Repository: superagent-ai/skills. Homepage: https://superagent.sh. Language: Python. License: MIT.

# Security Skills

Security skills for AI coding agents — distilled from real security work on codebases that serve 100M+ users a week.

Each skill ships in the open [Agent Skills](https://agentskills.io/) format and loads automatically when the agent hits a relevant task. They turn the model itself into the auditor: encoded rules and offline scanners, not another service to wire up.

## Skills

<details>
<summary><b>hacker</b>: offensive engagement and exploitability validation</summary>

Use it when you need an authorized offensive workflow for scoped web, network, cloud, mobile, Active Directory, bug bounty, or red-team engagement planning with phase gates, role handoffs, templates, and reports. Use `validate-findings` mode when defensive audits found issues and you need to know which are actually exploitable.

It is **instruction-only**: it ships no scanners, validators, payload builders, exploit runners, or local scripts. In `engagement` mode, it routes through Kill Chain-style phases with scope gates and role-based subagent handoffs. In `validate-findings` mode, it ingests defensive JSON, then runs a bounded background autoresearch loop — hypothesize, experiment, observe, refine — for a user-defined number of cycles (it asks up front, so it never runs indefinitely), chaining confirmations and reformulating inconclusive paths on each pass.

Requires explicit written scope for live validation. Never attacks production by default. Without written scope, it stays in planning or local-only validation and marks live checks `unsafe_to_test`. `recon-security` remains the focused external recon/pentest workflow; `hacker` is the broader offensive engagement orchestrator.

```
Run a hacker web-app engagement for this scoped lab
Plan a red-team workflow with phase gates and templates
Validate these defensive findings: deduped-findings.json
Can any of these issues actually be exploited?
Autonomous attack loop on deduped findings with subagents
```

</details>

<details>
<summary><b>redteam-autoresearch</b>: generate LLM guardrail training data via a bounded red-team loop</summary>

Use it when you need to red-team an LLM and turn the results into a dataset — stress-testing a model for harmful content, jailbreaks, prompt injection, or backdoor/trigger behavior, and capturing every attempt as labeled JSONL for fine-tuning guardrails.

**You (the agent running the skill) are the attacker and the judge** — you craft the attacks and label every response. The only model the harness calls is the **target** under test, over any OpenAI-compatible API — OpenRouter by default (one key, any model id), plus Ubicloud and other inference providers — with its key in a local `.env`. The loop is bounded and gated like `hacker`'s, with the `confirmed`/`mitigated`/`inconclusive`/`false_positive`/`unsafe_to_test` outcome taxonomy. A thin harness queries the target and records your judgments; every attempt (pass and fail) is saved, and refusals become the `safe` negatives a guardrail needs. An exporter converts the log to Llama Guard (S1–S14) and chat-classification training formats.

It is authorization-first and local-only: run it against models you are authorized to test, and keep generated content local for guardrail training. It complements `hacker` (code/infra exploitability) by targeting model behavior and producing data.

```
Red-team this model for jailbreaks and prompt injection and build a dataset
Generate guardrail training data across harmful content, jailbreaks, backdoors
Run a bounded red-team autoresearch loop for N rounds against an OpenRouter model
Mine novel jailbreaks at scale and export Llama Guard training JSONL
```

</details>

<details>
<summary><b>ci-cd-security</b>: supply-chain and pwn-request bugs in GitHub Actions</summary>

Use it when you're reviewing `.github/workflows/`, hardening a release pipeline, or chasing `pull_request_target`, template injection, action pinning, or cache poisoning.

Every finding comes with a severity (P0–P3) and a concrete rewrite. It catches:

- Dangerous triggers — `pull_request_target`, `workflow_run`
- Over-broad `GITHUB_TOKEN` permissions
- Mutable action pins (tags/branches instead of a SHA)
- Shell/template injection in `run:` blocks
- Untrusted checkout, cache poisoning, artifact-borne injection
- Release hardening (OIDC, environments, provenance) and self-hosted runner risk

Rules track the consensus from Astral, OpenSSF, GitHub Security Lab, Chainguard, and zizmor — without running any of them.

```
Review this GitHub Actions workflow for security issues
Check .github/workflows/ci.yml for pull_request_target vulnerabilities
Audit our release workflow for cache poisoning risks
```

</details>

<details>
<summary><b>skill-security</b>: answer "is this skill safe to install?"</summary>

Use it before you install or trust a skill, plugin, `SKILL.md`, or agent tool — a local folder, a `.zip`/`.skill`, or a cloned repo.

It runs in two stages. First, a deterministic, offline scanner (`scripts/scan.py` — regex, Python AST, source-to-sink taint tracking, YARA signatures) does the high-recall pass and scores the skill 0–100. Then the model judges intent and runs the contract check: does what the skill *claims* to do match what its code *actually* does? It catches:

- Prompt injection and audit-manipulation attempts
- Credential/secret exfiltration and outbound data theft
- Persistence and agent-memory poisoning
- Malicious code, webshells, cryptominers (YARA)
- Supply-chain and dependency risk
- Description-vs-behavior mismatch

```
Is this skill safe to install? ~/Downloads/some-skill.zip
Audit ./vendor/skill-foo/SKILL.md for prompt injection or credential theft
```

</details>

<details>
<summary><b>authz-security</b>: broken access control (IDOR/BOLA) in your application code</summary>

Use it when you're reviewing routes, controllers, or resolvers, auditing a PR that adds or changes endpoints, or hardening a multi-tenant SaaS — anywhere you need to answer "can one user reach another user's data?"

It reads your source offline — routes, handlers, and data models — and reports the missing ownership or role check at `file:line` with a framework-correct fix. No running app, no credentials, no tools. Every finding comes with a severity (P0–P3) and a concrete rewrite. It catches:

- Object-level gaps — IDOR / Broken Object Level Authorization (OWASP API1): objects loaded by id with no owner scoping
- Function-level gaps — Broken Function Level Authorization (OWASP API5): privileged actions behind authentication but no role check
- Mass assignment (OWASP API3) — request bodies that can set `role`/`owner_id`/`tenant_id`
- Multi-tenant isolation leaks — unscoped collection and list endpoints
- Identity trusted from client input, and authentication mistaken for authorization

Rules encode OWASP's #1 web risk (A01) and the OWASP API Top 10 authorization risks above (API1, API3, API5), applied as a source-code read rather than a live pentest — the defensive complement to a dynamic BOLA tester.

```
Review this endpoint for broken access control / IDOR
Can a user access another user's data through this controller?
Audit our multi-tenant API for BOLA and missing authorization
```

</details>

<details>
<summary><b>recon-security</b>: external pentest workflow with free/open-source tools</summary>

Use it when you're running an authorized external pentest: recon, validation, scoped exploitation, and reporting on domains, IPs, web apps, TLS, SIP/VoIP, or exposed storage — without commercial APIs.

It guides the agent end to end: scope/RoE, passive recon, normalization, active scanning, web and infrastructure checks, triage, manual validation (Burp/ZAP), scoped exploitation when approved, and final reporting. No bundled scripts — the model proposes commands and checklists; the user runs tools locally. It covers:

- Recon: DNS, WHOIS/RDAP, RIPEstat, CT, `subfinder`, `amass`, `gau`, `waybackurls`, `httpx`, `nmap`, `nuclei`
- Web: `ffuf`, `arjun`, `sqlmap` detection mode, `dalfox`, misconfiguration checks
- Infra: SIP/VoIP and NAS/SMB/NFS exposure checks when in scope
- Validation and PoC bar; exploitation boundaries in `references/exploitation-roe.md`
- Pairing with `authz-security` for IDOR/BOLA when source or two-account testing is available

```
Plan a full external pentest for example.com with free tools only
Run validation on these nuclei findings before we report
What exploitation is allowed under our RoE for this SQLi lead?
Give me passive recon commands for example.com and where to save evidence
```

</details>

<details>
<summary><b>supply-chain-security</b>: malicious or compromised dependencies before they land</summary>

Use it when you're adding or upgrading a dependency, reviewing a PR that changes `package.json`, `requirements.txt`, `go.mod`, or a lockfile, or deciding whether a package is safe to install — anywhere you need to answer "is this dependency safe to add?"

It reads your manifests, lockfiles, install scripts, and dependency diffs offline — across npm/pnpm/yarn, PyPI, Go, Cargo, RubyGems, Maven/Gradle, NuGet, and Composer — and reports each risk at `file:line` with a concrete fix. No install, no execution, no phoning home. Every finding comes with a severity (P0–P3). It catches:

- Malicious install scripts — `preinstall`/`postinstall` hooks that harvest and exfiltrate secrets (the Shai-Hulud and nx `s1ngularity` worm pattern), and **`binding.gyp`/`node-gyp` execution** that bypasses lifecycle-script scanners (June 2026 worm)
- Obfuscated payloads, credential harvesting, exfiltration, persistence, and worm self-propagation
- Typosquatting and slopsquatting (AI-hallucinated package names) of real dependencies
- Dependency / namespace confusion — unscoped internal names a public registry can hijack
- Maintainer account takeover, and version hygiene gaps (floating ranges, missing lockfile/integrity, no cooldown or provenance)

Rules track the consensus from OpenSSF, OSV, Socket, Datadog, and the 2025 npm worm post-mortems — applied as a pre-install source read, the defensive complement to a continuous SCA scanner.

```
Is this dependency safe to add?
Review this PR's package.json and lockfile changes for supply-chain risks
Check this package's postinstall script for Shai-Hulud / credential theft
```

</details>

<details>
<summary><b>vulnerability-triage</b>: is this advisory a real finding, by-design, or noise?</summary>

Use it when a GitHub Advisory (GHSA/CVE) lands against a dependency, a bug bounty or HackerOne/Bugcrowd/Intigriti report hits your inbox, or a researcher files an issue — anywhere you need to answer "is this real, by-design, or noise?"

It reads the report offline, cross-references the project's documented intent — `SECURITY.md`, README, code comments, closed issues, changelog — statically audits any PoC without executing it, and emits a structured markdown triage report. No Docker, no network, no PoC execution. Every verdict comes with a severity (P0–P3 / Informational / By-Design) and a recommended action. It catches:

- By-design behavior dressed up as a vuln — CORS preflight, documented rate limits, intentional public assets, debug verbosity, admin-only features
- Unreproduced or theoretical claims — gated to Informational until a PoC is confirmed
- Reporter severity inflation — scored independently from reproduced evidence
- Verdict-steering and prompt-injection attempts inside the report itself
- The real-bug twin of each by-design pattern, so genuine findings aren't waved through

Reproduction is model-audited and user-run: the model inspects the PoC for dangerous behavior and hands you safe, pinned-version steps to run in your own sandbox.

```
Triage this vulnerability report: <URL or file>
Is this advisory a real finding or by-design?
Reproduce and score this GitHub advisory: GHSA-xxxx
```

</details>

<details>
<summary><b>crypto-secrets</b>: hardcoded secrets and broken cryptography in application code</summary>

Use it when you're reviewing source that handles credentials, encryption, JWTs, TLS clients, sessions, or password hashing — anywhere you need to answer "are we leaking secrets or relying on broken crypto?"

It runs in two stages, like `infra-security` and `skill-security`. A deterministic, dependency-free scanner (`scripts/scan.py` — pure stdlib, no network, no `pip install`) finds high-signal candidates with `file:line` anchors; then the model confirms impact, suppresses fixtures/placeholders, redacts secret values, and writes concrete fixes. It catches:

- Exposed credentials — API keys, OAuth/Bearer tokens, Slack/GitHub/Stripe keys, database URLs, PEM private keys, committed `.env` values
- Weak crypto — MD5/SHA1 password hashing, DES/3DES/RC4, AES-ECB, CBC/CTR without authentication, static IVs/nonces
- Token and transport bugs — weak token randomness, hardcoded JWT secrets, `alg: none`, missing `exp`, disabled TLS verification, SSL/TLS 1.0/1.1
- Key-management and serialization risks — hardcoded encryption keys, private keys in source, unsafe `pickle`/`yaml.load`

Rules track OWASP, NIST, CWE, and language-specific crypto guidance — applied as an offline source read rather than a live credential validator.

```
Audit this repo for hardcoded secrets and weak crypto
Scan for exposed API keys in this codebase
Review JWT handling for algorithm confusion or weak secrets
Find verify=False / InsecureSkipVerify / rejectUnauthorized false
```

</details>

<details>
<summary><b>infra-security</b>: misconfigurations in your Terraform, Kubernetes, CloudFormation, and Docker</summary>

Use it when you're about to apply a Terraform plan, reviewing a PR that changes K8s/Helm manifests or a Dockerfile, checking CloudFormation before deploy, or prepping for a SOC-2 / PCI-DSS / ISO-27001 audit — anywhere you need to answer "what's the blast radius if this infra is wrong?"

It runs in two stages, like `skill-security`. A deterministic, dependency-free scanner (`scripts/scan.py` — pure stdlib, no `pip install`, no `hcl2`/`pyyaml`) does the high-recall first pass over every `.tf`/`.yaml`/`Dockerfile` with `file:line` anchors and a CI-friendly exit code; then the model adds the judgment a regex can't — blast radius, cross-resource chains, and false-positive suppression. Every finding comes with a severity (P0–P3) and a corrected snippet. It catches:

- Network — security groups open to `0.0.0.0/0` on SSH/RDP/database ports, all-ports ingress, unrestricted egress
- IAM — wildcard `Action`/`Resource`, `*` principals on resource and KMS policies, `PassRole` on `*`, over-broad roles on compute
- Storage — public S3 ACLs, missing public-access-block, encryption-at-rest disabled (S3/EBS/RDS)
- Containers — privileged/root pods, host namespaces, the Docker socket mounted in, `:latest` images, missing limits
- Secrets — plaintext credentials in variables/env/ConfigMaps, missing TLS, plaintext-HTTP endpoints

Rules track the CIS Benchmarks, AWS Well-Architected, and the Kubernetes Pod Security Standards — applied as a source read rather than another scanner to wire up.

```
Audit this Terraform for security issues: <dir>
Review these Kubernetes manifests before deploy: <dir>
Check this CloudFormation for public S3 buckets: <file>
What's the blast radius if this Terraform is wrong?
```

</details>

## Install

```bash
# everything
npx skills add superagent-ai/skills

# or pick one
npx skills add superagent-ai/skills --skill hacker -a cursor -y
npx skills add superagent-ai/skills --skill redteam-autoresearch -a cursor -y
npx skills add superagent-ai/skills --skill ci-cd-security -a cursor -y
npx skills add superagent-ai/skills --skill skill-security -a cursor -y
npx skills add superagent-ai/skills --skill authz-security -a cursor -y
npx skills add superagent-ai/skills --skill recon-security -a cursor -y
npx skills add superagent-ai/skills --skill supply-chain-security -a cursor -y
npx skills add superagent-ai/skills --skill vulnerability-triage -a cursor -y
npx skills add superagent-ai/skills --skill crypto-secrets -a cursor -y
npx skills add superagent-ai/skills --skill infra-security -a cursor -y
```

Once installed, skills load on their own when a task matches — nothing to remember or invoke by hand.

**Migration:** Use `--skill hacker` for the offensive engagement framework.

## Repo layout

```
skills/
  hacker/                 SKILL.md + references/ (instruction-only engagement framework)
  redteam-autoresearch/   SKILL.md + references/ + scripts/ (red-team autoresearch harness)
  ci-cd-security/         SKILL.md + references/
  skill-security/         SKILL.md + scripts/ (scanner) + rules/ (YARA) + references/
  authz-security/         SKILL.md + references/
  recon-security/         SKILL.md + references/
  supply-chain-security/  SKILL.md + references/
  vulnerability-triage/   SKILL.md + references/
  crypto-secrets/         SKILL.md + scripts/ (scanner) + references/
  infra-security/         SKILL.md + scripts/ (scanner) + references/
```

A skill is a `SKILL.md` (the agent's instructions) plus optional `references/`, `scripts/`, and `rules/`.

## Contributing

New skills and rule improvements are welcome — see [CONTRIBUTING.md](CONTRIBUTING.md). The bar is a real security problem the model gets wrong by default, encoded as durable rules that run offline.

## License

Released under the [MIT License](LICENSE).
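The `ci-cd-security` section lists the GitHub Actions patterns it flags but shows neither a hit nor the rewrite. The following is an added example, not the skill's own scanner: a stdlib-only, line-based checker for five of those rules (dangerous trigger, pwn-request checkout, expression injection in `run:`, mutable pins, token permissions), run over a constructed vulnerable workflow and its constructed hardened twin. The commit SHA in the hardened workflow is a placeholder, not a real `actions/checkout` commit; the `hasInstallScript`-style simplifications (no YAML parser, comments skipped, `run:` blocks tracked by indentation) are this example's, not the project's.

```python
"""Stdlib-only checks for the GitHub Actions patterns listed under
ci-cd-security: a pull_request_target/workflow_run trigger, a checkout of
the PR head under such a trigger (the "pwn request"), untrusted
expressions expanded inside run: blocks, mutable action pins, and an
unset or write-all GITHUB_TOKEN permission block.

Added example, not the skill's own rules. Both workflows are constructed;
the commit SHA in HARDENED is a placeholder, not a real checkout commit.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.\-/]+)@(\S+)")
TRIGGER_RE = re.compile(r"\b(pull_request_target|workflow_run)\b")
# Expression values an outside contributor controls (PR title/body/branch,
# issue and comment text, dispatch inputs, upstream workflow_run data).
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*github\.(head_ref|event\.(pull_request|issue|comment|review"
    r"|inputs|workflow_run)\b[^}]*)\}\}")
PR_HEAD_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.")


def scan_workflow(text):
    """Return findings as dicts (rule, severity, line, message, fix)."""
    lines = text.splitlines()
    code = [l for l in lines if not l.lstrip().startswith("#")]
    privileged = any(TRIGGER_RE.search(l) for l in code)
    findings = []
    if not any(l.startswith("permissions:") for l in code):
        findings.append(dict(rule="token-permissions", severity="P2", line=1,
            message="no top-level permissions: block; token gets the repo default",
            fix="add `permissions: {contents: read}` and widen per job as needed"))
    run_indent = None  # indentation of the run: key whose block we are inside
    for n, line in enumerate(lines, 1):
        stripped = line.lstrip()
        if stripped.startswith("#"):
            continue
        indent = len(line) - len(stripped)
        in_run = run_indent is not None and (not stripped or indent > run_indent)
        if not in_run:
            run_indent = None
        if re.match(r"^\s*(-\s+)?run:", line):
            in_run, run_indent = True, indent
        if TRIGGER_RE.search(line):
            findings.append(dict(rule="dangerous-trigger", severity="P1", line=n,
                message="runs with a write token and secrets on fork PRs",
                fix="use pull_request, or never check out/execute PR code here"))
        if privileged and PR_HEAD_RE.search(line):
            findings.append(dict(rule="pwn-request", severity="P0", line=n,
                message="PR head checked out under a privileged trigger",
                fix="check out the base ref only, or move the job to pull_request"))
        if in_run and UNTRUSTED_RE.search(line):
            findings.append(dict(rule="expression-injection", severity="P0", line=n,
                message="untrusted expression expanded into the shell script",
                fix='pass it through env: and reference "$VAR" in the script'))
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append(dict(rule="mutable-pin", severity="P1", line=n,
                message=f"{m.group(1)}@{m.group(2)} is a tag/branch, not a commit",
                fix="pin the full commit SHA, tag in a trailing comment"))
        if re.search(r"permissions:\s*write-all", line):
            findings.append(dict(rule="token-permissions", severity="P1", line=n,
                message="write-all token", fix="grant minimum scopes per job"))
    return findings


VULNERABLE = """\
name: pr-greeter
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: |
          echo "Thanks for: ${{ github.event.pull_request.title }}"
          npm ci && npm test
"""

HARDENED = """\
name: pr-greeter
on:
  pull_request:
permissions:
  contents: read
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - name: Greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Thanks for: $PR_TITLE"
          npm ci && npm test
"""

if __name__ == "__main__":
    for f in scan_workflow(VULNERABLE):
        print(f"{f['severity']} L{f['line']} {f['rule']}: {f['message']} -> {f['fix']}")
    print("hardened:", scan_workflow(HARDENED))
```

The vulnerable workflow yields five findings (the trigger, the PR-head checkout, the injected title in `run:`, the `@v4` pin, and the missing `permissions:` block); the hardened one yields none because the title reaches the shell only as `$PR_TITLE` through `env:`, the trigger is `pull_request`, and the action is pinned by commit.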
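The `authz-security` section names object-level (API1), property-level (API3) and function-level (API5) gaps plus unscoped list endpoints. The block below is an added example in framework-free Python, not the skill's code, that puts each gap beside its fix. Users, tenants and invoices are constructed; in a real service `user` comes from the verified session and the store is a database, and the `NotFound`/`Forbidden` exceptions stand in for 404/403 responses.

```python
"""Object-level (IDOR/BOLA, API1), property-level mass assignment (API3),
and function-level (API5) authorization gaps from the authz-security
list, each beside the fix, in framework-free Python.

Added example, not the skill's own code. Users, tenants and invoices are
constructed; `user` stands in for the verified session identity.
"""


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


USERS = {
    "alice": {"id": "alice", "role": "member", "tenant": "acme"},
    "mallory": {"id": "mallory", "role": "member", "tenant": "evilcorp"},
    "ops": {"id": "ops", "role": "admin", "tenant": "acme"},
}


def seed_db():
    return {1: {"id": 1, "owner_id": "alice", "tenant": "acme",
                "amount": 120, "memo": "hosting", "paid": False}}


# --- API1: object loaded by id with no owner scoping (IDOR) -----------------
def get_invoice_vulnerable(db, invoice_id, user):
    inv = db.get(invoice_id)
    if inv is None:
        raise NotFound()
    return inv  # any authenticated user reads any invoice


def get_invoice(db, invoice_id, user):
    inv = db.get(invoice_id)
    # Scope by tenant and owner; one error for "missing" and "not yours",
    # so the endpoint does not leak which ids exist.
    if inv is None or inv["tenant"] != user["tenant"] or inv["owner_id"] != user["id"]:
        raise NotFound()
    return inv


# --- API3: request body can set owner/tenant/paid (mass assignment) ---------
CLIENT_SETTABLE = {"amount", "memo"}


def update_invoice_vulnerable(db, invoice_id, user, body):
    inv = get_invoice_vulnerable(db, invoice_id, user)
    inv.update(body)  # body may carry owner_id, tenant, paid, ...
    return inv


def update_invoice(db, invoice_id, user, body):
    inv = get_invoice(db, invoice_id, user)
    extra = set(body) - CLIENT_SETTABLE
    if extra:  # reject rather than silently drop: probing shows up in logs
        raise Forbidden(f"not settable by client: {sorted(extra)}")
    inv.update(body)
    return inv


# --- API5: privileged action behind authentication but no role check --------
def mark_paid_vulnerable(db, invoice_id, user):
    inv = get_invoice_vulnerable(db, invoice_id, user)
    inv["paid"] = True
    return inv


def mark_paid(db, invoice_id, user):
    if user["role"] != "admin":
        raise Forbidden("admin only")
    inv = db.get(invoice_id)
    if inv is None or inv["tenant"] != user["tenant"]:  # admin of this tenant only
        raise NotFound()
    inv["paid"] = True
    return inv


# --- unscoped list endpoint (multi-tenant leak) -----------------------------
def list_invoices_vulnerable(db, user):
    return list(db.values())


def list_invoices(db, user):
    return [i for i in db.values()
            if i["tenant"] == user["tenant"] and i["owner_id"] == user["id"]]


def denied(fn, *args):
    """True if the call is refused with NotFound or Forbidden."""
    try:
        fn(*args)
    except (NotFound, Forbidden):
        return True
    return False


if __name__ == "__main__":
    db = seed_db()
    print("mallory reads alice's invoice (vulnerable):",
          get_invoice_vulnerable(db, 1, USERS["mallory"])["owner_id"])
    print("mallory reads alice's invoice (fixed): denied =",
          denied(get_invoice, db, 1, USERS["mallory"]))
```

Note the ordering in the fixed `mark_paid`: the role check comes first, then the tenant scope, and the object is never loaded by id alone. Returning `NotFound` for the cross-tenant case is deliberate; a 403 there would confirm that the id exists.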
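The `supply-chain-security` section says it reads manifests and lockfiles for install scripts, typosquats, namespace confusion and version-hygiene gaps. As an added example, not the skill's rule set, the block below runs those checks over a constructed `package.json` and `package-lock.json` (lockfile v3 shape). It keys on npm's `hasInstallScript` lockfile field for lifecycle scripts, uses an optimal-string-alignment edit distance so transposition typosquats count as one edit, and takes the internal-name list, the "well-known names" list and the allowed registry as inputs; all of those are assumptions of this example.

```python
"""Pre-install checks over a package.json and its package-lock.json, from
the supply-chain-security list: lifecycle install scripts, floating
version ranges, lockfile entries with no integrity hash or an unexpected
registry, dependency confusion against internal unscoped names, and
one-edit typosquats of well-known names.

Added example, not the skill's own rules. The manifest, lockfile,
internal-name list and well-known list are constructed.
"""
import re

ALLOWED_REGISTRY = "https://registry.npmjs.org/"
FLOATING_RE = re.compile(r"^(\^|~|>|<|\*|latest|x)")


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1 (so lodsah -> lodash is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def finding(rule, severity, package, message):
    return dict(rule=rule, severity=severity, package=package, message=message)


def scan_dependencies(manifest, lock, internal_names, well_known):
    findings = []
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    packages = lock.get("packages", {})  # lockfileVersion 2/3 layout
    for name, spec in deps.items():
        if FLOATING_RE.match(spec):
            findings.append(finding("floating-range", "P2", name,
                f"{spec!r} resolves differently over time; pin exact versions"))
        if not name.startswith("@") and name in internal_names:
            findings.append(finding("dependency-confusion", "P0", name,
                "unscoped internal name a public registry can claim; scope it "
                "(@org/name) and pin the registry in .npmrc"))
        for known in well_known:
            if name != known and edit_distance(name, known) == 1:
                findings.append(finding("typosquat", "P1", name, f"one edit from {known}"))
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            findings.append(finding("lockfile-missing", "P1", name,
                "absent from package-lock.json; install and commit the lockfile"))
            continue
        if entry.get("hasInstallScript"):
            findings.append(finding("install-script", "P1", name,
                "runs a lifecycle script on install; read it or use --ignore-scripts"))
        if not entry.get("integrity"):
            findings.append(finding("no-integrity", "P1", name,
                "no integrity hash; a swapped tarball would install silently"))
        if not entry.get("resolved", "").startswith(ALLOWED_REGISTRY):
            findings.append(finding("unexpected-registry", "P1", name,
                f"resolved from {entry.get('resolved') or 'an unknown source'}"))
    return findings


# Constructed inputs for the example.
MANIFEST = {
    "name": "acme-web",
    "dependencies": {
        "lodash": "4.17.21",
        "lodsah": "^1.0.0",           # typosquat of lodash, floating range
        "acme-auth-utils": "1.2.0",   # internal name, unscoped
        "left-pad": "*",              # floating, and not in the lockfile
    },
}
LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-web"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-constructed"},
        "node_modules/lodsah": {
            "version": "1.0.3",
            "resolved": "http://mirror.example/lodsah-1.0.3.tgz",
            "hasInstallScript": True},
        "node_modules/acme-auth-utils": {
            "version": "1.2.0",
            "resolved": "https://registry.npmjs.org/acme-auth-utils/-/acme-auth-utils-1.2.0.tgz",
            "integrity": "sha512-constructed"},
    },
}
INTERNAL = {"acme-auth-utils", "acme-billing"}
WELL_KNOWN = ["lodash", "express", "react", "axios"]

if __name__ == "__main__":
    for f in scan_dependencies(MANIFEST, LOCK, INTERNAL, WELL_KNOWN):
        print(f"{f['severity']} {f['package']} {f['rule']}: {f['message']}")
```

`lodash` produces nothing; `lodsah` collects five findings (floating range, typosquat, install script, no integrity, plain-HTTP mirror); `acme-auth-utils` is the dependency-confusion case; `left-pad` has a floating range and no lockfile entry.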
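The `crypto-secrets` section lists hardcoded JWT secrets, `alg: none`, missing `exp`, and weak comparisons among the token bugs it flags. The block below is an added example, not the skill's scanner: a stdlib-only HS256 verifier that trusts the token's own `alg` header, beside one that pins the algorithm server-side, compares in constant time, requires `exp`, and refuses a short key. `KEY` is a placeholder derived from a fixed string so the example is reproducible; that is itself the smell the skill would flag, and a real service loads a random key of at least 256 bits from a secret store.

```python
"""A JWT verifier that trusts the token's `alg` (accepting `none` and
comparing signatures with ==) next to one that pins HS256 server-side,
compares in constant time, requires `exp`, and rejects a short key.
These are the `alg: none`, missing `exp`, hardcoded-secret and weak-
comparison items from the crypto-secrets list.

Added example, not the skill's own code. Stdlib only. KEY is a
placeholder for reproducibility; production keys come from a secret
store, never from source.
"""
import base64
import hashlib
import hmac
import json
import time

KEY = hashlib.sha256(b"example-placeholder-do-not-use").digest()  # 32 bytes


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims, key):
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_unsigned(claims):
    """What an attacker sends: header says alg none, signature empty."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def verify_vulnerable(token, key):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":            # algorithm chosen by the token
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = b64url(hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                                   hashlib.sha256).digest())
        if expected == sig_b64:                # non-constant-time compare
            return json.loads(b64url_decode(payload_b64))  # exp never checked
    raise ValueError("bad token")


def verify(token, key, now=None, leeway=30):
    if len(key) < 32:
        raise ValueError("HS256 key must be at least 256 bits")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # pinned by the server, not the token
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("exp claim required")
    now = time.time() if now is None else now
    if now > exp + leeway:
        raise ValueError("token expired")
    return claims


def accepted(verifier, token, key, **kw):
    """True if the verifier returns claims instead of raising."""
    try:
        verifier(token, key, **kw)
    except ValueError:  # binascii.Error from bad base64 is a ValueError too
        return False
    return True


if __name__ == "__main__":
    forged = forge_unsigned({"sub": "admin"})
    print("alg=none accepted by vulnerable verifier:", accepted(verify_vulnerable, forged, KEY))
    print("alg=none accepted by fixed verifier:", accepted(verify, forged, KEY))
```

The fixed verifier also fails closed on a tampered payload (the HMAC covers header and payload), on a token without `exp`, and on a key shorter than the hash output; the `now` parameter exists so expiry can be tested without sleeping.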
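The `infra-security` section describes a stdlib-only first pass over `.tf` files with `file:line` anchors but shows no rule. The block below is an added example, not the project's scanner: it finds HCL blocks by regex header plus brace counting (which also copes with nested `jsonencode({...})`), then applies four of the listed checks to two constructed Terraform snippets, a misconfigured one and its corrected twin. The sensitive-port list and the `aws_*` attribute names are this example's assumptions about common AWS provider usage.

```python
"""Brace-balanced block extraction over Terraform HCL with four of the
infra-security checks: security-group ingress open to the world on an
admin/database port or all ports, a publicly accessible or unencrypted
RDS instance, a public S3 ACL, and an IAM policy with wildcard Action
and Resource.

Added example, not the skill's scanner. No hcl2 parser: headers are
matched by regex, bodies by counting braces. Both snippets are
constructed.
"""
import re

RESOURCE_RE = re.compile(r'resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{')
INGRESS_RE = re.compile(r"\bingress\s*\{")
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}


def blocks(text, header_re):
    """Yield (match, body, line) for each `header { ... }` with balanced braces."""
    for m in header_re.finditer(text):
        start, depth = m.end() - 1, 0  # index of the opening brace
        for i in range(start, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m, text[start + 1:i], text.count("\n", 0, m.start()) + 1
                    break


def attr(body, name, default=None):
    """Value of a scalar `name = value` attribute, quotes and comments stripped."""
    m = re.search(rf'\b{name}\s*=\s*("?)([^"\n]*)\1', body)
    return re.split(r"\s+#", m.group(2))[0].strip() if m else default


def world_open(body):
    return bool(re.search(r'(ipv6_)?cidr_blocks\s*=\s*\[[^\]]*"(0\.0\.0\.0/0|::/0)"', body))


def scan_terraform(text):
    findings = []
    for m, body, line in blocks(text, RESOURCE_RE):
        rtype, ident = m.group(1), f"{m.group(1)}.{m.group(2)}"
        if rtype == "aws_security_group":
            for _, ibody, iline in blocks(body, INGRESS_RE):
                if not world_open(ibody):
                    continue
                lo, hi = int(attr(ibody, "from_port", 0)), int(attr(ibody, "to_port", 0))
                all_ports = attr(ibody, "protocol") == "-1" or (lo, hi) == (0, 65535)
                if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
                    findings.append(dict(rule="sg-world-open", severity="P0", resource=ident,
                        line=line + iline - 1,
                        message=("all ports" if all_ports else f"ports {lo}-{hi}") + " open to the world",
                        fix="restrict cidr_blocks to a bastion/VPN range, or use SSM instead of SSH"))
        elif rtype == "aws_db_instance":
            if attr(body, "publicly_accessible") == "true":
                findings.append(dict(rule="rds-public", severity="P0", resource=ident, line=line,
                    message="publicly_accessible = true", fix="set false; reach it inside the VPC"))
            if attr(body, "storage_encrypted") != "true":
                findings.append(dict(rule="rds-unencrypted", severity="P1", resource=ident, line=line,
                    message="storage_encrypted missing or false", fix="storage_encrypted = true"))
        elif rtype == "aws_s3_bucket" and attr(body, "acl", "").startswith("public-"):
            findings.append(dict(rule="s3-public-acl", severity="P0", resource=ident, line=line,
                message=f"acl = {attr(body, 'acl')}", fix="drop the ACL; add aws_s3_bucket_public_access_block"))
        elif rtype == "aws_iam_policy":
            if re.search(r'Action\s*[=:]\s*"\*"', body) and re.search(r'Resource\s*[=:]\s*"\*"', body):
                findings.append(dict(rule="iam-wildcard", severity="P0", resource=ident, line=line,
                    message='Action "*" on Resource "*"', fix="enumerate actions and scope Resource to ARNs"))
    return findings


VULNERABLE = '''
resource "aws_security_group" "bastion" {
  name = "bastion"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "app" {
  engine              = "postgres"
  publicly_accessible = true
}

resource "aws_s3_bucket" "assets" {
  bucket = "acme-assets"
  acl    = "public-read"
}

resource "aws_iam_policy" "ops" {
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }]
  })
}
'''

HARDENED = VULNERABLE.replace('["0.0.0.0/0"]\n  }\n  ingress', '["10.0.0.0/8"]\n  }\n  ingress') \
    .replace("publicly_accessible = true", "publicly_accessible = false\n  storage_encrypted   = true") \
    .replace('  acl    = "public-read"\n', "") \
    .replace('Action = "*", Resource = "*"', 'Action = ["s3:GetObject"], Resource = "arn:aws:s3:::acme-assets/*"')

if __name__ == "__main__":
    for f in scan_terraform(VULNERABLE):
        print(f"{f['severity']} L{f['line']} {f['resource']} {f['rule']}: {f['message']} -> {f['fix']}")
    print("hardened:", scan_terraform(HARDENED))
```

The vulnerable snippet produces five findings; the HTTPS ingress on 443 to `0.0.0.0/0` is deliberately not one of them, since only admin/database ports and all-ports rules are flagged. `HARDENED` is the same file with SSH limited to `10.0.0.0/8`, the database private and encrypted, the ACL removed, and the IAM statement scoped, and it scans clean.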