or troubleshooting App Store rejection.

Code Gen 0 3mo ago

SSH Penetration Testing

by jcastillotx

This skill should be used when the user asks to "pentest SSH services", "enumerate SSH configurations", "brute force SSH credentials", "exploit SSH vulnerabilities", "perform SSH tunneling", or "audit SSH security". It provides comprehensive SSH penetration testing methodologies and techniques.

CLI Tools 0 4mo ago

javascript-best-practices

by jcastillotx

JavaScript coding standards and best practices. This skill should be used when writing, reviewing, or refactoring JavaScript code. Triggers on tasks involving vanilla JavaScript, DOM manipulation, async operations, or performance optimization.

Debugging 0 4mo ago

rails-security-audits

by shivamsinghchahar

Audit Rails applications for security vulnerabilities using Brakeman, Bundler Audit, and security best practices. Use when scanning for CVEs, setting up security checks, or implementing security headers.

Code Review 0 3mo ago

wcag-audit

by waseemkhan00777

Automated WCAG 2.1 AA accessibility audit using Puppeteer and axe-core across all application routes.

Accessibility 0 3mo ago

django-development

by rcgsheffield

Comprehensive guide for building Django web applications following Django 5.2 standards and industry best practices. Use when developing Django projects, implementing models/views/templates, configuring settings, handling forms, ensuring security, or deploying Django applications.

Code Gen 0 7mo ago

pre-pr-scan

by jonathanprozzi

Pre-PR compliance and security scan. Checks diff against CLAUDE.md guidelines and security best practices before creating a pull request.

Code Review 0 4mo ago

poc-validator

by whatyourname12345

Automated Vulnerability Verification and Payload Replay Probe. Dynamically executes HTTP requests and analyzes HTTP status codes, error traces, time delays, and response lengths (e.g., Error-based, Time-based, and Boolean Blind SQLi). Use when: Testing specific payloads, verifying vulnerabilities, checking for blind injection conditions, or replaying raw HTTP requests. NOT for: Automated mass scanning, DDoS attacks, or unauthorized exploitation.

Processing 0 2mo ago

security-audit

by dtsvetkov1

Scans code for security vulnerabilities, hardcoded secrets, and unsafe patterns in React Native and Expo applications. Use before merging sensitive changes or as part of a regular audit.

Code Review 0 5mo ago

python-best-practices

by Nomik94

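Python code review and best-practice validation. Use when: /python-best-practices, code quality analysis, .py file review, type hint validation, linting, test coverage analysis, dependency checks. NOT for: architecture review (/code-review), dedicated security analysis (/security-audit).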

Code Review 0 3mo ago

gleam-review

by bromanko

This skill should be used when the user asks to "review Gleam", "full Gleam review", "review all Gleam", "comprehensive Gleam review", or wants a complete review covering code quality, security, performance, and testing for Gleam code.

Code Review 0 3mo ago