/ 目錄 / 演練場 / awesome-claude-skills-security
← 全部伺服器 ↗ GitHub
● 社群 Eyadkelleh ⚡ 即開即用

awesome-claude-skills-security

作者 Eyadkelleh · Eyadkelleh/awesome-claude-skills-security

SecLists-powered security testing skills for Claude Code — injection payloads, wordlists, and expert agents for CTFs and pentesting.

awesome-claude-skills-security packages curated SecLists resources as Claude Code skills for authorized security testing. It provides 7 skill categories (fuzzing, passwords, pattern matching, payloads, usernames, web shells, LLM testing) plus 5 slash commands and 3 expert agents (Pentest Advisor, CTF Assistant, Bug Bounty Hunter). Designed for CTF competitions, authorized pentesting, and security research.

▶ 觀看演示 📦 安裝 💡 使用場景

為什麼要用

核心特性

即時演示

實際使用效果

awesome-claude-skills-security.replay ▶ 就緒
0/0

安裝

選擇你的客戶端

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

開啟 Claude Desktop → Settings → Developer → Edit Config。儲存後重啟應用。

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Cursor 使用與 Claude Desktop 相同的 mcpServers 格式。專案級設定優先於全域。

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

點擊 Cline 側欄中的 MCP Servers 圖示,然後選 "Edit Configuration"。

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

格式與 Claude Desktop 相同。重啟 Windsurf 生效。

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "awesome-claude-skills-security",
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  ]
}

Continue 使用伺服器物件陣列,而非映射。

~/.config/zed/settings.json
{
  "context_servers": {
    "awesome-claude-skills-security": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
        ]
      }
    }
  }
}

加入 context_servers。Zed 儲存後熱重載。

claude mcp add awesome-claude-skills-security -- TODO 'See README: https://github.com/Eyadkelleh/awesome-claude-skills-security'

一行命令搞定。用 claude mcp list 驗證,claude mcp remove 移除。

使用場景

實戰用法: awesome-claude-skills-security

How to test for SQL injection in a CTF challenge with security skills

👤 CTF participants and security students ⏱ ~20 min intermediate

何時使用: You encounter a web challenge that may be vulnerable to SQL injection in a CTF competition.

前置條件
  • Security skills installed — /plugin marketplace add Eyadkelleh/awesome-claude-skills-security
  • Target is a CTF challenge you are authorized to test — Ensure you have explicit authorization
步驟
  1. Invoke the SQLi test command
    /sqli-test — I have a login form at http://ctf-challenge.local/login. Help me test it for SQL injection vulnerabilities.✓ 已複製
    → Claude provides relevant SQLi payloads from SecLists and testing strategy
  2. Analyze results
    The server returned a 500 error with 'OR 1=1. What does this indicate and what should I try next?✓ 已複製
    → Explanation of the vulnerability type and escalation approach

結果: Identified SQL injection vector with exploitation path for the CTF flag.

注意事項
  • Testing against unauthorized targets — Only use these skills on systems you own or have written authorization to test

Scan a codebase for exposed API keys and credentials

👤 Security engineers performing code reviews ⏱ ~10 min beginner

何時使用: You want to audit a codebase for accidentally committed secrets.

前置條件
  • Security skills installed — /plugin install security-fuzzing@awesome-security-skills
步驟
  1. Run the API key scan
    /api-keys — Scan the current project directory for exposed API keys, tokens, and credentials.✓ 已複製
    → List of files and patterns matching known credential formats

結果: Report of exposed credentials that need to be rotated and removed.

注意事項
  • False positives from test fixtures — Exclude test directories and known fixture files from the scan
搭配使用: filesystem

組合

與其他 MCP 搭配,撬動十倍槓桿

awesome-claude-skills-security + filesystem

Scan project files for exposed secrets and automatically create .gitignore entries

Scan this project for exposed API keys, then add any sensitive files to .gitignore.✓ 已複製

工具

此 MCP 暴露的能力

工具輸入參數何時呼叫成本
/sqli-test target description Testing for SQL injection vulnerabilities in authorized environments 0
/xss-test target description Testing for cross-site scripting in authorized environments 0
/wordlist wordlist type Need password or directory wordlists for testing 0
/webshell-detect file or directory Checking for web shells in a compromised server 0
/api-keys directory to scan Auditing code for accidentally committed secrets 0

成本與限制

運行它的成本

API 配額
N/A — all resources are local
每次呼叫 Token 數
500–3000 tokens depending on payload lists loaded
費用
Free
提示
Load specific wordlists on demand rather than all categories at once.

安全

權限、密鑰、影響範圍

憑證儲存: N/A — no external credentials needed
資料出站: All processing is local — no external network calls

故障排查

常見錯誤與修復

Slash command not recognized

Ensure the security skills plugin is installed correctly. Try reinstalling with /plugin marketplace add.

驗證: /plugin list
Wordlist too large for context

Request specific subsets (e.g., 'top 100 SQL payloads') instead of loading entire wordlists.

False positives in API key scan

Exclude test fixtures and example files. Provide specific file patterns to scan.

替代方案

awesome-claude-skills-security 對比其他方案

替代方案何時用它替代權衡
hexstrike-aiYou need active security tools (nmap, nuclei, sqlmap) rather than wordlists and payloadsActive scanning vs passive payload lists

更多

資源

📖 閱讀 GitHub 上的官方 README

🐙 查看未解決的 issue

🔍 瀏覽全部 400+ MCP 伺服器和 Skills