[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-950":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":24,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":26,"readmeContent":27,"aiSummary":28,"trendingCount":16,"starSnapshotCount":16,"syncStatus":29,"lastSyncTime":30,"discoverSource":31},950,"hack-skills","yaklang\u002Fhack-skills","yaklang","Helping AI Agent become an awesome practical hacker!","",null,"CSS",1041,148,5,1,0,94,196,481,282,19.52,false,"main",true,[],"2026-06-12 02:00:21","# HACK.SKILLS - Hacker Arsenal for Agents\n\n\u003Cp align=\"right\">English | \u003Ca href=\".\u002FREADME_CN.md\">中文\u003C\u002Fa>\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n    \u003Cimg src=\".\u002Fassets\u002Freadme-hero-banner.jpg\" alt=\"HackSkills Hero Banner\" width=\"100%\" \u002F>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n    \u003Cstrong>Master Entry → Category Entries → Deep Topic Skills\u003C\u002Fstrong>\u003Cbr\u002F>\n    One master entry, six category entries, and \u003Cstrong>101\u003C\u002Fstrong> deep topic skills across \u003Cstrong>14 security domains\u003C\u002Fstrong>.\n\u003C\u002Fp>\n\nAn Agent Skills knowledge base covering web security, API security, authentication & authorization, OS privilege escalation (Linux\u002FWindows\u002FmacOS), Active Directory attacks, mobile security, binary exploitation (Pwn), reverse engineering, cryptography attacks, blockchain & smart contract security, AI\u002FML & LLM security, network protocols & pivoting, and digital forensics — built for bug bounty, penetration testing, CTF 
competitions, and authorized security research.\n\nThe current branch has converged to a standard directory structure: every skill lives in its own directory, uniformly using `skills\u002F{semantic-identifier}\u002FSKILL.md`. The design goal is not to expose every minor tip as an entry point, but to compress what the loader truly needs to see into one master entry, six category entries, and deep topic skills drilled down on demand.\n\nThe objective is straightforward: organize security knowledge that is genuinely useful in real engagements and easy to audit and maintain into a set of installable, searchable, and composable HackSkills.\n\n## Browse Online\n\nThis repo is published in three forms — pick whichever your workflow prefers; they are kept in sync on every push to `main`.\n\n| Channel | What you get | When to use |\n|---|---|---|\n| **Web UI** — \u003Chttps:\u002F\u002Fskills.hackbenchmark.com> | Fuzzy search, category sidebar, P0\u002FP1\u002FP2 tier filter, copy-paste install commands, encrypted ZIP download | Quick lookup, sharing links to a specific skill, demoing the catalog |\n| **GitHub source** — this repo | Plain `SKILL.md` per skill, full markdown rendering, pull-request review | Diff review, contributing, deep reading offline |\n| **Encrypted ZIP** — see [Offline ZIP](#offline-zip-encrypted) | One-shot download of all `*.md` for air-gapped use | No internet on target, AV strips plain markdown |\n\nThe website is a static, fully client-side build of `site\u002F` — no tracking, no backend. Source: [`site\u002F`](.\u002Fsite), workflow: [`.github\u002Fworkflows\u002Fdeploy-pages.yml`](.\u002F.github\u002Fworkflows\u002Fdeploy-pages.yml). 
Search uses a weighted fuzzy index over name \u002F id \u002F category \u002F description with field qualifiers like `category:auth`, `tier:deep`, `lines:>200`.\n\n```text\n                        ┌─────────────────────────────────────┐\n                        │   skills.hackbenchmark.com (static) │  ── search \u002F filter \u002F copy install cmd\n                        └─────────────────────────────────────┘\n                                          ▲\n   github.com\u002Fyaklang\u002Fhack-skills ───────►┤  same repo, three views\n                                          ▼\n                        ┌─────────────────────────────────────┐\n                        │   hack-skills.zip (AES-256, public  │  ── offline \u002F behind AV\n                        │   password: hack-skills, via CDN)   │\n                        └─────────────────────────────────────┘\n```\n\n## Knowledge Sources & Distillation Boundaries\n\nThis repository is not a mirror of external materials — it is a distillation layer aimed at Agents.\n\nPrimary reference sources (all publicly available, used strictly for educational distillation):\n\n| Source | What It Provides | How We Use It |\n|---|---|---|\n| `swisskyrepo\u002FPayloadsAllTheThings` | 64 vulnerability categories, payload families, bypass techniques, exploit chains | Distilled into scenario-based indices, method matrices, per-engine\u002Fper-database payload sections |\n| `PentesterSpecialDict` | OS-specific payload dictionaries, Java middleware path fuzzing lists, file extension databases | Distilled into parameter naming patterns, endpoint frequency tables, middleware fingerprint matrices |\n| `Dictionary-Of-Pentesting` | BugBounty bypass techniques (12 topics), cloud metadata endpoints, XXE payload collections, one-liner toolchains | Distilled into bypass pattern matrices, cloud metadata endpoint tables, WAF vendor bypass sections |\n| `Hello-CTF` | CTF web security tutorials with hands-on tricks for PHP\u002FPython\u002FJava 
