Loading...
Loading...
Found 198 Skills
WooYun business logic vulnerability methodology — 22,132 real cases across 6 domains (authentication bypass, authorization bypass, payment tampering, information disclosure, logic flaws, misconfiguration) and 33 vulnerability classes. It can be used for ANY security testing, auditing, or code review of web apps, APIs, or business systems, even without explicit "security" keywords. Triggers: penetration testing, security audit, vulnerability, bug bounty, payment security, IDOR, password reset, weak credentials, unauthorized access, race condition, parameter tampering, code review, penetration testing, security audit, vulnerability mining, payment security, privilege escalation, logic vulnerability, business security, SRC, code audit. It also triggers on implicit intent: "test this endpoint", "find bugs", "can I bypass this", "help me test this interface", "can this parameter be modified", "help me find bugs".
Use this skill when users mention scenarios such as "Feishu authorization", "OAuth", "Device Flow", "open_id", "repeated authorization pop-ups", "token reuse", "supplement authorization scopes", or "where Feishu tokens are stored"—scenarios that require reusing existing local user tokens, only supplementing missing scopes, or troubleshooting the actual storage location of tokens.
Integrate Apple Pay payments and Wallet passes using PassKit. Use when adding Apple Pay buttons, creating payment requests, handling payment authorization, adding passes to Wallet, configuring merchant capabilities, managing shipping and contact fields, or working with PKPaymentRequest, PKPaymentAuthorizationController, PKPaymentButton, PKPass, PKAddPassesViewController, PKPassLibrary, or Apple Pay checkout flows.
Access research-grade sensor data using SensorKit. Use when reading ambient light levels, accelerometer data, rotation rates, device usage patterns, keyboard metrics, or media events for approved research studies. Requires SensorKit entitlement and research study authorization.
IDOR and broken object authorization testing playbook. Use when requests expose object identifiers, tenant boundaries, writable fields, or missing object-level authorization checks.
Entry P1 category router for authentication and authorization. Use when testing login flows, sessions, object authorization, JWT, OAuth, CORS, CSRF, and enterprise SSO weaknesses before any deeper auth topic skill.
MUST be used whenever reviewing a Dune app for security issues, or before shipping any feature that handles credentials, user input, or external data. Do NOT skip this when the user asks for a security review, security audit, or vulnerability check — run every step in order. Triggers: security, security review, security audit, vulnerability, XSS, injection, credentials, secrets, auth, authentication, authorization, token, sensitive data, input validation, CORS, CSP, dependency audit.
Use for Core Location implementation patterns - authorization strategy, monitoring strategy, accuracy selection, background location
OAuth 2.1 + JWT authentication security best practices. Use when implementing auth, API authorization, token management. Follows RFC 9700 (2025).
Apple HealthKit framework for health and fitness data. Use for reading/writing health samples, workout data, authorization flows, observer queries, background delivery, clinical records, activity rings, and integrating with the Health app across iPhone, Apple Watch, iPad, and visionOS.
Design and review Rails applications using layered architecture principles from "Layered Design for Ruby on Rails Applications". Use when analyzing Rails codebases, reviewing PRs for architecture violations, planning feature implementations, or implementing patterns like authorization, view components, or AI integration. Triggers on "layered design", "architecture layers", "abstraction", "specification test", "layer violation", "extract service", "fat controller", "god object".
Load PROACTIVELY when task involves security review, vulnerability assessment, or hardening. Use when user says "check for security issues", "audit for vulnerabilities", "scan for secrets", "review auth security", or "check OWASP compliance". Covers authentication and session security, authorization and access control, input validation and injection prevention, data protection and encryption, dependency vulnerability scanning, API security (CORS, rate limiting, headers), and infrastructure hardening. Produces structured reports with severity ratings.