Skill catalog

All 71 skills in the bundle, grouped by domain. Each auto-loads when your prompt matches its trigger keywords — no need to invoke by name. Use your browser’s find (⌘/Ctrl-F) or the docs search box.

Generated by scripts/gen_skill_catalog.py — do not edit by hand.

Hunt — web app vuln classes (48)

| Skill | What it does | Reports |
|---|---|---|
| hunt-api-misconfig | Hunt API security misconfiguration — mass assignment, JWT attacks, prototype pollution, HTTP verb tampering. | |
| hunt-aspnet | Hunt ASP.NET-specific surface — ViewState deserialization (signed-only vs encrypted), machineKey recovery, dual-parser MAC-bypass anti-pattern, request-validator bypass, trace.axd/elmah.axd disclosure, load-balanced ViewState cross-node… | 1 |
| hunt-ato | Hunt account takeover taxonomy — 9 distinct paths to ATO, plus chains. | |
| hunt-auth-bypass | Hunting skill for auth bypass vulnerabilities. | 12 |
| hunt-brute-force | Hunt Missing/Weak Rate Limiting — login brute force, OTP/2FA brute force (10^6), credential stuffing, username/email enumeration via error differences or timing, weak password policy, missing CAPTCHA, IP-based rate limit bypass via… | 33 |
| hunt-business-logic | Hunting skill for business logic vulnerabilities. | 12 |
| hunt-cache-poison | Hunting skill for cache poisoning vulnerabilities. | 10 |
| hunt-cicd | Hunt CI/CD pipeline vulnerabilities — GitHub Actions workflow injection (pull_request_target + untrusted input), Jenkins script console RCE, GitLab CI runner token exposure, Terraform state file leakage, artifact leakage, GitHub Actions… | 18 |
| hunt-cloud-misconfig | Hunt cloud / infrastructure misconfigurations. | |
| hunt-cors | Hunt CORS Misconfiguration — wildcard with credentials, null origin, regex with subdomain trust, pre-flight bypass, postMessage origin checks. | 19 |
| hunt-csrf | Hunting skill for CSRF vulnerabilities. | 15 |
| hunt-deserialization | Hunt Insecure Deserialization — Java gadget chains (ysoserial), PHP object injection (phpggc), Python pickle RCE, .NET BinaryFormatter, Ruby Marshal.load, JNDI/Log4Shell. | 22 |
| hunt-dispatch | Skill-set loader for the /hunt orchestrator. | |
| hunt-dom | Hunt client-side DOM vulnerabilities — DOM Clobbering (overwrite JS globals via HTML injection), PostMessage hijacking (missing origin check), Service Worker abuse (intercept requests), CSS Injection/Exfiltration (attribute selectors →… | 17 |
| hunt-file-upload | Hunt file upload bugs — RCE via webshell, XSS via SVG/HTML, SSRF via XXE in DOCX, path traversal via filename. | |
| hunt-graphql | Hunting skill for GraphQL vulnerabilities. | 12 |
| hunt-grpc | Hunt gRPC vulnerabilities — server reflection enabled (enumerate all services/methods), missing authentication on internal endpoints, plaintext gRPC over HTTP/2, internal endpoint disclosure, proto file leakage, gRPC-Web proxy injection,… | 6 |
| hunt-host-header | Hunt Host Header Injection — password reset poisoning → ATO, cache poisoning via unkeyed host, X-Forwarded-Host injection, SSRF via Host header, routing-based SSRF, OAuth redirect_uri poisoning. | 16 |
| hunt-http-smuggling | Hunt HTTP request smuggling (CL.TE, TE.CL, H2.CL, H2.TE). | |
| hunt-idor | Hunting skill for IDOR vulnerabilities. | 26 |
| hunt-k8s | Hunt Kubernetes and Docker specific vulnerabilities — Kubernetes API anonymous access, kubelet 10250 unauth exec, etcd 2379 unauth, dashboard exposure, RBAC misconfig, secret leakage, docker.sock exposure, privileged container escape,… | 13 |
| hunt-laravel | Hunt Laravel specific vulnerabilities — Debug mode leakage (APP_DEBUG=true exposes full stack trace + env vars), Laravel Telescope/Horizon dashboard unauthorized access, Ignition RCE (CVE-2021-3129), Signed URL manipulation, Queue Worker… | 14 |