challenges | Distilled into CTF-specific technique sections (handler bypass, filter chain tricks, Flask PIN) |\n| `ctf-wiki` | CTF competition knowledge base covering Pwn, Crypto, Reverse Engineering, Forensics, and Misc | Distilled into binary exploitation techniques (stack\u002Fheap\u002Fkernel), crypto attack patterns (RSA\u002Flattice\u002Fsymmetric), RE methodology, steganography, and traffic analysis skills |\n| `hacktricks` | Penetration testing encyclopedia covering web tricks, Linux\u002FWindows\u002FmacOS privilege escalation, Active Directory, containers, mobile, and AI security | Distilled into OS-specific privilege escalation playbooks, AD attack chains (Kerberos\u002FACL\u002FADCS), mobile pentesting checklists, container escape techniques, and network pivoting strategies |\n| Public security research papers and CVE advisories | Methodology frameworks, vulnerability pattern taxonomies, statistical distributions | Distilled into attack pattern matrices, systematic testing checklists, decision trees |\n\nProcessing principles:\n\n- No direct copying of large dictionaries or full payload lists.\n- Prioritize distilling into routable, composable, and auditable security skills.\n- Use small, stable samples, taxonomies, and cross-references to improve Agent stability in real security scenarios.\n- No customer-specific information, no vendor-identifiable case details, purely educational methodology.\n\n## Quick Start\n\nThe preferred entry point is `hack`:\n\n```bash\nnpx skills add yaklang\u002Fhack-skills\n```\n\nIf your tooling supports pulling a single SKILL.md directly, you can also use:\n\n- frontmatter name: `hack`\n- raw URL: `https:\u002F\u002Fraw.githubusercontent.com\u002Fyaklang\u002Fhack-skills\u002Fmain\u002Fskills\u002Fhack\u002FSKILL.md`\n\nAfter installing, the recommended order is simple: start from the master entry, then move into category entries, and only then drill into deep topic skills.\n\n## Loader Priority\n\n| Layer | Role | 
Recommended Exposure | Representative Skill |\n|---|---|---|---|\n| Master Entry | Global routing, test sequencing, cross-category switching | Expose first | [hack](.\u002Fskills\u002Fhack\u002FSKILL.md) |\n| Category Entry | Route by attack surface to stable topic families | Expose first | [recon-for-sec](.\u002Fskills\u002Frecon-for-sec\u002FSKILL.md), [api-sec](.\u002Fskills\u002Fapi-sec\u002FSKILL.md), [auth-sec](.\u002Fskills\u002Fauth-sec\u002FSKILL.md) |\n| Deep Topic | Provide complete attack playbooks and execution details | Load on demand | [xss-cross-site-scripting](.\u002Fskills\u002Fxss-cross-site-scripting\u002FSKILL.md), [sqli-sql-injection](.\u002Fskills\u002Fsqli-sql-injection\u002FSKILL.md) |\n\n## Main Entry Points\n\n| Type | Skill | Purpose | When to Use First |\n|---|---|---|---|\n| Master Entry | [hack](.\u002Fskills\u002Fhack\u002FSKILL.md) | Global routing, phase assessment, cross-category switching | New target, unknown attack surface |\n| Category Entry | [recon-for-sec](.\u002Fskills\u002Frecon-for-sec\u002FSKILL.md) | Asset discovery, technology identification | Just received the target |\n| Category Entry | [api-sec](.\u002Fskills\u002Fapi-sec\u002FSKILL.md) | REST, GraphQL, mobile backend routing | Observed API interfaces |\n| Category Entry | [auth-sec](.\u002Fskills\u002Fauth-sec\u002FSKILL.md) | Authentication, sessions, OAuth, JWT, authorization | Login, tokens, object IDs |\n| Category Entry | [injection-checking](.\u002Fskills\u002Finjection-checking\u002FSKILL.md) | XSS, SQLi, SSRF, XXE, SSTI, CMDi, NoSQL routing | Input enters interpreter |\n| Category Entry | [file-access-vuln](.\u002Fskills\u002Ffile-access-vuln\u002FSKILL.md) | Upload, download, LFI, path control | File operations |\n| Category Entry | [business-logic-vuln](.\u002Fskills\u002Fbusiness-logic-vuln\u002FSKILL.md) | Race conditions, pricing, workflow, state machines | Business process testing |\n\n## Complete Skill Index (101 Skills)\n\n### Reconnaissance & 
Methodology\n\n| Skill | SKILL.md | SCENARIOS.md | Key Content |\n|---|---|---|---|\n| [hack](.\u002Fskills\u002Fhack\u002FSKILL.md) | 161 lines | - | Master router, phenomenon-to-skill mapping, expert intuitions |\n| [recon-for-sec](.\u002Fskills\u002Frecon-for-sec\u002FSKILL.md) | 28 lines | - | Category router for reconnaissance phase |\n| [recon-and-methodology](.\u002Fskills\u002Frecon-and-methodology\u002FSKILL.md) | 389 lines | - | Methodology framework, Java middleware fingerprint matrix, leak detection checklist |\n\n### API Security\n\n| Skill | SKILL.md | SCENARIOS.md | Key Content |\n|---|---|---|---|\n| [api-sec](.\u002Fskills\u002Fapi-sec\u002FSKILL.md) | 48 lines | - | Category router for API testing |\n| [api-recon-and-docs](.\u002Fskills\u002Fapi-recon-and-docs\u002FSKILL.md) | 60 lines | - | API discovery, OpenAPI\u002FSwagger, hidden endpoints |\n| [api-authorization-and-bola](.\u002Fskills\u002Fapi-authorization-and-bola\u002FSKILL.md) | 47 lines | - | BOLA\u002FBFLA, mass assignment, object-level authz |\n| [api-auth-and-jwt-abuse](.\u002Fskills\u002Fapi-auth-and-jwt-abuse\u002FSKILL.md) | 75 lines | - | JWT attacks, API key abuse, token manipulation |\n| [graphql-and-hidden-parameters](.\u002Fskills\u002Fgraphql-and-hidden-parameters\u002FSKILL.md) | 49 lines | - | GraphQL introspection, batching, hidden param discovery |\n\n### Authentication & Authorization\n\n| Skill | SKILL.md | SCENARIOS.md | Key Content |\n|---|---|---|---|\n| [auth-sec](.\u002Fskills\u002Fauth-sec\u002FSKILL.md) | 40 lines | - | Category router for auth testing |\n| [authbypass-authentication-flaws](.\u002Fskills\u002Fauthbypass-authentication-flaws\u002FSKILL.md) | 441 lines | - | Password reset 22-pattern matrix, captcha bypass 20 methods, insecure randomness (UUID v1\u002Fmt_rand\u002FObjectId) |\n| [jwt-oauth-token-attacks](.\u002Fskills\u002Fjwt-oauth-token-attacks\u002FSKILL.md) | 301 lines | - | JWT alg confusion, key confusion, claim tampering, JWKS abuse |\n| 
