AWS DynamoDB single-table design, GSI patterns, SDK v3 TypeScript/Python

Analyze existing repositories, maintain structure, setup guardrails and best practices

E2E testing with Playwright - Page Objects, cross-browser, CI/CD

PostHog analytics, event tracking, feature flags, dashboards

React web development with hooks, React Query, Zustand

Create Jira/Asana/Linear tickets optimized for Claude Code execution - AI-native ticket writing

User experience flows - journey mapping, UX validation, error recovery

'Expert guidance on contributing to WendyOS: Yocto builds, agent internals, E2E testing, and system architecture. Use when developers mention: (1) building WendyOS images, (2) meta-wendyos layers or bitbake, (3) wendy-agent development or internals, (4) containerd or nerdctl on WendyOS, (5) E2E tests for wendy-agent, (6) Yocto recipes or bbappend files, (7) mDNS/Avahi service configuration, (8) device identity or UUID generation.'

Three.js scene setup, cameras, renderer, Object3D hierarchy, coordinate systems. Use when setting up 3D scenes, creating cameras, configuring renderers, managing object hierarchies, or working with transforms.

>

Grilling session that challenges your plan against the existing domain model, sharpens terminology, and updates documentation (CONTEXT.md, ADRs) inline as decisions crystallise. Use when user wants to stress-test a plan against their project's language and documented decisions.

Find deepening opportunities in a codebase, informed by the domain language in CONTEXT.md and the decisions in docs/adr/. Use when the user wants to improve architecture, find refactoring opportunities, consolidate tightly-coupled modules, or make a codebase more testable and AI-navigable.

Create new agent skills with proper structure, progressive disclosure, and bundled resources. Use when user wants to create, write, or build a new skill.

Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through

'Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,

Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify

'Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that

'Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including

'Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,

Parse Windows LNK shortcut files to extract target paths, timestamps, volume information, and machine identifiers

Analyze Windows Shellbag registry artifacts to reconstruct folder browsing activity, detect access to removable

Design and implement a comprehensive DevSecOps pipeline in GitLab CI/CD integrating SAST, DAST, container scanning,

'Designs and documents structured incident response playbooks that define step-by-step procedures for specific

Establish a structured operational process to triage, test, and deploy Microsoft Patch Tuesday security updates

Collect volatile forensic evidence from a compromised system following order of volatility, preserving memory,

'Conducts security testing of REST, GraphQL, and gRPC APIs to identify vulnerabilities in authentication, authorization,

'Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment,

'This skill outlines methodologies for performing authorized penetration testing against AWS, Azure, and GCP

Perform DCSync attacks to replicate Active Directory credentials and establish domain persistence by extracting

'Conducts external reconnaissance using Open Source Intelligence (OSINT) techniques to map an organization''s

Execute an internal network penetration test simulating an insider threat or post-breach attacker to identify

Conduct internal Active Directory reconnaissance using BloodHound Community Edition to map attack paths, identify

'Simulates man-in-the-middle attacks using Ettercap, mitmproxy, and Bettercap in authorized environments to intercept,

'Conducts comprehensive network penetration tests against authorized target environments by performing host discovery,

Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate

Design and execute a social engineering penetration test including phishing, vishing, smishing, and physical

Spearphishing simulation is a targeted social engineering attack vector used by red teams to gain initial access.

'Conducts authorized wireless network penetration tests to assess the security of WiFi infrastructure by testing

Deploy a Software-Defined Perimeter using the CSA v2.0 specification with Single Packet Authorization, mutual

Detect and prevent ARP spoofing attacks using ARPWatch, Dynamic ARP Inspection, Wireshark analysis, and custom

Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive

'Detects command-and-control (C2) communications tunneled through DNS protocol including DNS tunneling tools

Detect DCSync attacks where adversaries abuse Active Directory replication privileges to extract password hashes

'Detects AI-generated deepfake audio used in voice phishing (vishing) attacks by extracting spectral features

'Detect command injection attacks against Modbus TCP/RTU protocol in ICS environments by monitoring for unauthorized

'This skill covers detecting anomalies in Modbus/TCP and Modbus RTU communications in industrial control systems.

Detect process hollowing (T1055.012) by analyzing memory-mapped sections, hollowed process indicators, and parent-child

'Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs,

Discover and inventory shadow API endpoints that operate outside documented specifications using traffic analysis,

Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam