security-review
vX
io.github.x-cmd/x-cmd/security-review
Security audit for code changes. Triggered by "/security-review" when reviewing auth, crypto, input handling, or when user explicitly requests a security audit.
共 3,312 个资源
vX
io.github.x-cmd/x-cmd/security-review
Security audit for code changes. Triggered by "/security-review" when reviewing auth, crypto, input handling, or when user explicitly requests a security audit.
vmaster
io.github.pproenca/dot-skills/nextjs-ppr-patterns
Next.js 16 App Router pages mixing static and dynamic content — Partial Prerendering (PPR) under the Cache Components model. Covers enabling it with cacheComponents (the removed experimental.ppr / experimental_ppr flags), the dynamic-by-default rendering inversion, the Suspense static-shell/dynamic-hole boundary, the 'use cache' directive (automatic keys, cacheLife/cacheTag, children/action pass-through, runtime values as props, serverless durability), async runtime APIs and connection() for non-determinism, page composition from a single hole to parallel dashboards to streaming a Promise into a Client Component with use(), and forms/wizards with updateTag read-your-writes and Activity state preservation. Triggers on PPR, cacheComponents, 'use cache', Suspense streaming, partial prerendering, or static-shell work even when not named explicitly.
vmaster
io.github.pproenca/dot-skills/nextjs-bundle-optimizer
Next.js 16 bundle-size and build-time optimization — runs a data-driven iteration loop: measure baseline → analyze top offenders → apply ONE recipe → re-measure → verify nothing broke (build + types + tests + no regression) → commit or revert. Built for Next.js 16 with Turbopack default, and falls back to webpack-mode tooling when the project hasn't migrated yet. Triggers on phrases like "First Load JS is huge", "bundle size", "build takes too long", "page is slow to TTI", "reduce bundle", "tree-shake", or when the user shares output from `next experimental-analyze` / `@next/bundle-analyzer` — even if the user doesn't say "optimize" explicitly.
vmaster
io.github.pproenca/dot-skills/dockerfile-optimise
Dockerfile optimization guidelines from official Docker documentation. This skill should be used when writing, reviewing, or refactoring Dockerfiles to ensure optimal build time, image size, security, and robustness. Triggers on tasks involving Dockerfile creation, Docker image builds, container optimization, multi-stage builds, build cache, or Docker security hardening.
vmain
io.github.nexu-io/open-design/codex-interactive-capability-map
Turn a long-form article, thread, memo, or product narrative into a compact clickable capability map with a workflow loop, use-case matrix, and responsive detail panel.
vmain
io.github.nexu-io/open-design/vfx-text-cursor
Cursor light trail, chromatic rays, and directional flares for word-by-word quote reveals in video intros.
vmain
io.github.alirezarezvani/claude-skills/kubernetes-operator
Use when building a Kubernetes Operator — custom controllers that reconcile CRD state. Triggers on "build an operator", "CRD design", "reconcile loop", "controller-runtime", "kubebuilder", "operator-sdk", "metacontroller", "KOPF", "operator capability levels", or "custom resource". Ships CRD validator, reconcile-loop linter, and OperatorHub capability auditor (all stdlib Python), 4 references on the operator pattern + CRD design + reconcile patterns + tooling landscape, and a /operator-audit slash command. NOT a generic k8s skill — specifically the Operator pattern.
vmain
io.github.briiirussell/cybersecurity-skills/mobile-audit
Audit iOS and Android mobile applications against OWASP MASVS / MASTG — insecure storage, weak crypto, certificate pinning, deeplinks, IPC, jailbreak/root detection, reverse-engineering resistance. Use when the user mentions 'mobile security,' 'iOS security,' 'Android security,' 'mobile audit,' 'mobile pentest,' 'MASVS,' 'MASTG,' 'certificate pinning,' 'jailbreak detection,' 'root detection,' 'deeplink,' 'URL scheme,' 'app transport security,' 'keychain,' 'keystore,' 'mobile reverse engineering,' or has a mobile app to review.
vmain
io.github.nexu-io/html-video/vfx-text-cursor
Cursor light trail, chromatic rays, and directional flares for word-by-word quote reveals in video intros.
vmaster
io.github.openvinotoolkit/openvino/python-bootstrap
Install Python dependencies before running verification or test steps. Choose the correct path depending on whether the agent builds OpenVINO from source or not.
