[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-74262":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":33,"readmeContent":34,"aiSummary":35,"trendingCount":16,"starSnapshotCount":16,"syncStatus":36,"lastSyncTime":37,"discoverSource":38},74262,"Claude-Red","SnailSploit\u002FClaude-Red","SnailSploit","claude-red is a curated library of offensive security skills designed for the Claude skills system. Each skill is a structured SKILL.md file that primes Claude with expert-level methodology for a specific attack surface — from SQLi to shellcode, EDR evasion to exploit development.","",null,"Python",2245,353,21,3,0,167,606,998,501,29.65,"MIT License",false,"main",true,[27,28,29,30,31,32],"claude-ai","claude-pt","claude-skills","redteam","redteam-tools","skills","2026-06-12 02:03:24","![claude-red banner](\u002Fassets\u002Fbanner.png)\n\n\u003Cdiv align=\"center\">\n\n# claude-red\n\n**Offensive security skills for Claude — drop-in `SKILL.md` files that turn Claude into a context-aware red team operator.**\n\n[![License: 
MIT](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-MIT-blue.svg)](LICENSE)\n[![Skills](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fskills-58-red.svg)](#skill-index)\n[![Categories](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fcategories-13-orange.svg)](#categories)\n[![Stars](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002FSnailSploit\u002Fclaude-red?style=social)](https:\u002F\u002Fgithub.com\u002FSnailSploit\u002Fclaude-red)\n[![Forks](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fforks\u002FSnailSploit\u002Fclaude-red?style=social)](https:\u002F\u002Fgithub.com\u002FSnailSploit\u002Fclaude-red\u002Fnetwork\u002Fmembers)\n\nBuilt by **[SnailSploit](https:\u002F\u002Fsnailsploit.com)** — GenAI Security Research.\n\n\u003C\u002Fdiv>\n\n---\n\n## Table of Contents\n\n- [What is this](#what-is-this)\n- [Quickstart](#quickstart)\n- [Categories](#categories)\n- [Skill Index](#skill-index)\n  - [Web Application](#web-application)\n  - [Auth & Identity](#auth--identity)\n  - [Active Directory](#active-directory)\n  - [Wireless](#wireless)\n  - [Cloud](#cloud)\n  - [Mobile](#mobile)\n  - [IoT & Embedded](#iot--embedded)\n  - [Infrastructure & Red Team](#infrastructure--red-team)\n  - [Exploit Development](#exploit-development)\n  - [Fuzzing & Vulnerability Research](#fuzzing--vulnerability-research)\n  - [Reconnaissance](#reconnaissance)\n  - [AI Security](#ai-security)\n  - [Utility](#utility)\n- [Roadmap](#roadmap)\n- [Contributing](#contributing)\n- [License](#license)\n- [Acknowledgements](#acknowledgements)\n\n---\n\n## What is this\n\n`claude-red` is a curated library of offensive security skills for the [Claude Skills system](https:\u002F\u002Fdocs.claude.com). 
Each skill is a structured `SKILL.md` file that primes Claude with expert-level methodology for a specific attack surface — from SQLi to shellcode, EDR evasion to ADCS abuse.\n\nDrop a skill into your Claude environment and it behaves like a specialist: it knows the techniques, the tooling, the edge cases, and the escalation paths. Skills load on demand based on conversational triggers — you don't pay context for skills you aren't using.\n\n**Use it for:** authorized red team engagements, bug bounty triage, security research, CTF preparation, training operators, and exploring attack surfaces methodically.\n\n---\n\n## Quickstart\n\n### Claude Skills System (recommended)\n\n```bash\n# Clone into a directory Claude will scan\ngit clone https:\u002F\u002Fgithub.com\u002FSnailSploit\u002Fclaude-red ~\u002F.claude\u002Fskills\u002Fclaude-red\n\n# Or install only one category\ngit clone --filter=blob:none --sparse https:\u002F\u002Fgithub.com\u002FSnailSploit\u002Fclaude-red\ncd claude-red && git sparse-checkout set Skills\u002Fweb Skills\u002Factive-directory\n```\n\nClaude will auto-load matching skills based on conversational triggers (e.g. 
