hacking-skills

Claude Code skills for finding bugs and vulnerabilities — bug bounty, pentest, CTF, code review.

Structure

.claude-plugin/
  marketplace.json              ← plugin collections for distribution
skills/
  meta/                         ← skill generation and self-improvement tooling
    distill-skill/
    observe-skill/
    amend-skill/
  web/                          ← web application security
    recon/
    auth/
    session/
    authz/
    injection/
    client-side/
    logic/
  mobile/                       ← mobile security (Android + iOS)
    storage/
    crypto/
    auth/
    network/
    platform/
    code/
    resilience/
  cicd/                         ← CI/CD pipeline security

Agents

Role-based agents that orchestrate skills into a full engagement workflow.

Agent	Target
webapp-pentester	Web applications and APIs
mobile-pentester	Android and iOS apps
cicd-auditor	GitHub Actions and CI/CD pipelines

Skills Graph

SKILLS_GRAPH.md — a map of content (MOC) showing attack chains, topic clusters, and cross-domain patterns. Start here when you need to plan a testing approach or understand how skills relate to each other.

Plugin Collections

Collection	Skills	Description
web	28	Web application security — recon, auth, session, authz, injection, client-side, logic
mobile	7	Mobile security methodology (Android + iOS) — install for mobile coverage
cicd	5	CI/CD pipeline attack techniques — install for supply chain testing
meta	/distill-skill, /observe-skill, /amend-skill	Skill generation, run logging, and self-improvement

---

Skills

Meta

Skill	Description
distill-skill	Extract reusable offensive knowledge from any source → SKILL.md
observe-skill	Log skill run outcomes to observations/<skill-name>/runs.md
amend-skill	Inspect failure history and propose targeted amendments to a skill

---

web — Web Application Security

Recon

Skill	Source
web-fingerprinting	WSTG INFO-01–10

Auth

Skill	Source
auth-bypass	WSTG ATHN-01, 04–06
default-credentials	WSTG ATHN-02, 07
password-reset-flaws	WSTG ATHN-07, 09
jwt-misconfig	VibeSec

Session

Skill	Source
cookie-attacks	WSTG SESS-02, 06
session-fixation	WSTG SESS-01, 03, 04

Authz

Skill	Source
authz-bypass	WSTG ATHZ-02, 04
bola-idor	WSTG ATHZ-04
path-traversal	WSTG ATHZ-01
mass-assignment	VibeSec

Injection

Skill	Source
sql-injection	WSTG INPV-05
xss-reflected	WSTG INPV-01
xss-stored	WSTG INPV-02
cmd-injection	WSTG INPV-12
ssrf	WSTG INPV-19
ssti	WSTG INPV-18
xxe	WSTG INPV-07
http-request-smuggling	WSTG INPV-15

Client-Side

Skill	Source
dom-xss	WSTG CLNT-01
csrf	WSTG SESS-05
cors-misconfig	WSTG CLNT-07
clickjacking	WSTG CLNT-09
cspt	matanber.com
open-redirect	VibeSec

Logic

Skill	Source
business-logic-flaws	WSTG BUSL-01–06
insecure-file-upload	VibeSec
graphql-idor-via-introspection-leak	manual

---

mobile — OWASP Mobile Application Security Testing Guide

Skill	MASVS	Source
mobile-insecure-storage	MASVS-STORAGE-1, 2	MASTG
mobile-weak-crypto	MASVS-CRYPTO-1, 2	MASTG
mobile-auth-bypass	MASVS-AUTH-1, 2, 3	MASTG
mobile-network-security	MASVS-NETWORK-1, 2	MASTG
mobile-platform-interaction	MASVS-PLATFORM-1, 2, 3	MASTG
mobile-code-quality	MASVS-CODE-1, 2, 3, 4	MASTG
mobile-resilience	MASVS-RESILIENCE-1, 2, 3, 4	MASTG

---

cicd — CI/CD Pipeline Security

Skill	Source
github-actions-script-injection	adnanthekhan.com
github-actions-cache-poisoning	adnanthekhan.com
pwn-request	landh.tech
cicd-bot-command-injection	landh.tech
self-hosted-runner-poisoning	adnanthekhan.com

---

Adding a New Skill

From source material (recommended)

Paste any security content and run /distill-skill. Claude extracts the technique, outputs a ready-to-save SKILL.md, and tells you which collection to add it to.

Manually

1. Choose the right bucket: web/ for web vulnerabilities, mobile/ for mobile, cicd/ for CI/CD pipeline attacks, meta/ for tooling
2. Create skills/<bucket>/<category>/<technique>/SKILL.md
3. Ensure name matches the directory name exactly
4. Add the path to .claude-plugin/marketplace.json