/ Каталог / Песочница / awesome-claude-skills-security
← Все серверы ↗ GitHub
● Сообщество Eyadkelleh ⚡ Сразу

awesome-claude-skills-security

автор Eyadkelleh · Eyadkelleh/awesome-claude-skills-security

SecLists-powered security testing skills for Claude Code — injection payloads, wordlists, and expert agents for CTFs and pentesting.

awesome-claude-skills-security packages curated SecLists resources as Claude Code skills for authorized security testing. It provides 7 skill categories (fuzzing, passwords, pattern matching, payloads, usernames, web shells, LLM testing) plus 5 slash commands and 3 expert agents (Pentest Advisor, CTF Assistant, Bug Bounty Hunter). Designed for CTF competitions, authorized pentesting, and security research.

▶ Смотреть демо 📦 Установить 💡 Сценарии

Зачем использовать

Ключевые функции

Живое демо

Как выглядит на практике

awesome-claude-skills-security.replay ▶ готово
0/0

Установка

Выберите клиент

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Откройте Claude Desktop → Settings → Developer → Edit Config. Перезапустите после сохранения.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Cursor использует ту же схему mcpServers, что и Claude Desktop. Конфиг проекта приоритетнее глобального.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Щёлкните значок MCP Servers на боковой панели Cline, затем "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Тот же формат, что и Claude Desktop. Перезапустите Windsurf для применения.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "awesome-claude-skills-security",
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  ]
}

Continue использует массив объектов серверов, а не map.

~/.config/zed/settings.json
{
  "context_servers": {
    "awesome-claude-skills-security": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
        ]
      }
    }
  }
}

Добавьте в context_servers. Zed перезагружается автоматически.

claude mcp add awesome-claude-skills-security -- TODO 'See README: https://github.com/Eyadkelleh/awesome-claude-skills-security'

Однострочная команда. Проверить: claude mcp list. Удалить: claude mcp remove.

Сценарии использования

Реальные сценарии: awesome-claude-skills-security

How to test for SQL injection in a CTF challenge with security skills

👤 CTF participants and security students ⏱ ~20 min intermediate

Когда использовать: You encounter a web challenge that may be vulnerable to SQL injection in a CTF competition.

Предварительные требования
  • Security skills installed — /plugin marketplace add Eyadkelleh/awesome-claude-skills-security
  • Target is a CTF challenge you are authorized to test — Ensure you have explicit authorization
Поток
  1. Invoke the SQLi test command
    /sqli-test — I have a login form at http://ctf-challenge.local/login. Help me test it for SQL injection vulnerabilities.✓ Скопировано
    → Claude provides relevant SQLi payloads from SecLists and testing strategy
  2. Analyze results
    The server returned a 500 error with 'OR 1=1. What does this indicate and what should I try next?✓ Скопировано
    → Explanation of the vulnerability type and escalation approach

Итог: Identified SQL injection vector with exploitation path for the CTF flag.

Подводные камни
  • Testing against unauthorized targets — Only use these skills on systems you own or have written authorization to test

Scan a codebase for exposed API keys and credentials

👤 Security engineers performing code reviews ⏱ ~10 min beginner

Когда использовать: You want to audit a codebase for accidentally committed secrets.

Предварительные требования
  • Security skills installed — /plugin install security-fuzzing@awesome-security-skills
Поток
  1. Run the API key scan
    /api-keys — Scan the current project directory for exposed API keys, tokens, and credentials.✓ Скопировано
    → List of files and patterns matching known credential formats

Итог: Report of exposed credentials that need to be rotated and removed.

Подводные камни
  • False positives from test fixtures — Exclude test directories and known fixture files from the scan
Сочетать с: filesystem

Комбинации

Сочетайте с другими MCP — эффект x10

awesome-claude-skills-security + filesystem

Scan project files for exposed secrets and automatically create .gitignore entries

Scan this project for exposed API keys, then add any sensitive files to .gitignore.✓ Скопировано

Инструменты

Что предоставляет этот MCP

ИнструментВходные данныеКогда вызыватьСтоимость
/sqli-test target description Testing for SQL injection vulnerabilities in authorized environments 0
/xss-test target description Testing for cross-site scripting in authorized environments 0
/wordlist wordlist type Need password or directory wordlists for testing 0
/webshell-detect file or directory Checking for web shells in a compromised server 0
/api-keys directory to scan Auditing code for accidentally committed secrets 0

Стоимость и лимиты

Во что обходится

Квота API
N/A — all resources are local
Токенов на вызов
500–3000 tokens depending on payload lists loaded
Деньги
Free
Совет
Load specific wordlists on demand rather than all categories at once.

Безопасность

Права, секреты, радиус поражения

Хранение учётных данных: N/A — no external credentials needed
Исходящий трафик: All processing is local — no external network calls

Устранение неполадок

Частые ошибки и исправления

Slash command not recognized

Ensure the security skills plugin is installed correctly. Try reinstalling with /plugin marketplace add.

Проверить: /plugin list
Wordlist too large for context

Request specific subsets (e.g., 'top 100 SQL payloads') instead of loading entire wordlists.

False positives in API key scan

Exclude test fixtures and example files. Provide specific file patterns to scan.

Альтернативы

awesome-claude-skills-security в сравнении

АльтернативаКогда использоватьКомпромисс
hexstrike-aiYou need active security tools (nmap, nuclei, sqlmap) rather than wordlists and payloadsActive scanning vs passive payload lists

Ещё

Ресурсы

📖 Читать официальный README на GitHub

🐙 Открытые задачи

🔍 Все 400+ MCP-серверов и Skills