jeremylongshore

Scan a source tree for command-injection vulnerable patterns: shell=True calls in Python subprocess, os.system / os.popen with interpolated strings, Node child_process.exec with template literals, Ruby backticks / Kernel#system / Kernel#exec with interpolation, Go exec.Command with shell wrapping, PHP system / passthru / shell_exec / backticks with $-interpolation, Java Runtime.exec with concatenated args. Use when: pre-commit gate on code that calls out to shell utilities, audit of file-processing / archive-handling / image-conversion code, post-bug-report investigation for "we shell out to a tool." Threshold: any shell-invocation API called with a string that contains a variable interpolation, OR shell=True with anything other than a fixed literal. Trigger with: "scan command injection", "shell=True audit", "find exec calls", "check os.system".

Scan a source tree for dynamic-code-execution APIs that an attacker can hijack: Python eval / exec / compile, JavaScript eval / Function() / setTimeout(string), Ruby eval / instance_eval / class_eval, Java ScriptEngine, PHP eval / assert($str), .NET Activator.CreateInstance / Reflection.Emit with dynamic input. Use when: pre-commit gate on any application that parses user-uploaded code (rule engines, formula evaluators, plugin systems), or post-bug-report when "we run user-supplied expressions." Threshold: any call to eval / exec / Function / similar where the argument is not a string literal. Trigger with: "scan eval", "find dynamic exec", "audit eval calls", "code injection patterns".

Scan a source tree for unsafe-by-default deserialization APIs: Python pickle.loads / cPickle / shelve / dill, Ruby Marshal.load / YAML.load (pre-3.1 default), Java ObjectInputStream.readObject, PHP unserialize, .NET BinaryFormatter / NetDataContractSerializer, Node.js node-serialize, JavaScript JSON.parse with reviver containing eval. Use when: pre-commit gate on services that accept binary blobs, audit of legacy job-queue code (workers deserializing tasks), post-bug-report when "we accept user-uploaded archives." Threshold: any call to a known-unsafe deserialization API on data that originates from user input, network, file upload, or untrusted storage. Trigger with: "scan deserialization", "pickle audit", "java readObject scan", "yaml.load check".

Scan a source tree for SQL-injection vulnerable patterns: string concatenation into queries, f-string interpolation in SQL, string-format substitution into raw queries, deprecated cursor methods (cursor.execute with % formatting), Knex / Sequelize raw() with template interpolation, sequelize.query with replacements. Use when: pre-commit code review, post-feature SQL-touching release, inheriting a legacy codebase that predates ORMs, or post-bug-report investigation. Threshold: any source line where SQL keywords (SELECT / INSERT / UPDATE / DELETE / FROM / WHERE) appear in a string that's being built via concatenation, f-string, %-format, or .format() with variable input. Trigger with: "scan for sqli", "sql injection patterns", "check raw queries", "audit cursor.execute".

Scan a source tree for weak cryptographic primitives: MD5 / SHA-1 used for security purposes, DES / 3DES / RC4 ciphers, ECB block mode, custom-built crypto (XOR loops, hand-rolled HMAC), hardcoded IVs, predictable random (Math.random / java.util.Random for crypto seeds), missing certificate verification (verify=False, rejectUnauthorized: false). Use when: pre-merge gate on crypto-touching code, audit before SOC2 / PCI assessment, post-incident review when "we found a weakness in our token signing." Threshold: any call to a known-weak algorithm with non-test context, OR cert verification explicitly disabled, OR a custom crypto loop pattern. Trigger with: "scan weak crypto", "find MD5 usage", "check ECB mode", "audit ssl verify", "weak random".

Scan a source-code tree for hardcoded credentials embedded in source files: AWS access keys, GitHub tokens, Stripe keys, Slack tokens, Anthropic API keys, OpenAI keys, JWT signing secrets, generic base64-encoded passwords, RSA / SSH private keys, and high-entropy string literals that pattern-match common credential shapes. Use when: pre-commit gate before pushing a feature branch, audit before SOC2, post-incident scan after a leak, or inheriting a codebase you didn't write. Threshold: any source file contains a string that matches a canonical credential regex (AWS AKIA prefix, GitHub ghp_ prefix, etc.) OR a string with Shannon entropy above 4.5 in a field context (key=, token:, secret=). Trigger with: "scan secrets", "credential scan", "find hardcoded keys", "leak check".