mentioning SQLi loads `offensive-sqli`).\n\n### Claude Code\n\n```bash\n# Point Claude at a single skill before a session\ncat Skills\u002Fweb\u002Foffensive-sqli\u002FSKILL.md | claude --system-file -\n\n# Or load a whole category\ncat Skills\u002Factive-directory\u002F**\u002FSKILL.md | claude --system-file -\n```\n\n### Claude.ai (Manual)\n\nPaste the contents of a `SKILL.md` into a Project's system prompt or prepend to your conversation.\n\n### Install Script\n\n```bash\n.\u002Finstall.sh                           # interactive\n.\u002Finstall.sh --target ~\u002F.claude\u002Fskills # explicit target\n.\u002Finstall.sh --category web            # one category\n```\n\n---\n\n## Categories\n\n| Category | Skills | Focus |\n|---|---:|---|\n| [Web Application](#web-application) | 16 | OWASP Top 10 + business logic + advanced web bug classes |\n| [Auth & Identity](#auth--identity) | 2 | JWT, OAuth |\n| [Active Directory](#active-directory) | 1 | On-prem AD attack methodology *(expanding)* |\n| [Wireless](#wireless) | 13 | 802.11, WPA2\u002F3, EAP, WPS, evil-twin, BLE, Zigbee, Z-Wave, LoRa, sub-GHz |\n| [Cloud](#cloud) | 1 | AWS \u002F Azure \u002F GCP attack paths *(expanding)* |\n| [Mobile](#mobile) | 1 | Android + iOS pentest *(expanding)* |\n| [IoT & Embedded](#iot--embedded) | 1 | Hardware, firmware, RTOS, ICS *(expanding)* |\n| [Infrastructure & Red Team](#infrastructure--red-team) | 7 | Initial access, EDR evasion, Windows ops |\n| [Exploit Development](#exploit-development) | 6 | Stack\u002Fheap, mitigations, crash analysis, TOCTOU |\n| [Fuzzing & VR](#fuzzing--vulnerability-research) | 4 | libFuzzer, AFL++, bug ID, vuln classes |\n| [Reconnaissance](#reconnaissance) | 2 | OSINT tooling and methodology |\n| [AI Security](#ai-security) | 1 | Prompt injection, jailbreaks, RAG poisoning |\n| [Utility](#utility) | 2 | Fast-checking, professional reporting |\n\n---\n\n## Skill Index\n\n### Web Application\n\n`Skills\u002Fweb\u002F`\n\n| Skill | Description 
|\n|---|---|\n| [`offensive-sqli`](Skills\u002Fweb\u002Foffensive-sqli\u002FSKILL.md) | SQL injection — error\u002Fblind\u002FOOB, DB-specific, ORM CVEs, cloud paths |\n| [`offensive-xss`](Skills\u002Fweb\u002Foffensive-xss\u002FSKILL.md) | Cross-site scripting — stored, reflected, DOM, mutation |\n| [`offensive-ssrf`](Skills\u002Fweb\u002Foffensive-ssrf\u002FSKILL.md) | Server-side request forgery — cloud metadata, filter bypass |\n| [`offensive-ssti`](Skills\u002Fweb\u002Foffensive-ssti\u002FSKILL.md) | Server-side template injection — engine ID, RCE paths |\n| [`offensive-xxe`](Skills\u002Fweb\u002Foffensive-xxe\u002FSKILL.md) | XML external entity — OOB exfil, blind exploitation |\n| [`offensive-idor`](Skills\u002Fweb\u002Foffensive-idor\u002FSKILL.md) | Insecure direct object references — enumeration, business logic |\n| [`offensive-file-upload`](Skills\u002Fweb\u002Foffensive-file-upload\u002FSKILL.md) | File upload — extension bypass, polyglots, webshells |\n| [`offensive-rce`](Skills\u002Fweb\u002Foffensive-rce\u002FSKILL.md) | Remote code execution — chaining, command injection |\n| [`offensive-deserialization`](Skills\u002Fweb\u002Foffensive-deserialization\u002FSKILL.md) | Insecure deserialization — Java\u002FPHP\u002F.NET gadget chains |\n| [`offensive-race-condition`](Skills\u002Fweb\u002Foffensive-race-condition\u002FSKILL.md) | Race conditions — TOCTOU, single-packet, limit bypass |\n| [`offensive-request-smuggling`](Skills\u002Fweb\u002Foffensive-request-smuggling\u002FSKILL.md) | HTTP request smuggling — CL.TE, TE.CL, h2 desync |\n| [`offensive-open-redirect`](Skills\u002Fweb\u002Foffensive-open-redirect\u002FSKILL.md) | Open redirect — OAuth abuse, phishing, SSRF pivots |\n| [`offensive-parameter-pollution`](Skills\u002Fweb\u002Foffensive-parameter-pollution\u002FSKILL.md) | HTTP parameter pollution — WAF bypass, logic confusion |\n| [`offensive-graphql`](Skills\u002Fweb\u002Foffensive-graphql\u002FSKILL.md) | GraphQL — introspection, batching, 
IDOR via aliases |\n| [`offensive-waf-bypass`](Skills\u002Fweb\u002Foffensive-waf-bypass\u002FSKILL.md) | WAF bypass — encoding, chunking, case mutation |\n| [`offensive-business-logic`](Skills\u002Fweb\u002Foffensive-business-logic\u002FSKILL.md) | Business logic — workflow bypass, pricing, refunds, chains |\n\n### Auth & Identity\n\n`Skills\u002Fauth\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-jwt`](Skills\u002Fauth\u002Foffensive-jwt\u002FSKILL.md) | JWT — alg:none, key confusion, secret cracking |\n| [`offensive-oauth`](Skills\u002Fauth\u002Foffensive-oauth\u002FSKILL.md) | OAuth — open redirect abuse, token leakage, PKCE bypass |\n\n### Active Directory\n\n`Skills\u002Factive-directory\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-active-directory`](Skills\u002Factive-directory\u002Foffensive-active-directory\u002FSKILL.md) | AD — Kerberoast, ASREProast, ACL abuse, ADCS ESC1-15, delegation, persistence, hybrid AAD |\n\n> **Note:** This category is being expanded. The AD overview is being split into 16 focused skills (Kerberoasting, ASREProasting, ADCS, coercion, NTLM relay, BloodHound, ticket forgery, GPO abuse, etc.). 