[oauth-oidc-misconfiguration](.\u002Fskills\u002Foauth-oidc-misconfiguration\u002FSKILL.md) | 45 lines | - | OAuth flow hijacking, OIDC misconfiguration |\n| [saml-sso-assertion-attacks](.\u002Fskills\u002Fsaml-sso-assertion-attacks\u002FSKILL.md) | 40 lines | - | SAML assertion manipulation, SSO bypass |\n| [idor-broken-object-authorization](.\u002Fskills\u002Fidor-broken-object-authorization\u002FSKILL.md) | 336 lines | - | 8-category systematic IDOR testing, ORM filter chain leaks (Django\u002FPrisma\u002FRansack) |\n\n### Injection Attacks\n\n| Skill | SKILL.md | SCENARIOS.md | Key Content |\n|---|---|---|---|\n| [injection-checking](.\u002Fskills\u002Finjection-checking\u002FSKILL.md) | 49 lines | - | Category router for injection testing |\n| [xss-cross-site-scripting](.\u002Fskills\u002Fxss-cross-site-scripting\u002FSKILL.md) | 368 lines | 278 lines | Polyglot payloads, WAF bypass by vendor (Cloudflare\u002FAkamai\u002FIncapsula\u002FWordFence), CSP bypass, DOM clobbering, CSS injection data exfiltration |\n| [sqli-sql-injection](.\u002Fskills\u002Fsqli-sql-injection\u002FSKILL.md) | 475 lines | 575 lines | DB2\u002FCassandra\u002FBigQuery\u002FSQLite specifics, SQLite RCE, WAF bypass matrix, CTF techniques (handler\u002Fprepare\u002Finnodb) |\n| [ssrf-server-side-request-forgery](.\u002Fskills\u002Fssrf-server-side-request-forgery\u002FSKILL.md) | 314 lines | 226 lines | Cloud metadata 6-platform matrix, DNS rebinding, headless browser attacks, Gopher\u002FRedis RCE chain |\n| [ssti-server-side-template-injection](.\u002Fskills\u002Fssti-server-side-template-injection\u002FSKILL.md) | 340 lines | 319 lines | 15+ engine coverage (Jinja2\u002FTwig\u002FPug\u002FHandlebars\u002FEJS\u002FRazor\u002FEEx\u002FSmarty), blind SSTI, Flask PIN calculation |\n| [cmdi-command-injection](.\u002Fskills\u002Fcmdi-command-injection\u002FSKILL.md) | 494 lines | - | WAF bypass (wildcards\u002Fxor\u002Fbase64), PHP disable_functions 6 bypass paths, component RCE 
(ImageMagick\u002FFFmpeg\u002FES) |\n| [nosql-injection](.\u002Fskills\u002Fnosql-injection\u002FSKILL.md) | 341 lines | - | Blind extraction automation scripts, duplicate key bypass, aggregation pipeline injection, $where JS execution |\n| [xxe-xml-external-entity](.\u002Fskills\u002Fxxe-xml-external-entity\u002FSKILL.md) | 326 lines | 112 lines | Local DTD injection (17+ paths for Windows\u002FLinux\u002FJAR), blind XXE, Gopher\u002FFTP OOB |\n| [deserialization-insecure](.\u002Fskills\u002Fdeserialization-insecure\u002FSKILL.md) | 714 lines | - | Java\u002FPHP\u002FPython + Ruby Marshal\u002FYAML chains, .NET BinaryFormatter\u002FViewState\u002FJSON.NET, Node.js node-serialize\u002Ffuncster |\n| [ghost-bits-cast-attack](.\u002Fskills\u002Fghost-bits-cast-attack\u002FSKILL.md) | 400+ lines | PAYLOAD_COOKBOOK.md | Java char-to-byte narrowing WAF bypass (Black Hat Asia 2026): re-enables WAF-blocked SQLi\u002Fdeser\u002Fupload\u002Ftraversal\u002FCRLF\u002Fsmuggling across Tomcat\u002FSpring\u002FJetty\u002FJackson\u002FFastjson\u002FBCEL\u002FHttpClient\u002FAngus Mail; 255 Unicode bypass candidates per dangerous byte |\n| [expression-language-injection](.\u002Fskills\u002Fexpression-language-injection\u002FSKILL.md) | 243 lines | - | SpEL, OGNL, Java EL injection with RCE chains |\n| [jndi-injection](.\u002Fskills\u002Fjndi-injection\u002FSKILL.md) | 265 lines | - | JNDI\u002FLDAP\u002FRMI exploitation, Log4Shell patterns |\n| [crlf-injection](.\u002Fskills\u002Fcrlf-injection\u002FSKILL.md) | 175 lines | - | Header injection, HTTP response splitting |\n| [request-smuggling](.\u002Fskills\u002Frequest-smuggling\u002FSKILL.md) | 298 lines | - | CL.TE\u002FTE.CL\u002FTE.TE with 8 obfuscation variants, HTTP\u002F2 downgrade, client-side desync |\n| [prototype-pollution](.\u002Fskills\u002Fprototype-pollution\u002FSKILL.md) | 190 lines | - | Express black-box probing keys, EJS\u002FKibana gadget chains, CVE-2019-7609 |\n| 
[type-juggling](.\u002Fskills\u002Ftype-juggling\u002FSKILL.md) | 291 lines | - | PHP loose comparison table, magic hash (MD5\u002FSHA1\u002FSHA256), HMAC 0e brute-force, CTF patterns |\n| [http-parameter-pollution](.\u002Fskills\u002Fhttp-parameter-pollution\u002FSKILL.md) | 208 lines | - | Server behavior matrix (9 platforms), HPP+WAF bypass combos |\n| [xslt-injection](.\u002Fskills\u002Fxslt-injection\u002FSKILL.md) | 281 lines | - | Three RCE chains (PHP\u002FJava\u002F.NET), EXSLT file write, vendor detection |\n| [csv-formula-injection](.\u002Fskills\u002Fcsv-formula-injection\u002FSKILL.md) | 144 lines | - | DDE\u002Frundll32 payloads, Google Sheets IMPORT* exfiltration |\n\n### File & Path Attacks\n\n| Skill | SKILL.md | SCENARIOS.md | Key Content |\n|---|---|---|---|\n| [file-access-vuln](.\u002Fskills\u002Ffile-access-vuln\u002FSKILL.md) | 32 lines | - | Category router for file access testing |\n| [path-traversal-lfi](.