Probe a target for directories that return auto-generated index listings instead of denying or serving a specific file — exposes the full file tree under any reachable directory, including files the application never linked to. Use when: post-deploy verification on a static-asset host, security audit before SOC2, or following up on a finding from skill #6 (exposed-files) where a backup-file path returned 200 with HTML body instead of the expected file content (suggests autoindex serving a directory listing). Threshold: any directory-shaped path returns 200 with HTML body matching the framework-specific autoindex fingerprint (nginx fancyindex, Apache mod_autoindex Index of/, Caddy browse, Lighttpd mod_dirlisting, etc.). Trigger with: "directory listing check", "autoindex detection", "open directory scan".

Identify the server software, framework, and component versions a target is running from its HTTP response signatures — Server header, X-Powered-By, Via, X-AspNet-Version, X-Runtime, X-Drupal-Cache, X-Generator, Set-Cookie name patterns, error-page artwork, HTTP method behavior signatures. Use when: penetration test reconnaissance phase, post-deploy audit of fingerprintable exposure, or before reporting "no obvious version disclosure" to an auditor. Threshold: any version string in a response header (e.g., Server header with nginx/1.18.0, X-Powered-By with PHP/7.4.21, X-Generator with Drupal 9), or any framework-default Set-Cookie name (PHPSESSID, JSESSIONID, connect.sid, _csrf_token). Trigger with: "fingerprint server", "version disclosure", "tech-stack identification", "what's this site running".

Generate and configure Nixtla Skills using the CLI for forecasting workflows. Use when installing or updating skills. Trigger with 'install nixtla skills' or 'update nixtla'.

Generate benchmarking pipelines to compare forecasting models and summarize accuracy/speed trade-offs. Use when evaluating TimeGPT vs StatsForecast/MLForecast/NeuralForecast on a dataset. Trigger with "benchmark models", "compare TimeGPT vs StatsForecast", or "model selection".

Research and summarize Nixtla ecosystem updates and time-series forecasting content from the web and GitHub. Use when gathering release notes, recent changes, or best-practice references. Trigger with "Nixtla updates", "what's new with TimeGPT", or "find time-series papers".

Generate production-ready TimeGPT forecasting pipeline code from requirements. Use when scaffolding a pipeline with validation, logging, visualization, and repeatable runs. Trigger with "create TimeGPT pipeline", "build TimeGPT integration", or "generate forecast code".

Analyze Nixtla baseline forecasting results (sMAPE/MASE on M4 or other benchmark datasets). Use when the user asks about baseline performance, model comparisons, or metric interpretation for Nixtla time-series experiments. Trigger with "baseline review", "interpret sMAPE/MASE", or "compare AutoETS vs AutoTheta".

Orchestrate 6-phase changelog generation workflow with AI synthesis, multi-source data fetching (GitHub/Slack/Git), quality validation, and automated PR creation. Use when automating release notes, weekly changelogs, or documentation updates. Trigger with "generate changelog", "weekly changelog", or "automate release notes".

Analyze and explain TimeGPT forecast results in plain English. Generates executive summaries with driver analysis. Use when stakeholders need forecast explanations, board presentations, or compliance documentation. Trigger with "explain forecast", "why is the forecast", "forecast narrative".

Fine-tunes TimeGPT on custom datasets to improve forecasting accuracy. Use when TimeGPT's zero-shot performance is insufficient or domain-specific accuracy is needed. Trigger with "finetune TimeGPT", "train TimeGPT", "adapt TimeGPT".

Self-improving research loops with hypothesis generation, experiment design, and result analysis

Full-stack research and code generation pipeline - research, code, and create

Natural language web UI control — element detection, targeted interaction, and automated form filling

Public opinion analysis and sentiment at scale — sentiment scoring, stance detection, and multi-dimensional bias measurement.

Meta-specialist that auto-discovers and scaffolds new specialists from trending GitHub repos

Safe multi-language code execution via alibaba/OpenSandbox

Multi-agent financial analysis pipeline: fundamental analysis, technical indicators, and news sentiment scoring for any ticker symbol. Wraps patterns from virattt/ai-hedge-fund and ZhuLinsen/daily_stock_analysis.

Ensemble predictions via swarm intelligence with multi-model voting and consensus

Generates comprehensive analysis reports from input data. Activates when analysis is requested and produces structured output.

I can help you do things.

Tests referenced file detection with both valid and broken references in the body.

Does stuff.

Generates conventional commit messages from staged git diffs. Activates when the user requests a commit message and produces type(scope) subject format.

Generates conventional commit messages from staged git diffs. Activates when the user requests a commit message and produces type(scope) subject format.

Builds discounted cash flow (DCF) valuation models in Excel with free cash flow projections, WACC calculations, and sensitivity analysis. Targets investment banking and corporate finance workflows. Use when asked to create a DCF model, calculate enterprise value, value a company, or build a valuation model. Trigger with "create a DCF model", "build a valuation", "calculate enterprise value", or "value this company". Make sure to use whenever the user needs company valuation or DCF analysis in Excel.

