ghostonbutterbread/pfp
skills/pfp/SKILL.md
Route profile-picture, avatar, and image-profile workflows into focused upload, SSRF, XSS, IDOR, WAF, race, and storage testing lanes.
testing
Updated May 27, 2026
$ install --global
skillsauthnpx skillsauth add ghostonbutterbread/bug-bounty-harness pfpInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 27, 2026, 2:12 AM14.1s1 file scanned
SKILL.md
- name:
- pfp
- description:
- Route profile-picture, avatar, and image-profile workflows into focused upload, SSRF, XSS, IDOR, WAF, race, and storage testing lanes.
Profile Picture Testing
Use for profile-picture, avatar, profile-image, account-photo, and image URL import workflows.
/pfp is a coordinator skill. It maps the profile-picture workflow, creates a queue of focused child lanes, and runs those child agents one at a time through a shared browser/live-testing slot. Child lanes should test bounded mutation families and return evidence, not just decide from the parent scout that a branch is impossible.
Invocation
/pfp <program> [goal/context]
/pfp <program> --no-ledger [goal/context]
/pfp canva profile-picture
/pfp superdrug avatar-upload
Required Preflight
- Read program scope, owned-account context, and active live-testing policy.
- Read
$HARNESS_ROOT/prompts/pfp-playbook.md. - Read
$HARNESS_ROOT/prompts/pfp-context-pack.mdto load the focused branch map and local-note sources. - Use
$HARNESS_ROOT/prompts/pfp-research-terms.mdonly when a branch needs expansion. - Default to ledger mode for prior context and durable findings. If the user says
--no-ledger, do not read prior findings or write durable ledger/coverage state. - Use a scheduler gate for live/browser work: only one child lane may own Chrome/CDP/session state at a time unless Ryushe explicitly approves parallel browser instances.
- Keep tests tied to owned accounts and owned profile/image resources.
Workflow
- Map the profile-picture flow: local upload, remote URL import, crop/resize, profile render locations, storage/CDN object, and update/delete behavior.
- Build a sequential child-agent queue from observed capabilities:
- local upload or transformed bytes -> upload/parser lane
- URL fetch/import ->
/ssrf - filename, metadata, URL, error, or render surface ->
/xss - object ownership, profile image IDs, storage keys, or update/delete endpoints ->
/idor - blocking/filtering/CDN behavior ->
/waf - replace/delete/crop timing ->
/race
- Give each queued child lane a bounded test budget and the shared browser slot when needed. The child should run concrete variants/mutations, record where data reflects or changes, and hand control back.
- Do not force a lane with no reachable precondition, but do not reject a lane only from parent intuition. Rejection needs a short observed reason.
- Save a handoff card before each child lane runs and a result card after it returns.
Evidence
Write notes under $HARNESS_SHARED_BASE/{program}/ghost/pfp/.
Record:
- owned account/resource used
- upload/import endpoint and full URLs
- scout payload family, not raw secret values
- observed behavior
- child lane chosen
- child queue order and lane status
- mutation/test families attempted
- ledger mode and ledger action
- policy boundary and next safe test
Related Skills
ghostonbutterbread/ato
testing
VerifiedTrustedCommunity
Route account takeover testing across password reset, recovery, SSO/OAuth, account linking, MFA, email change, session, invite, and identity-binding flows.
SKILL.mdUpdated Jun 5, 2026
ghostonbutterbread/url-ingest
testing
VerifiedTrustedCommunity
Use when importing, indexing, filtering, queueing, checking, or marking recon URLs in the SQLite-backed per-lane URL review tracker.
SKILL.mdUpdated Jun 4, 2026
ghostonbutterbread/payment-testing
testing
VerifiedTrustedCommunity
Route checkout, billing, subscriptions, coupons, credits, gift cards, invoices, refunds, payment authorization, and paid-entitlement testing into safe zero-dollar-first workflows.
SKILL.mdUpdated Jun 4, 2026
ghostonbutterbread/intercepted-proxy
data-ai
VerifiedTrustedCommunity
Launch scoped browsers through the correct Caido proxy, enable live intercept or Tamper one lane at a time, modify selected requests, forward them, then disable intercept.
SKILL.mdUpdated Jun 4, 2026