ghostonbutterbread
51 verified skills
403
Use when an in-scope endpoint returns 403 Forbidden and the agent owns the endpoint or it is a server endpoint safe to probe with bounded access-bypass checks.
testing
shared-skill-creator
Create or update shared skills in the correct project repo, then commit, push, and run aiskillsync when configured.
data-ai
bypass
Use when testing access, parser, encoding, WAF, redirect, LFI, SSRF, IDOR, CORS, SQLi, XSS, RCE, or other bypass techniques against a scoped target.
testing
pullscope
Use when pulling bug bounty scope, checking in-scope assets, fetching HackerOne, Bugcrowd, or Intigriti program scope, or initializing normalized target lists before recon or testing.
testing
prompt-injection
Use when testing AI-integrated app behavior, prompt injection, indirect prompt injection, LLM tool misuse, AI content manipulation, system prompt leakage, or trust-boundary failures.
tools
electron
Use when running beta Electron Team profiles against a local Electron app, extracted app.asar, or desktop application source, including Electron config, preload bridge, IPC, custom protocol, and research-note-assisted prompt preparation.
data-ai
intercepted-proxy
Launch scoped browsers through the correct Caido proxy, enable live intercept or Tamper one lane at a time, modify selected requests, forward them, then disable intercept.
data-ai
payment-testing
Route checkout, billing, subscriptions, coupons, credits, gift cards, invoices, refunds, payment authorization, and paid-entitlement testing into safe zero-dollar-first workflows.
testing
url-ingest
Use when importing, indexing, filtering, queueing, checking, or marking recon URLs in the SQLite-backed per-lane URL review tracker.
testing
findings
Use when viewing, listing, filtering, summarizing, or checking bug bounty findings, including /findings requests by program or severity.
testing
fuzz
Use when discovering hidden endpoints, parameters, files, routes, directories, request fields, or undocumented application surface through fuzzing.
documentation
hunt
Use when starting or orchestrating a bug bounty hunt, running /hunt for a program, selecting testing tasks, or coordinating parallel security research work.
testing
manual_hunter
Use when adding manual security findings to the Ghost pipeline, importing findings from files, watching report directories, or running /manual_hunter workflows.
testing
recon
Use when doing reconnaissance, enumerating targets, discovering endpoints, mapping attack surface, collecting domains, probing services, or preparing targets for security testing.
testing
sqli
Use when testing SQL injection, SQLi, database query injection, parameter tampering against SQL-backed endpoints, error-based injection, boolean/time-based injection, or stacked query behavior.
testing
status
Use when checking orchestrator status, active targets, current findings, running agents, Ghost pipeline state, or /status-style progress during a hunt.
testing
sync-reports
Use when syncing reports, importing vulnerabilities from source report directories into the Ghost pipeline, writing reports from memory, or running /sync-reports for a program.
testing
waf
Use when detecting, fingerprinting, or bypassing WAF blocks, rate limits, payload filtering, blocked probes, CDN security rules, or application firewall behavior during testing.
testing
xss
Use when testing Cross-Site Scripting or routing XSS work into reflected, stored, or DOM lanes. Load this first for XSS triage, then load reflected-xss, stored-xss, or dom-xss based on where attacker-controlled input lands.
testing
me
Use when the user asks for /me, a Ghost-aware bug bounty hunting briefing, current target context for Codex/Claude, manual hunt coordination, fresh/default hunt context, bounty harness storage paths, ledger/coverage coordination, or how to write findings into Ghost's current bounty pipeline.
development
race
Use when testing race conditions, concurrent workflow flaws, double-submit bugs, parallel requests, locking issues, time-of-check/time-of-use behavior, or state consistency under load.
testing
headers
Route security testing for HTTP header trust, origin validation, proxy context, route overrides, host routing, method overrides, content negotiation, and auth-header precedence.
development
brainstorm
Use when brainstorming bug bounty approaches, attack ideas, developer assumptions, auth bypass angles, business-logic abuse paths, new targets, new application areas, likely mistakes, or testing ideas before deeper recon or exploitation.
development
retard-collaboration
Use when the user asks for Retard mode, retard collaboration, creative multi-agent bug bounty brainstorming, or attack-chain generation from existing zero_day_team findings and wants lateral ideas, filtered concepts, or synthesized exploit chains.
data-ai
error-triage
Classify HTTP error responses during bug bounty testing and route agents into the next safe skill or stop condition based on goal, ownership, status code, and response evidence.
