Skip to main content
تشغيل أي مهارة في Manus
بنقرة واحدة
مستودع GitHub

BreachWeave

يحتوي BreachWeave على 22 من skills المجمعة من m-sec-org، مع تغطية مهنية على مستوى المستودع وصفحات skill داخل الموقع.

skills مجمعة
22
Stars
417
محدث
2026-05-06
Forks
61
التغطية المهنية
3 فئات مهنية · 100% مصنفة
مستكشف المستودعات

Skills في هذا المستودع

bun-dev
مطوّرو البرمجيات

This skill should be used when working with Bun runtime, bun:sqlite, Bun.serve, bun:test, or when "Bun", "bun:test", or Bun-specific patterns are mentioned.

2026-05-06
pi-mono-framework
مطوّرو البرمجيات

pi-mono agent framework reference (github.com/badlogic/pi-mono). TRIGGER when: writing agent code using pi-ai/pi-agent-core/pi-coding-agent packages, defining tools with TypeBox schemas, implementing TUI or Web UI over an agent core, building extensions that hook into agent lifecycle, working with session/compaction/retry logic, implementing LLM provider abstractions, or any code that imports from @mariozechner/* packages.

2026-05-06
ui-ux-pro-max
مصممو واجهات الويب والرقمية

UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient.

2026-05-06
ad-pentest
محللو أمن المعلومات

Active Directory 域渗透全链路指导技能。基于 GOAD (Game of Active Directory) 靶场实战经验, 涵盖从初始侦察、用户枚举、密码攻击、中继与投毒、ADCS证书攻击、MSSQL利用、提权、 横向移动、凭据提取、ACL滥用、委派攻击、域信任利用到域控拿下的完整渗透链。 当用户提到以下任何关键词时,务必触发此技能: AD渗透、域渗透、Active Directory、域控攻击、内网渗透、kerberoasting、AS-REP roasting、 NTLM relay、responder、bloodhound、certipy、ADCS、ESC1-ESC15、PetitPotam、 noPac、PrintNightmare、横向移动、pass the hash、golden ticket、silver ticket、 DCSync、secretsdump、mimikatz、委派攻击、delegation、ACL滥用、域信任、 forest trust、提权、SeImpersonate、KrbRelay、MSSQL提权、webshell、 凭据收集、密码喷洒、password spray、域枚举、SMB签名、coercer、 shadow credentials、certifried、RBCD、GPO abuse、LAPS、 即使用户没有明确说"域渗透",只要涉及Windows域环境的攻击场景都应使用此技能。

2026-05-06
agent-browser
مطوّرو البرمجيات

Browser automation CLI for AI agents. Use when the user needs to interact with websites, including navigating pages, filling forms, clicking buttons, taking screenshots, extracting data, testing web apps, or automating any browser task. Triggers include requests to "open a website", "fill out a form", "click a button", "take a screenshot", "scrape data from a page", "test this web app", "login to a site", "automate browser actions", or any task requiring programmatic web interaction.

2026-05-06
ffuf-skill
محللو أمن المعلومات

Help with ffuf-based Web parameter fuzzing. Use this skill whenever the user wants to fuzz Web request paths, query parameters, headers, POST bodies, JSON fields, or raw HTTP requests with ffuf, or when they ask for an ffuf command, wordlist choice, false-positive filtering, matcher/filter tuning, or replaying hits into Burp/ZAP.

2026-05-06
fuzz-dicts-navigator
محللو أمن المعلومات

Navigate the fuzzDicts repository and choose the right dictionary or payload list for authorized Web directory scanning, parameter fuzzing, upload bypass testing, subdomain enumeration, API discovery, credential spraying, and vuln-specific fuzzing. Use this skill whenever the user asks which wordlist to use, wants to browse or classify fuzz dictionaries, needs ffuf/wfuzz/feroxbuster/dirsearch/gobuster-ready file paths, or mentions this repository even if they do not explicitly ask for a skill.

