By Pw00kT
25-skill pentest pack with engagement governance, network/code/dependency scans, OWASP Top 10 mapping, and exec-readable reporting. Heavy-hitter compliant; chain-of-custody attestable.
Analyze a target's TLS configuration — negotiated protocol version, cipher suite, certificate chain, expiry, and downgrade vectors. Use when: SOC2 auditor flagged your endpoint for "weak TLS" but you don't know which control failed (TSC CC6.7 transmission integrity vs CC6.6 encryption) or which cipher is the problem. Threshold: any negotiated TLSv1.0 or TLSv1.1, OR a cipher with RC4 / 3DES / null / EXPORT, OR a cert with under 30 days to expiry, OR a chain that fails hostname verification. Trigger with: "audit tls", "check ssl config", "weak tls", "analyze tls".
Audit a target's CORS posture — Access-Control-Allow-Origin handling, reflected-origin bypass, credentials+wildcard mismatch, preflight OPTIONS behavior, Vary header correctness. Use when: a third-party integration is failing CORS preflight and someone proposes "just set Allow-Origin to *" as the fix, OR your bug-bounty inbox has a credential-reuse exploit chain. Threshold: any reflection of arbitrary Origin into Allow-Origin, Allow-Credentials:true with wildcard origin (browser-rejected combo but server config wrong), missing Vary:Origin on per-origin responses, preflight cached over 86400s, OR Allow-Origin trust of attacker- controlled subdomain pattern. Trigger with: "audit cors", "check cors policy", "cors bypass", "preflight check".
Audit a Node.js project's installed npm dependency tree for known CVEs by wrapping the npm audit JSON output and emitting findings in the canonical penetration-tester schema. Detects direct AND transitive vulnerabilities, normalizes npm's severity scale (info/low/moderate/ high/critical) to the shared Severity enum, and parses both v1 and v2 audit output formats so the skill works against npm 6 and npm 7+ lockfiles. Use when: pre-merge gate on a Node project, post-incident sweep after a transitive package compromise (e.g. event-stream, ua-parser, node-ipc, color.js), SOC2 vendor-management evidence collection, or auditing an inherited or acquired Node codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit npm deps", "npm vulnerability scan", "check node packages for CVEs", "npm audit".
Audit a Python project's installed dependencies for known CVEs by wrapping pip-audit (PyPA's official vulnerability auditor) and emitting findings in the canonical penetration-tester schema. Detects vulnerable direct AND transitive packages, normalizes pip-audit's severity output via OSV severity bands, falls back to pip list --outdated when pip-audit isn't installed, and supports requirements.txt, pyproject.toml (PEP 621), Pipfile.lock, and poetry.lock as input sources. Use when: pre-merge gate on a Python project, post-incident sweep after a PyPI compromise (e.g. ctx, request-toolbelt typosquats, ultralytics 8.3.42 compromise), SOC2 evidence collection, or inheriting an unfamiliar Python codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit python deps", "pip vulnerability scan", "check pypi packages for CVEs", "pip-audit run".
Audit a target's HTTP security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the Cross-Origin trio (COOP, COEP, CORP). Use when: SOC2 / PCI auditor flagged "missing security headers" or a Mozilla Observatory grade is below B, OR you need HSTS preload eligibility for chrome://net-internals. Threshold: any missing required header on production HTML response, HSTS max-age below 31536000s (preload requirement), CSP with 'unsafe-inline' or 'unsafe-eval', X-Frame-Options absent AND CSP frame-ancestors absent (clickjacking), Cache-Control allowing public cache on authenticated endpoint. Trigger with: "audit security headers", "check csp", "hsts check", "header posture".
Own this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimOwn this plugin?
Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).
Sign in to claimBased on adoption, maintenance, documentation, and repository signals. Not a security audit or endorsement.
Built for Claude Code. Every plugin and skill in this catalog targets Anthropic's official CLI.
432 plugins, 2,769 skills, 297 agents, 30 community contributors — validated and ready to install.
marketplace.extended.json is the same marketplace.json the Claude Code CLI reads. No registries to reconcile, no manual sync step.name / description / allowed-tools / version / author / license / compatibility / tags. The 100-point rubric is public./skill-creator --forge <api-name> builds production-grade plugins from any REST API with an audit trail; hand-authored plugins use the same templates and validators.pnpm add -g @intentsolutionsio/ccpi # Install the CLI
ccpi install devops-automation-pack # Install any plugin
Or use Claude's built-in command:
/plugin marketplace add jeremylongshore/claude-code-plugins
Browse the marketplace | Explore plugins | Download bundles
Killer Skill of the Week — kobiton-automate by Kobiton Inc.
Real mobile devices on demand — no emulators, no flaky CI
Kobiton's automate plugin gives Claude Code, Cursor, Codex, and Gemini CLI direct access to the Kobiton real-device cloud via remote MCP. 12 tools across three surfaces — Devices (list / reserve / status / terminate), Sessions (list / get / artifacts / terminate), and Apps (upload / confirm / list / get) — plus 3 specialist agents for device picking, Appium capability reconciliation, and session triage. One install, real iOS + Android hardware, no emulator drift.
"Mobile testing that runs where the bugs actually live — on the device, not the simulator." — Kobiton Inc.
Grade: A | Week of May 20, 2026 (W21) | Browse on Marketplace
Previous picks: skyvern, code-cleanup, web-analytics, token-optimizer, executive-assistant-skills, skill-creator, cursor-pack, crypto-portfolio-tracker. See all at tonsofskills.com.
Option 1: CLI (Recommended)
npx claudepluginhub pw00kt/fuzzy-sniffle --plugin penetration-testerIntelligent YAML validation, generation, and transformation agent with schema inference, linting, and format conversion capabilities
Set up synthetic monitoring for proactive performance tracking
Detect SQL injection vulnerabilities
Generate RESTful APIs from schemas with proper routing, validation, and documentation
Orchestrate complex test workflows with dependencies, parallel execution, and smart test selection
Comprehensive skill pack with 66 specialized skills for full-stack developers: 12 language experts (Python, TypeScript, Go, Rust, C++, Swift, Kotlin, C#, PHP, Java, SQL, JavaScript), 10 backend frameworks, 6 frontend/mobile, plus infrastructure, DevOps, security, and testing. Features progressive disclosure architecture for 50% faster loading.
Comprehensive .NET development skills for modern C#, ASP.NET, MAUI, Blazor, Aspire, EF Core, Native AOT, testing, security, performance optimization, CI/CD, and cloud-native applications
Harness-native ECC operator layer - 67 agents, 278 skills, 94 legacy command shims, reusable hooks, rules, selective install profiles, and production-ready workflows for Claude Code, Codex, OpenCode, Cursor, and related agent harnesses
Tools to maintain and improve CLAUDE.md files - audit quality, capture session learnings, and keep project memory current.
Complete creative writing suite with 10 specialized agents covering the full writing process: research gathering, character development, story architecture, world-building, dialogue coaching, editing/review, outlining, content strategy, believability auditing, and prose style/voice analysis. Includes genre-specific guides, templates, and quality checklists.
Unity Development Toolkit - Expert agents for scripting/refactoring/optimization, script templates, and Agent Skills for Unity C# development