By kalpmodi
Run AI-guided, phase-chained penetration tests and bug bounty hunts: initialize targets, perform recon and subdomain enumeration, hunt secrets and API keys, test web/API vulns like SQLi/XSS/SSRF/race conditions/OAuth, audit cloud/AD infra misconfigs, exploit chains, triage findings with precision gating, and generate Markdown reports.
npx claudepluginhub kalpmodi/akira
Use when encountering HTTP 403 Forbidden responses during pentests or bug bounty hunting, testing access control bypasses, trying to reach restricted endpoints, admin panels, or protected API routes. Also trigger when the user says "403 bypass", "bypass forbidden", "access denied bypass", "forbidden page bypass", or "trying to access restricted endpoint". Use this whenever a 403 needs to be tested - not just blindly accepted.
Internal utility library - not an invokable skill. Contains phase0.sh (session state, intel relay, memory read) and signals.sh (append-only signal emission). Sourced by all other skills via `source ~/.claude/skills/_shared/phase0.sh`.
Use when attacking Active Directory environments, hunting Kerberoastable accounts, AS-REP roasting, DCSync, Pass-the-Hash, Pass-the-Ticket, BloodHound path analysis, LDAP enumeration, GPO abuse, ACL abuse, or full AD domain compromise chains. Also use when the user says "attack AD", "domain compromise", "Kerberoast", "DCSync", "BloodHound", or "lateral movement".
Use when auditing cloud infrastructure for misconfigurations, testing AWS IAM privilege escalation, enumerating exposed S3 buckets, attacking GCP service accounts, testing Azure RBAC misconfigs, hunting for exposed Kubernetes API servers, or finding cloud credential leaks in metadata services. Also use when the user says "cloud audit", "AWS pentest", "GCP attack", "K8s attack", "S3 exposed", "metadata service", or "cloud misconfiguration".
Use when context is running long during a pentest engagement, at phase boundaries after completing a full phase, or when the user says "compact", "compress context", "trim context", or "save tokens". Compresses completed phase outputs while keeping session.json as the authoritative source of truth.
Use when working on CTF (Capture the Flag) challenges, HackTheBox machines, TryHackMe rooms, pwn challenges, reverse engineering, cryptography puzzles, forensics, web exploitation CTF tasks, OSINT challenges, or steganography. Also use when the user says "CTF", "HackTheBox", "HTB", "TryHackMe", "THM", "pwn this", "reverse this binary", "solve this crypto", or "find the flag".
Use when running exploitation phase of a pentest, testing for SQL injection, XSS, SSRF, JWT confusion, deserialization, prototype pollution, HTTP smuggling, cache poisoning, SSTI, XXE, GraphQL, SAML, LFI, file upload bypass, CORS, WebSocket hijacking, IDOR, mass assignment, account takeover chains, 2FA bypass, or any class of web/API vulnerability. Also use when the user says "run exploit", "phase 3", "start exploitation", "test for XSS/SQLi/SSRF", or names any specific vuln class.
Use when attacking OAuth 2.0 or OIDC implementations, testing for authorization code interception, PKCE bypass, open redirect chains, token leakage via referer, state parameter CSRF, token substitution, JWT confusion, implicit flow token theft, or OAuth misconfiguration in bug bounty targets. Also use when the user says "attack OAuth", "OAuth bug", "PKCE bypass", "redirect_uri bypass", "token leakage", or "SSO attack".
Use when starting any pentesting engagement, receiving a target domain or IP, saying "new engagement", "start a pentest", "plan this target", or beginning any offensive security assessment. Invoke this FIRST before any other skill. Also triggers on "bug bounty on X", "test X for me", "attack X", "scope is X".
Use when testing for race conditions, single-packet attacks, TOCTOU vulnerabilities, limit-bypass via concurrent requests, coupon/voucher reuse, double-spend, rate limit bypass, or parallel request timing attacks. Also use when the user says "race condition", "single packet attack", "concurrent requests", "double spend", "limit bypass", or "TOCTOU".
