Penetration Testing

296 skills in Testing & Security > Penetration Testing

scanning-input-validation-practices

Marketplace

This skill enables Claude to automatically scan source code for potential input validation vulnerabilities. It identifies areas where user-supplied data is not properly sanitized or validated before being used in operations, which could lead to security exploits like SQL injection, cross-site scripting (XSS), or command injection. Use this skill when the user asks to "scan for input validation issues", "check input sanitization", "find potential XSS vulnerabilities", or similar requests related to securing user input. It is particularly useful during code reviews, security audits, and when hardening applications against common web vulnerabilities. The skill leverages the input-validation-scanner plugin to perform the analysis.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 15h ago

detecting-sql-injection-vulnerabilities

Marketplace

This skill enables Claude to detect SQL injection vulnerabilities in code. It uses the sql-injection-detector plugin to analyze codebases, identify potential SQL injection flaws, and provide remediation guidance. Use this skill when the user asks to find SQL injection vulnerabilities, scan for SQL injection, or check code for SQL injection risks. The skill is triggered by phrases like "detect SQL injection", "scan for SQLi", or "check for SQL injection vulnerabilities".

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 15h ago

Unnamed Skill

Performs comprehensive security audits identifying vulnerabilities, misconfigurations, and security best practice violations. Trigger keywords: security, audit, vulnerability, CVE, OWASP, penetration, security review, hardening.

cosmix/claude-code-setup
2
0
Updated 17h ago

data-validation

Data validation patterns including schema validation, input sanitization, output encoding, and type coercion. Use when implementing form validation, API input validation, JSON Schema, Zod, Pydantic, sanitization, XSS prevention, or custom validators.

cosmix/claude-code-setup
2
0
Updated 17h ago

plugin-architecture

Specialized skill for plugin architecture. Uses the registry pattern, dynamic loading, and dependency injection to provide extensible system design. Anchors: • Clean Architecture (Robert C. Martin) / Applies to: extensibility design / Purpose: ensuring flexibility • Dependency Injection Principles and Practices (Mark Seemann) / Applies to: DI design / Purpose: achieving loose coupling • Design Patterns: Elements of Reusable Object-Oriented Software (Gang of Four) / Applies to: registry pattern / Purpose: type-safe registration management. Trigger: Use when designing plugin systems, implementing extension points, managing dynamic module loading, creating registry patterns, or building workflow engines with pluggable executors. plugin architecture, registry pattern, dependency injection, dynamic loading, extension points, workflow executor

daishiman/AIWorkflowOrchestrator
2
0
Updated 17h ago

scanning-input-validation-practices

Marketplace

This skill enables Claude to automatically scan source code for potential input validation vulnerabilities. It identifies areas where user-supplied data is not properly sanitized or validated before being used in operations, which could lead to security exploits like SQL injection, cross-site scripting (XSS), or command injection. Use this skill when the user asks to "scan for input validation issues", "check input sanitization", "find potential XSS vulnerabilities", or similar requests related to securing user input. It is particularly useful during code reviews, security audits, and when hardening applications against common web vulnerabilities. The skill leverages the input-validation-scanner plugin to perform the analysis.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 17h ago

scanning-for-xss-vulnerabilities

Marketplace

This skill enables Claude to automatically scan for XSS (Cross-Site Scripting) vulnerabilities in code. It is triggered when the user requests to "scan for XSS vulnerabilities", "check for XSS", or uses the command "/xss". The skill identifies reflected, stored, and DOM-based XSS vulnerabilities. It analyzes HTML, JavaScript, CSS, and URL contexts to detect potential exploits and suggests safe proof-of-concept payloads. This skill is best used during code review, security audits, and before deploying web applications to production.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 19h ago

input-validation-security

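Comprehensive input validation and sanitization for web applications. Prevents input-based attacks such as XSS, SQL injection, command injection, and path traversal through type-safe validation, allowlist filtering, and context-aware encoding. Anchors: • OWASP Top 10 / Applies to: all input validation decisions / Purpose: industry-standard security baseline • CWE-20 (Improper Input Validation) / Applies to: validation strategy design / Purpose: preventing common vulnerability patterns • OWASP ASVS 5.1 / Applies to: validation requirement specification / Purpose: security verification standard. Trigger: Use when implementing user input handling, form validation, API request validation, file upload processing, database query construction, command execution with user input, URL parameter processing, or any data from untrusted sources.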

daishiman/AIWorkflowOrchestrator
2
0
Updated 19h ago

security-analyzer

Comprehensive security vulnerability analysis for codebases and infrastructure. Scans dependencies (npm, pip, gem, go, cargo), containers (Docker, Kubernetes), cloud IaC (Terraform, CloudFormation), and detects secrets exposure. Fetches live CVE data from OSV.dev, calculates risk scores, and generates phased remediation plans with TDD validation tests. Use when users mention security scan, vulnerability, CVE, exploit, security audit, penetration test, OWASP, hardening, dependency audit, container security, or want to improve security posture.

Cornjebus/security-analyzer
2
0
Updated 19h ago

fuzzing-apis

Marketplace

This skill enables Claude to perform automated fuzz testing on APIs to discover vulnerabilities, crashes, and unexpected behavior. It leverages malformed inputs, boundary values, and random payloads to generate comprehensive fuzz test suites. Use this skill when you need to identify potential SQL injection, XSS, command injection vulnerabilities, input validation failures, and edge cases in APIs. Trigger this skill by requesting fuzz testing, vulnerability scanning, or security analysis of an API. The skill is invoked using the `/fuzz-api` command.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 21h ago

appconfig-system

Expert guidance for working with the AppConfig runtime configuration system in squareone. Use this skill when implementing configuration loading, working with YAML config files, setting up new pages that need configuration, troubleshooting config hydration issues, or migrating from next/config patterns. Covers server-side loadAppConfig(), client-side useAppConfig(), MDX content loading, Sentry configuration injection, and Kubernetes ConfigMap patterns.

lsst-sqre/squareone
2
1
Updated 21h ago

security-reporting

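A skill that supports writing security assessment reports and documenting vulnerability findings. It systematizes the full process of threat analysis, vulnerability assessment, risk scoring, and report generation, and produces professional, highly practical security documentation. Anchors: • OWASP Top 10 (2021) / Applies to: vulnerability classification and evaluation criteria / Purpose: compliance with industry standards • CVSS v3.1 (FIRST) / Applies to: risk score calculation / Purpose: quantitative vulnerability assessment • Web Application Security (Andrew Hoffman) / Applies to: threat modeling / Purpose: systematic analysis methodology • CWE Top 25 / Applies to: vulnerability classification / Purpose: reporting in a common vocabulary. Trigger: Use when creating security audit reports, vulnerability assessments, penetration test documentation, or risk analysis documents. security report, vulnerability report, security audit, penetration test report, risk assessment, 脆弱性レポート, セキュリティ監査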

daishiman/AIWorkflowOrchestrator
2
0
Updated 21h ago

performing-penetration-testing

Marketplace

This skill enables automated penetration testing of web applications. It uses the penetration-tester plugin to identify vulnerabilities, including OWASP Top 10 threats, and suggests exploitation techniques. Use this skill when the user requests a "penetration test", "pentest", "vulnerability assessment", or asks to "exploit" a web application. It provides comprehensive reporting on identified security flaws.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 21h ago

performing-security-testing

Marketplace

This skill automates security vulnerability testing. It is triggered when the user requests security assessments, penetration tests, or vulnerability scans. The skill covers OWASP Top 10 vulnerabilities, SQL injection, XSS, CSRF, authentication issues, and authorization flaws. Use this skill when the user mentions "security test", "vulnerability scan", "OWASP", "SQL injection", "XSS", "CSRF", "authentication", or "authorization" in the context of application or API testing.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 21h ago

dependency-auditing

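A skill that systematizes vulnerability detection, assessment, and remediation planning for dependencies. It organizes CVSS ratings and remediation priorities and supports continuous auditing. Anchors: • CVSS v3.1 Specification / Applies to: severity assessment / Purpose: consistent prioritization • The Pragmatic Programmer / Applies to: automation and continuous improvement / Purpose: audit continuity • OWASP Dependency-Check / Applies to: dependency auditing / Purpose: standardizing vulnerability detection. Trigger: Use when auditing dependencies, evaluating vulnerability reports, prioritizing remediation, or integrating security scans into CI/CD. dependency audit, CVE, GHSA, CVSS, npm audit, pnpm audit, security scanning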

daishiman/AIWorkflowOrchestrator
2
0
Updated 23h ago

input-validation-sanitization-auditor

Identifies and fixes XSS, SQL injection, and command injection vulnerabilities with validation schemas, sanitization libraries, and safe coding patterns. Use for "input validation", "XSS prevention", "SQL injection", or "sanitization".

patricio0312rev/skillset
2
0
Updated 23h ago

performing-penetration-testing

Marketplace

This skill enables automated penetration testing of web applications. It uses the penetration-tester plugin to identify vulnerabilities, including OWASP Top 10 threats, and suggests exploitation techniques. Use this skill when the user requests a "penetration test", "pentest", "vulnerability assessment", or asks to "exploit" a web application. It provides comprehensive reporting on identified security flaws.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 23h ago

performing-security-testing

Marketplace

This skill automates security vulnerability testing. It is triggered when the user requests security assessments, penetration tests, or vulnerability scans. The skill covers OWASP Top 10 vulnerabilities, SQL injection, XSS, CSRF, authentication issues, and authorization flaws. Use this skill when the user mentions "security test", "vulnerability scan", "OWASP", "SQL injection", "XSS", "CSRF", "authentication", or "authorization" in the context of application or API testing.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 23h ago

scanning-for-xss-vulnerabilities

Marketplace

This skill enables Claude to automatically scan for XSS (Cross-Site Scripting) vulnerabilities in code. It is triggered when the user requests to "scan for XSS vulnerabilities", "check for XSS", or uses the command "/xss". The skill identifies reflected, stored, and DOM-based XSS vulnerabilities. It analyzes HTML, JavaScript, CSS, and URL contexts to detect potential exploits and suggests safe proof-of-concept payloads. This skill is best used during code review, security audits, and before deploying web applications to production.

jeremylongshore/claude-code-plugins-nixtla
2
0
Updated 23h ago

exploitation-knowledge

Comprehensive knowledge about vulnerability exploitation and initial access. Provides expertise on finding and adapting exploits, adapting proof-of-concepts, gaining shells, and capturing user flags. Covers reverse shells, file uploads, SQL injection, and RCE vulnerabilities.

CharlesKozel/Pentest-Agent-Evalulator
2
0
Updated 1d ago