A curated collection of security testing resources packaged as Claude Code skills, available on skills.sh
This repository contains a curated collection of security testing resources from SecLists packaged as Claude Code skills. These skills provide instant access to essential wordlists, payloads, patterns, and web shells for authorized security testing, penetration testing, CTF competitions, and security research.
The goal of this project is to provide organized, immediately accessible security testing resources that integrate seamlessly with Claude Code workflows for:
- Authorized penetration testing and security assessments
- Bug bounty program research
- CTF competition problem solving
- Security tool development and testing
- Educational security demonstrations
- Vulnerability research in controlled environments
The easiest way to get started is to install from the skills.sh marketplace:
```
# Add the awesome-security-skills marketplace
/plugin marketplace add Eyadkelleh/awesome-claude-skills-security

# List all available security plugins
/plugin

# Install all security skills at once
/plugin install security-fuzzing@awesome-security-skills
/plugin install security-passwords@awesome-security-skills
/plugin install security-patterns@awesome-security-skills
/plugin install security-payloads@awesome-security-skills
/plugin install security-usernames@awesome-security-skills
/plugin install security-webshells@awesome-security-skills
/plugin install llm-testing@awesome-security-skills
```

After installing, verify the skills are available:

```
# In Claude Code, try a command
/sqli-test

# Or ask Claude to use a skill
"Use the security-fuzzing skill to show me SQL injection payloads"
```

Once installed, you'll have access to:
- 7 Security Skill Categories: Fuzzing, Passwords, Patterns, Payloads, Usernames, Web-shells, LLM Testing
- 5 Slash Commands: /sqli-test, /xss-test, /wordlist, /webshell-detect, /api-keys
- 3 Specialized Agents: Pentest Advisor, CTF Assistant, Bug Bounty Hunter
- Curated SecLists Content: Essential wordlists and payloads for security testing
- LLM Security Testing: Comprehensive AI/ML security testing prompts and methodologies
If this is your first time using Claude Code skills:
- Make sure you have Claude Code CLI installed:

  ```
  # Check if Claude Code is installed
  claude --version
  ```

- Add this marketplace:

  ```
  /plugin marketplace add Eyadkelleh/awesome-claude-skills-security
  ```

- Install your first skill:

  ```
  # Start with fuzzing payloads
  /plugin install security-fuzzing@awesome-security-skills
  ```

- Test it out:

  ```
  # Try a slash command
  /sqli-test

  # Or ask Claude naturally
  "Show me SQL injection payloads from the security-fuzzing skill"
  ```
"Marketplace not found"
- Ensure the GitHub repository is public
- Check your internet connection
- Verify the repository name is correct: Eyadkelleh/awesome-claude-skills-security

"Plugin not available"
- Make sure you've added the marketplace first
- Run /plugin to see all available plugins
- Check that you're using the correct plugin name and marketplace

"Command not working"
- Verify the plugin is installed with /plugin
- Try reinstalling: /plugin uninstall <plugin-name>, then install again
- Make sure you're using the correct slash command syntax
Need help?
- Open an issue on GitHub
- Check the Claude Code documentation
Essential fuzzing payloads for vulnerability testing
- SQL injection testing payloads
- Command injection patterns
- NoSQL injection vectors
- LDAP injection strings
- Special character fuzzing
- Authentication bypass patterns
Curated password lists for authorized credential testing
- 500 worst passwords
- 10K most common passwords
- 100K NCSC password list
- Dark web breach compilations
- Probable password variations
Sensitive data patterns for security testing
- API key detection patterns
- Credit card format validation
- Email address patterns
- IP address discovery
- SSN format matching
- Phone number patterns
Specialized attack payloads for testing
- XSS injection vectors
- XXE payloads
- Template injection
- File upload bypasses
- Path traversal strings
Common username wordlists
- Default usernames
- Common account names
- Service-specific usernames
- Admin account patterns
Web shell samples for detection and analysis
- PHP web shells
- ASP/ASPX shells
- JSP shells
- Python shells
- Perl shells
Comprehensive AI/ML security testing prompts
- Bias detection (gender, nationality, race/ethnicity)
- Data leakage and privacy testing
- Memory recall testing
- Alignment and divergence attacks
- Adversarial prompt resistance
- AI safety evaluation
- Claude Code CLI (latest version)
- Git for cloning the repository
- Basic understanding of security testing concepts
- Authorization for security testing on target systems
Add this repository as a Claude Code plugin marketplace:
```
/plugin marketplace add Eyadkelleh/awesome-claude-skills-security
```

Then list available plugins:

```
/plugin
```

Install individual security testing plugins:

```
# Fuzzing payloads for injection testing
/plugin install security-fuzzing@awesome-security-skills

# Password wordlists
/plugin install security-passwords@awesome-security-skills

# Sensitive data patterns (API keys, etc.)
/plugin install security-patterns@awesome-security-skills

# XSS, XXE, and attack payloads
/plugin install security-payloads@awesome-security-skills

# Username wordlists
/plugin install security-usernames@awesome-security-skills

# Web shell samples for detection
/plugin install security-webshells@awesome-security-skills

# LLM security testing prompts
/plugin install llm-testing@awesome-security-skills
```

Clone and use directly:

```bash
git clone https://github.com/Eyadkelleh/awesome-claude-skills-security.git
cd awesome-claude-skills-security
```

Once installed from skills.sh, you can use specialized security testing commands directly in Claude Code:
```
# SQL injection testing guidance
/sqli-test

# XSS testing and payload generation
/xss-test

# Access wordlists for fuzzing/brute force
/wordlist

# Web shell detection (defensive security)
/webshell-detect

# Scan for exposed API keys and secrets
/api-keys
```

You can also reference the skills in your conversation with Claude:

```
# Ask Claude to use specific skills
"Use the security-fuzzing skill to help me test for SQL injection vulnerabilities"
"Show me common passwords from the security-passwords skill"
"Help me detect exposed API keys using the security-patterns skill"
"I need XSS payloads from the security-payloads skill"
```

Invoke expert agents for comprehensive security guidance:

```
# Penetration testing advisor
"Use the pentest-advisor agent to help me plan a security assessment"

# CTF competition assistant
"Use the ctf-assistant agent to help me solve this web exploitation challenge"

# Bug bounty hunting advisor
"Use the bug-bounty-hunter agent to help me test this bug bounty program responsibly"
```

Example 1: SQL Injection Testing
```
# Start with the slash command
/sqli-test

# Or ask Claude naturally
"I need to test a login form for SQL injection. Use the security-fuzzing skill to show me relevant payloads"
```

Example 2: Password Auditing

```
# Access password lists
/wordlist

# Or ask Claude
"Use the security-passwords skill to show me the most common weak passwords to test against our password policy"
```

Example 3: Code Review for Secrets

```
# Scan for exposed secrets
/api-keys

# Or ask Claude
"Use the security-patterns skill to help me scan this codebase for exposed API keys and credentials"
```

Example 4: CTF Challenge

```
# Get comprehensive CTF help
"I'm working on a web exploitation CTF challenge. Use the ctf-assistant agent and security-payloads skill to help me approach this"
```

Example 5: LLM Security Testing

```
# Test for AI model biases
"Use the llm-testing skill to help me test this AI model for gender bias"

# Check for data leakage vulnerabilities
"Use the llm-testing skill to test for data leakage and privacy issues in this LLM"

# Comprehensive AI safety audit
"I need to perform a red team assessment on this LLM. Use the llm-testing skill to show me prompts for bias detection, alignment testing, and adversarial resistance"
```

If you cloned the repository, access wordlists directly:
```python
# Example: Load SQL injection payloads (paths are relative to the repository root).
# Wordlists are not guaranteed to be valid UTF-8, so decode permissively.
with open('seclists-categories/fuzzing/fuzzing/references/Fuzzing/quick-SQLi.txt', 'r',
          encoding='utf-8', errors='replace') as f:
    sqli_payloads = f.read().splitlines()

# Example: Load common passwords
with open('seclists-categories/passwords/passwords/references/500-worst-passwords.txt', 'r',
          encoding='utf-8', errors='replace') as f:
    passwords = f.read().splitlines()

# Example: Use in security testing.
# test_injection() and target_url stand for your own authorized test harness;
# this repository does not define them.
for payload in sqli_payloads[:10]:
    test_injection(target_url, payload)
```

SQL Injection Testing (Authorized)
```
# 1. Start with the SQL injection command
/sqli-test
# 2. Follow the guidance provided
# 3. Use appropriate payloads from fuzzing/references/
# 4. Document all findings
```

CTF Challenge

```
# 1. Invoke the CTF assistant
"Help me solve this web exploitation CTF challenge"
# 2. Describe the challenge
# 3. Get guidance on approach and payloads
# 4. Access relevant wordlists as suggested
```

Bug Bounty Hunting

```
# 1. Invoke the bug bounty agent
"Help me test this bug bounty program"
# 2. Review scope and methodology
# 3. Use appropriate testing commands
# 4. Get guidance on responsible disclosure
```

```
awesome-claude-skills-security/
├── README.md                          # This file
├── .claude-plugin/                    # Plugin marketplace configuration
│   ├── marketplace.json               # Marketplace definition
│   ├── plugin.json                    # Main plugin manifest
│   ├── commands/                      # Slash commands
│   │   ├── sqli-test.md               # SQL injection testing
│   │   ├── xss-test.md                # XSS testing
│   │   ├── wordlist.md                # Wordlist access
│   │   ├── webshell-detect.md         # Web shell detection
│   │   └── api-keys.md                # API key scanning
│   └── agents/                        # Specialized agents
│       ├── pentest-advisor.md         # Pentesting guidance
│       ├── ctf-assistant.md           # CTF competition help
│       └── bug-bounty-hunter.md       # Bug bounty guidance
├── seclists-categories/
│   ├── fuzzing/fuzzing/
│   │   ├── SKILL.md                   # Skill metadata
│   │   └── references/                # SQL/NoSQL/Command injection
│   ├── passwords/passwords/
│   │   ├── SKILL.md
│   │   └── references/                # Password wordlists
│   ├── pattern-matching/pattern-matching/
│   │   ├── SKILL.md
│   │   └── references/                # API keys, sensitive data
│   ├── payloads/payloads/
│   │   ├── SKILL.md
│   │   └── references/                # XSS, XXE, file upload
│   ├── usernames/usernames/
│   │   ├── SKILL.md
│   │   └── references/                # Username wordlists
│   └── web-shells/web-shells/
│       ├── SKILL.md
│       └── references/                # Web shell samples
```
- /sqli-test - Interactive SQL injection testing guide with payload recommendations
- /xss-test - XSS vulnerability testing with context-aware payload suggestions
- /wordlist - Quick access to curated wordlists for authorized testing
- /webshell-detect - Defensive security guidance for web shell detection
- /api-keys - Scan for exposed API keys and sensitive credentials
- Pentest Advisor - Strategic penetration testing methodology and planning
- CTF Assistant - CTF competition challenge solver with educational focus
- Bug Bounty Hunter - Professional bug bounty hunting and responsible disclosure
- 7 Plugin Categories - Fuzzing, Passwords, Patterns, Payloads, Usernames, Web-shells, LLM Testing
- Curated from SecLists - Essential security testing wordlists and payloads
- AI/ML Security Testing - Comprehensive LLM testing prompts for bias, alignment, and safety
- Instant Access - All resources available through Claude Code commands
- Ethical Guidelines - Built-in reminders for authorized use only
- Authorized penetration testing with written permission
- Bug bounty programs (within documented scope)
- CTF competitions and challenges
- Security research in controlled lab environments
- Testing your own systems and applications
- Educational demonstrations with proper safeguards
- Defensive security tool development
- AI/ML security research and red team operations
- LLM safety evaluation and bias testing
- Responsible AI development and testing
- Unauthorized access attempts against any system
- Testing systems without explicit permission
- Malicious activities or attacks
- Privacy violations or data theft
- Any illegal activities
- Attacks against critical infrastructure
- Mass exploitation or automated attacks
- Always obtain written authorization before conducting security tests
- Stay within scope of authorized testing boundaries
- Document all activities during security assessments
- Report vulnerabilities responsibly through proper disclosure channels
- Respect rate limits and avoid denial-of-service conditions
- Protect sensitive data discovered during testing
- Follow applicable laws and regulations in your jurisdiction
SecLists is an incredible resource containing over 6,000 files and 4.5GB of security testing data. However, its size and breadth can be overwhelming. This project:
- Curates essential lists most commonly needed for security testing
- Organizes by category for easy discovery and access
- Integrates with Claude Code for seamless workflow integration
- Provides clear documentation on when and how to use each resource
- Emphasizes ethical use with clear guidelines and warnings
All security testing resources in this repository are sourced from SecLists by Daniel Miessler and contributors.
- Original Repository: https://github.com/danielmiessler/SecLists
- License: MIT License
- Maintainer: Daniel Miessler
- Contributors: Security community worldwide
This project is a curated, skill-packaged subset for Claude Code integration. For the complete SecLists collection (4.5GB, 6,000+ files), visit the original repository.
- Only test against systems you own or have written authorization to test
- Implement rate limiting to avoid account lockouts
- Monitor for defensive responses (WAF blocks, account locks)
- Use appropriate delays between attempts
- Test in isolated environments first
- Validate input sanitization and output encoding
- Check for secondary effects (logs, monitoring alerts)
- Document all findings systematically
- Only use for detection system validation
- Test in isolated lab environments
- Never deploy on production systems
- Focus on defensive detection capabilities
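The web shell practices above stress detection over deployment. As an added example that is not part of this repository or of the /webshell-detect command, the following Python heuristic scores PHP source for the loader patterns the web-shells samples are useful for validating (execution sinks fed from request data or from a decoder); the rule set, weights and the constructed fixtures are the author's own assumptions.

```python
import re

# Execution and command sinks, PHP superglobals that carry request data, and the
# decoders commonly used to hide a payload. These are heuristic signals, not proof:
# expect false positives in legitimate admin tooling and tune the weights locally.
SINKS = r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\("
USER_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b"
DECODERS = r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\("

# (rule name, compiled pattern, weight)
RULES = [
    # A sink whose argument list, up to the next ';', contains request data.
    ("sink_with_user_input", re.compile(SINKS + r"[^;]*" + USER_INPUT, re.I), 5),
    # A sink fed straight from a decoder: the classic obfuscated loader.
    ("sink_with_decoder", re.compile(SINKS + r"\s*@?" + DECODERS, re.I), 4),
    # A variable function name called with request data, e.g. $f($_GET['x']).
    ("dynamic_call_with_user_input", re.compile(r"\$\w+\s*\([^;]*" + USER_INPUT, re.I), 3),
    # preg_replace with the /e modifier evaluates its replacement as PHP.
    ("preg_replace_e", re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I), 4),
    # A long base64-looking literal, typical of a packed second stage.
    ("long_base64_literal", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 2),
]

def scan_php(source: str):
    """Score one PHP source text; returns (score, [names of the rules that fired])."""
    hits = [name for name, pattern, _ in RULES if pattern.search(source)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits

def is_suspicious(source: str, threshold: int = 4) -> bool:
    """Queue a file for manual review once its rule weights reach the threshold."""
    return scan_php(source)[0] >= threshold

# Constructed fixtures, not files from this repository: a benign script that only
# echoes escaped request data, and two minimal loader patterns of the kind the
# web-shells references exist to help you detect.
BENIGN = "<?php\n$name = htmlspecialchars($_GET['name'] ?? '');\necho \"Hello, $name\";\n"
SHELL_DIRECT = "<?php @eval($_POST['cmd']); ?>"
SHELL_ENCODED = "<?php eval(base64_decode($_REQUEST['p'])); ?>"

if __name__ == "__main__":
    for label, src in [("benign", BENIGN), ("direct", SHELL_DIRECT), ("encoded", SHELL_ENCODED)]:
        print(label, scan_php(src), "REVIEW" if is_suspicious(src) else "ok")
```

Run it over a directory of PHP files in an isolated lab and compare the flagged set against the samples in the web-shells references to calibrate the threshold before trusting it on real code.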
Contributions are welcome! If you'd like to:
- Add new curated wordlists
- Improve documentation
- Fix errors or update outdated information
- Suggest additional skills
Please open an issue or pull request.
This skill collection is designed to work with the skills.sh marketplace for Claude Code. Here's how users can find and install it:
- Browse skills.sh: Visit skills.sh to discover this and other skills
- Add the marketplace: Use /plugin marketplace add Eyadkelleh/awesome-claude-skills-security
- Install skills: Choose individual skills or install all at once
- Start using: Access wordlists, commands, and agents immediately
Want to add your own skills to this collection? Here's how:
- Fork this repository
- Add your skill in the appropriate category under seclists-categories/
- Create a SKILL.md file with metadata and references
- Update marketplace.json to include your skill
- Submit a pull request with a description of your contribution
To create your own skill collection for skills.sh:
- Create a repository with a .claude-plugin/ directory
- Add marketplace.json with your plugin definitions (see ours as an example)
- Include SKILL.md files in each skill directory
- Push to GitHub and make it public
- Share your marketplace - users can add it with /plugin marketplace add username/repo-name
Example marketplace.json structure:

```json
{
  "name": "your-marketplace-name",
  "owner": {
    "name": "Your Name",
    "email": "your@email.com"
  },
  "metadata": {
    "description": "Your skill collection description",
    "version": "1.0.0",
    "pluginRoot": "./skills"
  },
  "plugins": [
    {
      "name": "your-skill-name",
      "source": "./path/to/skill",
      "description": "Skill description",
      "version": "1.0.0",
      "keywords": ["tag1", "tag2"],
      "category": "your-category"
    }
  ]
}
```

- skills.sh Marketplace - Browse and discover Claude Code skills
- Claude Code Documentation - Official Claude Code docs
- SecLists Official Repository
- OWASP Testing Guide
- Bug Bounty Platforms
- Responsible Disclosure Guidelines
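Before publishing a marketplace, it helps to check the manifest mechanically. The following Python validator is an added example, not part of this project or of Claude Code: the required fields are inferred from the marketplace.json structure shown above, and the extra check that no plugin source resolves outside the marketplace directory is the author's own assumption about what a safe manifest should satisfy.

```python
import json
import re
from pathlib import PurePosixPath

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")
# Field layout inferred from the example manifest above; Claude Code's own schema
# may differ, so treat this as a pre-flight check rather than the authority.
REQUIRED_PLUGIN = ("name", "source", "description", "version")

def escapes_root(source: str) -> bool:
    """True if a plugin source is absolute or climbs above the marketplace directory."""
    path = PurePosixPath(source)
    if path.is_absolute():
        return True
    depth = 0
    for part in path.parts:
        depth += -1 if part == ".." else (0 if part == "." else 1)
        if depth < 0:
            return True
    return False

def validate_marketplace(text: str) -> list:
    """Return the problems found in a marketplace.json document; empty means it passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems = [f"missing top-level field '{k}'" for k in ("name", "owner", "metadata", "plugins") if k not in doc]
    owner = doc.get("owner") or {}
    problems += [f"owner.{k} is missing" for k in ("name", "email") if not owner.get(k)]
    seen = set()
    for i, plugin in enumerate(doc.get("plugins") or []):
        problems += [f"plugins[{i}] is missing '{k}'" for k in REQUIRED_PLUGIN if not plugin.get(k)]
        if plugin.get("name") in seen:
            problems.append(f"plugins[{i}] duplicates the name '{plugin.get('name')}'")
        seen.add(plugin.get("name"))
        if not SEMVER.match(str(plugin.get("version", ""))):
            problems.append(f"plugins[{i}] version is not MAJOR.MINOR.PATCH")
        if escapes_root(str(plugin.get("source", ""))):
            problems.append(f"plugins[{i}] source '{plugin.get('source')}' leaves the marketplace root")
    return problems

# Constructed manifests: one shaped like the example above, one with the mistakes
# the checks catch (no owner email, duplicate name, bad version, escaping source).
GOOD = json.dumps({"name": "m", "owner": {"name": "A", "email": "a@example.com"},
    "metadata": {"description": "d", "version": "1.0.0", "pluginRoot": "./skills"},
    "plugins": [{"name": "p", "source": "./skills/p", "description": "d", "version": "1.0.0"}]})
BAD = json.dumps({"name": "m", "owner": {"name": "A"}, "metadata": {"description": "d", "version": "1.0.0"},
    "plugins": [{"name": "p", "source": "../../outside", "description": "d", "version": "1.0.0"},
                {"name": "p", "source": "./skills/q", "description": "d", "version": "latest"}]})
```

Point validate_marketplace at the text of your own .claude-plugin/marketplace.json before pushing; a non-empty list is the set of things to fix first.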
MIT License - Use responsibly with proper authorization.
This is a curated collection and redistribution of SecLists content. The original SecLists project is maintained by Daniel Miessler under the MIT License. All credit for the original content goes to the SecLists project and its contributors.
This repository is provided for educational and authorized security testing purposes only. The maintainers of this repository are not responsible for any misuse or damage caused by the resources contained herein. Users are solely responsible for ensuring they have proper authorization before conducting any security testing activities.
Note: This is a curated reference repository. Always verify you have proper authorization before conducting security testing. When in doubt, ask for explicit written permission.
Generated with Claude Code | Awesome Claude Skills: Security Collection