mlvpatel
12 verified skills12 total stars
chain-guard
Smart contract security audit — 10 DeFi bug classes (accounting desync, access control, incomplete path, off-by-one, oracle, ERC4626, reentrancy, flash loan, signature replay, proxy), pre-dive kill signals (TVL < $500K etc), Foundry PoC template, grep patterns for each class, and real Immunefi paid examples. Use for any Solidity/Rust contract audit or when deciding whether a DeFi target is worth hunting.
development1
hunt-mindset
Use at the START of any bug bounty hunting session, when switching targets, or when feeling lost about what to do next. Master orchestrator that combines the 5-phase non-linear hunting workflow with the critical thinking framework (developer psychology, anomaly detection, What-If experiments). Routes to all other skills based on current hunting phase. Also use when asking "what should I do next" or "where am I in the process."
development1
sentinel-core
Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gates, human-tone writing, templates by vuln class, CVSS 3.1, PoC generation, always-rejected list, conditional chain table, submission checklist). Use for ANY bug bounty task — starting a new target, doing recon, hunting specific vulns, auditing source code, testing AI features, validating findings, or writing reports. 中文触发词:漏洞赏金、安全测试、渗透测试、漏洞挖掘、信息收集、子域名枚举、XSS测试、SQL注入、SSRF、安全审计、漏洞报告
tools1
verdict-gate
Finding validation before writing any report — 7-Question Gate (all 7 questions), 4 pre-submission gates, always-rejected list, conditionally valid with chain table, CVSS 3.1 quick reference, severity decision guide, report title formula, 60-second pre-submit checklist. Use BEFORE writing any report. One wrong answer = kill the finding and move on. Saves N/A ratio.
testing1
bug-bounty
Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gates, human-tone writing, templates by vuln class, CVSS 3.1, PoC generation, always-rejected list, conditional chain table, submission checklist). Use for ANY bug bounty task — starting a new target, doing recon, hunting specific vulns, auditing source code, testing AI features, validating findings, or writing reports.
tools1
code-reaper
Static Application Security Testing (SAST) — deep source code analysis for vulnerability detection. Covers 12 languages (JavaScript/TypeScript, Python, PHP, Go, Ruby, Rust, Java, C#, Solidity, Kotlin, Swift, Dart). Automated scanning (Semgrep rulesets, Gitleaks, Trufflehog), manual pattern hunting (dangerous sinks, auth inconsistency, injection vectors), taint analysis (source→sink tracing), auth architecture audit (middleware gaps, IDOR patterns, privilege escalation), secret detection (API keys, tokens, credentials), dependency analysis (known CVEs in packages), and framework-specific vulnerability patterns. Generates prioritized findings with exploitability assessment. Use when asked to "review this code", "audit source code", "find vulnerabilities in code", "static analysis", "code security review", "SAST scan", or when source code is available for a target.
development1
netbreach
Network penetration testing — full methodology from host discovery to post-exploitation. Covers Phase 0 (scoping + rules of engagement), Phase 1 (host discovery — nmap, masscan, ARP scan, IPv6), Phase 2 (service enumeration — version detection, banner grabbing, script scanning, UDP), Phase 3 (vulnerability assessment — CVE mapping, Nessus/OpenVAS parsing, exploit-db matching, default credentials), Phase 4 (exploitation — Metasploit, manual exploits, password attacks, service-specific attacks for SSH/SMB/RDP/FTP/SNMP/SMTP/DNS/LDAP/Kerberos/HTTP/MySQL/MSSQL/PostgreSQL/Redis/MongoDB), Phase 5 (post-exploitation — privilege escalation Linux/Windows, persistence, credential harvesting, pivoting, lateral movement), Phase 6 (Active Directory attacks — AS-REP roasting, Kerberoasting, Pass-the-Hash, DCSync, BloodHound, NTLM relay, certificate abuse), Phase 7 (wireless — WPA2/WPA3, evil twin, deauth, PMKID), Phase 8 (reporting — executive summary, technical findings, CVSS scoring, remediation). Use for ANY network pentest task — internal/external assessment, AD testing, infrastructure audit, vulnerability assessment, or when asked to "scan this network", "pentest this host", "attack this service", "escalate privileges", or "test Active Directory".
development1
vuln-matrix
Complete reference for 20 web2 bug classes with root causes, detection patterns, bypass tables, exploit techniques, and real paid examples. Covers IDOR, auth bypass, XSS, SSRF (11 IP bypass techniques), SQLi, business logic, race conditions, OAuth/OIDC, file upload (10 bypass techniques), GraphQL, LLM/AI (ASI01-ASI10 agentic framework), API misconfig (mass assignment, JWT attacks, prototype pollution, CORS), ATO taxonomy (9 paths), SSTI (Jinja2/Twig/Freemarker/ERB/Spring), subdomain takeover, cloud/infra misconfigs, HTTP smuggling (CL.TE/TE.CL/H2.CL), cache poisoning, MFA bypass (7 patterns), SAML attacks (XSW/comment injection/signature stripping). Use when hunting a specific vuln class or studying what makes bugs pay.
development1
apex-pipeline
Unified application security testing workflow — combines recon, SAST, DAST, manual hunting, validation, and reporting into a single orchestrated pipeline. Runs as an "app" with automated phase transitions. Supports web apps (React, Next.js, Django, Flask, Laravel, Spring, Rails, Express), mobile APIs, GraphQL, REST, gRPC, and microservices. Phases — Phase 0 (target intake + scope lock), Phase 1 (passive recon + tech fingerprint), Phase 2 (SAST deep scan via semgrep/grep/trufflehog), Phase 3 (DAST active probing — nuclei/ffuf/dalfox), Phase 4 (manual hunt — IDOR/SSRF/XSS/SQLi/auth-bypass/race/business-logic/LLM), Phase 5 (chain building + impact escalation), Phase 6 (7-Question Gate validation), Phase 7 (report generation). Use when starting a full security assessment on any application, when asked to "test this app", "audit this codebase", "find bugs in this project", or when you need an end-to-end security workflow that combines static and dynamic analysis with manual expertise.
development1
ghost-recon
Web2 recon pipeline — subdomain enumeration (subfinder, Chaos API, assetfinder), live host discovery (dnsx, httpx), URL crawling (katana, waybackurls, gau), directory fuzzing (ffuf), JS analysis (LinkFinder, SecretFinder), continuous monitoring (new subdomain alerts, JS change detection, GitHub commit watch). Use when starting recon on any web2 target or when asked about asset discovery, subdomain enum, or attack surface mapping.
development1
strike-report
Bug bounty report writing for H1/Bugcrowd/Intigriti/Immunefi — report templates, human tone guidelines, impact-first writing, CVSS 3.1 scoring, title formula, impact statement formula, severity decision guide, downgrade counters, pre-submit checklist. Use after validating a finding and before submitting. Never use "could potentially" — prove it or don't report.
testing1
payload-forge
Security payloads, bypass tables, wordlists, gf pattern names, always-rejected bug list, and conditionally-valid-with-chain table. Use when you need specific payloads for XSS/SSRF/SQLi/XXE/NoSQLi/command injection/SSTI/IDOR/path-traversal/HTTP smuggling/WebSocket/MFA bypass, bypass techniques, or to check if a finding is submittable. Also use when asked about what NOT to submit.
development1