The library

Everything we index — ranked by what works, never by stars.

untested
Apply shadcn/ui component styling · skill · Engineering, Product · L2
apply-shadcn · UI development when shadcn library components reduce custom CSS and maintain consistency.
untested
Configure CI/CD GitHub Actions workflows · skill · Engineering · L3
testing-ci · CI setup when automated testing + deployment gates reduce manual integration friction.
untested
Generate NestJS DTOs with validation decorators · skill · Engineering · L1
dto-generator · NestJS projects scaffold DTOs faster with auto-discovery than manual scaffolding.
untested
Set up and manage Arena development containers · skill · Engineering · L3
dev-container · IsaacLab development runs faster with one shared image across parallel project clones.
untested
Apply Next.js best practices to projects · skill · Engineering · L1
next-best-practices · Next.js refactors avoid pitfalls when you follow file conventions and RSC boundaries.
untested
Debug and optimize Terraform infrastructure code · skill · Engineering · L3
terraform-skill · IaC refactors are safer when you diagnose risk categories before applying changes.
untested
Fix tool-calling agent schema and behavior · skill · Engineering · L1
tool-calling-tutor · Tool-calling agents work faster when you debug schema, invocation, and loop patterns.
untested
Debug complex systems with multi-step reasoning · skill · Engineering · L1
sequential-think · Complex debugging beats quick answers when you systematize multi-layer reasoning.
untested
Red-team Android apps end-to-end · skill · Engineering · L4
apk-redteam-pipeline · Mobile security research runs faster with automated APK acquisition and decompilation.
untested
Hunt vulnerabilities with complete bug bounty workflow · skill · Engineering · L3
bb-local-toolkit · Bug bounty hunting converges faster with systematic recon, learning, and triage.
untested
Run static analysis scans with Semgrep · skill · Engineering · L2
semantic-grep · Security scanning is faster and more reliable when you use semantic rules vs regex.
untested
Orchestrate bug bounty hunting methodology · skill · Engineering · L1
bb-methodology · Bug bounty sessions gain focus when you apply systematic 5-phase methodology.
untested
Report bugs to Bugcrowd with severity strategy · skill · Engineering · L1
bugcrowd-reporting · Bug bounty submissions when VRT defaults misalign with actual impact severity.
untested
Exploit cloud IAM misconfigurations across providers · skill · Engineering · L4
cloud-iam-deep · Red-team privilege analysis when a cloud credential surfaces and escalation vectors matter.
untested
Predict metagenome function from 16S data · skill · Engineering · L2
bio-microbiome-functional-prediction · Metagenomics when shotgun sequencing is unavailable and KEGG/MetaCyc function prediction suffices.
untested
Optimize MAUI app performance for iOS · skill · Engineering · L3
dotnet-maui-aot · Mobile performance when app size and startup time reductions (up to 50%) justify AOT setup.
untested
Navigate Nx CLI workspace projects · skill · Engineering · L2
nx-cli · Monorepo development when task discovery and affected-scope analysis speed up iteration.
untested
Generate code from UI specifications · skill · Engineering · L2
codegen · Code generation utilities for json-render. Use when generating code from UI specs, building custom code exporters, traversing specs, or serializing props for @json-render/codegen.
untested
Add test infrastructure to .NET projects · skill · Engineering · L2
dotnet-add-testing · Use for >-
untested
Choreograph animations with GSAP timelines · skill · Engineering · L1
gsap-timeline · Official GSAP skill for timelines: gsap.timeline(), position parameter, nesting, playback. Use when sequencing animations, choreographing keyframes, or when the user asks about animation sequencing, timelines, or animation order (in GSAP or when recommending a library that supports timelines).
untested
Find CSRF vulnerabilities in web apps · skill · Engineering · L1
hunt-csrf · Hunting skill for CSRF vulnerabilities. Built from 15 public bug bounty reports including modern variants: SameSite=Lax sibling-subdomain bypass (Argo CD CVE-2024-22424), GraphQL mutations-via-GET (GitLab $3,370), framework-wide CSRF middleware disabled (Stripe dashboard $5,000), path-traversal CSRF-token bypass (GitHub Enterprise CVE-2022-23732 $10k), Origin-omission bypass (TikTok $2,500), OAuth-state null-byte (Streamlabs), WebSocket CSRF / CSWSH (Coda), default-SameSite email-change → ATO (YoYo Games $400), social-account-link CSRF (HackerOne), JSON-CSRF via text/plain on email-change (TikTok $500). Use when hunting modern CSRF, with heavy emphasis on chain-to-ATO patterns.
untested
Run TUnit tests with Playwright · skill · Engineering · L1
tunit · Run TUnit tests with Playwright. Use when user asks to run tests, execute tests, or check if tests pass.
untested
Hunt insecure deserialization RCE · skill · Engineering · L1
hunt-deserialization · Hunt insecure deserialization: Java gadget chains (ysoserial), PHP object injection (PHPGGC), Python pickle RCE, .NET BinaryFormatter, Ruby Marshal.load, JNDI/Log4Shell. RCE via deserialization is almost always critical. Use when target runs Java, PHP serialization, Python pickle, .NET, or Ruby on Rails.
untested
Build with Cloudflare platform · skill · Engineering · L2
cloudflare · Comprehensive Cloudflare platform skill covering Workers, Pages, storage (KV, D1, R2), AI (Workers AI, Vectorize, Agents SDK), networking (Tunnel, Spectrum), security (WAF, DDoS), and infrastructure-as-code (Terraform, Pulumi). Use for any Cloudflare development task.
