awesome-claude-skills-security

by Eyadkelleh · Eyadkelleh/awesome-claude-skills-security

SecLists-powered security testing skills for Claude Code — injection payloads, wordlists, and expert agents for CTFs and pentesting.

awesome-claude-skills-security packages curated SecLists resources as Claude Code skills for authorized security testing. It provides 7 skill categories (fuzzing, passwords, pattern matching, payloads, usernames, web shells, LLM testing) plus 5 slash commands and 3 expert agents (Pentest Advisor, CTF Assistant, Bug Bounty Hunter). Designed for CTF competitions, authorized pentesting, and security research.

Why use it

Key features

Install

Pick your client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project config wins over global.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "awesome-claude-skills-security": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  }
}

Same shape as Claude Desktop. Restart Windsurf to pick up changes.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "awesome-claude-skills-security",
      "command": "TODO",
      "args": [
        "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json
{
  "context_servers": {
    "awesome-claude-skills-security": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/Eyadkelleh/awesome-claude-skills-security"
        ]
      }
    }
  }
}

Add to context_servers. Zed hot-reloads on save.

claude mcp add awesome-claude-skills-security -- TODO 'See README: https://github.com/Eyadkelleh/awesome-claude-skills-security'

One-liner. Verify with claude mcp list. Remove with claude mcp remove.

Use Cases

Real-world ways to use awesome-claude-skills-security

How to test for SQL injection in a CTF challenge with security skills

👤 CTF participants and security students ⏱ ~20 min intermediate

When to use: You encounter a web challenge that may be vulnerable to SQL injection in a CTF competition.

Prerequisites
  • Security skills installed — /plugin marketplace add Eyadkelleh/awesome-claude-skills-security
  • Target is a CTF challenge you are authorized to test — Ensure you have explicit authorization
Flow
  1. Invoke the SQLi test command
     Prompt: /sqli-test — I have a login form at http://ctf-challenge.local/login. Help me test it for SQL injection vulnerabilities.
     → Claude provides relevant SQLi payloads from SecLists and a testing strategy
  2. Analyze results
     Prompt: The server returned a 500 error with 'OR 1=1. What does this indicate and what should I try next?
     → Explanation of the vulnerability type and escalation approach

Outcome: Identified SQL injection vector with exploitation path for the CTF flag.

Pitfalls
  • Testing against unauthorized targets — Only use these skills on systems you own or have written authorization to test

Scan a codebase for exposed API keys and credentials

👤 Security engineers performing code reviews ⏱ ~10 min beginner

When to use: You want to audit a codebase for accidentally committed secrets.

Prerequisites
  • Security skills installed — /plugin install security-fuzzing@awesome-security-skills
Flow
  1. Run the API key scan
     Prompt: /api-keys — Scan the current project directory for exposed API keys, tokens, and credentials.
     → List of files and patterns matching known credential formats

Outcome: Report of exposed credentials that need to be rotated and removed.

Pitfalls
  • False positives from test fixtures — Exclude test directories and known fixture files from the scan
Combine with: filesystem

Combinations

Pair with other MCPs for 10x leverage

awesome-claude-skills-security + filesystem

Scan project files for exposed secrets and automatically create .gitignore entries

Prompt: Scan this project for exposed API keys, then add any sensitive files to .gitignore.

Tools

What this MCP exposes

| Tool | Inputs | When to call | Cost |
|---|---|---|---|
| /sqli-test | target description | Testing for SQL injection vulnerabilities in authorized environments | 0 |
| /xss-test | target description | Testing for cross-site scripting in authorized environments | 0 |
| /wordlist | wordlist type | Need password or directory wordlists for testing | 0 |
| /webshell-detect | file or directory | Checking for web shells in a compromised server | 0 |
| /api-keys | directory to scan | Auditing code for accidentally committed secrets | 0 |

Cost & Limits

What this costs to run

API quota: N/A — all resources are local
Tokens per call: 500–3000 tokens depending on payload lists loaded
Monetary: Free
Tip: Load specific wordlists on demand rather than all categories at once.

Security

Permissions, secrets, blast radius

Credential storage: N/A — no external credentials needed
Data egress: All processing is local — no external network calls

Troubleshooting

Common errors and fixes

Slash command not recognized

Ensure the security skills plugin is installed correctly. Try reinstalling with /plugin marketplace add.

Verify: /plugin list

Wordlist too large for context

Request specific subsets (e.g., 'top 100 SQL payloads') instead of loading entire wordlists.

False positives in API key scan

Exclude test fixtures and example files. Provide specific file patterns to scan.

Alternatives

awesome-claude-skills-security vs others

| Alternative | When to use it instead | Tradeoff |
|---|---|---|
| hexstrike-ai | You need active security tools (nmap, nuclei, sqlmap) rather than wordlists and payloads | Active scanning vs passive payload lists |

More

Resources

📖 Read the official README on GitHub

🐙 Browse open issues