
awesome-claude-skills-security

Author: Eyadkelleh · Eyadkelleh/awesome-claude-skills-security

SecLists-powered security testing skills for Claude Code — injection payloads, wordlists, and expert agents for CTFs and pentesting.

awesome-claude-skills-security packages curated SecLists resources as Claude Code skills for authorized security testing. It provides 7 skill categories (fuzzing, passwords, pattern matching, payloads, usernames, web shells, LLM testing) plus 5 slash commands and 3 expert agents (Pentest Advisor, CTF Assistant, Bug Bounty Hunter). Designed for CTF competitions, authorized pentesting, and security research.

Why use it

Key features


Installation

Choose your client

The MCP configurations below are directory-generated placeholders: the command field is literally "TODO" because this project ships Claude Code skills and slash commands, not an MCP server binary. The plugin's own installation path is the /plugin command shown under Use cases; check the README before pasting any of these blocks.

Claude Desktop · macOS: ~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart the app after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. A project-level .cursor/mcp.json takes precedence over the global one.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar and choose "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Same format as Claude Desktop. Restart Windsurf to apply the change.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "awesome-claude-skills-security",
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map keyed by name.

~/.config/zed/settings.json
{
  "context_servers": {
    "awesome-claude-skills-security": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
        ]
      }
    }
  }
}

Add the entry under context_servers. Zed hot-reloads the file on save.

claude mcp add awesome-claude-skills-security -- TODO 'See README: https://github.com/Eyadkelleh/awesome-claude-skills-security'

One-liner for Claude Code. Verify with claude mcp list; remove with claude mcp remove.

Use cases

Practical usage: awesome-claude-skills-security

How to test for SQL injection in a CTF challenge with security skills

Audience: CTF participants and security students · Time: ~20 min · Level: intermediate

When to use: You encounter a web challenge that may be vulnerable to SQL injection in a CTF competition.

Prerequisites
  • Security skills installed — /plugin marketplace add Eyadkelleh/awesome-claude-skills-security
  • Target is a CTF challenge you are authorized to test — Ensure you have explicit authorization
Flow
  1. Invoke the SQLi test command
    /sqli-test — I have a login form at http://ctf-challenge.local/login. Help me test it for SQL injection vulnerabilities.
    → Claude provides relevant SQLi payloads from SecLists and testing strategy
  2. Analyze results
    The server returned a 500 error with 'OR 1=1. What does this indicate and what should I try next?
    → Explanation of the vulnerability type and escalation approach

Result: Identified SQL injection vector with exploitation path for the CTF flag.

Caveats
  • Testing against unauthorized targets — Only use these skills on systems you own or have written authorization to test
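Step 2 of the flow hinges on reading the server's reaction correctly. The script below is an added example, not code from awesome-claude-skills-security or from SecLists: it models the login form offline with an in-memory SQLite table, pushes a handful of constructed probe payloads through a deliberately vulnerable concatenated query and through its parameterized fix, and classifies each outcome the way a tester would. A database error on an unbalanced quote is what the 500 in the flow usually means; a successful login with wrong credentials is the bypass. The table layout, the account, the payload set and the field names are all assumptions.

```python
"""Added example, not code from awesome-claude-skills-security or SecLists.
Offline model of the SQLi step above: a login query built by string
concatenation next to its parameterized fix, exercised with constructed
probe payloads. Table layout, credentials and payloads are assumptions."""
import sqlite3

# Constructed fixture: a single valid account.
SEED = [("admin", "s3cret-not-real")]

# Short probe set in the spirit of SecLists' SQLi lists (constructed here).
PROBES = [
    "'",              # lone quote: unbalanced, breaks the query if unsanitized
    "' OR 1=1",       # tautology, but the trailing quote is still unbalanced
    "' OR 1=1--",     # closes the string, comments out the rest: auth bypass
    "' OR '1'='1",    # balanced tautology; its effect depends on the field
    "admin' --",      # log in as a known user, comment out the password check
]


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SEED)
    return conn


def vulnerable_login(conn, username, password):
    """The 'before': user input becomes part of the SQL text."""
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """The fix: bound parameters can never change the query's structure."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def classify(login, payload, field="username"):
    """'error' (the 500 in the flow), 'bypass' (logged in with wrong creds) or 'no-effect'."""
    creds = {"username": "admin", "password": "wrong-password"}
    creds[field] = payload
    conn = fresh_db()
    try:
        logged_in = login(conn, creds["username"], creds["password"])
    except sqlite3.Error:
        return "error"
    finally:
        conn.close()
    return "bypass" if logged_in else "no-effect"


def run_probes(login, field="username"):
    """Map each probe to its verdict for one login implementation and one form field."""
    return {p: classify(login, p, field) for p in PROBES}


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_login), ("parameterized", safe_login)):
        for field in ("username", "password"):
            print(f"{name} / {field} field")
            for payload, verdict in run_probes(fn, field).items():
                print(f"  {payload!r:16} -> {verdict}")
```

Two things the output teaches that the flow text does not spell out: the lone quote and the uncommented `' OR 1=1` both produce a database error rather than a bypass, which is exactly the 500 seen in step 2, so the next move is a payload that re-balances or comments out the rest of the query; and the balanced `' OR '1'='1` fails in the username field because AND binds tighter than OR, yet bypasses in the password field. Against the parameterized version every probe is just an unknown username or wrong password.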

Scan a codebase for exposed API keys and credentials

Audience: Security engineers performing code reviews · Time: ~10 min · Level: beginner

When to use: You want to audit a codebase for accidentally committed secrets.

Prerequisites
  • Security skills installed — /plugin install security-fuzzing@awesome-security-skills
Flow
  1. Run the API key scan
    /api-keys — Scan the current project directory for exposed API keys, tokens, and credentials.
    → List of files and patterns matching known credential formats

Result: Report of exposed credentials that need to be rotated and removed.

Caveats
  • False positives from test fixtures — Exclude test directories and known fixture files from the scan
Combine with: filesystem

Combinations

Combine with other MCP servers

awesome-claude-skills-security + filesystem

Scan project files for exposed secrets and automatically create .gitignore entries

Scan this project for exposed API keys, then add any sensitive files to .gitignore.
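The /api-keys scan in the flow above and this filesystem combination (scan, then add offending files to .gitignore) share one mechanism, so a single added example covers both. It is not code from awesome-claude-skills-security or SecLists: it runs a few well-known credential-format regexes over a constructed in-memory file tree, skips test fixtures by default so the false-positive caveat stays in view, and returns the .gitignore entries that would follow. The pattern set, the exclusion lists and the sample files are assumptions; the AWS value is Amazon's published documentation example, not a live key.

```python
"""Added example, not code from awesome-claude-skills-security or SecLists.
Minimal credential scan over a constructed file tree, with fixture
exclusion and .gitignore entry generation. Patterns, exclusions and the
sample tree are assumptions."""
import re
from pathlib import PurePosixPath

# Regexes for a few well-known credential formats. Deliberately short;
# SecLists' pattern-matching lists are far longer than this.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Skipped by default: the fixture and example locations the page warns about.
EXCLUDE_DIRS = {"test", "tests", "fixtures", "__fixtures__", "node_modules", ".git"}
EXCLUDE_FILES = {".env.example", "config.example.json"}

# Constructed repository snapshot: path -> file contents.
# AKIAIOSFODNN7EXAMPLE is the example key from AWS documentation, not a real one.
SAMPLE_TREE = {
    "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = False\n',
    ".env": "API_KEY='abcdefghijklmnopqrstuvwxyz012345'\n",
    ".env.example": "API_KEY='replace-me-with-a-real-key-1234'\n",
    "tests/fixtures/token.txt": "ghp_" + "A" * 36 + "\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
    "src/app.py": "def handler(event):\n    return {'status': 200}\n",
}


def is_excluded(path):
    """True when any parent directory or the file name is on an exclusion list."""
    p = PurePosixPath(path)
    return bool(EXCLUDE_DIRS.intersection(p.parts[:-1])) or p.name in EXCLUDE_FILES


def scan_tree(tree, exclude=True):
    """Return [(path, line_no, pattern_name)] for every match, in tree order."""
    findings = []
    for path, text in tree.items():
        if exclude and is_excluded(path):
            continue
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append((path, line_no, name))
    return findings


def gitignore_entries(findings, existing=()):
    """One .gitignore line per offending file, skipping paths already listed."""
    already = set(existing)
    out = []
    for path, _, _ in findings:
        if path not in already and path not in out:
            out.append(path)
    return out


if __name__ == "__main__":
    hits = scan_tree(SAMPLE_TREE)
    for path, line_no, name in hits:
        print(f"{path}:{line_no}: {name}")
    print("append to .gitignore:", gitignore_entries(hits, existing=(".env",)))
```

Running it with exclusion on reports the settings file, the .env and the deploy key but stays silent on the fixture token and the .env.example; with exclude=False both of those come back, which is the noise the caveat above describes. The .gitignore step only stops future commits: anything already pushed is in history, so the finding still has to be rotated and purged, which is what the result line of the flow says.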

Tools

Capabilities this plugin provides

Tool               Input                 When to use                                                           Cost
/sqli-test         target description    Testing for SQL injection vulnerabilities in authorized environments  0
/xss-test          target description    Testing for cross-site scripting in authorized environments           0
/wordlist          wordlist type         Need password or directory wordlists for testing                      0
/webshell-detect   file or directory     Checking for web shells on a compromised server                       0
/api-keys          directory to scan     Auditing code for accidentally committed secrets                      0

Cost and limits

Operating cost

API quota
N/A — all resources are local
Tokens per call
500–3000 tokens depending on payload lists loaded
Price
Free
Tip
Load specific wordlists on demand rather than all categories at once.

Security

Permissions, secrets, and blast radius

Credential storage: N/A — no external credentials needed
Data destination: All processing is local — no external network calls. The skills themselves send nothing, but any request you fire at a target on their advice does, so keep every payload inside the scope you are authorized to test.

Troubleshooting

Common errors and fixes

Slash command not recognized

Ensure the security skills plugin is installed correctly. Try reinstalling with /plugin marketplace add.

Check: /plugin list
Wordlist too large for context

Request specific subsets (e.g., 'top 100 SQL payloads') instead of loading entire wordlists.

False positives in API key scan

Exclude test fixtures and example files. Provide specific file patterns to scan.

Alternatives

awesome-claude-skills-security compared with alternatives

Alternative     Use instead when                                                                          Trade-off
hexstrike-ai    You need active security tools (nmap, nuclei, sqlmap) rather than wordlists and payloads  Active scanning vs passive payload lists

Other

Resources

📖 Read the official README on GitHub

🐙 View open issues