See [Roadmap](#roadmap).\n\n### Wireless\n\n`Skills\u002Fwireless\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-wifi`](Skills\u002Fwireless\u002Foffensive-wifi\u002FSKILL.md) | 802.11 overview — entrypoint into the wireless category |\n| [`offensive-wifi-recon`](Skills\u002Fwireless\u002Foffensive-wifi-recon\u002FSKILL.md) | Adapter selection, monitor mode, multi-band airspace mapping |\n| [`offensive-wpa2-psk`](Skills\u002Fwireless\u002Foffensive-wpa2-psk\u002FSKILL.md) | Handshake capture, PMKID, hashcat 22000 cracking |\n| [`offensive-wpa3-sae`](Skills\u002Fwireless\u002Foffensive-wpa3-sae\u002FSKILL.md) | Transition-mode downgrade, Dragonblood, SAE side-channels |\n| [`offensive-wpa-enterprise`](Skills\u002Fwireless\u002Foffensive-wpa-enterprise\u002FSKILL.md) | 802.1X \u002F EAP attacks, eaphammer evil-twin RADIUS |\n| [`offensive-wps`](Skills\u002Fwireless\u002Foffensive-wps\u002FSKILL.md) | Pixie Dust, online PIN brute, vendor PIN generators |\n| [`offensive-evil-twin`](Skills\u002Fwireless\u002Foffensive-evil-twin\u002FSKILL.md) | KARMA, Mana, captive portal, post-association MITM |\n| [`offensive-krack-fragattacks`](Skills\u002Fwireless\u002Foffensive-krack-fragattacks\u002FSKILL.md) | KRACK + FragAttacks supplicant testing |\n| [`offensive-deauth-disassoc`](Skills\u002Fwireless\u002Foffensive-deauth-disassoc\u002FSKILL.md) | Targeted\u002Fbroadcast deauth, PMF awareness, action frames |\n| [`offensive-bluetooth-ble`](Skills\u002Fwireless\u002Foffensive-bluetooth-ble\u002FSKILL.md) | BLE GATT enum, pairing downgrade, sniffing, MITM |\n| [`offensive-bluetooth-classic`](Skills\u002Fwireless\u002Foffensive-bluetooth-classic\u002FSKILL.md) | BR\u002FEDR — SDP, SPP, KNOB, BlueBorne, HID spoofing |\n| [`offensive-zigbee-thread-matter`](Skills\u002Fwireless\u002Foffensive-zigbee-thread-matter\u002FSKILL.md) | 802.15.4 mesh — KillerBee, Touchlink abuse, ZCL command injection |\n| 
[`offensive-z-wave`](Skills\u002Fwireless\u002Foffensive-z-wave\u002FSKILL.md) | S0 key derivation flaw, S2 commissioning, hub pivots |\n| [`offensive-lorawan-sub-ghz`](Skills\u002Fwireless\u002Foffensive-lorawan-sub-ghz\u002FSKILL.md) | LoRaWAN ABP\u002FOTAA, KeeLoq garage doors, fixed-code, TPMS |\n\n### Cloud\n\n`Skills\u002Fcloud\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-cloud`](Skills\u002Fcloud\u002Foffensive-cloud\u002FSKILL.md) | AWS \u002F Azure \u002F GCP — privesc, IMDS, cross-account, persistence, CSPM evasion |\n\n> **Note:** Cloud-identity (Entra\u002FAAD\u002FOkta hybrid) skills coming separately. See [Roadmap](#roadmap).\n\n### Mobile\n\n`Skills\u002Fmobile\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-mobile`](Skills\u002Fmobile\u002Foffensive-mobile\u002FSKILL.md) | Android + iOS — Frida, pinning, storage, biometric, deep links |\n\n### IoT & Embedded\n\n`Skills\u002Fiot\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-iot`](Skills\u002Fiot\u002Foffensive-iot\u002FSKILL.md) | Hardware recon, firmware, RTOS, ICS\u002FOT, MQTT\u002FCoAP |\n\n> **Note:** Being split into 10 focused skills (UART\u002FJTAG, flash dump, fault injection, U-Boot, secure boot, RTOS, ICS protocols). 
