ghostonbutterbread/mental-map
skills/mental-map/SKILL.md
Use when mapping application architecture, analyzing Caido MCP proxy traffic, grouping requests into auth, cart, checkout, signup, login, forgot-password, or user-profile flows, or documenting sequence diagrams and replication notes.
tools
Updated May 28, 2026
$ install --global
skillsauthnpx skillsauth add ghostonbutterbread/bug-bounty-harness mental-mapInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 28, 2026, 2:30 AM147.7s1 file scanned
SKILL.md
- name:
- mental-map
- description:
- Use when mapping application architecture, analyzing Caido MCP proxy traffic, grouping requests into auth, cart, checkout, signup, login, forgot-password, or user-profile flows, or documenting sequence diagrams and replication notes.
Mental Map Analysis
Build mental maps of application architecture from Caido MCP proxy traffic.
Required Preflight
Read shared state in this order before mapping flows:
notes/summary.mdnotes/observations.mdchecklist.md(auth, workflow, and business-logic items only)todo.md(workflow mapping or prerequisite items only)
Primary Analysis Surface
Use Caido MCP proxy traffic as the source of truth, set the browser or replay client proxy to KAIDO_MCP_PROXY_URL, then classify captured requests into application flows.
When the flow creates reusable routes, object references, auth boundaries, or follow-up hypotheses, also write normalized observations through /live-map so future agents can query the universal runtime application map instead of rediscovering the same area.
What To Map
Prioritize end-to-end flows another agent would need to replay safely:
authsignuploginforgot-passworduser-profilecartcheckout- Any custom billing, admin, search, upload, or API workflow that materially changes state
Files
- Playbook:
$HARNESS_ROOT/prompts/mental-map-playbook.md - Output Root:
$HARNESS_SHARED_BASE/{program}/agent_shared/application-structure/ - Universal Runtime Map:
$HARNESS_SHARED_BASE/{program}/agent_shared/application-map/ - Live Map CLI:
$HARNESS_ROOT/agents/live_map.py - Flow Template:
$HARNESS_ROOT/agent_shared/templates/application-structure/flow-template.md
Output Contract
Write one markdown file per flow to:
$HARNESS_SHARED_BASE/{program}/agent_shared/application-structure/{flow-type}/{flow-name}.md
Each flow file must include:
- Domain
- Endpoints involved
- Request sequence
- Auth requirements
- Session handling and CSRF notes
- Data model
- State transitions
- Replication notes for another agent
Workflow
- Complete the required preflight reads in shared state order.
- Read
prompts/mental-map-playbook.md. - Connect the browser or replay client to
KAIDO_MCP_PROXY_URLand capture the real workflow. - Group requests into a concrete flow with entry points, dependencies, and state-changing operations.
- Write the diagram and structured notes to
agent_shared/application-structure/{flow-type}/{flow-name}.md. - Ingest reusable route/object/action/auth-boundary observations into
/live-map. - Update
notes/summary.md,notes/observations.md, andtodo.mdwhen the map exposes new testing lanes or prerequisites.
Related Skills
ghostonbutterbread/stored-xss
documentation
VerifiedTrustedCommunity
Use when attacker-controlled input is saved and rendered later in a profile, comment, title, notification, admin view, export, email, feed, upload metadata, or other stored render surface.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/reflected-xss
content-media
VerifiedTrustedCommunity
Use when attacker-controlled input appears in the immediate HTTP response or browser-rendered page and needs reflected XSS context classification, payload selection, mutation, and browser verification.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/pwnfox
data-ai
VerifiedTrustedCommunity
Use when inspecting proxy traffic from PwnFox-profiled browser sessions, filtering Caido/Burp/proxy history by X-PwnFox-Color, or interpreting user phrases like 'Red session' as a distinct browser/auth/profile lane.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/skills/lfi
tools
VerifiedTrustedCommunity
# LFI — Local File Inclusion Bypass ## What It Does Tests LFI bypass techniques: path traversal, null bytes, wrappers, log poisoning. Load `general-security-testing-policy`, `live-testing-policy`, and `injection-testing-policy` before live testing. For file/path sinks, absence of an immediate file read or response delta is not a stop reason by itself; use the policy to reason about path normalization, extension allowlists, wrappers, encoding, parser differences, and stack-specific proof ladder
SKILL.mdUpdated Jun 6, 2026