Search everything...

Stats

Actions

Available In

web-security

Name: web-security
Author: s3cr1z

By s3cr1z

Web application penetration testing with 30+ attack technique playbooks covering request smuggling, cache poisoning, SSRF, SSTI, DOM vulnerabilities, authentication bypasses, parser differentials, and client-side attacks. Includes HTTP client tooling, Caido proxy integration via MCP, credential management, DNS rebinding, phone verification, and vulnerability verification.

npx claudepluginhub s3cr1z/capabilities --plugin web-security

Popularity

Stars

Med: 0·Avg: 285

Installs

Med: 0·Avg: 1

What's Inside

Agents1

web-security

/web-security

Autonomous web application security testing agent

Skills51

dom-vulnerability-static-analysis

/dom-vulnerability-static-analysis

Static code analysis for DOM-based vulnerabilities in client-side JavaScript. USE WHEN performing pre-commit reviews, auditing large codebases without dynamic execution, triaging minified code for XSS issues, verifying sanitization routines, analyzing source-to-sink data flows, OR reviewing JavaScript files for potential DOM XSS. Covers source identification, data flow tracing, sink detection, sanitization assessment, postMessage handler review, framework-specific constructs, and automated pattern scanning with AST-based tools.

jxscout-bookmarks

/jxscout-bookmarks

Create jxscout bookmarks and bookmark groups via the CLI to document interesting code during security research. Use when analyzing JS/HTML files, reviewing findings, documenting client-side flows, or when the user asks to bookmark security-relevant code patterns, gadgets, or sinks.

jxscout-custom-analyzers

/jxscout-custom-analyzers

Create custom jxscout analyzers (regex, derived, or script-based) and retrigger analysis. Use when the user wants to find specific code patterns across all project files, add new match kinds, or extend jxscout's static analysis capabilities.

jxscout-findings

/jxscout-findings

Create, retrieve, and list jxscout findings to document security-relevant discoveries. Use when you've identified a vulnerability, interesting gadget, security-relevant primitive, or anything a bug bounty hunter would want to track. Also use when the user wants to review, list, filter, or summarize existing findings.

jxscout-relationships

/jxscout-relationships

Query jxscout for asset relationships -- which JS files and iframes a page loads, lazy-loaded chunks, reversed source maps, and how assets relate to each other. Use when mapping the attack surface of a specific page or understanding how assets are connected.

MCP Servers7

The plugin manifest points to a different repository than the source indexed by ClaudePluginHub.

Stats

Version1.0.3

LanguagePython

Stars0

MaintenanceGood

LicenseMIT

Last CommitMay 8, 2026

AddedMay 9, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Own this plugin?

Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).

Available In

dreadnode-capabilities

Safety Signals

Critical

Admin access level

Server config contains admin-level keywords

Caution

Uses power tools

Uses Bash, Write, or Edit tools

README

Logo

Dreadnode Capabilities

This is the source repo for the capabilities Dreadnode publishes to app.dreadnode.io. A capability is a directory — a manifest plus any combination of agents, tools, skills, and MCP servers — that a Dreadnode runtime picks up and loads:

ai-red-teaming/
  capability.yaml     # manifest
  agents/             # markdown prompts
  tools/              # python @tool functions
  skills/             # SKILL.md packs

Install one

Published — dn capability install dreadnode/ai-red-teaming (swap in any name from capabilities/)
From source — dn capability install ./capabilities/ai-red-teaming symlinks the directory into your runtime, so edits go live on reload
From the TUI — start dn, press Ctrl+P, filter for dreadnode/

dn is the Dreadnode CLI — see getting-started to install and authenticate. Full install reference for capabilities lives at docs.dreadnode.io/capabilities/installing.

Build your own

Every directory under capabilities/ is a shipped, working example. Read one alongside the docs:

Concepts and load model
Manifest reference
Quickstart — scaffold to running in the TUI in about ten minutes

Security scanning

Every skill in this repo is scanned with cisco-ai-defense/skill-scanner for prompt injection, data exfiltration, tool-chaining abuse, and supply chain risk. CI fails on HIGH+ findings and uploads SARIF reports to GitHub Code Scanning. The repo policy in scan-policy.yaml tunes the scanner for security-focused content.

just security-scan                    # scan all capabilities
just security-scan web-security       # scan one capability
just security-scan behavioral="true"  # deep dataflow analysis

Contributing

This repo is published for reference, not as a contribution target — we don't generally accept external PRs that add new capabilities. See CONTRIBUTING.md for what's useful to send and how to build your own capabilities instead.

License

Each capability declares its license in its capability.yaml.

web-security

Popularity

What's Inside

Confidence

README

Dreadnode Capabilities

Install one

Build your own

Security scanning

Contributing

License

Similar Plugins

dotnet-skills

everything-claude-code

ecc

fullstack-dev-skills

reverse-engineering

octo

More by s3cr1z

memory-forensics

bloodhound

ghostwriter-readonly

dotnet-reversing

bloodhound-enterprise

Dreadnode Capabilities

Install one

Build your own

Security scanning

Contributing

License

Popularity

Health & Quality

More by s3cr1z

memory-forensics

bloodhound

ghostwriter-readonly

dotnet-reversing

bloodhound-enterprise

Similar Plugins

dotnet-skills

everything-claude-code

ecc

fullstack-dev-skills

reverse-engineering

octo