The library
Everything we index — ranked by what works, never by stars.
forSalesMarketingHRFinanceLegalOpsProductEngineeringDataProductivitySupportsetup≤ plug & play≤ + a key≤ multi-tool
● works · ● untested / no effect · ● hurts — every rank is measured against a no-skill baseline
untested★22→untested★0→untested★2,144→untested★7→untested★0→untested★2,144→untested★0→untested★2,144→untested★7→untested★0→untested★2,144→untested★45→untested★0→untested★2,144→untested★44→untested★0→untested★2,144→untested★19→untested★0→untested★12→untested★0→untested★2,144→untested★45→untested★0→untested★2,144→untested★45→untested★0→untested★2,144→untested★12→untested★20→untested★0→untested★2,144→untested★6→untested★15→untested★0→untested★6→untested★15→untested★0→untested★13→untested★15→untested★20→untested★2,144→untested★11→untested★19→untested★2,144→untested★11→untested★2,144→untested★11→untested★2,144→untested★15→
Quick emotional state snapshot without introspection when you need gut-check interpretationskillL1
limbic · Quick emotional state snapshot without introspection when you need gut-check interpretation
Detect GraphQL injection vulnerabilitiesskillEngineeringOpsL3
sast-graphql · Finding query string injection that reaches GraphQL parsers (not resolver SQL injection)
Test file upload securityskillEngineeringOpsL2
offensive-file-upload · Finding RCE or XSS through file upload when MIME validation or extension checks are sole defense
Manage Poke agents and session historyskillEngineeringL2
poke-agents-mcp · Headless orchestration of local agent runs without UI when scripting multi-agent workflows
Find hardcoded secrets in codeskillEngineeringOpsL3
sast-hardcodedsecrets · Finding exposed API keys, credentials, and tokens that code review and linters miss
Test GraphQL for security flawsskillEngineeringOpsL2
offensive-graphql · Bypassing GraphQL authorization when individual resolvers don't check permissions uniformly
Detect IDOR vulnerabilitiesskillEngineeringOpsL3
sast-idor · Finding authorization gaps where IDs are trusted directly without ownership verification
Exploit insecure direct object referencesskillEngineeringL2
offensive-idor · Accessing other users' data when IDs are sequential or predictable and authorization is missing
Prevent App Store rejectionsskillProductL1
apple-app-review-skills · Reducing App Store submission failures by catching common violations before review
Detect insecure JWT implementationsskillEngineeringL3
sast-jwt · Finding JWT signature bypass, algorithm confusion, and key exposure in token handling
Find and exploit open redirectsskillEngineeringL2
offensive-open-redirect · Chaining open redirect with phishing or SSRF when URL parameters trust user input
Execute code from idea to productionskillEngineeringL3
cm-start · Setting up codymaster scaffolding for new projects without manual config
Detect missing authentication vulnerabilitiesskillEngineeringL3
sast-missingauth · Finding unprotected endpoints that forgot authentication decorators or checks
Exploit HTTP parameter pollutionskillEngineeringL2
offensive-parameter-pollution · Bypassing security controls when backend and frontend parse parameters differently
Automate UK grocery shoppingskillOpsL2
uk-grocery-cli · Automating recurring grocery orders across multiple UK chains with price comparison before checkout
Detect path traversal vulnerabilitiesskillEngineeringL3
sast-pathtraversal · Large codebases needing path traversal scanned in parallel without overwhelming context
Exploit race condition bugsskillEngineeringL2
offensive-race-condition · Bug bounty race condition testing on registration, payments, and single-use tokens
Stage and commit code changesskillEngineeringL1
commit · Rapid multi-file commits with auto-generated messages matching repo conventions
Detect remote code execution flawsskillEngineeringL3
sast-rce · Finding command injection and eval-like RCE across large codebases in parallel
Track Discord channel memoryskillOpsL2
discord-channel-memory · Maintaining agent memory across 3+ Discord channels without loading full history at session start
Generate consolidated security reportskillEngineeringL1
sast-report · Executive-facing security report consolidating 10+ vulnerability types into one prioritized list
