| 6.2 | skills.sh | xslt-injection xslt-injection covers server-side xslt processing vulnerabilities across processor families (java, .net, php, libxslt) via document(), external entities, exslt, and extension functions. includes fingerprinting techniques and platform-specific escalation chains. |
| 5.8 | skills.sh | graphql-and-hidden-parameters graphql-and-hidden-parameters covers introspection queries, schema discovery, and parameter enumeration techniques for graphql endpoints. handles batching and undocumented field exploration when introspection is available or partially restricted. |
| 5.2 | skills.sh | saml-sso-assertion-attacks saml-sso-assertion-attacks covers signature validation, binding confusion, and trust model weaknesses in enterprise saml login flows. focuses on identifying misconfigured assertion signing, weak audience validation, and account mapping risks. |
| 5.2 | skills.sh | classical-cipher-analysis classical-cipher-analysis documents identification and attack methods for historical ciphers including Caesar, Vigenere, Enigma, and transposition types. incomplete procedure documentation limits operational utility. |
| 4.9 | skills.sh | memory-forensics-volatility memory-forensics-volatility documents volatility 2 and 3 techniques for memory acquisition, process analysis, injection detection, and credential extraction, but lacks procedural depth and executable runbooks. |
| 4.5 | skills.sh | expression-language-injection expression-language-injection documents detection and exploitation vectors for java el evaluation in spring, struts2, and jsp/jsf contexts, distinguishing them from template injection attacks. |
| 4.3 | skills.sh | business-logic-vuln business-logic-vuln routes vulnerability assessment toward state machine and workflow abuse patterns. it identifies check-then-act timing issues and multi-step authorization gaps without detailed procedural guidance. |
| 4.2 | skills.sh | smart-contract-vulnerabilities smart-contract-vulnerabilities catalogs attack patterns across reentrancy, integer overflow, access control, and delegatecall. lacks actionable audit procedures and decision trees for practitioners applying these patterns to real contracts. |
| 4.2 | skills.sh | prototype-pollution-advanced prototype-pollution-advanced covers server-side rce escalation via template engines and node.js gadgets, but lacks complete step-by-step procedures and concrete detection examples. |
| 4.2 | skills.sh | tunneling-and-pivoting tunneling-and-pivoting covers ssh port forwarding, socks proxies, transparent tunneling tools (chisel, ligolo-ng, socat), and windows pivoting techniques with cross-layer chaining guidance. |
| 4.2 | skills.sh | dangling-markup-injection dangling-markup-injection documents exfiltration via unclosed html tags when script execution is blocked, routing to csp-bypass and csrf scenarios, but lacks actionable procedure and concrete examples. |
| 4.2 | skills.sh | linux-lateral-movement linux-lateral-movement documents ssh agent hijacking, credential harvesting, and privilege reuse techniques for moving between linux hosts. covers ssh_auth_sock exploitation, sudo session hijacking via ptrace, and service escalation patterns with incomplete procedural detail. |
| 4.2 | skills.sh | linux-privilege-escalation linux-privilege-escalation documents enumeration and exploitation vectors including suid binaries, capabilities, cron abuse, and kernel exploits, but lacks actionable step-by-step procedures and concrete decision logic. |
| 4.2 | skills.sh | recon-and-methodology recon-and-methodology outlines a hierarchical bug bounty reconnaissance framework covering asset discovery through endpoint mapping, but lacks actionable procedural steps and specific trigger conditions for deployment. |
| 4.2 | skills.sh | heap-exploitation heap-exploitation documents ptmalloc2 internals and glibc version constraints but lacks actionable step-by-step procedures for actual exploitation chains. references are present but the skill stops at structure enumeration rather than delivering executable attack workflows. |
| 4.2 | skills.sh | websocket-security websocket-security covers protocol headers, cswsh risk patterns, and vulnerability classes relevant to websocket implementations. fragments included; no complete procedure or decision logic present. |
| 4.2 | skills.sh | auth-sec auth-sec is a routing skill that categorizes auth and authorization issues into testing buckets (bypass, idor, jwt, oauth, csrf, cors, saml) without prescriptive steps or concrete procedures. |
| 4.2 | skills.sh | api-authorization-and-bola api-authorization-and-bola covers broken object and function-level authorization testing through cross-account token replay, object id manipulation, and http verb abuse patterns. |
