GraphQL
Skills using GraphQL (618)
cs-senior-engineer
Senior Engineer agent for architecture decisions, code review, DevOps, and API design. Orchestrates engineering and engineering-team skills for technical implementation work. Spawn when users need system design, code quality review, CI/CD pipeline setup, or infrastructure decisions.
engineering-advanced-skills
25 advanced engineering agent skills and plugins for Claude Code, Codex, Gemini CLI, Cursor, OpenClaw. Agent design, RAG, MCP servers, CI/CD, database design, observability, security auditing, release management, platform ops.
api-security-testing
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
dotnet-backend
Build ASP.NET Core 8+ backend services with EF Core, auth, background jobs, and production API patterns.
graphql-architect
Master modern GraphQL with federation, performance optimization, and enterprise security. Build scalable schemas, implement advanced caching, and design real-time systems.
qdrant-vector-search
High-performance vector similarity search engine for RAG and semantic search. Use when building production RAG systems requiring fast nearest neighbor search, hybrid search with filtering, or scalable vector storage with Rust-powered performance.
railway-database
Add official Railway database services (Postgres, Redis, MySQL, MongoDB). Use when user wants to add a database, says "add postgres", "add redis", "add database", "connect to database", or "wire up the database". For other templates (Ghost, Strapi, n8n), use the railway-templates skill.
railway-domain
Add, view, or remove domains for Railway services. Use when user wants to add a domain, generate a railway domain, check current domains, get the URL for a service, or remove a domain.
railway-environment
Query, stage, and apply configuration changes for Railway environments. Use for ANY variable or env var operations, service configuration (source, build settings, deploy settings), lifecycle (delete service), and applying changes. Prefer over railway-status skill for any configuration or variable queries.
railway-metrics
Query resource usage metrics for Railway services. Use when user asks about resource usage, CPU, memory, network, disk, or service performance like "how much memory is my service using" or "is my service slow".
railway-projects
List, switch, and configure Railway projects. Use when user wants to list all projects, switch projects, rename a project, enable/disable PR deploys, make a project public/private, or modify project settings.
railway-service
Check service status, rename services, change service icons, link services, or create services with Docker images. For creating services with local code, prefer railway-new skill. For GitHub repo sources, use railway-new skill to create empty service then railway-environment skill to configure source.
phoenix-cli
Debug LLM applications using the Phoenix CLI. Fetch traces, analyze errors, review experiments, inspect datasets, and query the GraphQL API. Use when debugging AI/LLM applications, analyzing trace data, working with Phoenix observability, or investigating LLM performance issues.
alchemy-webhooks-events
Implement Alchemy Notify webhooks for real-time blockchain event notifications. Use when tracking wallet activity, monitoring mined transactions, watching smart contract events, or building real-time dApp features. Trigger: "alchemy webhook", "alchemy notify", "alchemy events", "alchemy address activity", "alchemy real-time notifications".
atlas-recon
Documentation reconnaissance for takeover — find all docs, assess accuracy, freshness, coverage, and discoverability, and identify critical knowledge gaps. Use when asked "what docs exist", "documentation assessment", or "knowledge gaps".
building-graphql-server
Build production-ready GraphQL servers with schema design, resolvers, and subscriptions. Use when building GraphQL APIs with schemas and resolvers. Trigger with phrases like "build GraphQL API", "create GraphQL server", or "setup GraphQL".
cursor-local-dev-loop
Optimize daily development workflow with Cursor IDE using Chat, Composer, Tab, and Git integration. Triggers on "cursor workflow", "cursor development loop", "cursor productivity", "cursor daily workflow", "cursor dev flow".
fireflies-ci-integration
Configure CI/CD pipelines for Fireflies.ai integrations with GraphQL testing. Use when setting up automated testing, configuring GitHub Actions, or validating Fireflies.ai queries in your build process. Trigger with phrases like "fireflies CI", "fireflies GitHub Actions", "fireflies automated tests", "CI fireflies", "test fireflies pipeline".
fireflies-common-errors
Diagnose and fix Fireflies.ai GraphQL API errors by error code. Use when encountering Fireflies.ai errors, debugging failed requests, or troubleshooting authentication and rate limit issues. Trigger with phrases like "fireflies error", "fix fireflies", "fireflies not working", "debug fireflies", "fireflies 429".
fireflies-core-workflow-a
Retrieve and process Fireflies.ai meeting transcripts with speaker diarization and summaries. Use when fetching transcripts, extracting action items, or building meeting intelligence pipelines. Trigger with phrases like "fireflies transcript", "get meeting notes", "fireflies meeting data", "fetch fireflies recording".
fireflies-cost-tuning
Optimize Fireflies.ai subscription costs through seat auditing, selective recording, and plan sizing. Use when analyzing Fireflies.ai billing, reducing per-seat costs, or implementing usage monitoring and right-sizing. Trigger with phrases like "fireflies cost", "fireflies billing", "reduce fireflies costs", "fireflies pricing", "fireflies expensive", "fireflies budget".
fireflies-data-handling
Handle Fireflies.ai transcript data: export formats, PII redaction, retention policies, and compliance. Use when exporting transcripts, implementing data redaction, configuring retention, or ensuring GDPR/CCPA compliance. Trigger with phrases like "fireflies data", "fireflies PII", "fireflies GDPR", "fireflies data retention", "fireflies privacy", "fireflies export".
fireflies-debug-bundle
Collect Fireflies.ai debug evidence for support tickets and troubleshooting. Use when encountering persistent issues, preparing support tickets, or collecting diagnostic information for Fireflies.ai problems. Trigger with phrases like "fireflies debug", "fireflies support bundle", "collect fireflies logs", "fireflies diagnostic".
fireflies-deploy-integration
Deploy Fireflies.ai webhook receivers and GraphQL clients to Vercel, Docker, and Cloud Run. Use when deploying Fireflies.ai-powered applications to production, configuring platform-specific secrets, or hosting webhook endpoints. Trigger with phrases like "deploy fireflies", "fireflies Vercel", "fireflies production deploy", "fireflies Cloud Run", "fireflies Docker".
fireflies-enterprise-rbac
Configure Fireflies.ai workspace roles, channels, privacy controls, and meeting sharing. Use when managing team access, setting up channels, or configuring transcript visibility and sharing rules. Trigger with phrases like "fireflies roles", "fireflies permissions", "fireflies channels", "fireflies privacy", "fireflies sharing", "fireflies RBAC".
fireflies-hello-world
Create a minimal working Fireflies.ai example that queries transcripts. Use when starting a new Fireflies.ai integration, testing your setup, or learning the GraphQL API patterns for meeting data. Trigger with phrases like "fireflies hello world", "fireflies example", "fireflies quick start", "simple fireflies code".
fireflies-incident-runbook
Execute Fireflies.ai incident response with triage, remediation, and postmortem. Use when responding to Fireflies.ai API outages, auth failures, or webhook delivery problems. Trigger with phrases like "fireflies incident", "fireflies outage", "fireflies down", "fireflies on-call", "fireflies emergency", "fireflies broken".
fireflies-install-auth
Configure Fireflies.ai GraphQL API authentication and verify connectivity. Use when setting up a new Fireflies.ai integration, configuring API keys, or initializing the GraphQL client for transcript access. Trigger with phrases like "install fireflies", "setup fireflies", "fireflies auth", "configure fireflies API key".
fireflies-local-dev-loop
Configure local development workflow for Fireflies.ai GraphQL integrations. Use when setting up a development environment, mocking transcript data, or establishing a fast iteration cycle with the Fireflies API. Trigger with phrases like "fireflies dev setup", "fireflies local development", "fireflies dev environment", "develop with fireflies", "mock fireflies".
fireflies-migration-deep-dive
Migrate to Fireflies.ai from other meeting transcription platforms or legacy recording systems. Use when switching from Otter.ai, Rev, or custom transcription to Fireflies, or importing historical meeting data into the Fireflies ecosystem. Trigger with phrases like "migrate to fireflies", "switch from otter", "fireflies migration", "import meetings to fireflies", "fireflies replatform".
fireflies-observability
Monitor Fireflies.ai integration health with metrics, alerts, and dashboards. Use when implementing monitoring, setting up alerting, or tracking transcript processing reliability. Trigger with phrases like "fireflies monitoring", "fireflies metrics", "fireflies observability", "monitor fireflies", "fireflies alerts".
fireflies-performance-tuning
Optimize Fireflies.ai GraphQL query performance with field selection, caching, and batching. Use when experiencing slow API responses, implementing caching, or optimizing transcript processing throughput. Trigger with phrases like "fireflies performance", "optimize fireflies", "fireflies latency", "fireflies caching", "fireflies slow", "fireflies batch".
fireflies-prod-checklist
Execute Fireflies.ai production deployment checklist with health checks and rollback. Use when deploying Fireflies.ai integrations to production, preparing for launch, or implementing go-live procedures. Trigger with phrases like "fireflies production", "deploy fireflies", "fireflies go-live", "fireflies launch checklist".
fireflies-rate-limits
Implement Fireflies.ai rate limiting, backoff, and request queuing. Use when handling rate limit errors, implementing retry logic, or optimizing API request throughput for Fireflies.ai. Trigger with phrases like "fireflies rate limit", "fireflies throttling", "fireflies 429", "fireflies retry", "fireflies backoff".
fireflies-reference-architecture
Design meeting intelligence architecture with Fireflies.ai GraphQL API, webhooks, and CRM sync. Use when designing new integrations, planning transcript pipelines, or establishing architecture for meeting analytics platforms. Trigger with phrases like "fireflies architecture", "fireflies design", "fireflies project structure", "meeting intelligence pipeline".
fireflies-sdk-patterns
Apply production-ready Fireflies.ai GraphQL client patterns for TypeScript and Python. Use when implementing Fireflies.ai integrations, building typed clients, or establishing team coding standards for the GraphQL API. Trigger with phrases like "fireflies SDK patterns", "fireflies best practices", "fireflies client", "fireflies GraphQL wrapper", "typed fireflies".
fireflies-upgrade-migration
Handle Fireflies.ai API deprecations and migrate to current query patterns. Use when updating deprecated fields, migrating query patterns, or responding to Fireflies API changelog updates. Trigger with phrases like "upgrade fireflies", "fireflies deprecated", "fireflies migration", "fireflies breaking changes", "fireflies changelog".
flyio-sdk-patterns
Apply production-ready Fly.io Machines API patterns for TypeScript with typed clients, machine lifecycle management, and multi-region orchestration. Trigger: "fly.io Machines API", "fly.io SDK patterns", "fly.io API client".
linear-common-errors
Diagnose and fix common Linear API and SDK errors. Use when encountering Linear API errors, debugging integration issues, or troubleshooting authentication, rate limits, or query problems. Trigger: "linear error", "linear API error", "debug linear", "linear not working", "linear 429", "linear authentication error".
linear-core-workflow-a
Issue lifecycle management with Linear: create, update, transition, relate, comment, and organize issues through the SDK and GraphQL API. Trigger: "linear issue workflow", "linear issue lifecycle", "create linear issues", "update linear issue", "linear state transition", "linear sub-issues", "linear comments".
linear-hello-world
Create your first Linear issue and query using the SDK and GraphQL API. Use when making initial API calls, testing connection, or learning basic Linear CRUD operations. Trigger: "linear hello world", "first linear issue", "create linear issue", "linear API example", "test linear".
linear-incident-runbook
Production incident response procedures for Linear integrations. Use when handling production issues, diagnosing outages, or responding to Linear-related incidents. Trigger: "linear incident", "linear outage", "linear production issue", "debug linear production", "linear down", "linear 500".
linear-install-auth
Install and configure Linear SDK/CLI authentication. Use when setting up a new Linear integration, configuring API keys, OAuth2 flows, or initializing LinearClient in your project. Trigger: "install linear", "setup linear", "linear auth", "configure linear API key", "linear SDK setup", "linear OAuth".
linear-performance-tuning
Optimize Linear API queries, caching, and batching for performance. Use when improving response times, reducing API calls, or implementing caching strategies for Linear data. Trigger: "linear performance", "optimize linear", "linear caching", "linear slow queries", "speed up linear", "linear N+1".
linear-rate-limits
Handle Linear API rate limiting, complexity budgets, and quotas. Use when dealing with 429 errors, implementing throttling, or optimizing request patterns to stay within limits. Trigger: "linear rate limit", "linear throttling", "linear 429", "linear API quota", "linear complexity", "linear request limits".
linear-sdk-patterns
TypeScript/JavaScript SDK patterns and best practices for Linear. Use when learning SDK idioms, implementing pagination, filtering, relation loading, or custom GraphQL queries. Trigger: "linear SDK patterns", "linear best practices", "linear typescript", "linear API patterns", "linear pagination".
linear-upgrade-migration
Upgrade Linear SDK versions and handle breaking changes safely. Use when updating to a new SDK version, handling deprecations, or migrating between API versions. Trigger: "upgrade linear SDK", "linear SDK migration", "update linear", "linear breaking changes", "linear deprecation".
navan-performance-tuning
Use when optimizing Navan API call patterns for high-volume integrations — caching, batching, connection pooling, and pagination strategies. Trigger with "navan performance tuning" or "navan api optimization" or "navan caching".
shopify-advanced-troubleshooting
Debug complex Shopify API issues using cost analysis, request tracing, webhook delivery inspection, and GraphQL introspection. Trigger with phrases like "shopify hard bug", "shopify mystery error", "shopify deep debug", "difficult shopify issue", "shopify intermittent failure".
shopify-architecture-variants
Choose between Shopify app architectures: embedded Remix app, headless storefront with Hydrogen, standalone integration, or theme app extension. Trigger with phrases like "shopify architecture decision", "shopify embedded vs headless", "shopify Hydrogen", "shopify app types", "which shopify architecture".
shopify-common-errors
Diagnose and fix common Shopify API errors including 401, 403, 422, 429, and GraphQL errors. Use when encountering Shopify errors, debugging failed requests, or troubleshooting integration issues. Trigger with phrases like "shopify error", "fix shopify", "shopify not working", "debug shopify", "shopify 422".
shopify-core-workflow-a
Manage Shopify products, variants, and collections using the GraphQL Admin API. Use when creating, updating, or querying products, managing inventory, or building product catalog integrations. Trigger with phrases like "shopify products", "create shopify product", "shopify variants", "shopify collections", "shopify inventory".
shopify-core-workflow-b
Manage Shopify orders, customers, and fulfillments using the GraphQL Admin API. Use when querying orders, processing fulfillments, managing customers, or building order management integrations. Trigger with phrases like "shopify orders", "shopify customers", "shopify fulfillment", "process shopify order", "shopify checkout".
shopify-cost-tuning
Optimize Shopify app costs through plan selection, API usage monitoring, and Shopify Plus upgrade analysis. Trigger with phrases like "shopify cost", "shopify billing", "shopify pricing", "shopify Plus worth it", "shopify API usage", "reduce shopify costs".
shopify-enterprise-rbac
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
shopify-hello-world
Create a minimal working Shopify app that queries products via GraphQL Admin API. Use when starting a new Shopify integration, testing your setup, or learning basic Shopify API patterns. Trigger with phrases like "shopify hello world", "shopify example", "shopify quick start", "simple shopify app", "first shopify API call".
shopify-incident-runbook
Execute Shopify incident response with triage using Shopify status page, API health checks, and rate limit diagnosis. Trigger with phrases like "shopify incident", "shopify outage", "shopify down", "shopify on-call", "shopify emergency", "shopify not responding".
shopify-known-pitfalls
Identify and avoid Shopify API anti-patterns: ignoring userErrors, wrong API version, REST instead of GraphQL, missing GDPR webhooks, and webhook timeout issues. Trigger with phrases like "shopify mistakes", "shopify anti-patterns", "shopify pitfalls", "shopify what not to do", "shopify code review".
shopify-load-scale
Load test Shopify integrations respecting API rate limits, plan capacity with k6, and scale for Shopify Plus burst events (flash sales, BFCM). Trigger with phrases like "shopify load test", "shopify scale", "shopify BFCM", "shopify flash sale", "shopify capacity", "shopify k6 test".
shopify-migration-deep-dive
Migrate e-commerce data to Shopify using bulk operations, product imports, and the strangler fig pattern for gradual platform migration. Trigger with phrases like "migrate to shopify", "shopify data migration", "import products shopify", "shopify replatform", "move to shopify".
shopify-observability
Set up observability for Shopify app integrations with query cost tracking, rate limit monitoring, webhook delivery metrics, and structured logging. Trigger with phrases like "shopify monitoring", "shopify metrics", "shopify observability", "monitor shopify API", "shopify alerts", "shopify dashboard".
shopify-performance-tuning
Optimize Shopify API performance with GraphQL query cost reduction, bulk operations, caching strategies, and Storefront API for high-traffic storefronts. Trigger with phrases like "shopify performance", "optimize shopify", "shopify slow", "shopify caching", "shopify bulk operation", "shopify query cost".
shopify-rate-limits
Handle Shopify API rate limits for both REST (leaky bucket) and GraphQL (calculated query cost). Use when hitting 429 errors, implementing retry logic, or optimizing API request throughput. Trigger with phrases like "shopify rate limit", "shopify throttling", "shopify 429", "shopify THROTTLED", "shopify query cost", "shopify backoff".
shopify-sdk-patterns
Apply production-ready patterns for @shopify/shopify-api including typed GraphQL clients, session management, and retry logic. Use when implementing Shopify integrations, refactoring SDK usage, or establishing team coding standards for Shopify. Trigger with phrases like "shopify SDK patterns", "shopify best practices", "shopify code patterns", "idiomatic shopify", "shopify client wrapper".
shopify-upgrade-migration
Upgrade Shopify API versions and migrate from REST to GraphQL with breaking change detection. Use when upgrading API versions, migrating from deprecated REST endpoints, or handling Shopify's quarterly API release cycle. Trigger with phrases like "upgrade shopify", "shopify API version", "shopify breaking changes", "migrate REST to GraphQL", "shopify deprecation".
shopify-webhooks-events
Register and handle Shopify webhooks including mandatory GDPR compliance topics. Use when setting up webhook subscriptions, handling order/product events, or implementing the required GDPR webhooks for app store submission. Trigger with phrases like "shopify webhook", "shopify events", "shopify GDPR webhook", "handle shopify notifications", "shopify webhook register".
supabase-local-dev-loop
Configure Supabase local development with the CLI, Docker, and migration workflow. Use when initializing a Supabase project locally, starting the local stack, writing migrations, seeding data, or iterating on schema changes. Trigger with phrases like "supabase local dev", "supabase start", "supabase init", "supabase db reset", "supabase local setup".
twinmind-core-workflow-b
Execute TwinMind secondary workflow: Action item extraction and follow-up automation. Use when automating meeting follow-ups, extracting tasks, or integrating with project management tools. Trigger with phrases like "twinmind action items", "meeting follow-up automation", "extract tasks from meeting".
validating-api-schemas
Validate API schemas against OpenAPI, JSON Schema, and GraphQL specifications. Use when validating API schemas and contracts. Trigger with phrases like "validate API schema", "check OpenAPI spec", or "verify schema".
moai-domain-backend
Backend development specialist covering API design, database integration, microservices architecture, and modern backend patterns. Use when designing APIs, implementing server logic, authentication, or authorization.
moai-platform-deployment
Deployment and hosting platform specialist covering Vercel, Railway, and Convex. Use when deploying applications, configuring edge functions, setting up continuous deployment, or managing serverless infrastructure.
moai-workflow-jit-docs
Enhanced Just-In-Time document loading system that discovers, loads, and caches relevant documentation based on user intent and project context. Use when users need specific documentation on demand.
007
Security audit, hardening, threat modeling (STRIDE/PASTA), Red/Blue Team, OWASP checks, code review, incident response, and infrastructure security for any project.
api-documentation-generator
Generate comprehensive, developer-friendly API documentation from code, including endpoints, parameters, examples, and best practices
api-documenter
Master API documentation with OpenAPI 3.1, AI-powered tools, and modern developer experience practices. Create interactive docs, generate SDKs, and build comprehensive developer portals.
api-fuzzing-bug-bounty
Provide comprehensive techniques for testing REST, SOAP, and GraphQL APIs during bug bounty hunting and penetration testing engagements. Covers vulnerability discovery, authentication bypass, IDOR exploitation, and API-specific attack vectors.
api-patterns
API design principles and decision-making. REST vs GraphQL vs tRPC selection, response formats, versioning, pagination.
api-security-best-practices
Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
api-security-testing
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
azure-mgmt-apicenter-dotnet
Azure API Center SDK for .NET. Centralized API inventory management with governance, versioning, and discovery.
c4-component
Expert C4 Component-level documentation specialist. Synthesizes C4 Code-level documentation into Component-level architecture, defining component boundaries, interfaces, and relationships.
c4-container
Expert C4 Container-level documentation specialist.
dotnet-backend
Build ASP.NET Core 8+ backend services with EF Core, auth, background jobs, and production API patterns.
graphql
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server.
graphql-architect
Master modern GraphQL with federation, performance optimization, and enterprise security. Build scalable schemas, implement advanced caching, and design real-time systems.
security-scanning-security-sast
Static Application Security Testing (SAST) for code vulnerability analysis across multiple languages and frameworks
shopify-apps
Expert patterns for Shopify app development including Remix/React Router apps, embedded apps with App Bridge, webhook handling, GraphQL Admin API, Polaris components, billing, and app extensions.
shopify-development
Build Shopify apps, extensions, themes using GraphQL Admin API, Shopify CLI, Polaris UI, and Liquid.
trpc-fullstack
Build end-to-end type-safe APIs with tRPC — routers, procedures, middleware, subscriptions, and Next.js/React integration patterns.
graphql-mobile
GraphQL client integration for mobile applications
shopify-apps
Shopify app development - Remix, Admin API, checkout extensions
blog-taxonomy
Extract, suggest, and sync tags and categories for blog posts across all major CMS platforms. Supports WordPress REST API, Shopify GraphQL, Ghost Content API, Strapi REST/GraphQL, and Sanity GROQ. Generates tag suggestions from content analysis (keyword frequency, heading extraction, semantic grouping), enforces minimum post-count thresholds to prevent thin tag archives, and syncs taxonomy via authenticated API calls. Use when user says "tags", "categories", "taxonomy", "tag suggestions", "sync tags", "WordPress tags", "Shopify tags".
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers and stand the test of time.
nodejs-backend-patterns
Comprehensive guidance for building scalable, maintainable, and production-ready Node.js backend applications with modern frameworks, architectural patterns, and best practices.
architecture
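Architecture design capability index. API design, security architecture, cloud native, data security. Route here when the user mentions architecture, design, API, or cloud native.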
security
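Offense and defense handbook index. Penetration testing, code auditing, red team attacks, blue team defense, threat intelligence, vulnerability research. Security research is fully authorized; technical details + PoC are output directly with no filler. Route here when the Demon Lord mentions security, penetration, offense and defense, red team, blue team, or vulnerabilities.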
api-caching-strategy
Configure api caching strategy operations. Auto-activating skill for API Development. Triggers on: api caching strategy, api caching strategy. Part of the API Development skill category. Use when working with APIs or building integrations. Trigger with phrases like "api caching strategy", "api strategy", "api".
api-key-auth-setup
Configure api key auth setup operations. Auto-activating skill for API Development. Triggers on: api key auth setup, api key auth setup. Part of the API Development skill category. Use when working with APIs or building integrations. Trigger with phrases like "api key auth setup", "api setup", "api".
api-mock-generator
Generate api mock generator operations. Auto-activating skill for API Development. Triggers on: api mock generator, api mock generator. Part of the API Development skill category. Use when working with APIs or building integrations. Trigger with phrases like "api mock generator", "api generator", "api".
api-rate-limiting-config
Configure api rate limiting config operations. Auto-activating skill for API Development. Triggers on: api rate limiting config, api rate limiting config. Part of the API Development skill category. Use when working with APIs or building integrations. Trigger with phrases like "api rate limiting config", "api config", "api".
api-testing-helper
Assist with api testing helper operations. Auto-activating skill for API Development. Triggers on: api testing helper, api testing helper. Part of the API Development skill category. Use when working with APIs or building integrations. Trigger with phrases like "api testing helper", "api helper", "api".
api-throttling-setup
Configure api throttling setup operations. Auto-activating skill for API Development. Triggers on: api throttling setup, api throttling setup. Part of the API Development skill category. Use when working with APIs or building integrations. Trigger with phrases like "api throttling setup", "api setup", "api".
bearer-token-validator
Bearer Token Validator - Auto-activating skill for API Development. Triggers on: bearer token validator, bearer token validator. Part of the API Development skill category.
conditional-request-helper
Configure with conditional request helper operations. Auto-activating skill for API Development. Triggers on: conditional request helper, conditional request helper. Part of the API Development skill category. Use when working with conditional request helper functionality. Trigger with phrases like "conditional request helper", "conditional helper", "conditional".
etag-handler
Manage etag handler operations. Auto-activating skill for API Development. Triggers on: etag handler, etag handler. Part of the API Development skill category. Use when working with etag handler functionality. Trigger with phrases like "etag handler", "etag handler", "etag".
filtering-query-builder
Build filtering query builder operations. Auto-activating skill for API Development. Triggers on: filtering query builder, filtering query builder. Part of the API Development skill category. Use when working with filtering query builder functionality. Trigger with phrases like "filtering query builder", "filtering builder", "filtering".
graphql-mutation-builder
Build graphql mutation builder operations. Auto-activating skill for API Development. Triggers on: graphql mutation builder, graphql mutation builder. Part of the API Development skill category. Use when working with graphql mutation builder functionality. Trigger with phrases like "graphql mutation builder", "graphql builder", "graphql".
graphql-resolver-creator
Create graphql resolver creator operations. Auto-activating skill for API Development. Triggers on: graphql resolver creator, graphql resolver creator. Part of the API Development skill category. Use when working with graphql resolver creator functionality. Trigger with phrases like "graphql resolver creator", "graphql creator", "graphql".
graphql-schema-generator
Generate graphql schema generator operations. Auto-activating skill for API Development. Triggers on: graphql schema generator, graphql schema generator. Part of the API Development skill category. Use when working with graphql schema generator functionality. Trigger with phrases like "graphql schema generator", "graphql generator", "graphql".
graphql-subscription-setup
Configure graphql subscription setup operations. Auto-activating skill for API Development. Triggers on: graphql subscription setup, graphql subscription setup. Part of the API Development skill category. Use when working with graphql subscription setup functionality. Trigger with phrases like "graphql subscription setup", "graphql setup", "graphql".
http-method-helper
Configure with http method helper operations. Auto-activating skill for API Development. Triggers on: http method helper, http method helper. Part of the API Development skill category. Use when working with http method helper functionality. Trigger with phrases like "http method helper", "http helper", "http".
hypermedia-link-generator
Generate hypermedia link generator operations. Auto-activating skill for API Development. Triggers on: hypermedia link generator, hypermedia link generator. Part of the API Development skill category. Use when working with hypermedia link generator functionality. Trigger with phrases like "hypermedia link generator", "hypermedia generator", "hypermedia".
openapi-spec-generator
Generate openapi spec generator operations. Auto-activating skill for API Development. Triggers on: openapi spec generator, openapi spec generator. Part of the API Development skill category. Use when working with APIs or building integrations. Trigger with phrases like "openapi spec generator", "openapi generator", "openapi".
pagination-helper
Configure with pagination helper operations. Auto-activating skill for API Development. Triggers on: pagination helper, pagination helper. Part of the API Development skill category. Use when working with pagination helper functionality. Trigger with phrases like "pagination helper", "pagination helper", "pagination".
request-body-validator
Validate request body validator operations. Auto-activating skill for API Development. Triggers on: request body validator, request body validator. Part of the API Development skill category. Use when working with request body validator functionality. Trigger with phrases like "request body validator", "request validator", "request".
response-schema-generator
Generate response schema generator operations. Auto-activating skill for API Development. Triggers on: response schema generator, response schema generator. Part of the API Development skill category. Use when working with response schema generator functionality. Trigger with phrases like "response schema generator", "response generator", "response".
rest-endpoint-designer
Build rest endpoint designer operations. Auto-activating skill for API Development. Triggers on: rest endpoint designer, rest endpoint designer. Part of the API Development skill category. Use when working with rest endpoint designer functionality. Trigger with phrases like "rest endpoint designer", "rest designer", "rest".
sorting-parameter-handler
Manage sorting parameter handler operations. Auto-activating skill for API Development. Triggers on: sorting parameter handler, sorting parameter handler. Part of the API Development skill category. Use when working with sorting parameter handler functionality. Trigger with phrases like "sorting parameter handler", "sorting handler", "sorting".
status-code-recommender
Manage status code recommender operations. Auto-activating skill for API Development. Triggers on: status code recommender, status code recommender. Part of the API Development skill category. Use when working with status code recommender functionality. Trigger with phrases like "status code recommender", "status recommender", "status".
swagger-doc-creator
Create swagger doc creator operations. Auto-activating skill for API Development. Triggers on: swagger doc creator, swagger doc creator. Part of the API Development skill category. Use when working with swagger doc creator functionality. Trigger with phrases like "swagger doc creator", "swagger creator", "swagger".
versioning-strategy-helper
Configure with versioning strategy helper operations. Auto-activating skill for API Development. Triggers on: versioning strategy helper, versioning strategy helper. Part of the API Development skill category. Use when working with versioning strategy helper functionality. Trigger with phrases like "versioning strategy helper", "versioning helper", "versioning".
windsurf-api-development
Generate API clients and documentation with Cascade. Activate when users mention "generate api client", "api documentation", "openapi generation", "sdk generation", or "api integration". Handles API development workflows. Use when working with APIs or building integrations. Trigger with phrases like "windsurf api development", "windsurf development", "windsurf".
ln-910-community-engagement
Analyzes community health and delegates engagement tasks. Use when managing GitHub issues, discussions, and announcements.
ln-912-community-announcer
Composes and publishes announcements to GitHub Discussions. Use when sharing releases, updates, or news with the community.
ln-913-community-debater
Launches RFC and debate discussions on GitHub. Use when proposing changes that need community input or voting.
ln-914-community-responder
Responds to unanswered GitHub discussions and issues with codebase-informed replies. Use when clearing community question backlog.
building-ioc-enrichment-pipeline-with-opencti
OpenCTI is an open-source platform for managing cyber threat intelligence knowledge, built on STIX 2.1 as its native data model. This skill covers building an automated IOC enrichment pipeline using O
conducting-api-security-testing
Conducts security testing of REST, GraphQL, and gRPC APIs to identify vulnerabilities in authentication, authorization, rate limiting, input validation, and business logic. The tester uses the OWASP API Security Top 10 as the testing framework, combining Burp Suite interception with Postman collections and custom scripts to test endpoint security at every privilege level. Activates for requests involving API security testing, REST API pentest, GraphQL security assessment, or API vulnerability testing.
exploiting-excessive-data-exposure-in-api
Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying on the frontend to filter sensitive fields. The tester intercepts API responses and analyzes them for leaked PII, internal identifiers, debug information, or sensitive business data that the UI does not display but the API transmits. This maps to OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving API data leakage testing, excessive data exposure, response filtering bypass, or API over-fetching.
integrating-dast-with-owasp-zap-in-pipeline
This skill covers integrating OWASP ZAP (Zed Attack Proxy) for Dynamic Application Security Testing in CI/CD pipelines. It addresses configuring baseline, full, and API scans against running applications, interpreting ZAP findings, tuning scan policies, and establishing DAST quality gates in GitHub Actions and GitLab CI.
performing-graphql-depth-limit-attack
Execute and test GraphQL depth limit attacks using deeply nested recursive queries to identify denial-of-service vulnerabilities in GraphQL APIs.
performing-graphql-introspection-attack
Performs GraphQL introspection attacks to extract the full API schema including types, queries, mutations, subscriptions, and field definitions from GraphQL endpoints. The tester uses introspection queries to map the attack surface, identifies sensitive fields and mutations, tests for query depth and complexity limits, and exploits GraphQL-specific vulnerabilities including batching attacks, alias-based brute force, and nested query DoS. Activates for requests involving GraphQL security testing, introspection attack, GraphQL enumeration, or GraphQL API penetration testing.
performing-graphql-security-assessment
Assessing GraphQL API endpoints for introspection leaks, injection attacks, authorization flaws, and denial-of-service vulnerabilities during authorized security tests.
testing-api-for-broken-object-level-authorization
Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities where an authenticated user can access or modify resources belonging to other users by manipulating object identifiers in API requests. The tester intercepts API calls, identifies object ID parameters (numeric IDs, UUIDs, slugs), and systematically replaces them with IDs belonging to other users to determine if the server enforces per-object authorization. This is OWASP API Security Top 10 2023 risk API1. Activates for requests involving BOLA testing, IDOR in APIs, object-level authorization testing, or API access control bypass.
testing-api-security-with-owasp-top-10
Systematically assessing REST and GraphQL API endpoints against the OWASP API Security Top 10 risks using automated and manual testing techniques.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers and stand the test of time.
auth-implementation-patterns
Build secure, scalable authentication and authorization systems using industry-standard patterns and modern best practices.
nodejs-backend-patterns
Comprehensive guidance for building scalable, maintainable, and production-ready Node.js backend applications with modern frameworks, architectural patterns, and best practices.
api-diff-analyzer
Compare API specifications to detect breaking changes. Compare OpenAPI spec versions, categorize changes by severity, generate migration guides, and block breaking changes in CI.
apollo-server
Apollo Server configuration, plugins, caching, federation, and performance optimization.
dast-scanner
Dynamic Application Security Testing execution and management. Configure and execute OWASP ZAP and Nuclei scans, run authenticated scanning, manage scan policies and scope, correlate findings with SAST results, and generate comprehensive vulnerability reports.
graphql
GraphQL schema design, resolvers, directives, subscriptions, and best practices for API development.
graphql-schema-generator
Generate GraphQL schemas from data models with resolver stubs and federation support
subgraph-indexing
Subgraph development for The Graph protocol. Includes manifest configuration, GraphQL schema design, AssemblyScript handlers, entity relationships, and deployment to hosted and decentralized networks.
build-mcp-server
This skill should be used when the user asks to "build an MCP server", "create an MCP", "make an MCP integration", "wrap an API for Claude", "expose tools to Claude", "make an MCP app", or discusses building something with the Model Context Protocol. It is the entry point for MCP server development — it interrogates the user about their use case, determines the right deployment model (remote HTTP, MCPB, local stdio), picks a tool-design pattern, and hands off to specialized skills.
api-fuzzing-for-bug-bounty
This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.
api-patterns
API design principles and decision-making. REST vs GraphQL vs tRPC selection, response formats, versioning, pagination.
cloudflare-api
Hit the Cloudflare REST API directly for operations that wrangler and MCP can't handle well. Bulk DNS, custom hostnames, email routing, cache purge, WAF rules, redirect rules, zone settings, Worker routes, D1 cross-database queries, R2 bulk operations, KV bulk read/write, Vectorize queries, Queues, and fleet-wide resource audits. Produces curl commands or scripts. Triggers: 'cloudflare api', 'bulk dns', 'custom hostname', 'email routing', 'cache purge', 'waf rule', 'd1 query', 'r2 bucket', 'kv bulk', 'vectorize query', 'audit resources', 'fleet operation'.
shopify-content
Create and manage Shopify pages, blog posts, navigation menus, redirects, and SEO metadata via the Admin API or browser automation. Use whenever the user wants to add a page to a Shopify store, write a Shopify blog post, update the storefront navigation, manage redirects, or tune SEO metadata on a Shopify site.
shopify-products
Create and manage Shopify products via the Admin GraphQL API or CSV import. Workflow: gather data, choose method, execute, verify. Use whenever the user wants to add products to Shopify, bulk-import a catalog from CSV/spreadsheet/URL, update variants or prices, manage inventory quantities, upload product images, or assign products to collections.
azure-mgmt-apicenter-dotnet
Azure API Center SDK for .NET. Centralized API inventory management with governance, versioning, and discovery. Use for creating API services, workspaces, APIs, versions, definitions, environments, deployments, and metadata schemas. Triggers: "API Center", "ApiCenterService", "ApiCenterWorkspace", "ApiCenterApi", "API inventory", "API governance", "API versioning", "API catalog", "API discovery".
api-fuzzing-for-bug-bounty
This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.
flow-next-resolve-pr
Resolve PR review feedback — fetch unresolved threads, triage, dispatch per-thread resolver agents, validate, commit, reply + resolve via GraphQL. Triggers on /flow-next:resolve-pr.
flow-next-tracker-sync
Project a flow-next spec to a tracker issue (Linear first, GitHub next) and reconcile body/status/comments two-way — projection, not coordination. The spec stays the source of truth; the tracker is a co-editable mirror. Use to configure the bridge (discovery ceremony), link a spec to an issue (flow-first push or tracker-first "grab issue X and spec it"), push/pull/reconcile, or unlink. Triggers on /flow-next:tracker-sync, "sync to linear", "push this spec to the tracker", "grab issue X and spec it", "link this spec to the issue", "reconcile with the tracker". NOT /flow-next:sync (that is plan-sync, a different skill).
api-page-generator
When the user wants to create, optimize, or audit the API introduction/overview page. Also use when the user mentions "API page," "API landing page," "/api page," "API overview," "developer landing," "API marketing," or "API for developers." Note: API documentation (endpoint reference) lives in docs; use docs-page-generator.
api-designer
Use when designing REST or GraphQL APIs, creating OpenAPI specifications, or planning API architecture. Invoke for resource modeling, versioning strategies, pagination patterns, error handling standards.
graphql-architect
Use when designing GraphQL schemas, implementing Apollo Federation, or building real-time subscriptions. Invoke for schema design, resolvers with DataLoader, query optimization, federation directives.
nestjs-expert
Creates and configures NestJS modules, controllers, services, DTOs, guards, and interceptors for enterprise-grade TypeScript backend applications. Use when building NestJS REST APIs or GraphQL services, implementing dependency injection, scaffolding modular architecture, adding JWT/Passport authentication, integrating TypeORM or Prisma, or working with .module.ts, .controller.ts, and .service.ts files. Invoke for guards, interceptors, pipes, validation, Swagger documentation, and unit/E2E testing in NestJS projects.
php-pro
Use when building PHP applications with modern PHP 8.3+ features, Laravel, or Symfony frameworks. Invokes strict typing, PHPStan level 9, async patterns with Swoole, and PSR standards. Creates controllers, configures middleware, generates migrations, writes PHPUnit/Pest tests, defines typed DTOs and value objects, sets up dependency injection, and scaffolds REST/GraphQL APIs. Use when working with Eloquent, Doctrine, Composer, Psalm, ReactPHP, or any PHP API development.
shopify-expert
Builds and debugs Shopify themes (.liquid files, theme.json, sections), develops custom Shopify apps (shopify.app.toml, OAuth, webhooks), and implements Storefront API integrations for headless storefronts. Use when building or customizing Shopify themes, creating Hydrogen or custom React storefronts, developing Shopify apps, implementing checkout UI extensions or Shopify Functions, optimizing performance, or integrating third-party services. Invoke for Liquid templating, Storefront API, app development, checkout customization, Shopify Plus features, App Bridge, Polaris, or Shopify CLI workflows.
qdrant-vector-search
High-performance vector similarity search engine for RAG and semantic search. Use when building production RAG systems requiring fast nearest neighbor search, hybrid search with filtering, or scalable vector storage with Rust-powered performance.
api-testing
Comprehensive API testing for REST and GraphQL endpoints with contract validation
architecture-patterns
System and API design guidance covering component boundaries, data flow, integration patterns, and scalability considerations.
graphql-schema-designer
GraphQL schema design and optimization with federation support
msw
Mock Service Worker API mocking, request handlers, and integration testing.
python-sdk-specialist
Python SDK development with async support and type hints
weaviate-integration
Weaviate vector database setup with GraphQL queries and hybrid search
graphql
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
shopify-apps
Expert patterns for Shopify app development including Remix/React Router apps, embedded apps with App Bridge, webhook handling, GraphQL Admin API, Polaris components, billing, and app extensions. Use when: shopify app, shopify, embedded app, polaris, app bridge.
ln-113-backend-docs-creator
Creates backend docs (api_spec.md, database_schema.md). Use when project has backend API or database.
ctf-web
Provides web exploitation techniques for CTF challenges. Use when the target is primarily an HTTP application, API, browser client, template engine, identity flow, or smart-contract frontend/backend surface, including XSS, SQLi, SSTI, SSRF, XXE, JWT, auth bypass, file upload, request smuggling, OAuth/OIDC, SAML, prototype pollution, and similar web bugs. Do not use it for native binary memory corruption, reverse engineering of standalone executables, disk or memory forensics, or pure cryptanalysis unless the web flaw is still the main path to the flag.
backend
Python server code, APIs, async, strict typing.
fullstack-dev
Full-stack backend architecture and frontend-backend integration guide. TRIGGER when: building a full-stack app, creating REST API with frontend, scaffolding backend service, building todo app, building CRUD app, building real-time app, building chat app, Express + React, Next.js API, Node.js backend, Python backend, Go backend, designing service layers, implementing error handling, managing config/auth, setting up API clients, implementing auth flows, handling file uploads, adding real-time features (SSE/WebSocket), hardening for production. DO NOT TRIGGER when: pure frontend UI work, pure CSS/styling, database schema only.
build-error-adapter
Build new Arcade error adapters from scratch using public Arcade TDK patterns. Use when adding provider integrations, mapping SDK exceptions, or extending HTTP/GraphQL/auth adapter behavior.
designing-apis
Designs REST and GraphQL APIs including endpoints, error handling, versioning, and documentation. Use when creating new APIs, designing endpoints, reviewing API contracts, or when asked about REST, GraphQL, or API patterns.
linear
Manage Linear issues, projects, and teams via the GraphQL API. Create, update, search, and organize issues. Uses API key auth (no OAuth needed). All operations via curl — no dependencies.
qdrant-vector-search
High-performance vector similarity search engine for RAG and semantic search. Use when building production RAG systems requiring fast nearest neighbor search, hybrid search with filtering, or scalable vector storage with Rust-powered performance.
api-and-interface-design
Guides stable API and interface design. Use when designing APIs, module boundaries, or any public interface. Use when creating REST or GraphQL endpoints, defining type contracts between modules, or establishing boundaries between frontend and backend.
documentation-and-adrs
Records decisions and documentation. Use when making architectural decisions, changing public APIs, shipping features, or when you need to record context that future engineers and agents will need to understand the codebase.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
aws-solution-architect
Design AWS architectures for startups using serverless patterns and IaC templates. Use when asked to design serverless architecture, create CloudFormation templates, optimize AWS costs, set up CI/CD pipelines, or migrate to AWS. Covers Lambda, API Gateway, DynamoDB, ECS, Aurora, and cost optimization.
senior-backend
Designs and implements backend systems including REST APIs, microservices, database architectures, authentication flows, and security hardening. Use when the user asks to "design REST APIs", "optimize database queries", "implement authentication", "build microservices", "review backend code", "set up GraphQL", "handle database migrations", or "load test APIs". Covers Node.js/Express/Fastify development, PostgreSQL optimization, API security, and backend architecture patterns.
spec-to-repo
Use when the user says 'build me an app', 'create a project from this spec', 'scaffold a new repo', 'generate a starter', 'turn this idea into code', 'bootstrap a project', 'I have requirements and need a codebase', or provides a natural-language project specification and expects a complete, runnable repository. Stack-agnostic: Next.js, FastAPI, Rails, Go, Rust, Flutter, and more.
instagram-hashtag-posts
Scrapes Instagram posts by hashtag, returning media items with captions, like/comment counts, media URLs and user info from the hashtag explore feed. Use when user mentions Instagram hashtag scraping, get posts by hashtag, IG hashtag feed, scrape Instagram by tag, hashtag posts Instagram, search Instagram hashtag, pull posts from hashtag, Instagram topic posts, trending hashtag content, Instagram tag posts.
api-documentation-generator
Generate comprehensive, developer-friendly API documentation from code, including endpoints, parameters, examples, and best practices
api-integration-specialist
Expert in integrating third-party APIs with proper authentication, error handling, rate limiting, and retry logic. Use when integrating REST APIs, GraphQL endpoints, webhooks, or external services. Specializes in OAuth flows, API key management, request/response transformation, and building robust API clients.
api-security-best-practices
Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
opentargets-database
Query Open Targets Platform for target-disease associations, drug target discovery, tractability/safety data, genetics/omics evidence, known drugs, for therapeutic target identification.
senior-architect
Comprehensive software architecture skill for designing scalable, maintainable systems using ReactJS, NextJS, NodeJS, Express, React Native, Swift, Kotlin, Flutter, Postgres, GraphQL, Go, Python. Includes architecture diagram generation, system design patterns, tech stack decision frameworks, and dependency analysis. Use when designing system architecture, making technical decisions, creating architecture diagrams, evaluating trade-offs, or defining integration patterns.
senior-backend
Comprehensive backend development skill for building scalable backend systems using NodeJS, Express, Go, Python, Postgres, GraphQL, REST APIs. Includes API scaffolding, database optimization, security implementation, and performance tuning. Use when designing APIs, optimizing database queries, implementing business logic, handling authentication/authorization, or reviewing backend code.
senior-fullstack
Comprehensive fullstack development skill for building complete web applications with React, Next.js, Node.js, GraphQL, and PostgreSQL. Includes project scaffolding, code quality analysis, architecture patterns, and complete tech stack guidance. Use when building new projects, analyzing code quality, implementing design patterns, or setting up development workflows.
shopify-development
Build Shopify apps, extensions, themes using GraphQL Admin API, Shopify CLI, Polaris UI, and Liquid. TRIGGER: "shopify", "shopify app", "checkout extension", "admin extension", "POS extension", "shopify theme", "liquid template", "polaris", "shopify graphql", "shopify webhook", "shopify billing", "app subscription", "metafields", "shopify functions"
review-discussions-ag
Read all open GitHub Discussions, summarize them, respond to pending ones, create issues from actionable feature requests, and triage stale threads for closure
review-discussions-cc
Read all open GitHub Discussions, summarize them, respond to pending ones, create issues from actionable feature requests, and triage stale threads for closure
review-discussions-cx
Read all open GitHub Discussions, summarize them, respond to pending ones, create issues from actionable feature requests, and triage stale threads for closure
oma-backend
Backend specialist for APIs, databases, authentication with clean architecture (Repository/Service/Router pattern). Use for API, endpoint, REST, database, server, migration, and auth work.
project-workflow-analysis-blueprint-generator
Comprehensive technology-agnostic prompt generator for documenting end-to-end application workflows. Automatically detects project architecture patterns, technology stacks, and data flow patterns to generate detailed implementation blueprints covering entry points, service layers, data access, error handling, and testing approaches across multiple technologies including .NET, Java/Spring, React, and microservices architectures.
salesforce-component-standards
Quality standards for Salesforce Lightning Web Components (LWC), Aura components, and Visualforce pages. Covers SLDS 2 compliance, accessibility (WCAG 2.1 AA), data access pattern selection, component communication rules, XSS prevention, CSRF enforcement, FLS/CRUD in AuraEnabled methods, view state management, and Jest test requirements. Use this skill when building or reviewing any Salesforce UI component to enforce platform-specific security and quality standards.
automating-api-testing
This skill automates API endpoint testing, including request generation, validation, and comprehensive test coverage for REST and GraphQL APIs. It is used when the user requests API testing, contract testing, or validation against OpenAPI specifications. The skill analyzes API endpoints and generates test suites covering CRUD operations, authentication flows, and security aspects. It also validates response status codes, headers, and body structure. Use this skill when the user mentions "API testing", "REST API tests", "GraphQL API tests", "contract tests", or "OpenAPI validation".
api-versioning-strategy
Write an API versioning strategy document for a service or API platform. Use when asked to define versioning policy, plan API deprecation, classify breaking changes, or document version lifecycle. Produces a complete versioning strategy with breaking-change classification table, deprecation timeline, migration guide template, and client communication template.
agent-dev-backend-api
Agent skill for dev-backend-api - invoke with $agent-dev-backend-api
api-patterns
REST/GraphQL API design: naming, versioning, pagination, idempotency, OpenAPI. Triggers: API design, REST, GraphQL, OpenAPI, Swagger, idempotency, rate limit.
app-builder
App scaffolding: Next.js, Vite, Nuxt, Astro, FastAPI, Django, Laravel, RN, Flutter. Triggers: scaffold, bootstrap, new project, starter, dashboard, mobile app.
ecommerce-patterns
E-commerce: cart, checkout, payments (Stripe/Adyen), order state, inventory, promos, tax. Triggers: cart, checkout, SKU, payment, Stripe, Shopify, Medusa, Magento, coupon, refund.
babysit
Watch a pull request or review cycle until it is ready to merge. Use when asked to babysit, monitor, or keep checking PR comments, reviews, and CI until all actionable issues are resolved.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
auth-implementation-patterns
Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.
nodejs-backend-patterns
Build production-ready Node.js backend services with Express/Fastify, implementing middleware patterns, error handling, authentication, database integration, and API design best practices. Use when creating Node.js servers, REST APIs, GraphQL backends, or microservices architectures.
rag-implementation
Build Retrieval-Augmented Generation (RAG) systems for LLM applications with vector databases and semantic search. Use when implementing knowledge-grounded AI, building document Q&A systems, or integrating LLMs with external knowledge bases.
api-design
Use this skill when designing APIs, choosing between REST/GraphQL/gRPC, writing OpenAPI specs, implementing pagination, versioning endpoints, or structuring request/response schemas. Triggers on API design, endpoint naming, HTTP methods, status codes, rate limiting, authentication schemes, HATEOAS, query parameters, and any task requiring API architecture decisions.
api-testing
Use this skill when testing REST or GraphQL APIs, implementing contract tests, setting up mock servers, or validating API behavior. Triggers on API testing, Postman, contract testing, Pact, mock servers, MSW, HTTP assertions, response validation, and any task requiring API test automation.
backend-engineering
Use this skill when designing backend systems, databases, APIs, or services. Triggers on schema design, database migrations, indexing strategies, distributed systems architecture, microservices, caching, message queues, observability setup, logging, metrics, tracing, SLO/SLI definition, performance optimization, query tuning, security hardening, authentication, authorization, API design (REST, GraphQL, gRPC), rate limiting, pagination, and failure handling patterns. Acts as a senior backend engineering advisor for mid-level engineers leveling up.
azure-data-api-builder
Expert knowledge for Azure Data Api Builder development including troubleshooting, best practices, decision making, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when defining DAB entities over SQL/Cosmos, exposing REST/GraphQL, securing auth/RLS, or deploying via Docker/Azure, and other Azure Data Api Builder related development tasks. Not for Azure API Management (use azure-api-management), Azure Functions (use azure-functions), Azure App Service (use azure-app-service), Azure Logic Apps (use azure-logic-apps).
migration-architect
Migration Architect
amplify-workflow
Orchestrates AWS Amplify Gen 2 workflows for building full-stack apps with React, Next.js, Vue, Angular, React Native, Flutter, Swift, or Android. Use when user wants to BUILD, CREATE, or DEPLOY Amplify projects, add authentication, data models, storage, GraphQL APIs, Lambda functions, or deploy to sandbox/production. Do NOT invoke for conceptual questions, comparisons, or troubleshooting unrelated to active development.
omega-memory
Persistent memory for AI coding agents. Teaches agents how to use OMEGA's MCP tools for storing decisions, querying context, coordinating multi-agent workflows, and resuming tasks across sessions.
sveltia-cms
Sveltia CMS Git-backed content management (Decap/Netlify CMS successor). 5x smaller bundle (300 KB), GraphQL performance, solves 260+ issues. Use for static sites (Hugo, Jekyll, 11ty, Gatsby, Astro, Next.js), blogs, docs, i18n, or encountering OAuth errors, TOML/YAML issues, CORS problems, content listing errors.
api-forge
Design REST/GraphQL APIs with OpenAPI 3.1, error handling, pagination, rate limiting, webhooks, and idempotency. Use when user asks to design an API, create endpoints, define REST/GraphQL schema, or generate OpenAPI spec. Do NOT use for database schema design, frontend API integration, or non-HTTP protocols (gRPC, WebSocket, MQTT).
api-doc-generator
Generate API documentation from source code, supporting REST APIs, GraphQL, and various documentation formats.
opentargets-database
Query Open Targets Platform for target-disease associations, drug target discovery, tractability/safety data, genetics/omics evidence, known drugs, for therapeutic target identification.
pr-finisher
Prepare an open pull request for merge from a GitHub Copilot cloud agent. Drives Reviews, local validation, and Mergeable to a ready state. Does not merge, and cannot trigger CI.
nestjs
Provides comprehensive NestJS framework patterns with Drizzle ORM integration for building scalable server-side applications. Generates REST/GraphQL APIs, implements authentication guards, creates database schemas, and sets up microservices. Use when building NestJS applications, setting up APIs, implementing authentication, working with databases, or integrating Drizzle ORM.
007
Security audit, hardening, threat modeling (STRIDE/PASTA), Red/Blue Team, OWASP checks, code review, incident response, and infrastructure security for any project.
defending-applications
Application security defense knowledge for builders, not pentesters. Covers Web/API/GraphQL hardening (XSS/SQLi/SSRF/IDOR/BOLA/Mass Assignment/deserialization/upload/path traversal), authentication/authorization (OAuth 2.0/OIDC/JWT/Session/Cookie/SAML/SSO), and LLM application security (prompt injection, jailbreak, RAG poisoning, agent privilege escalation, output filtering). Use when designing or reviewing application-layer defenses, fixing CVE-class bugs in your own code, hardening auth flows, or threat-modeling LLM-powered features. Do NOT use for offensive testing (see securing-systems/pentest), incident response (see securing-systems/blue-team), or infra-layer hardening (see provisioning-infrastructure).
api-patterns
API design, versioning, testing, schema validation, and contract testing patterns for REST and GraphQL APIs.
microservices-patterns
Design microservices architectures with service boundaries, event-driven communication, and resilience patterns. Use when building distributed systems, decomposing monoliths, or implementing microservices.
producthunt
Search and retrieve content from Product Hunt. Get posts, topics, users, and collections via the GraphQL API. Use when user mentions Product Hunt, PH, or product launches.
shopify-customer
The Customer Account API allows customers to access their own data including orders, payment methods, and addresses.
backendapi-development
Backend API development methodology, including RESTful/GraphQL design, request validation, error handling, and secure implementation
aios-architect
Architect (Aria). Use for system architecture (fullstack, backend, frontend, infrastructure), technology stack selection (technical evaluation), API design (REST/GraphQL/tRPC/We...
one-way-door
Use this skill when creating new files that represent architectural decisions — data models, infrastructure configs, auth boundaries, API contracts, CI/CD pipelines, or event systems. Flags irreversible decisions and forces a discussion about trade-offs before committing.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
api-testing
HTTP API testing for TypeScript (Supertest) and Python (httpx, pytest). Test REST APIs, GraphQL, request/response validation, authentication, and error handling.
graphql-implementation
Builds GraphQL APIs with schema design, resolvers, error handling, and performance optimization using Apollo or Graphene. Use when creating flexible query APIs, migrating from REST, or implementing real-time subscriptions.
microservices-patterns
Design microservices architectures with service boundaries, event-driven communication, and resilience patterns. Use when building distributed systems, decomposing monoliths, or implementing microservices.
cybersecurity-red-team-master
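Red team penetration / offense and defense: the cognitive operating system of authorized red team operators + penetration testing engineers + offensive security consultants (reconnaissance OSINT / external network penetration / internal AD penetration BloodHound + Kerberoasting + ADCS exploitation + lateral movement / web application penetration OWASP WSTG / mobile OWASP MASTG / cloud penetration AWS Azure GCP IAM paths + container escape + K8s / C2 operations Cobalt Strike Sliver Mythic Havoc + OPSEC / initial access + AV EDR bypass (authorized scenarios only) / wireless RF / physical social engineering / reporting and remediation / frameworks MITRE ATT&CK + D3FEND + PTES + OSSTMM + NIST 800-115 + Kill Chain / law and ethics CFAA + Cybersecurity Law + Criminal Law 285 286 + Data Security Law + GDPR + authorization letter + scope + rules of engagement; excludes black-market activity / unauthorized attacks / mass exploitation / supply-chain poisoning / unauthorized DoS, which mean felony charges + industry blacklisting + lawyer license revocation, and this skill strictly keeps to the authorized-only boundary; also excludes blue team SOC + malware-as-a-service / botnets / ransomware authors, which is cybercrime, not red teaming) (Cybersecurity Red Team / Offensive Security Operations — the cognitive operating system of authorized red team operators, penetration testers, and offensive security consultants covering (a) reconnaissance & OSINT (passive + active discovery, asset surface mapping), (b) external network pentest (perimeter, exposed services, web), (c) internal network / Active Directory pentest (AD enumeration via BloodHound, Kerbe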
designing-architectures
Architecture knowledge reference covering API design, security architecture, cloud-native patterns, caching strategies, message queues, and data security. Use when designing system architecture, APIs, or cloud-native infrastructure.
securing-systems
Security engineering router for authorized assessments and defensive engineering. Covers penetration testing, code auditing, red/blue/purple team operations, threat intelligence, and vulnerability research. For specialized application security, cloud security, detection engineering, or security architecture, route to dedicated skills (defending-applications, securing-cloud-and-supply-chain, detecting-and-responding, architecting-security).
fetch-pr-comments
Fetch and summarize unresolved GitHub PR review comments without making changes. Use when the user asks to "fetch PR comments", "show PR comments", "check PR for unresolved comments", "list review comments", "what comments are on the PR", "show unresolved threads", or "summarize PR feedback".
reply-to-pr-threads
Draft, confirm, and post replies to GitHub PR review threads. Handles per-category reply formatting, re-fetches thread resolution state so auto-resolved threads are skipped, and posts via GraphQL. Use when the user asks to "reply to PR threads", "post PR thread replies", or "draft PR reply messages".
resolve-pr-comments
Evaluate, fix, answer, and reply to GitHub pull request review comments. Handles both change requests (fix or skip) and reviewer questions (explain using reasoning recalled from past Claude Code transcripts). Use when the user asks to "resolve PR comments", "fix review comments", "address PR feedback", "handle review comments", "address review feedback", "respond to PR comments", "answer review questions", or "address code review".
web-application-security-testing
OWASP Top 10 testing, injection vulnerability detection, API security assessment, authentication testing, and web vulnerability reporting for authorized assessments
uxc
Discover and call remote schema-exposed interfaces with UXC. Use when an agent or skill needs to list operations, inspect operation schemas, and execute OpenAPI, GraphQL, gRPC, MCP, or JSON-RPC calls via one CLI contract.
fetch-pr-feedback
Fetch unresolved review comments from a PR and evaluate with receive-feedback skill
respond-pr-feedback
Respond to review comments on a PR after evaluation and fixes
api-design
REST/GraphQL/gRPC API design best practices. Use when designing APIs, defining contracts, handling versioning. Covers OpenAPI 3.2, GraphQL Federation, gRPC streaming.
ios-development
Comprehensive iOS app development skill. Use this skill for ANY iOS-related task: writing Swift/SwiftUI/UIKit code, architecting apps, debugging crashes, setting up navigation, networking, data persistence, animations, performance optimization, App Store submission, Xcode configuration. Trigger when user mentions: iOS, Swift, SwiftUI, UIKit, Xcode, iPhone/iPad app, Combine, CoreData, SwiftData, MVVM, TCA, URLSession, async/await, @State/@Binding/@ObservableObject, NavigationStack, XCTest, TestFlight, provisioning profiles, or any Apple platform development. Always use this skill before writing iOS code or architecture.
ops-linear
Linear command center. Shows current sprint, creates/updates issues, manages priorities, syncs with GSD phases.
ops-triage
Cross-platform issue triage. Pulls from Sentry (MCP), Linear (MCP), GitHub Issues (gh). Cross-references against code to find already-fixed issues. Auto-resolves fixed ones. Dispatches agents for active issues.
api-documentation-writer
Generate comprehensive API documentation including endpoint descriptions, request/response examples, authentication guides, error codes, and SDKs. Creates OpenAPI/Swagger specs, REST API docs, and developer-friendly reference materials. Use when users need to document APIs, create technical references, or write developer documentation.
api-design-framework
Use this skill when designing REST, GraphQL, or gRPC APIs. Provides comprehensive API design patterns, versioning strategies, error handling conventions, authentication approaches, and OpenAPI/AsyncAPI templates. Ensures consistent, well-documented, and developer-friendly APIs across all backend services.
api-fuzzing-bug-bounty
This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug b...
api-security-testing
API security testing workflow for REST and GraphQL APIs covering authentication, authorization, rate limiting, input validation, and security best practices.
dotnet-backend
Build ASP.NET Core 8+ backend services with EF Core, auth, background jobs, and production API patterns.
type-safety-validation
Achieve end-to-end type safety with Zod runtime validation, tRPC type-safe APIs, Prisma ORM, and TypeScript 5.7+ features. Build fully type-safe applications from database to UI for 2025+ development.
api-fuzzing-for-bug-bounty
This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.
api-patterns
API design principles and decision-making. REST vs GraphQL vs tRPC selection, response formats, versioning, pagination.
hunt-csrf
Hunting skill for csrf vulnerabilities. Built from 15 public bug bounty reports including modern variants — SameSite=Lax sibling-subdomain bypass (Argo CD CVE-2024-22424), GraphQL mutations-via-GET (GitLab $3,370), framework-wide CSRF middleware disabled (Stripe Dashboard $5,000), path-traversal CSRF-token bypass (GitHub Enterprise CVE-2022-23732 $10k), Origin-omission bypass (TikTok $2,500), OAuth-state null-byte (Streamlabs), WebSocket CSRF / CSWSH (Coda), default-SameSite email-change → ATO (YoYo Games $400), social-account-link CSRF (HackerOne), JSON-CSRF via text/plain on email-change (TikTok $500). Use when hunting modern CSRF — heavy emphasis on chain-to-ATO patterns.
hunt-graphql
Hunting skill for graphql vulnerabilities. Built from 12 public bug bounty reports across IDOR via node() / GID, mutation IDOR including AI/LLM features, cross-tenant IDOR, SSRF via argument, batching-DoS, query-cost-bypass, SQLi via argument, broken-object-level-authz, auth-bypass via unscoped mutations, and PII exposure from missing field-level authz. Use when hunting graphql on any target.
hunt-idor
Hunting skill for idor vulnerabilities. Built from 26 public bug bounty reports. Use when hunting idor on any target.
hunt-misc
Hunting skill for misc vulnerabilities. Built from 225 public bug bounty reports. Use when hunting misc on any target.
hunt-sqli
Hunting skill for sqli vulnerabilities. Built from 12 public bug bounty reports including modern NoSQL injection (Rocket.Chat CVE-2021-22911 MongoDB $regex, Mongoose ORM CVE-2024-53900 $where bypass), modern ORM raw-fragment SQLi (Django CVE-2024-42005, Sequelize GHSA-wrh9-cjv3-2hpw), second-order SOQL injection (HackerOne Salesforce), time-based blind SQLi in GraphQL resolvers, and SQLi on OIDC-proxy backends. Use when hunting SQLi / NoSQLi on any target.
hunt-xxe
Hunting skill for xxe vulnerabilities. Built from 10 public bug bounty reports including SVG-upload XXE, Office-doc (PPTX/DOCX) XXE, SOAP XXE, SAML AssertionConsumer XXE, blind OOB XXE via DTD callback, parameter-entity XXE, XXE-to-LFI, XXE-to-SSRF, and XXE-to-RCE chains (Adobe Commerce CosmicSting CVE-2024-34102). Use when hunting XXE on any target — emphasis on OOB-Or-It-Didn't-Happen Gate for blind cases.
offensive-osint
Operational arsenal for authorized external red-team and bug-bounty recon. Concrete probes, wordlists, regexes, dorks, curl one-liners for: subdomain enum, GraphQL/Swagger/REST discovery, identity fabric (Entra/Okta/ADFS/Google/SAML/M365 deep — Teams/SharePoint/OneDrive), cloud bucket enum (S3/GCS/Azure), CDN/WAF bypass, origin discovery, vendor fingerprinting (Citrix/F5/Pulse/Fortinet/PaloAlto/Cisco/VMware), CI/CD exposure, 48-pattern secret-scan catalog (AWS/GCP/GitHub/Stripe/Slack/Anthropic/OpenAI/Atlassian/DataDog/npm/PyPI), Postman workspaces, breach correlation (HudsonRock/HIBP/DeHashed/IntelX), TLS/JA3 audit, certificate transparency, JS endpoint extraction, package registry leaks, mobile/APK recon, sat imagery, sector-specific recon (healthcare DICOM, finance SWIFT, ICS/SCADA Modbus/BACnet). Detail content in 15 modular reference files, loaded on demand. Use for any authorized recon: scoping, asset discovery, attack-path mapping, secret triage, severity scoring.
mkapi-design
REST/GraphQL API design: resource naming, HTTP methods, status codes, pagination, versioning, error formats. Use for 'design API', 'endpoint patterns'.
prismatic-api
Prismatic API access patterns and GraphQL reference. Covers the two-tier access hierarchy (MCP tools → Prism CLI), CLI usage rules, GraphQL query patterns, pagination, authentication, and managing platform resources programmatically.
rust-best-practices
Guide for writing idiomatic Rust code based on Apollo GraphQL's best practices handbook. Use this skill when: (1) writing new Rust code or functions, (2) reviewing or refactoring existing Rust code, (3) deciding between borrowing vs cloning or ownership patterns, (4) implementing error handling with Result types, (5) optimizing Rust code for performance, (6) writing tests or documentation for Rust projects.
api-design
API design patterns for REST/GraphQL framework design, versioning strategies, and RFC 9457 error handling. Use when designing API endpoints, choosing versioning schemes, implementing Problem Details errors, or building OpenAPI specifications.
github-operations
GitHub CLI operations for issues, PRs, milestones, and Projects v2. Covers gh commands, REST API patterns, and automation scripts. Use when managing GitHub issues, PRs, milestones, or Projects with gh.
blog-taxonomy
Extract, suggest, and sync tags and categories for blog posts across all major CMS platforms. Supports WordPress REST API, Shopify GraphQL, Ghost Content API, Strapi REST/GraphQL, and Sanity GROQ. Generates tag suggestions from content analysis (keyword frequency, heading extraction, semantic grouping), enforces minimum post-count thresholds to prevent thin tag archives, and syncs taxonomy via authenticated API calls. Use when user says "tags", "categories", "taxonomy", "tag suggestions", "sync tags", "WordPress tags", "Shopify tags".
api-breaker
Automated API security testing starting from domains. Discovers REST, GraphQL, and SOAP APIs, reconstructs schemas, and tests for BOLA/IDOR, BFLA, mass assignment, JWT attacks, rate limiting bypass, and business logic flaws. Use when user asks to "test API security", "break API", "find API vulnerabilities", "test GraphQL", "test JWT", "API pentest", or provides domains with API endpoints. For authorized testing only.
attack-path-architect
Generates strategic attack trees and kill chains from reconnaissance data or domain input. Maps MITRE ATT&CK TTPs, identifies chaining opportunities, trust relationships, and prioritizes attack paths by feasibility and impact. Use when user asks for "attack path", "kill chain", "attack tree", "threat modeling from recon", "attack surface analysis", or "prioritize targets". Requires prior recon data or a domain to analyze. For authorized pentesting and red team engagements only.
github
GitHub CLI patterns for issues, projects, and PRs. Invoke when: creating issues, linking PRs to issues, updating project status, or any GitHub project operations.
biome
Lint and format frontend code with Biome 2.4. Covers type-aware linting, GritQL custom rules, domains, import organizer, and migration from ESLint/Prettier. Use when configuring linting rules, formatting code, writing custom lint rules, or setting up CI checks. Triggers on biome, biome config, biome lint, biome format, biome check, biome ci, gritql, migrate from eslint, migrate from prettier, import sorting, code formatting, lint rules, type-aware linting, noFloatingPromises.
cloudflare-workers
Rapid development with Cloudflare Workers - build and deploy serverless applications on Cloudflare's global network. Use when building APIs, full-stack web apps, edge functions, background jobs, or real-time applications. Triggers on phrases like "cloudflare workers", "wrangler", "edge computing", "serverless cloudflare", "workers bindings", or files like wrangler.toml, worker.ts, worker.js.
linear
Managing Linear issues, projects, and teams. Use when working with Linear tasks, creating issues, updating status, querying projects, or managing team workflows.
contentful-graphql-automation
Automate Contentful Graphql tasks via Rube MCP (Composio). Always search tools first for current schemas.
search-mcp-github
Search MCP PRs, issues, and discussions across the modelcontextprotocol GitHub org
api-design
REST/GraphQL/gRPC API design best practices. Use when designing APIs, defining contracts, handling versioning. Covers OpenAPI 3.2, GraphQL Federation, gRPC streaming.
craftcms
Craft CMS 5 plugin and module development — extending Craft with PHP. Covers elements, element queries, services, models, records, project config, controllers, CP templates, migrations, queue jobs, console commands, field types, native fields, events, behaviors, Twig extensions, utilities, widgets, filesystems, permissions, debugging, testing, GraphQL, and Craft configuration. Triggers on: beforePrepare(), afterSave(), defineSources(), defineTableAttributes(), attributeHtml(), MemoizableArray, BaseNativeField, EVENT_REGISTER_*/DEFINE_*/BEFORE_*/AFTER_*, CraftVariable, registerTwigExtension, custom element type, custom field type (normalizeValue, serializeValue, inputHtml), webhook, API endpoint, queue job, batch processing, CP section, control panel, element action, element exporter, element condition, dashboard widget, utility page, registerUserPermissions, requirePermission, GraphQL custom types/mutations, schema building, defineRules, canView/canSave/canDelete authorization, session invalidation, elevated
nw-sd-framework
4-step system design framework with back-of-envelope estimation, scaling ladder, and common pitfalls
anvil
Building terminal UIs, CLI tools, and dev-tool integrations (linter/test-runner/build-tool wiring). Use when CLI/TUI design or implementation is needed. Language-agnostic — supports Node.js, Python, Go, and Rust.
canon
Assessing standards compliance and analyzing gaps. Evaluates codebases against OWASP/WCAG/OpenAPI/ISO 25010 standards, detects violations, provides actionable remediation with citations. Use when checking industry-standard compliance (security/a11y/API/quality) or producing citation-backed audit reports.
gateway
Designing and reviewing APIs via OpenAPI spec generation, versioning strategy, breaking change detection, and REST/GraphQL best practices. Ensures API quality and consistency. Use when API design or OpenAPI specs are needed.
api-design-rest
When creating or extending an HTTP API for client consumption.
api-dev
Modern API development patterns for building high-performance, scalable web services. Expert in async/await patterns, REST/GraphQL APIs, middleware, error handling, rate limiting, OpenAPI documentation, testing, and production optimizations. Framework-agnostic patterns that work with Python, Node.js, Go, and other languages.
api-documenter
Master API documentation with OpenAPI 3.1, AI-powered tools, and modern developer experience practices. Create interactive docs, generate SDKs, and build comprehensive developer portals. Use PROACTIVELY for API documentation or developer portal creation.
api-fuzzing-for-bug-bounty
This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug bounty API testing", or needs guidance on API security assessment techniques.
api-patterns
API design principles and decision-making. REST vs GraphQL vs tRPC selection, response formats, versioning, pagination.
authentication-setup
Design and implement authentication and authorization systems. Use when setting up user login, JWT tokens, OAuth, session management, or role-based access control. Handles password security, token management, SSO integration.
azure-mgmt-apicenter-dotnet
Azure API Center SDK for .NET. Centralized API inventory management with governance, versioning, and discovery. Use for creating API services, workspaces, APIs, versions, definitions, environments, deployments, and metadata schemas. Triggers: "API Center", "ApiCenterService", "ApiCenterWorkspace", "ApiCenterApi", "API inventory", "API governance", "API versioning", "API catalog", "API discovery".
backend-architect
Expert backend architect specializing in scalable API design, microservices architecture, and distributed systems. Masters REST/GraphQL/gRPC APIs, event-driven architectures, service mesh patterns, and modern backend frameworks. Handles service boundary definition, inter-service communication, resilience patterns, and observability. Use PROACTIVELY when creating new backend services or APIs.
c4-component
Expert C4 Component-level documentation specialist. Synthesizes C4 Code-level documentation into Component-level architecture, defining component boundaries, interfaces, and relationships. Creates component diagrams and documentation. Use when synthesizing code-level documentation into logical components.
c4-container
Expert C4 Container-level documentation specialist. Synthesizes Component-level documentation into Container-level architecture, mapping components to deployment units, documenting container interfaces as APIs, and creating container diagrams. Use when synthesizing components into deployment containers and documenting system deployment architecture.
copilot-coding-agent
GitHub Copilot Coding Agent automation. Apply the ai-copilot label to an issue → GitHub Actions auto-assigns Copilot via GraphQL → Copilot creates a Draft PR. One-click issue-to-PR pipeline.
graphql-architect
Master modern GraphQL with federation, performance optimization, and enterprise security. Build scalable schemas, implement advanced caching, and design real-time systems. Use PROACTIVELY for GraphQL architecture or performance optimization.
managing-projects
GitHub Projects v2 expertise for creating and managing project boards, fields, views, and items. Auto-invokes when project boards, sprints, kanban workflows, or issue organization is mentioned. Uses GraphQL for advanced project operations.
managing-relationships
Expert at managing GitHub issue relationships including parent/sub-issues, blocking dependencies, and tracking links using the GraphQL API. Auto-invokes when creating issue hierarchies, setting parent-child relationships, managing dependencies, or linking related issues.
security-guardian
Application security expert for detecting vulnerabilities, auditing code, and guiding security best practices. OWASP Top 10, authentication, authorization, cryptography, secrets management. Use for security audits, reviews of sensitive code, design of secure features, or fixing vulnerabilities.
security-scanning-security-sast
Static Application Security Testing (SAST) for code vulnerability analysis across multiple languages and frameworks
technical-analysis
Technical analysis capabilities for APIs, data models, integrations, and security requirements. Use when analyzing technical aspects of systems or documenting technical requirements.
dev-api
Develop and document a REST or GraphQL API. Use when the user wants to create an endpoint, a route, or structure an API.
api-documentation-generator
Generate comprehensive, developer-friendly API documentation from code, including endpoints, parameters, examples, and best practices
api-security-best-practices
Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
bb-local-toolkit
Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gate
bug-bounty
Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gate
evidence-hygiene
Evidence-capture and PoC-redaction discipline for bug-bounty submissions: cookie redaction protocol (which fields to mask, Preview annotation / Burp panel hiding / DevTools workflow), PII black-bar discipline (what to mask in other-user data — names, emails, phones, faces — vs what is safe to leave — usernames, trace IDs, request bodies), HAR file sanitization (jq filters for Cookie/Set-Cookie/Authorization headers), Burp Repeater/Intruder screenshot hygiene (hide request body, show only Results table for rate-limit attacks), Chrome DevTools Console PoC patterns (credentials include so cookies are not echoed, labeled console.log), screenshot capture order, filename conventions, post-submission rotation hygiene. Use BEFORE any PoC screenshot, BEFORE attaching a HAR, or whenever preparing evidence with session cookies or other-user PII. Pairs with bugcrowd-reporting and report-writing.
typescript-dynamodb-toolbox
DynamoDB single-table design using dynamodb-toolbox v2. Use when creating entities, defining key patterns, designing GSIs, writing queries, implementing pagination, or working with any DynamoDB data layer in TypeScript projects.
go-graphql
Use when building or reviewing a GraphQL API in Go. Covers library choice (gqlgen vs graph-gophers), schema design (nullability, pagination, mutation envelopes), thin resolver pattern, per-request DataLoaders for N+1, authentication via context plus schema directives, error presenters, subscription lifecycle (context cancellation), and production hardening (complexity limits, introspection gating). Apply when working with github.com/99designs/gqlgen or github.com/graph-gophers/graphql-go.
webiny-skill-generator
Generate, update, and maintain abstraction catalogs from the Webiny platform's public API. Use this skill whenever you need to: scan the `webiny` package to discover exported EventHandlers and UseCases, regenerate catalog JSON files after a platform release, check which abstractions are available, or add support for a new abstraction type.
besser-dev
Contributor guide for developing BESSER itself (https://github.com/BESSER-PEARL/BESSER). Use this skill whenever the user is working *inside* the BESSER source tree — adding a new generator (the most common contribution), adding a new metamodel or sub-DSL under `besser/BUML/metamodel/`, writing pytest tests for generators or metamodels, writing JSON↔BUML converters for the web editor, building Sphinx documentation under `docs/source/`, registering a generator in `SUPPORTED_GENERATORS`, or preparing a pull request to BESSER. Trigger on phrases like "add a new generator", "register in the web editor", "GeneratorInterface", "json_to_buml", "buml_to_json", "write tests for my generator", "build the docs", "open a PR to BESSER", or any work that touches `besser/generators/`, `besser/BUML/metamodel/`, `besser/utilities/web_modeling_editor/`, or `tests/`. Prefer this skill over besser-user when the user is contributing *to* BESSER rather than *using* BESSER to build something else.
api-design
Use this skill when designing APIs, choosing between REST/GraphQL/gRPC, writing OpenAPI specs, implementing pagination, versioning endpoints, or structuring request/response schemas. Triggers on API design, endpoint naming, HTTP methods, status codes, rate limiting, authentication schemes, HATEOAS, query parameters, and any task requiring API architecture decisions.
api-testing
Use this skill when testing REST or GraphQL APIs, implementing contract tests, setting up mock servers, or validating API behavior. Triggers on API testing, Postman, contract testing, Pact, mock servers, MSW, HTTP assertions, response validation, and any task requiring API test automation.
backend-engineering
Use this skill when designing backend systems, databases, APIs, or services. Triggers on schema design, database migrations, indexing strategies, distributed systems architecture, microservices, caching, message queues, observability setup, logging, metrics, tracing, SLO/SLI definition, performance optimization, query tuning, security hardening, authentication, authorization, API design (REST, GraphQL, gRPC), rate limiting, pagination, and failure handling patterns. Acts as a senior backend engineering advisor for mid-level engineers leveling up.
aws-solution-architect
Expert AWS solution architecture for startups focusing on serverless, scalable, and cost-effective cloud infrastructure with modern DevOps practices and infrastructure-as-code
self-consistency
Generate N independent reasoning paths and vote on the answer. Use for architectural trade-offs, ambiguous design decisions, or when single-path reasoning risks locking onto the first plausible answer. Paper: Wang et al. 2022.
webiny-api-event-publisher-catalog
api/event-publisher — 2 abstractions.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
graphql
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
shopify-apps
Expert patterns for Shopify app development including Remix/React Router apps, embedded apps with App Bridge, webhook handling, GraphQL Admin API, Polaris components, billing, and app extensions. Use when: shopify app, shopify, embedded app, polaris, app bridge.
api-designer
Use when designing REST or GraphQL APIs, creating OpenAPI specifications, or planning API architecture. Invoke for resource modeling, versioning strategies, pagination patterns, error handling standards.
graphql-architect
Use when designing GraphQL schemas, implementing Apollo Federation, or building real-time subscriptions. Invoke for schema design, resolvers with DataLoader, query optimization, federation directives.
nestjs-expert
Creates and configures NestJS modules, controllers, services, DTOs, guards, and interceptors for enterprise-grade TypeScript backend applications. Use when building NestJS REST APIs or GraphQL services, implementing dependency injection, scaffolding modular architecture, adding JWT/Passport authentication, integrating TypeORM or Prisma, or working with .module.ts, .controller.ts, and .service.ts files. Invoke for guards, interceptors, pipes, validation, Swagger documentation, and unit/E2E testing in NestJS projects.
php-pro
Use when building PHP applications with modern PHP 8.3+ features, Laravel, or Symfony frameworks. Invokes strict typing, PHPStan level 9, async patterns with Swoole, and PSR standards. Creates controllers, configures middleware, generates migrations, writes PHPUnit/Pest tests, defines typed DTOs and value objects, sets up dependency injection, and scaffolds REST/GraphQL APIs. Use when working with Eloquent, Doctrine, Composer, Psalm, ReactPHP, or any PHP API development.
api-diff
Diff an OpenAPI spec across commits and classify each change as major/minor/patch per SemVer-for-APIs
monday-com
Monday.com workspace management via official MCP server. This skill should be used when creating, updating, moving, archiving, or deleting items/boards/groups on Monday.com, managing columns, adding comments, or querying workspace data. Supports both hosted and local MCP deployment with interactive setup guidance.
am-agent-code-standards-enforcer
Enforce coding standards, style guides, and architectural patterns across projects. Specializes in linting configuration, code review automation, and team consistency. Use PROACTIVELY for code quality gates and CI/CD pipeline integration.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
auth-implementation-patterns
Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.
microservices-patterns
Design microservices architectures with service boundaries, event-driven communication, and resilience patterns. Use when building distributed systems, decomposing monoliths, or implementing microservices.
nodejs-backend-patterns
Build production-ready Node.js backend services with Express/Fastify, implementing middleware patterns, error handling, authentication, database integration, and API design best practices. Use when creating Node.js servers, REST APIs, GraphQL backends, or microservices architectures.
api-designer
Design and document RESTful and GraphQL APIs with OpenAPI/Swagger specifications, authentication patterns, versioning strategies, and best practices. Use for: (1) Creating API specifications, (2) Designing REST endpoints, (3) GraphQL schema design, (4) API authentication and authorization, (5) API versioning strategies, (6) Documentation generation
api-documentation-generator
Generate comprehensive, developer-friendly API documentation from code, including endpoints, parameters, examples, and best practices
api-integration-specialist
Expert in integrating third-party APIs with proper authentication, error handling, rate limiting, and retry logic. Use when integrating REST APIs, GraphQL endpoints, webhooks, or external services. Specializes in OAuth flows, API key management, request/response transformation, and building robust API clients.
api-route-design
Use when designing RESTful API endpoints in FastAPI or Python projects. Triggers for: creating GET/POST/PUT/DELETE endpoints, request validation with Pydantic, response formatting with JSON schemas, status code selection, pagination, filtering, or sorting parameters. NOT for: GraphQL APIs, WebSocket handlers, or non-RESTful endpoints.
api-security-best-practices
Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
ask-graphql-mcp
Use Ask GraphQL MCP to handle Web3 and on-chain questions through GraphQL endpoints (especially SubQuery/SubGraph). Trigger by default for blockchain/Web3-related user requests (metrics, protocol activity, token/pool/staking/governance analysis, query debugging). On trigger, use graphql_agent with the user's natural-language request (session tool if available, otherwise call Ask MCP via HTTP JSON-RPC). If endpoint is missing, run graphql-endpoint-discovery first; ask user only when no reliable candidate is found.
aws-solution-architect
Expert AWS solution architecture for startups focusing on serverless, scalable, and cost-effective cloud infrastructure with modern DevOps practices and infrastructure-as-code
designing-apis
Designs REST and GraphQL APIs including endpoints, error handling, versioning, and documentation. Use when creating new APIs, designing endpoints, reviewing API contracts, or when asked about REST, GraphQL, or API patterns.
graphql-schema
GraphQL queries, mutations, and code generation patterns. Use when creating GraphQL operations, working with Apollo Client, or generating types.
happyflow-generator
Automatically generate and execute Python test scripts from OpenAPI specifications and GraphQL schemas with enhanced features
linear
Manages Linear issues, teams, and projects via CLI. Lists issues, creates tasks, views details, links issues, and runs GraphQL queries. Must use for "my Linear issues", "create Linear task", "link issues in Linear", "Linear API query", or any Linear project management request.
mock-server
Create and manage mock API servers for development and testing.
opentargets-database
Query Open Targets Platform for target-disease associations, drug target discovery, tractability/safety data, genetics/omics evidence, known drugs, for therapeutic target identification.
payload
Use when working with Payload CMS projects (payload.config.ts, collections, fields, hooks, access control, Payload API). Use when debugging validation errors, security issues, relationship queries, transactions, or hook behavior.
senior-architect
Comprehensive software architecture skill for designing scalable, maintainable systems using ReactJS, NextJS, NodeJS, Express, React Native, Swift, Kotlin, Flutter, Postgres, GraphQL, Go, Python. Includes architecture diagram generation, system design patterns, tech stack decision frameworks, and dependency analysis. Use when designing system architecture, making technical decisions, creating architecture diagrams, evaluating trade-offs, or defining integration patterns.
senior-backend
Comprehensive backend development skill for building scalable backend systems using NodeJS, Express, Go, Python, Postgres, GraphQL, REST APIs. Includes API scaffolding, database optimization, security implementation, and performance tuning. Use when designing APIs, optimizing database queries, implementing business logic, handling authentication/authorization, or reviewing backend code.
senior-fullstack
Comprehensive fullstack development skill for building complete web applications with React, Next.js, Node.js, GraphQL, and PostgreSQL. Includes project scaffolding, code quality analysis, architecture patterns, and complete tech stack guidance. Use when building new projects, analyzing code quality, implementing design patterns, or setting up development workflows.
shopify-development
Build Shopify apps, extensions, themes using GraphQL Admin API, Shopify CLI, Polaris UI, and Liquid. TRIGGER: "shopify", "shopify app", "checkout extension", "admin extension", "POS extension", "shopify theme", "liquid template", "polaris", "shopify graphql", "shopify webhook", "shopify billing", "app subscription", "metafields", "shopify functions"
twscrape
Python library for scraping Twitter/X data using GraphQL API with account rotation and session management. Use when extracting tweets, user profiles, followers, trends, or building social media monitoring tools.
backend-endpoint
Create REST/GraphQL API endpoint with validation, error handling, and tests. Auto-invoke when user says "add endpoint", "create API", "new route", or "add route".
fec-api-integration
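Use for designing, implementing, or reviewing frontend-backend API integration, typed API clients, REST/tRPC/OpenAPI client selection, auth refresh, API error mapping, upload flows, choosing between SSE/WebSocket/polling, CORS-related frontend behavior, or cross-boundary loading/error states. Do not use for pure backend service architecture or for TanStack Query caching strategy alone. Chinese trigger phrases include API 集成 (API integration), 前后端联调 (frontend-backend joint debugging), typed API client, 接口错误处理 (API error handling), SSE, WebSocket.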
dev-graphql
GraphQL API development. Trigger when the user wants to create schemas, resolvers, or GraphQL queries.
microservices-patterns
Design microservices architectures with service boundaries, event-driven communication, and resilience patterns. Use when building distributed systems, decomposing monoliths, or implementing microservices.
debug-fe-be-integration
Debug frontend-backend integration issues for any project by analyzing backend logs, identifying incorrect API calls, and fixing both sides. Auto-detects FE/BE frameworks, API style (REST/GraphQL/tRPC), and validation library. Uses Sentry MCP for production error context, Firecrawl for debugging pattern research, and Supabase MCP for data verification. Replaces hardcoded paths with auto-detected patterns. Use when diagnosing API errors, mismatched requests, integration issues between frontend and backend, or when the user mentions API 4xx/5xx errors, validation failures, or FE-BE contract mismatches.
design-api
Design RESTful and GraphQL APIs following best practices. Use when designing APIs, creating endpoints, structuring responses, or planning API architecture.
api-testing
HTTP API testing with Supertest (TS) and httpx/pytest (Python). Use when the user mentions API testing, Supertest, httpx, REST/GraphQL validation, or HTTP response errors.
api-design
Design and implement professional REST APIs with consistent patterns, proper error handling, versioning, pagination, and OpenAPI documentation. Use when building any API endpoint, service, or backend interface. Triggers on: REST API, GraphQL, endpoint design, API routes, backend services, webhooks.
architecture
Index of architecture design capabilities (API design, security architecture, cloud native, data security).
security
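Offense-and-defense handbook index (penetration testing/auditing/red team/blue team/threat intelligence/vulnerability research); fully authorized, outputs technical details plus PoC directly.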
loom-api-and-interface-design
Use when a shared interface needs consumer, compatibility, error, permission, or migration design before implementation, including REST, GraphQL, CLI, event, module, component, file-format, worker, or cross-system contracts.
bounty-api
Use when bug-bountying an API target — REST, GraphQL, gRPC, WebSocket. Covers OWASP API Top 10 (BOLA, BFLA, mass assignment, rate limiting bypass, JWT issues, GraphQL abuse). Triggers on "bounty api", "graphql security", "rest api testing", "api top 10".
microservices-patterns
Design microservices architectures with service boundaries, event-driven communication, and resilience patterns. Use when building distributed systems, decomposing monoliths, or implementing microservices.
nodejs-backend-patterns
Build production-ready Node.js backend services with Express/Fastify, implementing middleware patterns, error handling, authentication, database integration, and API design best practices. Use when creating Node.js servers, REST APIs, GraphQL backends, or microservices architectures.
ccc-linear-board
"View your Linear board, pick a task to work on, and sync issue status. Use when: 'linear board', 'show issues', 'pick a task', 'what should I work on', 'my Linear',…
api-and-interface-design
Design API and module boundaries with clear contracts, error semantics, pagination, and additive compatibility. Use before implementing REST/GraphQL endpoints, SDKs, or public module APIs.
api-security-testing
Security testing checklist for HTTP APIs—authn/z, input validation, rate limits, sensitive data exposure, and common OWASP API issues. Use when reviewing or testing REST/GraphQL endpoints before release.
doncheli-api-contract
Design complete API contracts covering endpoints, auth, rate limiting, error handling, retries, circuit breaker and idempotency. Activate when user mentions "api contract", "api design", "endpoint", "webhook", "REST", "GraphQL", "OpenAPI", "design the API".
gnomad-database
gnomAD v4 population variant frequencies via GraphQL API. Allele counts and frequencies stratified by ancestry (AFR, AMR, EAS, NFE, SAS, FIN, ASJ, MID), gene-level constraint (pLI, LOEUF, missense z), and coverage. Identify rare or constrained variants. For clinical pathogenicity use clinvar-database; for GWAS use gwas-database.
create-relay-nodes-component
Generate Relay-based Nodes components with BAITable integration following established patterns (BAIUserNodes, SessionNodes, BAISchedulingHistoryNodes, BAIRouteNodes). Automatically creates component file with GraphQL fragment, type definitions, column configurations, and customization patterns. Minimal user input required - just provide GraphQL type name and the skill generates a complete starting template.
framework-expert
Unified framework expertise bundle. Lazy-loads relevant framework patterns (React, Vue, Angular, Next.js, Node.js, Python, Laravel, Go, Flutter, Godot) based on detected tech stack.
backend-developer
Backend Developer (/be, alias: James, /james) - Senior Backend Developer with 10+ years experience. Covers Java/Spring Boot (default), Kotlin, Python/FastAPI, PHP/Laravel, Quarkus, and Kafka/messaging - detects the project's stack and loads the matching reference. Use when implementing server features, REST APIs, business logic, persistence, messaging, or unit/integration tests in any of these stacks.
frontend-developer
Frontend Developer (/fe, alias: Finn, /finn) - Senior Frontend Developer with 10+ years web and mobile experience. Covers React/Next.js (default), Angular, Vue/Nuxt, Flutter/Dart, and JavaFX desktop - detects the project's framework and loads the matching stack reference. Use when implementing UI components, state management, data fetching, styling, forms, or any web/cross-platform frontend feature in any of these stacks.
github
Execute GitHub operations (PRs, issues, milestones, labels, comments, merges) using Python scripts with structured output and error handling. Use when working with pull requests, issues, review comments, CI checks, or milestones instead of raw gh.
api-design
Generates RESTful and GraphQL API designs with OpenAPI specs, proper resource naming, HTTP method usage, status codes, pagination, filtering, error responses, versioning strategies, and GraphQL schema patterns. Triggers on: "design API", "create API spec", "OpenAPI", "REST endpoint design", "GraphQL schema".
stacked-pr-base-branch-deletion-auto-closes-dependent
Recover from the trap where deleting a base PR's branch auto-closes any open dependent stacked PR, and the closed PR cannot be reopened or retargeted. Use when: (1) you set up a stacked PR pair (PR2's `base` field = PR1's branch instead of `main`), (2) you merged PR1 via squash, (3) PR1's remote branch got deleted — via ANY route: `gh pr merge <N> --squash --delete-branch`, `gh api -X DELETE refs/heads/<branch>`, or `gh pr merge` followed by separate branch cleanup — (4) the dependent PR2 is now reported as `state: CLOSED` even though you never closed it, (5) `gh pr reopen N` fails with `Could not open the pull request`, (6) `gh pr edit N --base main` fails with `Cannot change the base branch of a closed pull request`. The only recovery for the stacked-PR case is to open a fresh PR from the same head branch with base=main. **v1.2.0 (2026-05-19) adds the recoverable single-PR variant**: if the deleted branch was the HEAD of a single, in-flight, NEVER-MERGED PR (e.g. user deleted the branch after a failed merge
write-script-graphql
MUST use when writing GraphQL queries.
hypermedia-link-generator
Hypermedia Link Generator - Auto-activating skill for API Development. Triggers on: hypermedia link generator. Part of the API Development skill category.
stress-test
Adversarially stress-test a technical plan by verifying claims against real docs, running POC code, and updating the plan before you build.
document
Generate or sync API / contract / user-facing documentation from the live system. Use when the user says '/document', 'document this endpoint', 'document the API', 'sync the contract docs', 'capture the new pages', 'write the user guide', 'export the SDK', 'auto-generate', 'generate the wiki for X', or 'refresh the docs'.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
auth-implementation-patterns
Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.
doc-consistency-reviewer
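Documentation consistency reviewer that checks whether the code implementation matches what the documentation says. Use this skill when the user asks to review consistency between documentation and code, check whether README/docs are outdated, or verify the accuracy of API documentation. Applies to: (1) reviewing README consistency with the implementation (2) checking whether documents under docs/ are outdated (3) verifying the accuracy of API/configuration documentation (4) generating a documentation consistency report. Trigger phrases include: 文档审查 (documentation review), doc review, 文档一致性 (documentation consistency), documentation consistency, 检查文档过时 (check for outdated docs), verify docs.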
nodejs-backend-patterns
Build production-ready Node.js backend services with Express/Fastify, implementing middleware patterns, error handling, authentication, database integration, and API design best practices. Use when creating Node.js servers, REST APIs, GraphQL backends, or microservices architectures.
backend-api-development
Comprehensive backend API development skill for building robust, scalable APIs. Use when creating new endpoints, services, or backend functionality. Keywords: API, backend, endpoint, service, REST, GraphQL, server, controller, route
dojo-indexer
Set up and configure Torii indexer for GraphQL queries, gRPC subscriptions, and SQL access. Use when indexing your deployed world for client queries or real-time updates.
find-best-reviewers
Find the best code reviewers in a GitHub repository or for specific file paths — uses GraphQL to analyze PR review history, filters bots, weights review states, surfaces domain specialists
offensive-osint
Operational arsenal for external red-team and bug-bounty reconnaissance. Concrete wordlists (28 Swagger paths, 13 GraphQL paths, 35 high-risk ports, 6 missing-header findings, 15 always-on HTTP checks, 5 SAML paths, cloud bucket permutations, JS guess-paths, vendor product fingerprints for Citrix/F5/Pulse/Fortinet/Cisco/PaloAlto/VMware/Exchange, cloud-native service fingerprints, container/K8s exposure paths, CI/CD platform paths, documentation/wiki leak paths, WHOIS/RDAP, DNS record catalog, Wayback CDX recipes), 43+-pattern secret-regex catalog (incl. modern AI API keys: Anthropic/OpenAI/HuggingFace/Cloudflare/DigitalOcean/npm/PyPI/Docker Hub/Atlassian/DataDog/Sentry/ngrok), 80+ dork corpus across 9 categories, GitHub code-search dorks, copy-paste curl/httpie probes for every check, post-discovery enumeration workflows (AWS/GitHub/Slack/JWT/PMAK/Anthropic/OpenAI), endpoint interest scoring rubric (0–100), mobile app ownership confidence, identity-fabric endpoints (Entra/Okta/ADFS/Google/SAML/M365 Teams+Shar
software-system-analyzer
Detects repository context, maps dependencies (enterprise-specific or general), and generates/persists architectural documentation.
api-designer
Use when designing REST or GraphQL APIs, creating OpenAPI specifications, or planning API architecture. Invoke for resource modeling, versioning strategies, pagination patterns, error handling standards.
code-documenter
Use when adding docstrings, creating API documentation, or building documentation sites. Invoke for OpenAPI/Swagger specs, JSDoc, doc portals, tutorials, user guides.
graphql-architect
Use when designing GraphQL schemas, implementing Apollo Federation, or building real-time subscriptions. Invoke for schema design, resolvers with DataLoader, query optimization, federation directives.
nestjs-expert
Use when building NestJS applications requiring modular architecture, dependency injection, or TypeScript backend development. Invoke for modules, controllers, services, DTOs, guards, interceptors, TypeORM/Prisma.
define-architecture
Capture the architecture of the project — platforms, service shape (monolith vs. modular vs. services), integrations, data flow, trust boundaries, and multi-tenancy. Use when the project-builder agent is gathering architecture information.
api-design-patterns
Comprehensive REST and GraphQL API design patterns with versioning, pagination, error handling, and HATEOAS principles. Use when designing APIs, defining endpoints, or architecting service contracts requiring production-grade patterns.
api-gateway-patterns
API Gateway patterns for routing, authentication, rate limiting, and service composition in microservices architectures. Use when implementing API gateways, building BFF layers, or managing service-to-service communication at scale.
designing-apis
Designs REST and GraphQL APIs including endpoints, error handling, versioning, and documentation. Use when creating new APIs, designing endpoints, reviewing API contracts, or when asked about REST, GraphQL, or API patterns.
scrum-master-agent
Comprehensive Scrum Master assistant for sprint planning, backlog grooming, retrospectives, capacity planning, and daily standups with intelligent context-aware reporting
rust-best-practices
Guide for writing idiomatic Rust code based on Apollo GraphQL's best practices handbook. Use this skill when: (1) writing new Rust code or functions, (2) reviewing or refactoring existing Rust code, (3) deciding between borrowing vs cloning or ownership patterns, (4) implementing error handling with Result types, (5) optimizing Rust code for performance, (6) writing tests or documentation for Rust projects.
fabric-app-bootstrap
Use when creating or deploying a Microsoft Fabric App (preview, Rayfin CLI) — 'build my first Fabric App', 'host this SPA inside Fabric', 'deploy to Fabric Apps', 'rayfin up fails', 'what can Fabric Apps host', or when a deploy needs to run headless/CI with a service principal and zero portal clicks. Also use BEFORE porting an existing app into Fabric, to check what survives static hosting (no Node SSR, no server secrets, no Python runtime, 100 MB zip cap). Do NOT use for the data layer — that is fabric-app-lakehouse-live (read-only) or fabric-app-sqldb-writeback (write-back).
fabric-app-lakehouse-live
Use when a web app (especially a Fabric App SPA) must read EXISTING Lakehouse data live with no backend — 'query the Lakehouse from the browser', 'live data without a server', 'call Fabric GraphQL from my SPA', or when debugging that path: 403 InsufficientPrivileges on a Fabric GraphQL API, MSAL sign-in returning to a blank page, popup 'tela preta', token works but queries fail, rows silently missing. Read-only by design — the Lakehouse SQL endpoint has no mutations and syncs lazily. If the app writes data back, use fabric-app-sqldb-writeback instead. For creating/deploying the app shell, use fabric-app-bootstrap.
fabric-app-sqldb-writeback
Use when a Fabric App needs transactional WRITE-BACK (comments, edits, requests, approvals) on top of Lakehouse data — 'users edit data in my Fabric app', 'write back to the source', 'my saved comment takes forever to appear', 'read-your-own-writes', 'mirror Gold into the app database', 'seed the Rayfin SQL DB headless', or when the app is juggling multiple data tiers/auth flows and needs consolidation. Encodes the operational-data-store architecture: app owns its SQL DB, a copy job mirrors Lakehouse Gold into it, one SDK for everything. For read-only apps use fabric-app-lakehouse-live; for app creation/deploy use fabric-app-bootstrap.
api-examples
Generate API usage examples and tutorials from code analysis
api-test-generate
Auto-generate comprehensive API tests for REST and GraphQL endpoints with request/response validation
api-design
API design principles for REST, GraphQL, and gRPC
api-patterns
API design principles and decision-making. REST vs GraphQL vs tRPC selection, response formats, versioning, pagination.
aws-solution-architect
Design AWS architectures for startups using serverless patterns and IaC templates. Use when asked to design serverless architecture, create CloudFormation templates, optimize AWS costs, set up CI/CD pipelines, or migrate to AWS. Covers Lambda, API Gateway, DynamoDB, ECS, Aurora, and cost optimization.
pr-dev
Manage PR lifecycle — fetch fresh PR state, address every unresolved review thread, fix CI, get user approval, then squash-merge and clean up. Use when the user wants to drive a PR through review and merge.
architecture-runtime-topology
Use when code work touches runtime shape: services, app/CLI/background flows, deployment/IaC, observability, resilience, external integrations, ownership, and runtime coupling.
pentest-api
API security testing — REST/GraphQL/WebSocket, OWASP API Top 10, JWT/OAuth analysis, mass assignment, broken object-level authorization advisory. Triggers on API pentest, OWASP API, REST security, GraphQL test, WebSocket, JWT analysis, OAuth flow, BOLA, BFLA, mass assignment.
pii-detector
Proactive PII add-on — augments the main response with PII guidance. Auto-trigger on any form, schema, migration, model, API route, GraphQL resolver, auth flow, or data design discussion. Also fires on: middleware, webhooks, workers, seed/fixture/factory files, delete/export/purge/anonymize functions, cron jobs, HTTP clients, controllers, services, resolvers. Trigger phrases: "build a form", "collect X data", "what fields should I include", "how should I design the schema", "POC / lead / contact / user / customer information", "store / save / persist X", "sign up / login / auth / registration", "share thoughts on how to build". Trigger on field names: email, phone, name, dob, ssn, card, cvv, password, token, secret, api_key, health, biometric, ip_address, salary, session, device_id, notes, metadata (on user-facing models).
api-design
This skill should be used when the user needs to "design the API", do "endpoint design", pin down a "request/response shape", choose a "pagination" strategy (cursor vs offset), add an "idempotency key" to a write, plan "API versioning", an "error contract", or pick between "REST vs gRPC vs GraphQL" or "WebSocket vs polling". Use it whenever a design has reached the interface — the concrete request, response, primary access path, and how clients page, retry, and version — even if the user only said "the boxes talk to each other".
build-mcp-server
This skill should be used when the user asks to "build an MCP server", "create an MCP", "make an MCP integration", "wrap an API for Claude", "expose tools to Claude", "make an MCP app", or discusses building something with the Model Context Protocol. It is the entry point for MCP server development — it interrogates the user about their use case, determines the right deployment model (remote HTTP, MCPB, local stdio), picks a tool-design pattern, and hands off to specialized skills.
shopify-dev
Shopify Developer. Activate when a user is building or modifying a Shopify theme, app, or integration. Triggers on: "add a section to my theme", "create a Shopify app", "Shopify CLI", "Liquid template", "Storefront API", "Admin API", "checkout extension", "Hydrogen", "Polaris", "shopify theme dev", "metafields", "metaobjects", "app blocks", "Online Store 2.0", "section schema". Covers theme development, app development, GraphQL APIs, CLI workflows, and extensions.
api-design
Design production-grade REST, GraphQL, gRPC, and Python library APIs with correct schemas, error contracts, auth, and versioning. Use when the user asks to design an API, define endpoints, create an OpenAPI/Swagger spec, design a GraphQL schema, build a gRPC service, model request/response with Pydantic, add pagination, or review API contracts. NOT for building MCP server tools (use mcp-server). NOT for Node.js/Express API routes or backend patterns (use backend-patterns or typescript-development).
codebase-onboarding
Auto-generate onboarding documentation from codebase analysis, tailored to the reader's experience level. TRIGGER when: user asks to onboard someone to a codebase, document this codebase, generate project documentation for new team members, write a codebase walkthrough or tour, create a getting-started guide, or explain a codebase to a specific audience. DO NOT TRIGGER when: user wants API reference docs (use language-specific tooling), or wants to understand a single file (just read it).
digest
Generate a multi-platform activity digest for a topic. Fetches and ranks items from HN, GitHub, Reddit, YouTube, ethresear.ch, Snapshot, Polymarket, package registries, CoinGecko, Blockscout, and Shodan. TRIGGER when: user invokes "/digest" or asks for a "digest", "what's happening with X", "activity summary for X", "news about X". DO NOT TRIGGER when: user asks about digest agent code/implementation.
agentx
Drive X/Twitter from the CLI (read, post, DM, lists, communities, Grok, scheduling, analytics). Use when an agent needs to read or act on X/Twitter. Every command prints one JSON envelope.
api-and-interface-design
Use when designing APIs, module boundaries, or any public interface. Use when creating REST or GraphQL endpoints, defining type contracts between modules, or establishing boundaries between frontend and backend.
documentation-and-adrs
Use when making architectural decisions, changing public APIs, shipping features, or when you need to record context that future engineers and agents will need to understand the codebase.
advisory-mining
Mine GitHub Security Advisories and CVE databases for incomplete fixes, finding variant vulnerabilities in patched code or similar patterns in related packages.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
auth-implementation-patterns
Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.
microservices-patterns
Design microservices architectures with service boundaries, event-driven communication, and resilience patterns. Use when building distributed systems, decomposing monoliths, or implementing microservices.
mcp2cli
Turn any MCP server, OpenAPI spec, or GraphQL endpoint into a CLI. Use this skill when the user wants to interact with an MCP server, OpenAPI/REST API, or GraphQL API via command line, discover available tools/endpoints, call API operations, or generate a new skill from an API. Triggers include "mcp2cli", "call this MCP server", "use this API", "list tools from", "create a skill for this API", "graphql", or any task involving MCP tool invocation, OpenAPI endpoint calls, or GraphQL queries without writing code.
connector-init
Interactively generate a custom connector.md for a run by interviewing the user about their data source. Use when no template fits (e.g. a proprietary API, a custom on-disk format, a browser-driven extraction).
ecommerce-api
E-commerce marketplace API integration guide
graphql
GraphQL pentest playbook — find the endpoint, dump the schema (introspection or field-suggestion fallback), then test for authorization gaps, query batching, alias overload, depth-based DoS, and SQLi/NoSQLi in resolver arguments. Use when the target exposes a /graphql endpoint, GraphiQL, Apollo, or accepts GraphQL queries.
webvuln
Web vulnerability hunting playbook. Use after recon, when you have specific hosts/endpoints to test for IDOR/BAC, injection, auth flaws, SSRF, and known CVEs. Emphasizes real PoC + concrete impact.
api-design
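[API Design] Design RESTful/GraphQL APIs from business requirements and output OpenAPI specification documents. Covers route design, request/response schemas, the error code system, and versioning strategy. Trigger when: - the user asks to "design an API", "define an interface", or "write API docs" - API endpoints need to be derived from a database schema - the team's API conventions need to be unified. Does not depend on external tools; driven purely by prompt templates.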
graphql-design
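[GraphQL Design] Design a GraphQL schema, including type definitions, query/mutation design, pagination scheme, error handling, and performance optimization (N+1 protection). Trigger when: - the user asks to "design a GraphQL API" or for a "GraphQL Schema" - migrating from REST to GraphQL - GraphQL performance needs to be optimized. Outputs an executable schema definition.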
microservice-patterns
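[Microservice Patterns] Microservice architecture design patterns, covering service decomposition, communication styles, data management, service discovery, circuit breaking and degradation, and distributed tracing. Trigger when: - the user asks for "microservice architecture" or "service decomposition" - a distributed system needs to be designed - service governance needs to be implemented. Provides pattern selection advice and code implementations.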
designing-apis
Design APIs that are secure, scalable, and maintainable using RESTful, GraphQL, and event-driven patterns. Use when designing new APIs, evolving existing APIs, or establishing API standards for teams.
generating-documentation
Generate comprehensive technical documentation including API docs (OpenAPI/Swagger), code documentation (TypeDoc/Sphinx), documentation sites (Docusaurus/MkDocs), Architecture Decision Records (ADRs), and diagrams (Mermaid/PlantUML). Use when documenting APIs, libraries, systems architecture, or building developer-facing documentation sites.
implementing-api-patterns
API design and implementation across REST, GraphQL, gRPC, and tRPC patterns. Use when building backend services, public APIs, or service-to-service communication. Covers REST frameworks (FastAPI, Axum, Gin, Hono), GraphQL libraries (Strawberry, async-graphql, gqlgen, Pothos), gRPC (Tonic, Connect-Go), tRPC for TypeScript, pagination strategies (cursor-based, offset-based), rate limiting, caching, versioning, and OpenAPI documentation generation. Includes frontend integration patterns for forms, tables, dashboards, and ai-chat skills.
ingesting-data
Data ingestion patterns for loading data from cloud storage, APIs, files, and streaming sources into databases. Use when importing CSV/JSON/Parquet files, pulling from S3/GCS buckets, consuming API feeds, or building ETL pipelines.
load-balancing-patterns
When distributing traffic across multiple servers or regions, use this skill to select and configure the appropriate load balancing solution (L4/L7, cloud-managed, self-managed, or Kubernetes ingress) with proper health checks and session management.
nestjs-patterns
NestJS best practices, module architecture, DTOs, Guards, Interceptors, and common patterns. Use when building or reviewing NestJS backend services.
nextjs-app-router
Next.js App Router best practices, Server Components, Server Actions, routing patterns, and data fetching strategies. Use when building Next.js applications with the App Router.
prisma-workflow
Prisma ORM best practices, schema design, migrations, seeding, and query optimization for PostgreSQL. Use when working with database schemas, migrations, or Prisma queries.
prompt-engineering
Comprehensive prompt engineering framework for designing, optimizing, and iterating LLM prompts. Use when creating prompts, optimizing existing prompts, or improving AI instructions.
tfx-debate
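Derives the best answer for technology selection, architecture comparison, and design decisions through a structured 3-CLI debate. Must be used for comparison/selection requests such as 'A vs B', 'which is better', 'compare these', 'which one should I use', 'pros and cons', or 'tradeoff'. Use actively when a decision among several options is needed rather than a simple question.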
api-integrator
API integration expert. Automatically activates when users need to connect backend APIs, write request wrappers, handle data transformation, or error handling.
api-integrator
API integration expert. Automatically activates when users need to connect backend APIs, write request wrappers, handle data transformation, or error handling.
generating-nest-servers
Handles ALL NestJS and @lenne.tech/nest-server development tasks including module creation, service implementation, controller/resolver development, model definition, and debugging. Covers lt server commands, @Roles/@Restricted security, CrudService patterns, and API tests. Supports monorepos (projects/api/, packages/api/). Activates when working with src/server/ files, NestJS modules, services, controllers, resolvers, models, DTOs, guards, decorators, or REST/GraphQL endpoints. NOT for Vue/Nuxt frontend (use developing-lt-frontend). NOT for nest-server version updates (use nest-server-updating). NOT for TDD workflow orchestration (use building-stories-with-tdd).
api-and-interface-design
Guides stable API and interface design. Use when designing APIs, module boundaries, or any public interface. Use when creating REST or GraphQL endpoints, defining type contracts between modules, or establishing boundaries between frontend and backend.
documentation-and-adrs
Records decisions and documentation. Use when making architectural decisions, changing public APIs, shipping features, or when you need to record context that future engineers and agents will need to understand the codebase.
super-claudiosoftware-development
Software development skill. Use when the user wants to build, code, automate, or deploy anything technical. Covers backend APIs, databases, workflow automation, scripts, free public APIs, and hosting/deployment. Trigger on backend: "build an API", "REST API", "database schema", "Supabase", "Firebase", "PostgreSQL", "MongoDB", "FastAPI", "Express", "Fastify", "GraphQL", "Node.js server", "Python API", "Prisma", "ORM", "authentication backend", "serverless functions". Trigger on automation: "automate this", "connect these apps", "n8n", "Make.com", "Zapier", "when X happens do Y", "no-code automation", "schedule a script", "webhook", "automate posting", "IFTTT", "auto-post to Instagram", "batch processing", "automate email". Trigger on free APIs: "free API for X", "public API", "build a weather app", "NASA API", "real-time data", "open data", "free data source", "API without credit card", "government API". Trigger on deployment: "deploy my app", "Docker", "Railway", "GitHub Actions", "CI/CD", "hosting", "go live
speckit.backend
Backend/API Developer - Builds API services, business logic, auth, and integrations according to API standards.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
drift-canary
Compatibility and schema drift canary — checks for database schema migration safety, breaking API contract changes, serializable payload mismatches, and backward compatibility drift. Triggers on keywords: "/drift-canary", "drift-canary", "contract drift", "breaking changes". Use when changing DB schemas, API contracts, serialized payloads, or required config keys.
api-design
This skill should be used when designing or building an API — endpoints, routes, request/response shapes, error formats, pagination, versioning, or deciding REST vs GraphQL. Trigger phrases include "design the API", "build an endpoint", "REST or GraphQL", "how should I structure my routes", "API error format", "paginate results", "version my API", "validate env vars", "idempotency", "what should this endpoint return". It applies proven REST conventions and a clear REST-vs-GraphQL decision, with env-config validation.
bug-bounty
Complete bug bounty workflow — recon (subdomain enumeration, asset discovery, fingerprinting, HackerOne scope, source code audit), pre-hunt learning (disclosed reports, tech stack research, mind maps, threat modeling), vulnerability hunting (IDOR, SSRF, XSS, auth bypass, CSRF, race conditions, SQLi, XXE, file upload, business logic, GraphQL, HTTP smuggling, cache poisoning, OAuth, timing side-channels, OIDC, SSTI, subdomain takeover, cloud misconfig, ATO chains, agentic AI), LLM/AI security testing (chatbot IDOR, prompt injection, indirect injection, ASCII smuggling, exfil channels, RCE via code tools, system prompt extraction, ASI01-ASI10), A-to-B bug chaining (IDOR→auth bypass, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth), bypass tables (SSRF IP bypass, open redirect bypass, file upload bypass), language-specific grep (JS prototype pollution, Python pickle, PHP type juggling, Go template.HTML, Ruby YAML.load, Rust unwrap), and reporting (7-Question Gate, 4 validation gate
web2-vuln-classes
Complete reference for 18 web2 bug classes with root causes, detection patterns, bypass tables, exploit techniques, and real paid examples. Covers IDOR, auth bypass, XSS, SSRF (11 IP bypass techniques), SQLi, business logic, race conditions, OAuth/OIDC, file upload (10 bypass techniques), GraphQL, LLM/AI (ASI01-ASI10 agentic framework), API misconfig, ATO taxonomy, SSTI, subdomain takeover, cloud/infra misconfigs, HTTP smuggling, cache poisoning. Use when hunting a specific vuln class or studying what makes bugs pay.
atlas-crew-tasks
Use when filing, updating, sequencing, or querying tasks in any atlas-crew repo (Facet + the Atlas Crew Security repos: Apparatus, Chimera, Crucible, Synapse, Bridge). These repos track work in GitHub Issues on Projects v2 boards, NOT backlog.md. Covers the two boards, the Type/Area/Status field model, cross-repo Initiative grouping, gh seq execution ordering, and the non-obvious gh/GraphQL mechanics for setting issue types and project fields. Trigger on: file an issue, create a task, set priority/type/area/status, add to board, what should I work on next, execution order, sequencing, blocked-by, milestone, where does this task go.
bird
X/Twitter CLI for reading, searching, posting, and engagement via cookies.
frontend-navigation
React Router v7 navigation - route definitions, SSR integration, auth guards, Link/Navigate patterns, layout nesting, and project conventions
linear-issue-manager
Linear Issue Manager is built around GraphQL API ecosystem. The underlying ecosystem is represented by graphql/graphql-js (20,335+ GitHub stars). It gives an agent a more technical and reliable way to work with the tool than a thin one-line wrapper, using stable interfaces like queries, mutations, schema introspection, fragments, pagination, subscriptions and preserving the operational context […]
android-reverse-engineering
Decompile Android APK, XAPK, AAB, DEX, JAR, and AAR files using jadx or Fernflower/Vineflower. Reverse engineer Android apps, extract HTTP API endpoints (Retrofit, OkHttp, Volley, GraphQL, WebSocket), trace call flows from UI to network layer, analyze security patterns (cert pinning, exposed secrets), perform dynamic analysis with Frida (adaptive bypass generation, crash analysis, runtime hooking), and — only when the decompiled app contains Google API keys or Firebase configuration — run a conditional Firebase & Google API testing phase (Auth, Realtime DB, Firestore, Remote Config, Storage, Dynamic Links, FCM, Gemini, Maps). Use when the user wants to decompile, analyze, or reverse engineer Android packages, find API endpoints, follow call flows, audit app security, bypass runtime protections, or test exposed Google/Firebase credentials.
api
Use for REST API contracts: endpoints, fields, evolution, status codes, errors, pagination, idempotency.
f5-shared-patterns
Shared reference patterns used across F5 skills
craftcms
Craft CMS 5 plugin and module development — extending Craft with PHP. Covers the full extend surface: elements, element queries, services, models, records, project config, controllers, CP templates, migrations, queue jobs, console commands, field types, native fields, events, behaviors, Twig extensions, utilities, widgets, filesystems, permissions, debugging, testing, GraphQL, and Craft configuration (config/app.php, config/general.php, Redis, SMTP, database replicas). Triggers on: beforePrepare(), afterSave(), defineSources(), defineTableAttributes(), attributeHtml(), MemoizableArray, getConfig(), handleChanged, $allowAnonymous, $enableCsrfValidation, BaseNativeField, EVENT_DEFINE_NATIVE_FIELDS, FieldLayoutBehavior, EVENT_REGISTER, EVENT_DEFINE, EVENT_BEFORE, EVENT_AFTER, CraftVariable, registerTwigExtension, DefineConsoleActionsEvent, PHPStan, Pest, plugin development, module development, custom element type, custom field type, webhook, API endpoint, queue job, batch processing, data sync, migration, CP sec
graphql
Sets up a GraphQL API — schema-first design, resolvers, subscriptions, with PostgreSQL or MongoDB, and optional codegen
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
rich-api-skill
A comprehensive skill covering authentication, operations, and error handling for the Rich API.
api-checklist
Generate an API-level QA checklist in CSV format for manual GraphQL API testing (Postman / GraphQL Playground). Reads the project GraphQL schema from .claude/context/schema.graphql. Use when you need to verify backend/API behavior for a feature separately from UI checks.
silverremove
This skill should be used to remove a tracked work item by ID — closes a GitHub Issue as "not planned" with a removed-by-silver-bullet label (when issue_tracker=github), or marks a local SB-I-N or SB-B-N entry with [REMOVED YYYY-MM-DD] inline in docs/issues/ISSUES.md or docs/issues/BACKLOG.md (when issue_tracker=gsd or absent).
senior-backend
Designs and implements backend systems including REST APIs, microservices, database architectures, authentication flows, and security hardening. Use when the user asks to "design REST APIs", "optimize database queries", "implement authentication", "build microservices", "review backend code", "set up GraphQL", "handle database migrations", or "load test APIs". Covers Node.js/Express/Fastify development, PostgreSQL optimization, API security, and backend architecture patterns.
speckit-extract-run
Extract knowledge, guidelines, and ADRs from one or more completed spec directories into the project documentation system.
graphql-architect
Design and review GraphQL schemas, resolvers, mutations, pagination, and data-loading patterns. Use when building or refactoring GraphQL APIs, adding fields, fixing resolver design, or improving GraphQL performance and safety.
clinical-data-review
Review clinical data models and APIs for HL7 FHIR conformance, terminology standards, interoperability, and clinical workflow correctness. Use when: 'check FHIR compliance', 'review clinical data model', 'audit HL7 conformance', 'validate medical terminology codes', 'assess interoperability readiness', 'check SNOMED/LOINC/ICD-10 usage', 'review EHR data layer'.
resume-target
Use when managing target job positions for resume customization. Handles JD parsing, match score calculation, gap analysis, and multi-target comparison for directed resume generation.
shopify-development
Build Shopify apps, extensions, themes using GraphQL Admin API, Shopify CLI, Polaris UI, and Liquid. TRIGGER: "shopify", "shopify app", "checkout extension", "admin extension", "POS extension", "shopify theme", "liquid template", "polaris", "shopify graphql", "shopify webhook", "shopify billing", "app subscription", "metafields", "shopify functions"
resolve-pr-threads
Orchestrates resolution of GitHub PR review threads AND reads recent non-thread PR comments (top-level + review bodies) by grouping related feedback, processing each group sequentially inline with superpowers:receiving-code-review, and resolving threads via GraphQL. Use when you need to batch-process review feedback to unblock a PR merge.
squash-merge-pr
Squash-merge a PR into main. Invoke only when the user explicitly requests a squash merge. Single PR by number or current branch.
pattern-architect-api-endpoint
Resource-oriented REST design — the single authority for API endpoint shape decisions (paths, verbs, request / response body, status codes, error envelope, pagination, sorting, filtering, versioning, idempotency policy, rate-limit policy, trailing-slash spelling). Activate when designing, adding, or refactoring an HTTP endpoint, controller, or handler. Every decision lands in the api contract at `docs/api-contract/<entity>.yaml` which engineers implement against and reviewers verify.
fabric-apps
Build data-driven applications on Microsoft Fabric Apps (the preview workload that turns TypeScript data models into a SQL database, GraphQL APIs, auth, and static hosting via the Rayfin CLI). Use this skill whenever the user is working with Fabric Apps, the Rayfin CLI (`rayfin`, `npx rayfin up`, `npm create @microsoft/rayfin`), the `@microsoft/rayfin-core` or `@microsoft/rayfin-client` packages, `RayfinClient`, `rayfin.yml`, the `rayfin/data/` folder, or `@entity()`/`@role()` decorators — even if they only say "build an app on Fabric", "scaffold a Fabric app", "add a table/entity to my Fabric app", "query my Fabric data with GraphQL", "deploy to Fabric with rayfin", or describe an internal tool/dashboard/prototype backed by Fabric capacity. Do NOT use this for Azure Service Fabric, Fabric data engineering (notebooks, lakehouses, pipelines, Spark), or Power BI — those are unrelated to Fabric Apps.
universal-data-acquisition-pipeline
Trigger when the user wants to collect, structure, evaluate, crawl, extract, refresh, or build reusable data acquisition pipelines from websites, APIs, portals, files, or rendered apps. Use for dataset design, source classification, feasibility, endpoint discovery, authorized/owned-session scraping plans, Patchright warm-session cookie generation, Playwright fallback, source probing, pagination analysis, scraper/pipeline architecture, sample validation, refresh design, and output contracts. Do not trigger for ordinary browsing, exploitative access, credential theft, CAPTCHA solving, auth bypass, rate-limit bypass, or non-data tasks.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes. USE WHEN building or refactoring Node/Express/Next.js backend code, API routes, or data-access and server-side logic.
api-architect
Design HTTP APIs (REST or GraphQL) from a requirements document — endpoints, resource names, request/response shapes, auth model, pagination, errors, versioning. Produces an OpenAPI 3.1 spec for REST or a typed SDL for GraphQL, plus a one-page design rationale. Use when the user says "design an API for", "plan the endpoints", "give me the API schema for", "REST or GraphQL for this?", or hands over a feature spec and asks for the API surface.
api-architect
Design HTTP APIs (REST or GraphQL) from a requirements document — endpoints, resource names, request/response shapes, auth model, pagination, errors, versioning. Produces an OpenAPI 3.1 spec for REST or a typed SDL for GraphQL, plus a one-page design rationale. Use when the user says "design an API for", "plan the endpoints", "give me the API schema for", "REST or GraphQL for this?", or hands over a feature spec and asks for the API surface.
ios-networking
iOS networking expert skill covering URLSession with async/await, type-safe generic API clients, Codable JSON encoding/decoding, error handling with retry and exponential backoff, OAuth2 token management, WebSocket connections, caching strategies (URLCache/NSCache), network monitoring (NWPathMonitor), multipart uploads, certificate pinning, and GraphQL with Apollo. Use this skill whenever the user builds networking code, API clients, handles JSON, implements authentication flows, or works with remote data. Triggers on: URLSession, networking, API client, REST, HTTP, JSON, Codable, endpoint, fetch data, download, upload, WebSocket, cache, network monitor, reachability, multipart, GraphQL, Apollo, bearer token, refresh token, retry, backoff, certificate pinning, URL, request, response, async networking.
api-designer
Expert guidance on API design including REST vs GraphQL vs gRPC selection, endpoint patterns, authentication strategies, and versioning
drf-patterns
Django REST Framework patterns, serializers, viewsets, permissions, throttling, filtering, pagination, and review checklist. Use whenever the project contains `djangorestframework` in dependencies, `rest_framework` in INSTALLED_APPS, files following DRF naming patterns (`serializers.py`, `viewsets.py`, `permissions.py`), OR the user asks about DRF, Django REST, serializers, viewsets, ModelViewSet, permission_classes, throttle_classes, even if DRF is not mentioned by name.
fastapi-patterns
FastAPI patterns, Pydantic schemas, dependency injection, async correctness, response models, error handling, OpenAPI, and auth. Use whenever the project contains `fastapi` in dependencies, files importing from `fastapi`, `@app.get`/`@router.get` decorators, Pydantic BaseModel subclasses used as request/response types, OR the user asks about FastAPI, Pydantic v2, Depends(), HTTPException, OAuth2PasswordBearer, APIKeyHeader, response_model, even if FastAPI is not mentioned by name.
using-lt-cli
Provides reference for the lenne.tech CLI tool (lt command). Covers lt fullstack init (workspace creation with local template symlinks), lt fullstack update (version sync), lt fullstack convert-mode (npm/vendor switch), lt git get/reset (branch management), lt server create (project scaffolding), lt server object/addProp (element generation), and lt dev (parallel project orchestration via Caddy + dedicated LaunchAgent — install/uninstall/migrate/up/down/status/doctor/tunnel). Activates when user mentions "lt", "lt CLI", "lenne.tech CLI", "lt fullstack", "lt git", "lt server", "lt dev", "fullstack workspace", "local templates", "--api-link", "--frontend-link", "--noConfirm", "convert-mode", "npm mode", "vendor mode", "Caddy tunnel", "trycloudflare", or any lt command syntax. NOT for NestJS module/object/property creation (use generating-nest-servers). NOT for Vue/Nuxt frontend code (use developing-lt-frontend).
api-sculptor
Designs and implements APIs: REST, GraphQL, gRPC, and WebSocket. Produces OpenAPI 3.1 specs, GraphQL SDL schemas, Protocol Buffer definitions, and working server implementations. Use this skill when the user asks about API design, endpoint structure, schema definition, versioning strategy, pagination, authentication, rate limiting, or any API implementation work. Also triggers on "design an API for," "write an OpenAPI spec," "create a GraphQL schema," "set up gRPC," "REST API best practices," or casual requests like "I need endpoints for my app" or "how should I structure my API."
set-blocked-by
Set or remove a GitHub blocked-by relationship between issues. Run with /set-blocked-by <blocked#> <blocker#> or /set-blocked-by remove <blocked#> <blocker#>.
set-parent
Set or remove a GitHub sub-issue (parent/child) relationship. Run with /set-parent <child#> <parent#> or /set-parent remove <child#> <parent#>.
build-data-pipeline
Build a Sui data indexer or analytics pipeline. Use when the user wants to index Sui events, build a pipeline, or query Sui RPC data.
sast-analysis
Perform codebase analysis and architecture mapping as the first phase of a security assessment. Explores the tech stack, frameworks, entry points, data flows, and trust boundaries. Outputs sast/architecture.md. Run this before any vulnerability detection skill. Use when asked to analyze a codebase for security or when sast/architecture.md does not yet exist.
sast-graphql
Detect GraphQL injection vulnerabilities in a codebase using a three-phase approach: recon (confirm GraphQL usage and find unsafe operation document assembly sites), batched verify (trace user input to those sites in parallel subagents, up to 3 candidate sites each), and merge (consolidate batch results). Requires sast/architecture.md (run sast-analysis first). Outputs findings to sast/graphql-results.md. If no GraphQL technology is found in Phase 1, later phases are skipped. Use when asked to find GraphQL injection, unsafe GraphQL document construction, or operation string injection bugs.
sast-report
Consolidate all SAST vulnerability results from the sast/ folder into a single final report ranked by severity and confidentiality impact. Reads all *-results.md files and produces sast/final-report.md. Run after all vulnerability detection skills complete. Use when asked to generate a final report, consolidate findings, or summarize security results.
obsidian-tagging
Specialist skill that owns the tag taxonomy of an Obsidian vault — assigning tags to new notes, keeping tags consistent, extending the hierarchy, and auditing/fixing tag drift. Normally invoked by the obsidian-documentation orchestrator as the final pass of every documentation run, and directly for "fix my tags", "what tags should this have", "tags are a mess" requests.
spotify-web-api-with-fixes-and-improvements-from-sonallux
Spotify Web API with fixes and improvements from sonallux API skill. Use when working with Spotify Web API with fixes and improvements from sonallux for albums, artists, shows. Covers 97 endpoints.
square
Square API skill. Use when working with Square for mobile, oauth2, {location_id}. Covers 327 endpoints.
api-contract-first
Hard gate before implementing any API endpoint or service interface. Requires a written, reviewed contract (OpenAPI 3.x, protobuf, or GraphQL schema) before any implementation code is written. Prevents breaking changes, misaligned clients, and undocumented behaviour.
advisor-triggers
Detects when user requests warrant critical analysis via /advise command
workflow-address-feedback
Use when a PR owner wants to address review feedback — fetches outstanding threads, presents a per-thread triage (ADDRESSED / CLARIFIED / DEFERRED), applies fixes via the Edit tool, commits via workflow-commit-and-pr, posts per-thread replies via the GitHub comments API, and resolves addressed threads via GraphQL resolveReviewThread.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
auth-implementation-patterns
Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.
dhh-rails-style
This skill should be used when writing Ruby and Rails code in DHH's distinctive 37signals style. It applies when writing Ruby code, Rails applications, creating models, controllers, or any Ruby file. Triggers on Ruby/Rails code generation, refactoring requests, code review, or when the user mentions DHH, 37signals, Basecamp, HEY, or Campfire style. Embodies REST purity, fat models, thin controllers, Current attributes, Hotwire patterns, and the "clarity over cleverness" philosophy.
microservices-patterns
Design microservices architectures with service boundaries, event-driven communication, and resilience patterns. Use when building distributed systems, decomposing monoliths, or implementing microservices.
nodejs-backend-patterns
Build production-ready Node.js backend services with Express/Fastify, implementing middleware patterns, error handling, authentication, database integration, and API design best practices. Use when creating Node.js servers, REST APIs, GraphQL backends, or microservices architectures.
rag-implementation
Build Retrieval-Augmented Generation (RAG) systems for LLM applications with vector databases and semantic search. Use when implementing knowledge-grounded AI, building document Q&A systems, or integrating LLMs with external knowledge bases.
data-acquisition-discovery
Use for discovering and reverse-engineering data sources: official APIs, XHR/fetch, GraphQL, persisted queries, Algolia, Shopify, Salesforce Commerce Cloud, sitemaps, feeds, embedded JSON, hydration state, page-data routes, pagination limits, headers, params, and endpoint templates.
api-and-interface-design
Guides stable API and interface design. Use when designing APIs, module boundaries, or any public interface. Use when creating REST or GraphQL endpoints, defining type contracts between modules, or establishing boundaries between frontend and backend.
documentation-and-adrs
Records decisions and documentation. Use when making architectural decisions, changing public APIs, shipping features, or when you need to record context that future engineers and agents will need to understand the codebase.
frontend-headless
Conventions for decoupled/headless frontends — a React SPA (or Next.js) consuming Optimizely's Content Delivery API / Optimizely Graph (GraphQL) rather than Razor server rendering. Use for tasks involving a headless/decoupled Optimizely frontend, Content Delivery API or Optimizely Graph, or a React/Next.js SPA against a CMS. Load when the repo's frontend mode is "headless".
api-fuzzing-bug-bounty
This skill should be used when the user asks to "test API security", "fuzz APIs", "find IDOR vulnerabilities", "test REST API", "test GraphQL", "API penetration testing", "bug b...
api-patterns
API design principles and decision-making. REST vs GraphQL vs tRPC selection, response formats, versioning, pagination.
bosskuai-api-design
Use this for API contract design across REST, GraphQL, and event-driven interfaces, including resource modeling, versioning, errors, pagination, idempotency, and integration-facing correctness.
gh-cli-patterns
Canonical reference for all gh CLI command shapes used by skills in this plugin. Defines the placeholder convention, allowed --json fields, GraphQL fallback rules, -f/-F/--raw-field flag semantics, the PR-readiness gate, code-scanning alert query, review-thread fetch/count/resolve mutations, and heredoc bodies. Prevents Unknown JSON field errors and divergent query shapes.
gh-gemini-review-loop
Use after a GitHub PR is opened, or when the user asks to handle gemini-code-assist review feedback, run the Gemini review loop, fix Gemini comments, or re-request Gemini review. Waits, fixes, pushes, re-asks. Capped by user preference, default 3 cycles.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
sui-frontend
Sui frontend dApp development with @mysten/dapp-kit-react (React) and @mysten/dapp-kit-core (Vue, vanilla JS, other frameworks). Use when building browser apps that connect to Sui wallets, query on-chain data, or execute transactions. Use alongside the sui-ts-sdk skill for PTB construction patterns.
rcode-dalil-scout
Codebase Scout — Dalil (دليل) — for repository discovery, multi-root exploration, focused topic sweeps, and producing structured codebase documents (STACK, ARCHITECTURE, STRUCTURE, INTEGRATIONS, CONVENTIONS, TESTING, CONCERNS). Activates when the user says "scan the codebase", "map the codebase", "what's in this repo", "discover X across the project", "audit instrumentation", "find all callers of Y", "is there any Sentry / GraphQL / Redis usage", "explore the project structure", "talk to Dalil", or "scout this repo". Also activates via /rcode-scan and /rcode-map-codebase. Do NOT use for: plan execution (use executor), strategic decisions (use Sadiq / Waleed), test design (use Fatima), or code modification (use Hanzla / Omar).
api-and-interface-design
Guides stable API and interface design. Use when designing APIs, module boundaries, or any public interface. Use when creating REST or GraphQL endpoints, defining type contracts between modules, or establishing boundaries between frontend and backend.
documentation-and-adrs
Records decisions and documentation. Use when making architectural decisions, changing public APIs, shipping features, or when you need to record context that future engineers and agents will need to understand the codebase.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
api-doc-generator
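Generates API documentation and OpenAPI specifications from code, with support for multiple backend frameworks. Use cases: generating an OpenAPI 3.0 specification for a REST API project, and creating or updating API interface documentation.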
api
API skill. Use when working with for extractor. Covers 1 endpoint.
openapi-generator-online
OpenAPI Generator Online API skill. Use when working with OpenAPI Generator Online for api. Covers 7 endpoints.
learner-profile
Analyze git repositories to build and update a personalized user technical profile. Run once to initialize, then after each completed project to update the global profile.
api-design-review
Invoked helper skill for higher-risk API contract decisions, usually called from /research or /write-a-prd. Use when the unresolved question is API shape, compatibility, auth, webhook design, or paradigm choice. Not a default top-level workflow step or a substitute for ordinary implementation work.
shopify-development
Build Shopify apps, extensions, themes using GraphQL Admin API, Shopify CLI, Polaris UI, and Liquid. TRIGGER: "shopify", "shopify app", "checkout extension", "admin extension", "POS extension", "shopify theme", "liquid template", "polaris", "shopify graphql", "shopify webhook", "shopify billing", "app subscription", "metafields", "shopify functions"
design_api_contracts
Use this skill when designing or reviewing HTTP REST APIs, GraphQL schemas, RPC interfaces, or any API contract between services or between frontend and backend. Triggers on: "design an API for X", "what endpoints do I need?", "review this API design", "how should I structure this REST API?", "what's the right shape for this response?", "versioning strategy", "error response format", "API contract design", "OpenAPI spec". Also use proactively when implementing a backend feature that needs an API surface.
api-design-principles
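Use when designing or reviewing REST or GraphQL APIs, defining interface standards, or migrating between paradigms; produces actionable standards and plans for resource naming, HTTP semantics, pagination, versioning, error formats, schema, and N+1 optimization; not suitable for implementing specific business code, framework operations and deployment, or API security penetration testing; trigger words: API design, REST, GraphQL, interface standards, endpoint, pagination, versioning, HATEOAS, DataLoader, schema design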
api-design-reviewer
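Use when reviewing PRs that add or change API endpoints, auditing existing APIs for a v2 migration, or establishing API standards for a team; performs REST convention linting, breaking-change detection, and design scoring, and produces an issue list with improvement suggestions; not suitable for GraphQL/gRPC interface design, pure implementation coding, or backend performance load testing; trigger words: API design review, api review, REST standards, breaking change, OpenAPI lint, interface review, versioning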
api-test-suite-builder
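Use when integration/contract tests need to be filled in for a REST API in bulk; scans Next.js/Express/FastAPI/Django REST routes and generates a runnable test suite (Vitest+Supertest or Pytest+httpx) covering authentication, input validation, error codes, pagination, file upload, and rate limiting; not suitable for pure frontend UI, unit tests, or GraphQL/gRPC; trigger words: generate API tests, integration test suite, contract tests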
system-architect
System architecture skill for designing scalable, maintainable software systems. Covers microservices/monolith decisions, API design, DB selection, caching, security, and scalability planning.
skills
Use when the user wants to run one of the hostile audit skills in this repo, or asks what skills are available.
shopify-development
Build Shopify apps, extensions, themes using GraphQL Admin API, Shopify CLI, Polaris UI, and Liquid. TRIGGER: "shopify", "shopify app", "checkout extension", "admin extension", "POS extension", "shopify theme", "liquid template", "polaris", "shopify graphql", "shopify webhook", "shopify billing", "app subscription", "metafields", "shopify functions"
skill-forge
Create specialized agents and skills on the fly when existing ones don't fit the task. Scaffolds the agent definition, persona contract, KB stubs, and integration wiring through a guided workflow.
api-doc-generator
Use when user wants to generate API documentation, create OpenAPI/Swagger specs, document REST or GraphQL endpoints, auto-generate docs from code, or produce interactive API reference pages
aw-daily
Fully autonomous daily pipeline for the aw-author plugin. Executes intelligence research (web search + GitHub activity queries), posts to Discussions, performs gap analysis against reference files, creates issues, implements changes on develop branch, creates PR, requests review, and auto-merges. Designed for unattended execution with zero human intervention. Triggers on: "aw-daily", "daily pipeline", "daily cycle", "autonomous update".
write-script-graphql
MUST use when writing GraphQL queries.
creating-pds-issues
Create GitHub issues in NASA-PDS repositories using organizational templates (bug reports, I&T bug reports, feature requests, tasks, vulnerabilities, release themes). Use when user requests to create, file, or submit PDS issues.
api-contract-sync-manager
Validate OpenAPI, Swagger, and GraphQL schemas match backend implementation. Detect breaking changes, generate TypeScript clients, and ensure API documentation stays synchronized. Use when working with API spec files (.yaml, .json, .graphql), reviewing API changes, generating frontend types, or validating endpoint implementations.
agent-collaboration
Enable multi-agent brainstorming and collaborative problem-solving using pub/sub messaging. Use for complex decisions requiring multiple perspectives.
api-documentation-generator
Generate comprehensive, developer-friendly API documentation from code, including endpoints, parameters, examples, and best practices
api-security-best-practices
Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
system-design
Architecture reference - core concepts, technologies, system patterns, software design patterns, anti-patterns, and real-world case studies. Use when designing systems, evaluating tradeoffs, choosing technologies, or selecting an appropriate design pattern.
documentation-generator
Auto-generate technical documentation, README files, and API documentation for software projects.
api-design-plan
Planning and designing scalable, secure, and intuitive APIs
api-discovery
Hidden API discovery and intelligence tool. Detects internal APIs, REST/GraphQL endpoints, WebSocket connections, and authentication patterns on any website. Useful for competitive intelligence, integration building, and understanding how SPA applications work under the hood. Triggers on: hidden API, discover APIs, endpoint, SPA, intercept, XHR, fetch requests, websocket, internal API, reverse engineer API, API patterns, API endpoints, API mapping.
engineering-advanced
Advanced engineering patterns for AI-native products. Use when the user mentions agent design, RAG architecture, AI pipelines, MCP servers, API design best practices, CI/CD pipeline architecture, system design interviews, observability, infrastructure as code, or advanced engineering topics. Also triggers on: agent, RAG, retrieval augmented generation, MCP, API design, REST, GraphQL, CI/CD, GitHub Actions, Docker, Kubernetes, microservices architecture, event-driven, message queues, caching strategies, database design, system design.
openapi-doc-generator
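Use when writing or rewriting specifications for REST or event-driven APIs, or building interactive developer documentation and portals; produces OpenAPI 3.1/AsyncAPI specifications, completed examples and authentication flows, interactive documentation, multi-language SDK generation, and testable examples; not suitable for scenarios with no API surface, pure backend implementation, or where only internal shorthand notes are needed; trigger words: OpenAPI, API documentation, SDK generation, Swagger/Redoc, developer portal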
007
Security audit, hardening, threat modeling (STRIDE/PASTA), Red/Blue Team, OWASP checks, code review, incident response, and infrastructure security for any project.
7
Security audit, hardening, threat modeling (STRIDE/PASTA), Red/Blue Team, OWASP checks, code review, incident response, and infrastructure security for any project.
cm-reactor
Strategic codebase re-direction when requirements change, architecture doesn't fit, or tech debt blocks progress. TRIZ-powered pivot protocol for large codebases.
doc-consistency-reviewer
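Documentation consistency reviewer that checks whether the code implementation matches what the documentation says. Use this skill when the user asks to review consistency between documentation and code, check whether the README/docs are outdated, or verify the accuracy of API documentation. Applies to: (1) reviewing consistency between the README and the implementation (2) checking whether documents in the docs/ directory are outdated (3) verifying the accuracy of API/configuration documentation (4) generating a documentation consistency report. Trigger words include: documentation review, doc review, documentation consistency, check for outdated docs, verify docs.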
graphql-client-integration
- Setting up a GraphQL client in a React or Next.js project - Consuming a GraphQL API with typed queries - Configuring Apollo Client, urql, or Tanstack Query with GraphQL - Adding GraphQL Code Generat
payload-cms
Payload CMS: TypeScript-first headless CMS, collection schemas, access control, hooks, REST+GraphQL APIs, Next.js App Router integration
catalog-audit
Validate product data integration between Adobe Commerce and an AEM Edge Delivery Services storefront. Checks Catalog Service API connectivity, product data rendering accuracy, pricing consistency, image loading, category navigation, and Live Search results. Identifies mismatches between the catalog source and the storefront display. Use when product pages show incorrect data, images fail to load, or after catalog updates to verify storefront accuracy.
api-testing-patterns
API test automation patterns — httpx/requests client wrappers, response validation with Pydantic, test data factories, retry/polling utilities, schema testing, and contract testing.
fastapi-patterns
FastAPI patterns for building production-grade APIs — routing, Pydantic models, dependency injection, middleware, async patterns, WebSockets, and background tasks.
graphql-security
Security audit for GraphQL APIs covering query depth and complexity limits, introspection exposure, field-level authorization, mutation auth, persisted queries, batching abuse, error message leakage, subscription auth, and Apollo/urql/graphql-yoga/Mercurius/Hasura/PostGraphile-specific patterns. Use this skill whenever the user mentions GraphQL, Apollo Server, Apollo Client, urql, graphql-yoga, Mercurius, Hasura, PostGraphile, Strawberry (Python), gqlgen (Go), resolvers, schema.graphql, .gql files, query depth, query complexity, or asks "audit my GraphQL", "GraphQL security review", "depth limit", "persisted queries". Trigger when the codebase contains `.graphql`/`.gql` files, `apollo-server`, `@apollo/server`, `graphql-yoga`, `mercurius`, or `graphql` packages.
nestjs-security
Security audit for NestJS applications including Guards (AuthGuard, RolesGuard), Interceptors, Pipes (ValidationPipe), custom decorators, module structure, dependency injection scoping, GraphQL/REST integration, microservices (TCP, Redis, Kafka transports), and NestJS-specific patterns. Use this skill whenever the user mentions NestJS, @nestjs/common, @nestjs/core, Guards, Interceptors, ValidationPipe, NestFactory, @Injectable, @Module, @Controller, @UseGuards, @UseInterceptors, or asks "audit my NestJS app", "NestJS guards safe", "ValidationPipe security". Trigger when the codebase contains `@nestjs/core` or `@nestjs/common` in package.json.
saas-api-security
Audit SaaS API surface security including rate limiting, CORS configuration, webhook signature verification, GraphQL query depth/complexity, REST API best practices, idempotency keys, request signing, and API key management. Use this skill whenever the user asks about rate limiting, CORS, webhook security, HMAC signatures, GraphQL security, API abuse, throttling, idempotency, replay protection, or "is my API safe". Trigger on phrases like "audit my API", "review my CORS", "webhook security", "rate limit", "GraphQL depth attack", "API abuse", "signature verification". Use this even when only one API surface is mentioned.
saas-code-security-review
Application-code security review for SaaS backends focusing on authentication, authorization, IDOR/BOLA, SSRF, JWT handling, injection (SQL/NoSQL/command/template), deserialization, mass assignment, and SAST findings. Multi-stack (Node/TypeScript, Python, Go, Java, Ruby). Use this skill whenever the user asks to review code for security bugs, find IDOR or BOLA vulnerabilities, audit auth flows, check JWT validation, look for SSRF, hunt for injection, review session management, or interpret SAST output from CodeQL/Semgrep/Snyk Code. Trigger on phrases like 'review this code for security', 'find IDOR', 'is my JWT validation safe', 'SSRF check', 'SAST report', 'auth bypass', 'BOLA', 'audit my auth', 'session security'. Use this when the user shares a code file and security context.
dhh-rails-reviewer
Use this agent when you need a brutally honest Rails code review from the perspective of David Heinemeier Hansson. Use kieran-rails-reviewer for strict convention and taste checks; use this agent for opinionated architectural critique.
address-copilot-review
Take a GitHub pull request through Copilot's code review end to end: check out the PR, fetch Copilot's summary and inline review comments, investigate the codebase to judge each one, apply agreed fixes, commit and push, then reply to and resolve each Copilot thread. Pauses for approval before any GitHub write and asks before dismissing a comment it disagrees with. Use when the user asks to "address the Copilot review", "go through Copilot comments", handle/triage a Copilot PR review, or reply to and resolve Copilot review threads on a PR.
address-review
Take a GitHub pull request's code review feedback end to end: check out the PR, fetch review summaries and unresolved inline threads from any reviewer (bots like Copilot and humans alike), investigate the codebase to judge each comment, apply agreed fixes, commit and push, then reply to each thread and resolve where appropriate. Pauses for approval before any GitHub write, asks before dismissing a comment it disagrees with, and leaves human-opened threads for the human to resolve unless told otherwise. Use when the user asks to "address the review", "address review comments", "go through the PR feedback", "address the Copilot review", handle/triage a PR review, or reply to and resolve review threads on a PR.
graphql
GraphQL schema design standards and resolver conventions. Use when writing or reviewing any GraphQL schema, resolver, or operation — naming, nullability, types, input objects, mutations, queries, and operation structure.
new-feature
Start a new feature for this project. Use when the user says "start a feature", "plan X", "new feature", "begin work on", "let's build X", or picks up a Linear issue to work on. Sets up the run folder, writes a plan with the Three-Surface Rule and test approach baked in, and claims the Linear issue.
api-security
API security review against OWASP API Top 10 2023. Covers auth (OAuth2/JWT/API-keys), object-level authorization (BOLA/IDOR), schema validation, rate-limiting, CORS, SSRF, and GraphQL-specific concerns (introspection, query depth, batching).
secure-coding
Language-agnostic secure-coding patterns — input validation, injection-safe APIs, authN/authZ, crypto, secrets, dependency hygiene. The default lens when no framework-specific skill applies.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing...
web3-dao-tooling
Build DAO governance agents with SpoonOS. Use when monitoring proposals, automating voting, managing delegations, or analyzing governance patterns.
gqlguide
Interactive guide to soda-gql features and patterns
identity-fabric
Concrete endpoints, probes, and enumeration techniques for identity provider fingerprinting and auth surface mapping. Covers Microsoft Entra (Azure AD), Okta, ADFS, Google Workspace, generic OIDC (Keycloak/Auth0/Ping/OneLogin/Duo), SAML metadata, AWS account-ID extraction, Microsoft 365 deep enumeration (Teams/SharePoint/OneDrive/OAuth/Power Platform), GraphQL field-suggestion enumeration when introspection is disabled, and LinkedIn employee enumeration with role prioritization. Use when mapping an org's auth architecture, enumerating SSO/IdP surfaces, or building a target employee list.
web-surface
Probe paths, endpoint scoring, email security analysis, vendor fingerprints, documentation leak hunting, and API endpoint references for authorized web-surface enumeration.
shopify-development
Build Shopify apps, extensions, themes using GraphQL Admin API, Shopify CLI, Polaris UI, and Liquid. TRIGGER: "shopify", "shopify app", "checkout extension", "admin extension", "POS extension", "shopify theme", "liquid template", "polaris", "shopify graphql", "shopify webhook", "shopify billing", "app subscription", "metafields", "shopify functions"
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
aws
AWS hosting and deployment patterns covering compute (EC2, ECS, Lambda), networking (ALB, CloudFront, Route 53, API Gateway), databases (RDS, ElastiCache), infrastructure-as-code (CDK), IAM, monitoring (CloudWatch), and cost optimization. Use when deploying applications to AWS or designing cloud architecture. Triggers on AWS, EC2, ECS, Fargate, Lambda, CloudFront, CDK, API Gateway, Route 53, RDS, IAM.
aio-grafana-diagram
Create Grafana diagrams for system visualization — analyzes codebase to auto-generate Mermaid diagrams with metric binding. For standalone Mermaid diagrams use aio-mermaid instead.
executor
Load before using the `execute` tool, external systems, and configured MCP/OpenAPI/GraphQL integrations. Use `tools.search({ ... })`, then `tools.describe.tool({ path })`, then call the full `tools.<namespace>.<tool>(args)` path.
graphql
GraphQL security testing methodology covering introspection abuse, IDOR via query manipulation, batching attacks, injection via arguments, and subscription abuse.
sqli
SQL injection expert methodology covering UNION-based, blind (boolean/time), error-based, and second-order injection. Includes WAF bypass, out-of-band exfiltration, and post-exploitation DB pivoting.
spike-first
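Before writing any code or plan, enforces a "feasibility gate" on scraping/crawler/API-integration/third-party-service/automated-integration tasks: first use a throwaway probe against the real target to validate the biggest unknown (hit the target before building the gun); only if the probe passes does work proceed to design and implementation, and if it fails, stop on the spot and switch approach. Use this skill whenever the user asks to scrape a website, crawl data, integrate with an external or third-party API/service, build an automated data pipeline against a system you don't control, or any task where "can we even reliably get the data or access we need?" is still an open question — even if they don't explicitly ask for validation. Trigger words: scraping, crawler, data collection, integration, interfacing, API, third-party service, automated integration, anti-scraping, scrape, crawl, integrate, webhook. Be sure to trigger as soon as this kind of task appears; do not wait until you have hit a wall. However, **do not trigger** in the following cases (even if the sentence contains the keywords above): maintaining or debugging scraping/integration code that is **already running**, processing data that has already been obtained, purely local refactoring or performance optimization, running tests (including "integration tests"), writing documentation, or purely conceptual Q&A (such as "explain the difference between REST and GraphQL"). There is only one criterion: is there external data or access for which "can we reliably get it?" is still uncertain before work starts; if not, this is not a job for this skill.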
sf-lwc
Lightning Web Components (Brite edition) with PICKLES methodology and 165-point scoring. TRIGGER when user creates/edits LWC components, touches lwc/**/*.js, .html, .css, .js-meta.xml files, works in brite-salesforce, asks about wire service, SLDS, Jest LWC tests, the LWC Jest pre-commit hook, Dynamic Forms requiring FLS even for admins (`View All Data` does NOT bypass FLS), Dynamic Forms field-level vs section-level visibility evaluation, Flexipage IndexedDB cache flushing (hard refresh insufficient), the `flexipage:recordHomeTemplateDesktop` two-column template name (NOT `...TwoColTemplateDesktop`), Dynamic Forms DateTime `uiBehavior=readonly` for auto-populated fields, or `@AuraEnabled` security primitives. DO NOT TRIGGER when Apex classes (use sf-apex), Aura components, or Visualforce.
api-design-principles
Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
senior-architect
Comprehensive software architecture skill for designing scalable, maintainable systems using ReactJS, NextJS, NodeJS, Express, React Native, Swift, Kotlin, Flutter, Postgres, GraphQL, Go, Python. Includes architecture diagram generation, system design patterns, tech stack decision frameworks, and dependency analysis. Use when designing system architecture, making technical decisions, creating architecture diagrams, evaluating trade-offs, or defining integration patterns.
graphql-schema
GraphQL queries, mutations, and code generation patterns. Use when creating GraphQL operations, working with Apollo Client, or generating types.
full-stack-audit
Comprehensive website and web app audit covering security, UX, performance, accessibility, SEO, compliance, and revenue protection. Use this skill whenever the user asks to audit, review, check, or score a website or web application. Also use when the user says 'full-stack audit', 'UX audit', 'security audit', 'launch checklist', 'is my site ready to launch', 'check my site', 'review my code for issues', 'what did I miss', or any variation of wanting a comprehensive quality review before or after launch. This skill catches the issues that AI-built and vibe-coded sites consistently get wrong: client-side paywalls, exposed database tables, missing security headers, broken mobile layouts, and trust gaps that kill conversion. Triggers even if the user only asks about one area (e.g., 'check my security') because problems compound across categories.
github-issues
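Procedures for viewing, creating, and updating GitHub Issues in the HwHub project. Always refer to this skill when the SM, DEV, or PO needs to fetch an Issue, create an Issue, or update an Issue's body. Prefer MCP for Issue operations, and use the GraphQL API for Projects field operations. Do not perform these operations without reading this skill.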
product-owner-workflow
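Workflow for acting as the Product Owner of the HwHub Scrum team. Defines the procedures for backlog management, filing Issues, detailing ACs, and handling specification questions during a sprint. Always refer to this skill when acting as the PO.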
scrum-master-workflow
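Workflow for acting as the Scrum Master of the HwHub Scrum team. Defines the procedures for running Planning, starting DEV, consolidating reviews, Sprint Review, and Retro. Always refer to this skill when acting as the SM.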
api-security
Audits and hardens the security of REST and GraphQL APIs. Use when the user develops endpoints, configures auth, or reviews backend code for common vulnerabilities.
github-cli
Advanced GitHub CLI workflows for PR review, CI/CD debugging, Actions management, API queries, and code search. Use when the user needs to review PRs, debug failing checks, manage workflows, search across repos, or make complex gh API calls. Not needed for basic gh commands the agent already knows.
api-integration
Expert API integration decisions for iOS/tvOS: REST vs GraphQL trade-offs, API versioning strategies, caching layer design, and offline-first architecture choices. Use when designing network architecture, implementing offline support, or choosing between API patterns. Trigger keywords: REST, GraphQL, API versioning, caching, offline-first, URLSession, background fetch, ETag, pagination, rate limiting
aws
AWS hosting and deployment patterns covering compute (EC2, ECS, Lambda), networking (ALB, CloudFront, Route 53, API Gateway), databases (RDS, ElastiCache), infrastructure-as-code (CDK), IAM, monitoring (CloudWatch), and cost optimization. Use when deploying applications to AWS or designing cloud architecture. Triggers on AWS, EC2, ECS, Fargate, Lambda, CloudFront, CDK, API Gateway, Route 53, RDS, IAM.
bird
X/Twitter CLI for reading, searching, posting, and engagement via cookies.
dojo-indexer
Set up and configure Torii indexer for GraphQL queries, gRPC subscriptions, and SQL access. Use when indexing your deployed world for client queries or real-time updates.
make-issue
Create a new GitHub issue with guided template, type, and label selection. Gathers repo metadata, suggests labels, writes a well-structured issue body, and asks for confirmation before submitting.
refresh-tarkovdev-schema
Update the tarkov.dev GraphQL schema and regenerate the Go client code
backend-development
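Backend development fundamentals. Best practices for building robust backend systems, including API design, database design, authentication and authorization, error handling, and security.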
apex-pipeline
Unified application security testing workflow — combines recon, SAST, DAST, manual hunting, validation, and reporting into a single orchestrated pipeline. Runs as an "app" with automated phase transitions. Supports web apps (React, Next.js, Django, Flask, Laravel, Spring, Rails, Express), mobile APIs, GraphQL, REST, gRPC, and microservices. Phases — Phase 0 (target intake + scope lock), Phase 1 (passive recon + tech fingerprint), Phase 2 (SAST deep scan via semgrep/grep/trufflehog), Phase 3 (DAST active probing — nuclei/ffuf/dalfox), Phase 4 (manual hunt — IDOR/SSRF/XSS/SQLi/auth-bypass/race/business-logic/LLM), Phase 5 (chain building + impact escalation), Phase 6 (7-Question Gate validation), Phase 7 (report generation). Use when starting a full security assessment on any application, when asked to "test this app", "audit this codebase", "find bugs in this project", or when you need an end-to-end security workflow that combines static and dynamic analysis with manual expertise.
graphql-advanced
Comprehensive guide to graphql advanced. Master the concepts, implementation, best practices, and real-world applications of graphql advanced in professional environments.
claude-architecture-skill
The same architecture mechanism as the Claude-Opus model
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
fastapi-project
Scaffold and evolve FastAPI projects with uv-based tooling, structured settings, and production-ready observability, resilience, availability, and security patterns aligned with python.instructions.md.
refresh-tarkovdev-schema
Update the tarkov.dev GraphQL schema and regenerate the Go client code
spec-builder
Transform vague product or feature ideas into concrete, detailed specification documents through an interactive interview process. Use when the user wants to flesh out an idea, create a spec, write requirements, plan a product/feature/prototype, or go from "I have this idea..." to a concrete document. Works for software products, physical products, services, or any concept that needs specification.
api-and-interface-design
Guides stable API and interface design. Use when designing APIs, module boundaries, or any public interface. Use when creating REST or GraphQL endpoints, defining type contracts between modules, or establishing boundaries between frontend and backend.
documentation-and-adrs
Records decisions and documentation. Use when making architectural decisions, changing public APIs, shipping features, or when you need to record context that future engineers and agents will need to understand the codebase.
senior-backend
Designs and implements backend systems including REST APIs, microservices, database architectures, authentication flows, and security hardening. Use when the user asks to "design REST APIs", "optimize database queries", "implement authentication", "build microservices", "review backend code", "set up GraphQL", "handle database migrations", or "load test APIs". Covers Node.js/Express/Fastify development, PostgreSQL optimization, API security, and backend architecture patterns.
graphile-search
Unified PostGraphile v5 search plugin (graphile-search). Consolidates tsvector, BM25, pg_trgm, and pgvector into a single adapter-based architecture with composite searchScore and unifiedSearch fields. Includes codegen SDK query patterns for all search types. Use when asked to "add search to GraphQL", "expose search in PostGraphile", "configure search adapters", "query search via SDK/codegen", or when building search features on a Constructive or PostGraphile v5 stack.
address-feedback
Works through all open PR review threads by fixing code, replying to reviewers, and resolving threads. Use when 'address feedback', 'fix PR comments', 'resolve review threads', or after a code review has left feedback on the PR.
senior-backend
Designs and implements backend systems including REST APIs, microservices, database architectures, authentication flows, and security hardening. Use when the user asks to "design REST APIs", "optimize database queries", "implement authentication", "build microservices", "review backend code", "set up GraphQL", "handle database migrations", or "load test APIs". Covers Node.js/Express/Fastify development, PostgreSQL optimization, API security, and backend architecture patterns.
logics-connector-linear
Connect Linear (GraphQL) to the Logics workflow: list issues and import a Linear issue into `logics/backlog/` as a new `item_###_*.md` with a link back to Linear.
shopify-apps
Expert patterns for Shopify app development including Remix/React Router apps, embedded apps with App Bridge, webhook handling, GraphQL Admin API, Polaris components, billing, and app extensions. U...
vendure
Assists with development using the Vendure e-commerce framework for Node.js. Handles headless commerce, GraphQL APIs, order management, product catalogs, payment integration, and TypeScript e-commerce development. Use when working on Vendure projects, creating plugins, or integrating storefronts.
senior-backend
This skill should be used when the user asks to "design REST APIs", "optimize database queries", "implement authentication", "build microservices", "review backend code", "set up GraphQL", "handle database migrations", or "load test APIs". Use for Node.js/Express/Fastify development, PostgreSQL optimization, API security, and backend architecture patterns.
shopify-development
Build Shopify apps, extensions, themes using GraphQL Admin API, Shopify CLI, Polaris UI, and Liquid. TRIGGER: "shopify", "shopify app", "checkout extension", "admin extension", "POS extension", "shopify theme", "liquid template", "polaris", "shopify graphql", "shopify webhook", "shopify billing", "app subscription", "metafields", "shopify functions"
Integration detected automatically from skill content. Some results may be false positives.