untested
Route to right security testing skill · skill · Engineering · L1
hunt-dispatch · Skill-set loader for the /hunt orchestrator. Fingerprints the target, picks the right platform attack skills, and loads the red team or WAPT skill set. Use when /hunt has just received a mode answer (redteam or wapt + blackbox|greybox) and needs to load the appropriate skills and print the taxonomy. Not for direct user invocation.
untested
Set up NexusProvider for web3 · skill · Engineering · L2
nexus-elements-nexus-provider · Install and configure the NexusProvider for Nexus Elements. Use when setting up provider context, handleinit on wallet connect, or when any element needs usenexus.
untested
Hunt DOM and client-side vulnerabilities · skill · Engineering · L1
hunt-dom · Hunt client-side DOM vulnerabilities: DOM clobbering (overwrite JS globals via HTML injection), postMessage hijacking (missing origin check), service worker abuse (intercept requests from same-origin script), CSS injection/exfiltration (attribute selectors → token char-by-char via OOB), client-side template injection, dangerouslySetInnerHTML. Grounded in named public research: Gareth Heyes / PortSwigger DOM clobbering + DOM Invader, Michał Bentkowski DOMPurify clobbering bypasses, jQuery htmlPrefilter XSS (CVE-2020-11022 / CVE-2020-11023), d0nut CSS-exfil research. Use when hunting DOM XSS, client-side auth bypass, or token exfiltration without server-side interaction.
untested
Hunt file upload RCE and XSS · skill · Engineering · L1
hunt-file-upload · Security auditors hunting RCE on PHP/JSP/ASPX stacks with publicly-exploitable file-processing chains.
untested
Hunt GraphQL authorization flaws · skill · Engineering · L1
hunt-graphql · Bug bounty hunters on platform APIs (GitHub, Shopify, Stripe tier) where GraphQL mutations interact with REST APIs.
untested
Hunt gRPC configuration vulnerabilities · skill · Engineering · L1
hunt-grpc · Security teams hunting microservice architecture vulns where edge-proxy auth is bypassed by reaching backend directly.
untested
Hunt host header injection attacks · skill · Engineering · L1
hunt-host-header · Security researchers hunting account-takeover on apps behind CDN/reverse proxy where Host is unkeyed in cache.
untested
Investigate bugs with test-first approach · skill · Engineering · L1
bug-investigation · Teams enforcing TDD discipline to prevent regressions and verify actual bug fix.
untested
Hunt HTTP request smuggling attacks · skill · Engineering · L1
hunt-http-smuggling · Bug bounty hunters on older deployments (HAProxy <2.4, legacy F5, Citrix ADC) or AWS ALB+origin chains with H2 downgrade.
untested
Deploy Expo apps to stores · skill · Engineering · L2
expo-deployment · Use for expo-deployment tasks and operations.
untested
Hunt insecure direct object references · skill · Engineering · L1
hunt-idor · Use when hunting idor on any target.
untested
Generate Jest unit tests automatically · skill · Engineering · L1
jest-generator · Use for jest-generator tasks and operations.
untested
Hunt Kubernetes and Docker misconfigs · skill · Engineering · L1
hunt-k8s · Testing container orchestration for auth bypass and RCE.
untested
Hunt Laravel framework vulnerabilities · skill · Engineering · L1
hunt-laravel · Testing PHP Laravel apps for CVE-2021-3129 Ignition.
untested
Exploit LDAP injection vulnerabilities · skill · Engineering, Ops · L3
hunt-ldap · Penetrating directory-backed authentication systems.
untested
Generate design documentation table of contents · skill · Product, Engineering · L1
design-index · Creating table of contents for design docs.
untested
Hunt and exploit local file inclusion · skill · Engineering, Ops · L3
hunt-lfi · Extracting secrets via path traversal and filter chains.
untested
Write Rust API documentation comments · skill · Engineering · L1
api-doc-comments · Documenting smart contract ABIs where generated docs must be client-accessible and precise.
untested
Auto-format and lint code to standards · skill · Engineering · L2
code-sanitizer · Ensuring consistent code style across a data pipeline before completion checklist.
untested
Manage pull requests and git workflows · skill · Engineering · L2
git-workflow · Submitting feature patterns to upstream community repositories with clean history.
untested
Identify and exploit MFA bypass patterns · skill · Ops, Engineering · L3
hunt-mfa-bypass · Hunting account takeover chains where MFA enforcement is incomplete or bypassable.
untested
Hunt miscellaneous application vulnerabilities · skill · Engineering, Ops · L3
hunt-misc · Discovering account boundary violations in multi-tenant SaaS with role-based access.
untested
Set up Koin dependency injection for Android · skill · Engineering · L2
android-di-koin · Setting up DI scoping per feature layer without manual constructor plumbing.
untested
Hunt Next.js framework vulnerabilities · skill · Engineering, Ops · L3
hunt-nextjs · Bypassing Server Actions auth or exploiting Image Optimizer SSRF on Next.js hosts.
untested
Hunt Node.js code injection vulnerabilities · skill · Engineering, Ops · L3
hunt-nodejs · Chaining prototype pollution to RCE on Express apps with unsafe merge operations.
untested
Detect NoSQL injection and auth bypasses · skill · Engineering, Ops · L3
hunt-nosqli · Extracting data from NoSQL services when parametrized queries are not used.