Skills

The open registry for AI agent skills — structured prompts and workflows with recommended models, example prompts, and compatible tools.

Contribute a Skill

Skills

13

Categories

9

Compatible tools

6

Contributors

1

Showing 113 of 13 skills

JWT Analyzerintermediate

Decodes and reviews JSON Web Tokens and their surrounding auth flow for correctness and security. Explains header and claims, checks algorithm and key handling, validates expiration and audience/issuer claims, and flags common pitfalls such as the alg:none attack, weak secrets, missing validation, and over-long token lifetimes. Never treats token contents as trusted secrets to echo back.

4 models
Penetration Test Planneradvanced

Plans authorized penetration tests for systems you own or are permitted to assess. Defines scope, rules of engagement, and objectives; maps the attack surface; structures phases (recon, mapping, exploitation, post-exploitation, reporting) around a framework like the OWASP Testing Guide or PTES; and specifies safe handling of findings. Emphasizes explicit authorization and non-destructive testing.

4 models
Privacy Compliance Auditoradvanced

Reviews applications and data flows for common privacy-regulation obligations (GDPR, CCPA/CPRA). Maps what personal data is collected, where it flows, and how long it is retained; checks for lawful basis, consent handling, data-subject rights, and third-party sharing; and produces a prioritized remediation list. Provides engineering guidance, not legal advice.

4 models
Security Headers Configuratorintermediate

Configures HTTP security headers to harden web applications. Covers Content-Security-Policy (including nonces and strict-dynamic), HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, and cookie flags. Produces server/CDN configuration, explains tradeoffs, and provides a rollout plan using report-only mode to avoid breakage.

4 models
IAM Policy Revieweradvanced

Reviews cloud IAM policies for least-privilege violations, overly broad wildcards, privilege escalation paths, and risky trust relationships across AWS, GCP, and Azure. Explains the risk of each finding and rewrites policies to grant only the permissions actually needed.

3 models
SBOM Generatorintermediate

Generates and validates Software Bills of Materials in CycloneDX or SPDX formats. Covers dependency inventory, transitive resolution, license and vulnerability annotation, VEX statements, container image SBOMs, and CI integration for supply-chain compliance. Helps teams meet regulatory requirements and track what is actually shipped.

4 models
Secrets Scannerintermediate

Scans code, configuration, and git history for leaked credentials such as API keys, tokens, private keys, and connection strings. Classifies findings by severity and false-positive likelihood, and provides safe remediation steps including rotation, history scrubbing, and pre-commit prevention.

3 models
Data Anonymizerintermediate

Detects and redacts personally identifiable information (PII) and sensitive data from text, logs, and structured datasets. Recommends anonymization techniques such as masking, tokenization, pseudonymization, k-anonymity, and differential privacy, and generates reusable redaction code while preserving analytical utility and referential integrity.

3 models
Prompt Injection Testeradvanced

Red-teams LLM applications for prompt injection, jailbreaks, and data exfiltration risks. Generates adversarial test cases for direct and indirect injection, system prompt leakage, tool-call abuse, and unsafe output handling, then reports findings with severity ratings and concrete mitigations such as input isolation, output filtering, and least-privilege tools.

3 models
Threat Modelingadvanced

Performs systematic threat modeling for software systems using frameworks like STRIDE, PASTA, and Attack Trees. Identifies potential security threats, attack vectors, and vulnerabilities in system architectures. Produces prioritized risk assessments with mitigation strategies and security controls.

3 models
Skill Security Vetteradvanced

Security-first AI agent skill auditing. Reviews skill definitions, SKILL.md files, and agent configurations for dangerous patterns, excessive permissions, data exfiltration risks, and suspicious behaviors before installation. Provides a safety score and actionable recommendations.

3 models
Dependency Auditorintermediate

Audits project dependencies for security vulnerabilities, license compliance, maintenance status, and bundle size impact. Identifies outdated packages, suggests alternatives for abandoned libraries, and flags risky transitive dependencies.

3 models
Security Auditadvanced

Performs comprehensive security analysis of code and configurations. Identifies OWASP Top 10 vulnerabilities, insecure patterns, missing input validation, authentication flaws, and secrets exposure. Provides remediation steps with secure code examples.

3 models

Skills vs MCP servers

what's the difference?

Skillsthe “what to do”

A skillA reusable, structured prompt/workflow with recommended models, an example prompt, and compatible tools. packages know-how — instructions, an example promptA ready-to-use prompt template that demonstrates how to invoke the skill., and recommended models — so an agent performs a task consistently. Skills add knowledge, not new connections.

MCP serversthe “how to connect”

An MCP serverModel Context Protocol server — a standard way to expose tools, resources, and prompts to AI agents and IDEs. gives an agent new capabilities by connecting it to real systems (databases, APIs, files) over a transportHow the client talks to the server: stdio (local process), SSE, or HTTP streaming.. MCP adds connections and actions, not task instructions.

Rule of thumb: reach for a skill when you need the model to do a task well, and an MCP server when you need it to reach a tool or system. They compose — a skill can rely on tools an MCP server provides.

Built a useful skill?

Submit a SKILL.md — it's open source and community-maintained.

Contribute on GitHub