| 4.2 | skills.sh | traffic-analysis-pcap traffic-analysis-pcap sketches forensic PCAP workflows including repair, Wireshark filters, and protocol analysis, but lacks actionable procedures, executable decision trees, and concrete output contracts. |
| 4.2 | skills.sh | 401-403-bypass-techniques 401-403-bypass-techniques catalogs path normalization, http method override, and header-based access control evasion tactics, with emphasis on proxy-backend desynchronization vectors. |
| 3.9 | skills.sh | clickjacking clickjacking covers ui redress attack mechanics including iframe transparency, header bypass techniques, and multi-step chaining, positioned as offensive exploitation rather than defensive mitigation. |
| 3.9 | skills.sh | rsa-attack-techniques rsa-attack-techniques outlines cryptanalytic approaches for rsa including factorization, small exponent, lattice-based, broadcast, and padding oracle attacks. lacks procedural depth and actionable steps. |
| 3.9 | skills.sh | reverse-shell-techniques reverse-shell-techniques documents attack patterns for establishing reverse and bind shells, covering encryption, web shells, pty upgrades, and payload generation. lacks procedural depth and actionable step sequences. |
| 3.8 | skills.sh | file-access-vuln file-access-vuln is a routing entry point that categorizes file-related vulnerabilities into path traversal/lfi and upload validation issues, but lacks concrete procedural steps for exploitation or remediation. |
| 3.8 | skills.sh | jndi-injection jndi-injection documents java naming and directory interface exploitation covering rmi/ldap class loading and log4shell attack surface, but procedure is incomplete and lacks execution guidance. |
| 3.8 | skills.sh | upload-insecure-files upload-insecure-files documents attack patterns for file upload validation bypass and storage abuse across multiple platforms, but lacks actionable step-by-step procedure and concrete decision logic. |
| 3.8 | skills.sh | hash-attack-techniques hash-attack-techniques documents cryptanalytic attack patterns including length extension, collision generation, and timing side channels, but lacks executable procedures and decision logic to guide practitioners through attack selection and implementation. |
| 3.7 | skills.sh | lattice-crypto-attacks lattice-crypto-attacks documents expert cryptanalysis techniques including lll/bkz reduction and coppersmith methods but lacks actionable procedures, concrete decision trees, or outcome validation criteria. |
| 3.6 | skills.sh | sandbox-escape-techniques sandbox-escape-techniques documents attack patterns across python, lua, seccomp, chroot and container contexts but lacks actionable procedures, decision frameworks, and clear failure mode handling. |
| 3.6 | skills.sh | symbolic-execution-tools symbolic-execution-tools documents angr, Z3, and Unicorn Engine techniques for CTF challenges, but lacks concrete procedures, trigger specificity, and actionable guidance beyond abstract problem areas. |
| 3.5 | skills.sh | csp-bypass-advanced csp-bypass-advanced outlines attack surface categories (nonce abuse, trusted cdn exploitation, directive gaps) and cross-references related attack chains, but lacks procedural depth and actionable exploitation steps. |
| 3.5 | skills.sh | waf-bypass-techniques waf-bypass-techniques outlines generic evasion categories and references product-specific matrices, but lacks procedural depth, numbered steps, and concrete decision logic beyond category names. |
| 3.4 | skills.sh | steganography-techniques steganography-techniques catalogues detection methods across image, audio, file, and text domains but lacks actionable procedures, concrete trigger conditions, and explicit failure handling. |
| 3.2 | skills.sh | path-traversal-lfi path-traversal-lfi documents attack techniques including encoding bypass and filter evasion, but the skill is incomplete and lacks actionable procedure depth needed for consistent execution. |
| 3.2 | skills.sh | format-string-exploitation format string exploitation covers attack patterns including stack reading, arbitrary writes via %n, and protection bypass techniques, but lacks actionable procedural steps and concrete decision logic. |
| 3.2 | skills.sh | deserialization-insecure deserialization-insecure documents attack surface across multiple languages and frameworks but lacks procedural steps, decision logic, and concrete outcome signals needed for reproducible execution. |
| 3.2 | skills.sh | browser-exploitation-v8 browser-exploitation-v8 documents v8 engine internals and exploitation primitives (addrof, fakeobj, pointer compression) but lacks actionable procedures, concrete examples, or decision logic to execute actual attacks. |
