aeondave
376 verified skills1,008 total stars
adaptixc2-dev
Auth/lab dev: AdaptixC2 extenders; agents, listeners, services, AxScript UI, configs, protocols, templates, build/validation workflows.
development4
osint-ctf
Lab/CTF: OSINT challenges; people/usernames/email, domains/infra, images/video/geolocation, DNS/archive/social/public records.
testing4
linux-internals-dev
Auth/lab dev: Linux internals; ELF loader, procfs, namespaces/caps, eBPF verifier/maps, LSM hooks for tooling/telemetry design.
tools4
c-bof
Auth/lab dev: C BOF engineering; entrypoint/linking, DFR, heap/state, multi-mode design, embedded data, build/test constraints.
development4
edr-evasion-dev
Auth/lab dev: Windows detection-resilience research; syscall dispatch, stack traces, sleep-state, memory permissions, ETW/AMSI telemetry tradeoffs.
development4
writeup-ctf
Lab/CTF: reproducible writeups; solved notes, command logs, artifacts, proof output, solver scripts, final reports, evidence checks.
testing4
misc-ctf
Lab/CTF: misc challenges; jails, encodings, esolangs, VMs, DNS oddities, Linux puzzles, Unicode, QR/audio, multi-stage artifacts.
development4
forensics-ctf
Lab/CTF: forensics/stego challenges; disk, memory, PCAP, EVTX/logs, archives, media, firmware-like blobs, evidence recovery.
development4
agentic-offensive-orchestration
Coordinate scoped offensive-security work across subagents, MCP tools, or serial workstreams. Use for pentest/red-team routing, CTF/lab solving, recon/research/forensic/exploit/reverse/cloud/mobile/OSINT/crypto splits, tool/skill curation, and large evidence-heavy tasks with independent decision boundaries. Avoid for simple one-step commands or single-role tasks where orchestration adds overhead.
tools4
evidence-before-claims
Evidence gate for security research, scanner triage, code review, and reporting. Use before confirming vulnerability impact, auth material, control results, cleanup, or root cause.
development4
game-ctf
Lab/CTF: game/GamePwn challenges; Unity Mono/IL2CPP, native game binaries, assets, save files, memory dumps, game network captures.
tools4
mobile-ctf
Lab/CTF: mobile challenges; APK/AAB/IPA, Android backups, DEX/smali, SQLite/XML/keystore, Unity/IL2CPP, mobile forensics.
data-ai4
hardware-technique
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
development4
ics-technique
Offensive methodology for ICS/OT/SCADA environments in authorized industrial penetration testing and red team operations. Use when assessing PLCs, RTUs, HMIs, engineering workstations, historians, or field devices running Modbus, DNP3, EtherNet/IP, S7comm/S7+, Profinet, IEC 60870-5-104, BACnet, or OPC-UA. Covers passive OT network enumeration, protocol-level device interrogation, PLC coil/register read-write attacks, HMI session exploitation, historian and engineering workstation compromise, and safe escalation rules for critical infrastructure scope. Does not cover: general IT network exploitation (network-technique), physical hardware interfaces UART/JTAG/SPI (hardware-technique), wireless sensor network attacks (wireless-technique), RF/SDR signal analysis (hardware-ctf or wireless-technique), or CTF-framed ICS lab tasks (ics-ctf).
development4
game-technique
Offensive methodology for authorized game security assessments, game client security research, and game-adjacent penetration testing in real-world engagements. Use when assessing game clients for cheating vulnerabilities, testing anti-cheat effectiveness, auditing game server protocols for score manipulation or economic fraud, reverse engineering game DRM or license validation, analyzing game save file protection, or assessing game mod/plugin security. Covers: process memory scanning and manipulation (Cheat Engine methodology), game binary reversing for license and DRM bypass, game network protocol analysis and packet replay, anti-cheat mechanism analysis, save file format reversing and tampering, speed hack and value injection techniques. Does NOT cover: CTF game challenges (game-ctf), game engine source code auditing (web-exploit-technique or vuln-search-technique for the backend), or general binary exploitation (pwn-ctf or reversing-technique).
tools4
osint-technique
Open-source intelligence (OSINT) methodology bridging systematic research workflow with online tool discovery and API leverage. Covers target definition, source prioritization, online research across people/identity, infrastructure, breach data, geospatial/media analysis, and threat actor tracking. Use when conducting reconnaissance against a target person/organization/domain/infrastructure, investigating breach impacts, tracing cryptocurrency flows, geolocating events, or mapping an attack surface using only public online sources. Methodology-first: what to research first, which online sources answer that question, and how to synthesize findings rather than tool recipes.
tools4
mobile-technique
Mobile application security testing methodology for Android and iOS: static analysis (decompilation, manifest review, hardcoded secrets), dynamic analysis (Frida hooking, objection, traffic interception, SSL pinning bypass), storage analysis, root/jailbreak detection bypass, and API testing. Use when testing mobile applications during authorized security assessments.
development4
asm-offensive-patterns
Auth/lab ASM patterns; x86-64/ARM64, syscalls, SSN resolution, stack traces, PEB/IAT-free lookup, PIC data access, ETW/AMSI telemetry, BOF/loader review.
data-ai4
bore
ekzhang/bore: minimal Rust-based reverse TCP tunnel exposing a local port through a public relay (default bore.pub) or a self-hosted server, with optional HMAC `--secret` auth. Use when you need a fast, raw TCP ingress endpoint for callback listeners, payload hosting on arbitrary ports, reverse shell handlers, OAST collectors, C2 staging, or pivoting into NAT'd lab environments during authorized red-team or pentest engagements. Not for covert persistence, unauthorized exposure of third-party services, or HTTP/TLS termination — for HTTPS with debugger features use pinggy/ngrok/cloudflared, for SOCKS pivoting over a compromised host use chisel/ligolo-ng.
development4
webhook-site
webhook.site: hosted out-of-band application security testing (OAST) collector — instantly generates a unique HTTPS URL plus DNSHook subdomain that records every HTTP request and DNS query, with a Web UI, JSON API, and the `whcli` Node/Docker companion for `forward` (relay captured traffic to a local target) and `exec` (run a local command per request). Use during authorized testing for blind SSRF, blind XXE, blind XSS, blind RCE / DNS exfil, OAuth/SAML redirect inspection, webhook integration debugging, phishing-callback validation, supply-chain template injection, and any callback channel that needs a public HTTPS endpoint with full request introspection. Not for unauthorized data interception, third-party traffic relay, or covert long-term C2 — for raw TCP use bore, for HTTPS tunnels to a local app use pinggy/ngrok, for self-hosted OAST use interactsh.
tools4
offensive-windows-ad-role
Vertical operator role for scoped Windows, Active Directory, Kerberos, AD CS, credential, relay, share, and lateral-movement paths. Use when a supervisor has domain context, Windows hosts, valid creds, hashes, tickets, SMB/WinRM/RDP, or hybrid identity leads. Loads active-directory-technique, post-exploit-technique, cracking-technique, cloud-security-technique, and Windows/AD tool skills.
tools4
codemachine-template
Create, validate, and structure CodeMachine AI orchestrator workflow packages. Use when the user asks to build a CodeMachine workflow, write a .workflow.js file, define agents for CodeMachine, scaffold a codemachine package, or create multi-agent pipelines with CodeMachine CLI. Also triggers for: codemachine template, codemachine workflow design, main.agents.js, sub.agents.js, modules.js, resolveStep, resolveModule, directive.json, codemachine.json. Does NOT cover general Claude API usage or non-CodeMachine orchestration frameworks.
tools4
offensive-supervisor-role
Supervise scoped offensive-security work across agents, operators, or serial workstreams. Use for red-team/pentest planning, recon/research/forensic/vuln/exploit/reverse/cloud/mobile/OSINT/crypto routing, attack-chain design, task packets, evidence review, and large skill/tool curation. Avoid for simple one-step fixes or tool syntax questions where orchestration adds overhead.
tools4
offensive-web-role
Vertical operator role for scoped web, API, browser, and application exploitation. Use when a supervisor needs authenticated app mapping, request replay, vulnerability validation, exploit chain design, or evidence-backed impact for OWASP-style issues. Loads web-exploit-technique, vuln-search-technique, vuln-exploit-technique, and precise web tool skills.
tools4
offensive-osint-role
Scoped routing: OSINT operator; domains, identities, email, breach/code/cloud hints, social footprint, passive evidence packages.
development4
offensive-recon-role
Scoped routing: recon operator; passive/active asset mapping, hosts/services, web/cloud/email/DNS exposure, prioritized target package.
development4
offensive-linux-pivot-role
Vertical operator role for scoped Linux footholds, local privilege escalation, credential/key discovery, service discovery, tunneling, pivoting, containers, and internal movement. Use when a supervisor has a Linux shell, SSH access, container workload, internal subnet, or Unix service path. Loads post-exploit-technique, network-technique, cloud-security-technique, cracking-technique, and Linux/pivot tool skills.
tools4
offensive-crypto-role
Scoped routing: crypto operator; ciphertexts, keys, signatures, tokens, hashes, weak RNG, protocol math, recovery/audit evidence.
testing4
offensive-researcher-role
Scoped routing: research operator; CVEs, advisories, PoCs, commits, writeups, applicability judgment, negative findings, source evidence.
documentation4
pwn-ctf
Lab/CTF: pwn/binary challenges; native binaries, memory corruption, format strings, heap/ROP/SROP, shellcode artifacts, seccomp, kernel labs.
development4
rop-development-dev
Auth/lab dev: ROP chain research; gadget quality, calling conventions, pivots, leak-first ASLR labs, NX/DEP modeling, reliability.
development4
offensive-linux-role
Scoped routing: Linux operator; hosts, sessions, users, services, packages, logs, containers, SSH, network paths, privilege evidence.
data-ai4
offensive-cloud-role
Scoped routing: cloud/SaaS/IAM operator for authorized assessments; auth material, buckets, metadata, containers, workload identity, evidence handoff.
devops4
offensive-forensic-role
Scoped routing: forensic operator; disk, memory, PCAP, logs, archives, media/stego, mobile/cloud snapshots, timeline/evidence handoff.
development4
offensive-mobile-role
Scoped routing: mobile operator; APK/IPA, device/emulator, storage, auth, traffic, crypto, privacy, static/dynamic evidence.
development4
offensive-reverse-role
Scoped routing: reverse operator; binaries, malware/config triage, firmware/protocol formats, patch deltas, behavior and IOC evidence.
development4
reverse-ctf
Lab/CTF: reverse challenges; compiled binaries, bytecode, mobile/firmware, custom VMs, packed samples, anti-debug, validators.
development4
sleep-masking-dev
Auth/lab dev: sleep-state research; timers/APC/waitable timers, memory-at-rest, permission transitions, key lifecycle, reliability checks.
development4
crypto-ctf
Lab/CTF: crypto challenges; ciphertexts, keys, signatures, oracles, transcripts, PRNG, RSA/ECC/lattice/math protocol code.
development4
shellcode-dev
Auth/lab dev: shellcode-format engineering; PIC, ABI, syscalls, encoders, memory permissions, reflective-loader labs, emulator validation.
development4
blockchain-ctf
Lab/CTF: blockchain/Web3 challenges; Solidity/Vyper/EVM, ABI, storage, calldata, proxies, delegatecall, tx traces, Foundry/Hardhat.
development4
heap-exploitation-dev
Auth/lab dev: heap exploitability research; glibc/musl/Windows allocators, UAF/double-free/overflow models, heap shaping, mitigations.
development4
hardware-ctf
Lab/CTF: hardware/embedded/RF challenges; Saleae/sigrok traces, UART/I2C/SPI/CAN/JTAG/SWD/USB/BLE/RF, firmware, side-channel data.
data-ai4
cloud-ctf
Lab/CTF: cloud security challenges; AWS/GCP/Azure creds, buckets, IAM, metadata, KMS/secrets, snapshots, object versions, identity chains.
testing4
stack-exploitation-dev
Auth/lab dev: stack exploitability research; frame layout, canaries, ret2libc/ROP/SROP/JOP paths, mitigations, data-only outcomes.
development4
stack-spoofing-dev
Auth/lab dev: Windows call-stack research; unwind metadata, synthetic frames, NtContinue, thread-pool traces, gadget constraints.
development4
ics-ctf
Lab/CTF: ICS/OT protocol challenges; Modbus, DNP3, BACnet, S7, OPC UA, MQTT, PLC/HMI data, registers/coils, safe read-only reasoning.
data-ai4
skill-creator
Design, create, update, and package Agent Skills following the open AgentSkills specification (agentskills.io). Use when asked to create a new skill, improve an existing skill, scaffold a skill directory, validate a SKILL.md, or package a skill into a distributable .skill file.
testing4
1337
Mode: /1337 compressed output; exact terms, evidence, warnings, verification. Use for no-fluff terse replies; not a security bypass.
testing4
fsop-dev
Auth/lab dev: glibc FILE/FSOP exploitability research; libio structures, vtables, wide data, trigger paths, mitigation-aware modeling.
development4
ai-ml-ctf
Lab/CTF: AI/ML challenges; model artifacts, checkpoints, embeddings, LoRA, classifiers, model APIs, RAG/tool-use, adversarial ML.
tools4
windows-internals-dev
Auth/lab dev: Windows internals; PEB/TEB, PE/COFF, syscalls, unwinding, memory/heap, tokens, kernel objects, ETW/AMSI telemetry.