See [Roadmap](#roadmap).\n\n### Infrastructure & Red Team\n\n`Skills\u002Finfrastructure\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-initial-access`](Skills\u002Finfrastructure\u002Foffensive-initial-access\u002FSKILL.md) | Phishing, drive-by, supply chain — TA0001 |\n| [`offensive-advanced-redteam`](Skills\u002Finfrastructure\u002Foffensive-advanced-redteam\u002FSKILL.md) | Full kill chain, C2, OPSEC, lateral, persistence |\n| [`offensive-edr-evasion`](Skills\u002Finfrastructure\u002Foffensive-edr-evasion\u002FSKILL.md) | Unhooking, indirect syscalls, PPID spoofing |\n| [`offensive-shellcode`](Skills\u002Finfrastructure\u002Foffensive-shellcode\u002FSKILL.md) | Writing, encoding, injection techniques |\n| [`offensive-keylogger-arch`](Skills\u002Finfrastructure\u002Foffensive-keylogger-arch\u002FSKILL.md) | Keylogger architecture and input-capture techniques |\n| [`offensive-windows-mitigations`](Skills\u002Finfrastructure\u002Foffensive-windows-mitigations\u002FSKILL.md) | Windows mitigations — ACG, Arbitrary Code Guard |\n| [`offensive-windows-boundaries`](Skills\u002Finfrastructure\u002Foffensive-windows-boundaries\u002FSKILL.md) | Defeating Windows boundaries — sandbox escape, privilege |\n\n### Exploit Development\n\n`Skills\u002Fexploit-dev\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-exploit-development`](Skills\u002Fexploit-dev\u002Foffensive-exploit-development\u002FSKILL.md) | Stack\u002Fheap, ROP chains, mitigations |\n| [`offensive-exploit-dev-course`](Skills\u002Fexploit-dev\u002Foffensive-exploit-dev-course\u002FSKILL.md) | Structured curriculum format |\n| [`offensive-basic-exploitation`](Skills\u002Fexploit-dev\u002Foffensive-basic-exploitation\u002FSKILL.md) | Linux exploitation, mitigations disabled — beginner-to-mid |\n| [`offensive-crash-analysis`](Skills\u002Fexploit-dev\u002Foffensive-crash-analysis\u002FSKILL.md) | Crash triage, exploitability assessment, root cause |\n| 
[`offensive-mitigations`](Skills\u002Fexploit-dev\u002Foffensive-mitigations\u002FSKILL.md) | Modern kernel mitigations — ASLR, CFG, CET, PAC |\n| [`offensive-toctou`](Skills\u002Fexploit-dev\u002Foffensive-toctou\u002FSKILL.md) | Time-of-check\u002Fuse across binary, kernel, web, container |\n\n### Fuzzing & Vulnerability Research\n\n`Skills\u002Ffuzzing\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-fuzzing`](Skills\u002Ffuzzing\u002Foffensive-fuzzing\u002FSKILL.md) | libFuzzer, AFL++, coverage-guided, mutation strategies |\n| [`offensive-fuzzing-course`](Skills\u002Ffuzzing\u002Foffensive-fuzzing-course\u002FSKILL.md) | Curriculum — finding vulns via fuzzing |\n| [`offensive-bug-identification`](Skills\u002Ffuzzing\u002Foffensive-bug-identification\u002FSKILL.md) | Code review patterns, static analysis triggers |\n| [`offensive-vuln-classes`](Skills\u002Ffuzzing\u002Foffensive-vuln-classes\u002FSKILL.md) | Vulnerability classes — real-world examples, taxonomy |\n\n### Reconnaissance\n\n`Skills\u002Frecon\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-osint`](Skills\u002Frecon\u002Foffensive-osint\u002FSKILL.md) | OSINT tools — recon-ng, theHarvester, Maltego pipelines |\n| [`offensive-osint-methodology`](Skills\u002Frecon\u002Foffensive-osint-methodology\u002FSKILL.md) | OSINT methodology — structured intelligence collection |\n\n### AI Security\n\n`Skills\u002Fai\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-ai-security`](Skills\u002Fai\u002Foffensive-ai-security\u002FSKILL.md) | AI pentest — prompt injection, jailbreaking, RAG poisoning |\n\n### Utility\n\n`Skills\u002Futility\u002F`\n\n| Skill | Description |\n|---|---|\n| [`offensive-fast-checking`](Skills\u002Futility\u002Foffensive-fast-checking\u002FSKILL.md) | Fast triage checklist — quick-win identification |\n| [`offensive-reporting`](Skills\u002Futility\u002Foffensive-reporting\u002FSKILL.md) | Pro pentest reporting — CVSS, evidence, exec summary, retest 
