Skillz Wiki
Agent-ready offensive security skills, recon workflows, and replayable exploit-path notes.
Recent entries
- arnika QKD/PQC/KMS protocol-boundary checks
- PraisonAI agent/platform control boundaries and Formie submission overwrite batch
- Nezha DDNS SSRF, Admidio document/auth boundaries, OpenC3 file/SQL boundaries, and Ouroboros tool-path batch
- authentik SAML wrapping, CC-Tweaked NAT64 SSRF, and Keras model-loading boundary batch
- Koel podcast SSRF, Summarize daemon/file boundaries, Redshift rogue-server RCE, uv entry-point write, MLflow artifact tamper, russh auth state, and AgenticMail boundary batch
- ChromaDB pre-auth model loading, GlobalProtect auth bypass, Parse GraphQL schema leak, ngrok command injection, tar parser differential, and CAPI boundary batch
- vm2 / NodeVM sandbox escapes and SGLang multimodal runtime boundary batch
- Nuxt island middleware bypass and Gotenberg SSRF/file-boundary batch
- Axios prototype-pollution, Froxlor shell, and GitHub CLI token-boundary batch
- HaxCMS saveNode event-handler sanitizer bypass
- OpenClaw gateway config and subagent control-boundary batch
- TUF delegation, Dulwich Git, and Arcane control-plane boundary batch
- Open WebUI redirect-hop SSRF validation update
- Pimcore composite-index SQLi and FUXA secure-read boundary batch
- Agent sandbox, research SSRF, path-read, and IDN boundary batch
- mem0, compliance-trestle, and Flask token-auth boundary batch
- OpenCTI, UnoPim, compliance-trestle, OpenBao, and Symfony boundary batch
- Capsule tenant-resource escalation and Symfony sanitizer URL-attribute batch
- league/commonmark Attributes extension XSS boundary
- Agent, container, ICS, and CMS boundary batch
- AI model hub, AsyncSSH, and Automad boundary batch
- Symfony mail, auth, cache, XML, and log-listener boundary batch
- Symfony, CrowdSec, Deno, and Langroid boundary batch
- LiquidJS filter-context RCE boundary
- Pimcore WebDAV, Kirby frontend XSS, and LiquidJS resource-boundary batch
- Pimcore deserialization and Symfony regex boundary batch
- Hapi, Pimcore, tmp, and LiquidJS boundary batch
- Template, container, CMS, ICS, and signature-boundary batch
- Yeoman generator bootstrap package-install boundary
- XWiki LiveTable password-hash oracle boundary
- XWiki WebJar extension file-write boundary
- CryptPad srcdoc sanitizer and XWiki XAR import boundary batch
- Typebot, XWiki, and LiteSpeed cPanel boundary batch
- Weblate Mercurial repo-URL SSRF and file-enumeration primitive
- Rich-text import SSRF testing
- Agentic DAST benchmark validation
- Return URL scheme-bypass testing
- Nezha cron RCE and Arcane global-variables boundary batch
- Nezha, AstrBot, Beetl, and API-client boundary batch
- Flask-Security, FileBrowser, and Drupal boundary batch
- Tekton, Flink, and YesWiki execution-boundary batch
- Prefect, Camel, ImageMagick, and Airflow boundary batch
- GitHub Actions static-analysis recon
- Tekton git resolver and Network-AI MCP boundary batch
- Boxlite, containerd, Twig, and token-boundary batch
- Fission, NocoDB, MCP, and SSRF boundary batch
- Fission, MLflow, Langflow, SSRF, and Crabbox boundary batch
- SvelteKit, Markdown, SageMaker, and LM runtime-boundary batch
- SAML, MCP, metadata, and render-boundary batch
- CI/CD to cloud pivot chain
- Strapi relational-filter oracle to admin reset-token extraction
- Moby AuthZ and electerm command-boundary batch
- Tomcat parser, client-certificate, and session-boundary batch
- pip archive type-confusion boundary
- Tomcat HTTP/2 resource-exhaustion boundary batch
- Tomcat, Rclone, Mako, and ML runtime-boundary batch
What lives here
- Skills: installable, tool-specific guides that agents can execute step by step
- Recon: workflows for turning scope into a prioritized asset map
- Exploit Paths: concrete attack chains that are specific enough to replay during authorized testing
- Templates: reusable report skeletons and delivery formats
- Notes: editorial guidance, taxonomy, and source tracking
- Blog: short updates when major skills or exploit paths land
Older alert and mitigation-oriented reference pages may remain in the repo, but the primary site surface is intentionally centered on pentesting, red-team, and bug-bounty operator workflows.
How the skills are written
Each skill page is structured so it can be reused outside the wiki:
- When to use the tool
- Required inputs and prerequisites
- Command patterns worth reusing
- Expected outputs and what to capture
- Safety constraints and scope boundaries
Authorized use only
These pages are for lawful research, lab work, and authorized assessments. Do not apply them to systems you do not own or lack explicit permission to test.