development4
cpp-bof
Auth/lab dev: C++ BOF engineering; RAII/templates, DFR, COM/GDI+, dual-build layouts, runtime constraints, build/test workflow.
development4
indirect-syscall-dev
Auth/lab dev: Windows syscall-dispatch research; SSN resolution, indirect gates, ntdll stubs, gadget scanning, stack-spoof integration.
development4
offensive-exploit-role
Scoped routing: exploitability operator; CVE applicability, crash analysis, PoC repro, fuzz findings, module reliability in lab scope.
research4
malware-ctf
Lab/CTF: malware-analysis challenges; obfuscated scripts, PE/.NET/ELF, shellcode artifacts, memory/PCAP, configs, encrypted traffic.
development4
web-ctf
Lab/CTF: web challenges; HTTP apps, APIs, browser clients, auth, uploads, SSRF, XSS, SQLi, SSTI, XXE, deserialization, smuggling.
tools4
malware-analysis
Malware-analysis workflow; suspicious PE/ELF/Mach-O/APK/docs/scripts, static/dynamic triage, strings, disassembly, YARA, configs, IOCs, reports.
testing4
hypothesis-driven
Investigation discipline for extremely complex problems where the root cause, exploit path, or solution is unknown: hard bugs, flaky systems, CTF challenges, reverse engineering puzzles, incident triage, multi-system failures, and research questions backed by data. Forces explicit hypothesis generation, falsifiable predictions, prioritized experiments, and evidence-based iteration instead of trial-and-error patching or confirmation-biased reasoning. Use when symptoms are far from causes, when guesses keep failing, or when a problem spans tools, layers, or unknowns that defeat linear debugging.
tools3
cve-search
Enumerate CVEs for a vulnerability class, find credible public PoC references with GitHub preferred, verify collected URLs, and write structured Markdown evidence for downstream use. Use when asked to build or refresh a CVE list, PoC tracker, exploit reference sheet, or vulnerability-type digest from public sources.
development3
massdns
High-performance DNS resolver for bulk subdomain resolution. Use when you have a large subdomain list and need to resolve all entries quickly using public resolvers.
data-ai3
agentic-offensive-orchestration
Coordinate multi-agent or multi-threaded offensive-security research and development work. Use for scoped recon analysis, exploit triage, payload/tool development, code review, and large skill curation tasks that can be split into independent subproblems. Avoid for simple one-step tasks where orchestration adds overhead.
tools3
keras
Keras model loading and structure-inspection workflow for `.keras`, SavedModel, and HDF5 artifacts. Use when you need to inspect layers, summaries, configs, weights, or quick inference behavior from TensorFlow/Keras model files.
data-ai3
rsactftool
RSA attack automation tool for weak public keys. Use when targeting RSA key recovery or plaintext recovery from public data (n, e, ciphertext, partial leaks). Covers attack triage, selective attack execution (Wiener, Hastad, Boneh-Durfee, factorization families), and result validation workflows.
tools3
revshells
Reverse shell one-liner generator (web UI and CLI) supporting 50+ shells. Use when quickly generating encoded reverse shell payloads for bash, Python, PowerShell, PHP, and other languages during exploitation.
tools3
arduino
Build, review, debug, and scaffold professional Arduino projects across classic AVR boards (`Uno`, `Nano`, `Mega`), Renesas-based R4 boards (`Uno R4 Minima`, `Uno R4 WiFi`, `Nano R4`), ESP32-based Arduino boards, and other common Arduino-family targets. Use when asked for sketches, `.ino` files, Arduino IDE 2, Arduino CLI, PlatformIO, or Arduino Cloud workflows, board-specific pin maps, wiring/BOM notes, unit tests, debug plans, upload/serial monitor troubleshooting, or refactors that must stay practical on real hardware.
tools3
network-technique
Technique-first network investigation methodology for incident-driven triage, service exposure mapping, traffic analysis, and pivoting across scan, packet, and protocol logs. Use when you need to choose the right network tool family per case, reconstruct attacker movement, and produce evidence-backed conclusions without turning the skill into a per-tool command manual.
tools3
phishing-technique
Phishing infrastructure and campaign methodology for authorized red team engagements: domain reconnaissance (dnstwist), GoPhish campaign management, Evilginx2 adversary-in-the-middle setup, email authentication (SPF/DKIM/DMARC), template design, pretext development, and campaign metrics. Use when setting up phishing infrastructure, configuring Evilginx2 or GoPhish, or building phishing campaigns during authorized social engineering assessments.
development3
rust-performance
Rust performance workflow: benchmark and profile first, identify hotspots, reduce allocations and contention, improve data layout, tune release profiles, and verify gains with repeatable evidence. Use only after you have a real Rust performance symptom, regression, or hotspot in `.rs` code.
development3
beef
Browser Exploitation Framework — hook browsers via XSS/injected JS and perform client-side attacks. Use when you have XSS on a target to pivot into browser-side attacks, session hijacking, and social engineering.
tools3
mftecmd
NTFS metadata triage with MFTECmd for $MFT/$J/$I30/$Boot artifacts. Use when reconstructing file timelines, finding deleted/hidden files, checking entry-number-based questions, and extracting deterministic metadata from Windows disk artifacts for incident reconstruction.
testing3
solc
solc: Solidity compiler for generating ABI, bytecode, metadata, and standard-json outputs. Use when compiling smart contracts directly, validating compiler settings, producing artifacts for audit tooling, or reproducing builds outside a framework wrapper.
tools3
fcrackzip
fcrackzip: ZIP password-cracking utility for dictionary and brute-force attacks. Use when you need a focused CLI workflow against password-protected ZIP archives before escalating to heavier cracking stacks.
tools3
vuln-search-technique
Active vulnerability discovery methodology for AI agents. Covers the full find loop: service version fingerprinting, CVE correlation and prioritization, automated scanner orchestration (nuclei/nikto/openvas), nmap NSE script probing, targeted tool scanning (testssl/wpscan/sqlmap probe), fuzzing integration, and manual logic review. Use when you have a scoped target inventory from recon and need to systematically identify exploitable vulnerabilities before attempting initial access.
tools3
wireless-technique
Wireless attack methodology for 802.11 (Wi-Fi) and Bluetooth/BLE environments. Covers passive survey, WPA2/WPA3 handshake capture, PMKID attack, deauthentication, evil twin / captive portal attacks, WPS exploitation, BLE enumeration, and credential handoff to cracking or post-exploitation. Use when assessing wireless network security or gaining initial access via RF attack surface.
testing3
web-exploit-technique
Exploitation methodology for web application vulnerabilities confirmed in vuln-search-technique. Covers injection exploitation (SQLi full chain, SSTI-to-RCE, XXE data extraction, command injection), auth attacks (JWT manipulation, OAuth bypass, cookie tossing, session hijacking), SSRF escalation (cloud metadata, internal pivoting), XSS impact (session theft, phishing, keylogging, mXSS context), file upload to RCE, deserialization chain execution, WAF bypass strategies, request smuggling, and parser/protocol confusion chains. Use when you have a confirmed web vulnerability class and need to exploit it to gain access, extract data, or escalate impact. Integrates with atomic skills: command-injection, reflected-xss, dom-xss, open-redirect, lfi, upload-rce, weak-session-ids, token-bypass, csp-bypass, backend-state-diagnostics.
development3
pacu
pacu: modular AWS exploitation framework for authorized cloud assessments. Use when you have valid AWS credentials and need guided enumeration, privilege-escalation discovery, service abuse modules, attack logging, and repeatable session-based workflows across AWS accounts and regions.
development3
openssl
OpenSSL CLI for encryption, decryption, digesting, certificate inspection, and key handling. Use when working with PEM/DER material, password-based symmetric crypto, TLS certificates, RSA key sanity checks, or quick cryptographic transformations from the shell.
tools3
factordb
FactorDB: public factorization database and simple JSON API for checking whether integers are prime, composite, or already factored. Use when triaging RSA moduli, large composites, or challenge numbers before spending local compute on factoring.
development3
sagemath
Computer algebra and number-theory environment for cryptanalysis scripting. Use when crypto tasks require finite fields, polynomial rings, elliptic curves, lattice reduction (LLL), small-roots methods, symbolic algebra, or direct Sage-powered Python scripts (.sage / sage.all).
development3
foundry-cast
Foundry cast: command-line utility for interacting with Ethereum-compatible chains. Use when you need to query balances, call read-only functions, inspect bytecode or storage, encode/decode ABI data, or send transactions during authorized blockchain lab and audit workflows.
tools3
vuln-research
Exploit research workflow for a target software version or CVE: triage CVSS severity, find public PoCs on NVD/sploitus/PoC-in-GitHub/ExploitDB, assess exploitability, and locate Metasploit modules. Use when you have a software version or CVE and need to determine if a public exploit exists and whether it is practical to use.
research3
evtxecmd
Windows EVTX parsing and timeline extraction with EvtxECmd. Use when investigating PowerShell activity, process execution traces, account events, and security-control tampering from exported event logs, with deterministic CSV/JSON output for incident reconstruction.
testing3
exiftool
exiftool: metadata extraction, copy, conversion, and editing utility for images, video, documents, archives, executables, and many other file types. Use when investigating EXIF, GPS, XMP, IPTC, embedded previews, sidecar metadata, or batch metadata manipulation in forensic, OSINT, or content-processing workflows.
tools3
networkminer
Network artifact extraction from PCAP files with NetworkMiner. Use when reconstructing sessions, extracting transferred files, parsing credentials/metadata, and accelerating incident investigations where packet-level context must be converted into host, protocol, and object-level evidence.
testing3
saleae-logic-2
Saleae Logic 2 capture and export workflow for `.sal` traces, raw CSV export, analyzer-table export, and automation API control. Use when you need to inspect or convert Saleae captures, script analyzer exports, or bridge hardware traces into text or CSV for later protocol analysis.
tools3
wireshark
Wireshark: network and wireless protocol analyzer for capturing and inspecting packets. Use when analysing pcap files, triaging network-forensics evidence, capturing live traffic, following streams, extracting files or credentials from captures, inspecting 802.11 management/data traffic, reviewing EAPOL or WPA-Enterprise handshakes, or investigating network anomalies during red team operations. CLI equivalent: tshark.
tools3
report-generation-technique
Penetration test report generation methodology: executive summaries, detailed findings with CVSS scoring, attack narratives, MITRE ATT&CK mapping, and remediation guidance. Use when writing penetration test reports, compiling findings into professional documentation, or creating executive summaries for security assessment deliverables.
testing3
cyberchef
Web-based data transformation and crypto analysis workbench. Use when rapidly decoding layered encodings, transforming binary/text formats, prototyping crypto/decode pipelines, or sharing reproducible recipes. Covers browser workflow, deep-link recipes, Magic heuristics, and Node API automation handoff.
tools3
recon-technique
Technique-first reconnaissance methodology for mapping an attack surface before active testing. Covers passive collection (zero target contact), active enumeration (controlled probing), the iterative transition between phases, and how to produce a prioritized attack plan for vulnerability scanning. Use when you need to scope a target, identify high-value entry points, and decide where to invest deeper analysis.
testing3
social-engineering-technique
Social engineering methodology for authorized red team engagements: pretext development, phishing campaign design, vishing, physical social engineering, target research, and security awareness metrics. Use when planning social engineering campaigns, designing pretexts, or assessing human-factor security controls during authorized engagements.
development3
name-that-hash
Name-That-Hash: hash-identification helper for narrowing candidate algorithms before cracking. Use when you have unknown hash strings and need fast guesses, likely modes, or follow-on direction into `john`, `hashcat`, or archive-password workflows.
tools3
hydra
Online brute-force and password spraying tool supporting 50+ protocols (SSH, HTTP, FTP, SMB, RDP, WinRM, and more). Use when asked to brute-force logins, perform password spraying, test default credentials, or attack authentication on any network service.
tools3
john
CPU-based password cracker supporting hundreds of hash formats with wordlist, rules, and incremental modes. Use when cracking hashes offline with CPU resources, applying mangling rules, or when GPUs are unavailable.
development3
vuln-exploit-technique
Methodology for exploiting confirmed vulnerabilities to achieve initial access. Covers the full exploit loop: research and source selection, exploit adaptation and reliability validation, framework-based exploitation (Metasploit), tool-based exploitation (sqlmap/commix/xsstrike/metasploit modules), manual exploit development in Python/C, payload generation and delivery, and post-exploitation handoff. Use after vuln-search-technique has produced a confirmed, prioritized vulnerability list.
tools3
metasploit
Full exploit framework: search and run exploits, generate payloads with msfvenom, manage sessions, and run post-exploitation modules. Use when exploiting known CVEs, generating shellcode or staged payloads, pivoting through compromised hosts, or running post-exploitation automation against any OS target.
tools3
autopsy
GUI digital forensics platform built on The Sleuth Kit. Use to investigate disk images (.dd/.E01/.img/.vmdk) for deleted files, browser history, registry artifacts, keyword matches, file carving, and timeline analysis. Fastest way to visually triage a disk image: open image, run ingest modules, search artifacts. Supports NTFS, FAT, ext2/3/4, HFS+, APFS. Works on Windows natively; Linux via CLI build.
tools3
capa
Mandiant capa: capability detection for executables, shellcode, and sandbox reports. Identifies what a binary can do — persistence, credential access, C2, discovery, defense evasion — mapped to MITRE ATT&CK and MBC without running the file. Use to triage unknown binaries before RE, understand malware behavior for AV/EDR evasion research, classify dropper vs payload vs loader, and prioritize which functions to analyze in Ghidra/radare2.
