by Eyadkelleh
Security testing toolkit for Claude Code: curated SecLists wordlists, injection payloads, and expert agents for authorized pentesting, CTFs, and bug bounties
# Add to your Claude Code skills
git clone https://github.com/Eyadkelleh/awesome-claude-skills-security
Guides for using AI agent skills like awesome-claude-skills-security.
A curated collection of security testing resources packaged as Claude Code skills, available on skills.sh
This repository contains a curated collection of security testing resources from SecLists packaged as Claude Code skills. These skills provide instant access to essential wordlists, payloads, patterns, and web shells for authorized security testing, penetration testing, CTF competitions, and security research.
The goal of this project is to provide organized, immediately accessible security testing resources that integrate seamlessly with Claude Code workflows for:
The easiest way to get started is to install from the skills.sh marketplace:
# Add the awesome-security-skills marketplace
/plugin marketplace add Eyadkelleh/awesome-claude-skills-security
# List all available security plugins
/plugin
# Install all security skills at once
/plugin install security-fuzzing@awesome-security-skills
/plugin install security-passwords@awesome-security-skills
/plugin install security-patterns@awesome-security-skills
/plugin install security-payloads@awesome-security-skills
/plugin install security-usernames@awesome-security-skills
/plugin install security-webshells@awesome-security-skills
/plugin install llm-testing@awesome-security-skills
After installing, verify the skills are available:
# In Claude Code, try a command
/sqli-test
# Or ask Claude to use a skill
"Use the security-fuzzing skill to show me SQL injection payloads"
Once installed, you'll have access to:
/sqli-test, /xss-test, /wordlist, /webshell-detect, /api-keys
If this is your first time using Claude Code skills:
Make sure you have Claude Code CLI installed
# Check if Claude Code is installed
claude --version
Add this marketplace
/plugin marketplace add Eyadkelleh/awesome-claude-skills-security
Install your first skill
# Start with fuzzing payloads
/plugin install security-fuzzing@awesome-security-skills
Test it out
# Try a slash command
/sqli-test
# Or ask Claude naturally
"Show me SQL injection payloads from the security-fuzzing skill"
"Marketplace not found"
Eyadkelleh/awesome-claude-skills-security
"Plugin not available"
/plugin to see all available plugins
"Command not working"
/plugin
/plugin uninstall <plugin-name> then install again
Need help?
Essential fuzzing payloads for vulnerability testing
Curated password lists for authorized credential testing
Sensitive data patterns for security testing
Specialized attack payloads for testing
Common username wordlists
Web shell samples for detection and analysis
Comprehensive AI/ML security testing prompts
Add this repository as a Claude Code plugin marketplace:
/plugin marketplace add Eyadkelleh/awesome-claude-skills-security
Then list available plugins:
/plugin
Install individual security testing plugins:
# Fuzzing payloads for injection testing
/plugin install security-fuzzing@awesome-security-skills
# Password wordlists
/plugin install security-passwords@awesome-security-skills
# Sensitive data patterns (API keys, etc.)
/plugin install security-patterns@awesome-security-skills
# XSS, XXE, and attack payloads
/plugin install security-payloads@awesome-security-skills
# Username wordlists
/plugin install security-usernames@awesome-security-skills
# Web shell samples for detection
/plugin install security-webshells@awesome-security-skills
# LLM security testing prompts
/plugin install llm-testing@awesome-security-skills
Clone and use directly:
git clone https://github.com/Eyadkelleh/awesome-claude-skills-security.git
cd awesome-claude-skills-security
Once installed from skills.sh, you can use specialized security testing commands directly in Claude Code:
# SQL injection testing guidance
/sqli-test
# XSS testing and payload generation
/xss-test
# Access wordlists for fuzzing/brute force
/wordlist
# Web shell detection (defensive security)
/webshell-detect
# Scan for exposed API keys and secrets
/api-keys
You can also reference the skills in your conversation with Claude:
# Ask Claude to use specific skills
"Use the security-fuzzing skill to help me test for SQL injection vulnerabilities"
"Show me common passwords from the security-passwords skill"
"Help me detect exposed API keys using the security-patterns skill"
"I need XSS payloads from the security-payloads skill"
Invoke expert agents for comprehensive security guidance:
# Penetration testing advisor
"Use the pentest-advisor agent to help me plan a security assessment"
# CTF competition assistant
"Use the ctf-assistant agent to help me solve this web exploitation challenge"
# Bug bounty hunting advisor
"Use the bug-bounty-hunter agent to help me test this bug bounty program responsibly"
Example 1: SQL Injection Testing
# Start with the slash command
/sqli-test
# Or ask Claude naturally
"I need to test a login form for SQL injection. Use the security-fuzzing skill to show me relevant payloads"
Example 2: Password Auditing
# Access password lists
/wordlist
# Or ask Claude
"Use the security-passwords skill to show me the most common weak passwords to test against our password policy"
Example 3: Code Review for Secrets
# Scan for exposed secrets
/api-keys
# Or ask Claude
"Use the security-patterns skill to help me scan this codebase for exposed API keys and credentials"
Example 4: CTF Challenge
# Get comprehensive CTF help
"I'm working on a web exploitation CTF challenge. Use the ctf-assistant agent and security-payloads skill to help me approach this"
Example 5: LLM Security Testing
# Test for AI model biases
"Use the llm-testing skill to help me test this AI model for gender bias"
# Check for data leakage vulnerabilities
"Use the llm-testing skill to test for data leakage and privacy issues in this LLM"
# Comprehensive AI safety audit
"I need to perform a red team assessment on this LLM. Use the llm-testing skill to show me prompts for bias detection, alignment testing, and adversarial resistance"
If you cloned the repository, access wordlists directly:
# Example: Load SQL injection payloads
with open('seclists-categories fuzzing/fuzzing/references/Fuzzing/quick-SQLi.txt', 'r') as f:
    sqli_payloads = f.read().splitlines()
# Example: Load common passwords
with open('seclists-categories passwords/passwords/references/500-worst-passwords.txt', 'r') as f:
    passwords = f.read().splitlines()
# Example: Use in security testing
# test_injection() and target_url are not defined in this snippet; supply your own.
for payload in sqli_payloads[:10]:
    test_injection(target_url, payload)
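A defensive use of the password list loaded above, matching the password-auditing example (Example 2): check which known-weak passwords a complexity rule would still accept, then close the gap with a deny-list. This is an added example, not code from the repository; `meets_policy`, `policy_gaps`, `with_denylist` and the sample entries are assumptions made for illustration.

```python
import re
from pathlib import Path

# Path from the snippet above; only present if the repository was cloned.
WORDLIST_PATH = "seclists-categories passwords/passwords/references/500-worst-passwords.txt"
# Constructed sample entries (not copied from the list) so the example runs offline.
SAMPLE_WORDLIST = ["123456", "password", "Password1", "Summer2024!", "letmein", "Qwerty123!"]


def load_wordlist(path):
    """Return one candidate per non-blank line, or [] when the file is absent."""
    p = Path(path)
    if not p.is_file():
        return []
    text = p.read_text(encoding="utf-8", errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def meets_policy(pw, min_len=8):
    """Hypothetical complexity rule: length plus lower, upper, digit and symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def policy_gaps(wordlist, policy=meets_policy):
    """Known-weak passwords that the policy would still accept."""
    return [pw for pw in wordlist if policy(pw)]


def with_denylist(policy, wordlist):
    """Wrap a policy so any listed password is rejected, ignoring case."""
    denied = {pw.casefold() for pw in wordlist}
    return lambda pw: policy(pw) and pw.casefold() not in denied


if __name__ == "__main__":
    words = load_wordlist(WORDLIST_PATH) or SAMPLE_WORDLIST
    print("accepted by complexity rule alone:", policy_gaps(words))
    hardened = with_denylist(meets_policy, words)
    print("accepted after deny-list:", policy_gaps(words, hardened))
```

Any entry returned by `policy_gaps` is a password that satisfies the complexity rule while still appearing on a common-password list, which is the case a deny-list check at registration and password change is meant to catch.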
SQL Injection Testing (Authorized)
# 1. Start with the SQL injection command
/sqli-test
# 2. Follow the guidance pro