Creates leveraged buyout (LBO) models in Excel with sources & uses, debt schedules, cash flow waterfalls, and IRR calculations. Targets private equity and investment banking workflows. Use when asked to create an LBO model, build a buyout model, calculate PE returns, or analyze a leveraged acquisition. Trigger with "create an LBO model", "build a buyout model", "PE returns analysis", or "leveraged acquisition model". Make sure to use whenever the user needs private equity deal modeling in Excel.

Generates pivot tables and charts from raw data using natural language commands. Targets business analysts and data teams working in Excel. Use when asked to create a pivot table, summarize data by category, analyze sales by region, show revenue breakdowns, or build cross-tab analyses. Trigger with "create a pivot table", "summarize by category", "sales by region", or "show breakdown by". Make sure to use whenever the user needs data summarization or pivot analysis in Excel.

Automates budget vs actual variance analysis in Excel with flagging, commentary, and executive summaries. Targets FP&A teams and financial reporting workflows. Use when asked to analyze budget variance, compare actual vs forecast, create a variance report, or explain budget differences. Trigger with "analyze budget variance", "compare actual vs forecast", "variance report", or "why are we over budget". Make sure to use whenever the user needs budget-to-actual analysis or financial variance reporting.

Manage Slack channel access control — pairing, allowlist, channel opt-in

Configure Slack channel tokens (bot token + app-level token)

CCSC lifecycle command center — fresh install walkthrough, health doctor, verify round-trip, auto-repair, Slack app manifest export, reset, tour, and uninstall. One skill for the full install lifecycle.

Author MCP tool-call policy rules without hand-editing access.json

Backfill daily blog posts to startaitools.com for a date range. Auto-classifies content into 3 tiers (Field Note / Deep-Dive / Case Study). Tracks methodology decisions in JSONL for calibration analysis. Dual-publishes to tonsofskills.com/blog, cross-posts to Dev.to, Hashnode, Medium, and Substack. Generates weekly recaps and monthly retrospectives on cadence. Use when backfilling missed blog posts. Trigger with /blog-backfill.

Monthly calibration report for the blog content tier classification system. Analyzes decisions.jsonl and feedback.jsonl to detect tier inflation, assess calibration accuracy, and surface emergent patterns. Trigger with /blog-calibrate.

Post-publication assessment for blog posts classified by the tier system. Records whether the classification was correct, captures engagement data, and feeds the calibration loop. Trigger with /blog-feedback.

Team knowledge governance for Claude Code. Captures architectural decisions, patterns, conventions, and insights during sessions. Shares governed knowledge across the team via qmd. Use when making team-relevant discoveries or importing existing docs.

Dog-food intentional-cognition-os against the operator's own system. Discovers a target — a folder of markdown docs, a project, or an ecosystem — creates an isolated ICO workspace outside the target tree, ingests and compiles its docs, runs a hand-authored question bank against it, verifies each citation by deterministic source-grep, and produces a structured receipts trail with receipts, verifications, friction logs, and a sanitized summary. Sanitized per-run summaries are written into the target repo's dogfood directory; raw answer content and workspace stay in the user cache. Use when validating ICO works on real corpora, generating dog-food proof artifacts, or surfacing ICO bugs to file as beads. Trigger with /ico-your-internals, dog-food ICO, analyze my system with ICO.

Local-only OSS contribution command center. Auto-refreshes the user's in-flight PR and issue state on invoke so conversations start with full context — no need to brief Claude on what's in flight. Helps the user find issues to contribute to on GitHub, builds per-repo dossiers of what each upstream expects (CLA, DCO, branch convention, AI policy, draft-first, review bots, issue templates), runs deterministic gates before any external action so AI-assisted contributions don't reach maintainers as slop. State is markdown-only: candidate files at ~/.contribute-system/candidates/, repo dossiers at ~/.contribute-system/research/, append-only event log at ~/.contribute-system/log.jsonl. No database, no cloud calls. Use when the user asks about their PRs / issues / contributions, wants to find new work to take on, claim an issue, build/refresh a repo's dossier, or draft a Design Issue or PR. Trigger with "/contribute", "what's my PR status", "find a contribution", "claim issue X", "draft a Design Issue for Y", "refre

Research and onboard new data sources for STCI, producing source profiles, collector stubs, and validation rules

Manage distributed graph-based issue tracking with bd (beads). Track multi-session work with dependencies, hierarchies, and persistent memory across conversation compactions. Use when managing complex tasks spanning multiple sessions, organizing epics with subtasks, or needing dependency tracking. Trigger with "create beads issue", "bd commands", "track task with beads", "organize work dependencies".