{"id":50510317,"url":"https://github.com/SnailSploit/Claude-Red","last_synced_at":"2026-06-12T02:00:36.491Z","repository":{"id":351522946,"uuid":"1172273835","full_name":"SnailSploit/Claude-Red","owner":"SnailSploit","description":"claude-red is a curated library of offensive security skills designed for the Claude skills system. Each skill is a structured SKILL.md file that primes Claude with expert-level methodology for a specific attack surface — from SQLi to shellcode, EDR evasion to exploit development.","archived":false,"fork":false,"pushed_at":"2026-05-01T21:47:30.000Z","size":1048,"stargazers_count":1140,"open_issues_count":0,"forks_count":195,"subscribers_count":10,"default_branch":"main","last_synced_at":"2026-05-01T23:28:20.428Z","etag":null,"topics":["claude-ai","claude-pt","claude-skills","redteam","redteam-tools","skills"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SnailSploit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-04T05:52:35.000Z","updated_at":"2026-05-01T22:53:40.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/SnailSploit/Claude-Red","commit_stats":null,"previous_names":["snailsploit/claude-red"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/SnailSploit/Claude-Red","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SnailSploit%2FClaude-Red","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SnailSploit%2FClaude-Red/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SnailSploit%2FClaude-Red/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SnailSploit%2FClaude-Red/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SnailSploit","download_url":"https://codeload.github.com/SnailSploit/Claude-Red/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SnailSploit%2FClaude-Red/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34225351,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["claude-ai","claude-pt","claude-skills","redteam","redteam-tools","skills"],"created_at":"2026-06-02T20:00:22.174Z","updated_at":"2026-06-12T02:00:36.427Z","avatar_url":"https://github.com/SnailSploit.png","language":"Python","funding_links":[],"categories":["🔒 安全与逆向 (Security \u0026 Reverse Engineering)","Python"],"sub_categories":["架构演进：代码优先 (Code-First)"],"readme":"![claude-red banner](/assets/banner.png)\n\n\u003cdiv align=\"center\"\u003e\n\n# claude-red\n\n**Offensive security skills for Claude — drop-in `SKILL.md` files that turn Claude into a context-aware red team operator.**\n\n[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)\n[![Skills](https://img.shields.io/badge/skills-58-red.svg)](#skill-index)\n[![Categories](https://img.shields.io/badge/categories-13-orange.svg)](#categories)\n[![Stars](https://img.shields.io/github/stars/SnailSploit/claude-red?style=social)](https://github.com/SnailSploit/claude-red)\n[![Forks](https://img.shields.io/github/forks/SnailSploit/claude-red?style=social)](https://github.com/SnailSploit/claude-red/network/members)\n\nBuilt by **[SnailSploit](https://snailsploit.com)** — GenAI Security Research.\n\n\u003c/div\u003e\n\n---\n\n## Table of Contents\n\n- [What is this](#what-is-this)\n- [Quickstart](#quickstart)\n- [Categories](#categories)\n- [Skill Index](#skill-index)\n  - [Web Application](#web-application)\n  - [Auth \u0026 Identity](#auth--identity)\n  - [Active Directory](#active-directory)\n  - [Wireless](#wireless)\n  - [Cloud](#cloud)\n  - [Mobile](#mobile)\n  - [IoT \u0026 Embedded](#iot--embedded)\n  - [Infrastructure \u0026 Red Team](#infrastructure--red-team)\n  - [Exploit Development](#exploit-development)\n  - [Fuzzing \u0026 Vulnerability Research](#fuzzing--vulnerability-research)\n  - [Reconnaissance](#reconnaissance)\n  - [AI Security](#ai-security)\n  - [Utility](#utility)\n- [Roadmap](#roadmap)\n- [Contributing](#contributing)\n- [License](#license)\n- [Acknowledgements](#acknowledgements)\n\n---\n\n## What is this\n\n`claude-red` is a curated library of offensive security skills for the [Claude Skills system](https://docs.claude.com). Each skill is a structured `SKILL.md` file that primes Claude with expert-level methodology for a specific attack surface — from SQLi to shellcode, EDR evasion to ADCS abuse.