security_skill

This skill performs a comprehensive web security assessment, weaving reconnaissance, threat modeling, and vulnerability analysis to prioritize testing outcomes.
  • TypeScript

10.2k

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

3 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill danielmiessler/personal_ai_infrastructure --skill security

  • SKILL.md1.4 KB

Overview

This skill performs full web application security assessments combining app understanding, threat modeling, automated testing, fuzzing, and AI-assisted vulnerability analysis. It coordinates with Recon and PromptInjection skills to scale reconnaissance and LLM-specific injection testing. The goal is a prioritized, evidence-backed test plan and clear findings with PoCs and remediation guidance.

How this skill works

The skill builds an application narrative (roles, user flows, tech stack, attack surface) and generates a prioritized threat model mapped to OWASP/CWE. It orchestrates reconnaissance outputs (subdomains, endpoints, paths), runs targeted tests (ffuf fuzzing, Playwright browser automation), and uses AI to analyze and triage results. Outputs include attack paths, test plans with tool suggestions, effort estimates, and a final report with exploitation notes and remediation advice.

When to use it

  • Performing a full security assessment or pentest engagement
  • Creating a threat model or prioritizing attack scenarios
  • Running content discovery or directory fuzzing with ffuf
  • Automating browser-based testing with Playwright
  • Analyzing and triaging findings with AI-assisted vulnerability analysis
  • Coordinating OSINT and recon before testing

Best practices

  • Obtain explicit authorization and define clear scope before testing
  • Run Recon first to enumerate domains, endpoints, and assets
  • Understand the app narrative and user flows before active testing
  • Use threat model to prioritize tests: breadth then depth
  • Document commands, screenshots, and PoCs for every finding
  • Integrate fuzzing and Playwright automation for repeatable tests

Example use cases

  • Full assessment: Recon → Understand Application → Create Threat Model → Execute pentest and report
  • Quick threat model: generate prioritized attack paths and a compact test plan for focused testing
  • Fuzzing campaign: run ffuf-driven content discovery across discovered subdomains
  • Browser automation: use Playwright flows to validate auth, business logic, and file uploads
  • AI analysis: run Gemini-style vulnerability analysis to triage noisy scanner output into actionable issues

FAQ

Yes. It coordinates with Recon tools for enumeration and uses ffuf, Playwright, and other standard pentest utilities; those should be available in the assessment environment.

How are results prioritized?

Findings are prioritized via a threat model mapped to OWASP/CWE and risk scores; effort estimates (quick/medium/extensive) guide testing order.

Can this run without customization?

Yes. The skill uses sensible defaults but will apply user preferences if a customization directory is provided prior to execution.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
security skill by danielmiessler/personal_ai_infrastructure | VeilStrat