| hunt-ldap | Hunt LDAP Injection and XPath Injection — authentication bypass, data exfiltration from Active Directory, directory traversal, AD user/group enumeration. | 8 |
| hunt-lfi | Hunt Local File Inclusion (LFI), Remote File Inclusion (RFI), and Path Traversal — /etc/passwd read, log poisoning → RCE, PHP wrappers, zip:// and phar:// chains, directory traversal read/write/delete. | 31 |
| hunt-llm-ai | Hunt LLM/AI feature bugs — prompt injection, indirect injection, exfiltration via tool-use, ASCII smuggling, agentic AI security framework (ASI01-ASI10). | |
| hunt-mfa-bypass | Hunt MFA / 2FA bypass — 7 distinct patterns. | |
| hunt-misc | Hunting skill for miscellaneous vulnerabilities. | 225 |
| hunt-nextjs | Hunt Next.js specific vulnerabilities — Server Actions arbitrary function execution, Middleware auth bypass via static asset paths, ISR cache poisoning, Image Optimization SSRF (/_next/image), RSC payload leakage, getServerSideProps… | 19 |
| hunt-nodejs | Hunt Node.js specific vulnerabilities — Prototype Pollution → RCE chains (lodash/merge/assign), Express trust proxy misconfiguration, child_process/eval injection, template engine SSTI (EJS/Pug/Handlebars), path traversal in file servers,… | 24 |
| hunt-nosqli | Hunt NoSQL Injection — MongoDB operator injection ($where, $regex, $gt, $ne), CouchDB, Redis command injection, auth bypass via NoSQLi, data dump. | 14 |
| hunt-ntlm-info | Hunt NTLM/Negotiate information disclosure on internet-reachable IIS/SharePoint/Exchange. | 1 |
| hunt-oauth | Hunting skill for OAuth vulnerabilities. | 19 |
| hunt-open-redirect | Hunt Open Redirect — all types including low-impact, chained to OAuth token theft → ATO, phishing chains. | 28 |
| hunt-race-condition | Hunting skill for race condition vulnerabilities. | 12 |
| hunt-rce | Hunting skill for RCE vulnerabilities. | 67 |
| hunt-saml | Hunt SAML / SSO attacks. | |
| hunt-session | Hunt Session Management vulnerabilities — session fixation, session prediction (low entropy), insufficient invalidation on logout/password change, concurrent session abuse, JWT as session without expiry or revocation, cookie attribute… | 18 |
| hunt-sharepoint | Hunt Microsoft SharePoint Server (2013/2016/2019/Subscription Edition) on-prem farms — anonymous endpoint enumeration, version disclosure, legacy SOAP login bypass (Authentication.asmx), ToolShell precondition chain (CVE-2025-53770),… | 1 |
| hunt-source-leak | Hunt source code and build artifact leakage — JavaScript source maps (.js.map) reconstructing TypeScript/ES6 source, Swagger/OpenAPI JSON endpoint discovery, .env/.git exposure, webpack chunks with hardcoded secrets,… | 31 |
| hunt-springboot | Hunt Spring Boot specific vulnerabilities — Actuator endpoints (heapdump, env, loggers, mappings, shutdown), Spring Expression Language (SpEL) injection → RCE, H2 console RCE, Jolokia JMX exposure, Spring4Shell (CVE-2022-22965), Spring… | 16 |
| hunt-sqli | Hunting skill for SQLi vulnerabilities. | 12 |
| hunt-ssrf | Hunting skill for SSRF vulnerabilities. | 15 |
| hunt-ssti | Hunt server-side template injection (SSTI) across Jinja2 (Flask/Django), Twig (Symfony), Freemarker (Java), ERB (Rails), Spring, Velocity, Mako, Thymeleaf, Smarty. | |
| hunt-subdomain | Hunting skill for subdomain vulnerabilities. | 15 |
| hunt-tls-network | Hunt TLS/SSL and DNS misconfigurations — missing HSTS (downgrade attack), weak cipher suites, expired/invalid certificates, mTLS bypass, missing SPF/DKIM/DMARC (email spoofing), DNS Zone Transfer (AXFR), dangling CNAME subdomain takeover,… | 9 |
| hunt-websocket | Hunt WebSocket vulnerabilities — Cross-Site WebSocket Hijacking (CSWSH), missing authentication on WS handshake, message tampering, event authorization bypass, WS→HTTP request smuggling. | 11 |
| hunt-xss | Hunting skill for XSS vulnerabilities. | 174 |
| hunt-xxe | Hunting skill for XXE vulnerabilities. | 10 |