\n\nDrop a skill into your Claude environment and it behaves like a specialist: it knows the techniques, the tooling, the edge cases, and the escalation paths. Skills load on demand based on conversational triggers — you don't pay context for skills you aren't using.\n\n**Use it for:** authorized red team engagements, bug bounty triage, security research, CTF preparation, training operators, and exploring attack surfaces methodically.\n\n---\n\n## Quickstart\n\n### Claude Skills System (recommended)\n\n```bash\n# Clone into a directory Claude will scan\ngit clone https://github.com/SnailSploit/claude-red ~/.claude/skills/claude-red\n\n# Or install only one category\ngit clone --filter=blob:none --sparse https://github.com/SnailSploit/claude-red\ncd claude-red \u0026\u0026 git sparse-checkout set Skills/web Skills/active-directory\n```\n\nClaude will auto-load matching skills based on conversational triggers (e.g. mentioning SQLi loads `offensive-sqli`).\n\n### Claude Code\n\n```bash\n# Point Claude at a single skill before a session\ncat Skills/web/offensive-sqli/SKILL.md | claude --system-file -\n\n# Or load a whole category\ncat Skills/active-directory/**/SKILL.md | claude --system-file -\n```\n\n### Claude.ai (Manual)\n\nPaste the contents of a `SKILL.md` into a Project's system prompt or prepend to your conversation.\n\n### Install Script\n\n```bash\n./install.sh                           # interactive\n./install.sh --target ~/.claude/skills # explicit target\n./install.sh --category web            # one category\n```\n\n---\n\n## Categories\n\n| Category | Skills | Focus |\n|---|---:|---|\n| [Web Application](#web-application) | 16 | OWASP Top 10 + business logic + advanced web bug classes |\n| [Auth \u0026 Identity](#auth--identity) | 2 | JWT, OAuth |\n| [Active Directory](#active-directory) | 1 | On-prem AD attack methodology *(expanding)* |\n| [Wireless](#wireless) | 13 | 802.11, WPA2/3, EAP, WPS, evil-twin, BLE, Zigbee, Z-Wave, LoRa, sub-GHz |\n| [Cloud](#cloud) | 1 | AWS / Azure / GCP attack paths *(expanding)* |\n| [Mobile](#mobile) | 1 | Android + iOS pentest *(expanding)* |\n| [IoT \u0026 Embedded](#iot--embedded) | 1 | Hardware, firmware, RTOS, ICS *(expanding)* |\n| [Infrastructure \u0026 Red Team](#infrastructure--red-team) | 7 | Initial access, EDR evasion, Windows ops |\n| [Exploit Development](#exploit-development) | 6 | Stack/heap, mitigations, crash analysis, TOCTOU |\n| [Fuzzing \u0026 VR](#fuzzing--vulnerability-research) | 4 | libFuzzer, AFL++, bug ID, vuln classes |\n| [Reconnaissance](#reconnaissance) | 2 | OSINT tooling and methodology |\n| [AI Security](#ai-security) | 1 | Prompt injection, jailbreaks, RAG poisoning |\n| [Utility](#utility) | 2 | Fast-checking, professional reporting |\n\n---\n\n## Skill Index\n\n### Web Application\n\n`Skills/web/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-sqli`](Skills/web/offensive-sqli/SKILL.md) | SQL injection — error/blind/OOB, DB-specific, ORM CVEs, cloud paths |\n| [`offensive-xss`](Skills/web/offensive-xss/SKILL.md) | Cross-site scripting — stored, reflected, DOM, mutation |\n| [`offensive-ssrf`](Skills/web/offensive-ssrf/SKILL.md) | Server-side request forgery — cloud metadata, filter bypass |\n| [`offensive-ssti`](Skills/web/offensive-ssti/SKILL.md) | Server-side template injection — engine ID, RCE paths |\n| [`offensive-xxe`](Skills/web/offensive-xxe/SKILL.md) | XML