webassessment
Web security assessment. USE WHEN web assessment, pentest, security testing, vulnerability scan. SkillSearch('webassessment') for docs.
Install
mkdir -p .claude/skills/webassessment && curl -L -o skill.zip "https://mcp.directory/api/skills/download/844" && unzip -o skill.zip -d .claude/skills/webassessment && rm skill.zip
Installs to .claude/skills/webassessment
This one-liner downloads and unpacks an archive from a third-party directory with no checksum or signature check, and the agent then executes whatever instructions the unpacked skill contains. Read the unpacked files before invoking the skill.
About this skill
Customization
Before executing, check for user customizations at:
~/.claude/skills/PAI/USER/SKILLCUSTOMIZATIONS/WebAssessment/
If this directory exists, load and apply any PREFERENCES.md, configurations, or resources found there. These override default behavior. If the directory does not exist, proceed with skill defaults.
MANDATORY: Voice Notification (REQUIRED BEFORE ANY ACTION)
You MUST send this notification BEFORE doing anything else when this skill is invoked.
Send voice notification:
curl -s -X POST http://localhost:8888/notify \
  -H "Content-Type: application/json" \
  -d '{"message": "Running the WORKFLOWNAME workflow in the WebAssessment skill to ACTION"}' \
  > /dev/null 2>&1 &
Output text notification:
Running the **WorkflowName** workflow in the **WebAssessment** skill to ACTION...
This is not optional. Execute this curl command immediately upon skill invocation.
WebAssessment Skill
Security assessment infrastructure integrating reconnaissance, threat modeling, and vulnerability testing.
Workflow Routing
| Trigger | Workflow |
|---|---|
| "understand application", "what does this app do", "map the application" | UnderstandApplication |
| "threat model", "attack scenarios", "how would I attack" | CreateThreatModel |
| "pentest", "security assessment", "test for vulnerabilities" | Pentest/MasterMethodology |
| "fuzz with ffuf", "directory fuzzing", "content discovery" | Ffuf/FfufGuide |
| "OSINT", "reconnaissance", "open source intelligence" | Osint/MasterGuide |
| "test web app", "Playwright", "browser automation" | Webapp/TestingGuide |
| "bug bounty", "bounty programs" | BugBounty/Programs |
| "vulnerability analysis with AI", "Gemini analysis" | VulnerabilityAnalysisGemini3 |
Skill Integration
WebAssessment coordinates with specialized skills:
| Phase | Skill | Purpose |
|---|---|---|
| Scope Definition | Recon | Corporate structure, domain enumeration |
| Target Discovery | Recon | Subdomains, endpoints, ports |
| Understanding | WebAssessment | App narrative, user flows, sensitive data |
| Threat Modeling | WebAssessment | Attack scenarios, test prioritization |
| Injection Testing | PromptInjection | LLM-specific attacks |
| Intelligence | OSINT | People, companies, social media |
Assessment Workflow
1. Corporate Structure (Recon) → Define scope and targets
2. Subdomain Enumeration (Recon) → Find all domains
3. Endpoint Discovery (Recon) → Extract JS endpoints
4. Understand Application → Build app narrative
5. Create Threat Model → Prioritize attack scenarios
6. Execute Testing → Test against identified threats
7. Report Findings → Document with PoCs
Recon Skill Tools
WebAssessment uses tools from the Recon skill:
# Corporate structure for scope
bun ~/.claude/skills/Recon/Tools/CorporateStructure.ts target.com
# Subdomain enumeration
bun ~/.claude/skills/Recon/Tools/SubdomainEnum.ts target.com
# Endpoint discovery from JavaScript
bun ~/.claude/skills/Recon/Tools/EndpointDiscovery.ts https://target.com
# Port scanning
bun ~/.claude/skills/Recon/Tools/PortScan.ts target.com
# Path discovery
bun ~/.claude/skills/Recon/Tools/PathDiscovery.ts https://target.com
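The EndpointDiscovery step above extracts endpoints from the application's JavaScript, but the page does not show how. The following is an added example written for this page, not the Recon skill's own EndpointDiscovery.ts, in TypeScript because the skill's tools are TypeScript run with bun. The regexes, the normalisation rule (`${id}` becomes `{id}`), the static-asset filter and the sample bundle are all constructed for illustration; real bundles will also build URLs by concatenation, which a regex pass cannot resolve.

```typescript
// Added example, not the Recon skill's EndpointDiscovery.ts: pull candidate
// endpoints out of JavaScript source so they can feed the Attack Surface
// section of the application narrative. Regexes, sample bundle and the
// normalisation rules are constructed for illustration.

export type Endpoint = {
  path: string;          // normalised path or absolute URL, ${var} becomes {var}
  method: string | null; // HTTP method when it is visible at the call site
  websocket: boolean;    // ws:// or wss:// scheme, feeds the "WebSocket detected" trigger
};

// fetch(url, { method: "POST", ... }); the options object is optional, default GET
const FETCH_RE = /fetch\(\s*["'`]([^"'`]+)["'`](?:\s*,\s*\{[^}]*?\bmethod\s*:\s*["'`](\w+)["'`])?/g;
// axios.get(url), axios.post(url, ...) and friends
const AXIOS_RE = /axios\.(get|post|put|patch|delete)\(\s*["'`]([^"'`]+)["'`]/g;
// any quoted literal that looks like a path, a ${base}/path template, or an absolute URL
const PATH_RE = /["'`]((?:(?:https?|wss?):\/\/[A-Za-z0-9.\-]+|\$\{\w+\})?\/[A-Za-z0-9_{$][A-Za-z0-9_\-./{}$:?=&]*)["'`]/g;
// static assets are noise for endpoint discovery
const STATIC_RE = /\.(?:m?js|css|png|jpe?g|gif|svg|ico|woff2?|ttf|map)(?:\?.*)?$/i;

function allMatches(re: RegExp, s: string): RegExpExecArray[] {
  const out: RegExpExecArray[] = [];
  const r = new RegExp(re.source, re.flags); // fresh instance so lastIndex starts at 0
  let m: RegExpExecArray | null;
  while ((m = r.exec(s)) !== null) out.push(m);
  return out;
}

function normalise(raw: string): string {
  // `/users/${id}` -> `/users/{id}` so one route is not listed once per variable name
  return raw.replace(/\$\{(\w+)\}/g, "{$1}");
}

export function extractEndpoints(js: string): Endpoint[] {
  const byKey = new Map<string, Endpoint>();
  const withMethod = new Set<string>();
  const add = (raw: string, method: string | null): void => {
    const path = normalise(raw);
    if (STATIC_RE.test(path)) return;
    const key = `${method ?? ""} ${path}`;
    if (byKey.has(key)) return;
    byKey.set(key, { path, method, websocket: /^wss?:\/\//.test(path) });
    if (method !== null) withMethod.add(path);
  };

  // Pass 1: call sites, where the HTTP method is visible.
  for (const m of allMatches(FETCH_RE, js)) add(m[1], (m[2] ?? "GET").toUpperCase());
  for (const m of allMatches(AXIOS_RE, js)) add(m[2], m[1].toUpperCase());
  // Pass 2: bare literals, skipping routes already recorded with a method.
  for (const m of allMatches(PATH_RE, js)) {
    if (!withMethod.has(normalise(m[1]))) add(m[1], null);
  }

  return Array.from(byKey.values()).sort(
    (a, b) => a.path.localeCompare(b.path) || (a.method ?? "").localeCompare(b.method ?? ""),
  );
}

// Constructed sample bundle standing in for a downloaded app.js.
export const SAMPLE_BUNDLE = [
  'const BASE = "/api/v1";',
  'export function listOrders() { return fetch("/api/v1/orders"); }',
  'export function createOrder(b) { return fetch("/api/v1/orders", { method: "POST", body: JSON.stringify(b) }); }',
  "export function getUser(id) { return axios.get(`/api/v1/users/${id}`); }",
  'export function delUser(id) { return axios.delete("/admin/users/" + id); }',
  'const logo = "/static/logo.png";',
  'const ws = "wss://app.example.com/socket";',
  'const legacy = "https://legacy.example.com/internal/export";',
].join("\n");

for (const e of extractEndpoints(SAMPLE_BUNDLE)) {
  console.log(`${e.method ?? "?"}\t${e.path}${e.websocket ? "  [websocket]" : ""}`);
}
```

On the sample bundle this yields seven entries: GET and POST on /api/v1/orders, GET /api/v1/users/{id}, DELETE /admin/users/ (the concatenated id is lost), the bare /api/v1 base, the legacy host, and the WebSocket URL flagged for the WebSocket threat category; the logo asset is dropped. Run it against every JavaScript file EndpointDiscovery downloads, then feed the hosts it surfaces back into subdomain enumeration, since a legacy host referenced only from JS is exactly the kind of asset scope reviews miss.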
UnderstandApplication Output
Produces structured narrative including:
- Summary: Purpose, industry, user base, critical functions
- User Roles: Access levels and capabilities
- User Flows: Step-by-step processes with sensitive data
- Technology Stack: Frontend, backend, auth, third-party
- Attack Surface: Entry points, inputs, file uploads, websockets
CreateThreatModel Output
Generates prioritized attack plan:
- Threats: OWASP/CWE mapped with risk scores
- Attack Paths: Multi-step attack scenarios
- Test Plan: Prioritized with tool suggestions
- Effort Estimates: Quick/medium/extensive per threat
Threat Categories
| Category | Triggers On |
|---|---|
| Authentication | Auth mechanisms detected |
| Access Control | Multiple user roles |
| Injection | All web apps |
| Data Exposure | Sensitive data identified |
| File Upload | Upload functionality |
| API Security | API endpoints |
| WebSocket | WebSocket detected |
| Business Logic | All web apps |
| Payment Security | Payment flows |
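CreateThreatModel is described above as an LLM-driven workflow that maps threats to OWASP/CWE, scores them, orders the test plan and attaches effort estimates, with the Threat Categories table giving the trigger per category. As an added example that is not the skill's own code, the TypeScript below makes that deterministic core explicit: it takes an UnderstandApplication-style narrative, applies the "Triggers On" rules, and returns the ranked plan. The OWASP Top 10 (2021), OWASP API Security Top 10 (2023) and CWE identifiers are the public ones, but the choice of which identifier to attach per category, the likelihood/impact weights, the effort levels and the tool suggestions are all assumptions made for illustration; the sample narrative is constructed.

```typescript
// Added example (not the skill's own CreateThreatModel code): turn an
// UnderstandApplication-style narrative into the ranked test plan the
// workflow describes. Identifier mappings, weights, effort levels and
// tool suggestions are illustrative assumptions; sampleApp is constructed.

export type AppNarrative = {
  hasAuth: boolean;
  roles: string[];          // distinct user roles found in the narrative
  sensitiveData: string[];  // e.g. ["PII", "card data"]
  fileUpload: boolean;
  apiEndpoints: string[];   // e.g. from EndpointDiscovery
  websocket: boolean;
  paymentFlow: boolean;
};

export type Effort = "quick" | "medium" | "extensive";

export type Threat = {
  category: string;
  owasp: string;
  cwe: string;
  likelihood: number; // 1 (rare) .. 5 (expected)
  impact: number;     // 1 (nuisance) .. 5 (full compromise or data breach)
  risk: number;       // likelihood * impact, used for ordering
  effort: Effort;
  tools: string[];
};

function t(category: string, owasp: string, cwe: string, likelihood: number,
           impact: number, effort: Effort, tools: string[]): Threat {
  return { category, owasp, cwe, likelihood, impact, risk: likelihood * impact, effort, tools };
}

// Apply the "Triggers On" rules from the Threat Categories table, then score
// and sort so the test plan starts with the highest-risk items.
export function buildThreatModel(app: AppNarrative): Threat[] {
  const sensitive = app.sensitiveData.length > 0;
  const dataImpact = sensitive ? 5 : 3; // an injection hurts more when PII sits behind it
  const threats: Threat[] = [
    // "All web apps"
    t("Injection", "A03:2021", "CWE-89 / CWE-79", 4, dataImpact, "medium", ["ffuf", "manual payloads"]),
    t("Business Logic", "A04:2021", "CWE-840", 3, 4, "extensive", ["Playwright", "manual"]),
  ];
  if (app.hasAuth)
    threats.push(t("Authentication", "A07:2021", "CWE-287", 3, 5, "medium", ["manual", "ffuf"]));
  if (app.roles.length > 1)
    threats.push(t("Access Control", "A01:2021", "CWE-639", 4, 5, "medium", ["manual role swapping"]));
  if (sensitive)
    threats.push(t("Data Exposure", "A02:2021", "CWE-200", 3, 5, "quick", ["EndpointDiscovery", "manual"]));
  if (app.fileUpload)
    threats.push(t("File Upload", "A04:2021", "CWE-434", 3, 5, "medium", ["manual"]));
  if (app.apiEndpoints.length > 0)
    threats.push(t("API Security", "API1:2023", "CWE-285", 4, 4, "medium", ["ffuf", "manual"]));
  if (app.websocket)
    threats.push(t("WebSocket", "A01:2021", "CWE-1385", 2, 4, "quick", ["Playwright"]));
  if (app.paymentFlow)
    threats.push(t("Payment Security", "A04:2021", "CWE-841", 3, 5, "extensive", ["Playwright", "manual"]));

  // Highest risk first; ties go to the cheaper test so quick wins surface early,
  // then alphabetical so the order is stable across runs.
  const effortRank: Record<Effort, number> = { quick: 0, medium: 1, extensive: 2 };
  return threats.sort(
    (a, b) =>
      b.risk - a.risk ||
      effortRank[a.effort] - effortRank[b.effort] ||
      a.category.localeCompare(b.category),
  );
}

export function formatPlan(plan: Threat[]): string[] {
  return plan.map(
    (x, i) => `${i + 1}. [${x.risk}] ${x.category} (${x.owasp}, ${x.cwe}) effort=${x.effort} tools=${x.tools.join(", ")}`,
  );
}

// Constructed sample narrative, not a real target.
export const sampleApp: AppNarrative = {
  hasAuth: true,
  roles: ["customer", "admin"],
  sensitiveData: ["PII", "card data"],
  fileUpload: false,
  apiEndpoints: ["/api/v1/orders", "/api/v1/users/{id}"],
  websocket: false,
  paymentFlow: true,
};

console.log(formatPlan(buildThreatModel(sampleApp)).join("\n"));
```

For the sample narrative the plan opens with Access Control and Injection (both 20), then API Security (16), then the three 15-point threats ordered quick, medium, extensive, and Business Logic last. The point of making the ordering explicit is the "threat model guides testing" principle below: when a real run of the LLM workflow produces a different order, the tester should be able to say which likelihood or impact judgement it disagrees with.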
6-Phase Pentest Methodology
Phase 0: Scoping & Preparation
Phase 1: Reconnaissance (Recon skill)
Phase 2: Mapping (content discovery)
Phase 3: Vulnerability Analysis
Phase 4: Exploitation
Phase 5: Reporting
Key Principles
- Authorization first - Never test without explicit permission
- Understand before testing - Build app narrative first
- Threat model guides testing - Don't test blindly
- Breadth then depth - Wide recon, focused exploitation
- Document everything - Notes, screenshots, commands
Workflow Index
Core Assessment:
Workflows/UnderstandApplication.md - Application reconnaissance
Workflows/CreateThreatModel.md - Attack scenario generation
Penetration Testing:
Workflows/Pentest/MasterMethodology.md - 6-phase methodology
Workflows/Pentest/ToolInventory.md - Security tools reference
Workflows/Pentest/Reconnaissance.md - Asset discovery
Workflows/Pentest/Exploitation.md - Vulnerability testing
Web Fuzzing:
Workflows/Ffuf/FfufGuide.md - FFUF fuzzing guide
Workflows/Ffuf/FfufHelper.md - Automated fuzzing helper
Bug Bounty:
Workflows/BugBounty/Programs.md - Program tracking
Workflows/BugBounty/AutomationTool.md - Bounty automation
Web App Testing:
Workflows/Webapp/TestingGuide.md - Playwright testing
Workflows/Webapp/Examples.md - Testing patterns
OSINT:
Workflows/Osint/MasterGuide.md - OSINT methodology
Workflows/Osint/Reconnaissance.md - Domain recon
Workflows/Osint/SocialMediaIntel.md - SOCMINT
Workflows/Osint/Automation.md - SpiderFoot/Maltego
Workflows/Osint/MetadataAnalysis.md - ExifTool analysis
AI-Powered:
Workflows/VulnerabilityAnalysisGemini3.md - Gemini deep analysis
Examples
Example 1: Full assessment workflow
User: "Security assessment on app.example.com"
→ Run UnderstandApplication to build narrative
→ Run CreateThreatModel to prioritize testing
→ Follow MasterMethodology with threat model guidance
→ Report findings with OWASP/CWE references
Example 2: Quick threat model
User: "How would I attack this app?"
→ Run CreateThreatModel on target
→ Get prioritized attack paths
→ Get test plan with tool suggestions
Example 3: Integrate with Recon
User: "Assessment on target.com including all subdomains"
→ CorporateStructure (Recon) → Find parent/child companies
→ SubdomainEnum (Recon) → Find all subdomains
→ EndpointDiscovery (Recon) → Extract JS endpoints
→ UnderstandApplication → Build app narrative
→ CreateThreatModel → Generate attack plan