Enterprise platform attack (9)

| Skill | What it does | Reports |
|---|---|---|
| apk-redteam-pipeline | End-to-end Android APK red-team pipeline — automated APK acquisition (Play Store + apkpure + apkmirror fallback), jadx decompilation, secret/URL/JWT/Firebase grep, pinned-cert extraction, exported-component enumeration, Frida runtime… | 1 |
| cloud-iam-deep | Cloud IAM red-team attack chain across AWS, Azure, GCP — focused on EXTERNAL exploitation paths and post-credential-discovery privilege analysis. | 6 |
| enterprise-vpn-attack | External SSL VPN / remote-access appliance attack matrix — Cisco ASA/AnyConnect, Fortinet FortiGate/FortiOS, Citrix NetScaler/ADC, Palo Alto GlobalProtect, Pulse Secure / Ivanti Connect Secure, SonicWall, F5 Big-IP. | 1 |
| m365-entra-attack | Microsoft 365 / Entra ID red-team attack chain — current 2026 reality. | 1 |
| meme-coin-audit | Meme coin and token security audit — rug pull detection (honeypot, hidden mint, fee manipulation, LP lock bypass), Solana SPL token analysis (freeze authority, mint authority, metadata mutability), Token-2022 extension risks (transfer… | |
| okta-attack | Okta-as-IdP red-team attack chain — tenant discovery, user enumeration (multiple vectors), authentication flow analysis (factors enumeration, push-notification fatigue, SMS bypass), password spray with lockout discipline, Okta-specific… | 8 |
| supply-chain-attack-recon | External recon for software supply-chain attack surface — package-namespace squatting candidates, dependency-confusion vulnerabilities, GitHub Actions injection openings, container image registry exposure, SBOM mining,… | 12 |
| vmware-vcenter-attack | VMware vSphere / vCenter Server external attack matrix — version fingerprinting, the high-impact CVE chain (CVE-2021-21972 vRealize unauth file upload, CVE-2021-21985 vSAN plugin RCE, CVE-2022-22954 Workspace ONE SSTI, CVE-2023-20887 Aria… | 10 |
| web3-audit | Smart contract security audit — 10 DeFi bug classes (accounting desync, access control, incomplete path, off-by-one, oracle, ERC4626, reentrancy, flash loan, signature replay, proxy), pre-dive kill signals (TVL < $500K etc), Foundry PoC… | |

Recon & OSINT (4)

| Skill | What it does | Reports |
|---|---|---|
| offensive-osint | Operational arsenal for authorized external red-team and bug-bounty recon. | |
| osint-methodology | Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. | |
| security-arsenal | Security payloads, bypass tables, wordlists, gf pattern names, always-rejected bug list, and conditionally-valid-with-chain table. | |
| web2-recon | Web2 recon pipeline — subdomain enumeration (subfinder, Chaos API, assetfinder), live host discovery (dnsx, httpx), URL crawling (katana, waybackurls, gau), directory fuzzing (ffuf), JS analysis (LinkFinder, SecretFinder), continuous… | |

Methodology & mindset (4)

| Skill | What it does | Reports |
|---|---|---|
| bb-local-toolkit | Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability… | |
| bb-methodology | Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. | |
| bug-bounty | Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability… | |
| redteam-mindset | Red-team operator discipline — the mindset corrections that separate offensive testing from defensive WAPT. | 1 |

Reporting & validation (6)

| Skill | What it does | Reports |
|---|---|---|
| bugcrowd-reporting | Bugcrowd-specific reporting tactics complementing report-writing: VRT category search-and-fallback strategy when no exact match exists, manual severity override when VRT defaults underrate impact, severity-request paragraph as first body… | |
| evidence-hygiene | Evidence-capture and PoC-redaction discipline for bug-bounty submissions: cookie redaction protocol (which fields to mask, Preview annotation / Burp panel hiding / DevTools workflow), PII black-bar discipline (what to mask in other-user… | |
| mid-engagement-ir-detection | Methodology for detecting client SOC patches, attacker activity, and security-state changes that occur DURING a red-team engagement — and converting those observations into deliverable findings. | 1 |
| redteam-report-template | Client-facing red-team deliverable format — codifies the Subject / Observations / Description / Impact / Recommendation / PoC structure used for external red-team engagements (not bug-bounty platform reports). | 1 |
| report-writing | Bug bounty report writing for H1/Bugcrowd/Intigriti/Immunefi — report templates, human tone guidelines, impact-first writing, CVSS 3.1 scoring, title formula, impact statement formula, severity decision guide, downgrade counters,… | |
| triage-validation | Finding validation before writing any report — 7-Question Gate (all 7 questions), 4 pre-submission gates, always-rejected list, conditionally valid with chain table, CVSS 3.1 quick reference, severity decision guide, report title formula,… | |