Penetration Testing

Create custom Semgrep rules for vulnerability detection. Use when writing new rules for specific vulnerability patterns, creating org-specific detections, or building rules for novel attack vectors discovered during bug bounty hunting.

Security review and implementation support based on OWASP Cheat Sheet Series. Use for code review requests, security-related implementation/research, and vulnerability checks. Covers security topics such as XSS, SQL Injection, CSRF, and authentication/authorization.

Generate FastAPI endpoint files with Pydantic models, dependency injection, and async handlers. Triggers on "create fastapi endpoint", "generate fastapi router", "python API endpoint", "fastapi route".

Comprehensive security vulnerability scanning. Use when checking for OWASP vulnerabilities, scanning for secrets/API keys, auditing dependencies for CVEs, or running pre-commit security checks.

Manage NuGet/.NET dependencies with enterprise-grade safety: versioning strategy, vulnerability awareness, licensing awareness, and minimizing supply-chain risk. Use when adding/updating packages or changing restore/build behavior.

Use telnet to interact with IoT device shells for pentesting operations including device enumeration, vulnerability discovery, credential testing, and post-exploitation. Use when the user needs to interact with network-accessible shells, IoT devices, or telnet services.

Apply input validation best practices including server-side validation, early failure, specific error messages, and input sanitization. Use this skill when validating user input in n8n nodes, implementing parameter validation, checking data types and formats, sanitizing input to prevent injection attacks, or writing business rule validation. Apply when handling API endpoints, form inputs, or any data entry points in n8n node development.

Tracks untrusted input propagation from sources to sinks in binary code to identify injection vulnerabilities. Use when analyzing data flow, tracing user input to dangerous functions, or detecting command/SQL injection.

This skill should be used when the user asks about "browser tools", "DOM manipulation", "element labeling", "screenshot", "script injection", "page navigation", "browser automation", or needs to work with browser-related functionality in XSky.

Guide for creating and configuring custom OpenCode commands. Use this skill when you need to extend OpenCode capabilities, add custom workflows, or understand how to define commands with templates, arguments, and context injection.

Node.js/Express/TypeScript microservices development. Layered architecture (routes → controllers → services → repositories), BaseController, error handling, Sentry monitoring, Prisma, Zod validation, dependency injection. USE WHEN creating routes, controllers, services, repositories, middleware, API endpoints, database access, error tracking.

Architect and implement skills following the Reduce & Delegate (R&D) philosophy. This skill guides creation of both Type 1 (Model-Invoked) "Brain" skills for knowledge injection and Type 2 (Executable) "Hands" skills for deterministic automation, implementing progressive disclosure and structured output patterns.

API 보안 및 입찰 데이터 보호 검토 - Rate Limiting, CSRF, RLS, OWASP Top 10

Sanitizing and validating user input to prevent XSS, injection attacks, and security vulnerabilities in TypeScript applications

[Extends backend-developer] Python FastAPI specialist. Use for FastAPI apps, async endpoints, Pydantic v2, SQLAlchemy async, dependency injection. Invoke alongside backend-developer for Python API projects.

Identify vulnerability class, analyze root cause, and plan exploitation strategy.

Implement comprehensive input validation with server-side security, client-side UX feedback, sanitization, and consistent error messages. Use this skill when validating user input in forms, API endpoints, or data processing. When writing validation rules for data types, formats, ranges, or required fields. When sanitizing input to prevent injection attacks (SQL, XSS, command injection). When providing field-specific error messages to users. When implementing validation at system boundaries like API endpoints or background jobs.

セキュアな開発・運用のための実装指針、機密情報管理、通信の確保、入力値検証、依存ライブラリ管理のガイドラインを定義する。セキュリティ実装時、認証・認可実装時、API開発時、またはユーザーがセキュリティ、機密情報、暗号化、XSS対策、SQL injection、脆弱性管理に言及した際に使用する。

This skill should be used when the user asks about "design patterns", "SOLID principles", "factory pattern", "strategy pattern", "observer pattern", "composition vs inheritance", "Pythonic design", "singleton alternatives", "anti-patterns", "dependency injection", or needs guidance on applying Gang of Four patterns idiomatically in Python.

Autonomous penetration testing coordinator using ReAct methodology. Automatically activates when user provides a target IP or asks to start penetration testing. Orchestrates reconnaissance, exploitation, and privilege escalation until both user and root flags are captured. (project)