Active Directory security audit using the MITRE ATT&CK framework. Full domain enumeration, trust mapping, GPO analysis, ACL abuse paths, ADCS attacks (ESC1-ESC8), delegation abuse (constrained/unconstrained/RBCD), fine-grained password policies, LAPS deployment, service account security, and Kerberos configuration. Uses enum4linux-ng, netexec, impacket, ldapsearch, certipy-ad, bloodhound-python, and rpcclient. Produces attack path diagrams, prioritized risk register, and PoCs. Chains into /gh-export for issue filing.
Auto-activate for alembic/, alembic.ini, advanced_alchemy imports. Expert knowledge for Advanced Alchemy / SQLAlchemy ORM patterns. Produces ORM models with audit trails, repository/service patterns, and Alembic migrations. Use when: defining models with UUIDAuditBase, building repositories and services, configuring SQLAlchemy plugins for Litestar/FastAPI/Flask/Sanic, creating DTOs, running Alembic migrations, using custom types (EncryptedString, FileObject, PasswordHash, DateTimeUTC), composing filters and pagination, choosing base classes and mixins, configuring dogpile.cache query caching, setting up read/write replica routing, or managing file storage with obstore/fsspec backends. Not for raw SQLAlchemy without Advanced Alchemy abstractions.
FastAPI Best Architecture (fba) project development guide. Provide complete architecture specifications, coding styles, and plugin development guidance.
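Use this skill when creating or modifying API routes in the MergeMeet project. It enforces the "no trailing slash" standard to prevent 404 errors. Applies when working with FastAPI routes, fixing 404 errors, or reviewing API endpoint definitions.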
Verify and install project tooling before feature development. Detects language (Node/TS, Python, Rust, Go), installs linter, formatter, type checker, dead code detection, pre-commit hooks, test framework, and standardized scripts. Idempotent — tracks state in .tooling-state.json. Use when starting a new project, when /develop Phase 4c runs, or when the user says "bootstrap", "setup tooling", "install dev tools", "quality gates".
- 📁 examples/
- 📄 bandit.md
- 📄 README.md
- 📄 SKILL.md
Security audit of Python source code (.py, setup.py, pyproject.toml) for security vulnerabilities using Bandit AST analysis. Detects exec/eval code execution, pickle/yaml deserialization, subprocess shell injection, SQL injection, hardcoded credentials, weak cryptography, and OWASP Top 10 Python issues. Use for Python security audits, Django/Flask apps, malicious Python code triage, and CI/CD pipelines. Do not use for dependency/package audits (use guarddog), non-Python code (use graudit), or shell scripts (use shellcheck). For mixed Python projects, combine with graudit -d secrets for comprehensive coverage.
Help developers write code that interacts with Alkahest escrow contracts using the TypeScript, Rust, or Python SDK
This skill should be used when the user asks to "create api endpoint", "django ninja", "django api", "add endpoint", "rest api django", "ninja router", "api schemas", or mentions API development, endpoint organization, or Pydantic schemas in Django projects. Provides Django Ninja patterns with 1-endpoint-per-file organization. --- # Django Ninja API Development Opinionated Django Ninja patterns with single-endpoint-per-file organization. ## Core Principles 1. **One endpoint = one file** - Each endpoint lives in its own file 2. **Logical grouping** - Endpoints grouped in subpackages by domain 3. **Router per group** - Each group has its own router 4. **Schemas in separate package** - Pydantic models in `schemas/` 5. **Services for logic** - Business logic in services, not endpoints ## API Structure ``` myapp/ ├── api/ │ ├── __init__.py # Main NinjaAPI instance │ ├── users/ │ │ ├── __init__.py # Router: users_router │ │ ├── list.py # GET /users/ │ │ ├── detail.py # GET /users/{id} │ │ ├── create.py # POST /users/ │ │ ├── update.py # PUT /users/{id} │ │ └── delete.py # DELETE /users/{id} │ ├── products/ │ │ ├── __init__.py │ │ ├── list.py │ │ ├── detail.py │ │ └── search.py │ └── auth/ │ ├── __init__.py │ ├── login.py │ ├── logout.py │ └── refresh.py └── schemas/ ├── __init__.py ├── user.py # UserIn, UserOut, UserPatch ├── product.py └── common.py # Pagination, errors ``` ## Main API Setup In `api/__init__.py`: ```python from ninja import NinjaAPI from ninja.security import HttpBearer from .users import router as users_router from .products import router as products_router from .auth import router as auth_router class AuthBearer(HttpBearer): def authenticate(self, request, token): # Token validation logic from ..services.auth import AuthService return AuthService.validate_token(token) api = NinjaAPI( title="My API",
- 📁 agents/
- 📁 references/
- 📄 SKILL.md
Public skill for installing, running, debugging, improving, and handing off a Paper Reader style product built with Next.js and FastAPI. Use when the user wants to work on a paper discovery and recommendation app with ranking cards, detail pages, and reproducibility evidence.
Create or modify tools (.json + .sh pairs) and skills (SKILL.md files) and hot-reload them into the active conversation using reload_capabilities. Use when you want to build a new capability, extend yourself with a new tool, fix an existing tool, create or update a skill, or build a complete application (web server, API, data pipeline, CLI) — all without restarting. --- ## Overview You can extend yourself at runtime. New tools and skills take effect immediately via `reload_capabilities` — no session restart required. Session-scoped capabilities live in `core/` inside your session directory: - **Tools**: `core/tools/<name>.json` (schema) + `core/tools/<name>.sh` (implementation) - **Skills**: `core/skills/<name>/SKILL.md` (frontmatter + body) **There is no limit on what a tool can do.** The shell script can call Python, Node.js, any language or binary on the system. Build first, use immediately. --- ## Building a tool
- 📄 main.py
- 📄 README.md
- 📄 SKILL.md
Opinionated code review for Python and TypeScript — a senior engineer's taste as a service
- 📁 .github/
- 📁 channel-plugin/
- 📁 config/
- 📄 .coverage
- 📄 .env.example
- 📄 .gitignore
Add real-time phone calling to AI agents using OpenAI Realtime API and Twilio Media Streams. Use when you want an AI agent to make or receive phone calls with sub-200ms latency, bidirectional audio streaming, and session continuity across voice, Telegram, and email channels. Requires Python 3.9+, a Twilio phone number, and an OpenAI API key with Realtime API access.