Community-editable security skills for Claude Code's super-rouge-hunter plugin.
This repository provides a curated collection of security-focused skills designed for red teamers, bug bounty hunters, and security researchers. Each skill provides systematic methodologies, tool recommendations, and practical examples for security operations.
The skills are organized into focused categories:
Skills for information gathering and attack surface mapping:
- automated-subdomain-enum - Systematic subdomain discovery through passive and active techniques
- web-app-recon - Comprehensive web application attack surface mapping
- service-fingerprinting - Identifying services, versions, and technologies
Skills for developing and executing exploits:
- exploit-dev-workflow - Systematic exploit development from vulnerability to weaponization
- payload-generation - Creating and customizing payloads for various scenarios
- fuzzing-harness - Building effective fuzzing harnesses for vulnerability discovery
Skills for vulnerability research and code analysis:
- zero-day-hunting - Discovering novel vulnerabilities through systematic research
- static-vuln-analysis - Finding security flaws through code review
- binary-analysis - Reverse engineering and analyzing compiled binaries
Skills for automating security workflows:
- Coming soon: Automated recon pipelines, continuous security monitoring
Skills for organizing and maintaining security knowledge:
- Coming soon: Building knowledge bases, organizing research findings
Each skill follows a consistent structure:
---
name: Skill Name
description: Brief description of what the skill does
when_to_use: Specific scenarios where this skill should be applied
version: 1.0.0
languages: Relevant programming languages
---
# Skill Name
## Overview
High-level explanation and core principles
## When to Use
Detailed guidance on when to apply this skill
## Methodology
Step-by-step methodology with phases or sections
## Tool Recommendations
Recommended tools and how to use them
## Common Pitfalls
Mistakes to avoid with solutions
## Legal and Ethical Considerations
Critical guidelines for responsible use
## Integration with Other Skills
How this skill relates to others
## References
Further reading and resources
This repository is designed to be used with Claude Code's super-rouge-hunter plugin. The plugin will automatically clone this repository to provide Claude with security-focused skills.
For manual usage:
git clone https://github.com/macaugh/super-rouge-hunter-skills.git
cd super-rouge-hunter-skills
When working with Claude Code, you can reference specific skills:
- "Use the automated-subdomain-enum skill to discover subdomains for target.com"
- "Apply the zero-day-hunting methodology to analyze this source code"
- "Follow the exploit-dev-workflow to create a proof of concept"
Claude will follow the systematic methodologies defined in each skill to complete security tasks effectively.
We welcome contributions from the security community! Here's how you can help:
- Fork this repository
- Create a new skill directory: skills/[category]/[skill-name]/
- Create SKILL.md following the standard format
- Add practical examples and tool recommendations
- Test the skill with real-world scenarios
- Submit a pull request
- Add new techniques or tools
- Update outdated information
- Fix errors or improve clarity
- Add examples and case studies
- Share lessons learned from real engagements
Skills should be:
- Systematic: Provide clear methodologies, not just tool lists
- Practical: Include working examples and commands
- Ethical: Emphasize legal and ethical considerations
- Current: Use modern tools and techniques
- Comprehensive: Cover both automated and manual approaches
- Educational: Explain the "why" behind techniques
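An added example, not part of this repository: a small Python check a contributor could run on a SKILL.md before submitting a pull request, using the frontmatter keys and section headings from the skill template above. The function name `lint_skill`, the sample input and the MAJOR.MINOR.PATCH version rule are assumptions made for the illustration.

```python
import re

# Keys and headings copied from the skill template in this README.
REQUIRED_KEYS = ("name", "description", "when_to_use", "version", "languages")
REQUIRED_SECTIONS = ("Overview", "When to Use", "Methodology", "Tool Recommendations",
                     "Common Pitfalls", "Legal and Ethical Considerations",
                     "Integration with Other Skills", "References")

def lint_skill(text):
    """Return a list of problems in one SKILL.md; an empty list means it passes."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "---":
        return ["missing opening '---' frontmatter delimiter"]
    end = next((i for i, l in enumerate(lines[1:], 1) if l.strip() == "---"), None)
    if end is None:
        return ["frontmatter is never closed with '---'"]
    # The template uses flat "key: value" pairs, so no YAML parser is needed.
    meta = {}
    for line in lines[1:end]:
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    problems = [f"frontmatter key '{k}' missing or empty"
                for k in REQUIRED_KEYS if not meta.get(k)]
    # Assumption: versions follow the MAJOR.MINOR.PATCH shape of the template's 1.0.0.
    if meta.get("version") and not re.fullmatch(r"\d+\.\d+\.\d+", meta["version"]):
        problems.append(f"version '{meta['version']}' is not MAJOR.MINOR.PATCH")
    # Count non-blank body lines under each "## " heading ("### " lines count as body).
    body, current = {}, None
    for line in lines[end + 1:]:
        if line.startswith("## "):
            current = line[3:].strip()
            body[current] = 0
        elif current and line.strip():
            body[current] += 1
    for section in REQUIRED_SECTIONS:
        if section not in body:
            problems.append(f"section '## {section}' missing")
        elif body[section] == 0:
            problems.append(f"section '## {section}' is empty")
    return problems

# Constructed sample: version lacks a patch number, no legal section, empty References.
SAMPLE = ("---\nname: Example\ndescription: Constructed test input\n"
          "when_to_use: Linter demo\nversion: 1.0\nlanguages: python\n---\n# Example\n"
          + "".join(f"## {s}\nText.\n" for s in REQUIRED_SECTIONS[:5] + REQUIRED_SECTIONS[6:7])
          + "## References\n")

if __name__ == "__main__":
    print("\n".join(lint_skill(SAMPLE)) or "SKILL.md passes")
```

The check treats any line starting with `## ` as a section heading, so a skill whose fenced command examples contain such lines would need a fence-aware pass first.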
All skills in this repository are provided for:
- Authorized security testing with written permission
- Educational purposes in controlled environments
- Legitimate bug bounty programs within defined scope
- Security research on systems you own or have permission to test
Unauthorized access to computer systems is illegal. Always:
- Get explicit written authorization before testing
- Understand and respect scope limitations
- Follow responsible disclosure practices
- Document all activities
- Handle discovered vulnerabilities responsibly
- Never use these skills for malicious purposes
- Never test systems without permission
- Never weaponize or publicly release exploits before coordination
Know your local laws (CFAA in US, Computer Misuse Act in UK, etc.) and the legal implications of security testing.
- Reconnaissance (3 skills)
- Exploitation (2 skills)
- Analysis (2 skills)
- Automation skills (recon pipelines, CI/CD security)
- Documentation skills (knowledge bases, reporting)
- Additional exploitation skills (fuzzing, kernel exploitation)
- Binary analysis and reverse engineering
- Post-exploitation and persistence
- Cloud security (AWS, Azure, GCP)
- Container and Kubernetes security
- API security testing
- Wireless security assessment
This is a community-driven project. We encourage:
- Discussion of techniques and improvements
- Bug reports and corrections
- Suggestions for new skills
- Sharing real-world experiences
- Educational use and learning
- OWASP Testing Guide
- PortSwigger Web Security Academy
- HackTheBox and TryHackMe platforms
- Bug Bounty platforms (HackerOne, Bugcrowd)
- Security conference talks (DEF CON, Black Hat)
- ProjectDiscovery tools (subfinder, httpx, nuclei)
- Metasploit Framework
- Burp Suite
- Ghidra and IDA Pro
- AFL++ and fuzzing tools
- Bug bounty disclosure reports
- Security research blogs
- Open source security tools
- CVE databases
This project is licensed under the MIT License - see the LICENSE file for details.
Inspired by obra/superpowers-skills - a similar skills repository for general development tasks.
Special thanks to the security community for sharing knowledge, techniques, and responsible disclosure practices that make everyone more secure.
The skills and techniques described in this repository are provided for educational and authorized security testing purposes only. The authors and contributors are not responsible for any misuse or damage caused by the use of these skills. Users must ensure they have proper authorization before conducting any security testing activities.