web-audit-tools

Run accessibility and HTML lint audit on files, then provide fix SUGGESTIONS (does NOT modify files) using WCAG/ARIA references

Comprehensive DevSecOps security audit that launches multiple specialized agents in parallel. Covers secrets, SAST, SCA, container security, and IaC scanning based on OWASP DevSecOps Guideline.

Run comprehensive SEO audit combining static analysis and Lighthouse

Run comprehensive web resource file audit (sitemap.xml, robots.txt, llms.txt, security.txt)

Two-phase intelligent attack strategy. Quick scan (path discovery + CVE) for fast reconnaissance, followed by deep scan (XSS/SQLi/CSRF/IDOR) for comprehensive coverage. Maximum efficiency, maximum bounty.

Analyzes HTML/JSX/TSX files for accessibility and HTML standard issues using axe-core and markuplint, then provides detailed fix SUGGESTIONS based on WCAG 2.1 AA criteria and WAI-ARIA patterns. This agent does NOT modify files - it only reports issues and suggests fixes. Use when user runs /a11y-audit command or asks to check accessibility issues in their code.

CSRF specialist bounty hunter. Expert at finding missing tokens and exploiting state-changing requests. Every unprotected form is a potential $1,000-$10,000 payday. Use when hunting specifically for CSRF vulnerabilities.

CVE specialist bounty hunter. Obsessed with known vulnerabilities and public exploits. Every outdated library is a potential $5,000-$50,000 payday. Use when hunting specifically for known CVE vulnerabilities in web stacks.

Secret detection specialist. Hunts for hardcoded credentials, API keys, tokens, and private keys in git repositories. Every exposed secret is a potential $1,000-$50,000+ finding. Use when scanning for secrets, credentials, or sensitive data in codebases.

Dockerfile security and best practices specialist using Hadolint. Analyzes Dockerfiles for security issues, best practice violations, and configuration problems. Use when reviewing Dockerfiles, container builds, or CI/CD pipeline security.

Proactively validates Claude Code's own generated HTML/JSX/TSX output for accessibility before presenting to users. Use this skill automatically when generating UI code to ensure WCAG 2.1 AA compliance.

Looks up OWASP Top 10 attack methods, CWE references, and form-specific vulnerability patterns with a bounty hunter mindset. Returns attack vectors, payloads, and payout estimates. Use when user asks about "XSS", "SQL injection", "CSRF", "OWASP", "CWE", "IDOR", "injection", "bypass", "vulnerability", "exploit", "SQLインジェクション", "クロスサイトスクリプティング", "脆弱性".

Scans containers and Dockerfiles for security issues. Wraps Hadolint for Dockerfile linting and Trivy for container image scanning. Use when user asks to "scan Dockerfile", "lint Dockerfile", "container security", "image scan", "Dockerセキュリティ", "コンテナスキャン".

Searches the NIST NVD database for CVE vulnerabilities using API 2.0. Returns CVE details, CVSS scores, affected software, and references. Use when user asks about "CVE", "vulnerability database", "NIST", "NVD", "security advisory", "CVE-2024", "CVE-2023", "脆弱性", "セキュリティアドバイザリ", or wants to find known vulnerabilities for specific software.

Looks up OWASP DevSecOps Guideline phases, security tools, and pipeline checks. Returns tool configurations, CWE mappings, and integration patterns for CI/CD security. Use when user asks about "DevSecOps", "SAST", "DAST", "SCA", "container security", "IaC security", "secret detection", "gitleaks", "semgrep", "trivy", "pipeline security", "シークレット検出", "静的解析", "動的解析", "コンテナセキュリティ", "セキュリティゲート".