Run any Skill in Manus with one click

$pwd:

fuzz-dicts-navigator

Name: Fuzz Dicts Navigator
Author: m-sec-org

// Navigate the fuzzDicts repository and choose the right dictionary or payload list for authorized Web directory scanning, parameter fuzzing, upload bypass testing, subdomain enumeration, API discovery, credential spraying, and vuln-specific fuzzing. Use this skill whenever the user asks which wordlist to use, wants to browse or classify fuzz dictionaries, needs ffuf/wfuzz/feroxbuster/dirsearch/gobuster-ready file paths, or mentions this repository even if they do not explicitly ask for a skill.

Run Skill in Manus

$ git log --oneline --stat

stars:282

forks:46

updated:May 6, 2026 at 08:59

File Explorer

100 files

SKILL.md

readonly

name

fuzz-dicts-navigator

description

Navigate the fuzzDicts repository and choose the right dictionary or payload list for authorized Web directory scanning, parameter fuzzing, upload bypass testing, subdomain enumeration, API discovery, credential spraying, and vuln-specific fuzzing. Use this skill whenever the user asks which wordlist to use, wants to browse or classify fuzz dictionaries, needs ffuf/wfuzz/feroxbuster/dirsearch/gobuster-ready file paths, or mentions this repository even if they do not explicitly ask for a skill.

Fuzz Dicts Navigator

Use this skill to turn the fuzzDicts repository into a practical navigation layer.

The repository already contains many useful dictionaries, but the folder names alone do not help much during a live test. Your job is to quickly map the user's task to the smallest useful set of files, explain why those files fit, and give tool-ready examples.

This skill is for authorized security testing, internal validation, lab work, and CTF-style practice. If the user's context is unclear, keep guidance focused on defensive or authorized use.

What to do

Identify the user's scenario.
Map it to one of the dictionary families in references/navigation.md.
Recommend one primary file and up to two fallbacks.
Prefer narrower dictionaries before huge catch-all lists when the stack is known.
Give command examples that the user can paste into common fuzzing tools.

Scenario routing

Route the request into one of these buckets before recommending anything:

Directory or content discovery
Parameter discovery
File upload bypass or extension fuzzing
Username or password guessing for authorized testing
Subdomain enumeration
API path discovery
JavaScript file discovery
Vulnerability-specific payload selection: XSS, SQLi, SSRF, LFI, XXE, RCE
CTF-only path fuzzing

If the user mixes goals, split the answer into phases. Example: first directory scan, then parameter fuzz, then upload bypass.

Selection rules

When the tech stack is known, choose the matching stack-specific dictionary first.
When the stack is unknown, start with a balanced general dictionary rather than the biggest file.
Only escalate to very large lists when the first pass is exhausted or the user explicitly wants breadth.
If the user asks for speed, bias toward smaller curated lists.
If the user asks for coverage, include one broad fallback.
If a directory contains payloads rather than plain wordlists, say so clearly.

Output format

Use this structure unless the user asks for something else:

Scenario

One sentence describing what the user is trying to do.

Recommended Dictionaries

relative/path/to/file.txt: why it is the first choice
relative/path/to/file.txt: when to switch to it
relative/path/to/file.txt: optional broad fallback

Tool Examples

Provide one or two commands using the files you recommended. Prefer ffuf, feroxbuster, gobuster, or wfuzz depending on the request.

Notes

Mention stack assumptions.
Mention whether the file is compact, broad, or payload-oriented.
Mention any sequencing advice.

Command behavior

Use repository-relative paths in examples unless the user gives an absolute path.
Keep command templates short and editable.
For directory brute force, include extensions only when they fit the stack.
For parameter fuzzing, show where FUZZ should go.
For upload fuzzing, clarify whether the file targets filename tricks, extension tricks, or middleware behavior.

Reference files

Read references/navigation.md for the category map and recommended file entry points.
Read references/tool-playbooks.md when you need ready-made command patterns for common fuzzing tools.

Response quality bar

Do not dump the whole repository tree unless the user explicitly asks.
Do not recommend more than three files in the first pass.
Explain tradeoffs in plain language: smaller and faster, broader and noisier, stack-specific, payload-heavy.
If the user only says "give me the best dirscan dictionary", still ask yourself whether they seem to want speed, depth, or stack specificity, and answer accordingly.

