Found 1,060 Skills
Performs API inventory and discovery to identify all API endpoints in an organization's environment including documented, undocumented, shadow, zombie, and deprecated APIs. The tester uses passive traffic analysis, active scanning, DNS enumeration, JavaScript analysis, and cloud resource inventory to build a comprehensive API catalog. Maps to OWASP API9:2023 Improper Inventory Management. Activates for requests involving API discovery, shadow API detection, API inventory audit, or attack surface mapping.
Use when the user has a video + an SRT and wants the subtitles either burned into the pixels (libass, always-visible) or soft-muxed as a togglable track. Also handles the final composite step for the localization pipeline — burn subs, mix a dub track, and keep the original audio as a low-volume bed, all in ONE ffmpeg encode (no cascade). Verifies libass availability and auto-downloads a static evermeet ffmpeg build when Homebrew's stripped binary lacks it. Triggers — "烧字幕", "硬字幕", "burn subtitles", "burn-in subs", "embed subtitle", "soft mux SRT", "把字幕烧进视频", "做最终合成".
Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gates, human-tone writing, templates by vuln class, CVSS 3.1, PoC generation, always-rejected list, conditional chain table, submission checklist). Use for ANY bug bounty task — starting a new target, doing recon, hunting specific vulns, auditing source code, testing AI features, validating findings, or writing reports. Chinese trigger words: 漏洞赏金、安全测试、渗透测试、漏洞挖掘、信息收集、子域名枚举、XSS测试、SQL注入、SSRF、安全审计、漏洞报告
Guides beginner-to-intermediate developers through web development, Claude Code skills creation, and AI-assisted coding workflows. Use when the user asks about "vibe coding," "learning to code," "web development basics," "Claude skills," "building websites," "frontend," "backend," or wants help with HTML, CSS, JavaScript, or deployment.
Refactor Express.js/Node.js code to improve maintainability, readability, and adherence to best practices. Transforms callback hell, fat route handlers, and outdated patterns into clean, modern JavaScript/TypeScript code. Applies async/await, controller-service-repository architecture, proper middleware patterns, and ESM modules. Identifies and fixes anti-patterns including blocking event loop, improper error handling, forEach with async callbacks, and memory leaks.
Browser automation and E2E testing with Playwright. Auto-detects dev servers, writes clean test scripts. Test pages, fill forms, take screenshots, check responsive design, validate UX, test login flows, check links, automate any browser task. Use for cross-browser testing, visual regression, API testing, component testing in TypeScript/JavaScript and Python projects.
Integrates the Gleap customer feedback SDK into projects. Detects the platform (JavaScript, iOS, Android, React Native, Flutter, Ionic Capacitor, Cordova, FlutterFlow) and guides through installation, initialization, permissions, and common API usage like user identification and event tracking. Use when adding Gleap, setting up feedback SDK, or integrating Gleap SDK.
MeshJS patterns: tx building, wallet connectors, script interactions. TypeScript/JavaScript Cardano development.
Generate professional Mermaid diagrams with multiple themes, SVG/ASCII output, batch rendering, and a built-in template library for common diagram patterns. Supports flowcharts, sequence diagrams, class diagrams, state diagrams, ER diagrams, C4 architecture, and Gantt charts.
Guides commercial contract review and negotiation support for B2B agreements—MSAs, SaaS/order forms, vendor and customer contracts, DPAs, SLAs, limitation of liability, indemnity, IP, payment terms, and redline/issue logs with business impact notes. Use when reviewing or negotiating commercial terms, comparing vendor or customer paper, drafting negotiation positions, or triaging contract risk before sign-off—not for SOC/ISO GRC programs or vendor questionnaire ops (compliance-specialist), technical audit evidence (compliance-engineer), revenue recognition under ASC 606 (senior-revenue-accountant), or product requirements (business-analyst), strategy (business-consultant). Corporate/board: corporate-counsel. AI architecture for contract review: applied-ai-architect-commercial-enterprise. M&A economics mandate: transaction-principal. Drafting assistance only; human counsel must approve.
Optimize web performance for faster loading and better user experience. Use when asked to "speed up my site", "optimize performance", "reduce load time", "fix slow loading", "improve page speed", or "performance audit".
Comprehensive skills for working with @hairy/utils core utilities