| 3.2 | skills.sh | unauthorized-access-common-services unauthorized-access-common-services documents exploitation techniques for unauthenticated infrastructure services including redis, rsync, php-fpm, ajp, and hadoop yarn. lacks actionable procedures, decision logic, and failure handling. |
| 3.2 | skills.sh | network-protocol-attacks network-protocol-attacks lists attack surface areas (arp spoofing, dns poisoning, vlan hopping, ipv6 attacks) but provides no actionable procedures, decision trees, or outcome signals. references related skills without defining its own boundary or execution model. |
| 3.2 | skills.sh | stack-overflow-and-rop stack-overflow-and-rop documents rop chain construction and stack exploitation techniques including buffer overflow, ret2libc, gadget selection, and canary bypass, but lacks actionable procedures. |
| 3.2 | skills.sh | ios-pentesting-tricks ios-pentesting-tricks outlines attack surface areas for ios application security testing including jailbreak methodology, keychain extraction, and runtime hooking, but lacks actionable procedures and decision logic. |
| 2.8 | skills.sh | active-directory-acl-abuse active-directory-acl-abuse references advanced attack vectors like bloodhound enumeration and dangerous acl primitives but lacks procedural depth, actionable steps, and explicit failure modes needed for reliable execution. |
| 2.8 | skills.sh | http2-specific-attacks http2-specific-attacks documents protocol-level attack techniques including h2c smuggling, pseudo-header manipulation, hpack attacks, and downgrade injection, but the skill file is incomplete and cuts off mid-section. |
| 2.5 | skills.sh | ghost-bits-cast-attack ghost-bits-cast-attack describes a java unicode-to-ascii byte narrowing technique for bypassing waf/ids filters in injection attacks. incomplete implementation guidance and vague on concrete steps. |
| 2.3 | skills.sh | hack routing skill for security testing that delegates to specialized techniques. lacks concrete methodology, trigger phrases, and actionable procedure steps. |
| 2.3 | skills.sh | kernel-exploitation kernel-exploitation claims expertise in kernel attack techniques but provides no actual exploit steps, decision trees, input specifications, or working examples. content is a partial outline without actionable procedure. |
| 2.3 | skills.sh | active-directory-certificate-services active-directory-certificate-services documents ad cs attack variants (esc1-esc13) and certificate persistence techniques, but lacks actionable procedure, decision logic, and concrete output contracts. |
| — | skills.sh | cors-cross-origin-misconfiguration CORS misconfiguration testing playbook. Use when analyzing cross-origin trust, credentialed browser reads, origin reflection, preflight policy bugs, and… |
| — | skills.sh | csrf-cross-site-request-forgery CSRF testing playbook. Use when reviewing state-changing web flows, anti-CSRF defenses, SameSite behavior, JSON CSRF, login CSRF, and OAuth state handling. |
| — | skills.sh | oauth-oidc-misconfiguration OAuth and OIDC misconfiguration testing playbook. Use when reviewing redirect URI handling, state and nonce validation, PKCE, token audience, callback binding,… |
| — | skills.sh | recon-for-sec Entry P1 category router for reconnaissance and methodology. Use when mapping scope, discovering assets, fingerprinting technology, building endpoint… |
| — | skills.sh | kubernetes-pentesting Kubernetes penetration testing playbook. Use when targeting Kubernetes clusters via API server, RBAC enumeration, service account abuse, etcd access, Kubelet… |
| — | skills.sh | idor-broken-object-authorization IDOR and broken object authorization testing playbook. Use when requests expose object identifiers, tenant boundaries, writable fields, or missing object-level… |
| — | skills.sh | injection-checking Entry P1 category router for injection testing. Use when routing between XSS, SQLi, SSRF, XXE, SSTI, command injection, and NoSQL injection workflows based on… |
| — | skills.sh | authbypass-authentication-flaws Authentication bypass testing playbook. Use when assessing login flows, password reset logic, account recovery, MFA bypass, token predictability, brute-force… |
| — | skills.sh | jwt-oauth-token-attacks JWT and OAuth token attack playbook. Use when validating token trust, signing algorithms, key handling, claim abuse, bearer flows, and OAuth account-binding… |
| — | skills.sh | business-logic-vulnerabilities Business logic vulnerability playbook. Use when reasoning about workflows, race conditions, price manipulation, coupon abuse, state machines, and multi-step… |
| — | skills.sh | api-auth-and-jwt-abuse API authentication and JWT abuse playbook. Use when testing bearer tokens, API keys, claim trust, header spoofing, rate limits, and API auth boundary… |