\u002Fskills\u002Fpath-traversal-lfi\u002FSKILL.md) | 603 lines | - | LFI-to-RCE 7 paths, PHP wrapper matrix (filter chains\u002Foracle\u002Fphar), pearcmd 4 methods, parameter naming dictionary |\n| [upload-insecure-files](.\u002Fskills\u002Fupload-insecure-files\u002FSKILL.md) | 287 lines | 158 lines | Success rate formula, editor path matrix, validation defect 5-dimension taxonomy, IIS\u002FApache\u002FNginx parsing tricks |\n\n### Business Logic & Session\n\n| Skill | SKILL.md | SCENARIOS.md | Key Content |\n|---|---|---|---|\n| [business-logic-vuln](.\u002Fskills\u002Fbusiness-logic-vuln\u002FSKILL.md) | 32 lines | - | Category router for business logic testing |\n| [business-logic-vulnerabilities](.\u002Fskills\u002Fbusiness-logic-vulnerabilities\u002FSKILL.md) | 339 lines | 298 lines | Payment manipulation matrix (10 attacks), state machine bypass methodology, coupon\u002Fstock race |\n| [race-condition](.\u002Fskills\u002Frace-condition\u002FSKILL.md) | 286 lines | - | TOCTOU model, HTTP\u002F1.1 last-byte sync, HTTP\u002F2 
single-packet attack, Turbo Intruder templates, CVE-2022-4037 |\n| [csrf-cross-site-request-forgery](.\u002Fskills\u002Fcsrf-cross-site-request-forgery\u002FSKILL.md) | 324 lines | - | JSON CSRF 3 techniques, multipart upload CSRF, CSPT2CSRF modern variant |\n| [clickjacking](.\u002Fskills\u002Fclickjacking\u002FSKILL.md) | 163 lines | - | Frame-based attacks, X-Frame-Options\u002FCSP bypass |\n| [cors-cross-origin-misconfiguration](.\u002Fskills\u002Fcors-cross-origin-misconfiguration\u002FSKILL.md) | 50 lines | 152 lines | Origin reflection, null origin, subdomain trust abuse |\n| [open-redirect](.\u002Fskills\u002Fopen-redirect\u002FSKILL.md) | 184 lines | - | Redirect chain abuse, tabnabbing (reverse tabnabbing) |\n| [web-cache-deception](.\u002Fskills\u002Fweb-cache-deception\u002FSKILL.md) | 211 lines | - | Path confusion, cache key manipulation |\n\n### Advanced Web Security\n\n| Skill | Key Content |\n|---|---|\n| [subdomain-takeover](.\u002Fskills\u002Fsubdomain-takeover\u002FSKILL.md) | Dangling DNS records (CNAME\u002FNS\u002FA), cloud service fingerprinting, verification bypass, multi-provider takeover playbooks |\n| [waf-bypass-techniques](.\u002Fskills\u002Fwaf-bypass-techniques\u002FSKILL.md) | Encoding chains, chunked transfer tricks, HTTP smuggling for WAF evasion, vendor-specific bypass matrices (Cloudflare\u002FAWS WAF\u002FAkamai\u002FModSecurity) |\n| [csp-bypass-advanced](.\u002Fskills\u002Fcsp-bypass-advanced\u002FSKILL.md) | Script gadgets, base-uri abuse, JSONP callback injection, trusted CDN exploitation, CSP nonce\u002Fhash leak, strict-dynamic bypass |\n| [http-host-header-attacks](.\u002Fskills\u002Fhttp-host-header-attacks\u002FSKILL.md) | Password reset poisoning, web cache poisoning via Host, routing-based SSRF, absolute-URL override tricks |\n| [dangling-markup-injection](.\u002Fskills\u002Fdangling-markup-injection\u002FSKILL.md) | HTML injection for data exfiltration without JavaScript, img\u002Fform\u002Fbase tag abuse, CSP-safe 
data theft |\n| [dns-rebinding-attacks](.\u002Fskills\u002Fdns-rebinding-attacks\u002FSKILL.md) | DNS rebinding for internal network access, TTL manipulation, same-origin policy bypass, browser mitigation evasion |\n| [email-header-injection](.\u002Fskills\u002Femail-header-injection\u002FSKILL.md) | SMTP header injection, CC\u002FBCC manipulation, mail relay abuse, phishing via injected headers |\n| [http2-specific-attacks](.\u002Fskills\u002Fhttp2-specific-attacks\u002FSKILL.md) | HTTP\u002F2 request smuggling (H2.CL\u002FH2.TE), HPACK header compression attacks, stream multiplexing abuse, HTTP\u002F2→HTTP\u002F1.1 downgrade |\n| [prototype-pollution-advanced](.\u002Fskills\u002Fprototype-pollution-advanced\u002FSKILL.md) | Server-side gadget chain discovery, framework-specific PP→RCE (Express\u002FFastify\u002FNext.js), AST injection, prototype poisoning in build tools |\n| [401-403-bypass-techniques](.\u002Fskills\u002F401-403-bypass-techniques\u002FSKILL.md) | Path normalization tricks, HTTP verb tampering, header-based bypass (X-Original-URL\u002FX-Rewrite-URL), proxy misconfiguration, IP-based ACL evasion |\n\n### Infrastructure & Network\n\n| Skill | Key Content |\n|---|---|\n| [unauthorized-access-common-services](.\u002Fskills\u002Funauthorized-access-common-services\u002FSKILL.md) | Service exposure checklist, reverse proxy misconfiguration (Nginx off-by-slash, X-Forwarded-For trust, Caddy template injection) |\n| [insecure-source-code-management](.\u002Fskills\u002Finsecure-source-code-management\u002FSKILL.md) | .git\u002F.svn\u002F.hg\u002F.bzr recovery, 403 vs 404 detection, backup file patterns |\n| [dependency-confusion](.\u002Fskills\u002Fdependency-confusion\u002FSKILL.md) | npm\u002Fpip\u002Fgem public registry hijacking, manifest identification, scope\u002Fnamespace defense |\n| [websocket-security](.\u002Fskills\u002Fwebsocket-security\u002FSKILL.md) | CSWSH, Origin validation, wsrepl\u002Fws-harness tooling |\n| 
