Probe a target for accidentally-served secret-bearing files in the web root — `.git/`, `.env`, `.DS_Store`, backup files, database dumps, key files, CI configs, IDE configs.
Audit a project's dependency licenses against an explicit policy (allow-list / deny-list / review-required) and flag incompatibilities before they ship to production.
Build a dependency-tree map of a project (npm or Python) and trace the path from each known-vulnerable transitive package back to one or more direct dependencies.
Parse the ROE scope definition, enumerate every in-scope target (hostnames, IPs, CIDRs, URLs, cloud accounts, SaaS tenants), validate syntax, detect overlap with out-of-scope or…
Package an engagement's findings, scan outputs, evidence, and signed ROE into a timestamped archive with a SHA-256 manifest covering every file.
Audit a Node.js project's installed npm dependency tree for known CVEs by wrapping the npm audit JSON output and emitting findings in the canonical penetration-tester schema.
Audit a target's HTTP security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the Cross-Origin trio (COOP, COEP, CORP).
Scan a source-code tree for hardcoded credentials embedded in source files: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, Anthropic API keys, OpenAI keys, JWT signing…
Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled…
Probe a target for accidentally-public admin / debug / introspection endpoints — Spring Boot Actuator, Apache server-status, Prometheus metrics, GraphQL playground, Swagger UI,…
Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java…
Scan a source tree for dynamic-code-execution APIs that an attacker can hijack: Python eval / exec / compile, JavaScript eval / Function() / setTimeout(string), Ruby eval /…
Scan a source tree for command-injection vulnerable patterns: shell=True calls in Python subprocess, os.system / os.popen with interpolated strings, Node child_process.exec with…
Probe a target for directories that return auto-generated index listings instead of denying or serving a specific file — exposes the full file tree under any reachable directory,…
Identify the server software, framework, and component versions a target is running from its HTTP response signatures — Server header, X-Powered-By, Via, X-AspNet-Version,…
Audit a target's TLS certificate beyond protocol/expiry — chain ordering, OCSP stapling, revocation status, Certificate Transparency presence, key-usage flags, and over-broad…
Read findings JSONL files from cluster 1-4 skills, deduplicate by fingerprint, group by severity, and compose a deliverable- grade markdown vulnerability report with per-finding…
Compose an exec-readable summary from a unified findings JSONL plus the OWASP coverage report. Computes a single engagement risk score (0-100, severity-weighted with OWASP-breadth…
Annotate every pentest finding with its OWASP Top 10 (2021) category by applying a deterministic rule table keyed on source skill, finding category, detail keywords, and CWE…
Probe a target for HTTP methods that should not be enabled in production — TRACE (XST attack), unrestricted PUT/DELETE, DEBUG/CONNECT, WebDAV (PROPFIND/MKCOL/COPY/MOVE), and Allow…
Scan a source tree for SQL-injection vulnerable patterns: string concatenation into queries, f-string interpolation in SQL, string-format substitution into raw queries, deprecated…
Audit a Python project's installed dependencies for known CVEs by wrapping pip-audit (PyPA's official vulnerability auditor) and emitting findings in the canonical…
Verify that a penetration test has explicit, written, signed authorization before any scanning begins.
Analyze a target's TLS configuration — negotiated protocol version, cipher suite, certificate chain, expiry, and downgrade vectors.
Audit a target's CORS posture — Access-Control-Allow-Origin handling, reflected-origin bypass, credentials+wildcard mismatch, preflight OPTIONS behavior, Vary header correctness.
Deploy and orchestrate Vertex AI ADK agents using A2A protocol. Manages AgentCard discovery, task submission, Code Execution Sandbox, and Memory Bank.
Validate a Claude Code plugin directory against the official Anthropic spec and Intent Solutions enterprise standard.
Dolt and DoltHub-aware workflow for the beads (bd) task tracker. Diagnoses why bead work is not visible on DoltHub (no Dolt remote configured), applies the bd dolt remote — from…
Dolt and DoltHub-aware workflow for the beads (bd) task tracker. Diagnoses why bead work is not visible on DoltHub (no Dolt remote configured), applies the bd dolt remote — from…
Generate production-ready Google Cloud code examples from official repositories including ADK samples, Genkit templates, Vertex AI notebooks, and Gemini patterns.