2026-05-06
intranet-pentest
محللو أمن المعلومات

CTF/靶场多层内网渗透指导与自动化脚本生成技能。基于 NPS C2 通道,覆盖从初始侦察、网段发现、 服务利用、Windows/Linux 提权、凭据收集与复用、域渗透(ADCS/noPac/Zerologon)、 云原生/K8s/Docker 逃逸到横向移动的完整渗透链,目标是拿到 FLAG 或域控权限。 触发场景:用户提到内网渗透、CTF内网、靶场、多层内网、横向移动、提权、凭据获取、mimikatz、 hash传递、域渗透、域控攻击、云原生渗透、Docker逃逸、K8s渗透、fscan扫描、服务利用、 Redis、Redis未授权、Redis利用、密码喷洒、ADCS、noPac、Zerologon、PrintSpoofer、Potato提权、SUID提权、 内网信息收集、网段发现、代理链搭建,或需要生成内网渗透自动化脚本时,都应使用此技能。 即使用户只是简单提到"内网"、"横向"、"拿域控"、"打靶场"等口语化表达也应触发。

2026-05-06
jwt-oauth-token-attacks
محللو أمن المعلومات

JWT and OAuth token attack playbook. Use when validating token trust, signing algorithms, key handling, claim abuse, bearer flows, and OAuth account-binding weaknesses.

2026-05-06
jwt-tool-skill
محللو أمن المعلومات

Help with authorized JWT assessment using ticarpi/jwt_tool. Use this skill whenever the user mentions `jwt_tool`, wants commands for JWT decoding, verification, secret cracking, claim tampering, playbook scans, `alg:none`, key confusion, JWKS spoofing or inline JWK injection, raw-request mode with `-r`, or needs to test bearer-token trust with a real HTTP request. Make sure to use it when the user asks how to audit or exploit JWT handling with `jwt_tool`, even if they only describe the token, headers, cookies, or a captured request and do not explicitly ask for a skill.

2026-05-06
known-product-exploit
محللو أمن المعلومات

通用已知产品/框架漏洞利用专项技能。适用于 fscan/Nuclei/Wappalyzer 识别出目标运行已知产品(OA系统、CMS、中间件、框架)后的标准利用流程。 核心原则:已知产品必须 Nuclei 先行,不走盲测渗透。覆盖 Nuclei 精准扫描、模板分析、手工验证、环境诊断、命令执行方式选择、NPS 收口。 触发场景:fscan 或手工识别出目标为已知产品(通达OA/致远OA/用友NC/泛微OA/WordPress/Drupal/Tomcat/WebLogic/Shiro/Spring/ThinkPHP/Laravel/ phpMyAdmin/Confluence/GitLab/Jenkins 等)时必须优先使用本技能。

2026-05-06
nuclei-skill
محللو أمن المعلومات

Help with safe, practical use of ProjectDiscovery Nuclei for authorized scanning. Use this skill whenever the user wants to run `nuclei`, choose templates, filter by tags or severity, scan one host or a target list, validate or run a custom template, tune output formats, use authenticated scans, or understand key CLI flags. Trigger on requests like "给我写 nuclei 命令", "怎么扫一批 URL", "怎么只跑高危模板", "帮我用 nuclei 跑自定义模板", "nuclei 结果怎么导出 JSONL", and similar Nuclei usage questions even if the user does not explicitly mention a skill.

2026-05-06
payload-research
محللو أمن المعلومات

Payload crafting and bypass research for vulnerability verification

2026-05-06
payloads-all-the-things
محللو أمن المعلومات

Browse the bundled PayloadsAllTheThings corpus for CTF and web security payloads, bypasses, fuzz strings, exploit ideas, and methodology notes. Use when Agent needs to locate payloads by vulnerability category during CTFs, pentests, or challenge solving, then drill into the relevant README.md and markdown files under references/ instead of loading the whole corpus at once.

