
Add five security skills: OAuth, AWS, prototype pollution, deserialization, Django #617

Merged: bearsyankees merged 4 commits into usestrix:main from Ayush7614:feat/add-security-skills on Jul 3, 2026

Ayush7614 (Contributor) commented Jul 1, 2026

Summary

Adds five new community skills that were missing from the repository:

  • protocols/oauth — OAuth 2.0 / OIDC flow testing (redirect URI manipulation, PKCE bypass, token confusion, state/nonce CSRF)
  • cloud/aws — AWS security (S3 exposure, IAM escalation, IMDS abuse, Cognito/Lambda misconfigs)
  • vulnerabilities/prototype_pollution — Client/server prototype pollution with Node.js gadget guidance
  • vulnerabilities/insecure_deserialization — Java, Python, PHP, .NET deserialization and gadget chains
  • frameworks/django — Django/DRF testing (ORM injection, permissions, CSRF, sessions, admin)

Each skill follows the existing format: YAML frontmatter, attack surface, methodology, techniques, bypass methods, validation, and false-positive guidance.

Verification

  • All five skill names register in get_all_skill_names()
  • validate_requested_skills() passes for each skill
  • load_skills() loads full content with required sections
  • Category placement verified (protocols, cloud, vulnerabilities, frameworks)

Test plan

  • Skill discovery and validation script passes locally
  • Maintainer review of technical accuracy
  • Optional: spawn agent with skills="oauth,business_logic" to confirm prompt injection

@Ayush7614 Ayush7614 force-pushed the feat/add-security-skills branch from a27dbab to e990aee Compare July 1, 2026 19:04
Expand coverage with OAuth flow testing, AWS misconfigurations, prototype
pollution, insecure deserialization, and Django framework playbooks.
greptile-apps (Bot, Contributor) commented Jul 1, 2026

Greptile Summary

Adds five new security skill markdown files across the cloud, frameworks, protocols, and vulnerabilities categories. All five follow the established skill format (YAML frontmatter, Attack Surface, Key Vulnerabilities, Testing Methodology, Validation, False Positives) and are technically accurate.

  • cloud/aws.md and protocols/oauth.md are clean additions with no issues; the S3 existence-vs-listing fix from the prior review round is correctly implemented in aws.md.
  • frameworks/django.md is comprehensive but contains imprecise wording for the simplejwt algorithm-confusion attack; the existing authentication-jwt skill uses the clearer "RS256→HS256 confusion" terminology.
  • vulnerabilities/insecure_deserialization.md and vulnerabilities/prototype_pollution.md use underscores in their frontmatter name fields, while every other multi-word skill in the repository uses hyphens. Skill registration uses filename stems, so there is no functional impact, but the inconsistency is worth aligning.

Confidence Score: 5/5

All five files are documentation-only skill markdown files with no executable code paths; merging carries no runtime risk.

The change is entirely additive markdown content. The skill loader strips frontmatter and reads file stems for registration, so none of the minor wording or naming observations affect how the skills load or validate. The technical content across all five files is accurate and well-structured.

The JWT wording in strix/skills/frameworks/django.md is the only content-accuracy nit worth a second look before merging.

Important Files Changed

| Filename | Overview |
| --- | --- |
| strix/skills/cloud/aws.md | New AWS security skill covering IAM escalation, S3 exposure, IMDS abuse, Cognito, Lambda, and snapshots — technically accurate, well-structured, and the S3 existence-vs-listing distinction from the previous review has been cleanly addressed. |
| strix/skills/frameworks/django.md | New Django/DRF security skill covering ORM injection, CSRF, IDOR, mass assignment, and WebSocket parity — solid overall, but the simplejwt JWT section uses imprecise wording for the algorithm confusion attack that differs from the established convention in the existing authentication-jwt skill. |
| strix/skills/protocols/oauth.md | New OAuth 2.0/OIDC skill covering redirect URI manipulation, PKCE bypass, state/nonce CSRF, token confusion, and device flow abuse — comprehensive and technically accurate. |
| strix/skills/vulnerabilities/insecure_deserialization.md | New deserialization skill covering Java, Python, PHP, .NET, Ruby, and Node.js gadget chains — the frontmatter description now correctly includes Node.js; the frontmatter name field uses underscores inconsistently with the repository hyphen convention. |
| strix/skills/vulnerabilities/prototype_pollution.md | New prototype pollution skill covering client-side, server-side Node.js RCE gadget chains, and filter bypasses — technically accurate; frontmatter name field uses underscores inconsistently with the hyphen convention used by all other multi-word skills. |

Reviews (2): Last reviewed commit: "Clarify S3 existence vs public listing c..."

Comment thread strix/skills/cloud/aws.md
Comment thread strix/skills/vulnerabilities/insecure_deserialization.md Outdated
@Ayush7614 Ayush7614 force-pushed the feat/add-security-skills branch from e990aee to 100f561 Compare July 1, 2026 19:05
- Use head-bucket for S3 existence checks instead of duplicating s3 ls
- Add Node.js to insecure_deserialization frontmatter description

rajpratham1 left a comment

Thanks for contributing these security skills. The structure is consistent across all documents and the coverage is comprehensive, making them easy to consume. I only have one minor suggestion: in aws.md, the unauthenticated enumeration section should more clearly distinguish bucket existence checks (head-bucket/HTTP status) from public listing (aws s3 ls). Aside from that clarification, the content looks well organized and valuable.

Split unauthenticated enumeration into separate head-bucket/HTTP
and s3 ls steps with interpretation guidance per review.
@Ayush7614 (Contributor, Author)

Thanks for the review, @rajpratham1!

Addressed in d84930d — the unauthenticated enumeration section in aws.md is now split into two separate steps:

  1. Bucket existence: head-bucket / curl -I with 403 vs 404 interpretation
  2. Public listing: aws s3 ls only, with a note that list failure does not disprove existence

Ready for another look when you have a moment.
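The two-step interpretation described in the comment above, as an added example that is not part of the PR or of aws.md: it parses constructed `curl -I` header dumps for the existence check and keeps the listing result separate, so a failed listing never changes the existence verdict. The function names, the sample responses, the handling of 200 and 301, and the region header lookup are assumptions of this example.

```python
import re

# Constructed `curl -I` header dumps (not captured from real buckets).
HEAD_PRIVATE = "HTTP/1.1 403 Forbidden\r\nx-amz-bucket-region: eu-west-1\r\nServer: AmazonS3\r\n\r\n"
HEAD_MISSING = "HTTP/1.1 404 Not Found\r\nServer: AmazonS3\r\n\r\n"
HEAD_OPEN = "HTTP/1.1 200 OK\r\nx-amz-bucket-region: us-east-1\r\nServer: AmazonS3\r\n\r\n"

# Existence comes only from the HEAD status. 403 vs 404 is the rule from the thread;
# 200 and 301 (wrong regional endpoint) are added assumptions of this example.
EXISTS_BY_STATUS = {200: True, 301: True, 403: True, 404: False}


def parse_head(raw):
    """Return (status, headers) for the last response block in raw header text."""
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.startswith("HTTP/")]
    if not blocks:
        raise ValueError("no HTTP status line found")
    lines = blocks[-1].splitlines()
    match = re.match(r"HTTP/\S+\s+(\d{3})", lines[0])
    if not match:
        raise ValueError("malformed status line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def assess_bucket(raw_head, listing_succeeded=None):
    """Combine the existence check with a separate listing attempt.

    listing_succeeded is True/False from an `aws s3 ls` attempt, or None if not run.
    """
    status, headers = parse_head(raw_head)
    exists = EXISTS_BY_STATUS.get(status)  # None means inconclusive
    if exists is False and listing_succeeded:
        raise ValueError("listing succeeded but HEAD returned 404; recheck the bucket name")
    if listing_succeeded:
        exists, finding = True, "publicly listable"
    elif exists:
        # A failed listing only narrows the finding; it never flips `exists`.
        finding = "exists, listing not public" if listing_succeeded is False else "exists, listing untested"
    elif exists is False:
        finding = "no such bucket"
    else:
        finding = "inconclusive"
    return {"status": status, "exists": exists,
            "region": headers.get("x-amz-bucket-region"), "finding": finding}
```
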

@bearsyankees (Collaborator)

@greptile

@bearsyankees (Collaborator)

LGTM thanks @Ayush7614, added a few tools

@bearsyankees bearsyankees merged commit 7e808f7 into usestrix:main Jul 3, 2026
1 check passed
@Ayush7614 Ayush7614 deleted the feat/add-security-skills branch July 3, 2026 23:41