Essential command-line tools and system utilities.
Scan Android APKs for Firebase misconfigurations and exposed credentials. Use when analyzing Android applications for insecure Firebase configurations, leaked API keys, open Realtime Database or Firestore instances, exposed Cloud Storage buckets, or misconfigured authentication settings.
Review security patches and fixes for completeness and correctness. Use when evaluating whether a security fix actually addresses the root cause, checking for fix bypasses, verifying regression tests cover the vulnerability, and ensuring the fix doesn't introduce new issues.
Create custom Semgrep rules for detecting security vulnerabilities and code patterns. Use when writing new Semgrep YAML rules, defining taint tracking sources/sinks, building pattern-based detections, or creating organization-specific security checks.
Search and analyze session logs (older/parent conversations) stored as JSONL files using jq and rg. Use when the user asks about prior chats, previous conversations, conversation history, what was said before, session costs, token usage, or tool usage breakdown across past sessions.
Identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes. Use when reviewing API designs, configuration schemas, cryptographic library ergonomics, or evaluating whether code follows 'secure by default' and 'pit of success' principles. Triggers: footgun, misuse-resistant, secure defaults, API usability, dangerous configuration.
Generate spectrograms and feature-panel visualizations from audio with the songsee CLI. Use when the user wants to visualize an audio file, create a spectrogram image, render mel or chroma panels, analyze frequency content, or produce a multi-panel audio feature grid from MP3 or WAV files.
Static analysis toolkit with CodeQL, Semgrep, and SARIF parsing for security vulnerability detection. Use when running static analysis scans, writing custom detection rules, or processing analysis results.
Atheris is a coverage-guided Python fuzzing framework built on libFuzzer for finding bugs, crashes, and security vulnerabilities in pure Python code and Python C extensions. It provides AddressSanitizer integration for detecting memory corruption, buffer overflows, and use-after-free errors. Assists with writing fuzz harnesses, configuring sanitizers, managing corpora, running fuzzing campaigns, and setting up Docker-based fuzzing environments. Covers instrumentation of Python imports, parallel fuzzing with workers, corpus minimization, and troubleshooting common issues like LD_PRELOAD configuration and compiler flag setup.
Guides the agent through CodeQL static analysis, including creating databases, writing custom QL queries, running interprocedural data flow and control flow analysis, detecting security vulnerabilities, setting up GitHub Actions code scanning, and managing query packs. Covers C, C++, Go, Java, Kotlin, JavaScript, TypeScript, Python, Ruby, Swift, and SARIF output processing.
Guides developers through detecting and preventing side-channel attacks, timing leaks, and constant-time violations in cryptographic implementations. Covers techniques for identifying timing side channels in crypto code, including cache-timing attacks, secret-dependent branching, and microarchitectural leakage. Applies formal verification, statistical analysis (dudect), and dynamic tracing (timecop) to audit crypto primitives for timing vulnerabilities and ensure constant-time execution.
The agent uses coverage analysis to measure which code paths, branches, and functions are exercised during fuzzing campaigns. It generates LLVM and GCC coverage reports, identifies uncovered code blocks, detects magic value checks that block fuzzer progress, and tracks coverage trends over time. The agent applies this technique when assessing harness effectiveness, diagnosing coverage plateaus, comparing differential coverage between campaigns, or integrating coverage instrumentation into CMake and Rust builds using llvm-cov, gcovr, and cargo-fuzz coverage toolchains.
Semgrep is a fast, lightweight static analysis tool for finding bugs, security vulnerabilities, and enforcing code standards across a codebase. The agent should use this skill when asked to run static analysis, scan code for security issues, detect code patterns or anti-patterns, write or test custom Semgrep rules, set up SAST in CI/CD pipelines, triage scan findings, suppress false positives, or perform a rapid security audit without building the project.
Find variants of known vulnerabilities across a codebase. Use when a vulnerability has been found and you need to search for similar patterns elsewhere, when performing systematic variant hunting after a security advisory, or when generalizing a specific bug into a broader detection query.
Searches for local businesses and points of interest via a Google Places API proxy running on localhost. Resolves vague locations, applies filters for type, rating, and price, and returns structured place details. Use when the user asks to find restaurants, nearby places, coffee shops, business search, local recommendations, or anything involving place discovery by location.
Use the ClawHub CLI to search, install, update, and publish agent skills from clawhub.com. Use when you need to fetch new skills on the fly, sync installed skills to latest or a specific version, or publish new/updated skill folders with the npm-installed clawhub CLI.
Google Workspace CLI for Gmail, Calendar, Drive, Contacts, Sheets, and Docs. Use when the user asks to send an email, check inbox, search Gmail, create or list calendar events, search Google Drive files, look up contacts, read or update spreadsheets, or export Google Docs. Handles OAuth-authenticated access to Google services via the gog command-line tool.
Discover and call paid third-party API services through the Nightmarket marketplace. Use this skill whenever the user needs a third-party API, wants to find available API services, or when you encounter a 402 Payment Required response from a nightmarket.ai URL. Also use when the user mentions Nightmarket, browsing APIs for their agent, or paying for API calls with USDC. Even if the user doesn't mention Nightmarket by name, use this skill if they need external data, analytics, automation, or any paid API service their agent could call.
Capture and automate macOS UI with the Peekaboo CLI. Provides screenshot capture, screen recording, click automation, keyboard input, window management, menu interaction, and accessibility-driven element targeting on macOS. Use when the user asks to take a screenshot, capture the screen, click a UI element, automate mouse or keyboard input, manage application windows, interact with menus or the Dock, scroll, drag, swipe, type text into fields, or inspect on-screen elements.
Use when the agent needs to send, edit, delete, or read Slack messages, add or list emoji reactions, pin or unpin messages, fetch member info, or list custom emoji in Slack channels and DMs. Handles all Slack workspace interactions including message management, reaction workflows, pinned-item management, and user lookups via the configured bot token.
The agent uses OSS-Fuzz, Google's free distributed continuous fuzzing platform, to build, run, and manage fuzzing infrastructure for open-source projects. It configures project enrollment files (project.yaml, Dockerfile, build.sh), builds fuzzers locally with helper.py, runs harnesses with AddressSanitizer and other sanitizers, generates coverage reports, and troubleshoots build failures. The agent applies this technique when setting up continuous fuzzing for C/C++, Rust, Python (Atheris), or Go projects, reproducing crashes from OSS-Fuzz bug reports, analyzing Fuzz Introspector coverage data, evaluating criticality scores for project acceptance, or hosting a private OSS-Fuzz instance for closed-source targets that need Docker-based fuzzing infrastructure with libFuzzer or AFL++ engines.
Send WhatsApp messages to other people or search/sync WhatsApp history via the wacli CLI (not for normal user chats). Use when the user asks to send a WhatsApp message, text someone on WhatsApp, search WhatsApp chat history, sync WhatsApp conversations, backfill message history, or forward a file via WhatsApp to a third party.
Manage Apple Notes via the `memo` CLI on macOS (create, view, edit, delete, search, move, and export notes). Use when a user asks Otto to add a note, list notes, search notes, or manage note folders.