2026-05-06
pentest-fuzz-skill
محللو أمن المعلومات

Help with authorized Web pentest, Web fuzzing, and CTF-style vulnerability analysis. Use this skill whenever the user wants payload ideas, fuzz dictionaries, quick probe strings, test methodology, response-difference heuristics, or per-vulnerability checklists for common Web bugs such as SQL injection, XSS, SSTI, SSRF, XXE, file inclusion, IDOR, JWT weaknesses, deserialization, auth bypass, or command injection. Make sure to use it when the user asks how to test a Web bug, what characters or tokens to fuzz, how to organize notes by vulnerability type, or which vulnerability family a behavior most likely belongs to, even if they do not explicitly mention a skill.

2026-05-06
php-payload-builder
محللو أمن المعلومات

安全构造 PHP payload 的专项技能。解决 bash/shell 转义导致 PHP 代码损坏的问题,提供经过验证的 payload 模板。 触发场景:用户需要通过 bash/shell 写入 PHP 文件(echo、printf、redis-cli -x、curl -d)、 遇到 $_POST/$_GET 变量被 bash 展开、PHP 代码写入后不执行、disable_functions bypass、 构造 webshell、构造诊断页、构造文件下载器、heredoc 写法、base64 编码写入时使用。

2026-05-06
recon
محللو أمن المعلومات

Fast reconnaissance - discover assets, entry points, attack surface, and hypotheses

2026-05-06
redis-webroot-rce
محللو أمن المعلومات

Windows/Linux 场景下基于 Redis 未授权访问写入 Web 根并获取稳定命令执行、随后快速收敛到 NPS 的专项技能。只要用户提到 Redis、Redis未授权、6379、fscan 提示 unauthorized file、CONFIG SET dir/dbfilename、写 webshell、写计划任务、写 ssh key,或者已经确认 Redis 能写入 Web 目录,就应优先使用本技能,而不是走泛化 Web 利用或 SMB 分支。尤其在用户已经有上游跳板、NPS 通道、HTTP 映射端口时,必须优先触发本技能。

2026-05-06
remote-cmd-execution
محللو أمن المعلومات

Windows/Linux 远程命令执行规范技能。覆盖 NPS execcmd 通用规范、Windows cmd /c 要求与绝对路径、 Linux nohup/后台执行、wmic/setsid 后台启动、工具上传语义、常用命令路径参考。 触发场景:用户通过 NPS execcmd 在受控主机上执行命令、遇到命令不回显、命令超时、 路径错误、找不到命令、工具上传后执行失败、后台进程启动、文件下载传输、 环境变量/PATH 异常时使用。同时适用于 Windows 和 Linux 主机。

2026-05-06
ssrf-server-side-request-forgery
محللو أمن المعلومات

SSRF playbook. Use when the server fetches URLs, resolves hostnames, imports remote content, or can be driven toward internal networks, cloud metadata, or secondary protocols.

2026-05-06
targeted-pentest
محللو أمن المعلومات

用于 pentest-agent 的 targeted-pentest 子 agent,在已锁定的 hypothesis_id、kind 与 entry_point 上执行单假设定向验证。适用于 Web、API、认证、浏览器端、服务端、Node.js 与 CVE 线索的验证场景;在同一假设内完成基线确认、payload 研究、最小化利用、证据收集、结论判定与 goal 提交。不用于宽泛 recon、不切换到其他假设、也不做与当前假设无关的发散测试。

2026-05-06
tch-headless-skill
مطوّرو البرمجيات

Use this skill whenever the user wants to crawl a website with the `tch-headless` or `TCH-EZ-Headless` browser crawler for a quick headless pass, especially for dynamic pages, Chrome-based automation, request capture, sitemap-style output inspection, or parsing `.tch-networks-output` / `.raw` crawl artifacts. Also use it when the user mentions headless browser crawling, automated website exploration with Chrome, or asks how to run and analyze `tch-headless`, even if they do not explicitly ask for a skill.

2026-05-06