fix: optimize 27 web-security skills #22
Open
GangGreenTemperTatum wants to merge 4 commits into
Rewrote lowest-scoring skills (data-exfil 18%→90%, scorer-reference 61%→86%, dom-vulnerability-* 71%→97%, hackerone-recon 74%→97%, vuln-kb 75%→100%). Common fixes: allowed-tools array→string, added Use-when clauses, removed verbose explanations of concepts the agent already knows, replaced pseudocode with executable rg/curl/grep commands, added validation checkpoints to workflows, cut monolithic files to essentials. 28 skills improved, average score 86%→92% across all 58 skills.
Targeted fixes based on judge feedback for each skill:

- jxscout-static-analysis: 84% -> 96% (added trigger terms, trimmed HTTP context/limitations)
- mcp-auth-exploitation: 86% -> 90% (added validation checkpoints between phases, trimmed explanatory text)
- write-path-to-rce: 86% -> 97% (enriched description with specific frameworks and actions)
- burp-suite: 85% -> 97% (added verification steps, common workflows section)
- subdomain-takeover-check: 85% -> 94% (added executable examples, error handling guidance)
- exploit-verifier: 86% -> 98% (added references to bundle files, consolidated inline guidance)
- jxscout-relationships: 88% -> 93% (consolidated use cases into workflow, expanded checkpoint)
- agent-browser: 89% -> 93% (trimmed auth/viewport/iOS/eval sections, reduced from 586 to 393 lines)
- jxscout-security-research: 89% -> 99% (improved description trigger terms)
- ssrf-redirect-loop: 89% -> 94% (added concrete curl examples, validation checkpoint)

Skipped 3 skills already >=90%: scorer-reference (93%), oauth-flow-hijack (92%), dompurify-mxss-bypass (90%)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Port skills that existed in project-obsidian-md but were missing from the web-security capability: custom-sanitizer-audit, archive-path-traversal, type-confusion-testing, self-xss-escalation, saas-provider-url-ssrf, inline-script-breakout-exfil, config-file-parsing-bugs, insecure-defaults, and caido-proxy (adapted from caido-skill to match existing MCP server). All trimmed from source (avg 280→100 lines), large skills split into reference files, tessl review scores 92-100%.
67 skills (was 58), 9 ported from project-obsidian-md, 27 optimized via tessl review. Update description to reflect 60+ playbooks.