By naporin0624
Comprehensive SEO, WCAG 2.1 AA accessibility, web resource analysis, DevSecOps security testing, path discovery, CVE hunting, and bounty hunter agents
npx claudepluginhub naporin0624/seo-claude-plugins --plugin web-audit-tools
Run accessibility and HTML lint audit on files, then provide fix SUGGESTIONS (does NOT modify files) using WCAG/ARIA references
Comprehensive DevSecOps security audit that launches multiple specialized agents in parallel. Covers secrets, SAST, SCA, container security, and IaC scanning based on OWASP DevSecOps Guideline.
Run comprehensive SEO audit combining static analysis and Lighthouse
Run comprehensive web resource file audit (sitemap.xml, robots.txt, llms.txt, security.txt)
Two-phase intelligent attack strategy. Quick scan (path discovery + CVE) for fast reconnaissance, followed by deep scan (XSS/SQLi/CSRF/IDOR) for comprehensive coverage. Maximum efficiency, maximum bounty.
Analyzes HTML/JSX/TSX files for accessibility and HTML standard issues using axe-core and markuplint, then provides detailed fix SUGGESTIONS based on WCAG 2.1 AA criteria and WAI-ARIA patterns. This agent does NOT modify files - it only reports issues and suggests fixes. Use when user runs /a11y-audit command or asks to check accessibility issues in their code.
CSRF specialist bounty hunter. Expert at finding missing tokens and exploiting state-changing requests. Every unprotected form is a potential $1,000-$10,000 payday. Use when hunting specifically for CSRF vulnerabilities.
CVE specialist bounty hunter. Obsessed with known vulnerabilities and public exploits. Every outdated library is a potential $5,000-$50,000 payday. Use when hunting specifically for known CVE vulnerabilities in web stacks.
Secret detection specialist. Hunts for hardcoded credentials, API keys, tokens, and private keys in git repositories. Every exposed secret is a potential $1,000-$50,000+ finding. Use when scanning for secrets, credentials, or sensitive data in codebases.
Dockerfile security and best practices specialist using Hadolint. Analyzes Dockerfiles for security issues, best practice violations, and configuration problems. Use when reviewing Dockerfiles, container builds, or CI/CD pipeline security.
IDOR specialist bounty hunter. Master of finding insecure direct object references. Every numeric ID is a potential $2,000-$50,000 payday. Use when hunting specifically for authorization bypass and IDOR vulnerabilities.
SAST specialist using Semgrep. Hunts for code-level vulnerabilities including injection flaws, XSS, insecure deserialization, and security anti-patterns. Use when performing static analysis, code security review, or hunting for OWASP Top 10 vulnerabilities in source code.
SQL Injection specialist bounty hunter. Lives for database errors and UNION selects. Every login form is a potential $5,000-$50,000 payday. Use when hunting specifically for SQL injection vulnerabilities.
Infrastructure as Code security specialist using tfsec and Checkov. Hunts for cloud misconfigurations in Terraform, CloudFormation, and Kubernetes manifests. Use when reviewing IaC, Terraform plans, or cloud infrastructure security.
Container and dependency security specialist using Trivy. Scans container images for OS and library vulnerabilities, and filesystems for dependency vulnerabilities. Use when scanning Docker images, container registries, or performing SCA on codebases.
XSS specialist bounty hunter. Obsessed with finding script injection, event handlers, and DOM manipulation vulnerabilities. Every reflected input is a potential $500-$15,000 payday. Use when hunting specifically for XSS vulnerabilities in web applications.
Proactively validates Claude Code's own generated HTML/JSX/TSX output for accessibility before presenting to users. Use this skill automatically when generating UI code to ensure WCAG 2.1 AA compliance.
Looks up OWASP Top 10 attack methods, CWE references, and form-specific vulnerability patterns with a bounty hunter mindset. Returns attack vectors, payloads, and payout estimates. Use when user asks about "XSS", "SQL injection", "CSRF", "OWASP", "CWE", "IDOR", "injection", "bypass", "vulnerability", "exploit", "SQLインジェクション", "クロスサイトスクリプティング", "脆弱性".