vmaster
io.github.kevinpbuckley/unreal-engine-skills/automation-and-testing
Write and run automated tests for Unreal Engine projects — simple/complex automation tests (IMPLEMENT_SIMPLE_AUTOMATION_TEST, IMPLEMENT_COMPLEX_AUTOMATION_TEST), BDD-style Spec tests (DEFINE_SPEC, BEGIN_DEFINE_SPEC, Describe/It/BeforeEach/AfterEach), functional in-level tests (AFunctionalTest), low-level tests (Catch2-based LLTs), latent/async commands, EAutomationTestFlags, FAutomationTestBase assertion API (TestTrue/TestEqual/TestNotNull/AddError), and running tests from the editor, CLI, or CI. Use when writing unit or integration tests for gameplay logic or systems, setting up headless CI test runs, verifying data/content, or catching regressions.
vmain
io.github.openai/plugins/testing-data-visualizations
Test data visualizations and dashboards. Use when the user needs chart or diagram test strategy, screenshot or image diff testing, visual regression, mocked or synthetic chart data, component or unit tests, E2E dashboard QA, interactive UML-like diagram verification, scroll-driven story verification, export verification, or guidance on avoiding brittle over-testing.
vmain
io.github.openai/plugins/typescript-data-visualization-engineering
Build typed data visualizations in TypeScript. Use when the user wants TypeScript visualization code, typed data models, browser visualization components, UML-like diagram models, interactive graph or architecture diagram contracts, scroll-driven scene contracts, library selection guidance, or a maintainable visualization architecture beyond React- or Next-specific concerns.
vmain
io.github.Leonxlnx/taste-skill/taste-skill
Anti-slop frontend skill for landing pages, portfolios, and redesigns. The agent reads the brief, infers the right design direction, and ships interfaces that do not look templated. Real design systems when applicable, audit-first on redesigns, strict pre-flight check.
vmain
io.github.kortix-ai/suna/pdf
Use for creating, editing, extracting, OCRing, filling, and converting PDF documents.
vmain
skillsmp.zarazhangrui-frontend-slides-skill-md
Create stunning, animation-rich HTML presentations from scratch or by converting PowerPoint files. Use when the user wants to build a presentation, convert a PPT/PPTX to web, or create slides for a talk/pitch. Helps non-designers discover their aesthetic through visual exploration rather than abstract choices.
vdevel
io.github.ansible/ansible/review
Review an Ansible PR following the project's standardized process from CLAUDE.md
vmaster
io.github.microsoft/fluentui/review-pr
Review a PR for correctness, pattern compliance, testing, accessibility, and safety. Produces a confidence score for merge readiness.
vmain
io.github.openclaw/openclaw/agent-transcript
Add a redacted agent transcript section to GitHub PR or issue bodies during OpenClaw agent-created PR/issue workflows.
vmain
io.github.ZHangZHengEric/Sage/mcp-builder
Guide for creating high-quality MCP (Model Context Protocol) servers that enable LLMs to interact with external services through well-designed tools. Use when building MCP servers to integrate external APIs or services, whether in Python (FastMCP) or Node/TypeScript (MCP SDK).
vmain
io.github.ZHangZHengEric/Sage/pdf
Use this skill whenever the user wants to do anything with PDF files. This includes reading or extracting text/tables from PDFs, combining or merging multiple PDFs into one, splitting PDFs apart, rotating pages, adding watermarks, creating new PDFs, filling PDF forms, encrypting/decrypting PDFs, extracting images, and OCR on scanned PDFs to make them searchable. If the user mentions a .pdf file or asks to produce one, use this skill.
vmain
io.github.PurpleAILAB/Decepticon/docker-socket-mount
Docker / containerd socket mounted into a container → host RCE. Common in CI runners, GitOps controllers (ArgoCD, Flux), and 'Docker-in-Docker' setups. Single-command escape via `docker run --rm --privileged -v /:/host alpine chroot /host`.
vmain
io.github.PurpleAILAB/Decepticon/api
Modern API category — gRPC, SOAP/WSDL, WebSocket, Server-Sent Events. Routing skill: identify the API protocol from the response Content-Type or wire format, then load the matching sub-skill.
vmain
io.github.PurpleAILAB/Decepticon/server-sent-events
Server-Sent Events (SSE / EventSource) exploitation — origin abuse for cross-site streaming exfil, prompt-injection via SSE messages into LLM clients, retry-after token leak, fragmenting events to bypass content-type sniffers.