dqmyth/js-reverse-ops
/SKILL.md
Execute advanced JavaScript reverse-engineering workflows for modern web applications, including signature recovery, runtime instrumentation, deobfuscation, bundle analysis, anti-debug bypass, environment rebuild, and replay validation.
development
Updated May 26, 2026
$ install --global
skillsauthnpx skillsauth add dqmyth/js-reverse-ops js-reverse-opsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 26, 2026, 3:41 AM308.5s174 files scanned
SKILL.md
- name:
- js-reverse-ops
- description:
- Execute advanced JavaScript reverse-engineering workflows for modern web applications, including signature recovery, runtime instrumentation, deobfuscation, bundle analysis, anti-debug bypass, environment rebuild, and replay validation.
JS Reverse Ops
Use this skill as a structured reverse-engineering workflow, not an ad hoc debugging session.
Scope
This public release keeps:
- stage-based routing for
Locate,Runtime,Recover, andReplay - reusable scripts for extraction, runtime capture normalization, replay scaffolding, and artifact generation
- generic references, rules, and templates for browser-driven JavaScript reverse engineering
This public release intentionally excludes:
- private or site-specific case libraries
- captured test fixtures and validation corpora
- concrete benchmark targets, credentials, and replay notes tied to named sites
Core Workflow
Start from the smallest reliable context:
- local JS or HTML target: run
scripts/triage_js.sh <path>and then the smallest extractor that matches the target family - browser-backed target: verify browser and bridge health before collecting runtime evidence
- accepted response plus confusing browser-visible values: inspect page-side render and suppression logic before escalating into signer recovery, and use
playbooks/accepted-response-hidden-dom.md - accepted response plus page-local embedded font or glyph entities: extract the current response font, solve the glyph map at page scope, and use
playbooks/embedded-runtime-font-mapping.md - replay still fails even after one accepted digest is recovered: inspect bootstrap-time cookie write order, digest collectors, and wrapped-cookie assembly, then use
playbooks/bootstrap-digest-ladder.md - one endpoint keeps returning JavaScript first and only returns arrays after the script is executed and replayed against the same path: treat it as an iterative warmup chain instead of hunting for a second hidden endpoint, and use
playbooks/iterative-script-warmup-same-endpoint.md - signer depends on one server-issued time and one wasm or module helper: freeze the time source, prove the exact signer input shape, and use
playbooks/server-time-gated-wasm-signer.md - digest helper name looks standard, but browser output diverges from both the standard library and the raw local helper: isolate the smallest runtime patch surface first, and use
playbooks/patched-runtime-digest-branch.md - one large bundle hides a tiny runtime helper you actually need for replay: extract that helper first instead of emulating the whole page, and use
playbooks/runtime-bundle-signer-extraction.md - global token helpers are absent or misleading, but
XMLHttpRequest.openrewrites the protected URL with the signer field: treat the rewritten URL as the signer output, preserve script order and runtime state, and useplaybooks/xhr-open-url-rewrite-runtime-replay.md - visible request contract is stable but different HTTP clients diverge: escalate through a transport ladder before inventing more signer state, and use
playbooks/transport-profile-ladder.md - verify response looks noisy or pessimistic while data requests still succeed: treat the data endpoint as the acceptance oracle, and use
playbooks/lenient-verify-data-gate.md - page exposes one simple request or one helper field, but later pages fail with a token-shaped gate: prove whether the visible request is a decoy before widening into full VM recovery, and use
playbooks/decoy-page-request-hidden-token-gate.md - one challenge image is a fixed small grid with one glyph or symbol per cell: solve the grid-assignment path first, and use
playbooks/grid-challenge-template-matching.md - multi-stage challenge needs fresh reload, one seeded signer proof, and then uses one accepted stage value as the next key: validate the first baseline request before solving downstream decrypts, and use
playbooks/fresh-reload-seeded-signer-step-key-ladder.md - one replay path works for round one, but later rounds only regain parity after prior-round replay: preserve the explicit same-page round ladder, and use
playbooks/same-page-prior-round-signer-replay.md - desktop HTML is unstable but a mobile or app request profile lands on a shell page with later JSON hydration: recover the shell request wrapper and route map first, then use
playbooks/mobile-shell-api-pivot.md
- packed or VM-like code: preserve the original artifact, recover structure incrementally, and label verified semantics
- replay handoff: export a stable artifact bundle before writing Node or Python delivery code
Primary References
references/task-types.mdreferences/stages/locate.mdreferences/stages/runtime.mdreferences/stages/recover.mdreferences/stages/replay.mdreferences/rules/evidence-rules.mdreferences/rules/runtime-first.mdreferences/rules/routing-rules.mdreferences/rules/replay-rules.md
Publishing Note
This public variant is intended for sharing as a reusable skill package. Keep private fixtures, live captures, and customer- or site-specific notes in a separate private workspace or repository.
Related Skills
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026
openclaw/openclaw-release-maintainer
development
VerifiedTrustedCommunity
Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-qa-testing
development
VerifiedTrustedCommunity
Run, watch, debug, and extend OpenClaw QA testing with qa-lab and qa-channel. Use when Codex needs to execute the repo-backed QA suite, inspect live QA artifacts, debug failing scenarios, add new QA scenarios, or explain the OpenClaw QA workflow. Prefer the live OpenAI lane with regular openai/gpt-5.4 in fast mode; do not use gpt-5.4-pro or gpt-5.4-mini unless the user explicitly overrides that policy.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-parallels-smoke
development
VerifiedTrustedCommunity
End-to-end Parallels smoke, upgrade, and rerun workflow for OpenClaw across macOS, Windows, and Linux guests. Use when Codex needs to run, rerun, debug, or interpret VM-based install, onboarding, gateway smoke tests, latest-release-to-main upgrade checks, fresh snapshot retests, or optional Discord roundtrip verification under Parallels.
357,764SKILL.mdUpdated Apr 10, 2026