development3
steghide
steghide: steganography tool for embedding and extracting payloads from JPEG, BMP, WAV, and AU files. Use when investigating passphrase-protected hidden content, validating steg findings from a challenge artifact, or creating controlled stego test data.
tools3
foremost
Foremost: file-carving utility for recovering files from disk images, raw dumps, and corrupted media based on headers and footers. Use when you need quick recovery of documents, archives, images, or executables from unstructured forensic data.
tools3
ftk-imager
FTK Imager: forensic acquisition and image viewing tool for disk images, logical files, and memory. Use to open and browse .dd/.E01/.img/.vmdk disk images without Autopsy, acquire memory dumps, convert image formats, export specific files from images, and verify integrity with hash verification. Also provides a free CLI version (ftkimager) for scriptable acquisition.
tools3
chainsaw
Fast DFIR triage for Windows forensic artifacts (EVTX, MFT, registry, ESE/SRUM) with Sigma and built-in detection logic. Use when analyzing exported Windows event logs, performing first-response hunting, detecting log tampering gaps, or producing CSV/JSON findings quickly without full SIEM infrastructure.
testing3
sleuth-kit
CLI file-system forensics toolkit for analyzing disk images (.dd/.img/.E01/.vmdk). Enumerates partitions, walks file systems, recovers deleted files, extracts inodes, builds MACB timelines, and carves data — all scriptable from the command line. Use on any raw disk image to find files, recover deleted content, analyze NTFS/ext4/FAT structures, and build investigation timelines.
tools3
stegseek
Stegseek: high-speed wordlist attacker for steghide-protected files. Use when you suspect a JPEG/BMP/WAV/AU artifact contains steghide data but extraction is blocked by a passphrase.
data-ai3
jadx
jadx: Android Dex-to-Java decompiler with CLI and GUI support. Use when you need readable Java/Kotlin-like output from APK, DEX, AAB, or JAR files, want fast static triage of Android apps, need deobfuscation support, or want to export a Gradle-like project for analysis.
tools3
testssl
testssl.sh: comprehensive TLS/SSL testing script checking protocol support, cipher suites, vulnerabilities (BEAST, POODLE, Heartbleed, ROBOT, DROWN, etc.), and certificate issues. Use when assessing TLS configuration of any HTTPS service — web servers, mail servers, VPNs, or any TLS endpoint.
development3
dalfox
dalfox: fast Go-based XSS scanner for parameter analysis and DOM-based XSS detection. Use when scanning web applications for reflected/stored/DOM XSS vulnerabilities, testing individual URLs or bulk lists, or setting up blind XSS callbacks. Integrates cleanly into recon pipelines.
development3
grype
grype: fast vulnerability scanner for container images, filesystems, SBOMs, and directories. Use when you need CVE scanning with composite risk scoring (CVSS + EPSS + KEV), clean ignore rules, and tight syft/SBOM integration. Lower false positives than trivy for pure vulnerability scanning.
testing3
mythril
mythril: symbolic-execution-based security analyzer for Solidity and EVM bytecode. Use when you need deeper path exploration, transaction-sequence findings, or SWC-oriented vulnerability reports for Ethereum and EVM-compatible contracts beyond what static lint-style analysis alone can provide.
development3
openvas
OpenVAS / Greenbone Community Edition: comprehensive network vulnerability scanner checking 90,000+ NVTs across hosts, services, and web apps. Use when performing infrastructure-level vulnerability assessments — CVE scanning, service enumeration, misconfiguration detection, and compliance checks across subnets or single hosts. CLI via gvm-cli; web UI via GSA.
tools3
osv-scanner
osv-scanner: Google's dependency vulnerability scanner using the OSV.dev database (30+ ecosystem sources). Use when scanning lockfiles and dependency manifests for CVEs with minimal false positives. Supports 19+ lockfile formats across 11+ languages. Best choice for PR gates on dependency changes.
development3
tplmap
tplmap: classic server-side template injection and code injection detection/exploitation tool for black-box web testing. Use when an input parameter appears SSTI-prone and you want engine fingerprinting plus file read, command execution, upload/download, or shell primitives across Jinja2, Mako, Twig, Smarty, Freemarker, Velocity, Pug, Nunjucks, and similar engines.
tools3
trivy
trivy: comprehensive vulnerability scanner for containers, filesystems, repos, IaC, and SBOMs. Use when assessing Docker images, Kubernetes manifests, or code repositories for CVEs, misconfigurations, secrets, and license issues. Fast, low false positives, integrates into CI/CD.
development3
mqtt-pwn
MQTT-PWN: interactive `cmd2`-based shell for IoT MQTT broker pentesting — connect, topic/message discovery, credential brute-force, broker fingerprinting ($SYS), Sonoff/Owntracks exploitation, and a publish/subscribe C2. Use when assessing exposed MQTT brokers (1883/8883), enumerating IoT topics, recovering broker credentials, or chaining MQTT to smart-home/ICS/IoT-device abuse in authorized engagements.
development3
burpsuite
Burp Suite: integrated web application security testing platform with proxy, scanner, intruder, and repeater. Use when testing web apps by intercepting/modifying HTTP traffic, fuzzing endpoints, exploiting SQLi/XSS/IDOR manually, or running automated active scans. Community free; Pro required for scanner and Turbo Intruder.
development3
semgrep
semgrep: fast static analysis tool for finding security vulnerabilities, misconfigurations, and secrets in source code. Use when reviewing code for injection patterns, hardcoded credentials, insecure configurations, or OWASP Top 10 issues. Supports 30+ languages. Community rules cover OWASP, secrets, supply chain, and more.
tools3
ssrfmap
SSRFmap: automated SSRF (Server-Side Request Forgery) exploitation tool using Burp-style request files. Use when you have confirmed or suspected SSRF to read local files, enumerate internal ports, extract cloud metadata (AWS/GCP/Azure), or pivot to internal services (Redis, SMTP, memcached). Supports 10+ exploitation modules.
tools3
nosqlmap
NoSQLMap: automated NoSQL injection detection and exploitation tool targeting MongoDB, CouchDB, and other NoSQL databases. Use when testing web apps backed by MongoDB for authentication bypass, data extraction, server-side JS injection, or exploiting unauthenticated database access. Conceptually similar to sqlmap but for NoSQL.
tools3
xsstrike
XSStrike: advanced XSS detection suite with context-aware payload generation, DOM XSS analysis, site crawler, WAF detection, and blind XSS mode. Use when testing for reflected/stored/DOM XSS on WAF-protected targets or complex filter scenarios. Preferred over dalfox when deep filter analysis and WAF evasion matter; use dalfox for speed.
testing3
kismet
Passive wireless sniffer, WIDS, and wardriving platform for Wi‑Fi, Bluetooth, Zigbee, and other RF sources. Use when performing passive wireless reconnaissance, multi-sensor collection, distributed capture, long-running logging, or API-driven RF monitoring without active injection.
development3
sqlmap
sqlmap: automated SQL injection detection and exploitation tool. Use when testing web applications for SQLi vulnerabilities to enumerate databases, extract data, read/write files, or escalate to OS shell. Handles GET/POST/cookie/header injection points. Supports MySQL, MSSQL, PostgreSQL, Oracle, SQLite, and more.
tools3
sstimap
SSTImap: actively maintained SSTI detection and exploitation tool with interactive and predetermined modes across Jinja2, Twig, Smarty, Freemarker, Velocity, ERB, Pug, Nunjucks, and more. Use when testing for server-side template injection and escalating from expression evaluation to file read or OS command execution.
tools3
zap
OWASP ZAP: free open-source web application scanner and intercepting proxy. Use for automated DAST scanning in CI/CD pipelines, API security testing (OpenAPI/GraphQL/SOAP), passive/active vulnerability scanning, and headless scanning with Docker. Best free alternative to Burp Suite Pro for automated workflows.
development3
jwt-tool
jwt-tool: comprehensive JWT testing and exploitation toolkit. Use when testing JWT authentication — alg:none bypass, RS256→HS256 algorithm confusion, secret brute-force, KID path traversal/SQLi, JKU/X5U header injection, claim tampering. Runs automated playbook for full JWT audit.
tools3
smuggler
smuggler: HTTP/1.1 request smuggling and desync detection tool testing CL.TE, TE.CL, and TE.TE variants. Use when testing reverse proxies, load balancers, or CDN-backed web apps for request desynchronization vulnerabilities that enable cache poisoning, authentication bypass, or request hijacking.
tools3
corsy
Corsy: lightweight CORS misconfiguration scanner detecting 10+ vulnerability types including origin reflection, null origin, pre/post-domain bypass, regex bypass, and wildcard. Use when auditing CORS policies on web APIs and SPAs to find cross-origin data theft vectors.
development3
liffy
liffy: modern Python 3 Local File Inclusion exploitation tool with wrapper payloads, WAF bypasses, log poisoning, /proc tricks, and automated file read workflows. Use when exploiting confirmed LFI or path traversal issues, especially on PHP targets where wrappers and poisoning can turn file read into RCE.
tools3
bloodhound
Active Directory attack path visualization using graph theory. Finds shortest path to Domain Admin, identifies Kerberoastable/AS-REP-roastable users, unconstrained delegation, ACL abuses, ADCS ESC vulnerabilities, and lateral movement vectors. Use after initial foothold in AD: collect data with SharpHound (Windows) or bloodhound-python (Linux/remote), import to BloodHound CE GUI, run Cypher queries to build and execute attack paths.
development3
impacket
Python toolkit for SMB/Kerberos/NTLM/LDAP protocol attacks in Active Directory. Core scripts: secretsdump (cred dump), ntlmrelayx (relay), psexec/wmiexec/smbexec/dcomexec (lateral movement), GetNPUsers (AS-REP roast), GetUserSPNs (Kerberoast), ticketer (Golden/Silver tickets), rbcd/addcomputer (delegation abuse), dacledit/owneredit (ACL abuse), smbclient (file ops). Use when attacking AD from Linux or when Python-based tooling is preferred over .NET binaries.
tools3
certipy
Python-based AD Certificate Services attack tool. Enumerate ADCS misconfigurations (ESC1-ESC13), request certificates for privilege escalation (ESC1/ESC2/ESC3/ESC6), relay NTLM to ADCS HTTP/RPC (ESC8/ESC11), abuse template ACLs (ESC4), set shadow credentials, authenticate via PKINIT to retrieve NTLM hashes. Cross-platform alternative to Certify + Rubeus. Use whenever ADCS is present.
tools3
inveigh
Windows .NET LLMNR/NBT-NS/mDNS/DNS poisoner and NTLM credential capture tool. Performs man-in-the-middle attacks by responding to broadcast name resolution requests and capturing NTLMv1/v2 hashes. Use when operating from a Windows host without access to Responder, when needing to capture NTLM hashes from network traffic, or when performing LLMNR/NBT-NS poisoning in AD environments.
tools3
mimikatz
Windows credential extraction: dump NTLM hashes from LSASS/SAM/NTDS, extract plaintext passwords (WDigest), Kerberos tickets, DPAPI secrets (browser creds, vault, wifi, RDP), and perform Pass-the-Hash, Pass-the-Ticket, Golden/Silver Ticket, and token impersonation attacks. Also runs in-memory via Invoke-Mimikatz, SafetyKatz BOF, or C# reflective loader when EDR is active.
development3
powerview
PowerView: PowerShell Active Directory reconnaissance tool for mapping domain structure, finding privilege escalation paths, and enumerating security controls. Use when performing AD enumeration, identifying admin accounts, finding unconstrained delegation, searching for misconfigurations, or building attack surface maps in Active Directory environments.
tools3
snaffler
Active Directory share enumeration and credential hunting tool. Scans domain-joined hosts for accessible shares and identifies files containing credentials, secrets, and sensitive data using configurable rule sets. Use when performing credential harvesting across domain shares, hunting for passwords in scripts/configs, or mapping accessible file shares in AD environments.
tools3
sharphound
SharpHound: BloodHound data collector that gathers Active Directory domain structure, users, groups, computers, ACLs, and attack paths. Use when enumerating Active Directory for BloodHound visualization, mapping privilege escalation paths, identifying misconfigurations, or collecting comprehensive domain intelligence.
data-ai3
watson
Watson: Windows patch vulnerability analyzer that identifies missing KB patches and maps to known exploitable CVEs. Use when assessing local privilege escalation vectors via kernel exploits, determining patchability before attacking, or prioritizing which unpatched systems are vulnerable to public CVE exploits.
testing3
winpeas
WinPEAS: Windows privilege escalation enumeration tool that identifies misconfigurations, weak permissions, unpatched services, and privilege escalation paths. Use when assessing Windows privilege escalation opportunities post-compromise, enumerating system weaknesses, or building a complete picture of attack surface before escalation attempts.
tools3
lswifi
CLI-centric Windows Wi‑Fi scanning tool exposing richer nearby-network data than built-in commands, including RSSI, security details, information elements, 6 GHz Reduced Neighbor Reports, JSON/CSV export, and event watching. Use when auditing nearby Wi‑Fi networks from Windows, exporting scan data, or scripting Windows-native wireless analysis without monitor-mode tooling.
tools3
wifite
Automated Wi‑Fi auditing wrapper for WEP/WPA/WPA2/PMKID workflows with minimal operator input. Use when rapidly triaging or attacking multiple Wi‑Fi targets from Linux without manually orchestrating each aircrack-ng step.
development3
nuclei
Template-based vulnerability and exposure scanner from ProjectDiscovery. Use when asked to scan a host or list for known vulnerabilities, misconfigurations, exposed panels, CVEs, default credentials, or security issues using community-maintained templates.