Examples

Example 1 Input: "目标像是 PHP 站点，我想先跑目录扫描，再看看有没有常见后台文件。"

Output shape:

Recommend directoryDicts/php/top3000.txt first
Add directoryDicts/php/phpFileName.txt as a PHP-focused fallback
Add directoryDicts/vulns.txt or directoryDicts/vuls/all.txt for known vulnerable paths
Give a short ffuf or feroxbuster command

Example 2 Input: "给我一个适合 Spring Boot 的接口和参数 fuzz 组合。"

Output shape:

Recommend apiDict/api.txt
Add paramDict/AllParam.txt or paramDict/parameter.txt
Mention spring/spring-configuration-metadata.txt for Spring-specific clues
Give one API path command and one parameter fuzz command

Example 3 Input: "这是 IIS 上传点，想测扩展名绕过。"

Output shape:

Recommend uploadFileExtDicts/iis_upload_fuzz.txt
Add uploadFileExtDicts/all_upload_fuzz.txt as a broad fallback
Mention uploadFileExtDicts/fileExt as a simple extension seed file
Give one upload fuzzing pattern the user can adapt

related-skills.json

same repository

pi-mono-framework.md

from "m-sec-org/BreachWeave"

pi-mono agent framework reference (github.com/badlogic/pi-mono). TRIGGER when: writing agent code using pi-ai/pi-agent-core/pi-coding-agent packages, defining tools with TypeBox schemas, implementing TUI or Web UI over an agent core, building extensions that hook into agent lifecycle, working with session/compaction/retry logic, implementing LLM provider abstractions, or any code that imports from @mariozechner/* packages.

2026-05-06282

ui-ux-pro-max.md

from "m-sec-org/BreachWeave"

UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient.

2026-05-06282

ad-pentest.md

from "m-sec-org/BreachWeave"

Active Directory 域渗透全链路指导技能。基于 GOAD (Game of Active Directory) 靶场实战经验，涵盖从初始侦察、用户枚举、密码攻击、中继与投毒、ADCS证书攻击、MSSQL利用、提权、横向移动、凭据提取、ACL滥用、委派攻击、域信任利用到域控拿下的完整渗透链。当用户提到以下任何关键词时，务必触发此技能： AD渗透、域渗透、Active Directory、域控攻击、内网渗透、kerberoasting、AS-REP roasting、 NTLM relay、responder、bloodhound、certipy、ADCS、ESC1-ESC15、PetitPotam、 noPac、PrintNightmare、横向移动、pass the hash、golden ticket、silver ticket、 DCSync、secretsdump、mimikatz、委派攻击、delegation、ACL滥用、域信任、 forest trust、提权、SeImpersonate、KrbRelay、MSSQL提权、webshell、凭据收集、密码喷洒、password spray、域枚举、SMB签名、coercer、 shadow credentials、certifried、RBCD、GPO abuse、LAPS、即使用户没有明确说"域渗透"，只要涉及Windows域环境的攻击场景都应使用此技能。

2026-05-06282

ffuf-skill.md

from "m-sec-org/BreachWeave"

Help with ffuf-based Web parameter fuzzing. Use this skill whenever the user wants to fuzz Web request paths, query parameters, headers, POST bodies, JSON fields, or raw HTTP requests with ffuf, or when they ask for an ffuf command, wordlist choice, false-positive filtering, matcher/filter tuning, or replaying hits into Burp/ZAP.

2026-05-06282

intranet-pentest.md

from "m-sec-org/BreachWeave"

CTF/靶场多层内网渗透指导与自动化脚本生成技能。基于 NPS C2 通道，覆盖从初始侦察、网段发现、服务利用、Windows/Linux 提权、凭据收集与复用、域渗透（ADCS/noPac/Zerologon）、云原生/K8s/Docker 逃逸到横向移动的完整渗透链，目标是拿到 FLAG 或域控权限。触发场景：用户提到内网渗透、CTF内网、靶场、多层内网、横向移动、提权、凭据获取、mimikatz、 hash传递、域渗透、域控攻击、云原生渗透、Docker逃逸、K8s渗透、fscan扫描、服务利用、 Redis、Redis未授权、Redis利用、密码喷洒、ADCS、noPac、Zerologon、PrintSpoofer、Potato提权、SUID提权、内网信息收集、网段发现、代理链搭建，或需要生成内网渗透自动化脚本时，都应使用此技能。即使用户只是简单提到"内网"、"横向"、"拿域控"、"打靶场"等口语化表达也应触发。

2026-05-06282

jwt-oauth-token-attacks.md

from "m-sec-org/BreachWeave"

JWT and OAuth token attack playbook. Use when validating token trust, signing algorithms, key handling, claim abuse, bearer flows, and OAuth account-binding weaknesses.

