Skill

penetration-testing-guide

OWASP Top 10 checklist for Firebase apps. Firestore rules audit. Auth flow testing. Functions input validation. [EXPLICIT]

From jm-adk

Install

Run in your terminal

npx claudepluginhub javimontano/jm-adk-alfa

Tool Access

This skill uses the workspace's default tool permissions.

Supporting Assets

View in Repository

agents/guardian.md

agents/lead.md

agents/specialist.md

agents/support.md

evals/evals.json

knowledge/body-of-knowledge.md

knowledge/knowledge-graph.md

prompts/meta.md

prompts/primary.md

prompts/variations/deep.md

prompts/variations/quick.md

templates/output.docx.md

templates/output.html

Skill Content

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

prompts.chat

157.5k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

prompts.chat

157.5k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

139.2k

Stats

Stars1

Forks0

Last CommitMar 28, 2026

Actions

View Source View Plugin View on GitHub View README

Core Principles

Law of Auth First: No endpoint without authentication. Firebase ID token verification is mandatory. [EXPLICIT]

Law of Least Privilege: Users get minimum permissions needed. Custom claims define roles. [EXPLICIT]

Law of Defense in Depth: Client validation + Security Rules + Cloud Functions validation. Three layers. [EXPLICIT]

Scenario

Handling

Empty or minimal input

Request clarification before proceeding

Conflicting requirements

Flag conflicts explicitly, propose resolution

Out-of-scope request

Redirect to appropriate skill or escalate

penetration-testing-guide {Security} (v1.0)

"Security is not a feature. It's every feature's foundation."

Purpose

OWASP Top 10 checklist for Firebase apps. Firestore rules audit. Auth flow testing. Functions input validation. [EXPLICIT] When to use: Implementing authentication, authorization, or security measures in Firebase projects.

Core Principles

Law of Auth First: No endpoint without authentication. Firebase ID token verification is mandatory. [EXPLICIT]
Law of Least Privilege: Users get minimum permissions needed. Custom claims define roles. [EXPLICIT]
Law of Defense in Depth: Client validation + Security Rules + Cloud Functions validation. Three layers. [EXPLICIT]

Core Process

Phase 1: Assess security requirements from spec.

Phase 2: Implement auth, authorization, and security measures.

Phase 3: Audit with OWASP checklist. Test rules with emulator.

Validation Gate

Auth implemented on all endpoints
Security rules cover all Firestore collections
OWASP Top 10 mitigations addressed
Secrets in Secret Manager (not in code)
Privacy compliance documented

Usage

Example invocations:

"/penetration-testing-guide" — Run the full penetration testing guide workflow
"penetration testing guide on this project" — Apply to current context

Assumptions & Limits

Assumes access to project artifacts (code, docs, configs) [EXPLICIT]
Requires English-language output unless otherwise specified [EXPLICIT]
Does not replace domain expert judgment for final decisions [EXPLICIT]

Edge Cases

Scenario	Handling
Empty or minimal input	Request clarification before proceeding
Conflicting requirements	Flag conflicts explicitly, propose resolution
Out-of-scope request	Redirect to appropriate skill or escalate