testing3
slither
slither: smart contract static analyzer for Solidity and Vyper with detectors, printers, and custom analysis APIs. Use when auditing Foundry, Hardhat, Brownie, or standalone contracts for reentrancy, unsafe delegatecall, tx.origin misuse, upgradeability mistakes, weak randomness, and other EVM security issues.
development3
wpscan
WPScan: WordPress vulnerability and enumeration scanner. Use when targeting WordPress installations to find outdated/vulnerable plugins and themes with CVEs, enumerate valid usernames for password attacks, verify xmlrpc.php/REST API exposure, check for default configurations, or brute-force credentials. Requires free API token from wpscan.com for CVE data.
tools3
trufflehog
trufflehog: secrets scanner that finds AND verifies leaked credentials via live API calls. Use when you need to confirm if exposed secrets are still valid, scan beyond git repos (S3, Docker, cloud, CI/CD), or run comprehensive organization-wide audits. 800+ secret types, 700+ with live verification.
development3
aircrack-ng
802.11 auditing suite for monitor-mode Wi‑Fi assessment, including handshake capture, deauthentication-assisted testing, WEP workflows, injection checks, precomputed PMK cracking, and offline traffic decryption. Use when performing Linux-based wireless assessments that require precise control over monitor mode, captures, and classic aircrack-ng attack chains.
testing3
nikto
Nikto: open-source web server scanner checking for 6700+ known vulnerabilities, outdated software, misconfigurations, and dangerous CGI/default files. Use when performing quick web server reconnaissance to identify low-hanging fruit, server banners, default content, and misconfigs before deeper manual testing. Fast, noisy — good for CTF/authorized pentests.
development3
commix
commix: automated OS command injection detection and exploitation tool. Use when testing web parameters, cookies, or headers for command injection vulnerabilities and escalating to an interactive OS shell. Supports classic, time-based blind, file-based, and semi-blind techniques with tamper scripts for WAF bypass.
tools3
gitleaks
gitleaks: fast git secrets scanner detecting hardcoded credentials, API keys, tokens, and passwords in git repositories, directories, and stdin. Use when auditing code for leaked secrets, blocking commits via pre-commit hooks, or integrating secret detection into CI/CD pipelines. Regex + entropy based, highly configurable.
development3
privesccheck
PrivescCheck: pure PowerShell Windows privilege escalation enumeration focused on services, scheduled tasks, registry policy, DLL/COM hijacking, and stored credentials. Use when winPEAS is blocked, when a PS1-only workflow is safer, or when you need readable findings and optional HTML reporting from a low-privileged Windows foothold.
development3
sparrow-wifi
Linux Wi‑Fi and Bluetooth analyzer with GPS, remote agent, JSON API, and SDR integrations including HackRF One and Ubertooth. Use when you need combined Wi‑Fi/Bluetooth situational awareness, remote wireless sensors, spectrum overlays, Bluetooth visibility, or HackRF-assisted spectrum workflows beyond simple CLI capture.
tools3
pinggy
Pinggy localhost tunneling service for HTTP(S), TCP, UDP, TLS, and TLSTCP tunnels over SSH, Pinggy CLI, Docker, GUI app, Node.js SDK, or Python SDK. Use when exposing authorized local services, receiving webhooks, debugging requests, sharing files, testing callbacks, remote-accessing IoT/dev devices, routing custom domains, or comparing with ngrok/cloudflared/chisel/ligolo-ng. Not for covert persistence or unapproved third-party access.
tools3
reversing-technique
Objective-driven reverse engineering methodology: structured workflows for malware analysis, software protection analysis, patch diffing, firmware, protocol RE, and memory-corruption exploitation handoff. Covers triage, static/dynamic analysis patterns, anti-reversing bypass, exploitability assessment, and tool selection. Use when you need to understand unknown code, bypass protections, extract secrets, validate exploitability, or analyze threats based on a specific goal.
tools3
bluez
BlueZ Bluetooth stack and CLI workflow for Linux, covering bluetoothctl-driven discovery, pairing, BLE inspection, and low-level troubleshooting utilities. Use when scanning Bluetooth Classic or BLE devices, validating adapter state, enumerating services/characteristics, or building Bluetooth reconnaissance workflows on Linux.
tools3
searchsploit
Offline CLI search tool for Exploit-DB. Use when finding public exploits for discovered CVEs and software versions, filtering exploits by type (local/remote/webapps/dos), or parsing Nmap XML output to automatically surface applicable exploits.
tools3
pytorch
PyTorch model inspection and checkpoint workflow for loading tensors, `state_dict` data, modules, and parameters. Use when working with `.pt` or `.pth` artifacts, auditing model structure, extracting weights, or scripting inference-oriented inspection of deep-learning checkpoints.
testing3
hashcat
GPU-accelerated offline password cracking tool supporting 300+ hash types. Use when asked to crack password hashes, recover passwords from NTLM/Net-NTLMv2/Kerberos/bcrypt/MD5/SHA hashes, perform wordlist or rule-based attacks, or conduct mask brute-force against any captured hash.
tools3
cracking-technique
Technique-first password/hash cracking methodology for AI agents. Covers triage, target modeling, strategy selection (dictionary/rules/hybrid), corpus and candidate engineering, campaign orchestration, and reproducible result analysis for audits, breach analysis, and credential recovery. Use when you need the right cracking flow without turning the skill into a per-tool command manual.
tools3
asm-performance
Assembly performance optimization workflow: collect compiler-emitted ASM, classify bottlenecks with TMA, audit for codegen issues (bounds checks, register spills, dependency chains, missed vectorization, memory traffic, bad instruction selection, store-forwarding stalls, frontend pressure, data layout), apply one change at a time, measure, and report. Use after profiling confirms ASM is the bottleneck.
development3
code-guidelines
Behavioral guidelines to reduce common LLM coding mistakes, derived from Andrej Karpathy's observations on LLM coding pitfalls (Dec 2025). Use when writing, reviewing, or refactoring code across any language to avoid hidden assumptions, overengineering, orthogonal edits, vague goals, and sycophantic approval of bad requests. Especially relevant in agent-first workflows where errors are subtle conceptual mistakes rather than simple syntax issues.
development3
golang-performance
Go performance workflow: benchmark and profile (pprof/trace), identify hotspots, reduce allocations/GC and contention, and verify improvements with repeatable measurement. Use only after you have evidence the Go code is the bottleneck.
development3
rust-patterns
Idiomatic Rust patterns and best practices for readable, safe, maintainable Rust: ownership, borrowing, API design, enums/traits, error handling, iterators, module layout, and tooling. Use when writing or reviewing `.rs` code, refactoring crates, porting non-idiomatic code into Rust, or designing Rust APIs.
tools3
sensors
Select, compare, and integrate sensors for Arduino, ESP32, robotics, model-making, and home automation with focus on signal quality, false positives, debounce, and practical wiring. Use when asked which sensor to choose, how to detect an event reliably, how to map signals into code, or how to design sensor-driven systems such as break-beams, PIR, vibration, IMU, climate, occupancy, or binary-sensor style automations.
tools3
fuzzing-technique
Technique-first fuzzing methodology for AI agents to discover vulnerabilities across file parsers, binaries, network protocols, and web APIs. Focuses on target modeling, oracle design, harness/request-model quality, corpus engineering, campaign orchestration, and reproducible triage. Use when you need a complete fuzzing flow and decision logic, while keeping tool commands in offensive-tools skills.
tools3
golang-patterns
Idiomatic Go patterns, best practices, and conventions for building robust, readable, and maintainable Go code. Use when writing, reviewing, or refactoring Go (APIs, packages, errors, interfaces, concurrency, and code style).
development3
langchain-py
Build and maintain production-grade LangChain Python systems (LangChain 1.2.x baseline) with create_agent, middleware, tools, structured output, and multi-agent architectures (subagents, handoffs, router, skills). Activate for Python agent design, debugging, migrations from older APIs, context engineering, and Tavily-backed web search integration.
tools3
asm-patterns
Assembly language patterns, calling conventions, and code structure for x86-64 and ARM64. Use when writing, reviewing, or generating .asm/.s/.S files; when implementing functions that interoperate with C/system code; or when establishing correct prologues, epilogues, stack management, SIMD loops, syscall stubs, or PIC data access.
development3
cpp-patterns
Modern C++ patterns and best practices for readable, safe, maintainable C++ code: RAII, ownership, error handling, API design, concurrency basics, and build/tooling hygiene. Use when writing or reviewing C++ (C++20+) code.
tools3
python-async-patterns
Async Python patterns for building non-blocking I/O with asyncio and async/await: task orchestration, cancellation, timeouts, backpressure, rate limiting, and safe sync/async boundaries. Use when implementing concurrent network/DB workflows or async services.
development3
c-patterns
C language patterns and best practices for safe, maintainable C: ownership, API contracts, error handling, integer safety, portability, and concurrency boundaries. Use when writing or reviewing C code (C11+), designing module interfaces, refactoring legacy C, or hardening low-level code paths.
development3
python-reverse
Binary reverse engineering with Python: analyze, parse, and disassemble ELF/PE executables using pwntools, capstone, Frida, and custom parsing tools. Use when understanding malware, debugging binary failures, analyzing section structure, extracting strings/entropy, or instrumenting runtime behavior.
tools3
python-patterns
Pythonic patterns and best practices for writing readable, robust Python: typing, error handling, data modeling, iteration, resource management, project layout, and tooling. Use when writing or reviewing Python code and APIs.
tools3
zero-day-hunter
LLM-assisted workflow for hunting likely zero-day candidates in source code repositories. Use when asked to scan a file or repo for externally reachable vulnerabilities, prioritize suspicious files, generate per-file security context, and skeptically review candidate findings with local code search. Best suited for C and C++ projects but also useful for Go, Rust, Python, Java, JavaScript, TypeScript, PHP, and C#. Includes Python helpers for file discovery, scan orchestration, evidence gathering, and Markdown/JSON result output.
tools3
verification-before-completion
Use when about to claim work is done, fixed, passing, validated, merged, report-ready, or safe to proceed. Requires fresh verification evidence before success claims, commits, pull requests, task completion, operator reports, cleanup claims, or moving to the next step.
testing3
design-before-implementation
Use before creative or multi-file implementation work: new features, behavior changes, refactors, new skills, offensive tooling workflows, exploit chains, research pipelines, or architecture decisions. Clarifies intent, scope, alternatives, constraints, success criteria, and non-goals before coding or executing.
tools3
llm-technique
LLM application red-teaming methodology: prompt injection (direct and indirect), jailbreaks, system prompt extraction, tool/function-call abuse, RAG poisoning, training-data exfiltration probes, output-handling vulnerabilities (XSS via LLM output, SQL via generated queries), agent loops, and cost/DoS attacks. Use when testing LLM-powered applications (chatbots, RAG, copilots, autonomous agents) during authorized security assessments.
tools3
cloud-security-technique
Cloud security assessment methodology for AWS, Azure, and GCP environments. Covers IAM enumeration and privilege escalation (31+ paths), storage bucket discovery and abuse, metadata service exploitation (IMDSv1/v2), container/Kubernetes escape and pivot, serverless and managed-service abuse (Lambda, Glue, CodeBuild, SageMaker, Automation Accounts), OIDC/workload identity federation abuse, Service Principal and Managed Identity escalation, secrets and environment variable harvesting. Use when you have cloud credentials, a cloud account ID, or shell access in a cloud workload and need to enumerate, escalate, or pivot within the cloud environment.
tools3
crypto-technique
Cryptanalysis methodology for problem diagnosis, attack selection, and exploitation workflow. Covers RSA weak-key attacks, ECC singular curves, lattice-based attacks, PRNG state recovery, padding oracles, symmetric cipher weaknesses, and mathematical shortcuts in cryptographic implementations. Use when analyzing encrypted data, server oracles, key material, or cryptographic protocols to identify exploitable weaknesses and recover secrets.
testing3
forensic-technique
Technique-first digital forensics methodology for incident-driven investigations across disk images (E01/DD/RAW), ISO media, memory captures, and network PCAP evidence. Focuses on preservation, triage, timeline reconstruction, artifact correlation, and report-ready findings while mapping each phase to the right forensic tool family without becoming a per-tool command manual.
tools3
beginner-ctf
Beginner-friendly challenge-solving entrypoint for users who do not know which CTF category or skill to use. Use when the prompt contains a vague challenge description, unknown artifact, URL, service, source bundle, binary, PCAP, image, model, smart contract, hardware trace, or the user asks what to do first. Explains category choice in plain language, chooses the smallest next 1-3 actions, and then hands off to the correct dedicated ctf-solving skill.
development3
scikit-learn
scikit-learn model inspection workflow for loading persisted estimators, pipelines, and tree models. Use when you need to inspect `joblib` or pickle-based model artifacts, view parameters, feature names, importances, or pipeline structure, or run lightweight predictions for analysis.
testing3
vec2text
vec2text: embedding-inversion library for reconstructing approximate text from sentence embeddings. Use when working with saved embedding tensors, privacy/inversion research, or AI/ML challenge workflows where you need to load a corrector model and invert strings or embeddings directly.
development3
known-problem-hint-research
Targeted post-triage online research for a known technical problem signature, not broad discovery. Use after the agent has already analyzed the artifact, ranked hypotheses, and hit a wall, to find the missing hint in papers, blogs, articles, public writeups, source discussions, specifications, commits, issues, changelogs, advisories, PoCs, or implementation notes. Useful for cryptography, protocol debugging, reversing, AI/ML behavior, web/API behavior, exploit constraints, version-specific bugs, build/runtime errors, and standards mismatches where one external clue unlocks the next local test.
