The router
A skill is a self-contained specialist — its own prompt fragment and its own toolset. The router is a thin layer that, for every user turn, scores all skills against the prompt and activates the few that match. The activated skills’ tools are wired up for that turn only; the rest are dormant.
This keeps each turn cheap and focused:
- Slash commands and @server mentions are authoritative — they bypass routing and force the matching skill on.
- Free-form prompts are scored on keyword matches, whenToUse heuristics, and the project context.
- Multiple skills can run in the same turn — recon + intel + reporting on a single message is normal.
Skill catalogue
14 curated skills, grouped by category. Each one owns a prompt fragment, a tool list, and a set of slash commands that activate it.
- Recon (recon): Map a target's external surface — passive DNS, certificate transparency, port and service fingerprint, technology detection, subdomain enumeration. Multiple lanes fan out in parallel and converge into one report.
- Intel · Breach (intel-breach): Search breach indices and paste sites for an email, domain, or username. Identifies which dump a credential came from, whether the password is reused, and surfaces leaked tokens.
- Intel · Vulns (intel-vuln): Resolve CVE IDs against authoritative advisories. Returns CVSS vector, vendor advisories, public PoCs, exploitability heuristics, and the patched / downgrade target.
- Intel · Threats (intel-threats): Reputation lookups against multiple feeds for IPs, URLs, domains, and file hashes. Returns the verdict, classifier signals, and any active campaign correlation.
- Brand OSINT (brand-osint): Pull a website's identity package — logos, primary palette, typography, key copy. Useful for typosquat detection, phishing kit attribution, and visual-similarity searches.
- Crypto (crypto): Hash fingerprinting (md5 / sha-* / bcrypt / NTLM / crypt), encoding decode (base64, hex, URL-safe), classical cipher ID, known-plaintext hints. CTF-friendly.
- Offensive (offensive): Payload generation — reverse shells, bind shells, web shells, msfvenom variants. Knows the common targets (bash, python, perl, powershell, nc-traditional) and tailors the variant to the platform you specify.
- CTF · Web (ctf-web): Triage a CTF web challenge end-to-end: recon, vuln theorising, exploitation strategy, common-gotcha checklist (LFI tricks, JWT alg=none, prototype pollution, SSTI, etc.).
- Post-exploit (post-exploit): Privilege escalation paths (Linux / Windows / AD), lateral movement, persistence techniques, and credential harvesting tailored to the foothold context you describe.
- Reverse engineering (reverse-eng): Static and dynamic binary analysis assistance — Ghidra decompilation cleanup, GDB workflow, radare2 commands, anti-anti-debug tricks, packing identification.
- Remote · Exec (remote-exec): Emit runnable command proposals for the user's registered SSH targets. Picks the right host from a mention, calibrates timeouts and risk levels, and never auto-executes.
- Blue team (blue-team): Detection engineering — Sigma, KQL, and SPL rules from a TTP description or pasted log; threat-hunt queries for credential dumping, C2 beacons, lateral movement; tuning hints.
- Threat modelling (threat-model): STRIDE, PASTA, and attack-tree analysis of a system you describe. Produces structured findings with mitigations and a prioritised remediation order. Drives /mindmap and /diagram.
- Reporting (reporting): Pentest finding writeups (title, impact, repro, evidence, remediation), CVSS v3.1 scoring from a description, and engagement-narrative drafting.
Toggling and tuning
Per-workspace toggles
You can turn a skill off for a project — useful when you don’t want offensive payloads polluting a defensive engagement, or when you want the router to stay narrow.
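The routing rules from "The router" and the per-workspace toggle above, as an added Python example that is not the product's own code. Skill names come from the catalogue; the keywords, slash commands, tool names, threshold, and the rule that a workspace toggle overrides a slash command are assumptions, and @server mentions are not modelled.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Skill:
    name: str
    keywords: frozenset
    commands: frozenset
    tools: tuple

# Constructed catalogue: skill names are from the page; the keywords,
# slash commands and tool names are hypothetical.
CATALOGUE = [
    Skill("recon", frozenset({"subdomain", "dns", "port", "certificate"}),
          frozenset({"/recon"}), ("dns_lookup", "ct_search")),
    Skill("intel-vuln", frozenset({"cve", "cvss", "advisory", "patch"}),
          frozenset({"/cve"}), ("cve_lookup",)),
    Skill("offensive", frozenset({"payload", "shell"}),
          frozenset({"/payload"}), ("payload_gen",)),
    Skill("blue-team", frozenset({"sigma", "kql", "detection", "hunt"}),
          frozenset({"/detect"}), ("rule_writer",)),
]

def route(prompt, disabled=frozenset(), threshold=1, top_k=3):
    """Return (active skill names, tools exposed) for a single turn."""
    text = prompt.lower()
    # A command counts only at the start of the prompt or after whitespace,
    # so a pasted URL path such as example.com/recon cannot force a skill on.
    commands = set(re.findall(r"(?<!\S)/[a-z0-9-]+", text))
    words = set(re.findall(r"[a-z0-9]+", text))
    # Assumption: a workspace toggle wins over everything, slash commands included.
    enabled = [s for s in CATALOGUE if s.name not in disabled]
    forced = [s for s in enabled if s.commands & commands]
    if forced:
        active = forced  # authoritative: keyword scoring is skipped
    else:
        scored = [(len(s.keywords & words), s.name, s) for s in enabled]
        scored = [row for row in scored if row[0] >= threshold]
        scored.sort(key=lambda row: (-row[0], row[1]))
        active = [row[2] for row in scored[:top_k]]
    # Only the activated skills' tools are exposed; the rest stay dormant.
    tools = [t for s in active for t in s.tools]
    return [s.name for s in active], tools
```

With the offensive skill disabled for a workspace, `route("/payload linux", disabled=frozenset({"offensive"}))` activates nothing and exposes no tools, which is the behaviour a defensive engagement wants from the toggle.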
Custom skills (roadmap)
Bring-your-own skills are on the roadmap. The plumbing is in place (skill registry, loader, assembler) — what’s missing is a UI to upload prompt fragments and bind tools. If you have a use case, get in touch.