You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Master Entry → Category Entries → Deep Topic Skills
One master entry, six category entries, and 101 deep topic skills across 14 security domains.
An Agent Skills knowledge base covering web security, API security, authentication & authorization, OS privilege escalation (Linux/Windows/macOS), Active Directory attacks, mobile security, binary exploitation (Pwn), reverse engineering, cryptography attacks, blockchain & smart contract security, AI/ML & LLM security, network protocols & pivoting, and digital forensics — built for bug bounty, penetration testing, CTF competitions, and authorized security research.
The current branch has converged to a standard directory structure: every skill lives in its own directory, uniformly using skills/{semantic-identifier}/SKILL.md. The design goal is not to expose every minor tip as an entry point, but to compress what the loader truly needs to see into one master entry, six category entries, and deep topic skills drilled down on demand.
The objective is straightforward: organize security knowledge that is genuinely useful in real engagements and easy to audit and maintain into a set of installable, searchable, and composable HackSkills.
Browse Online
This repo is published in three forms — pick whichever your workflow prefers; they are kept in sync on every push to main.
The website is a static, fully client-side build of site/ — no tracking, no backend. Source: site/, workflow: .github/workflows/deploy-pages.yml. Search uses a weighted fuzzy index over name / id / category / description with field qualifiers like category:auth, tier:deep, lines:>200.
┌─────────────────────────────────────┐
│ skills.hackbenchmark.com (static) │ ── search / filter / copy install cmd
└─────────────────────────────────────┘
▲
github.com/yaklang/hack-skills ───────►┤ same repo, three views
▼
┌─────────────────────────────────────┐
│ hack-skills.zip (AES-256, public │ ── offline / behind AV
│ password: hack-skills, via CDN) │
└─────────────────────────────────────┘
Knowledge Sources & Distillation Boundaries
This repository is not a mirror of external materials — it is a distillation layer aimed at Agents.
Primary reference sources (all publicly available, used strictly for educational distillation):
CTF competition knowledge base covering Pwn, Crypto, Reverse Engineering, Forensics, and Misc
Distilled into binary exploitation techniques (stack/heap/kernel), crypto attack patterns (RSA/lattice/symmetric), RE methodology, steganography, and traffic analysis skills
hacktricks
Penetration testing encyclopedia covering web tricks, Linux/Windows/macOS privilege escalation, Active Directory, containers, mobile, and AI security
Distilled into OS-specific privilege escalation playbooks, AD attack chains (Kerberos/ACL/ADCS), mobile pentesting checklists, container escape techniques, and network pivoting strategies
Public security research papers and CVE advisories
Distilled into attack pattern matrices, systematic testing checklists, decision trees
Processing principles:
No direct copying of large dictionaries or full payload lists.
Prioritize distilling into routable, composable, and auditable security skills.
Use small, stable samples, taxonomies, and cross-references to improve Agent stability in real security scenarios.
No customer-specific information, no vendor-identifiable case details, purely educational methodology.
Quick Start
The preferred entry point is hack:
npx skills add yaklang/hack-skills
If your tooling supports pulling a single SKILL.md directly, you can also use:
frontmatter name: hack
raw URL: https://raw.githubusercontent.com/yaklang/hack-skills/main/skills/hack/SKILL.md
After installing, the recommended order is simple: start from the master entry, then move into category entries, and only then drill into deep topic skills.
Loader Priority
Layer
Role
Recommended Exposure
Representative Skill
Master Entry
Global routing, test sequencing, cross-category switching
About the password. The ZIP is wrapped with AES-256 and a public constant password hack-skills. This is not access control — anyone can download, anyone can extract, the password is printed openly in the README, the website, the GitHub Actions workflow, and CI logs. It exists solely to bypass content heuristics on AV / EDR / browser scanners that flag plain offensive markdown and silently drop or quarantine the file in transit. Build, encryption settings, and integrity verification all live in .github/workflows/upload-hack-skills.yml.
Same ZIP is also surfaced one-click on the website's nav bar (ZIP button) and the Install → Offline ZIP tab.
Design Principles
Security knowledge takes priority over fancy packaging.
Content auditability takes priority over quantity expansion.
Prioritize authorized testing, legitimate research, and defensive verification scenarios.
Directory names should convey security semantics at a glance.
No customer-specific information; all content is generic methodology for educational use.
Harmless PoC Policy
Skills document how to prove a vulnerability and how to gain access in an authorized
engagement — they do not ship payloads whose only purpose is to irreversibly destroy data or
take a target offline. The boundary is simple:
Removed / neutralized — irreversibly destructive operations. Data destruction
(DROP / TRUNCATE / mass DELETE / Redis FLUSHALL) and availability destruction
(service shutdown / reboot / DoS endpoints) are replaced with non-destructive proofs that
demonstrate the same injection point or capability.
Retained — non-destructive access primitives. Standard offensive PoCs needed for real
authorized testing are kept, including RCE such as webshell writes (INTO OUTFILE /
DUMPFILE), reverse shells, and command execution. These grant access without wrecking the
environment.
Destructive form (avoided)
Used instead
Why it still proves the issue
...; DROP TABLE users;-- (stacked query)
...; SELECT SLEEP(5);--
Time delay proves arbitrary stacked-statement execution, no data loss
DELETE FROM ... WHERE x='' OR '1'='1' (deletes all rows)
Same recon/secret-leak value without taking the app down
Conventions:
Prefer time-based (SLEEP/pg_sleep/WAITFOR DELAY) or read-only proofs over any
statement that destroys data or availability.
RCE stays in scope: webshell drops, reverse shells, and command execution are non-destructive
access primitives essential to authorized testing and are intentionally retained.
Standard read-only recon commands (e.g. xp_cmdshell 'whoami', LOAD_FILE('/etc/passwd')) are kept.
Defensive hardening snippets (e.g. rename-command FLUSHALL "") are kept as defenses.
Related Projects (Sister Sites)
HackSkills is part of a family of agent-facing knowledge bases from the Yaklang ecosystem:
When a finding needs custom tooling — proxy hot-patching, traffic decryption, fuzzing logic — pivot from HackSkills to Yak Skills for the Yaklang implementation playbooks.
Contributing
PRs are welcome. Key areas include:
New vulnerability categories and high-value cases
Better bug bounty and penetration testing methodologies
OS-specific privilege escalation paths and AD attack chains
CTF challenge techniques (Pwn, Crypto, RE, Forensics)
Edge conditions that Agents easily overlook
Risk annotations, terminology consistency, and content denoising
Contributions should ideally be verifiable, auditable, and helpful for Agents to reason and execute more robustly in real tasks.
About
Helping AI Agent become an awesome practical hacker!