|\n\n---\n\n## Roadmap\n\nThe library is being expanded in seven phases. Track progress in [CHANGELOG.md](CHANGELOG.md).\n\n| Phase | Category | New Skills | Status |\n|---|---|---:|---|\n| 1 | Internal AD\u002FWindows (rename `active-directory\u002F` → `internal\u002F`) | +16 | Planned |\n| 2 | Cloud Identity (Entra\u002FAAD, ADFS, Okta, M365) | +10 | Planned |\n| 3 | Wireless split (WPA2\u002F3, EAP, BLE, Zigbee, Z-Wave, LoRa, sub-GHz) | +12 | **Mandatory** |\n| 4 | IoT split (UART\u002FJTAG, flash, fault injection, RTOS, ICS) | +10 | Planned |\n| 5 | Web Basics (recon, auth bypass, access control, CSRF, headers, CORS, cache, clickjack) | +8 | Planned |\n| 6 | Web Advanced (proto pollution, SAML, OIDC, WebSocket, gRPC, postMessage, SSI\u002FESI, CSTI) | +10 | Planned |\n| 7 | Polish (README, LICENSE, manifest, install) | — | **In progress** |\n\nEnd state: ~107 skills across the same 13+ categories.\n\n---\n\n## Contributing\n\nContributions welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for the skill template, frontmatter standard, and review process. Focused, single-surface skills are preferred over monolithic overviews.\n\n## License\n\n[MIT](LICENSE) — use freely, attribution appreciated.\n\n## Acknowledgements\n\n- **Author:** Kai Aizen (SnailSploit) — [snailsploit.com](https:\u002F\u002Fsnailsploit.com)\n- **Original Checklists:** [Sahar Shlichov](https:\u002F\u002Fgithub.com\u002Fsahar042\u002Foffensive-checklist) — the offensive checklist collection many of these skills are based on.\n- **Community:** PRs and feedback that keep the library current with the threat landscape.\n\n---\n\n\u003Cdiv align=\"center\">\n\n> *\"Give Claude the right skill and it stops being a chatbot. 
It becomes an operator.\"*\n\n\u003C\u002Fdiv>\n\n\u003C!-- snailsploit-backlink:start -->\n\n---\n\n## 📚 Documentation & Author\n\nThis project's full writeup, methodology, and related research live at:\n\n**[https:\u002F\u002Fsnailsploit.com\u002Fclaude-red](https:\u002F\u002Fsnailsploit.com\u002Fclaude-red)**\n\nCreated by **Kai Aizen** — independent offensive security researcher.\n\n[snailsploit.com](https:\u002F\u002Fsnailsploit.com) · [Research](https:\u002F\u002Fsnailsploit.com\u002Fresearch) · [Frameworks](https:\u002F\u002Fsnailsploit.com\u002Fframeworks) · [GitHub](https:\u002F\u002Fgithub.com\u002FSnailSploit) · [LinkedIn](https:\u002F\u002Flinkedin.com\u002Fin\u002Fkaiaizen) · [ResearchGate](https:\u002F\u002Fwww.researchgate.net\u002Fprofile\u002FKai-Aizen-2) · [X\u002FTwitter](https:\u002F\u002Fx.com\u002FSnailSploit)\n\n> *Same attack. Different substrate.*\n\n\u003C!-- snailsploit-backlink:end -->\n","Claude-Red is an offensive security skill library designed for the Claude skills system. The project contains a set of structured SKILL.md files that give Claude expert-level methodology for specific attack surfaces, from SQL injection to shellcode and from EDR evasion to exploit development. Each skill is self-contained and loaded on demand, so a skill is activated only when a relevant conversation triggers it, which saves context. Claude-Red is suited to authorized red team engagements, bug bounty triage, security research, CTF preparation, operator training, and methodical exploration of attack surfaces. The project is written in Python and released under the MIT License.",2,"2026-06-11 03:49:44","high_star"]