development
appmap
Use when mapping a local application source tree or extracted binary source with /appmap to produce static AppMap artifacts and generated brainstorm specs before handing execution to zero_day_team or apk_team.
data-ai
brainstorm-spec
Use when creating, editing, summarizing, or importing a target-lane brainstorm spec with /brainstorm-spec so zero_day_team, apk_team, and future harness modules can consume hypothesis-driven dynamic agents.
data-ai
appmap-research-librarian
Use when creating a gated research campaign for AppMap where one agent scouts external sources, another validates them into structured technique packs, and AppMap later ingests only reviewed local seed data or explicit validated URLs.
testing
csrf
Use when testing Cross-Site Request Forgery, CSRF, anti-CSRF token validation, SameSite bypasses, Origin or Referer enforcement, state-changing requests, or browser-driven unauthorized actions.
testing
chromium-test
Launch an isolated Chromium test browser on a free local CDP port for scoped web, desktop, or proxy-observed bug bounty workflows.
development
ato
Route account takeover testing across password reset, recovery, SSO/OAuth, account linking, MFA, email change, session, invite, and identity-binding flows.
testing
caido
Connect to a Caido MCP instance for proxy traffic inspection and request comparison.
tools
pfp
Route profile-picture, avatar, and image-profile workflows into focused upload, SSRF, XSS, IDOR, WAF, race, and storage testing lanes.
testing
idor
Use when testing Insecure Direct Object Reference, IDOR, broken object-level authorization, cross-account access, tenant isolation, user ID tampering, or resource ownership checks.
testing
dom-xss
Use when XSS depends on browser-side sources and sinks such as URL/query/hash, router state, local/session storage, cookies, postMessage, DOM parsing, framework render paths, or client-side sanitizer behavior.
tools
ssrf
Use when testing Server-Side Request Forgery, URL fetchers, webhooks, importers, metadata access, internal reachability, redirect bypasses, or server-side URL validation.
development
stored-xss
Use when attacker-controlled input is saved and rendered later in a profile, comment, title, notification, admin view, export, email, feed, upload metadata, or other stored render surface.
documentation
reflected-xss
Use when attacker-controlled input appears in the immediate HTTP response or browser-rendered page and needs reflected XSS context classification, payload selection, mutation, and browser verification.
content-media
skills/lfi
# LFI — Local File Inclusion Bypass ## What It Does Tests LFI bypass techniques: path traversal, null bytes, wrappers, log poisoning. Load `general-security-testing-policy`, `live-testing-policy`, and `injection-testing-policy` before live testing. For file/path sinks, absence of an immediate file read or response delta is not a stop reason by itself; use the policy to reason about path normalization, extension allowlists, wrappers, encoding, parser differences, and stack-specific proof ladder
tools
pwnfox
Use when inspecting proxy traffic from PwnFox-profiled browser sessions, filtering Caido/Burp/proxy history by X-PwnFox-Color, or interpreting user phrases like 'Red session' as a distinct browser/auth/profile lane.
data-ai
single-request-grabber
Capture one live owned-session request through proxy or browser, then perform a bounded modify/replay test for CSRF, access-control, header, or request-shape validation.
testing
recon-ry
Run Ryushe's recon-ry on Hoster and ingest completed outputs into canonical recon artifact directories.
tools
temporary-email
Create and read disposable Mail.tm inboxes for owned test account setup.
testing
agent-proxy
Resolve the default agent-lane Caido MCP endpoint for the current agent host.
tools
live-map
Build runtime application maps from browser exploration, proxy traffic, manual observations, or hybrid source/runtime evidence.
development
ryushe-proxy
Inspect or compare Ryushe's personal Caido traffic from an approved Hoster agent.
data-ai
chromium-handoff
Expose a safe manual handoff page for an existing CDP Chromium session so Ryushe can solve CAPTCHA, Cloudflare, Turnstile, bot challenges, or inspect a stuck browser through an SSH tunnel.
devops
ssti
Use when testing server-side template injection, template expression evaluation, template-engine fingerprinting, or template-rendered user input.
testing
access-control
Route broken access control, IDOR, BOLA, role, tenant, workflow, method, header, path, and auth-state testing into focused authorization lanes.
testing
mental-map
Use when mapping application architecture, analyzing Caido MCP proxy traffic, grouping requests into auth, cart, checkout, signup, login, forgot-password, or user-profile flows, or documenting sequence diagrams and replication notes.
tools
mullvad
Switch Mullvad VPN relays for scoped bug bounty connectivity, DNS failures, transient page-load failures, or suspected VPN exit-node blocking.
data-ai