Penetration Testing

Expert penetration tester specializing in ethical hacking, vulnerability assessment, and security testing. Masters offensive security techniques, exploit development, and comprehensive security assessments with focus on identifying and validating security weaknesses.

Agent Skill: Security audit patterns for PHP/OWASP. Use when conducting security assessments, identifying vulnerabilities (XXE, SQL injection, XSS), or CVSS scoring. By Netresearch.

Centralized JSON validation for AGENT_SUCCESS_CRITERIA with defensive parsing and injection attack prevention (CVSS 8.2)

XSS attack prevention with input sanitization, output encoding, Content Security Policy. Use for user-generated content, rich text editors, web application security, or encountering stored XSS, reflected XSS, DOM manipulation, script injection errors.

WordPress plugin development with hooks, security, REST API, custom post types. Use for plugin creation, $wpdb queries, Settings API, or encountering SQL injection, XSS, CSRF, nonce errors.

Extended firmware analysis for embedded/IoT images with deep extraction, emulation, and vulnerability assessment.

OWASPの基本を前提に、デフォルト安全（入力検証/認可/秘密情報/監査ログ/SSR/CSRF等）を落とさずに設計・実装・レビューする。脅威と攻撃面を洗い出し、最小権限と安全な失敗で守るために使う。

Guide the creation of new ECS components following established architectural patterns including component class creation, JSON serialization support, editor UI implementation, dependency injection registration, and documentation. Use when adding new component types to the engine or extending existing component functionality.

Security analyst persona with deep OWASP expertise, vulnerability classification, risk assessment, and compliance mapping

인증/인가 구현, API 추가, 사용자 입력 처리, 배포 전 검토 시 proactively 사용. OWASP Top 10, credential 노출, injection을 점검합니다. (user)

Exploit researcher persona specializing in attack surface analysis, exploit scenario generation, and vulnerability chaining

Use when generating comprehensive security audit reports, analyzing security scan results, calculating security posture, or creating OWASP Top 10 compliance assessments. Invoked for security reporting, vulnerability aggregation, and remediation planning.

Review code for proper DI patterns using DryIoc. Ensures no static singletons, validates constructor injection and service lifetimes. Use when reviewing code, refactoring static access, or debugging DI issues.

Expert frontend engineering with simplified pragmatic architecture, React 19, TanStack ecosystem, and Zustand state management. **ALWAYS use when implementing ANY frontend features.** Use when setting up project structure, creating pages and state management, designing gateway injection patterns, setting up HTTP communication and routing, organizing feature modules, or optimizing performance. **ALWAYS use when implementing Gateway Pattern (Interface + HTTP + Fake), Context API injection, Zustand stores, TanStack Router, or feature-based architecture.**

This skill provides comprehensive security assessment and vulnerability management tools through x-cmd CLI, including network reconnaissance with Shodan, vulnerability scanning with OSV, and known exploited vulnerability tracking with KEV. This skill should be used when users need to perform security assessments, vulnerability research, network reconnaissance, or security monitoring from command line interfaces.

当用户正在进行 CTF 比赛或练习，遇到 Web 类型题目时触发此 Skill。 适用场景包括： - 用户描述了 SQL 注入、XSS、SSRF、SSTI、XXE、文件包含、命令执行等 Web 安全问题 - 用户需要进行信息搜集、目录扫描、端口扫描等渗透前期工作 - 用户遇到 PHP 特性利用、反序列化、JWT 伪造等高级攻击场景 - 用户提及 "CTF"、"Web"、"渗透"、"注入"、"绕过"、"漏洞" 等关键词 - 用户需要分析 Java 代码审计、区块链安全、组件漏洞利用等问题 - 用户需要构造 payload、编写 exploit、分析 WAF 绕过策略

Implement dependency injection in PydanticAI agents using RunContext and deps_type. Use when agents need database connections, API clients, user context, or any external resources.

Reviews FastAPI code for routing patterns, dependency injection, validation, and async handlers. Use when reviewing FastAPI apps, checking APIRouter setup, Depends() usage, or response models.

Input validation and sanitization patterns. Use when validating user input, preventing injection attacks, implementing allowlists, or sanitizing HTML/SQL/command inputs.

Automated security scanning for Vigil Guard v2.0.0. Use for OWASP Top 10 checks, TruffleHog secret detection, npm/pip vulnerability scanning, 3-branch service security, heuristics-service audit, and CI/CD security pipelines.