redcap — Red-team / red-hat skill suite

redcap — Red-team / red-hat skill suite

Named for the folklore redcap: a murderous goblin that dips its hat in the blood of its victims. This suite is the Claude-Code analog — it dips its pointer into whichever sibling skill best fits the task.

When this meta-skill is invoked

Claude reaches for the meta when the request is red-team / device-research flavored but the specific sibling isn't obvious, or when a task needs multiple siblings in sequence. For a direct request ("find me an XSS payload", "decompile this APK"), Claude should invoke the relevant sibling directly without bouncing through the meta.

The suite

Sibling	Invoke when the task is...
redcap-payloads	Looking up a specific exploit payload — SQL injection, XSS, SSTI, LDAP, XXE, CSRF, CRLF, SSRF, deserialization, auth bypass, WAF bypass, CVE-specific payloads
redcap-imhex	Parsing or decoding a binary — firmware blob, file format, proprietary container, embedded config — especially when a structured pattern language helps
redcap-droid	Decompiling an Android APK / XAPK / JAR / AAR, extracting HTTP API endpoints, tracing call flows, locating compile-time gates in bytecode
redcap-gpt	Running an autonomous pentest on an authorized CTF / HTB machine / target, where persistent enumeration and reasoning-tree output beat manual direction
redcap-kernel	Analyzing a firmware dump or kernel tree — unpacking partitions, hunting for compile-time feature flags, comparing advertised features to compile-time gates, detecting FCC-filing gaps
redcap-compliance	Comparing a system or device config to a hardening baseline — SCAP, STIG, CIS, PCI-DSS, OSPP — or finding compliance deviations on an owned device

Routing logic

1. Parse the intent. What is the user trying to LEARN or DO?
2. Match against the table above. Often a single sibling covers it; invoke that directly.
3. Multi-step workflows: chain siblings. The canonical example is engineering-mode unlock on an owned device:
   • redcap-payloads for web admin JSON-RPC fuzz payloads →
   • redcap-droid for decompiling admin JARs to locate the feature gate →
   • redcap-kernel for partition-level analysis of a firmware dump →
   • redcap-imhex for raw binary structures (scatter.txt, preloader, bootloader) →
   • redcap-gpt for autonomous reasoning over remaining attack axes →
   • redcap-compliance as a sanity-check baseline against advertised / expected behavior.

Legal and ethical framing

This suite is for lawful uses:

• Authorized penetration testing (with written authorization)
• Security research on hardware and software you OWN
• Right-to-repair and consumer-rights investigation (interop analysis under DMCA §1201(f); EU Directive 2009/24/EC)
• Malware analysis and incident response
• CTF competitions and educational use
• Compliance audits of systems under your administration

You are responsible for ensuring your use complies with applicable laws and terms of service. Unauthorized reverse engineering or network access against systems you do not own or do not have permission to test may violate computer-fraud statutes, terms of service, or regulations.

If a user asks for help against a target whose ownership or authorization is ambiguous, ASK before proceeding.

Consumer-rights angle

A driving use case for this suite is surfacing manufacturer-vs-reality gaps on devices the user owns:

• Marketing claims (e.g., "5G supported") vs compile-time gates that disable the feature in shipped firmware
• FCC ID filings that turn out to be non-existent or missing required documentation
• Features disabled on consumer firmware that are present in ODM / white-label siblings of the same hardware
• Compliance / security baselines the device silently fails
• Region-locked features that are perfectly functional when unlocked

When Claude uses these skills to investigate a device the user owns, framing the output as a fact-based gap audit (not "defeating security") both matches the real intent and avoids publishing patterns that read as attack disclosures.

Without Ultraplan

Each sibling auto-triggers on its own description keywords. Invoke redcap-payloads directly by asking about payloads; Claude will match. The meta is only needed when the intent is ambiguous or when the task spans multiple siblings.

With Ultraplan

Each sibling is a dispatchable work-unit. Ultraplan decomposes a mission by:

1. Expanding the user goal into phases
2. Mapping each phase to the tightest sibling match using the routing table above
3. Dispatching in parallel where phases are independent, serial where dependencies exist

A single sibling invocation is one work-unit; multi-sibling chains are pipelines. The meta-skill itself is rarely a work-unit — it's a routing aid, not a doer.

Installation

/plugin marketplace add GITDIDDY69/redcap
/plugin install redcap@redcap
/plugin install redcap-payloads@redcap
/plugin install redcap-imhex@redcap
/plugin install redcap-droid@redcap
/plugin install redcap-gpt@redcap
/plugin install redcap-kernel@redcap
/plugin install redcap-compliance@redcap

Install only the siblings you want.

Most siblings expect a local clone of their upstream reference fork:

Sibling	Expected local path
redcap-payloads	~/Documents/GitHub/PayloadsAllTheThings
redcap-imhex	~/Documents/GitHub/ImHex + optional built binary
redcap-droid	self-contained (jadx + Java JDK; auto-install scripts included)
redcap-gpt	~/Documents/GitHub/PentestGPT (Python env set up per its README)
redcap-kernel	at least one kernel tree in ~/Documents/GitHub/ — linux (ADI) as a starter corpus; expand as you target new devices
redcap-compliance	~/Documents/GitHub/content (ComplianceAsCode)

Clone all (once):

cd ~/Documents/GitHub
gh repo clone GITDIDDY69/PayloadsAllTheThings
gh repo clone GITDIDDY69/ImHex
gh repo clone GITDIDDY69/PentestGPT
gh repo clone GITDIDDY69/linux                 # large (~4 GB)
gh repo clone GITDIDDY69/content               # ComplianceAsCode fork