[network-protocol-attacks](.\u002Fskills\u002Fnetwork-protocol-attacks\u002FSKILL.md) | ARP spoofing, DNS poisoning, LLMNR\u002FNBT-NS poisoning, DHCP starvation, IPv6 attacks, protocol-level MitM |\n| [tunneling-and-pivoting](.\u002Fskills\u002Ftunneling-and-pivoting\u002FSKILL.md) | SSH tunneling (local\u002Fremote\u002Fdynamic), SOCKS proxy chains, chisel\u002Fligolo-ng, port forwarding, DNS\u002FICMP tunneling |\n| [reverse-shell-techniques](.\u002Fskills\u002Freverse-shell-techniques\u002FSKILL.md) | Multi-language shell generation, encrypted reverse shells (OpenSSL\u002Fncat), staged\u002Fstageless payloads, firewall evasion, web shells |\n\n### Linux & Container Security\n\n| Skill | Key Content |\n|---|---|\n| [linux-privilege-escalation](.\u002Fskills\u002Flinux-privilege-escalation\u002FSKILL.md) | SUID\u002FSGID abuse, kernel exploits, sudo misconfig, cron jobs, Linux Capabilities, writable service files, NFS no_root_squash |\n| [container-escape-techniques](.\u002Fskills\u002Fcontainer-escape-techniques\u002FSKILL.md) | Docker socket abuse, privileged container escape, cgroup breakout, runc vulnerabilities, mounted sensitive paths |\n| [linux-security-bypass](.\u002Fskills\u002Flinux-security-bypass\u002FSKILL.md) | SELinux\u002FAppArmor bypass, seccomp filter evasion, namespace abuse, LD_PRELOAD tricks |\n| [linux-lateral-movement](.\u002Fskills\u002Flinux-lateral-movement\u002FSKILL.md) | SSH key harvesting, credential reuse, service exploitation, NFS\u002Fshared mount abuse, cron-based persistence |\n| [kubernetes-pentesting](.\u002Fskills\u002Fkubernetes-pentesting\u002FSKILL.md) | Pod security policy bypass, RBAC abuse, ServiceAccount token theft, etcd access, container image backdoors, kubelet API |\n\n### Windows & Active Directory\n\n| Skill | Key Content |\n|---|---|\n| [windows-privilege-escalation](.\u002Fskills\u002Fwindows-privilege-escalation\u002FSKILL.md) | Token manipulation, service misconfig, DLL hijacking, UAC bypass, 
AlwaysInstallElevated, unquoted service paths, PrintSpoofer\u002FPotato |\n| [active-directory-kerberos-attacks](.\u002Fskills\u002Factive-directory-kerberos-attacks\u002FSKILL.md) | Kerberoasting, AS-REP Roasting, Golden\u002FSilver Ticket, delegation abuse (unconstrained\u002Fconstrained\u002FRBCD), Diamond Ticket |\n| [active-directory-acl-abuse](.\u002Fskills\u002Factive-directory-acl-abuse\u002FSKILL.md) | ACL\u002FDACL exploitation, DCSync, object ownership abuse, WriteDACL\u002FGenericAll\u002FGenericWrite attack paths, BloodHound integration |\n| [active-directory-certificate-services](.\u002Fskills\u002Factive-directory-certificate-services\u002FSKILL.md) | ESC1–ESC8 attack patterns, certificate template abuse, PKINIT exploitation, Shadow Credentials, CA persistence |\n| [ntlm-relay-coercion](.\u002Fskills\u002Fntlm-relay-coercion\u002FSKILL.md) | PetitPotam, PrinterBug, NTLM relay chains, coercion techniques, WebDAV relay, NTLM downgrade |\n| [windows-lateral-movement](.\u002Fskills\u002Fwindows-lateral-movement\u002FSKILL.md) | PsExec, WMI, WinRM, DCOM, Pass-the-Hash\u002FPass-the-Ticket, RDP hijacking, scheduled tasks, service deployment |\n| [windows-av-evasion](.\u002Fskills\u002Fwindows-av-evasion\u002FSKILL.md) | AMSI bypass, ETW patching, API unhooking, shellcode loaders, Living-off-the-Land (LOLBins), payload encryption\u002Fobfuscation |\n\n### macOS Security\n\n| Skill | Key Content |\n|---|---|\n| [macos-security-bypass](.\u002Fskills\u002Fmacos-security-bypass\u002FSKILL.md) | Gatekeeper bypass, TCC abuse, SIP\u002FAMFI considerations, LaunchAgent\u002FLaunchDaemon persistence, quarantine flag evasion |\n| [macos-process-injection](.\u002Fskills\u002Fmacos-process-injection\u002FSKILL.md) | Dylib injection\u002Fhijacking, task_for_pid, XPC exploitation, Electron app injection, DYLD_INSERT_LIBRARIES |\n\n### Mobile Security\n\n| Skill | Key Content |\n|---|---|\n| 
[android-pentesting-tricks](.\u002Fskills\u002Fandroid-pentesting-tricks\u002FSKILL.md) | APK analysis & reverse engineering, Frida hooking, Intent exploitation, root detection bypass, Content Provider leaks, WebView attacks |\n| [ios-pentesting-tricks](.\u002Fskills\u002Fios-pentesting-tricks\u002FSKILL.md) | IPA analysis, Objective-C runtime manipulation, jailbreak detection bypass, Keychain access, URL scheme abuse, binary protections |\n| [mobile-ssl-pinning-bypass](.\u002Fskills\u002Fmobile-ssl-pinning-bypass\u002FSKILL.md) | Certificate pinning bypass for Android\u002FiOS, Frida\u002FObjection scripts, dynamic instrumentation, network security config manipulation |\n\n### Binary Exploitation (Pwn)\n\n| Skill | Key Content |\n|---|---|\n| [stack-overflow-and-rop](.\u002Fskills\u002Fstack-overflow-and-rop\u002FSKILL.md) | Buffer overflow, ROP chain construction, ret2libc, SROP (Sigreturn-Oriented Programming), stack pivoting, one-gadget |\n| [heap-exploitation](.\u002Fskills\u002Fheap-exploitation\u002FSKILL.md) | Use-after-free, double free, tcache poisoning, fastbin attack, House of series techniques, safe-linking bypass |\n| [format-string-exploitation](.\u002Fskills\u002Fformat-string-exploitation\u002FSKILL.md) | Format string read\u002Fwrite primitives, GOT overwrite, arbitrary address write, FORTIFY_SOURCE bypass |\n| [kernel-exploitation](.\u002Fskills\u002Fkernel-exploitation\u002FSKILL.md) | Kernel ROP, ret2usr, SMEP\u002FSMAP\u002FKPTI bypass, kernel race conditions, modprobe_path overwrite, msg_msg exploitation |\n| [browser-exploitation-v8](.\u002Fskills\u002Fbrowser-exploitation-v8\u002FSKILL.md) | V8 engine exploitation, JIT compilation bugs, type confusion, OOB read\u002Fwrite, sandbox escape chains, wasm abuse |\n| [sandbox-escape-techniques](.\u002Fskills\u002Fsandbox-escape-techniques\u002FSKILL.md) | Browser sandbox escape, seccomp bypass, IPC abuse, kernel exploitation for sandbox breakout, policy file manipulation |\n| 
