Hunt Csrf
Hunting skill for csrf vulnerabilities. Built from 15 public bug bounty reports including modern variants — SameSite=Lax sibling-subdomain bypass (Argo CD CVE-2024-22424), GraphQL mutations-via-GET (GitLab $3,370), framework-wide CSRF middleware disabled (Stripe Dashboard $5,000), path-traversal CSRF-token bypass (GitHub Enterprise CVE-2022-23732 $10k), Origin-omission bypass (TikTok $2,500), OAuth-state null-byte (Streamlabs), WebSocket CSRF / CSWSH (Coda), default-SameSite email-change → ATO (YoYo Games $400), social-account-link CSRF (HackerOne), JSON-CSRF via text/plain on email-change (TikTok $500). Use when hunting modern CSRF — heavy emphasis on chain-to-ATO patterns.
What this skill does
Hunt Csrf is a community-contributed Claude Code skill in the web-security sub-category. It ships as a SKILL.md file that Claude Code auto-discovers under ~/.claude/skills/hunt-csrf/ and loads when your prompt matches the skill's trigger.
When to invoke it: Use when hunting modern CSRF — heavy emphasis on chain-to-ATO patterns.
Who uses this skill
The Hunt Csrf Claude Code skill is built for security engineers, penetration testers, DevSecOps practitioners, and development teams hardening codebases and infrastructure. It's part of ClaudSkills (also referred to as Claude Skills or Claude Code Skills) — the open community-curated registry of 116,000+ SKILL.md files for Anthropic's Claude Code agent and the wider Claude ecosystem (Claude API, Claude Agent SDK).
How to install
Free
Manual install (2 steps)
mkdir -p ~/.claude/skills/hunt-csrf
curl -L https://claudskills.com/skills/hunt-csrf/SKILL.md \
-o ~/.claude/skills/hunt-csrf/SKILL.md
Or just download SKILL.md directly and drop it into ~/.claude/skills/hunt-csrf/. Claude Code auto-discovers it on next session.
Skills live at ~/.claude/skills/hunt-csrf/SKILL.md on macOS/Linux, or %USERPROFILE%\.claude\skills\hunt-csrf\SKILL.md on Windows. See the full install guide for step-by-step instructions.
Telegram
📱 Install from your phone or desktop Telegram
Open @claudskills_bot on Telegram, tap Open Desktop App, and the desktop app installs this skill for you. Or share the bot link with a colleague — they get the same one-tap install. Learn more →
Pro
One-click install via the desktop app
The ClaudSkills desktop app installs any skill directly into ~/.claude/skills/ with one click — no terminal required. Pro starts at $9/mo or $149 lifetime.
Pro
For the full experience including quality scoring and one-click install features for each skill — upgrade to Pro.
Frequently asked questions
How do I install the Hunt Csrf Claude Code skill?
Install via the ClaudSkills desktop app (one click) or copy
SKILL.md from the source repository to
~/.claude/skills/hunt-csrf/SKILL.md and restart Claude Code. Both flows are detailed at
claudskills.com/install/.
What does the Hunt Csrf skill do?
Hunting skill for csrf vulnerabilities. Built from 15 public bug bounty reports including modern variants — SameSite=Lax sibling-subdomain bypass (Argo CD CVE-2024-22424), GraphQL mutations-via-GET (GitLab $3,370), framework-wide CSRF middleware disabled (Stripe Dashboard $5,000), path-traversal CSRF-token bypass (GitHub Enterprise CVE-2022-23732 $10k), Origin-omission bypass (TikTok $2,500), OAuth-state null-byte (Streamlabs), WebSocket CSRF / CSWSH (Coda), default-SameSite email-change → ATO (YoYo Games $400), social-account-link CSRF (HackerOne), JSON-CSRF via text/plain on email-change (TikTok $500). Use when hunting modern CSRF — heavy emphasis on chain-to-ATO patterns.
Is this skill free to install?
Yes. ClaudSkills is an open registry — every skill keeps its source repository's license, and manual install via copy is free. ClaudSkills Pro ($9/mo, $79/yr, or $149 one-time) adds one-click install via the desktop app and a multi-signal Quality Score.
When should I use the Hunt Csrf skill?
Use Hunt Csrf when your Claude Code task falls under the Security category — specifically in the web security area. Claude Code auto-discovers installed skills and invokes the right one based on the task description, so you can also ask Claude directly (e.g. "use Hunt Csrf" or describe the task and let Claude pick). Browse related skills at
/category/security/.
What is a Claude Code skill and how does the Hunt Csrf skill fit in?
A Claude Code skill is a
SKILL.md file that lives under
~/.claude/skills/<name>/ and tells the Claude Code CLI agent how to perform a specific task (instructions, prompts, allowed tools). Skills are auto-discovered at session start. Hunt Csrf is one of 67,000+ skills indexed in the open ClaudSkills catalog, classified under the Security category. Learn more at
/learn/what-is-a-claude-skill/.
Attribution & license
Cite this skill
If you reference this skill in a blog post, paper, or documentation, you can cite it as:
APA
elementalsouls. (2026). Hunt Csrf [Claude Code skill]. ClaudSkills. https://claudskills.com/skills/hunt-csrf/
BibTeX
@misc{hunt-csrf-2026,
author = {elementalsouls},
title = {Hunt Csrf [Claude Code skill]},
year = {2026},
publisher = {ClaudSkills},
url = {https://claudskills.com/skills/hunt-csrf/}
}Embed this skill
Promote, attribute, or link this skill from your own README, blog post, or documentation. All three snippets are free to use — no sign-up, no API key. More distribution surfaces →
Badge
[](https://claudskills.com/skills/hunt-csrf/?utm_source=badge&utm_medium=readme&utm_campaign=skill_badge)
<script>
<script src="https://claudskills.com/embed/hunt-csrf.js" async></script>
<iframe>
<iframe src="https://claudskills.com/embed/hunt-csrf.html" width="100%" height="160" frameborder="0" loading="lazy" title="ClaudSkills: Hunt Csrf"></iframe>
More Security skills
Browse all Security skills in the ClaudSkills registry, or explore these other picks from the same category:
Part of Acreator Store — Adam Lankamer's AI tools:
PerfectStudio ·
Ucaption ·
UTagger ·
AutoXPoster ·
TestYourSkills ·
AutomationFlows ·
Au Naturel ·
Telegram @acreatorstore