Claude Security Skills (Page 69 of 106)

Security auditing, penetration testing, vulnerability scanning, OWASP, cloud security, and compliance skills for Claude Code.

6,335 skills · updated 2026-06-18 · showing 4081–4140 of 6,335 by quality score

Sub-topics: Web Security (773) · Threat Hunting (482) · Red Team (465) · Identity Access (336) · Appsec Tools (287) · Network Security (286) · Compliance (161) · Forensics (146)

Security-first decision framework for threat modeling, vulnerability assessment, and compliance review.
Secure Persona API keys, webhook secrets, PII handling in verification data. Use when working with Persona identity verification.
Persona-driven exploratory browser testing against a live URL. Drives a browser as a specific user persona using a Plan → Act → Reflect loop, takes screenshots at each step,…
Personal Habit Optimization for disaster response networks. Use when work requires personal habit optimization for disaster response networks with guardrails, traceable execution,…
Use when scanning an external macro environment with PESTEL/PESTLE (and its variant family STEEPLE, STEEPLED, PESTLIED, STEEP, DESTEP, LoNGPESTLE): political, economic, social,…
Searches and downloads royalty-free images from Pexels API with smart filtering by orientation, color, and size.
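Skill for direct access to a PostgreSQL DB. Use when you need to query the DB, inspect table structure, or validate data. Connects directly via a Node.js script and reads connection details from environment variables or a credentials file.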
Build frontend Solana applications with Phantom Connect SDK and Helius infrastructure. Covers React, React Native, and browser SDK integration, transaction signing via He — from…
Runtime enforcement phase overview. Policy-as-code with Kyverno, resource limits, image source verification, security context enforcement, and policy observability for production…
Use when a multi-slice phase has been implemented and the operator wants an independent audit of ALL slices before sign-off, or asks to "audit the phase", "review all slices",…
Adaptive post-implementation phase verification through fresh subagents with S/M/L sizing (bug-fix → feature → architecture).
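Control skill for Philips Hue smart lights. Uses the Hue Bridge's local CLIP API v2 to turn lights on/off, adjust brightness, change colors, and control scenes. Use for requests such as "Turn on the Hue lights", "Make the living room a warm color", "Turn off all the lights", or "List the lights".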
Lead coordinator for phishing incident triage: initial assessment, containment, evidence preservation, affected accounts, main point of contact. Checklist for IT security and data protection.
Guide to phishing notification obligations: Art. 33 GDPR supervisory authority within 72 hours, Art. 34 data subjects, BSI for critical infrastructure (KRITIS), insurer. Checklist of escalation levels.
Phishing in the workplace: employee liability for damage caused by phishing. Intra-company loss apportionment (BAG case law), graduated liability.
Recognizing types of phishing: email phishing, smishing (SMS), vishing (phone call), spear phishing, pharming, man-in-the-middle (TAN interception). Indicators for each type.
BaFin complaint against a bank that refuses a reversal: § 4 para. 4 FinDAG, BaFin consumer complaint. Output: draft complaint, escalation strategy.
Letter to the bank after a phishing incident: facts of the case, demand for reversal under § 675u BGB, setting a deadline, reference to the BGB burden-of-proof rule, where appropriate a hint at involving the consumer advice centre (Verbraucherzentrale).
Banking app malware (Anubis, Cerberus, BRATA): trojan takes over the app and pushTAN, overlay attack. Forensic indicators: unusual app permissions, observed SMS messages.
Phishing against a lawyer's beA: immediately block the card, inform BRAK, inform clients, check for a data protection breach under Art. 33 GDPR (72-hour deadline).
§ 675u BGB liability of the payment service provider for unauthorized payments: obligation to refund, burden of proof on the bank that the customer authenticated. Exceptions in § 675v BGB.
§ 675v para. 3 BGB customer liability for gross negligence: full liability. Checklist: PIN/TAN passed on? Entered on a phishing site? With pushTAN: device binding bypassed?…
Initial contact with the client after a phishing incident: urgent questions, damage from the incident, bank contacted (account blocked, cards blocked), police (criminal complaint under § 263a StGB), beA emergency hotline (in case of…
Phishing targeting elderly clients: grandchild scam (Enkeltrick) by email, forged bank letters, telephone confirmation scam.
Phishing involving cryptocurrency: recovery practically impossible, but blockchain forensics (Chainalysis, TRM) can identify the recipient wallet. Under criminal law § 263a StGB.
Phishing against a business account: no consumer rules § 675f BGB, possibly deviating bank terms and conditions (AGB), higher duty-of-care requirements.
Prevention checklist for law firms and clients: 2FA, separate devices for banking, phishing filters, BSI guidance, staff training.
Prevention checklist for law firms and clients: 2FA, separate devices for banking, phishing filters, BSI guidance, staff training.
Preparing a criminal complaint under § 263a StGB (computer fraud): facts of the case, evidence (mail headers, logs, account statement), suspicion of an offence, pointers to the author.
Business Email Compromise (BEC), invoice phishing: forged supplier invoice with altered IBAN. Contract-law consequences, debt-discharging effect of payment to the wrong IBAN.
Comparing TAN methods from a liability perspective: smsTAN (obsolete), pushTAN, photoTAN, chipTAN. Which method was manipulated? pushTAN device binding as a security anchor.
Reviewing cyber insurance: scope of coverage for phishing/social engineering, deductible, exclusions (e.g. grossly negligent breach of duty).
Reviews online banking phishing, pushTAN, caller ID spoofing, gross negligence, burden of proof, bank logs, ombudsman, and legal action against the payment service provider.
Civil action against the bank when reversal is refused: claim under § 675u BGB, burden of proof for authentication lies with the bank. Output: draft statement of claim before the regional court (LG). Amount in dispute: amount of the loss.
Letter-sound relationships, decoding strategies, and word-attack skills for reading unfamiliar text. Covers alphabetic principle, phoneme-grapheme correspondences (single letters,…
Use when essential PHP security patterns including input validation, SQL injection prevention, XSS protection, CSRF tokens, password hashing, secure session management, and…
Phrack magazine article analysis, binary exploitation, vulnerability research, exploit development, Use-After-Free (UAF), heap exploitation, ROP chain, GDB debugging, pwntools,…
CORS (Cross-Origin Resource Sharing) misconfiguration auditor. Probes any API endpoint with crafted Origin headers to detect the most dangerous CORS vulnerabilities — reflecting…
Unsafe deserialization vulnerability scanner (OWASP A08:2021). Detects Python pickle/yaml/eval, Java ObjectInputStream/XStream/XMLDecoder, PHP unserialize, Ruby Marshal.load,…
JWT and OAuth/OIDC security auditor. Decodes any JWT token (without verification) to inspect alg/exp/iss/aud/scope claims, detects the "alg:none" bypass vulnerability, expired or…
Kubernetes manifest security auditor (CIS Kubernetes Benchmark). Scans all YAML/JSON manifests in your repository for privileged containers, hostNetwork/hostPID/hostIPC, dangerous…
Path traversal and Local File Inclusion (LFI) vulnerability scanner (OWASP A01:2021). Detects user-controlled paths passed to file system sinks in Python/Java/PHP/Node.js/Go/Ruby…
Static ReDoS (Regular Expression Denial of Service) vulnerability scanner and regex quality auditor for codebases.
HTTP security header auditor that fetches response headers from any URL and grades them against OWASP, Mozilla Observatory, and Google standards.
Server-Side Request Forgery (SSRF) vulnerability scanner (OWASP A10:2021). Detects URL-fetching sinks in Python/Java/Node.js/PHP/Go/Ruby that accept user-controlled URLs without…
Threat library for physical-access threats that STRIDE and OWASP Top 10 don't cover — evil-maid, DMA, hostile peripheral, travel-host, coercion, cold-boot, supply-chain implant,…
Picoclaw security posture skill with advisory awareness, configuration drift detection, and supply-chain verification guidance.
Use picocom to interact with IoT device UART consoles for pentesting operations including device enumeration, vulnerability discovery, bootloader manipulation, and gainin — from…
Inter-session pmail - send and receive messages between Claude Code sessions running in different project directories. Uses global SQLite database at ~/.claude/pmail.db.
Helps configure and use the GoBilda Pinpoint odometry computer for robot localization. Use when setting up Pinpoint, configuring pod offsets, troubleshooting LED status, tuning…
Deep GitHub Actions workflow expert. Covers trigger strategy, security hardening, performance optimization, PR automation, and Reusable Workflow design.
Pipedream is a developer-focused workflow platform for connecting APIs and running automation logic in hosted workflows.
Connect 2,000+ APIs with managed OAuth via Pipedream. Includes full UI integration for OpenClaw Gateway dashboard with per-agent app isolation.
Pipedrive integration. Manage crm and sales data, records, and workflows. Use when the user wants to interact with Pipedrive data.
Use Pipedrive REST API v1 from an integration. Use when reading or writing deals, persons, organizations, leads, or activities.
Automate Pipedrive CRM operations including deals, contacts, organizations, activities, notes, and pipeline management via Rube MCP (Composio).
Store and inject Salesforce auth URLs, JWT keys, and API credentials into CI without leaking them. NOT for runtime secrets in Apex.
Writes a radio programme pitch document for submission to a network or station commissioner, covering format, audience, editorial proposition, and production credentials.
Use after completing any PRD, spec, plan, or code implementation — verifies that artifact-specific pitfalls (security, idempotency, integration contracts, edge cases, LLM output)…
Security patterns for session keys, caching, logging, and environment variables. Use when implementing authentication, caching sensitive data, or setting up logging.