[binary-protection-bypass](.\u002Fskills\u002Fbinary-protection-bypass\u002FSKILL.md) | ASLR\u002FNX\u002FPIE\u002FCanary\u002FFull RELRO bypass techniques, information leak exploitation, partial overwrite, GOT dereference |\n| [arbitrary-write-to-rce](.\u002Fskills\u002Farbitrary-write-to-rce\u002FSKILL.md) | Write primitive to code execution (GOT\u002F__free_hook\u002F__malloc_hook), FSOP, _IO_FILE exploitation, exit handler overwrite |\n\n### Reverse Engineering\n\n| Skill | Key Content |\n|---|---|\n| [anti-debugging-techniques](.\u002Fskills\u002Fanti-debugging-techniques\u002FSKILL.md) | ptrace detection, timing checks, self-modifying code, anti-VM techniques, debug flag inspection, exception-based anti-debug |\n| [code-obfuscation-deobfuscation](.\u002Fskills\u002Fcode-obfuscation-deobfuscation\u002FSKILL.md) | Control flow flattening, opaque predicates, string encryption, obfuscation tool analysis (OLLVM\u002FThemida\u002FVMProtect), automated deobfuscation |\n| [symbolic-execution-tools](.\u002Fskills\u002Fsymbolic-execution-tools\u002FSKILL.md) | angr, Z3, Triton for automated vulnerability discovery, constraint solving, path exploration, concolic execution |\n| [vm-and-bytecode-reverse](.\u002Fskills\u002Fvm-and-bytecode-reverse\u002FSKILL.md) | Custom VM\u002Fbytecode analysis, Python\u002FJava\u002F.NET decompilation, VM handler reconstruction, opcode mapping |\n\n### Cryptography Attacks\n\n| Skill | Key Content |\n|---|---|\n| [rsa-attack-techniques](.\u002Fskills\u002Frsa-attack-techniques\u002FSKILL.md) | Wiener attack, Boneh-Durfee, Hastad broadcast, common modulus, Coppersmith (small roots), Franklin-Reiter, padding oracle (PKCS#1 v1.5) |\n| [symmetric-cipher-attacks](.\u002Fskills\u002Fsymmetric-cipher-attacks\u002FSKILL.md) | Padding oracle (CBC), bit-flipping, ECB cut-and-paste, meet-in-the-middle, known-plaintext, IV reuse exploitation |\n| [lattice-crypto-attacks](.\u002Fskills\u002Flattice-crypto-attacks\u002FSKILL.md) | LLL\u002FBKZ 
lattice reduction, Hidden Number Problem, NTRU attacks, CVP\u002FSVP solving, knapsack cryptosystem attacks |\n| [hash-attack-techniques](.\u002Fskills\u002Fhash-attack-techniques\u002FSKILL.md) | Length extension attack, birthday attack, hash collision exploitation, bcrypt\u002Fscrypt\u002Fargon2 analysis, HMAC timing |\n| [classical-cipher-analysis](.\u002Fskills\u002Fclassical-cipher-analysis\u002FSKILL.md) | Frequency analysis, Vigenère\u002FKasiski, Hill cipher, substitution cipher, transposition cipher, Enigma-style analysis, automated solving |\n\n### Blockchain & Smart Contract\n\n| Skill | SKILL.md | Supplementary | Key Content |\n|---|---|---|---|\n| [smart-contract-vulnerabilities](.\u002Fskills\u002Fsmart-contract-vulnerabilities\u002FSKILL.md) | 314 lines | 460 lines | Reentrancy (4 variants), integer overflow, delegatecall storage collision, signature replay, CREATE2 exploitation, flash loan patterns |\n| [defi-attack-patterns](.\u002Fskills\u002Fdefi-attack-patterns\u002FSKILL.md) | 355 lines | - | Flash loan oracle manipulation, MEV sandwich\u002FJIT\u002Fliquidation, first depositor vault attack, governance flash borrow, bridge exploits, fee-on-transfer tokens |\n\n### AI\u002FML & LLM Security\n\n| Skill | SKILL.md | Supplementary | Key Content |\n|---|---|---|---|\n| [llm-prompt-injection](.\u002Fskills\u002Fllm-prompt-injection\u002FSKILL.md) | 357 lines | 306 lines | Direct\u002Findirect injection, RAG poisoning, tool\u002Ffunction abuse, markdown exfiltration, MCP security risks, encoding bypass |\n| [ai-ml-security](.\u002Fskills\u002Fai-ml-security\u002FSKILL.md) | 425 lines | - | Pickle RCE in model files, adversarial examples (FGSM\u002FPGD\u002FC&W), training data poisoning, model extraction, membership inference, agent security |\n\n### Forensics & Steganography\n\n| Skill | Key Content |\n|---|---|\n| [memory-forensics-volatility](.\u002Fskills\u002Fmemory-forensics-volatility\u002FSKILL.md) | Volatility framework, process\u002Fmodule 
analysis, network artifact extraction, malware detection, registry hive analysis, timeline reconstruction |\n| [steganography-techniques](.\u002Fskills\u002Fsteganography-techniques\u002FSKILL.md) | LSB extraction, file format analysis, audio\u002Fimage stego tools (zsteg\u002Fstegsolve\u002Fsteghide), EXIF metadata, multi-layer embedding |\n| [traffic-analysis-pcap](.\u002Fskills\u002Ftraffic-analysis-pcap\u002FSKILL.md) | Wireshark\u002Ftshark analysis, protocol dissection, data extraction from captures, encrypted traffic identification, stream reconstruction |\n\n## Skill Selection Guide\n\n| Symptom | Recommended Entry | Notes |\n|---|---|---|\n| New target, insufficient information | [recon-for-sec](.\u002Fskills\u002Frecon-for-sec\u002FSKILL.md) | Start with methodology and asset understanding |\n| REST API, GraphQL, mobile backend | [api-sec](.\u002Fskills\u002Fapi-sec\u002FSKILL.md) | Route to recon, authz, token, or GraphQL |\n| Login, password reset, 2FA, JWT, OAuth | [auth-sec](.\u002Fskills\u002Fauth-sec\u002FSKILL.md) | Distinguish auth, authz, and protocol config |\n| HTML\u002FJS reflection, template expressions | [injection-checking](.\u002Fskills\u002Finjection-checking\u002FSKILL.md) | Determine XSS, SQLi, SSRF, XXE, SSTI first |\n| File paths, downloads, uploads | [file-access-vuln](.\u002Fskills\u002Ffile-access-vuln\u002FSKILL.md) | Distinguish LFI\u002FTraversal from Upload |\n| Coupons, payments, state machines | [business-logic-vuln](.\u002Fskills\u002Fbusiness-logic-vuln\u002FSKILL.md) | Model by business rules and race conditions |\n| HTTP parsing anomalies | [request-smuggling](.\u002Fskills\u002Frequest-smuggling\u002FSKILL.md) | Front\u002Fback-end framing disagreement |\n| Node.js `__proto__` controllable | [prototype-pollution](.\u002Fskills\u002Fprototype-pollution\u002FSKILL.md) | Client-side PP→XSS, Server-side PP→RCE |\n| PHP weak comparison, 0e hash | [type-juggling](.\u002Fskills\u002Ftype-juggling\u002FSKILL.md) | Loose 
