@elizaos/skills 2.0.0-alpha.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +126 -0
- package/package.json +53 -0
- package/skills/1password/SKILL.md +70 -0
- package/skills/1password/references/cli-examples.md +29 -0
- package/skills/1password/references/get-started.md +17 -0
- package/skills/apple-notes/SKILL.md +77 -0
- package/skills/apple-reminders/SKILL.md +96 -0
- package/skills/bear-notes/SKILL.md +107 -0
- package/skills/bird/SKILL.md +224 -0
- package/skills/blogwatcher/SKILL.md +69 -0
- package/skills/blucli/SKILL.md +47 -0
- package/skills/bluebubbles/SKILL.md +131 -0
- package/skills/camsnap/SKILL.md +45 -0
- package/skills/canvas/SKILL.md +203 -0
- package/skills/clawhub/SKILL.md +77 -0
- package/skills/coding-agent/SKILL.md +284 -0
- package/skills/discord/SKILL.md +578 -0
- package/skills/eightctl/SKILL.md +50 -0
- package/skills/food-order/SKILL.md +48 -0
- package/skills/gemini/SKILL.md +43 -0
- package/skills/gifgrep/SKILL.md +79 -0
- package/skills/github/SKILL.md +77 -0
- package/skills/gog/SKILL.md +116 -0
- package/skills/goplaces/SKILL.md +52 -0
- package/skills/healthcheck/SKILL.md +245 -0
- package/skills/himalaya/SKILL.md +257 -0
- package/skills/himalaya/references/configuration.md +184 -0
- package/skills/himalaya/references/message-composition.md +199 -0
- package/skills/imsg/SKILL.md +74 -0
- package/skills/local-places/SERVER_README.md +101 -0
- package/skills/local-places/SKILL.md +102 -0
- package/skills/local-places/pyproject.toml +21 -0
- package/skills/local-places/src/local_places/__init__.py +2 -0
- package/skills/local-places/src/local_places/google_places.py +314 -0
- package/skills/local-places/src/local_places/main.py +65 -0
- package/skills/local-places/src/local_places/schemas.py +107 -0
- package/skills/mcporter/SKILL.md +61 -0
- package/skills/model-usage/SKILL.md +69 -0
- package/skills/model-usage/references/codexbar-cli.md +33 -0
- package/skills/model-usage/scripts/model_usage.py +310 -0
- package/skills/nano-banana-pro/SKILL.md +58 -0
- package/skills/nano-banana-pro/scripts/generate_image.py +184 -0
- package/skills/nano-pdf/SKILL.md +38 -0
- package/skills/notion/SKILL.md +172 -0
- package/skills/obsidian/SKILL.md +81 -0
- package/skills/openai-image-gen/SKILL.md +89 -0
- package/skills/openai-image-gen/scripts/gen.py +240 -0
- package/skills/openai-whisper/SKILL.md +38 -0
- package/skills/openai-whisper-api/SKILL.md +52 -0
- package/skills/openai-whisper-api/scripts/transcribe.sh +85 -0
- package/skills/openhue/SKILL.md +51 -0
- package/skills/oracle/SKILL.md +125 -0
- package/skills/ordercli/SKILL.md +78 -0
- package/skills/peekaboo/SKILL.md +190 -0
- package/skills/sag/SKILL.md +87 -0
- package/skills/security-ask-questions-if-underspecified/.claude-plugin/plugin.json +10 -0
- package/skills/security-ask-questions-if-underspecified/README.md +24 -0
- package/skills/security-ask-questions-if-underspecified/skills/ask-questions-if-underspecified/SKILL.md +85 -0
- package/skills/security-audit-context-building/.claude-plugin/plugin.json +10 -0
- package/skills/security-audit-context-building/README.md +58 -0
- package/skills/security-audit-context-building/commands/audit-context.md +21 -0
- package/skills/security-audit-context-building/skills/audit-context-building/SKILL.md +297 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/COMPLETENESS_CHECKLIST.md +47 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/FUNCTION_MICRO_ANALYSIS_EXAMPLE.md +355 -0
- package/skills/security-audit-context-building/skills/audit-context-building/resources/OUTPUT_REQUIREMENTS.md +71 -0
- package/skills/security-building-secure-contracts/.claude-plugin/plugin.json +10 -0
- package/skills/security-building-secure-contracts/README.md +241 -0
- package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/SKILL.md +284 -0
- package/skills/security-building-secure-contracts/skills/algorand-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +405 -0
- package/skills/security-building-secure-contracts/skills/audit-prep-assistant/SKILL.md +409 -0
- package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/SKILL.md +329 -0
- package/skills/security-building-secure-contracts/skills/cairo-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +722 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/SKILL.md +218 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/ASSESSMENT_CRITERIA.md +355 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/EXAMPLE_REPORT.md +248 -0
- package/skills/security-building-secure-contracts/skills/code-maturity-assessor/resources/REPORT_FORMAT.md +33 -0
- package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/SKILL.md +334 -0
- package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +740 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/SKILL.md +252 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/ASSESSMENT_AREAS.md +329 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/DELIVERABLES.md +118 -0
- package/skills/security-building-secure-contracts/skills/guidelines-advisor/resources/EXAMPLE_REPORT.md +298 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/SKILL.md +161 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/EXAMPLE_REPORT.md +279 -0
- package/skills/security-building-secure-contracts/skills/secure-workflow-guide/resources/WORKFLOW_STEPS.md +132 -0
- package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/SKILL.md +389 -0
- package/skills/security-building-secure-contracts/skills/solana-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +669 -0
- package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/SKILL.md +298 -0
- package/skills/security-building-secure-contracts/skills/substrate-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +791 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/SKILL.md +362 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/ASSESSMENT_CATEGORIES.md +571 -0
- package/skills/security-building-secure-contracts/skills/token-integration-analyzer/resources/REPORT_TEMPLATES.md +141 -0
- package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/SKILL.md +388 -0
- package/skills/security-building-secure-contracts/skills/ton-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md +595 -0
- package/skills/security-burpsuite-project-parser/.claude-plugin/plugin.json +10 -0
- package/skills/security-burpsuite-project-parser/README.md +103 -0
- package/skills/security-burpsuite-project-parser/commands/burp-search.md +18 -0
- package/skills/security-burpsuite-project-parser/skills/SKILL.md +358 -0
- package/skills/security-burpsuite-project-parser/skills/scripts/burp-search.sh +99 -0
- package/skills/security-claude-in-chrome-troubleshooting/.claude-plugin/plugin.json +8 -0
- package/skills/security-claude-in-chrome-troubleshooting/README.md +31 -0
- package/skills/security-claude-in-chrome-troubleshooting/skills/claude-in-chrome-troubleshooting/SKILL.md +251 -0
- package/skills/security-constant-time-analysis/.claude-plugin/plugin.json +9 -0
- package/skills/security-constant-time-analysis/README.md +381 -0
- package/skills/security-constant-time-analysis/commands/ct-check.md +20 -0
- package/skills/security-constant-time-analysis/ct_analyzer/__init__.py +49 -0
- package/skills/security-constant-time-analysis/ct_analyzer/analyzer.py +1284 -0
- package/skills/security-constant-time-analysis/ct_analyzer/script_analyzers.py +3081 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/__init__.py +1 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_analyzer.py +1397 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/bn_excerpt.js +205 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_constant_time.c +181 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.c +74 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.go +78 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.rs +92 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.cs +174 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.java +161 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.kt +181 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.php +140 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.py +252 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.rb +188 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.swift +199 -0
- package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/vulnerable.ts +154 -0
- package/skills/security-constant-time-analysis/pyproject.toml +52 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/README.md +90 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/SKILL.md +219 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/compiled.md +129 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/javascript.md +136 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/kotlin.md +252 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/php.md +172 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/python.md +179 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/ruby.md +198 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/swift.md +288 -0
- package/skills/security-constant-time-analysis/skills/constant-time-analysis/references/vm-compiled.md +354 -0
- package/skills/security-constant-time-analysis/uv.lock +8 -0
- package/skills/security-culture-index/.claude-plugin/plugin.json +8 -0
- package/skills/security-culture-index/README.md +79 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/SKILL.md +293 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/anti-patterns.md +255 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/conversation-starters.md +408 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/interview-trait-signals.md +253 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/motivators.md +158 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/patterns-archetypes.md +147 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/primary-traits.md +307 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/secondary-traits.md +228 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/references/team-composition.md +148 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/check_deps.py +108 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/__init__.py +20 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/constants.py +122 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/extract.py +187 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/models.py +16 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/culture_index/opencv_extractor.py +520 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/extract_pdf.py +237 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/scripts/pyproject.toml +18 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/burnout-report.md +113 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/comparison-report.md +103 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/hiring-profile.md +127 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/individual-report.md +85 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/predicted-profile.md +165 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/templates/team-report.md +109 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/analyze-team.md +188 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/coach-manager.md +267 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/compare-profiles.md +188 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/define-hiring-profile.md +220 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/detect-burnout.md +206 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/extract-from-pdf.md +121 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interpret-individual.md +183 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/interview-debrief.md +234 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/mediate-conflict.md +306 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/plan-onboarding.md +322 -0
- package/skills/security-culture-index/skills/interpreting-culture-index/workflows/predict-from-interview.md +250 -0
- package/skills/security-differential-review/.claude-plugin/plugin.json +10 -0
- package/skills/security-differential-review/README.md +109 -0
- package/skills/security-differential-review/commands/diff-review.md +21 -0
- package/skills/security-differential-review/skills/differential-review/SKILL.md +220 -0
- package/skills/security-differential-review/skills/differential-review/adversarial.md +203 -0
- package/skills/security-differential-review/skills/differential-review/methodology.md +234 -0
- package/skills/security-differential-review/skills/differential-review/patterns.md +300 -0
- package/skills/security-differential-review/skills/differential-review/reporting.md +369 -0
- package/skills/security-dwarf-expert/.claude-plugin/plugin.json +10 -0
- package/skills/security-dwarf-expert/README.md +38 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/SKILL.md +93 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/coding.md +31 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/dwarfdump.md +50 -0
- package/skills/security-dwarf-expert/skills/dwarf-expert/reference/readelf.md +8 -0
- package/skills/security-entry-point-analyzer/.claude-plugin/plugin.json +10 -0
- package/skills/security-entry-point-analyzer/README.md +74 -0
- package/skills/security-entry-point-analyzer/commands/entry-points.md +18 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/SKILL.md +251 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/cosmwasm.md +182 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-aptos.md +107 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/move-sui.md +87 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solana.md +155 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/solidity.md +135 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/ton.md +185 -0
- package/skills/security-entry-point-analyzer/skills/entry-point-analyzer/references/vyper.md +141 -0
- package/skills/security-firebase-apk-scanner/.claude-plugin/plugin.json +10 -0
- package/skills/security-firebase-apk-scanner/README.md +85 -0
- package/skills/security-firebase-apk-scanner/commands/scan-apk.md +18 -0
- package/skills/security-firebase-apk-scanner/scanner.sh +1408 -0
- package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/SKILL.md +197 -0
- package/skills/security-firebase-apk-scanner/skills/firebase-apk-scanner/references/vulnerabilities.md +803 -0
- package/skills/security-fix-review/.claude-plugin/plugin.json +13 -0
- package/skills/security-fix-review/README.md +118 -0
- package/skills/security-fix-review/commands/fix-review.md +24 -0
- package/skills/security-fix-review/skills/fix-review/SKILL.md +264 -0
- package/skills/security-fix-review/skills/fix-review/references/bug-detection.md +408 -0
- package/skills/security-fix-review/skills/fix-review/references/finding-matching.md +298 -0
- package/skills/security-fix-review/skills/fix-review/references/report-parsing.md +398 -0
- package/skills/security-insecure-defaults/.claude-plugin/plugin.json +10 -0
- package/skills/security-insecure-defaults/README.md +45 -0
- package/skills/security-insecure-defaults/skills/insecure-defaults/SKILL.md +117 -0
- package/skills/security-insecure-defaults/skills/insecure-defaults/references/examples.md +409 -0
- package/skills/security-modern-python/.claude-plugin/plugin.json +10 -0
- package/skills/security-modern-python/README.md +58 -0
- package/skills/security-modern-python/hooks/hooks.json +16 -0
- package/skills/security-modern-python/hooks/intercept-legacy-python.bats +388 -0
- package/skills/security-modern-python/hooks/intercept-legacy-python.sh +109 -0
- package/skills/security-modern-python/hooks/test_helper.bash +75 -0
- package/skills/security-modern-python/skills/modern-python/SKILL.md +333 -0
- package/skills/security-modern-python/skills/modern-python/references/dependabot.md +43 -0
- package/skills/security-modern-python/skills/modern-python/references/migration-checklist.md +141 -0
- package/skills/security-modern-python/skills/modern-python/references/pep723-scripts.md +259 -0
- package/skills/security-modern-python/skills/modern-python/references/prek.md +211 -0
- package/skills/security-modern-python/skills/modern-python/references/pyproject.md +254 -0
- package/skills/security-modern-python/skills/modern-python/references/ruff-config.md +240 -0
- package/skills/security-modern-python/skills/modern-python/references/security-setup.md +255 -0
- package/skills/security-modern-python/skills/modern-python/references/testing.md +284 -0
- package/skills/security-modern-python/skills/modern-python/references/uv-commands.md +200 -0
- package/skills/security-modern-python/skills/modern-python/templates/dependabot.yml +36 -0
- package/skills/security-modern-python/skills/modern-python/templates/pre-commit-config.yaml +66 -0
- package/skills/security-property-based-testing/.claude-plugin/plugin.json +9 -0
- package/skills/security-property-based-testing/README.md +47 -0
- package/skills/security-property-based-testing/skills/property-based-testing/README.md +88 -0
- package/skills/security-property-based-testing/skills/property-based-testing/SKILL.md +109 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/design.md +191 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/generating.md +200 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/libraries.md +130 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/refactoring.md +181 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/reviewing.md +209 -0
- package/skills/security-property-based-testing/skills/property-based-testing/references/strategies.md +124 -0
- package/skills/semgrep-rule-creator/.claude-plugin/plugin.json +8 -0
- package/skills/semgrep-rule-creator/README.md +43 -0
- package/skills/semgrep-rule-creator/commands/semgrep-rule.md +26 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/SKILL.md +168 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/quick-reference.md +203 -0
- package/skills/semgrep-rule-creator/skills/semgrep-rule-creator/references/workflow.md +240 -0
- package/skills/semgrep-rule-variant-creator/.claude-plugin/plugin.json +9 -0
- package/skills/semgrep-rule-variant-creator/README.md +86 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/SKILL.md +205 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/applicability-analysis.md +250 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/language-syntax-guide.md +324 -0
- package/skills/semgrep-rule-variant-creator/skills/semgrep-rule-variant-creator/references/workflow.md +518 -0
- package/skills/session-logs/SKILL.md +115 -0
- package/skills/sharp-edges/.claude-plugin/plugin.json +10 -0
- package/skills/sharp-edges/README.md +48 -0
- package/skills/sharp-edges/skills/sharp-edges/SKILL.md +292 -0
- package/skills/sharp-edges/skills/sharp-edges/references/auth-patterns.md +252 -0
- package/skills/sharp-edges/skills/sharp-edges/references/case-studies.md +274 -0
- package/skills/sharp-edges/skills/sharp-edges/references/config-patterns.md +333 -0
- package/skills/sharp-edges/skills/sharp-edges/references/crypto-apis.md +190 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-c.md +205 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-csharp.md +285 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-go.md +270 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-java.md +263 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-javascript.md +269 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-kotlin.md +265 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-php.md +245 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-python.md +274 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-ruby.md +273 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-rust.md +272 -0
- package/skills/sharp-edges/skills/sharp-edges/references/lang-swift.md +287 -0
- package/skills/sharp-edges/skills/sharp-edges/references/language-specific.md +588 -0
- package/skills/sherpa-onnx-tts/SKILL.md +103 -0
- package/skills/sherpa-onnx-tts/bin/sherpa-onnx-tts +178 -0
- package/skills/skill-creator/SKILL.md +370 -0
- package/skills/skill-creator/license.txt +202 -0
- package/skills/skill-creator/scripts/init_skill.py +378 -0
- package/skills/skill-creator/scripts/package_skill.py +111 -0
- package/skills/skill-creator/scripts/quick_validate.py +101 -0
- package/skills/slack/SKILL.md +144 -0
- package/skills/songsee/SKILL.md +49 -0
- package/skills/sonoscli/SKILL.md +46 -0
- package/skills/spec-to-code-compliance/.claude-plugin/plugin.json +10 -0
- package/skills/spec-to-code-compliance/README.md +67 -0
- package/skills/spec-to-code-compliance/commands/spec-compliance.md +22 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/SKILL.md +349 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/COMPLETENESS_CHECKLIST.md +69 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/IR_EXAMPLES.md +417 -0
- package/skills/spec-to-code-compliance/skills/spec-to-code-compliance/resources/OUTPUT_REQUIREMENTS.md +105 -0
- package/skills/spotify-player/SKILL.md +64 -0
- package/skills/static-analysis/.claude-plugin/plugin.json +8 -0
- package/skills/static-analysis/README.md +59 -0
- package/skills/static-analysis/skills/codeql/SKILL.md +315 -0
- package/skills/static-analysis/skills/sarif-parsing/SKILL.md +479 -0
- package/skills/static-analysis/skills/sarif-parsing/resources/jq-queries.md +162 -0
- package/skills/static-analysis/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
- package/skills/static-analysis/skills/semgrep/SKILL.md +337 -0
- package/skills/summarize/SKILL.md +87 -0
- package/skills/testing-handbook-skills/.claude-plugin/plugin.json +8 -0
- package/skills/testing-handbook-skills/README.md +241 -0
- package/skills/testing-handbook-skills/scripts/pyproject.toml +8 -0
- package/skills/testing-handbook-skills/scripts/validate-skills.py +657 -0
- package/skills/testing-handbook-skills/skills/address-sanitizer/SKILL.md +341 -0
- package/skills/testing-handbook-skills/skills/aflpp/SKILL.md +640 -0
- package/skills/testing-handbook-skills/skills/atheris/SKILL.md +515 -0
- package/skills/testing-handbook-skills/skills/cargo-fuzz/SKILL.md +454 -0
- package/skills/testing-handbook-skills/skills/codeql/SKILL.md +549 -0
- package/skills/testing-handbook-skills/skills/constant-time-testing/SKILL.md +507 -0
- package/skills/testing-handbook-skills/skills/coverage-analysis/SKILL.md +607 -0
- package/skills/testing-handbook-skills/skills/fuzzing-dictionary/SKILL.md +297 -0
- package/skills/testing-handbook-skills/skills/fuzzing-obstacles/SKILL.md +426 -0
- package/skills/testing-handbook-skills/skills/harness-writing/SKILL.md +614 -0
- package/skills/testing-handbook-skills/skills/libafl/SKILL.md +625 -0
- package/skills/testing-handbook-skills/skills/libfuzzer/SKILL.md +795 -0
- package/skills/testing-handbook-skills/skills/ossfuzz/SKILL.md +426 -0
- package/skills/testing-handbook-skills/skills/ruzzy/SKILL.md +443 -0
- package/skills/testing-handbook-skills/skills/semgrep/SKILL.md +601 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/SKILL.md +372 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/agent-prompt.md +280 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/discovery.md +452 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/domain-skill.md +504 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/fuzzer-skill.md +454 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/technique-skill.md +527 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/templates/tool-skill.md +366 -0
- package/skills/testing-handbook-skills/skills/testing-handbook-generator/testing.md +482 -0
- package/skills/testing-handbook-skills/skills/wycheproof/SKILL.md +533 -0
- package/skills/things-mac/SKILL.md +86 -0
- package/skills/tmux/SKILL.md +135 -0
- package/skills/tmux/scripts/find-sessions.sh +112 -0
- package/skills/tmux/scripts/wait-for-text.sh +83 -0
- package/skills/trello/SKILL.md +95 -0
- package/skills/variant-analysis/.claude-plugin/plugin.json +8 -0
- package/skills/variant-analysis/README.md +41 -0
- package/skills/variant-analysis/commands/variants.md +23 -0
- package/skills/variant-analysis/skills/variant-analysis/METHODOLOGY.md +327 -0
- package/skills/variant-analysis/skills/variant-analysis/SKILL.md +142 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/cpp.ql +119 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/go.ql +69 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/java.ql +71 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/javascript.ql +63 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/codeql/python.ql +80 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/cpp.yaml +98 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/go.yaml +63 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/java.yaml +61 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/javascript.yaml +60 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/semgrep/python.yaml +72 -0
- package/skills/variant-analysis/skills/variant-analysis/resources/variant-report-template.md +75 -0
- package/skills/video-frames/SKILL.md +46 -0
- package/skills/video-frames/scripts/frame.sh +81 -0
- package/skills/voice-call/SKILL.md +45 -0
- package/skills/wacli/SKILL.md +72 -0
- package/skills/weather/SKILL.md +54 -0
- package/skills/yara-authoring/.claude-plugin/plugin.json +9 -0
- package/skills/yara-authoring/README.md +131 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/SKILL.md +645 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Mac_ProtonRAT_Jan25.yar +99 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_NPM_SupplyChain_Jan25.yar +170 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Win_Remcos_Jan25.yar +103 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_CRX_SuspiciousPermissions.yar +134 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_JS_Obfuscation_Jan25.yar +185 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/crx-module.md +214 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/dex-module.md +383 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/performance.md +333 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/strings.md +433 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/style-guide.md +257 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/references/testing.md +399 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/atom_analyzer.py +526 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/pyproject.toml +25 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/scripts/yara_lint.py +631 -0
- package/skills/yara-authoring/skills/yara-rule-authoring/workflows/rule-development.md +493 -0
|
@@ -0,0 +1,185 @@
|
|
|
1
|
+
# TON Entry Point Detection (FunC/Tact)
|
|
2
|
+
|
|
3
|
+
## Entry Point Identification (State-Changing Only)
|
|
4
|
+
|
|
5
|
+
Focus on message handlers that modify state. **Exclude** read-only patterns:
|
|
6
|
+
- `get` methods in FunC (pure getters)
|
|
7
|
+
- Receivers that only return data without state changes
|
|
8
|
+
|
|
9
|
+
### FunC Entry Points
|
|
10
|
+
```func
|
|
11
|
+
;; Main entry point - receives all external messages
|
|
12
|
+
() recv_internal(int my_balance, int msg_value, cell in_msg_full, slice in_msg_body) impure {
|
|
13
|
+
;; Dispatch based on op code
|
|
14
|
+
int op = in_msg_body~load_uint(32);
|
|
15
|
+
if (op == op::transfer) { handle_transfer(); }
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
;; External messages (from outside blockchain)
|
|
19
|
+
() recv_external(slice in_msg) impure {
|
|
20
|
+
;; Usually for wallet operations
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
;; Tick-tock for special contracts
|
|
24
|
+
() run_ticktock(cell full_state, int is_tock) impure {
|
|
25
|
+
}
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
### Tact Entry Points
|
|
29
|
+
```tact
|
|
30
|
+
contract MyContract {
|
|
31
|
+
// Receivers are entry points
|
|
32
|
+
receive(msg: Transfer) {
|
|
33
|
+
// Handle Transfer message
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
receive("increment") {
|
|
37
|
+
// Handle text message
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
// External receiver
|
|
41
|
+
external(msg: Deploy) {
|
|
42
|
+
// Handle external message
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
// Bounce handler
|
|
46
|
+
bounced(src: bounced<Transfer>) {
|
|
47
|
+
// Handle bounced message
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
### Entry Point Types
|
|
53
|
+
| Pattern | Include? | Notes |
|
|
54
|
+
|---------|----------|-------|
|
|
55
|
+
| `recv_internal` | **Yes** | All internal messages (state-changing) |
|
|
56
|
+
| `recv_external` | **Yes** | External (off-chain) messages |
|
|
57
|
+
| `receive(MsgType)` | **Yes** | Tact message handler |
|
|
58
|
+
| `external(MsgType)` | **Yes** | Tact external handler |
|
|
59
|
+
| `bounced(...)` | **Yes** | Bounce handler |
|
|
60
|
+
| `get` methods (FunC) | No | EXCLUDE - read-only getters |
|
|
61
|
+
| `get fun` (Tact) | No | EXCLUDE - read-only getters |
|
|
62
|
+
| Helper functions | No | Internal only |
|
|
63
|
+
|
|
64
|
+
## Access Control Patterns
|
|
65
|
+
|
|
66
|
+
### FunC Access Control
|
|
67
|
+
```func
|
|
68
|
+
;; Owner check
|
|
69
|
+
() check_owner() impure inline {
|
|
70
|
+
throw_unless(401, equal_slices(sender_address, owner_address));
|
|
71
|
+
}
|
|
72
|
+
|
|
73
|
+
;; Admin check via stored address
|
|
74
|
+
() require_admin() impure inline {
|
|
75
|
+
var ds = get_data().begin_parse();
|
|
76
|
+
slice admin = ds~load_msg_addr();
|
|
77
|
+
throw_unless(403, equal_slices(sender_address, admin));
|
|
78
|
+
}
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
### Tact Access Control
|
|
82
|
+
```tact
|
|
83
|
+
contract Owned {
|
|
84
|
+
owner: Address;
|
|
85
|
+
|
|
86
|
+
receive(msg: AdminAction) {
|
|
87
|
+
require(sender() == self.owner, "Not owner");
|
|
88
|
+
// ...
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
// Using traits
|
|
92
|
+
receive(msg: Transfer) {
|
|
93
|
+
self.requireOwner(); // From Ownable trait
|
|
94
|
+
// ...
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
### Op Code Dispatch Pattern (FunC)
|
|
100
|
+
```func
|
|
101
|
+
() recv_internal(...) impure {
|
|
102
|
+
int op = in_msg_body~load_uint(32);
|
|
103
|
+
|
|
104
|
+
;; Public operations
|
|
105
|
+
if (op == op::transfer) { return handle_transfer(); }
|
|
106
|
+
if (op == op::swap) { return handle_swap(); }
|
|
107
|
+
|
|
108
|
+
;; Admin operations
|
|
109
|
+
if (op == op::set_fee) {
|
|
110
|
+
check_owner();
|
|
111
|
+
return handle_set_fee();
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
### Access Control Classification
|
|
117
|
+
| Pattern | Classification |
|
|
118
|
+
|---------|----------------|
|
|
119
|
+
| `equal_slices(sender, owner)` | Owner |
|
|
120
|
+
| `equal_slices(sender, admin)` | Admin |
|
|
121
|
+
| `require(sender() == self.owner)` | Owner |
|
|
122
|
+
| `self.requireOwner()` | Owner |
|
|
123
|
+
| `throw_unless(X, equal_slices(...))` | Check error code context |
|
|
124
|
+
| No sender check for op code | Public (Unrestricted) |
|
|
125
|
+
|
|
126
|
+
## Contract-Only Detection
|
|
127
|
+
|
|
128
|
+
### Callback Patterns
|
|
129
|
+
```func
|
|
130
|
+
;; Jetton transfer notification
|
|
131
|
+
() on_jetton_transfer(...) impure {
|
|
132
|
+
;; Should verify sender is jetton wallet
|
|
133
|
+
}
|
|
134
|
+
|
|
135
|
+
;; NFT callbacks
|
|
136
|
+
() on_nft_transfer(...) impure {
|
|
137
|
+
}
|
|
138
|
+
```
|
|
139
|
+
|
|
140
|
+
### Contract Verification
|
|
141
|
+
```func
|
|
142
|
+
;; Verify caller is expected contract
|
|
143
|
+
() verify_caller(slice expected) impure inline {
|
|
144
|
+
throw_unless(402, equal_slices(sender_address, expected));
|
|
145
|
+
}
|
|
146
|
+
```
|
|
147
|
+
|
|
148
|
+
## Extraction Strategy
|
|
149
|
+
|
|
150
|
+
### FunC
|
|
151
|
+
1. Parse `.fc` / `.func` files
|
|
152
|
+
2. Find `recv_internal` and `recv_external` functions
|
|
153
|
+
3. Extract op code dispatch table:
|
|
154
|
+
- Map op codes to handler functions
|
|
155
|
+
- Check each handler for owner/admin checks
|
|
156
|
+
4. Classify:
|
|
157
|
+
- Op codes with no access check → Public
|
|
158
|
+
- Op codes with `check_owner`/similar → Role-based
|
|
159
|
+
- Callbacks → Contract-Only
|
|
160
|
+
|
|
161
|
+
### Tact
|
|
162
|
+
1. Parse `.tact` files
|
|
163
|
+
2. Find `contract` declarations
|
|
164
|
+
3. Extract all `receive`, `external`, `bounced` handlers
|
|
165
|
+
- **Skip** `get fun` declarations (read-only getters)
|
|
166
|
+
4. Check handler body for:
|
|
167
|
+
- `require(sender() == self.X)` → Role-based
|
|
168
|
+
- `self.requireOwner()` → Owner
|
|
169
|
+
- No sender validation → Public (Unrestricted)
|
|
170
|
+
|
|
171
|
+
## TON-Specific Considerations
|
|
172
|
+
|
|
173
|
+
1. **Message-Based**: All interactions are via messages with op codes
|
|
174
|
+
2. **Workchains**: Check if contract operates on specific workchain
|
|
175
|
+
3. **Bounced Messages**: Handle bounced messages appropriately
|
|
176
|
+
4. **Gas Management**: `accept_message()` in FunC accepts gas payment
|
|
177
|
+
5. **State Init**: Initial deployment may set owner/admin
|
|
178
|
+
|
|
179
|
+
## Common Gotchas
|
|
180
|
+
|
|
181
|
+
1. **Op Code Collisions**: Different contracts may use same op codes
|
|
182
|
+
2. **Proxy Patterns**: Some contracts forward messages
|
|
183
|
+
3. **Wallet Contracts**: Special access control for wallet operations
|
|
184
|
+
4. **Masterchain**: Some operations require masterchain deployment
|
|
185
|
+
5. **Query ID**: Track request/response with query_id
|
|
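Review bot: the comment on `recv_internal` at line 11 says it "receives all external messages", which contradicts the Entry Point Types table at line 55 ("All internal messages") and the separate `recv_external` block at lines 18-21; it should read `;; Main entry point - receives all internal messages`. Separately, the Access Control Classification table (lines 117-124) is keyed entirely on sender comparisons, so it gives no guidance for `recv_external` handlers, which would fall under "No sender check for op code" and be reported as Public (Unrestricted). A row stating what counts as a check for external messages, tied to the `accept_message()` item at line 176, would close that gap.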
@@ -0,0 +1,141 @@
|
|
|
1
|
+
# Vyper Entry Point Detection
|
|
2
|
+
|
|
3
|
+
## Entry Point Identification (State-Changing Only)
|
|
4
|
+
|
|
5
|
+
### Include: State-Changing Functions
|
|
6
|
+
```vyper
|
|
7
|
+
@external # State-changing entry point
|
|
8
|
+
def function_name():
|
|
9
|
+
pass
|
|
10
|
+
|
|
11
|
+
@external
|
|
12
|
+
@payable # State-changing, receives ETH
|
|
13
|
+
def payable_function():
|
|
14
|
+
pass
|
|
15
|
+
|
|
16
|
+
@external
|
|
17
|
+
@nonreentrant("lock") # State-changing with reentrancy protection
|
|
18
|
+
def protected():
|
|
19
|
+
pass
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
### Exclude: Read-Only Functions
|
|
23
|
+
```vyper
|
|
24
|
+
@external
|
|
25
|
+
@view # EXCLUDE - cannot modify state
|
|
26
|
+
def read_only():
|
|
27
|
+
pass
|
|
28
|
+
|
|
29
|
+
@external
|
|
30
|
+
@pure # EXCLUDE - no state access
|
|
31
|
+
def pure_function():
|
|
32
|
+
pass
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
### Decorator Matrix
|
|
36
|
+
| Decorators | Include? | Notes |
|
|
37
|
+
|------------|----------|-------|
|
|
38
|
+
| `@external` | **Yes** | State-changing entry point |
|
|
39
|
+
| `@external @payable` | **Yes** | State-changing, receives ETH |
|
|
40
|
+
| `@external @nonreentrant` | **Yes** | State-changing with protection |
|
|
41
|
+
| `@external @view` | No | Read-only, exclude |
|
|
42
|
+
| `@external @pure` | No | No state access, exclude |
|
|
43
|
+
| `@internal` | No | Not externally callable |
|
|
44
|
+
| `@deploy` | No | Constructor (Vyper 0.4+) |
|
|
45
|
+
|
|
46
|
+
### Special Entry Points
|
|
47
|
+
```vyper
|
|
48
|
+
@external
|
|
49
|
+
@payable
|
|
50
|
+
def __default__(): # Fallback function (receives ETH + unmatched calls)
|
|
51
|
+
pass
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
## Access Control Patterns
|
|
55
|
+
|
|
56
|
+
### Owner Pattern
|
|
57
|
+
```vyper
|
|
58
|
+
owner: public(address)
|
|
59
|
+
|
|
60
|
+
@external
|
|
61
|
+
def restricted_function():
|
|
62
|
+
assert msg.sender == self.owner, "Not owner"
|
|
63
|
+
# ...
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
### Role-Based Patterns
|
|
67
|
+
```vyper
|
|
68
|
+
# Common patterns
|
|
69
|
+
admin: public(address)
|
|
70
|
+
governance: public(address)
|
|
71
|
+
guardian: public(address)
|
|
72
|
+
operator: public(address)
|
|
73
|
+
|
|
74
|
+
# Mapping-based roles
|
|
75
|
+
authorized: public(HashMap[address, bool])
|
|
76
|
+
minters: public(HashMap[address, bool])
|
|
77
|
+
|
|
78
|
+
@external
|
|
79
|
+
def mint(to: address, amount: uint256):
|
|
80
|
+
assert self.minters[msg.sender], "Not minter"
|
|
81
|
+
# ...
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
### Access Control Classification
|
|
85
|
+
| Pattern | Classification |
|
|
86
|
+
|---------|----------------|
|
|
87
|
+
| `assert msg.sender == self.owner` | Admin/Owner |
|
|
88
|
+
| `assert msg.sender == self.admin` | Admin |
|
|
89
|
+
| `assert msg.sender == self.governance` | Governance |
|
|
90
|
+
| `assert msg.sender == self.guardian` | Guardian |
|
|
91
|
+
| `assert self.authorized[msg.sender]` | Review Required |
|
|
92
|
+
| `assert self.whitelist[msg.sender]` | Review Required |
|
|
93
|
+
|
|
94
|
+
## Contract-Only Detection
|
|
95
|
+
|
|
96
|
+
### Callback Functions
|
|
97
|
+
```vyper
|
|
98
|
+
@external
|
|
99
|
+
def onERC721Received(...) -> bytes4:
|
|
100
|
+
return method_id("onERC721Received(address,address,uint256,bytes)")
|
|
101
|
+
|
|
102
|
+
@external
|
|
103
|
+
def uniswapV3SwapCallback(amount0: int256, amount1: int256, data: Bytes[...]):
|
|
104
|
+
# Must verify caller is the pool
|
|
105
|
+
pass
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
### Contract-Caller Checks
|
|
109
|
+
```vyper
|
|
110
|
+
assert msg.sender == self.pool, "Only pool"
|
|
111
|
+
assert msg.sender != tx.origin, "No EOA" # Vyper 0.3.7+
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
## Extraction Strategy
|
|
115
|
+
|
|
116
|
+
1. Parse all `.vy` files
|
|
117
|
+
2. For each function:
|
|
118
|
+
- Check for `@external` decorator
|
|
119
|
+
- **Skip** functions with `@view` or `@pure` decorators
|
|
120
|
+
- Record function name and parameters
|
|
121
|
+
- Record line number
|
|
122
|
+
- Check for access control assertions in function body
|
|
123
|
+
3. Classify:
|
|
124
|
+
- No access assertions → Public (Unrestricted)
|
|
125
|
+
- `msg.sender == self.X` → Check what X is
|
|
126
|
+
- `self.mapping[msg.sender]` → Review Required
|
|
127
|
+
- Known callback name → Contract-Only
|
|
128
|
+
|
|
129
|
+
## Vyper-Specific Considerations
|
|
130
|
+
|
|
131
|
+
1. **No Modifiers**: Vyper doesn't have modifiers—access control is inline `assert` statements
|
|
132
|
+
2. **No Inheritance**: Each contract is standalone (interfaces only)
|
|
133
|
+
3. **Explicit is Better**: All visibility must be declared explicitly
|
|
134
|
+
4. **Default Internal**: Functions without decorators are internal
|
|
135
|
+
|
|
136
|
+
## Common Gotchas
|
|
137
|
+
|
|
138
|
+
1. **Initializer Pattern**: Look for `initialized: bool` flag with one-time setup
|
|
139
|
+
2. **Raw Calls**: `raw_call()` can delegate to other contracts
|
|
140
|
+
3. **Create Functions**: `create_minimal_proxy_to()`, `create_copy_of()` are factory patterns
|
|
141
|
+
4. **Reentrancy**: `@nonreentrant` protects against reentrancy but function is still entry point
|
|
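Review bot: the Extraction Strategy at line 122 only looks for access control assertions in the function body, so an `@external` function that delegates its check to an `@internal` helper falls through to "No access assertions → Public (Unrestricted)" at line 124. Line 131 notes that Vyper has no modifiers, which makes a shared helper a likely place for the check; add a step that follows `self.<helper>()` calls one level and classifies on the asserts found there. The Decorator Matrix also marks only `@deploy` (line 44, "Vyper 0.4+") as the constructor, which leaves an `__init__` declared `@external` in older sources to be matched by the plain `@external` row at line 38; an explicit `__init__` exclusion would cover both.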
@@ -0,0 +1,10 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "firebase-apk-scanner",
|
|
3
|
+
"version": "2.1.0",
|
|
4
|
+
"description": "Scan Android APKs for Firebase security misconfigurations including open databases, storage buckets, authentication issues, and exposed cloud functions. For authorized security research only.",
|
|
5
|
+
"author": {
|
|
6
|
+
"name": "Nick Sellier",
|
|
7
|
+
"email": "",
|
|
8
|
+
"url": ""
|
|
9
|
+
}
|
|
10
|
+
}
|
|
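Review bot: `"email": ""` and `"url": ""` at lines 7-8 ship empty author fields; fill them in or drop the keys so that tooling reading the manifest does not treat an empty string as a contact address or homepage.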
@@ -0,0 +1,85 @@
|
|
|
1
|
+
# Firebase APK Security Scanner
|
|
2
|
+
|
|
3
|
+
Scan Android APKs for Firebase security misconfigurations including open databases, exposed storage buckets, and authentication bypasses.
|
|
4
|
+
|
|
5
|
+
## When to Use
|
|
6
|
+
|
|
7
|
+
Use this skill when you need to:
|
|
8
|
+
- Audit Android applications for Firebase misconfigurations
|
|
9
|
+
- Test Firebase endpoints extracted from APKs (Realtime Database, Firestore, Storage)
|
|
10
|
+
- Check authentication security (open signup, anonymous auth, email enumeration)
|
|
11
|
+
- Enumerate Cloud Functions and test for unauthenticated access
|
|
12
|
+
- Perform mobile app security assessments involving Firebase backends
|
|
13
|
+
|
|
14
|
+
## When NOT to Use
|
|
15
|
+
|
|
16
|
+
- Scanning apps you do not have explicit authorization to test
|
|
17
|
+
- Testing production Firebase projects without written permission
|
|
18
|
+
- When you only need to extract Firebase config without testing (use manual grep/strings instead)
|
|
19
|
+
- For non-Android targets (iOS, web apps) - this skill is APK-specific
|
|
20
|
+
- When the target app does not use Firebase
|
|
21
|
+
|
|
22
|
+
## What It Does
|
|
23
|
+
|
|
24
|
+
This skill automates Firebase security testing for Android applications. When invoked, Claude will:
|
|
25
|
+
|
|
26
|
+
- **Decompile** the APK using apktool
|
|
27
|
+
- **Extract** Firebase configuration from all sources (google-services.json, XML resources, assets, smali code, DEX strings)
|
|
28
|
+
- **Test** authentication endpoints for misconfigurations
|
|
29
|
+
- **Probe** Realtime Database and Firestore for open read/write access
|
|
30
|
+
- **Check** Storage buckets for public listing and upload vulnerabilities
|
|
31
|
+
- **Enumerate** Cloud Functions and test accessibility
|
|
32
|
+
- **Generate** detailed reports with findings and remediation guidance
|
|
33
|
+
|
|
34
|
+
## Key Features
|
|
35
|
+
|
|
36
|
+
- Supports native Android, React Native, Flutter, and Cordova apps
|
|
37
|
+
- Extracts config from 7+ sources including raw DEX binary strings
|
|
38
|
+
- Tests 14 distinct vulnerability categories
|
|
39
|
+
- Automatic cleanup of test data created during scans
|
|
40
|
+
- Detailed vulnerability reference documentation included
|
|
41
|
+
|
|
42
|
+
## Installation
|
|
43
|
+
|
|
44
|
+
```
|
|
45
|
+
/plugin install trailofbits/skills/plugins/firebase-apk-scanner
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
## Prerequisites
|
|
49
|
+
|
|
50
|
+
Install required dependencies before use:
|
|
51
|
+
|
|
52
|
+
**macOS:**
|
|
53
|
+
```bash
|
|
54
|
+
brew install apktool curl jq binutils
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
**Ubuntu/Debian:**
|
|
58
|
+
```bash
|
|
59
|
+
sudo apt install apktool curl jq unzip binutils
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
## Usage
|
|
63
|
+
|
|
64
|
+
```
|
|
65
|
+
/firebase-scan ./app.apk
|
|
66
|
+
/firebase-scan ./apks/
|
|
67
|
+
```
|
|
68
|
+
|
|
69
|
+
Or run the standalone script directly:
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
./scanner.sh app.apk
|
|
73
|
+
./scanner.sh ./apks/ --no-cleanup
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
## Vulnerability Categories
|
|
77
|
+
|
|
78
|
+
| Category | Tests | Severity |
|
|
79
|
+
|----------|-------|----------|
|
|
80
|
+
| **Authentication** | Open signup, anonymous auth, email enumeration | Critical/High/Medium |
|
|
81
|
+
| **Realtime Database** | Unauthenticated read/write, auth token bypass | Critical/High |
|
|
82
|
+
| **Firestore** | Document access, collection enumeration | Critical/High |
|
|
83
|
+
| **Storage** | Bucket listing, unauthenticated upload | Critical/High |
|
|
84
|
+
| **Cloud Functions** | Unauthenticated access, function enumeration | Medium/Low |
|
|
85
|
+
| **Remote Config** | Public parameter exposure | Medium |
|
|
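Review bot: `--no-cleanup` appears in the Usage example at line 73 but is documented nowhere, and line 39 ("Automatic cleanup of test data created during scans") implies the write tests leave data in the target project when the flag is set. Add a short section stating what the scanner writes to Realtime Database, Firestore and Storage, what cleanup removes, and what `--no-cleanup` leaves behind, since that is what an operator has to agree with the project owner before a scan. Line 38 also claims "14 distinct vulnerability categories" while the Vulnerability Categories table at lines 78-85 has six rows; list the 14 tests or align the wording.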
@@ -0,0 +1,18 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: trailofbits:scan-apk
|
|
3
|
+
description: Scans Android APKs for Firebase security misconfigurations
|
|
4
|
+
argument-hint: "<apk-file-or-directory>"
|
|
5
|
+
allowed-tools:
|
|
6
|
+
- Bash
|
|
7
|
+
- Read
|
|
8
|
+
- Grep
|
|
9
|
+
- Glob
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Scan APK for Firebase Misconfigurations
|
|
13
|
+
|
|
14
|
+
**Arguments:** $ARGUMENTS
|
|
15
|
+
|
|
16
|
+
Parse the APK path from arguments. If empty, ask for the path.
|
|
17
|
+
|
|
18
|
+
Invoke the `firebase-apk-scanner` skill with the APK path for the full workflow.
|
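Review bot: line 16 ("Parse the APK path from arguments") hands `$ARGUMENTS` to a workflow that has `Bash` in `allowed-tools` (lines 5-6) without saying how the path is validated; state that it must resolve to an existing `.apk` file or a directory, that it is passed quoted, and that anything else is rejected before the skill runs. The `name: trailofbits:scan-apk` at line 2 also does not match the `/firebase-scan` invocation shown in the README's Usage section, so one of the two needs updating.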