2026-05-06282

package.json

"author": "m-sec-org"

"repository": "m-sec-org/BreachWeave"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name

fuzz-dicts-navigator

description

Fuzz Dicts Navigator

Use this skill to turn the fuzzDicts repository into a practical navigation layer.

This skill is for authorized security testing, internal validation, lab work, and CTF-style practice. If the user's context is unclear, keep guidance focused on defensive or authorized use.

What to do

Identify the user's scenario.
Map it to one of the dictionary families in references/navigation.md.
Recommend one primary file and up to two fallbacks.
Prefer narrower dictionaries before huge catch-all lists when the stack is known.
Give command examples that the user can paste into common fuzzing tools.

Scenario routing

Route the request into one of these buckets before recommending anything:

Directory or content discovery
Parameter discovery
File upload bypass or extension fuzzing
Username or password guessing for authorized testing
Subdomain enumeration
API path discovery
JavaScript file discovery
Vulnerability-specific payload selection: XSS, SQLi, SSRF, LFI, XXE, RCE
CTF-only path fuzzing

If the user mixes goals, split the answer into phases. Example: first directory scan, then parameter fuzz, then upload bypass.

Selection rules

When the tech stack is known, choose the matching stack-specific dictionary first.
When the stack is unknown, start with a balanced general dictionary rather than the biggest file.
Only escalate to very large lists when the first pass is exhausted or the user explicitly wants breadth.
If the user asks for speed, bias toward smaller curated lists.
If the user asks for coverage, include one broad fallback.
If a directory contains payloads rather than plain wordlists, say so clearly.

Output format

Use this structure unless the user asks for something else:

Scenario

One sentence describing what the user is trying to do.

Recommended Dictionaries

relative/path/to/file.txt: why it is the first choice
relative/path/to/file.txt: when to switch to it
relative/path/to/file.txt: optional broad fallback

Tool Examples

Provide one or two commands using the files you recommended. Prefer ffuf, feroxbuster, gobuster, or wfuzz depending on the request.

Notes

Mention stack assumptions.
Mention whether the file is compact, broad, or payload-oriented.
Mention any sequencing advice.

Command behavior

Use repository-relative paths in examples unless the user gives an absolute path.
Keep command templates short and editable.
For directory brute force, include extensions only when they fit the stack.
For parameter fuzzing, show where FUZZ should go.
For upload fuzzing, clarify whether the file targets filename tricks, extension tricks, or middleware behavior.

Reference files

Read references/navigation.md for the category map and recommended file entry points.
Read references/tool-playbooks.md when you need ready-made command patterns for common fuzzing tools.

Response quality bar

Do not dump the whole repository tree unless the user explicitly asks.
Do not recommend more than three files in the first pass.
Explain tradeoffs in plain language: smaller and faster, broader and noisier, stack-specific, payload-heavy.
If the user only says "give me the best dirscan dictionary", still ask yourself whether they seem to want speed, depth, or stack specificity, and answer accordingly.

Examples

Example 1 Input: "目标像是 PHP 站点，我想先跑目录扫描，再看看有没有常见后台文件。"

Output shape:

Recommend directoryDicts/php/top3000.txt first
Add directoryDicts/php/phpFileName.txt as a PHP-focused fallback
Add directoryDicts/vulns.txt or directoryDicts/vuls/all.txt for known vulnerable paths
Give a short ffuf or feroxbuster command

Example 2 Input: "给我一个适合 Spring Boot 的接口和参数 fuzz 组合。"

Output shape:

Recommend apiDict/api.txt
Add paramDict/AllParam.txt or paramDict/parameter.txt
Mention spring/spring-configuration-metadata.txt for Spring-specific clues
Give one API path command and one parameter fuzz command

Example 3 Input: "这是 IIS 上传点，想测扩展名绕过。"

Output shape:

Recommend uploadFileExtDicts/iis_upload_fuzz.txt
Add uploadFileExtDicts/all_upload_fuzz.txt as a broad fallback
Mention uploadFileExtDicts/fileExt as a simple extension seed file
Give one upload fuzzing pattern the user can adapt

fuzz-dicts-navigator

Fuzz Dicts Navigator

What to do

Scenario routing

Selection rules

Output format

Scenario

Recommended Dictionaries

Tool Examples

Notes

Command behavior

Reference files

Response quality bar

Examples

More from this repository

More from this repository

Fuzz Dicts Navigator

What to do

Scenario routing

Selection rules

Output format

Scenario

Recommended Dictionaries

Tool Examples

Notes

Command behavior

Reference files

Response quality bar

Examples