ghostonbutterbread/pwnfox
skills/pwnfox/SKILL.md
Use when inspecting proxy traffic from PwnFox-profiled browser sessions, filtering Caido/Burp/proxy history by X-PwnFox-Color, or interpreting user phrases like 'Red session' as a distinct browser/auth/profile lane.
data-ai
Updated Jun 6, 2026
$ install --global
skillsauthnpx skillsauth add ghostonbutterbread/bug-bounty-harness pwnfoxInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 6, 2026, 2:27 AM47.7s2 files scanned
SKILL.md
- name:
- pwnfox
- description:
- Use when inspecting proxy traffic from PwnFox-profiled browser sessions, filtering Caido/Burp/proxy history by X-PwnFox-Color, or interpreting user phrases like 'Red session' as a distinct browser/auth/profile lane.
PwnFox Profile Headers
Use this when a request/proxy task mentions PwnFox, colored sessions, browser profiles, tab sessions, or a user phrase such as "look at the Red session".
PwnFox adds a request header that identifies the browser profile color:
X-PwnFox-Color: <color>
Example:
X-PwnFox-Color: red
Treat each PwnFox color as a distinct browser/profile lane. In practice, that often means a distinct auth session, cookie jar, tab context, role, test account, or workflow run.
Phrase Mapping
When Ryushe says:
- "Red session" -> filter requests where
X-PwnFox-Color: red - "Blue session" -> filter requests where
X-PwnFox-Color: blue - "Green session" -> filter requests where
X-PwnFox-Color: green - "the red tab/profile/lane" -> use the same
X-PwnFox-Color: redfilter
Color matching should be case-insensitive in natural-language interpretation, but preserve the observed header value when recording evidence.
Workflow
- Load
caido,intercepted-proxy,single-request-grabber, or the relevant proxy/request skill first. - If Ryushe names a color, filter request history by the matching
X-PwnFox-Colorheader. - If multiple colors appear, keep them separated as distinct session lanes.
- Label findings, comparisons, and request notes with the PwnFox color.
- When comparing auth behavior, compare equivalent requests across colors only after confirming the account/resource ownership for each lane.
Request Filtering
Use the header as the primary session discriminator:
Header name: X-PwnFox-Color
Header value: <requested color>
For proxy history review, search or filter for the exact header name first, then narrow by color value. If the header is absent, say that the observed traffic is not PwnFox-labeled instead of guessing which profile produced it.
Guardrails
- Do not assume two colors are the same account just because the URLs match.
- Do not merge evidence from different colors unless the comparison is explicit.
- Do not copy cookies, bearer tokens, CSRF tokens, or private request bodies between colors unless Ryushe explicitly approves that session-transfer test.
- Keep raw secrets out of chat, prompts, logs, reports, and commits.
Evidence
Record:
- requested color and observed
X-PwnFox-Colorvalue - full URL, method, status, and auth state
- proxy source, such as Caido/Burp/browser history
- account/resource alias for that color when known
- whether the header was present, absent, or inconsistent
- comparison color if doing cross-session auth testing
Related Skills
ghostonbutterbread/stored-xss
documentation
VerifiedTrustedCommunity
Use when attacker-controlled input is saved and rendered later in a profile, comment, title, notification, admin view, export, email, feed, upload metadata, or other stored render surface.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/reflected-xss
content-media
VerifiedTrustedCommunity
Use when attacker-controlled input appears in the immediate HTTP response or browser-rendered page and needs reflected XSS context classification, payload selection, mutation, and browser verification.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/skills/lfi
tools
VerifiedTrustedCommunity
# LFI — Local File Inclusion Bypass ## What It Does Tests LFI bypass techniques: path traversal, null bytes, wrappers, log poisoning. Load `general-security-testing-policy`, `live-testing-policy`, and `injection-testing-policy` before live testing. For file/path sinks, absence of an immediate file read or response delta is not a stop reason by itself; use the policy to reason about path normalization, extension allowlists, wrappers, encoding, parser differences, and stack-specific proof ladder
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/dom-xss
tools
VerifiedTrustedCommunity
Use when XSS depends on browser-side sources and sinks such as URL/query/hash, router state, local/session storage, cookies, postMessage, DOM parsing, framework render paths, or client-side sanitizer behavior.
SKILL.mdUpdated Jun 6, 2026