| — | skills.sh | api-recon-and-docs API reconnaissance and documentation review playbook. Use when discovering endpoints, schemas, versions, OpenAPI specs, hidden docs, and surface area for API… |
| — | skills.sh | ssrf-server-side-request-forgery SSRF playbook. Use when the server fetches URLs, resolves hostnames, imports remote content, or can be driven toward internal networks, cloud metadata, or… |
| — | skills.sh | xss-cross-site-scripting XSS playbook. Use when user-controlled content reaches HTML, attributes, JavaScript, DOM sinks, uploads, or multi-context rendering paths. |
| — | skills.sh | api-sec Entry P1 category router for API security. Use when choosing between API recon, authorization, token abuse, and hidden-parameter workflows before any deeper… |
| — | skills.sh | android-pentesting-tricks Android pentesting playbook. Use when testing Android applications for SSL pinning bypass, exported component abuse, WebView vulnerabilities, intent… |
| — | skills.sh | code-obfuscation-deobfuscation Code obfuscation analysis and deobfuscation playbook. Use when reversing binaries protected by junk code, opaque predicates, self-modifying code, control flow… |
| — | skills.sh | sqli-sql-injection SQL injection playbook. Use when input reaches SQL queries, authentication logic, sorting, filtering, reporting, or DB-specific blind and out-of-band execution… |
| — | skills.sh | binary-protection-bypass Binary protection bypass playbook. Use when identifying and bypassing ASLR, PIE, NX/DEP, stack canary, RELRO, FORTIFY_SOURCE, CET, and MTE protections in ELF… |
| — | skills.sh | request-smuggling HTTP request smuggling and desynchronization testing. Use when front proxies, CDNs, or load balancers disagree with the origin on message framing… |
| — | skills.sh | crlf-injection CRLF injection playbook. Use when user input reaches HTTP response headers, Location redirects, Set-Cookie values, or log files where carriage-return/line-feed… |
| — | skills.sh | insecure-source-code-management Source control and artifact exposure (.git, .svn, .hg, backups, .env). Use when recon finds VCS paths, 403 on hidden dirs, or backup/config leaks during… |
| — | skills.sh | http-parameter-pollution HTTP Parameter Pollution (HPP): duplicate query/body keys parsed differently by servers, proxies, WAFs, and app frameworks. Use when filters and application… |
| — | skills.sh | llm-prompt-injection LLM prompt injection playbook. Use when testing AI/LLM applications for direct injection, indirect injection via RAG/browsing, tool abuse, data exfiltration,… |
| — | skills.sh | open-redirect Open redirect playbook. Use when URL parameters, form actions, or JavaScript sinks control navigation targets and may redirect users to attacker-controlled… |
| — | skills.sh | xxe-xml-external-entity XXE playbook. Use when XML, SVG, OOXML, SOAP, or parser-driven imports may resolve external entities, files, or internal network resources. |
| — | skills.sh | ssti-server-side-template-injection SSTI playbook. Use when template expressions, server-side rendering, preview features, or templating engines may evaluate attacker-controlled content. |
| — | skills.sh | cmdi-command-injection Command injection playbook. Use when user input may reach shell commands, process execution, converters, import pipelines, or blind out-of-band command sinks. |
| — | skills.sh | csv-formula-injection >- |
| — | skills.sh | nosql-injection >- |
| — | skills.sh | macos-process-injection >- |
| — | skills.sh | macos-security-bypass >- |
| — | skills.sh | symmetric-cipher-attacks >- |
| — | skills.sh | container-escape-techniques >- |
| — | skills.sh | dns-rebinding-attacks >- |
| — | skills.sh | linux-security-bypass >- |
| — | skills.sh | subdomain-takeover >- |
| — | skills.sh | mobile-ssl-pinning-bypass >- |
| — | skills.sh | defi-attack-patterns >- |
| — | skills.sh | windows-lateral-movement >- |
| — | skills.sh | ntlm-relay-coercion ntlm-relay-coercion — an installable skill for AI agents, published by yaklang/hack-skills. |
| — | skills.sh | windows-privilege-escalation windows-privilege-escalation — an installable skill for AI agents, published by yaklang/hack-skills. |
| — | skills.sh | ai-ml-security >- |
| — | skills.sh | windows-av-evasion >- |
| — | skills.sh | active-directory-kerberos-attacks >- |
| — | skills.sh | anti-debugging-techniques >- |
| — | skills.sh | vm-and-bytecode-reverse >- |
| — | skills.sh | arbitrary-write-to-rce >- |
| — | skills.sh | email-header-injection >- |
| — | skills.sh | race-condition >- |
| — | skills.sh | dependency-confusion >- |
| — | skills.sh | http-host-header-attacks >- |
| — | skills.sh | prototype-pollution >- |
| — | skills.sh | type-juggling >- |
| — | skills.sh | web-cache-deception >- |