development3
solve-challenge-ctf
Fast challenge-solving router for multi-category CTF tasks. Integrates recon-technique, forensic-technique, reversing-technique, web-exploit-technique, network-technique, wireless-technique, and crypto-technique to classify unknown bundles, remote services, mixed artifacts, and category-ambiguous tasks, then route immediately to the smallest dedicated CTF skill chain. Use for unknown artifacts, partial hints, firmware, RF/SDR, blockchain/Web3, cloud, ICS/OT, hardware captures, AI/ML artifacts, malware samples, or any challenge where speed, precision, and shortest-path solving matter more than explanation.
development3
volatility3
Memory forensics framework for analyzing RAM dumps. Extracts running processes, injected code, network connections, registry hives, credentials, files, and malware artifacts from memory images. Use on any .raw/.dmp/.mem/.vmem file to investigate what was running at capture time: processes, DLLs, network state, user activity, credentials in memory, and hidden/injected code.
development3
mcp-patterns
Design and implement local Model Context Protocol (MCP) servers, mainly in Python, using the official SDK and host-integration patterns. Use when building or refactoring MCP servers, choosing between tools/resources/prompts, wiring stdio or local HTTP transports, handling lifecycle and capability negotiation, connecting to Claude Desktop-class hosts, debugging Inspector/client issues, or packaging local servers for reuse and distribution.
tools3
amass
OWASP attack surface mapping tool for subdomain enumeration, DNS brute-forcing, and infrastructure discovery using 50+ data sources. Use when performing thorough subdomain enumeration, mapping an organization's full internet-facing attack surface, tracking asset changes over time, or feeding a list of hosts into web app testing.
tools3
jazzer
Coverage-guided in-process fuzzing for JVM (Java/Kotlin/etc), based on libFuzzer concepts. Use for JVM API/parser fuzzing with JUnit integration, sanitizer-like bug detectors, and reproducible regression corpora.
development3
honggfuzz
Feedback-driven, high-speed fuzzer with multi-process/thread execution and persistent fuzzing. Use for local binary fuzzing, instrumentation-guided campaigns, sanitizer-assisted triage, and corpus minimization workflows.
documentation3
libfuzzer
In-process, coverage-guided fuzzing engine integrated with Clang/LLVM. Use for fast unit-level fuzz targets, parser hardening, sanitizer-first bug discovery, and corpus-driven regression loops in C/C++ code.
development3
radamsa
General-purpose mutation engine for generating malformed test inputs. Use as a payload mutator feeding other fuzzers, API testers, parsers, protocol harnesses, or custom replay scripts.
development3
wfuzz
Classic web application fuzzer using FUZZ placeholders across URL, headers, forms, auth, and request components. Use for endpoint discovery, payload injection workflows, and advanced response-filter triage.
development3
winafl
Coverage-guided fuzzing framework for Windows binaries. Use when fuzzing desktop apps, DLL harnesses, or Windows services with DynamoRIO/TinyInst/Intel PT instrumentation and persistent-loop target functions.
development3
linux-persistence
Linux post-exploitation persistence mechanisms: cron jobs, systemd services, SSH backdoors, LD_PRELOAD rootkits, PAM hijacking. Use when establishing long-term access post-privilege escalation, creating resilient backdoors across system restarts, or hiding malicious activity from process monitoring.
testing3
mosquitto-clients
Mosquitto client tools, primarily `mosquitto_pub` and `mosquitto_sub`, for interacting with MQTT brokers. Use when subscribing to topics, publishing test messages, validating credentials, or observing IoT message flow in authorized environments.
tools3
netcat
Netcat (nc/ncat): TCP/UDP Swiss Army knife for reverse shells, bind shells, port checks, banner grabbing, file transfer, port forwarding, and listener setup. Use when catching reverse shells, sending bind shells, testing port connectivity, grabbing service banners, or transferring files without SCP/FTP.
testing3
pwntools
Python CTF/exploitation framework for interacting with remote services, local processes, and binary exploitation. Core use case: scripting interactive protocols over TCP/process tubes — recv/send loops, oracle interactions, multi-round crypto challenges, and shell exploitation. Use when writing a CTF solver that talks to a service, automating a multi-step protocol, or building binary exploitation payloads.
tools3
ltrace
ltrace: Linux library-call tracer for glibc and dynamically linked userspace APIs. Use when you need to watch `malloc`, `strcmp`, crypto helpers, networking wrappers, or other imported functions at a level above raw syscalls during reverse engineering or runtime triage.
tools3
spiderfoot
Automated OSINT platform with 200+ modules for target profiling: DNS, email, username, IP, ASN, breach data, dark web, social media, threat intel. Use when you need automated multi-source OSINT on a domain, IP, email, or username — runs all relevant modules and correlates results. CLI for scripting; web UI for interactive investigation.
tools3
theharvester
Harvest emails, subdomains, hostnames, employee names, open ports, and banners for a target domain from public sources. Use at the start of recon to build an attack surface map: enumerate email addresses for phishing, discover subdomains for web app testing, and identify infrastructure from passive sources.
development3
gau
Passive URL mining tool that fetches known URLs from Wayback Machine, Common Crawl, URLScan, and OTX. Use when asked to discover historical URLs, find old endpoints, mine parameters, or gather URLs passively without touching the target.
tools3
gcloud-cli
Google Cloud CLI for authenticating, configuring projects, and enumerating GCP resources from the terminal. Use when verifying active identity and project scope, listing compute or storage resources, or scripting repeatable GCP recon in authorized environments.
tools3
wafw00f
WAF detection tool. Fingerprints Web Application Firewalls by analyzing HTTP responses to crafted requests. Identifies vendor and product (Cloudflare, AWS WAF, ModSecurity, Akamai, F5, Imperva, etc.) to inform bypass strategy selection.
tools3
adb
adb: Android Debug Bridge CLI for device discovery, shell access, file transfer, package install, port forwarding, and log collection. Use when validating static Android findings on a real device or emulator, pulling app data, installing patched APKs, or bridging dynamic tooling such as Frida.
tools3
upx
UPX: executable packer and unpacker for PE, ELF, Mach-O, and several embedded formats. Use when you need to unpack a UPX-packed sample for analysis, verify whether a binary is compressed, or repack a controlled payload for lab use and size reduction.
development3
radare2
CLI reverse engineering framework with disassembly, decompilation (r2ghidra/r2dec), debugging, ESIL emulation, scripting, and binary patching. Use when analyzing binaries headlessly, scripting RE tasks via r2pipe, patching executables, diffing firmware, emulating code, or working in resource-constrained/headless environments.
tools3
evidence-before-claims
Evidence gate for security research, offensive workflows, exploit development, scanner triage, and technical reporting. Use before claiming a vulnerability, exploit, credential, bypass, persistence, clean result, or root cause is confirmed. Does not perform exploitation; it forces claim quality, reproducibility, and honest uncertainty handling.
development3
python-testing
Python testing patterns with pytest: TDD loop, fixtures, parametrization, mocking, test organization, async testing, coverage, and CI hygiene. Use when writing or reviewing Python tests to improve correctness and reduce flakiness.
development3
c-testing
C testing workflow for unit and integration tests: deterministic harnesses, CMake/CTest execution strategy, sanitizer-first debugging, and fuzzing escalation. Use when writing or fixing tests for C (C11+) modules, stabilizing flaky suites, or reproducing memory/UB bugs.
development3
asm-testing
Assembly code testing, debugging, and bug-hunting workflow for hand-written and injected assembly: C/Go harness testing, GDB/LLDB/WinDbg/x64dbg verification, objdump structural analysis, Python helpers (Capstone/Unicorn/Keystone), Frida dynamic instrumentation, offensive ASM debugging (trampolines, callgates, syscall stubs, stack spoofing, PIC shellcode), reverse engineering own binaries, and common bug pattern diagnosis. Use when verifying correctness of .asm/.s/.S files, debugging crashes in injected code, hunting silent corruption in offensive tooling, or building ad-hoc Python analysis scripts.
tools3
systematic-debugging
Root-cause-first debugging workflow for software, exploit tooling, fuzzing harnesses, reverse-engineering helpers, C2/client code, flaky tests, crashes, races, and environment-specific failures. Use when a failure is not immediately obvious or when repeated quick fixes risk hiding the real defect.
tools3
verification-before-completion
Use when about to claim work is done, fixed, passing, validated, merged, report-ready, or safe to proceed. Requires fresh verification evidence before success claims, commits, pull requests, task completion, operator reports, cleanup claims, or moving to the next step.
testing3
rust-testing
Rust testing patterns for unit, integration, async, doc, property, snapshot, and benchmark-adjacent tests. Use when writing or reviewing tests for `.rs` code, reducing flakiness, designing fixtures/fakes, or improving CI confidence in Rust crates and workspaces.
development3
cpp-testing
C++ testing workflow for unit and integration tests: GoogleTest/GoogleMock, CMake/CTest integration, diagnosing flaky tests, and running sanitizers and coverage for correctness signal. Use when writing or fixing C++ tests and test infrastructure.
development3
design-before-implementation
Use before creative or multi-file implementation work: new features, behavior changes, refactors, new skills, offensive tooling workflows, exploit chains, research pipelines, or architecture decisions. Clarifies intent, scope, alternatives, constraints, success criteria, and non-goals before coding or executing.
tools3
implementation-planning
Use after an approved design, spec, issue, or requirement set and before multi-step implementation. Produces bite-sized tasks with exact files, commands, verification gates, review checkpoints, and stop conditions for coding, skill curation, offensive tooling, or research automation.
tools3
external-feedback-triage
Triage external technical feedback before applying it. Use for code reviews, scanner findings, exploit PoC notes, blog advice, LLM suggestions, issue comments, and advisory recommendations. Verifies context fit, evidence, risk, and minimal changes instead of accepting or rejecting feedback performatively.
development3
testing-reliability
Cross-language testing reliability skill for flaky tests, bad mocks, sleep-based timing, test-only production hooks, brittle fixtures, incomplete fakes, and weak assertions. Use alongside language-specific testing skills when tests pass locally but fail in CI, hide real defects, or create false confidence.
testing3
golang-testing
Go testing patterns for unit tests, table-driven tests, subtests, test helpers, mocking/fakes, benchmarks, fuzzing, and coverage. Use when writing or reviewing Go tests to improve correctness, stability, and maintainability.
tools3
test-driven-development
Use when implementing persistent code, bug fixes, refactors, scripts, exploit tooling, harnesses, or skill utilities before writing implementation code. Applies when tests, reproducers, assertions, or verification can be written first; treat disposable spikes separately and convert them to tested code before claiming reliability.
tools3
tcpdump
CLI packet capture and BPF filter tool. Use to capture network traffic to .pcap files, filter existing PCAPs for specific hosts/ports/protocols, extract payloads as ASCII/hex, and quickly triage network activity from the command line. Pairs with Wireshark/tshark for deep analysis and Zeek for structured log extraction. Essential for network forensics and PCAP investigation.
tools3
sherlock
Hunt username presence across 400+ social networks and output found profile URLs. Use when pivoting on a discovered username during OSINT to map a target's digital footprint, build a list of active platforms, and feed results into further profiling. Complement with maigret for dossier building.
development3
active-directory-technique
Active Directory attack methodology for AI agents. Covers domain enumeration (BloodHound, PowerView), credential attacks (Kerberoasting, AS-REP, password spray), NTLM relay chains (Coercer + Responder + ntlmrelayx), certificate abuse (ESC1-13 via Certipy), lateral movement (crackmapexec, evil-winrm, impacket), domain trust escalation (child-to-parent, cross-forest), and domain dominance (DCSync, Golden/Silver/Diamond ticket, persistence). Use after post-exploit-technique delivers a domain-joined foothold or domain credential.
development3
post-exploit-technique
Post-exploitation methodology for Linux and Windows targets after initial shell access. Covers shell stabilization, situational awareness, local privilege escalation (Linux/Windows), credential harvesting, persistence, and lateral movement handoff. Use after vuln-exploit-technique delivers a shell — this skill drives from low-privilege foothold to full host control and network expansion.
tools3
zsteg
zsteg: PNG and BMP steganography analyzer for bit-plane, color-channel, and payload extraction. Use when hunting LSB-style hidden data in images, especially after basic metadata and strings checks show nothing useful.
testing3
ffuf
High-speed HTTP fuzzing engine for endpoint discovery and input mutation on web/API targets. Use for directory/file discovery, parameter name fuzzing, vhost discovery, header/body fuzzing, and recursive content mapping when the task needs FUZZ-token wordlist workflows with strong response filtering/calibration.
development3
tesseract
Tesseract OCR engine for extracting text from images and scanned documents. Use when a challenge artifact, screenshot, photo, or scan may contain readable text, flags, serials, or labels that need machine-readable extraction.
documentation3
dotdotpwn
DotDotPwn: directory traversal fuzzer for HTTP, FTP, and TFTP with built-in encoding variants (null byte, URL, double-URL, unicode). Use for path traversal fuzzing, LFI-oriented payload generation, and protocol-specific traversal checks where generic HTTP fuzzers are weaker. Strong companion to ffuf when you need traversal-specialized payload mutation.