Use when running reconnaissance on a pentest target, starting phase 1 of an engagement, gathering subdomains, DNS resolution, live hosts, port scan results, URL intelligence, JavaScript endpoints, GitHub secrets, cloud buckets, subdomain takeovers, or attack surface mapping. Also use when the user says "run recon", "start recon", "phase 1", "enumerate subdomains", "find attack surface", or "map the target".
Use when running APT-level red team operations, post-exploitation, lateral movement, credential harvesting, Active Directory attacks (Kerberoasting, DCSync, Golden/Silver tickets, ADCS ESC chains, BloodHound), C2 framework tradecraft (Cobalt Strike, Havoc, Sliver), Living off the Land binaries, defense evasion (AMSI bypass, ETW patching, process hollowing), persistence, cloud APT (Azure AD Pass-the-PRT, Device Code phishing, ADFS Golden SAML, AWS assumed-role lateral movement), data exfiltration, or OPSEC tradecraft. Also triggers on "red team", "APT simulation", "post-exploitation", "lateral movement", "persistence", "AD attacks", "C2", "LotL", "Living off the Land", "BloodHound", "Kerberoast", "DCSync", "ADCS", "credential harvesting", "defense evasion", "domain fronting".
Use when generating a pentest report, writing up findings from a completed assessment, converting triage output into a structured document, or producing an executive summary of vulnerabilities. Also use when the user says "generate report", "write report", or "create report".
Use when hunting for secrets, API keys, tokens, or credentials on a pentest target, running phase 2 of an engagement, scanning JS files for hardcoded secrets, or running trufflehog/gitleaks. Also use when the user says "run secrets", "hunt secrets", or "phase 2".
Use when aggregating pentest findings across all phases, clustering vulnerabilities by severity, prioritizing findings for a report, or surfacing the top actionable issues from a completed scan. Also use when the user says "triage", "aggregate findings", or "what did we find".
Use when hunting for zero-days, backdoors, RCE, supply chain attacks, JWT vulnerabilities, cache poisoning, HTTP smuggling, dependency confusion, source map exposure, GSRM/WAF bypass, internal admin panel exposure, business logic flaws, race conditions, subdomain takeover, cloud misconfigs, mobile APK secrets, OAuth attacks, CORS misconfigs, serialization/SSTI/XXE, CI/CD pipeline attacks, or chained attack vectors. Also use when user says "find zero day", "hunt backdoor", "find RCE", "go deep", "maximum potential", "find critical", "chain attack", or "elite hunt".
Claude Code skills and agents for authorized security testing, bug bounty hunting, and pentesting workflows
Complete offensive security operator workspace: 27 specialist agents, 6 engagement commands, 5 reference skill libraries, scope-gated hooks, and evidence logging for professional penetration testing and red-team operations.
183+ pentesting and OSINT tools (nmap, nuclei, amass, subfinder, httpx, sherlock, maigret, trufflehog, sqlmap, impacket, and more) wired into Claude Code as a single skill. Runs locally on any OS via native Bash, WSL, or purpose-built Docker images (instrumentisto/nmap, projectdiscovery/nuclei, caffix/amass, etc.). Just ask Claude to recon a target, scan a network, investigate a username, or chain OSINT workflows — the skill picks the right backend and image automatically.
Scan APIs for security vulnerabilities and OWASP API Top 10
Expert guidance for ffuf web fuzzing during authorized penetration testing, including authenticated fuzzing, auto-calibration, and result analysis
Comprehensive skill pack with 66 specialized skills for full-stack developers: 12 language experts (Python, TypeScript, Go, Rust, C++, Swift, Kotlin, C#, PHP, Java, SQL, JavaScript), 10 backend frameworks, 6 frontend/mobile, plus infrastructure, DevOps, security, and testing. Features progressive disclosure architecture for 50% faster loading.