Thanks for contributing. This guide explains the skill format, the review process, and the conventions to keep the library coherent as it grows.
- One skill, one surface. Prefer focused skills (
offensive-kerberoasting) over monolithic overviews (offensive-active-directory). - YAML frontmatter is required. Skills without it won't load via the Claude Skills system.
- Cite sources. Every technique should be attributable. Link CVEs, advisories, original research.
- No unauthorized targeting. Don't include hardcoded victim domains, real customer data, or credentials.
- Use code blocks with language tags. It's how Claude (and humans) parse them best.
A skill lives at:
Skills/<category>/<skill-folder>/SKILL.md
The folder name must match the name: field in the frontmatter.
---
name: offensive-<bug-class-or-domain>
description: "One paragraph (50–500 words). State the surface, the techniques covered, and when to use this skill. Claude uses this for trigger matching — be specific about scenarios, tools, and sub-topics."
---The description is what Claude matches against. Make it dense with relevant terms an operator would mention. Avoid marketing language.
# <Short Skill Title>
<One-paragraph framing. Why this matters, what makes it distinct.>
## Quick Workflow
1. <Numbered, ordered steps an operator follows in the field>
---
## <Section per phase or technique cluster>
<Concrete, copy-paste commands or code blocks. Annotate the why.>
---
## Detection / Defender View
<Optional but valuable — what defenders will see, common evasions.>
---
## Engagement Cheatsheet
<A short copy-paste-ready sequence summarizing the methodology.>
---
## Key References
- MITRE ATT&CK / CWE / OWASP IDs
- Canonical research papers, conference talks
- Tool docs, advisory URLs
- Source: link to upstream checklist if applicable- Voice: technical, second-person ("you"), present tense
- Length: 200–800 lines is typical; aim for depth in one surface, not breadth across many
- Code blocks: always specify the language (
bash,python,c,powershell,sql,yaml,http) - Tables: use for compact reference (CVE → exploitation, capability → escape, etc.)
- No emoji unless used as visual markers in tables (✓ ✗ ⚠) and only sparingly
- Pick the right category folder. If none fits, propose a new one in your PR description.
- Create
Skills/<category>/<skill-name>/SKILL.md. - Write the frontmatter and body following the structure above.
- Update
README.md— add the skill to the relevant category table. - Update
CHANGELOG.mdunder the next version. - Update
claude-skills.jsonif it exists (runpython tools/build_manifest.pyif available). - Run any local lint:
./tools/check-skill.sh Skills/<category>/<skill-name>/SKILL.md
- Preserve the
name:field (it's a public identifier; renames are breaking changes) - Note the edit briefly in CHANGELOG.md
- For substantive rewrites, link the prior version's SHA so reviewers can diff
When a skill grows beyond one surface (e.g. offensive-wifi covering WPA2, WPA3, BLE, Zigbee), split it:
- Keep the original as a brief overview that points to the new focused skills
- Move detailed content into new per-surface skills
- Update README, CHANGELOG, and the manifest
The roadmap in README tracks current splits.
Pull requests are reviewed for:
- Technical accuracy (does this work? is it current?)
- Clarity (would a competent operator understand and execute?)
- Scope (one surface, not three)
- Attribution (sources cited?)
- Safety (no real targets, no live secrets, no malicious helpers)
Expect one round of review. Maintainers may request edits before merging.
- Skills that hardcode real victim infrastructure
- Tooling that has destructive defaults without warnings
- Bypasses for vendor-mandated security telemetry without legitimate red team context
- Content under non-MIT-compatible licenses
- AI-generated skills without operator review (use Claude to draft, then verify and edit)
Open a GitHub Discussion before a large PR so the maintainers can confirm the direction. For sensitive findings (a leaked credential in an example, etc.), see SECURITY.md.