development3
crlfuzz
Specialized web fuzzing tool for CRLF injection and HTTP response splitting detection. Use when validating header injection, cookie injection, cache poisoning, and response-splitting vectors by mutating URL/query/header inputs with CR/LF payload families at scale.
tools3
zeek
Protocol-aware network analysis engine that converts raw PCAP or live traffic into structured logs (conn.log, dns.log, http.log, ssl.log, files.log, etc.). Use on any .pcap/.pcapng file to extract DNS queries, HTTP requests/responses, TLS certificates, file transfers, connection summaries, and anomalies. Faster and more structured than Wireshark for scripted analysis. Integrates with zeek-cut and standard UNIX tools for rapid investigation.
tools3
schemathesis
OpenAPI/GraphQL property-based API fuzzer. Use to auto-generate API tests, catch schema violations, triage failures systematically, and run high-coverage stateful campaigns in REST/GraphQL services.
development3
boofuzz
Python network protocol fuzzing framework (Sulley successor). Use for stateful TCP/UDP protocol fuzzing, request-graph modeling, monitor-driven crash detection, and reproducible protocol campaign workflows.
development3
arjun
Arjun: HTTP parameter discovery fuzzer with a large curated parameter dictionary. Use when hunting hidden GET/POST/JSON/XML parameters on web apps and APIs before SQLi/XSS/IDOR testing. Designed for fast attack-surface expansion and easy handoff into ffuf, dalfox, sqlmap, and custom replay pipelines.
development3
htb-challenge-downloader
Download Hack The Box CTF challenge artifacts and metadata through BrowserMCP. Use when given an HTB CTF event URL, a destination path, and a selector describing either a challenge category or a challenge name. If any of those three inputs is missing, return an error and stop. The workflow filters matching challenges, downloads files when present, always spawns Docker when a spawn control exists, and writes one `readme.md` per challenge folder with title, description, and an `ip:porta` array when endpoints are exposed.
tools3
aflplusplus
Coverage-guided fuzzing framework for source and binary targets. Use when fuzzing C/C++ projects, parsers, CLI tools, or emulated binaries with high throughput, sanitizer-driven triage, and mature campaign orchestration.
tools3
yara
Pattern-matching engine for identifying files, binaries, memory dumps, and artifacts by byte sequences, strings, regex, or structural properties. Use to scan extracted files for known malware families, find flags/hidden strings in binaries, classify suspicious artifacts, validate file content, and scan memory dumps for injected code. Rules are readable, shareable, and composable.
development3
restler
Stateful REST API fuzzer from OpenAPI specs. Use when testing complex API dependency chains, producer-consumer request sequencing, and replayable bug-bucket workflows for API reliability/security testing.
development3
oss-fuzz
Google-hosted continuous fuzzing service for open-source projects. Use for long-running, scalable fuzz campaigns, sanitizer-backed triage, and continuous bug reporting with reproducible local workflows.
development3
pwncat
pwncat-cs post-exploitation framework for Linux: catches reverse shells, connects to bind/SSH channels, runs module-driven enumeration/privilege escalation, and manages persistence implants with reconnect support. Use when stabilizing shells, automating escalation, installing/removing implants, or orchestrating Linux post-exploitation through run/use/search workflows.
development3
bettercap
Bettercap: Swiss Army knife for WiFi, Bluetooth, HID, and Ethernet network attacks including ARP spoofing, MITM, traffic sniffing, and credential harvesting. Use when performing LAN MITM, WiFi deauth/probe attacks, BLE reconnaissance, or HTTPS SSL stripping.
data-ai3
ssh-key-scanner
SSH key scanner for Linux post-exploitation: hunts SSH private keys, authorized_keys, cloud credentials, and SSH config files for lateral movement. Use when enumerating compromised Linux hosts for SSH key material, extracting credentials for pivoting, or identifying users with SSH access to other systems.
devops3
linpeas
LinPEAS: Linux privilege escalation enumeration tool that audits system for privesc vectors, weak permissions, unpatched services, and credential exposure. Use when assessing Linux privilege escalation opportunities post-compromise, building a privesc roadmap, or identifying misconfigurations before exploitation attempts.
tools3
responder
NBT-NS, LLMNR, and mDNS poisoner that captures Net-NTLMv2 hashes from Windows hosts on the local network. Use when asked to capture NTLM hashes, poison name resolution, perform NTLM relay attacks, set up a rogue SMB/HTTP server for credential capture, or collect hashes for offline cracking.
data-ai3
masscan
Masscan: ultra-fast async TCP SYN port scanner capable of scanning the entire IPv4 internet in minutes. Use when performing wide-area network sweeps, identifying open ports across large CIDR ranges, or as a first-pass discovery step before nmap service scanning.
testing3
chisel
HTTP-based TCP/UDP tunneling tool for port forwarding and SOCKS5 proxying through firewalls. Use when pivoting into internal networks without root/TUN interface, tunneling traffic over HTTP/HTTPS to bypass firewalls, or creating a SOCKS5 proxy through a compromised host. Complements ligolo-ng when TUN interfaces are unavailable.
tools3
nmap
Network port scanner for host discovery, port scanning, service/version detection, OS fingerprinting, and NSE script execution. Use when asked to scan a target, find open ports, enumerate services, identify OS, run vuln scripts, or perform network reconnaissance on an IP, range, or domain.
data-ai3
pymodbus
PyModbus: Python library for Modbus TCP and serial communication. Use when you need to read or write coils and registers programmatically, automate ICS/OT lab interactions, or build repeatable Modbus probes instead of relying on one-off manual clients.
tools3
phoneinfoga
Phone number OSINT tool — gather carrier, location, and online presence data for phone numbers. Use when pivoting on phone numbers during target profiling or social engineering preparation.
tools3
ghunt
Google account OSINT tool — enumerate Google profile data, linked services, Calendar events, Maps reviews, YouTube activity, and photo metadata from an email address or Gaia ID. Use when you have a Gmail address and need to map the target's Google footprint: profile photo, account creation hints, linked Android apps, location history artifacts, and public activity.
tools3
aws-cli
AWS CLI v2 for interacting with AWS services from the terminal. Use when enumerating identities, S3 buckets, IAM data, EC2 inventory, or other control-plane resources in authorized cloud assessments, or when scripting repeatable AWS recon and verification workflows.
tools3
ligolo-ng
Reverse tunneling tool that creates a TUN interface on the attacker machine to route traffic into internal networks via a compromised pivot host. Use when asked to pivot into an internal network, tunnel traffic through a compromised host, access internal subnets, or set up a network tunnel without SOCKS proxychains.
tools3
mitmproxy
mitmproxy: interactive TLS-capable HTTP/HTTPS proxy for intercepting, inspecting, modifying, and replaying web traffic. Use when proxying application traffic during web app tests, modifying requests/responses on the fly, or scripting request interception with Python addons.
development3
holehe
Check if an email address is registered on 120+ websites using account-recovery probes (not login attempts). Use during OSINT to enumerate a target's active accounts from a known email, confirm email validity, or map digital footprint before phishing/social engineering.
development3
hakrawler
Fast Go web crawler for discovering URLs, endpoints, and JavaScript files. Use when crawling web applications to build a URL inventory before fuzzing or during OSINT on web infrastructure.
development3
asnmap
ProjectDiscovery tool for mapping IP ranges from ASN data. Given a domain, IP, organization name, or ASN number, returns all associated CIDR ranges. Use during passive recon to discover the full IP space owned by a target organization before port sweeping, and to identify cloud vs. on-prem allocation.
tools3
maigret
Build a dossier on a person from a single username: searches 2800+ sites, extracts profile data (name, bio, location, linked accounts), and generates HTML/PDF/CSV reports. Use for deep-dive personal OSINT when you need more than a URL list — extracts actual profile content, detects linked usernames, and correlates identity across platforms.
development3
dnsx
Fast DNS resolution and brute-force tool from ProjectDiscovery. Use when asked to resolve a list of subdomains, perform DNS brute-force, extract DNS records (A, CNAME, MX, TXT, NS), or validate live DNS entries from a large list.
tools3
gobuster
Directory, DNS subdomain, and vhost brute-forcer written in Go. Use when asked to enumerate web directories, find hidden paths, brute-force subdomains via DNS, or discover virtual hosts on a web server.
development3
httpx
Fast HTTP probing tool for bulk URL processing, status codes, title extraction, tech detection, and web fingerprinting. Use when asked to probe a list of hosts/URLs for live web servers, find HTTP services, check status codes, extract page titles, or fingerprint web technologies.
tools3
rustscan
Ultra-fast port scanner that finds open ports in seconds then auto-pipes into nmap for service/version detection. Use for initial port discovery on individual hosts or small ranges where speed matters. Complements masscan (broad range) and nmap (deep single-host). Best for: CTF initial recon, quick service fingerprint after foothold, fast validation before exploitation.
development3
shodan
Shodan CLI for passive internet-wide host and service discovery. Use when asked to search Shodan, find internet-exposed services, discover infrastructure passively, look up an IP or org, query specific banners or CVEs, or enumerate assets without touching the target.
tools3
katana
ProjectDiscovery web crawler for endpoint and JS-endpoint discovery. Handles modern JS-heavy apps via headless browser mode, extracts endpoints from JavaScript files (JSLuice/regex), follows XHR/fetch calls, and integrates with the ProjectDiscovery pipeline (httpx, dnsx, subfinder). Use during active recon to enumerate all reachable endpoints, crawl APIs, extract hidden JS paths, and feed results into parameter discovery or vuln scanning.
development3
feroxbuster
Fast, recursive web content discovery tool written in Rust. Use when asked to enumerate web directories recursively, find hidden files/endpoints, fuzz a web application, or when a deep recursive scan is needed that gobuster doesn't handle natively.
tools3
dex2jar
dex2jar: Android DEX-to-JAR conversion toolkit for feeding Java bytecode into desktop decompilers and analysis tools. Use when you want a `.jar` or `.class`-oriented workflow from an APK or DEX file, especially when comparing output across `jadx`, CFR, JD-GUI, or custom JVM tooling.
tools3
androguard
androguard: Python toolkit for Android APK, DEX, resources, manifest, and certificate analysis. Use when you want scriptable extraction of package metadata, permissions, activities, strings, resources, classes, or basic code analysis from Android apps instead of only manual GUI decompilation.
tools3
eyewitness
Web screenshotting and reporting tool that captures screenshots of web services and generates an HTML report. Use when asked to visually enumerate web services, screenshot a list of URLs/hosts, generate visual web inventory, or create a report of discovered web interfaces.
tools3
checksec
checksec: Linux binary and kernel hardening inspection tool for RELRO, canary, NX, PIE, RPATH, RUNPATH, symbols, fortify, and kernel config checks. Use when triaging ELF targets for exploitability, verifying compiler hardening, or auditing Linux systems and offline root filesystems.
tools3
dnspy
.NET assembly decompiler, debugger, and editor for reverse engineering managed binaries. Use when analyzing .NET malware (C#/VB.NET), decompiling managed executables, debugging without source code, patching .NET assemblies, or extracting configs from obfuscated .NET samples.
development3
apktool
Apktool: decode and rebuild Android APK resources and smali for patching, manifest edits, resource inspection, and repackaging. Use when reversing or modifying third-party Android apps, changing permissions or resources, editing smali, or preparing an APK for reinstall after static patches.
tools3
subfinder
Passive subdomain enumeration tool using 40+ OSINT sources. Use when asked to find subdomains, enumerate attack surface, discover hidden hosts, or map a target domain's infrastructure passively without touching the target.
tools3
binwalk
Firmware analysis and extraction tool for identifying and extracting embedded file systems, compressed archives, executable code, and crypto keys from binary blobs. Use when reversing IoT firmware, embedded devices, router images, or analyzing binary blobs for hidden content during hardware/firmware security assessments.
tools3
binaryninja
Commercial reverse engineering platform with decompiler, multi-architecture IL system (LLIL/MLIL/HLIL), and Python scripting API. Use when performing static analysis with decompilation, writing automated RE scripts, analyzing firmware or multi-arch binaries, or when a programmable disassembler with type recovery is needed.
development3
frida
Dynamic instrumentation toolkit for hooking functions, tracing APIs, and manipulating running processes across Windows, Linux, macOS, Android, and iOS. Use when performing runtime analysis, bypassing protections, intercepting crypto/network calls, or building custom instrumentation scripts.
tools3
objdump
objdump: binutils inspection and disassembly tool for ELF and many other object formats. Use when you need fast CLI disassembly, section dumps, symbol views, or mixed source and assembly output during reverse engineering, exploit triage, or binary diffing.
tools3
windbg
Microsoft's debugger for user-mode and kernel-mode Windows debugging, crash dump analysis, driver reversing, and rootkit analysis. Use when analyzing Windows kernel drivers, BSOD crash dumps, kernel-mode malware, process memory at system level, or when x64dbg is insufficient.
development3
seccomp-tools
seccomp-tools: seccomp BPF inspection toolkit for dumping, disassembling, assembling, and emulating Linux syscall filters. Use when reversing sandboxed binaries, understanding allowed syscalls, or planning exploit payloads under seccomp constraints.
tools3
strings
strings: printable-string extractor for binaries, libraries, firmware blobs, and files of unknown type. Use when you need a fast first pass for URLs, paths, flags, format strings, compiler banners, crypto material, or embedded configuration before deeper reversing.
development3
gdb
GDB with pwndbg/GEF for dynamic binary analysis, malware debugging, exploit development, and reverse engineering on Linux/WSL. Use when debugging ELF binaries, tracing syscalls, unpacking Linux malware, bypassing anti-debug, or scripting automated analysis with Python.