Exploit HTTP request smugglingskillEngineeringL2
offensive-request-smuggling · Bug bounty request smuggling on multi-tier proxies and load balancers (Nginx, HAProxy, AWS ALB)
Generate codebase documentationskillEngineeringL1
cm-dockit · One-shot knowledge base generation from source code without writing separate documentation
Detect SQL injection vulnerabilitiesskillEngineeringL3
sast-sqli · Finding SQLi across authentication and bulk data endpoints in large codebases
Test SQL injection exploitsskillEngineeringL2
offensive-sqli · Bug bounty exploitation of SQL injection on login and export endpoints
Run visual QA through browserskillProductL2
cm-browse · Quick content extraction and link discovery from any web page
Detect server-side request forgeryskillEngineeringL3
sast-ssrf · Finding SSRF that reaches internal microservices, cloud metadata (169.254.169.254), or database servers
Exploit server-side request forgeryskillEngineeringL2
offensive-ssrf · AWS/GCP credential theft via IMDSv1 metadata endpoint and internal database access
Scan for sensitive data before commitskillEngineeringL1
check-before-commit · Pre-commit quality gates preventing style/error commits from reaching main
Maintain impact diagramsskillProductL1
diagram · Generating architecture diagrams, flowcharts, and sequence diagrams from code or text
Detect server-side template injectionskillEngineeringL3
sast-ssti · Finding SSTI in microtemplate rendering (Jinja2, ERB, Handlebars) on dynamic pages
Exploit template injection flawsskillEngineeringL2
offensive-ssti · RCE via template injection on Jinja2, ERB, and Handlebars endpoints
Visualize codebase structure instantlyskillEngineeringL1
project-structure-viewer · Quick understanding of unfamiliar codebase layout without reading all files
Niri window manager referenceskillEngineeringL1
niri · Rapid keyboard-driven workflow setup for developers using Linux Wayland
Detect XSS vulnerabilities automaticallyskillEngineeringL3
sast-xss · Use for specialized sast-xss scenarios where standard approaches are insufficient.
Build Arbitrum dApps with StylusskillEngineeringL3
arbitrum-dapp-skill · Opinionated guide for building dApps on Arbitrum using Stylus (Rust) and/or Solidity
GNOME desktop environment guideskillEngineeringL1
gnome · Use for specialized gnome scenarios where standard approaches are insufficient.
Find XXE injection vulnerabilitiesskillEngineeringL3
sast-xxe · Use for specialized sast-xxe scenarios where standard approaches are insufficient.
Get second opinion on code changesskillEngineeringL2
cross-review · Run a cross-review using the opposite CLI reviewer for proposal review and change assessment
Manage media library with *arr stackskillOpsL3
media · Media Management (\*arr Stack) Skill
Master GitHub CLI operationsskillEngineeringL2
gh-cli · GitHub CLI (gh) comprehensive reference for repositories, issues, pull requests, Actions, projects, releases, gists, codespaces,...
Execute BLE penetration testsskillEngineeringL4
offensive-bluetooth-ble · Bluetooth Low Energy (BLE) attack methodology — GATT enumeration, characteristic read/write without auth, pairing downgrade...
Shrink browser prompts 95%skillEngineeringL2
predicate-snapshot · ML-powered DOM pruning for 95% smaller browser prompts
Track ETF news by categoryskillDataL2
etf-news · Fetch and tag news articles by Indian ETF category with sentiment scores
Attack Bluetooth Classic devicesskillEngineeringL4
offensive-bluetooth-classic · Bluetooth Classic (BR/EDR) attack methodology — device discovery, service enumeration via SDP, LMP/L2CAP layer attacks,...
Generate flashcards from STEM materialskillProductivityL2
generating-stem-flashcards · Generates atomic flashcards from technical/STEM source material
Execute WiFi deauth attacksskillEngineeringL4
offensive-deauth-disassoc · Deauthentication and disassociation attacks against 802
Apply Laravel production patternsskillEngineeringL1
laravel-best-practices · Laravel best practices and architecture patterns for building production-ready applications
Deploy evil twin access pointsskillEngineeringL4
offensive-evil-twin · Evil Twin / KARMA / Mana access point methodology — rogue AP construction with hostapd-mana...
Manage GitHub repositories and PRsskillEngineeringL2
github · GitHub & Git Integration Skill