external entity — OOB exfil, blind exploitation |\n| [`offensive-idor`](Skills/web/offensive-idor/SKILL.md) | Insecure direct object references — enumeration, business logic |\n| [`offensive-file-upload`](Skills/web/offensive-file-upload/SKILL.md) | File upload — extension bypass, polyglots, webshells |\n| [`offensive-rce`](Skills/web/offensive-rce/SKILL.md) | Remote code execution — chaining, command injection |\n| [`offensive-deserialization`](Skills/web/offensive-deserialization/SKILL.md) | Insecure deserialization — Java/PHP/.NET gadget chains |\n| [`offensive-race-condition`](Skills/web/offensive-race-condition/SKILL.md) | Race conditions — TOCTOU, single-packet, limit bypass |\n| [`offensive-request-smuggling`](Skills/web/offensive-request-smuggling/SKILL.md) | HTTP request smuggling — CL.TE, TE.CL, h2 desync |\n| [`offensive-open-redirect`](Skills/web/offensive-open-redirect/SKILL.md) | Open redirect — OAuth abuse, phishing, SSRF pivots |\n| [`offensive-parameter-pollution`](Skills/web/offensive-parameter-pollution/SKILL.md) | HTTP parameter pollution — WAF bypass, logic confusion |\n| [`offensive-graphql`](Skills/web/offensive-graphql/SKILL.md) | GraphQL — introspection, batching, IDOR via aliases |\n| [`offensive-waf-bypass`](Skills/web/offensive-waf-bypass/SKILL.md) | WAF bypass — encoding, chunking, case mutation |\n| [`offensive-business-logic`](Skills/web/offensive-business-logic/SKILL.md) | Business logic — workflow bypass, pricing, refunds, chains |\n\n### Auth \u0026 Identity\n\n`Skills/auth/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-jwt`](Skills/auth/offensive-jwt/SKILL.md) | JWT — alg:none, key confusion, secret cracking |\n| [`offensive-oauth`](Skills/auth/offensive-oauth/SKILL.md) | OAuth — open redirect abuse, token leakage, PKCE bypass |\n\n### Active Directory\n\n`Skills/active-directory/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-active-directory`](Skills/active-directory/offensive-active-directory/SKILL.md) | AD — Kerberoast, ASREProast, ACL abuse, ADCS ESC1-15, delegation, persistence, hybrid AAD |\n\n\u003e **Note:** This category is being expanded. The AD overview is being split into 16 focused skills (Kerberoasting, ASREProasting, ADCS, coercion, NTLM relay, BloodHound, ticket forgery, GPO abuse, etc.). See [Roadmap](#roadmap).\n\n### Wireless\n\n`Skills/wireless/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-wifi`](Skills/wireless/offensive-wifi/SKILL.md) | 802.11 overview — entrypoint into the wireless category |\n| [`offensive-wifi-recon`](Skills/wireless/offensive-wifi-recon/SKILL.md) | Adapter selection, monitor mode, multi-band airspace mapping |\n| [`offensive-wpa2-psk`](Skills/wireless/offensive-wpa2-psk/SKILL.md) | Handshake capture, PMKID, hashcat 22000 cracking |\n| [`offensive-wpa3-sae`](Skills/wireless/offensive-wpa3-sae/SKILL.md) | Transition-mode downgrade, Dragonblood, SAE side-channels |\n| [`offensive-wpa-enterprise`](Skills/wireless/offensive-wpa-enterprise/SKILL.md) | 802.1X / EAP attacks, eaphammer evil-twin RADIUS |\n| [`offensive-wps`](Skills/wireless/offensive-wps/SKILL.md) | Pixie Dust, online PIN brute, vendor PIN generators |\n| [`offensive-evil-twin`](Skills/wireless/offensive-evil-twin/SKILL.md) | KARMA, Mana, captive portal, post-association MITM |\n| [`offensive-krack-fragattacks`](Skills/wireless/offensive-krack-fragattacks/SKILL.md) | KRACK + FragAttacks supplicant testing |\n| [`offensive-deauth-disassoc`](Skills/wireless/offensive-deauth-disassoc/SKILL.md) | Targeted/broadcast deauth, PMF awareness, action frames |\n| [`offensive-bluetooth-ble`](Skills/wireless/offensive-bluetooth-ble/SKILL.md) | BLE GATT enum, pairing downgrade, sniffing, MITM |\n| [`offensive-bluetooth-classic`](Skills/wireless/offensive-bluetooth-classic/SKILL.md) | BR/EDR — SDP, SPP, KNOB, BlueBorne, HID spoofing |\n| [`offensive-zigbee-thread-matter`](Skills/wireless/offensive-zigbee-thread-matter/SKILL.md) | 802.15.4 mesh — KillerBee, Touchlink abuse, ZCL command injection |\n| [`offensive-z-wave`](Skills/wireless/offensive-z-wave/SKILL.md) | S0 key derivation flaw, S2 commissioning, hub pivots |\n| [`offensive-lorawan-sub-ghz`](Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md) | LoRaWAN ABP/OTAA, KeeLoq garage doors, fixed-code, TPMS |\n\n### Cloud\n\n`Skills/cloud/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-cloud`](Skills/cloud/offensive-cloud/SKILL.md) | AWS / Azure / GCP — privesc, IMDS, cross-account, persistence, CSPM evasion |\n\n\u003e **Note:** Cloud-identity (Entra/AAD/Okta hybrid) skills coming separately. See [Roadmap](#roadmap).\n\n### Mobile\n\n`Skills/mobile/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-mobile`](Skills/mobile/offensive-mobile/SKILL.md) | Android + iOS — Frida, pinning, storage, biometric, deep links |\n\n### IoT \u0026 Embedded\n\n`Skills/iot/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-iot`](Skills/iot/offensive-iot/SKILL.md) | Hardware recon, firmware, RTOS, ICS/OT, MQTT/CoAP |\n\n\u003e **Note:** Being split into 10 focused skills (UART/JTAG, flash dump, fault injection, U-Boot, secure boot, RTOS, ICS protocols). See [Roadmap](#roadmap).\n\n### Infrastructure \u0026 Red Team\n\n`Skills/infrastructure/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-initial-access`](Skills/infrastructure/offensive-initial-access/SKILL.md) | Phishing, drive-by, supply chain — TA0001 |\n| [`offensive-advanced-redteam`](Skills/infrastructure/offensive-advanced-redteam/SKILL.md) | Full kill chain, C2, OPSEC, lateral, persistence |\n| [`offensive-edr-evasion`](Skills/infrastructure/offensive-edr-evasion/SKILL.md) | Unhooking, indirect syscalls, PPID spoofing |\n| [`offensive-shellcode`](Skills/infrastructure/offensive-shellcode/SKILL.md) | Writing, encoding, injection techniques |\n| [`offensive-keylogger-arch`](Skills/infrastructure/offensive-keylogger-arch/SKILL.md) | Keylogger architecture and input-capture techniques |\n| [`offensive-windows-mitigations`](Skills/infrastructure/offensive-windows-mitigations/SKILL.md) | Windows mitigations — ACG, Arbitrary Code Guard |\n| [`offensive-windows-boundaries`](Skills/infrastructure/offensive-windows-boundaries/SKILL.md) | Defeating Windows boundaries — sandbox escape, privilege |\n\n### Exploit Development\n\n`Skills/exploit-dev/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-exploit-development`](Skills/exploit-dev/offensive-exploit-development/SKILL.md) | Stack/heap, ROP chains, mitigations |\n| [`offensive-exploit-dev-course`](Skills/exploit-dev/offensive-exploit-dev-course/SKILL.md) | Structured curriculum format |\n| [`offensive-basic-exploitation`](Skills/exploit-dev/offensive-basic-exploitation/SKILL.md) | Linux exploitation, mitigations disabled — beginner-to-mid |\n| [`offensive-crash-analysis`](Skills/exploit-dev/offensive-crash-analysis/SKILL.md) | Crash triage, exploitability assessment, root cause |\n| [`offensive-mitigations`](Skills/exploit-dev/offensive-mitigations/SKILL.md) | Modern kernel mitigations — ASLR, CFG, CET, PAC |\n| [`offensive-toctou`](Skills/exploit-dev/offensive-toctou/SKILL.md) | Time-of-check/use across binary, kernel, web, container |\n\n### Fuzzing \u0026 Vulnerability Research\n\n`Skills/fuzzing/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-fuzzing`](Skills/fuzzing/offensive-fuzzing/SKILL.md) | libFuzzer, AFL++, coverage-guided, mutation strategies |\n| [`offensive-fuzzing-course`](Skills/fuzzing/offensive-fuzzing-course/SKILL.md) | Curriculum — finding vulns via fuzzing |\n| [`offensive-bug-identification`](Skills/fuzzing/offensive-bug-identification/SKILL.md) | Code