Scans containers and Dockerfiles for security issues. Wraps Hadolint for Dockerfile linting and Trivy for container image scanning. Use when user asks to "scan Dockerfile", "lint Dockerfile", "container security", "image scan", "Dockerセキュリティ", "コンテナスキャン".
Searches the NIST NVD database for CVE vulnerabilities using API 2.0. Returns CVE details, CVSS scores, affected software, and references. Use when user asks about "CVE", "vulnerability database", "NIST", "NVD", "security advisory", "CVE-2024", "CVE-2023", "脆弱性", "セキュリティアドバイザリ", or wants to find known vulnerabilities for specific software.
Looks up OWASP DevSecOps Guideline phases, security tools, and pipeline checks. Returns tool configurations, CWE mappings, and integration patterns for CI/CD security. Use when user asks about "DevSecOps", "SAST", "DAST", "SCA", "container security", "IaC security", "secret detection", "gitleaks", "semgrep", "trivy", "pipeline security", "シークレット検出", "静的解析", "動的解析", "コンテナセキュリティ", "セキュリティゲート".
Static security analysis of HTML forms without sending any requests. Checks for CSRF tokens, insecure actions, missing validation, hidden field issues, and common security misconfigurations. Safe to run - no payloads sent. Use when user asks to "analyze form security", "check form for vulnerabilities", "static security check".
Runs automated HTML linting using @axe-core/playwright (WCAG accessibility) and markuplint (HTML standards). Use when user asks to "lint HTML", "run automated checks", "validate HTML", "check accessibility", or mentions "axe-core", "markuplint", "automated audit".
Scans Infrastructure as Code for security misconfigurations. Wraps tfsec for Terraform and Checkov for multi-cloud IaC. Use when user asks to "scan Terraform", "IaC security", "infrastructure scan", "tfsec", "checkov", "Terraformセキュリティ", "インフラスキャン".
Runs Google Lighthouse audits using Playwright for SEO, Performance, Accessibility, and Best Practices scoring. Supports both URLs and local HTML files. Use when user mentions "Lighthouse", "page speed", "performance audit", "Core Web Vitals", "CWV", or needs comprehensive web performance analysis.
Dynamic security testing of web forms using Playwright browser automation. Sends actual payloads to test for vulnerabilities. REQUIRES USER CONFIRMATION before execution. Use when user wants to "test payloads", "dynamic security test", "exploit testing", "penetration test forms".
Runs Static Application Security Testing (SAST) using Semgrep. Scans source code for vulnerabilities, security anti-patterns, and OWASP Top 10 issues. Use when user asks to "run SAST", "scan for vulnerabilities", "static analysis", "code security scan", "静的解析", "脆弱性スキャン".
Runs Software Composition Analysis (SCA) to detect vulnerable dependencies. Wraps npm audit and Trivy fs. Use when user asks to "scan dependencies", "check npm vulnerabilities", "SCA scan", "dependency audit", "依存関係スキャン", "脆弱性チェック".
Scans git repositories for hardcoded secrets, credentials, and API keys using Gitleaks. Returns findings with severity, location, and remediation steps. Use when user asks to "scan for secrets", "detect credentials", "find API keys", "check for leaks", "シークレット検出", "認証情報スキャン".
Analyzes HTML/JSX/TSX files for SEO and accessibility issues including WCAG 2.1 AA compliance, color contrast (4.5:1), heading hierarchy, meta tags, image alt text, and ARIA attributes. Use when checking web pages for SEO, accessibility, WCAG compliance, or when user mentions "a11y", "contrast", "alt text", "meta tags", "heading structure", or "accessibility audit".
Analyzes HTML files for SEO issues using static analysis with cheerio. Checks meta tags, Open Graph, Twitter Cards, heading structure, and JSON-LD structured data. Use when user mentions "SEO check", "meta tags", "og tags", "structured data validation", "SEO audit", or wants to analyze HTML/JSX for SEO compliance.