development3
one-gadget
one-gadget: libc gadget finder for `execve`-style code execution opportunities under known register and stack constraints. Use when you already have a libc leak or version match and want candidate single-shot RCE offsets to test before building a longer ROP chain.
development3
strace
strace: Linux syscall tracer for observing file, process, network, memory, and signal behavior at runtime. Use when you need to understand what a binary really does under execution, debug loader failures, trace sandboxed challenges, or triage malware and exploit behavior from the kernel boundary.
development3
ghidra
NSA's open-source reverse engineering suite with disassembler, decompiler, P-Code IL, and Ghidra/Python scripting. Use when statically analyzing malware, firmware, or binaries to understand logic, recover algorithms, apply type information, diff binaries, or run headless batch analysis.
development3
patchelf
patchelf: ELF patching utility for changing interpreters, RPATH/RUNPATH, DT_NEEDED entries, and SONAME fields. Use when redirecting a binary to a custom loader or libc, fixing packaged ELF dependencies, or preparing local exploit environments that must run against a specific runtime.
tools3
reverse-ssh
Establish reverse SSH tunnels from victim to attacker for interactive shell access behind NAT/firewall. Use when target is not directly reachable and you need a stable SSH shell through outbound-only connections.
tools3
readelf
readelf: ELF metadata inspection utility for headers, sections, program headers, symbols, notes, relocations, and dynamic entries. Use when you need ground-truth ELF structure for reverse engineering, exploit setup, loader debugging, or runtime-linking investigation.
tools3
ropgadget
ROPgadget: gadget discovery utility for ELF, PE, Mach-O, and raw binaries. Use when you need to find ROP, JOP, or syscall gadgets, filter candidates by instruction pattern or bad bytes, generate a first-pass chain, or support exploit-development triage after `checksec` and debugger work.
tools3
weevely3
Stealth PHP webshell with 30+ post-exploitation modules for file ops, pivoting, and persistence. Use after file upload or RFI vulnerabilities to get an interactive PHP shell with built-in post-ex modules.
development3
x64dbg
User-mode debugger for Windows x64/x86 with plugin ecosystem for malware analysis, unpacking, API tracing, and anti-anti-debug. Use when dynamically analyzing PE malware, unpacking obfuscated executables, tracing Windows API calls, scripting conditional breakpoints, or performing live memory patching.
tools3
shellerator
CLI reverse/bind shell generator supporting 20+ languages with optional encoding. Use when generating customized shell payloads for specific languages and encodings during exploitation.
tools3
revshellgen
Interactive Python reverse-shell generator with auto listener setup, encoding support, and shell-type selection. Use when generating modern reverse shell payloads from CLI, choosing payloads by runtime availability, and speeding up operator workflows without manual one-liner editing.
tools3
winpeas
WinPEAS: automated Windows privilege escalation enumeration checking service misconfigurations, unquoted service paths, AlwaysInstallElevated, writable registry keys, token privileges, and stored credentials. Use post-exploitation on Windows as a low-privilege user to surface escalation vectors.
testing1
binwalk
Analyze and extract firmware images, identifying embedded file systems, compressed archives, and executable code. Use when reversing IoT firmware, embedded devices, or binary blobs during hardware/firmware security assessments.
development1
radare2
CLI reverse engineering framework with disassembly, debugging, scripting, and binary patching. Use when analyzing binaries headlessly, scripting RE tasks, patching executables, or working in resource-constrained environments.
tools1
amass
OWASP attack surface mapping tool for subdomain enumeration, DNS brute-force, and asset discovery using passive and active techniques. Use when asked for deep subdomain reconnaissance, attack surface mapping, DNS enumeration, or when subfinder alone is insufficient.
tools1
sn1per
Automated penetration testing recon framework combining 20+ tools in a single scan. Use when performing comprehensive target recon that combines port scanning, subdomain discovery, web crawling, and vulnerability detection.
tools1
sublist3r
Subdomain enumeration using OSINT sources (Google, Bing, Baidu, DNSDumpster, VirusTotal, ThreatCrowd). Use when passively enumerating subdomains from public search engines and threat intel platforms.
development1
cupp
Custom User Password Profiler that generates targeted wordlists from personal information about a target. Use when asked to generate a targeted wordlist, profile a specific person for password guessing, create a custom dictionary from OSINT data, or prepare a personalized password list for brute-force attacks.
development1
gophish
Open-source phishing campaign framework with web UI for creating credential harvesting campaigns, tracking click-through rates, and managing targets. Use when asked to set up a phishing campaign, create credential harvesting pages, send spear-phishing emails, or generate phishing infrastructure.
tools1
modlishka
Modlishka: flexible reverse proxy phishing framework that captures credentials and session cookies while bypassing 2FA/MFA. Use when conducting phishing campaigns targeting OTP or push MFA by acting as a transparent MITM between victim and the real site.
development1
set
Social-Engineer Toolkit (SET) for spear-phishing, credential harvesting, and payload delivery via social engineering vectors. Use when asked to create spear-phishing emails with payloads, clone websites for credential harvesting, generate social engineering pretexts, or automate phishing + exploit delivery.
tools1
commix
Commix: automated OS command injection detection and exploitation tool supporting classic, time-based, and file-based techniques. Use when detecting and exploiting command injection vulnerabilities in web parameters, cookies, or HTTP headers, or escalating from injection to interactive shell access.
tools1
dotdotpwn
Directory traversal vulnerability fuzzer for web servers and applications. Use when testing for path traversal and LFI vulnerabilities across HTTP, FTP, and TFTP services.
development1
sqlmap
sqlmap: automatic SQL injection detection and exploitation tool supporting all major database backends. Use when testing web parameters, cookies, or headers for SQLi; extracting database contents; or escalating to OS command execution via INTO OUTFILE or xp_cmdshell.
tools1
xsstrike
XSStrike: advanced XSS detection suite with context-aware payload generation, DOM XSS analysis, site crawler, and WAF-bypass fuzzer. Use when testing for reflected, stored, or DOM-based XSS, identifying injection contexts, or generating payloads tailored to bypass specific filters.
testing1
zap
OWASP ZAP: open-source web application scanner and intercepting proxy for automated active/passive vulnerability scanning. Use when performing comprehensive web app tests, integrating security scanning into CI/CD pipelines, scripting custom scan logic, or running headless API scans.
development1
certify
Certify (GhostPack): AD Certificate Services enumeration and abuse tool for detecting ESC1-ESC8 template misconfigurations. Use when auditing AD CS, escalating privileges by requesting certs for alternate UPNs, or mapping ADCS attack surface before exploitation.
tools1
evil-winrm
Interactive WinRM shell for Windows remote management with support for pass-the-hash, pass-the-ticket, SSL, file upload/download, and PowerShell scripts. Use when asked to get a shell on a Windows host via WinRM, use pass-the-hash over WinRM, upload tools, or run PowerShell remotely.
tools1
psexec
Impacket psexec for remote SYSTEM-level shell execution on Windows hosts via SMB. Use when asked to execute commands remotely on a Windows host, get a SYSTEM shell via SMB, perform pass-the-hash for remote execution, or run commands on a Windows machine using impacket tools.
tools1
trevorspray
Threaded password spraying tool targeting Microsoft 365, Azure AD, ADFS, and on-prem Active Directory. Use when asked to perform password spraying against Office 365, Azure, or AD environments, enumerate valid usernames, or test lockout-safe spraying with jitter and delay controls.
tools1
c-patterns
C language patterns and best practices for safe, maintainable C: ownership, error handling, integer safety, and API design. Use when writing or reviewing C code (C11+) and when designing low-level modules with clear resource lifetimes.
development1
golang-patterns
Idiomatic Go patterns, best practices, and conventions for building robust, readable, and maintainable Go code. Use when writing, reviewing, or refactoring Go (APIs, packages, errors, interfaces, concurrency, and code style).
development1
python-async-patterns
Async Python patterns for building non-blocking I/O with asyncio and async/await: task orchestration, cancellation, timeouts, backpressure, rate limiting, and safe sync/async boundaries. Use when implementing concurrent network/DB workflows or async services.
development1
rust-performance
Rust performance workflow: benchmark and profile first, identify hotspots, reduce allocations and contention, improve data layout, tune release profiles, and verify gains with repeatable evidence. Use only after you have a real Rust performance symptom, regression, or hotspot in `.rs` code.
development1
rust-testing
Rust testing patterns for unit, integration, async, doc, property, snapshot, and benchmark-adjacent tests. Use when writing or reviewing tests for `.rs` code, reducing flakiness, designing fixtures/fakes, or improving CI confidence in Rust crates and workspaces.
development1
sensors
Select, compare, and integrate sensors for Arduino, ESP32, robotics, model-making, and home automation with focus on signal quality, false positives, debounce, and practical wiring. Use when asked which sensor to choose, how to detect an event reliably, how to map signals into code, or how to design sensor-driven systems such as break-beams, PIR, vibration, IMU, climate, occupancy, or binary-sensor style automations.
tools1
arduino
Build, review, debug, and scaffold professional Arduino projects across classic AVR boards (`Uno`, `Nano`, `Mega`), Renesas-based R4 boards (`Uno R4 Minima`, `Uno R4 WiFi`, `Nano R4`), ESP32-based Arduino boards, and other common Arduino-family targets. Use when asked for sketches, `.ino` files, Arduino IDE 2, Arduino CLI, PlatformIO, or Arduino Cloud workflows, board-specific pin maps, wiring/BOM notes, unit tests, debug plans, upload/serial monitor troubleshooting, or refactors that must stay practical on real hardware.
tools1
ghidra
NSA's open-source reverse engineering suite with disassembler, decompiler, and scripting. Use when statically analyzing malware, firmware, or binaries to understand logic, find vulnerabilities, or recover algorithms.
development1
enum4linux
SMB and Windows/Samba enumeration tool that extracts users, shares, groups, OS info, and password policies via null sessions or with credentials. Use when asked to enumerate a Windows host or Samba share, find users via SMB, extract domain info, or check for null session access.
tools1
corsy
CORS misconfiguration scanner that detects exploitable cross-origin resource sharing issues. Use when testing web apps for CORS vulnerabilities that could allow cross-origin data theft.
development1
kiterunner
Context-aware API route discovery and brute-forcing using real-world API schema wordlists. Use when enumerating API endpoints, discovering hidden routes on REST/gRPC services, or replacing dirbusting for API surfaces.
development1
evilginx2
Man-in-the-middle phishing proxy that captures session cookies and bypasses MFA/2FA by proxying real login pages. Use when asked to bypass two-factor authentication via phishing, capture session tokens, perform adversary-in-the-middle (AiTM) attacks, or set up a reverse-proxy phishing site.
data-ai1
ffuf
Fast web fuzzer for directory/file discovery, parameter fuzzing, virtual host discovery, and POST data fuzzing. Use when asked to fuzz web endpoints, discover hidden parameters, enumerate directories, test for injection points, or perform any HTTP-level wordlist-based fuzzing.
development1
linpeas
LinPEAS: automated bash script enumerating Linux/macOS privilege escalation vectors including SUID binaries, writable paths, weak service configs, cron jobs, sudo rules, and kernel CVE indicators. Use post-exploitation as a low-privilege user on Linux or macOS to identify escalation paths.
data-ai1
dirsearch
Web path scanning and directory brute-forcing with recursive scanning and multi-extension support. Use when enumerating web server content, finding hidden endpoints, and discovering backup or config files.
tools1
pyexfil
Multi-channel data exfiltration tool supporting 20+ covert channels (ICMP, DNS, HTTPS, SMTP, Slack, QUIC). Use when testing DLP controls or exfiltrating data through unconventional protocols.
tools1
x64dbg
User-mode debugger for Windows x64/x86 with plugin ecosystem for malware analysis, unpacking, and vulnerability research. Use when dynamically analyzing PE malware, unpacking obfuscated executables, or tracing Windows API calls.
tools1
privesccheck
PrivescCheck: pure PowerShell Windows privilege escalation enumeration script checking services, scheduled tasks, registry, DLL hijacking, COM hijacking, and stored credentials. Use when winPEAS is blocked by AV, for a lower-detection PS1 alternative, or for structured readable output with remediation context.
testing1
maltego
Visual intelligence and link analysis platform for mapping relationships between people, organizations, domains, IPs, and infrastructure. Use when building entity relationship graphs during recon or threat intelligence gathering.
development1
shellter
Shellter: dynamic shellcode injection tool that backdoors native Windows PE executables while preserving original functionality to evade AV detection. Use when trojanizing legitimate PE files (putty, vlc, notepad++) with custom shellcode payloads for initial access.
tools1
dnsexfiltrator
Exfiltrate data over DNS queries using a custom DNS server. Use when HTTP/S channels are blocked and DNS traffic is allowed outbound, enabling covert file transfer via DNS TXT/A records.
data-ai1
veil
Veil: AV evasion framework generating Metasploit-compatible payloads in multiple languages (Python, Ruby, Go, C#, PowerShell) to bypass common antivirus. Use when generating obfuscated shellcode runners or embedding Meterpreter payloads that survive AV scanning at initial access.
development1
cain-and-abel
Windows password recovery tool for sniffing, cracking (dictionary/brute-force/cryptanalysis), and decoding stored credentials. Use when recovering Windows hashes, cracking captured handshakes, or decoding cached credentials on Windows systems.
tools1
scoutsuite
Multi-cloud security auditing tool for AWS, Azure, GCP, and others. Use when assessing cloud misconfigurations, reviewing IAM policies, security groups, storage permissions, and generating audit reports.