comparison auth bypass |\n| .git\u002F.svn\u002F.env path accessible | [insecure-source-code-management](.\u002Fskills\u002Finsecure-source-code-management\u002FSKILL.md) | Source code recovery |\n| Internal package names in manifests | [dependency-confusion](.\u002Fskills\u002Fdependency-confusion\u002FSKILL.md) | Supply chain hijacking |\n| WebSocket protocol upgrade | [websocket-security](.\u002Fskills\u002Fwebsocket-security\u002FSKILL.md) | CSWSH and WS injection |\n| CSV\u002FExcel export functionality | [csv-formula-injection](.\u002Fskills\u002Fcsv-formula-injection\u002FSKILL.md) | DDE injection in exports |\n| One-time operations (coupons, rewards) | [race-condition](.\u002Fskills\u002Frace-condition\u002FSKILL.md) | Limit-overrun via concurrent requests |\n| Smart contract, Solidity, EVM audit | [smart-contract-vulnerabilities](.\u002Fskills\u002Fsmart-contract-vulnerabilities\u002FSKILL.md) | Reentrancy, overflow, access control, delegatecall |\n| DeFi protocol, flash loan, oracle, MEV | [defi-attack-patterns](.\u002Fskills\u002Fdefi-attack-patterns\u002FSKILL.md) | Flash loan, sandwich, governance, bridge |\n| LLM, chatbot, prompt injection, RAG | [llm-prompt-injection](.\u002Fskills\u002Fllm-prompt-injection\u002FSKILL.md) | Direct\u002Findirect injection, tool abuse, MCP |\n| ML model, adversarial, model poisoning | [ai-ml-security](.\u002Fskills\u002Fai-ml-security\u002FSKILL.md) | Supply chain, adversarial examples, extraction, agents |\n| WAF blocking payloads | [waf-bypass-techniques](.\u002Fskills\u002Fwaf-bypass-techniques\u002FSKILL.md) | Encoding, chunked transfer, vendor-specific evasion |\n| Subdomain dangling CNAME\u002FDNS | [subdomain-takeover](.\u002Fskills\u002Fsubdomain-takeover\u002FSKILL.md) | Cloud service takeover, NS delegation hijacking |\n| CSP blocking XSS execution | [csp-bypass-advanced](.\u002Fskills\u002Fcsp-bypass-advanced\u002FSKILL.md) | Script gadgets, JSONP, trusted CDN, strict-dynamic |\n| 401\u002F403 on target 
endpoint | [401-403-bypass-techniques](.\u002Fskills\u002F401-403-bypass-techniques\u002FSKILL.md) | Path normalization, verb tampering, header tricks |\n| HTTP\u002F2 protocol endpoint | [http2-specific-attacks](.\u002Fskills\u002Fhttp2-specific-attacks\u002FSKILL.md) | H2 smuggling, HPACK abuse, downgrade attacks |\n| Linux host, SUID\u002Fsudo present | [linux-privilege-escalation](.\u002Fskills\u002Flinux-privilege-escalation\u002FSKILL.md) | Kernel, SUID, cron, capabilities, services |\n| Docker\u002FKubernetes environment | [container-escape-techniques](.\u002Fskills\u002Fcontainer-escape-techniques\u002FSKILL.md) | Docker socket, privileged escape, cgroup breakout |\n| Kubernetes cluster access | [kubernetes-pentesting](.\u002Fskills\u002Fkubernetes-pentesting\u002FSKILL.md) | RBAC abuse, SA token, etcd, pod security bypass |\n| Windows host, local admin needed | [windows-privilege-escalation](.\u002Fskills\u002Fwindows-privilege-escalation\u002FSKILL.md) | Token, service, DLL hijack, UAC, Potato attacks |\n| Active Directory, domain joined | [active-directory-kerberos-attacks](.\u002Fskills\u002Factive-directory-kerberos-attacks\u002FSKILL.md) | Kerberoast, AS-REP roast, Golden\u002FSilver Ticket |\n| AD CS, certificate templates | [active-directory-certificate-services](.\u002Fskills\u002Factive-directory-certificate-services\u002FSKILL.md) | ESC1–ESC8, template abuse, Shadow Credentials |\n| NTLM hash, relay opportunity | [ntlm-relay-coercion](.\u002Fskills\u002Fntlm-relay-coercion\u002FSKILL.md) | PetitPotam, PrinterBug, relay chains |\n| Windows AV\u002FEDR blocking execution | [windows-av-evasion](.\u002Fskills\u002Fwindows-av-evasion\u002FSKILL.md) | AMSI bypass, unhooking, LOLBins, payload obfuscation |\n| macOS endpoint access | [macos-security-bypass](.\u002Fskills\u002Fmacos-security-bypass\u002FSKILL.md) | Gatekeeper, TCC, SIP considerations |\n| Android\u002FiOS application testing | 
[android-pentesting-tricks](.\u002Fskills\u002Fandroid-pentesting-tricks\u002FSKILL.md) | APK analysis, Frida, Intent, root detection bypass |\n| SSL pinning blocking proxy | [mobile-ssl-pinning-bypass](.\u002Fskills\u002Fmobile-ssl-pinning-bypass\u002FSKILL.md) | Frida\u002FObjection scripts, dynamic instrumentation |\n| Binary\u002FELF\u002FPE exploitation | [stack-overflow-and-rop](.\u002Fskills\u002Fstack-overflow-and-rop\u002FSKILL.md) | Buffer overflow, ROP, ret2libc, SROP |\n| Heap corruption, UAF | [heap-exploitation](.\u002Fskills\u002Fheap-exploitation\u002FSKILL.md) | tcache\u002Ffastbin attacks, House of techniques |\n| Kernel-level exploitation | [kernel-exploitation](.\u002Fskills\u002Fkernel-exploitation\u002FSKILL.md) | Kernel ROP, SMEP\u002FSMAP bypass, modprobe_path |\n| Browser 0-day, V8\u002FJSC | [browser-exploitation-v8](.