review patterns, static analysis triggers |\n| [`offensive-vuln-classes`](Skills/fuzzing/offensive-vuln-classes/SKILL.md) | Vulnerability classes — real-world examples, taxonomy |\n\n### Reconnaissance\n\n`Skills/recon/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-osint`](Skills/recon/offensive-osint/SKILL.md) | OSINT tools — recon-ng, theHarvester, Maltego pipelines |\n| [`offensive-osint-methodology`](Skills/recon/offensive-osint-methodology/SKILL.md) | OSINT methodology — structured intelligence collection |\n\n### AI Security\n\n`Skills/ai/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-ai-security`](Skills/ai/offensive-ai-security/SKILL.md) | AI pentest — prompt injection, jailbreaking, RAG poisoning |\n\n### Utility\n\n`Skills/utility/`\n\n| Skill | Description |\n|---|---|\n| [`offensive-fast-checking`](Skills/utility/offensive-fast-checking/SKILL.md) | Fast triage checklist — quick-win identification |\n| [`offensive-reporting`](Skills/utility/offensive-reporting/SKILL.md) | Pro pentest reporting — CVSS, evidence, exec summary, retest |\n\n---\n\n## Roadmap\n\nThe library is being expanded in seven phases. Track progress in [CHANGELOG.md](CHANGELOG.md).\n\n| Phase | Category | New Skills | Status |\n|---|---|---:|---|\n| 1 | Internal AD/Windows (rename `active-directory/` → `internal/`) | +16 | Planned |\n| 2 | Cloud Identity (Entra/AAD, ADFS, Okta, M365) | +10 | Planned |\n| 3 | Wireless split (WPA2/3, EAP, BLE, Zigbee, Z-Wave, LoRa, sub-GHz) | +12 | **Mandatory** |\n| 4 | IoT split (UART/JTAG, flash, fault injection, RTOS, ICS) | +10 | Planned |\n| 5 | Web Basics (recon, auth bypass, access control, CSRF, headers, CORS, cache, clickjack) | +8 | Planned |\n| 6 | Web Advanced (proto pollution, SAML, OIDC, WebSocket, gRPC, postMessage, SSI/ESI, CSTI) | +10 | Planned |\n| 7 | Polish (README, LICENSE, manifest, install) | — | **In progress** |\n\nEnd state: ~107 skills across the same 13+ categories.\n\n---\n\n## Contributing\n\nContributions welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for the skill template, frontmatter standard, and review process. Focused, single-surface skills are preferred over monolithic overviews.\n\n## License\n\n[MIT](LICENSE) — use freely, attribution appreciated.\n\n## Acknowledgements\n\n- **Author:** Kai Aizen (SnailSploit) — [snailsploit.com](https://snailsploit.com)\n- **Original Checklists:** [Sahar Shlichov](https://github.com/sahar042/offensive-checklist) — the offensive checklist collection many of these skills are based on.\n- **Community:** PRs and feedback that keep the library current with the threat landscape.\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n\u003e *\"Give Claude the right skill and it stops being a chatbot. It becomes an operator.\"*\n\n\u003c/div\u003e\n\n\u003c!-- snailsploit-backlink:start --\u003e\n\n---\n\n## 📚 Documentation \u0026 Author\n\nThis project's full writeup, methodology, and related research lives at:\n\n**[https://snailsploit.com/claude-red](https://snailsploit.com/claude-red)**\n\nCreated by **Kai Aizen** — independent offensive security researcher.\n\n[snailsploit.com](https://snailsploit.com) · [Research](https://snailsploit.com/research) · [Frameworks](https://snailsploit.com/frameworks) · [GitHub](https://github.com/SnailSploit) · [LinkedIn](https://linkedin.com/in/kaiaizen) · [ResearchGate](https://www.researchgate.net/profile/Kai-Aizen-2) · [X/Twitter](https://x.com/SnailSploit)\n\n\u003e *Same attack. Different substrate.*\n\n\u003c!-- snailsploit-backlink:end --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSnailSploit%2FClaude-Red","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSnailSploit%2FClaude-Red","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSnailSploit%2FClaude-Red/lists"}