
Security

Encryption, auth, and vulnerability scanning.

2506 skills
security
12

input-validation

Input-Validation standards for input validation in Security environments.

williamzujkowski
testing-security
security
12

authorization-security

Authorization security standards covering RBAC, ABAC, policy enforcement, OAuth2 scopes, resource-based access control, and NIST 800-53 compliance (AC-3, AC-4, AC-6) for production systems

williamzujkowski
testing-security
security
12

agent-penetration-tester

Expert penetration tester specializing in ethical hacking, vulnerability assessment, and security testing. Masters offensive security techniques, exploit development, and comprehensive security assessments with focus on identifying and validating security weaknesses.

Tony363
testing-security
security
12

api-security

1. Broken Object Level Authorization (BOLA) - API fails to validate user access to objects
2. Broken Authentication - Weak or missing authentication mechanisms
3. Broken Object Property Level Authorization - Missing field-level access control
4. Unrestricted Resource Consumption - No rate limiting or throttling
5. Broken Function Level Authorization - Missing authorization checks on endpoints
6. Unrestricted Access to Sensitive Business Flows - Automated abuse of legitimate workflows
7. Server Side Request Forgery (SSRF) - API accepts URLs without validation
8. Security Misconfiguration - Insecure default configs, verbose errors
9. Improper Inventory Management - Undocumented/deprecated APIs in production
10. Unsafe Consumption of APIs - Trusting third-party API data without validation

williamzujkowski
testing-security
security
12

authentication-security

Authentication security standards covering OAuth2 flows (authorization code, PKCE), JWT best practices (RS256, expiration), MFA (TOTP, WebAuthn), session management, and NIST 800-63B compliance for production systems

williamzujkowski
testing-security
security
12

vulnerability-resolver

Specialized CVE and vulnerability management for morphir-dotnet. Use when user asks to scan for vulnerabilities, fix CVEs, suppress false positives, review security reports, or manage dependency-check. Triggers include "CVE", "vulnerability", "security scan", "dependency-check", "suppress", "false positive", "CVSS", "security fix".

finos
testing-security
security
11

security-threat-model

Use when designing or reviewing systems handling sensitive data (PII, PHI, financial, auth credentials), building features with security implications (auth, payments, file uploads, APIs), preparing for security audits or compliance (PCI, HIPAA, SOC 2), investigating security incidents, integrating third-party services, or when user mentions "threat model", "security architecture", "STRIDE", "trust boundaries", "attack surface", or "security review".

lyndonkl
testing-security
security
11

dependency-risk-audit

Audit dependencies for licensing, security, and maintenance risk. Use when a senior developer needs risk assessment.

proflead
testing-security
security
11

api-security

Use when implementing API authentication, authorization, or security patterns. Covers OAuth 2.0, OIDC, JWT, API keys, rate limiting, and common API security vulnerabilities.

melodic-software
testing-security
security
11

api-security

Comprehensive API security guidance covering authentication methods, rate limiting, input validation, CORS, security headers, and protection against OWASP API Top 10 vulnerabilities. Use when designing API authentication, implementing rate limiting, configuring CORS, setting security headers, or reviewing API security.

melodic-software
testing-security
security
11

secure-coding

Provides guidance on secure coding practices including OWASP Top 10 2025, CWE Top 25, input validation, output encoding, and language-specific security patterns. Use when reviewing code for security vulnerabilities, implementing security controls, or learning secure development practices.

melodic-software
testing-security
security
11

ldap-injection-testing

This skill should be used when the user asks to "test for LDAP injection vulnerabilities", "exploit LDAP queries", "perform blind LDAP injection attacks", "bypass authentication using LDAP injection", "extract data from LDAP directories", or "assess LDAP-based application security". It provides comprehensive techniques for identifying and exploiting LDAP injection flaws in web applications.

zebbern
testing-security
security
11

external-network-penetration-testing

This skill should be used when the user asks to "perform external pentesting", "conduct external network assessment", "enumerate external attack surface", "perform OSINT reconnaissance", or "test perimeter security". It provides comprehensive external network penetration testing methodologies.

zebbern
testing-security
security
11

phishing-attacks

The assistant guides users through phishing attack simulation tools and techniques for penetration testing and security awareness. Activate when users ask about "phishing simulation," "social engineering testing," "Shellphish," "WiFi phishing," "credential harvesting," or "security awareness training."

zebbern
testing-security
security
11

auth-flow

Generates authentication infrastructure with Sign in with Apple, biometrics, and Keychain storage. Use when user wants to add authentication, login, or Sign in with Apple.

rshankras
testing-security
security
11

security-headers

Analyzes HTTP security headers for a given URL and provides a comprehensive security score. Checks for critical headers like HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Returns detailed scoring and recommendations.

madsstoumann
testing-security
security
11

security-frameworks

Security framework alignment including ISO 27001, SOC 2, NIST CSF 2.0, and CIS Controls mapping

melodic-software
testing-security
security
11

credential-harvesting-lab-setup

This skill should be used when the user asks to "build a phishing lab", "perform credential harvesting", "set up ARP spoofing", "configure DNS spoofing", "create a fake login page", or "test social engineering attacks". It provides techniques for building a credential harvesting environment.

zebbern
testing-security
security
11

secrets-management

Use when designing secret storage, rotation, or credential management systems. Covers HashiCorp Vault patterns, AWS Secrets Manager, Azure Key Vault, secret rotation, and zero-knowledge architectures.

melodic-software
testing-security
security
11

pci-dss-compliance

PCI DSS compliance planning for payment card handling including scope reduction, SAQ selection, and security controls

melodic-software
testing-security
security
11

broken-authentication-testing

This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". It provides comprehensive techniques for identifying authentication and session management weaknesses in web applications.

zebbern
testing-security
security
11

jwt-security-testing

This skill should be used when the user asks to "test JWT security", "hack JWT tokens", "bypass JWT authentication", "crack JWT secrets", or "exploit JWT vulnerabilities". It provides comprehensive JSON Web Token attack techniques and security assessment methodologies.

zebbern
testing-security
security
11

authentication-patterns

Comprehensive authentication implementation guidance including JWT best practices, OAuth 2.0/OIDC flows, Passkeys/FIDO2/WebAuthn, MFA patterns, and secure session management. Use when implementing login systems, token-based auth, SSO, passwordless authentication, or reviewing authentication security.

melodic-software
testing-security
security
11

cryptography

Comprehensive cryptography guidance covering encryption algorithms, password hashing, TLS configuration, key management, and post-quantum considerations. Use when implementing encryption, choosing hashing algorithms, configuring TLS/SSL, managing cryptographic keys, or reviewing cryptographic implementations.

melodic-software
testing-security