tools1
gitleaks
Detect hardcoded secrets (API keys, tokens, credentials) in git repos and files. Use when auditing source code, CI pipelines, or commit history for leaked secrets in red-team or pre-engagement recon.
development1
silenttrinity
Post-exploitation C2 framework using Boo-lang .NET implants with asynchronous communication. Use when targeting Windows environments needing CLR-based implants that bypass traditional PowerShell-based detections.
development1
cloakify
Exfiltrate data by encoding it as innocuous-looking strings (tweets, chess moves, cat names). Use when needing to bypass DLP tools by disguising exfiltrated data as benign traffic or files.
tools1
arjun
Discover hidden HTTP parameters in web endpoints. Use when performing API reconnaissance, fuzzing query/body/header parameters, or finding undocumented inputs in REST/GraphQL endpoints.
development1
deep-research-generic
File-backed deep research with recursive link-following, multi-tool fetching (Jina Reader, Tavily, Playwright), and step-by-step synthesis. Use when the user asks to research, investigate, analyze, or summarize a topic in depth; when a thorough answer requires gathering and cross-referencing multiple sources across linked pages; or when the output must be comprehensive, cited, and not limited by context window size.
tools1
cpp-bof
Generate, compile, and debug Beacon Object Files (BOF) in C++ for Cobalt Strike and compatible C2 frameworks. Use when the user asks to create a C++ BOF, leverage RAII/templates/classes inside a BOF, use typedef+GetProcAddress DFR, integrate COM/GDI+, or needs dual-build (BOF+EXE) patterns.
development1
rubeus
Kerberos attack toolkit for TGT/TGS requests, AS-REP roasting, Kerberoasting, pass-the-ticket, overpass-the-hash, and S4U delegation abuse. Use when asked to perform Kerberos attacks, request tickets, roast service accounts, extract TGTs, or abuse Kerberos delegation in Active Directory.
tools1
nanodump
Stealthy LSASS memory dumper using syscalls, handle duplication, and fork-based techniques to evade EDR and AV. Use when asked to dump LSASS memory for credential extraction, create a minidump of LSASS without triggering EDR, extract NTLM hashes and Kerberos tickets from memory, or perform a stealthy credential dump on a Windows host.
tools1
shellcode-fluctuation
C++ shellcode fluctuation technique that encrypts injected shellcode between C2 sleep intervals to evade EDR memory scans. Use when implants are being detected by memory-scanning EDR products during sleep.
development1
coercer
Coercer forces Windows servers to authenticate to a controlled host by abusing MS-RPRN, MS-EFSR, MS-DFSNM, and other RPC protocols, enabling NTLM relay or hash capture. Use when asked to coerce NTLM authentication from a Windows server, set up an NTLM relay via Responder, or exploit printspooler/PetitPotam-style auth coercion.
testing1
agent-md-creator
Create, update, or refactor repository-root and nested AGENTS.md files for AI coding agents. Use when the user asks to bootstrap AGENTS.md, replace tool-specific instruction files with a shared open format, compress overly verbose agent instructions, document build/test commands for agents, or design minimal project instructions for monorepos and subprojects.
tools1
python-testing
Python testing patterns with pytest: TDD loop, fixtures, parametrization, mocking, test organization, async testing, coverage, and CI hygiene. Use when writing or reviewing Python tests to improve correctness and reduce flakiness.
development1
readme-md-creator
Create, update, rewrite, or shorten repository README.md files so they stay concise, well-sectioned, non-redundant, and written in clear English. Use when the user asks to create a new README, improve or refresh an existing one, standardize structure and tone, remove bloat, or add practical setup and usage guidance, selective badges or callouts, and small ASCII architecture diagrams only when the architecture or flow is important to understanding the project.
testing1
pacu
AWS exploitation framework for auditing and attacking misconfigured AWS environments. Use when performing AWS red-team engagements, privilege escalation, data exfiltration, or persistence in AWS accounts.
development1
trufflehog
Find leaked credentials and secrets in git repos, S3 buckets, filesystems, and CI systems using entropy analysis and 700+ detectors. Use when hunting for secrets in large codebases or cloud storage during recon.
development1
linux-exploit-suggester
Suggest Linux privilege escalation exploits based on kernel version and OS. Use after gaining initial access to Linux systems to quickly identify applicable local privilege escalation CVEs.
data-ai1
self-improvement
Capture errors, corrections, discoveries, and recurring patterns so future sessions start smarter. Use when a user corrects the agent, a non-obvious failure is diagnosed, a project convention is discovered, a requested capability is missing, or before starting long multi-session work in an area that may already have learnings.
data-ai1
deep-research-offensive
File-backed offensive security research with recursive link-following, multi-tool fetching (Jina Reader, Tavily, Playwright), and step-by-step synthesis. Use when researching CVEs, vulnerabilities, exploits, attack chains, PoC code, OSINT targets, red team planning, or threat intelligence. Saves each useful page to intermediate files, follows linked sources recursively, and produces a comprehensive research document not limited by context size.
tools1
cpp-testing
C++ testing workflow for unit and integration tests: GoogleTest/GoogleMock, CMake/CTest integration, diagnosing flaky tests, and running sanitizers and coverage for correctness signal. Use when writing or fixing C++ tests and test infrastructure.
development1
sliver
Sliver: open-source adversary simulation C2 framework by BishopFox supporting mTLS, WireGuard, HTTP/S, and DNS transports with per-binary asymmetric encryption. Use when deploying C2 implants, generating cross-platform beacons, managing multi-operator engagements, or executing BOFs via the armory.
development1
asm-testing
Assembly code testing, debugging, and bug-hunting workflow for hand-written and injected assembly: C/Go harness testing, GDB/LLDB/WinDbg/x64dbg verification, objdump structural analysis, Python helpers (Capstone/Unicorn/Keystone), Frida dynamic instrumentation, offensive ASM debugging (trampolines, callgates, syscall stubs, stack spoofing, PIC shellcode), reverse engineering own binaries, and common bug pattern diagnosis. Use when verifying correctness of .asm/.s/.S files, debugging crashes in injected code, hunting silent corruption in offensive tooling, or building ad-hoc Python analysis scripts.
tools1
mimipenguin
Dump credentials from memory on Linux systems (GNOME Keyring, VSFTPd, Apache, SSH). Use when you have root on a Linux target to extract plaintext passwords from running processes and memory.
data-ai1
lfisuite
Automated Local File Inclusion testing and exploitation tool with path traversal and log poisoning. Use when testing and exploiting LFI vulnerabilities to achieve RCE via log poisoning or /proc inclusion.
tools1
kerbrute
Kerberos-based user enumeration and password spraying tool for Active Directory. Use when asked to enumerate valid AD usernames via Kerberos pre-auth, perform password spraying against AD, brute-force a specific user's password, or identify valid accounts without triggering standard auth logs.
tools1
pupy
Cross-platform remote administration and post-exploitation tool with Python implants. Use when needing a lightweight RAT with in-memory modules, multiple transports (TCP/HTTP/WebSocket), and migration capabilities.
tools1
poshc2
PoshC2: proxy-aware Python C2 framework with implants in PowerShell, C#, Python, and C. Use when operating in environments with available PowerShell and network proxies, needing proxy-aware beacons, or performing post-exploitation with built-in credential access and lateral movement modules.
development1
crackmapexec
Swiss-army knife for Active Directory environments — SMB/WinRM/LDAP lateral movement, credential spraying, share enumeration, and remote code execution. Use when asked to spray credentials against AD, enumerate SMB shares, execute commands remotely, dump SAM/LSA/NTDS, or map an Active Directory environment.
development1
phpsploit
Stealth post-exploitation framework operating via HTTP headers inside a webshell. Use when you have a PHP webshell on target and need an interactive shell, file ops, and plugin-based post-exploitation over HTTP.
tools1
merlin
Cross-platform C2 server using HTTP/2 (h2c), HTTP/3 (QUIC), and DNS transports for covert agent communication. Use when needing a Go-based implant over non-standard encrypted channels to evade network inspection.
development1
covenant
Covenant: collaborative .NET C2 framework with web UI, Grunt implants over HTTP/S and SMB, built-in task library, and multi-operator support. Use when running .NET-native red team operations, leveraging the task library for post-exploitation, or training teams on visualized collaborative C2.
development1
cobalt-strike
Cobalt Strike: commercial adversary simulation platform with Beacon implant supporting HTTP/S, DNS, SMB, TCP, and Malleable C2 profiles. Use when operating professional red team engagements, simulating advanced threat groups, managing multi-operator teamserver infrastructure, or executing BOFs.
testing1
c-bof
Generate, compile, and debug Beacon Object Files (BOF) in C for Cobalt Strike and compatible C2 frameworks. Use when the user asks to create a BOF, convert a C PoC into a BOF, resolve BOF linking/entrypoint errors, or needs patterns for DFR, heap management, injection, key-value state, multi-mode BOFs, or embedded payloads.
development1
asm-patterns
Assembly language patterns, calling conventions, and code structure for x86-64 and ARM64. Use when writing, reviewing, or generating .asm/.s/.S files; when implementing functions that interoperate with C/system code; or when establishing correct prologues, epilogues, stack management, SIMD loops, syscall stubs, or PIC data access.
development1
asm-offensive-patterns
Offensive x86-64 (and ARM64/x86) assembly patterns for red team, malware development, and evasion engineering. Covers direct/indirect syscalls; SSN resolution (Hell's Gate, Halo's Gate, Tartarus' Gate, FreshyCalls, DWhisper/RecycleGate); call-stack spoofing (Draugr, SilentMoonwalk DESYNC, Eclipse bypass); vDSO/libc dispatching on Linux; Heaven's Gate WoW64; PEB-walk IAT-free API resolution; metamorphic encoders (ADFL, XorMeta, Morph, MBA-XOR); PIC shellcode (CALL-POP, RIP-relative); ETW/AMSI patching; Gargoyle sleep obfuscation; VEH+HWBP HWBP abuse; fiber/threadless injection; ARM64 macOS syscalls. Use when writing, reviewing, or generating offensive .asm/.s/.S files; building stealth payloads, loaders, or BOFs; or selecting the right evasion primitive for Windows/Linux/macOS.
tools1
adaptixc2-dev
Develop, extend, and maintain AdaptixC2 extenders (agents, listeners, services) and their template generators. Use when creating new plugins, adding commands, building beacon/listener/service implementations, writing AxScript UI, designing wire protocols, or using the Template-Generators scaffold system. Covers the full plugin lifecycle: Go plugin API (axc2 v1.2.0), AxScript forms/commands/events/menus, config.yaml wiring, Teamserver interface, protocol overlays, multi-language implant builds (Go/C++/Rust), evasion gates, and validation workflows.
tools1
rust-patterns
Idiomatic Rust patterns and best practices for readable, safe, maintainable Rust: ownership, borrowing, API design, enums/traits, error handling, iterators, module layout, and tooling. Use when writing or reviewing `.rs` code, refactoring crates, porting non-idiomatic code into Rust, or designing Rust APIs.
tools1
python-patterns
Pythonic patterns and best practices for writing readable, robust Python: typing, error handling, data modeling, iteration, resource management, project layout, and tooling. Use when writing or reviewing Python code and APIs.
tools1
golang-testing
Go testing patterns for unit tests, table-driven tests, subtests, test helpers, mocking/fakes, benchmarks, fuzzing, and coverage. Use when writing or reviewing Go tests to improve correctness, stability, and maintainability.
tools1
nim-shellcode-fluctuation
Nim port of shellcode fluctuation — encrypts injected shellcode in memory between executions to evade memory scanners. Use when deploying implants that must hide from EDR in-memory scanning of RWX regions.
development1
golang-performance
Go performance workflow: benchmark and profile (pprof/trace), identify hotspots, reduce allocations/GC and contention, and verify improvements with repeatable measurement. Use only after you have evidence the Go code is the bottleneck.
development1
cpp-patterns
Modern C++ patterns and best practices for readable, safe, maintainable C++ code: RAII, ownership, error handling, API design, concurrency basics, and build/tooling hygiene. Use when writing or reviewing C++ (C++20+) code.
tools1
c-testing
C testing workflow for unit and integration tests: harness structure, CTest integration, diagnosing failures, and using sanitizers and fuzzing for bug-finding signal. Use when writing or fixing tests for C (C11+) modules.
testing1
asm-performance
Assembly performance optimization workflow: collect compiler-emitted ASM, classify bottlenecks with TMA, audit for codegen issues (bounds checks, register spills, dependency chains, missed vectorization, memory traffic, bad instruction selection, store-forwarding stalls, frontend pressure, data layout), apply one change at a time, measure, and report. Use after profiling confirms ASM is the bottleneck.
development1
lazagne
Post-exploitation credential recovery tool that extracts saved passwords from browsers, mail clients, databases, Git, WiFi, and other installed applications. Use when asked to dump saved credentials from a compromised host, extract browser passwords, recover application credentials, or collect all local credentials for lateral movement.
tools1
tplmap
Automatic Server-Side Template Injection detection and exploitation across 18+ template engines. Use when testing for SSTI vulnerabilities in Jinja2, Twig, Smarty, Mako, and other template engines to achieve RCE.
testing1
donut
Shellcode generator that converts .NET assemblies, EXEs, DLLs, and COM objects into position-independent shellcode. Use when asked to convert a .NET tool into shellcode, load an assembly in memory, generate a payload for injection, or create position-independent shellcode from a Windows executable.
tools1