Looks up SEO best practices for meta tags, Open Graph, Twitter Cards, and structured data (JSON-LD), returning Google/official documentation URLs with concise summaries. Use when user asks about SEO requirements (e.g., "title tag length", "og:image size"), meta tags (e.g., "canonical", "robots"), social media tags (e.g., "Open Graph", "Twitter Card"), or structured data schemas (e.g., "Article schema", "Product JSON-LD", "FAQ markup").
Looks up WCAG 2.1 AA criteria and WAI-ARIA patterns, returning official W3C URLs with concise summaries. Use when user asks about accessibility standards, WCAG criteria (e.g., "1.4.3", "contrast"), ARIA attributes (e.g., "aria-expanded", "role=dialog"), or accessible component patterns (e.g., "accessible tabs", "modal dialog a11y").
Validates essential web resource files (sitemap.xml, robots.txt, llms.txt, security.txt) for compliance with their specifications. Use when user asks about "sitemap validation", "robots.txt check", "llms.txt", "security.txt", "RFC 9116", "RFC 9309", "web resource audit", "サイトマップ", "セキュリティ", or wants to verify crawler/LLM accessibility files.
A comprehensive Claude Code plugin providing SEO, WCAG 2.1 AA accessibility, and security testing tools with specialized bounty hunter agents.
```
# Add the marketplace
/plugin marketplace add naporin0624/seo-claude-plugins
# Install the plugin
/plugin install web-audit-tools@web-audit-marketplace
```
```bash
# Each install runs in a subshell, so the relative skills/ paths stay valid from one line to the next
(cd skills/seo-analyzer && npm install)
(cd skills/lighthouse-runner && npm install)
(cd skills/web-resource-checker && npm install)
(cd skills/cve-search && npm install)
(cd skills/form-security-analyzer && npm install)
(cd skills/playwright-security-runner && npm install)
```
Run accessibility audit on files.
```
/a11y-audit path/to/file.html
/a11y-audit "src/**/*.tsx"
```
Comprehensive SEO audit with Lighthouse.
```
/seo-audit path/to/file.html          # Full audit (static + lighthouse)
/seo-audit http://localhost:3000      # Lighthouse only
/seo-audit path/to/file.html static   # Static analysis only
```
Combined SEO, accessibility, and web resource audit.
```
/web-audit path/to/file.html
/web-audit https://example.com
```
Deploy bounty hunter agents to attack a website from multiple angles.
```
# Deploy all hunters in parallel
/website-hunter http://localhost:3000
# Deploy specific hunters
/website-hunter http://localhost:3000 xss,sqli
# Just IDOR and CSRF
/website-hunter http://localhost:3000 idor,csrf
```
| Skill | Description |
|---|---|
| seo-a11y-analyzer | Core analysis with 5-step workflow |
| wcag-aria-lookup | WCAG 2.1 AA criteria and ARIA patterns lookup |
| html-lint-runner | Automated linting with axe-core + markuplint |
| seo-lookup | SEO best practices reference |
| seo-analyzer | Static SEO analysis with cheerio |
| lighthouse-runner | Lighthouse integration via Puppeteer |
| web-resource-checker | sitemap.xml, robots.txt, llms.txt, security.txt validation |
| attack-methods-lookup | OWASP Top 10 attack methods reference |
| cve-search | NVD API integration for CVE search |
| form-security-analyzer | Static security analysis for forms |
| playwright-security-runner | Dynamic security testing with Playwright |

| Agent | Specialty | Bounty Range |
|---|---|---|
| a11y-fixer | Accessibility fixes (read-only) | - |
| xss-hunter | XSS vulnerabilities | $500 - $50,000 |
| sqli-hunter | SQL injection | $2,000 - $50,000+ |
| csrf-hunter | CSRF attacks | $500 - $20,000 |
| idor-hunter | IDOR / Authorization bypass | $2,000 - $50,000+ |
The security testing tools include multiple safety features:
MIT
Naporitan (naporin0624)