\u002Fskills\u002Fbrowser-exploitation-v8\u002FSKILL.md) | JIT bugs, type confusion, sandbox escape |\n| Obfuscated\u002Fpacked binary | [code-obfuscation-deobfuscation](.\u002Fskills\u002Fcode-obfuscation-deobfuscation\u002FSKILL.md) | Control flow, opaque predicates, VM protection |\n| CTF crypto challenge (RSA) | [rsa-attack-techniques](.\u002Fskills\u002Frsa-attack-techniques\u002FSKILL.md) | Wiener, Coppersmith, common modulus, padding oracle |\n| CTF crypto challenge (AES\u002FDES) | [symmetric-cipher-attacks](.\u002Fskills\u002Fsymmetric-cipher-attacks\u002FSKILL.md) | Padding oracle, bit-flip, ECB mode attacks |\n| CTF crypto challenge (lattice) | [lattice-crypto-attacks](.\u002Fskills\u002Flattice-crypto-attacks\u002FSKILL.md) | LLL\u002FBKZ, Hidden Number Problem, knapsack |\n| CTF classical cipher | [classical-cipher-analysis](.\u002Fskills\u002Fclassical-cipher-analysis\u002FSKILL.md) | Frequency analysis, Vigenère, substitution |\n| Memory dump analysis | [memory-forensics-volatility](.\u002Fskills\u002Fmemory-forensics-volatility\u002FSKILL.md) | Volatility, process\u002Fnetwork analysis, malware detect |\n| 
Hidden data in images\u002Faudio | [steganography-techniques](.\u002Fskills\u002Fsteganography-techniques\u002FSKILL.md) | LSB, format analysis, stego tools |\n| PCAP traffic capture | [traffic-analysis-pcap](.\u002Fskills\u002Ftraffic-analysis-pcap\u002FSKILL.md) | Wireshark, protocol dissection, stream extraction |\n| Need to pivot through network | [tunneling-and-pivoting](.\u002Fskills\u002Ftunneling-and-pivoting\u002FSKILL.md) | SSH tunnel, SOCKS proxy, chisel\u002Fligolo-ng |\n| Need reverse shell on target | [reverse-shell-techniques](.\u002Fskills\u002Freverse-shell-techniques\u002FSKILL.md) | Multi-language shells, encrypted, staged payloads |\n\n## Installation\n\n### General Installation\n\n```bash\nnpx skills add yaklang\u002Fhack-skills\n```\n\n### Raw URL Installation\n\n```bash\ncurl -fsSL https:\u002F\u002Fraw.githubusercontent.com\u002Fyaklang\u002Fhack-skills\u002Fmain\u002Fskills\u002Fhack\u002FSKILL.md\n```\n\n### Local Use as a Knowledge Base\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fyaklang\u002Fhack-skills.git\ncd hack-skills\n```\n\n### Offline ZIP (encrypted)\n\nFor air-gapped environments, slow networks, or any place where AV \u002F EDR \u002F browser content scanners strip plain offensive-security markdown:\n\n```bash\ncurl -fsSLO https:\u002F\u002Foss-qn.yaklang.com\u002Fhack-skills\u002Flatest\u002Fhack-skills.zip\n7z x -phack-skills hack-skills.zip\n# or:  unzip -P hack-skills hack-skills.zip\n```\n\n| Channel | URL |\n|---|---|\n| Primary CDN | \u003Chttps:\u002F\u002Foss-qn.yaklang.com\u002Fhack-skills\u002Flatest\u002Fhack-skills.zip> |\n| Backup CDN | \u003Chttps:\u002F\u002Faliyun-oss.yaklang.com\u002Fhack-skills\u002Flatest\u002Fhack-skills.zip> |\n| Build version manifest | \u003Chttps:\u002F\u002Foss-qn.yaklang.com\u002Fhack-skills\u002Flatest\u002Fversion.txt> |\n\n**About the password.** The ZIP is wrapped with **AES-256** and a **public constant** password `hack-skills`. 
This is **not access control** — anyone can download, anyone can extract, the password is printed openly in the README, the website, the GitHub Actions workflow, and CI logs. It exists solely to bypass content heuristics on AV \u002F EDR \u002F browser scanners that flag plain offensive markdown and silently drop or quarantine the file in transit. Build, encryption settings, and integrity verification all live in [`.github\u002Fworkflows\u002Fupload-hack-skills.yml`](.\u002F.github\u002Fworkflows\u002Fupload-hack-skills.yml).\n\nThe same ZIP is also available as a one-click download from the website's nav bar (`ZIP` button) and the `Install → Offline ZIP` tab.\n\n## Design Principles\n\n- Security knowledge takes priority over fancy packaging.\n- Content auditability takes priority over quantity expansion.\n- Prioritize authorized testing, legitimate research, and defensive verification scenarios.\n- Directory names should convey security semantics at a glance.\n- No customer-specific information; all content is generic methodology for educational use.\n\n## Contributing\n\nPRs are welcome. Key areas include:\n\n- New vulnerability categories and high-value cases\n- Better bug bounty and penetration testing methodologies\n- OS-specific privilege escalation paths and AD attack chains\n- CTF challenge techniques (Pwn, Crypto, RE, Forensics)\n- Edge conditions that Agents easily overlook\n- Risk annotations, terminology consistency, and content denoising\n\nContributions should ideally be verifiable, auditable, and helpful for Agents to reason and execute more robustly in real tasks.\n","HackSkills is a knowledge base designed to help AI agents become skilled practical hackers. The project covers 14 security domains, including web security, API security, authentication and authorization, and more, totalling 101 deep topic skills. It uses a unified directory structure and standard format (`skills\u002F{semantic-identifier}\u002FSKILL.md`), making skills easy to install, search and combine. It is particularly suited to bug bounty hunters, penetration testers, CTF players and professionals conducting authorized security research. By offering three access methods (online browsing, GitHub source access and encrypted ZIP download), it ensures the knowledge base content remains available and intact across different scenarios.",2,"2026-06-11 02:40:27","CREATED_QUERY"]