awesome-claude-skills-security MCP — Cas d'usage, Installer & Démo en direct

Pourquoi l'utiliser

Fonctionnalités clés

7 skill categories covering fuzzing, passwords, payloads, pattern matching, and more
5 slash commands: /sqli-test, /xss-test, /wordlist, /webshell-detect, /api-keys
3 expert agents: Pentest Advisor, CTF Assistant, Bug Bounty Hunter
Curated from SecLists — common passwords, injection payloads, detection patterns
LLM security testing prompts for AI safety evaluation

Démo en direct

Aperçu en pratique

awesome-claude-skills-security.replay ▶ prêt

0/0

Installer

Choisissez votre client

~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Ouvrez Claude Desktop → Settings → Developer → Edit Config. Redémarrez après avoir enregistré.

~/.cursor/mcp.json · .cursor/mcp.json

{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Cursor utilise le même schéma mcpServers que Claude Desktop. La config projet l'emporte sur la globale.

VS Code → Cline → MCP Servers → Edit

{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Cliquez sur l'icône MCP Servers dans la barre latérale Cline, puis "Edit Configuration".

~/.codeium/windsurf/mcp_config.json

{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Même format que Claude Desktop. Redémarrez Windsurf pour appliquer.

~/.continue/config.json

{
  "mcpServers": [
    {
      "name": "awesome-claude-skills-security",
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  ]
}

Continue utilise un tableau d'objets serveur plutôt qu'une map.

~/.config/zed/settings.json

{
  "context_servers": {
    "awesome-claude-skills-security": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
        ]
      }
    }
  }
}

Ajoutez dans context_servers. Zed recharge à chaud à la sauvegarde.

claude mcp add awesome-claude-skills-security -- TODO 'See README: https://github.com/Eyadkelleh/awesome-claude-skills-security'

Une seule ligne. Vérifiez avec claude mcp list. Supprimez avec claude mcp remove.

Cas d'usage

Usages concrets : awesome-claude-skills-security

How to test for SQL injection in a CTF challenge with security skills

👤 CTF participants and security students ⏱ ~20 min intermediate

Quand l'utiliser : You encounter a web challenge that may be vulnerable to SQL injection in a CTF competition.

Prérequis

Security skills installed — /plugin marketplace add Eyadkelleh/awesome-claude-skills-security
Target is a CTF challenge you are authorized to test — Ensure you have explicit authorization

Déroulement

Invoke the SQLi test command

/sqli-test — I have a login form at http://ctf-challenge.local/login. Help me test it for SQL injection vulnerabilities.✓ Copié

→ Claude provides relevant SQLi payloads from SecLists and testing strategy
Analyze results

The server returned a 500 error with 'OR 1=1. What does this indicate and what should I try next?✓ Copié

→ Explanation of the vulnerability type and escalation approach

Résultat : Identified SQL injection vector with exploitation path for the CTF flag.

Pièges

Testing against unauthorized targets — Only use these skills on systems you own or have written authorization to test

Scan a codebase for exposed API keys and credentials

👤 Security engineers performing code reviews ⏱ ~10 min beginner

Quand l'utiliser : You want to audit a codebase for accidentally committed secrets.

Prérequis

Security skills installed — /plugin install security-fuzzing@awesome-security-skills

Déroulement

Run the API key scan

/api-keys — Scan the current project directory for exposed API keys, tokens, and credentials.✓ Copié

→ List of files and patterns matching known credential formats

Résultat : Report of exposed credentials that need to be rotated and removed.

Pièges

False positives from test fixtures — Exclude test directories and known fixture files from the scan

Combiner avec : filesystem

Combinaisons

Associez-le à d'autres MCPs pour un effet X10

awesome-claude-skills-security + filesystem

Scan project files for exposed secrets and automatically create .gitignore entries

Scan this project for exposed API keys, then add any sensitive files to .gitignore.✓ Copié

Outils

Ce que ce MCP expose

Outil	Entrées	Quand appeler
/sqli-test	target description	Testing for SQL injection vulnerabilities in authorized environments
/xss-test	target description	Testing for cross-site scripting in authorized environments
/wordlist	wordlist type	Need password or directory wordlists for testing
/webshell-detect	file or directory	Checking for web shells in a compromised server
/api-keys	directory to scan	Auditing code for accidentally committed secrets

Coût et limites

Coût d'exécution

Quota d'API: N/A — all resources are local
Tokens par appel: 500–3000 tokens depending on payload lists loaded
Monétaire: Free
Astuce: Load specific wordlists on demand rather than all categories at once.

Sécurité

Permissions, secrets, portée

Stockage des identifiants : N/A — no external credentials needed

Sortie de données : All processing is local — no external network calls

⚠ This tool is designed for authorized security research, CTF competitions, and defensive analysis only. Do not use it against systems you don't own or have written authorization to test.
Payloads included can cause damage if used against production systems without authorization.
Web shell samples are included for detection training — do not deploy them.

Dépannage

Erreurs courantes et correctifs

Slash command not recognized

Ensure the security skills plugin is installed correctly. Try reinstalling with /plugin marketplace add.

Vérifier : /plugin list

Wordlist too large for context

Request specific subsets (e.g., 'top 100 SQL payloads') instead of loading entire wordlists.

False positives in API key scan

Exclude test fixtures and example files. Provide specific file patterns to scan.

Alternatives

awesome-claude-skills-security vs autres

Alternative	Quand l'utiliser	Compromis
hexstrike-ai	You need active security tools (nmap, nuclei, sqlmap) rather than wordlists and payloads	Active scanning vs passive payload lists

Plus

Ressources

📖 Lire le README officiel sur GitHub

🐙 Voir les issues ouvertes

🔍 Parcourir les 400+ serveurs MCP et Skills