Found 743 Skills
Apply when scoping, reviewing, or documenting cross-cutting VTEX commerce architecture across storefront, IO, headless, marketplace, payments, or any other VTEX module. Grounds work in the Well-Architected Commerce framework—Technical Foundation (reliability, trust, integrity; security, infrastructure, compliance), Future-proof (innovation, simplicity, efficiency; scalable and adaptable solutions), and Operational Excellence (accuracy, accountability, data-driven improvement; process and customer experience). Routes implementation detail to product tracks (IO caching and paths, Master Data strategy, marketplace integrations). Use for solution design, architecture reviews, and RFP-level technical structure.
Override built-in Markstream node renderers and add trusted custom tags. Use when Codex needs to apply `setCustomComponents`, keep overrides scoped with `customId`, map override keys like `image`, `code_block`, `mermaid`, or `link`, or wire `customHtmlTags` and nested renderers for tags such as `thinking`.
MUST USE for anything related to mise, development tool versions, or dev environment setup. Triggers: (1) User mentions mise, mise.toml, .tool-versions, or mise commands like 'mise use', 'mise install', 'mise run'. (2) User wants to install, switch, pin, upgrade, or check versions of dev tools — node, python, go, ruby, java, rust, etc. — at project or global level, even without mentioning mise (e.g. 'set up node 22', 'what python version', 'upgrade go', 'check for outdated tools', 'configure dev environment'). (3) User wants to manage per-project environment variables via config files (e.g. 'add DATABASE_URL env var', 'set up env vars for different environments'). (4) User wants to define or run project tasks via mise (e.g. 'create a build task', 'run tests with mise'). Do NOT trigger for: Dockerfiles, package.json scripts, Makefiles, nvm/pyenv/rbenv commands, pip/npm package installation, git tags, CI/CD config, or deployment.
Insecure deserialization playbook. Use when Java, PHP, or Python applications deserialize untrusted data via ObjectInputStream, unserialize, pickle, or similar mechanisms that may lead to RCE, file access, or privilege escalation.
API authentication and JWT abuse playbook. Use when testing bearer tokens, API keys, claim trust, header spoofing, rate limits, and API auth boundary weaknesses.
Use this skill whenever performing security threat modeling, attack surface mapping, or trust boundary analysis on a codebase. Triggers on 'threat model', 'security review', 'attack surface', 'trust boundaries', or when assessing a project's security posture. Also trigger when the user is about to build security-sensitive features (auth, crypto, file I/O, network services, native bridges) and needs to understand the threat landscape first — even if they don't explicitly say "threat model." Also triggers on 'what changed' or 'diff analysis' for incremental security review of recent commits.
Security auditor for Claude Code skills and agent definitions. Scans a skill or agent directory for prompt injection, data exfiltration, privilege escalation, memory poisoning, obfuscation, malicious persistence, and 12 other threat categories (18 total). Returns a graded verdict (OK / WARNING / CRITICAL) with detailed findings. Use this skill whenever you need to audit, review, or validate the safety of a skill, an agent definition, a system prompt, or any set of instruction files before installing or trusting them. Also use it when the user mentions security scanning, threat detection, prompt injection checking, or wants to verify that a skill is safe. Triggers on: /maton, "audit this skill", "is this skill safe", "check for injection", "scan for threats", "review this agent", "security check".
Building decay and upkeep systems for survival games. Use when implementing timer-based decay, Tool Cupboard patterns (Rust-style protection radius), resource upkeep costs, or server performance management through automatic cleanup. Balances gameplay and server health.
Creates isolated Linux MicroVMs using Vercel Sandbox SDK. Use when building code execution environments, running untrusted code, spinning up dev servers, testing in isolation, or when the user mentions "sandbox", "microvm", "isolated execution", or "@vercel/sandbox".
Orchestrates the Security Ecosystem by running security-auditor and adaptive-guard in the correct order. Manages audit phases, trust scoring, guard activation, incident response, and calibration. Trigger on 'security orchestrator', 'run security', 'audit and guard', or 'security workflow'.
Grassroots-first campaign design for anyone being outspent — startups vs. incumbents, NGOs vs. corporate comms, movements vs. state-backed machines, solo brands vs. big-budget competitors. Ideates awareness, launch, fundraising, mobilization, community-build, counter-narrative, referral, founder-story, and coalition campaigns. Triggers on "campaign plan", "marketing strategy", "ad budget", "should I advertise", "paid vs organic", "launch plan", "grassroots", "low budget marketing", "NGO campaign", "outspent", "competitor has bigger budget", "how do I compete without money". Also trigger on any spend asymmetry, collapsing organic reach, rising CPAs, or a trust/credibility problem — even without the word "campaign". Nudge activation when the user debates buying ads, boosting posts, or hiring influencers; they are likely about to burn money on a channel that will not persuade.
Generate a comprehensive, structured learning guide for any technical topic or technology. Use this skill whenever a user wants to learn a new technology, programming language, framework, tool, or concept — even if they phrase it casually (e.g., "teach me Rust", "how do I get started with Kubernetes", "I want to learn React", "help me understand GraphQL", "give me a roadmap for learning Docker"). This skill covers concept identification and categorization, weekly study schedules, local dev setup, concept explanations with examples, exercises, popular libraries, project ideas, and resources. Trigger for any "how do I learn X", "roadmap for X", "getting started with X", "study plan for X", or "teach me X" request — even if they don't explicitly ask for a guide or roadmap.