Comprehensive codebase cleanup across 11 quality dimensions: dead code, duplication, weak types, circular deps, defensive cruft, legacy code, AI slop, type consolidation,…
Use when a prompt is rough, vague, or under-specified and you want it rewritten to high quality before running it.
Use when the user wants to manually flush a deferred-commit queue from a prior or interrupted chain. Reads .hyperflow/commits-queue/manifest.json, fast-forwards the staging branch…
Inspect and validate Vertex AI Agent Engine deployments including Code Execution Sandbox, Memory Bank, A2A protocol compliance, and security posture.
Analyzes public X/Twitter complaints to detect, cluster, and triage bugs with repo evidence and owner routing. Use when monitoring product health from social signals.
Use when the user wants to set auto-routing mode: on (every task-shaped message routes), auto (intent-verb messages route — default), or off (no auto-routing).
Validate production readiness of Vertex AI Agent Engine deployments across security, monitoring, performance, compliance, and best practices.
Set up a local development loop for MaintainX integration development. Use when configuring dev environment, testing API calls locally, or setting up a sandbox workflow for…
Migrate Miro integrations from REST API v1 to v2 and upgrade @mirohq/miro-api SDK. Use when upgrading SDK versions, migrating v1 widget endpoints to v2 item endpoints, or handling…
Build a complete HubSpot CRM contact-to-deal pipeline workflow. Use when implementing lead capture, contact management, deal creation, or end-to-end sales pipeline automation with…
Implement Figma Webhooks V2 for real-time file, comment, and library events. Use when setting up webhook endpoints, handling FILE_UPDATE events, or building event-driven Figma…
Scale Sentry for high-traffic applications handling millions of events per day. Use when optimizing SDK performance at high volume, implementing adaptive sampling, managing quotas…
Enterprise reference architecture for Guidewire InsuranceSuite Cloud deployments. Trigger: "guidewire reference architecture", "reference-architecture".
Form Builder Helper - Auto-activating skill for Business Automation. Triggers on: form builder helper, form builder helper Part of the Business Automation skill category.
Optimize Exa costs through search type selection, caching, and usage monitoring. Use when analyzing Exa billing, reducing API costs, or implementing budget controls and usage…
Configure CI/CD pipelines for HubSpot integrations with GitHub Actions. Use when setting up automated testing, configuring CI with HubSpot secrets, or integrating HubSpot API…
Set up monitoring and observability for Supabase projects using Dashboard reports, CLI inspect commands, pg_stat_statements, log drains, and alerting.
Apply ElevenLabs security best practices for API keys, webhook HMAC validation, and voice data protection.
Track and monitor Kling AI video generation task status. Use when building dashboards, tracking batch jobs, or debugging stuck tasks.
Implement security best practices with Clerk authentication. Use when securing your application, reviewing auth implementation, or hardening Clerk configuration.
Together AI rate limits for inference, fine-tuning, and model deployment. Use when working with Together AI's OpenAI-compatible API. Trigger: "together rate limits".
Optimize AppFolio API performance with caching and batch operations. Trigger: "appfolio performance".
Implement reliability patterns for Canva Connect API — circuit breakers, idempotency, graceful degradation.
Handle Figma REST API rate limits with exponential backoff and request queuing. Use when encountering 429 errors, implementing retry logic, or optimizing API request throughput…
Tensorflow Serving Setup - Auto-activating skill for ML Deployment. Triggers on: tensorflow serving setup, tensorflow serving setup Part of the ML Deployment skill category.
Rebuild a feature as if the correct product architecture existed from day one — remove compatibility cruft, dead abstractions, and historical compromises instead of preserving…
Together AI ci integration for inference, fine-tuning, and model deployment. Use when working with Together AI's OpenAI-compatible API. Trigger: "together ci integration".
Configure enterprise role-based access control for Deepgram integrations. Use when implementing team permissions, managing API key scopes, or setting up organization-level access…
Master Guidewire SDK patterns: REST API Client, Jutro Digital SDK, and Gosu best practices. Trigger: "guidewire sdk patterns", "sdk-patterns".
Codebase comprehension and investigation specialist. Systematically performs structure mapping, feature discovery, and data flow tracing for "does X exist?", "how does Y work?",…