superhacker preflight PASS / contract 97/97 / auth gate ARMED
GitHub
Authorized-security routing

/superhacker

One security objective, routed to the one reference that owns it.

A single intent-routing skill: scope under a mandatory authorization gate, classify the work into 1 of 14 routes, execute least-impact, and report with reproducible evidence. Offense is always paired with detection and remediation.

Type: agent skill (SKILL.md) Folds: 26 domains plus clue hunt into 14 routes Use: authorized testing, CTF, lab, defense
Engagement loop

Five steps, every engagement.

The same disciplined arc whether you are attacking, defending, or investigating. The objective enters at Scope and never moves without authorization.

01

Scope

State objective, authorization status, and posture in one line. Hard stop if active work lacks authorization.

02

Frame & route

Gather context passively, classify the intent, and load only the one routed reference.

03

Execute

Run the routed workflow passive to active, in-scope only, capturing evidence as you go.

04

Verify

Reproduce every finding with command and output, rate severity, drop false positives.

05

Report

Severity-ordered findings with repro, remediation, and detection guidance.

Safety spine

Authorization is a hard stop, not a checkbox.

The gate loads at Scope on every engagement. Passive and read-only is the default. Active scanning, exploitation, credential attacks, or persistence against anything you cannot prove is in-scope: the skill refuses and asks first.

  • Written RoE or scope for client work
  • Owned systems, lab, and CTF are self-authorizing, stated in one line
  • Least-impact ordering: passive before active, non-destructive before destructive
  • Never DoS, mass-target, destroy data, or persist beyond scope
  • Offense always paired with detection and remediation
Route table

One intent resolves to one route.

An upstream library of 26 domains and 754 skills, plus passive-first clue hunting, folded into 14 routes. The router classifies the objective and loads exactly one reference on demand, so context stays small and the workflow stays focused.

offensive (authorization-gated) defensive both or clue hunt (passive-first)
clue-huntpassive-first

Vulnerability Clue Discovery

Turns source and behavior signals into hypotheses, confidence, and a least-impact validation queue.

OWASP WSTG / ASVS / CWE
reconoffensive

Reconnaissance & Vulnerability Discovery

OSINT, scanning, attack-surface enumeration, vuln triage by CVSS and exploitability.

ATT&CK TA0043 / CVSS
web-apioffensive

Web & API Exploitation

OWASP Top 10, SQLi / XSS / SSRF / IDOR / auth bypass, GraphQL and REST, WAF behavior.

OWASP Top 10 / API Top 10
networkboth

Network & OT/ICS Security

Segmentation, traffic analysis, IDS/IPS, OT/ICS protocols. Passive-first for ICS.

ATT&CK ICS / IEC 62443
redteamoffensive

Red Team & Adversary Emulation

AD attack paths, privilege escalation, lateral movement, phishing sim, purple-team handoff.

ATT&CK kill chain / ATLAS
cloud-containerboth

Cloud & Container Security

AWS/Azure/GCP hardening, CSPM, Kubernetes RBAC, image scanning, runtime detection.

CIS Benchmarks / ATT&CK Cloud
identitydefensive

Identity, Access & Zero Trust

IAM review, least-privilege, PAM, MFA/SSO, zero-trust segmentation design.

NIST 800-207 / CISA ZTMM
appsecdefensive

AppSec, DevSecOps & Cryptography

Secure SDLC, SAST/SCA/secret gates, IaC audit, TLS and key management, signing.

NIST SSDF / SLSA / SAMM
soc-detectdefensive

SOC, Detection & Threat Hunting

SIEM, log analysis, Sigma/YARA rules, hypothesis-driven hunts, LOTL analytics.

ATT&CK / D3FEND / CSF Detect
threat-inteldefensive

Threat Intelligence

STIX/TAXII, MISP, feed profiling, actor and campaign attribution, intel requirements.

Diamond Model / Kill Chain
incident-responsedefensive

Incident Response, Ransomware & Phishing

Triage, containment, eradication, recovery, BEC and phishing response.

NIST 800-61 / SANS PICERL
forensicsdefensive

Digital Forensics & Malware Analysis

Disk/memory imaging, timeline reconstruction, static and dynamic malware analysis.

NIST 800-86 / Volatility3
mobileboth

Mobile Security

Android/iOS app analysis, mobile pentest, MASVS controls, MDM forensics.

OWASP MASVS / MASTG
governdefensive

Compliance, Governance & Deception

CIS / SOC 2 / ISO 27001 mapping, gap assessment, honeytokens and canaries.

NIST CSF 2.0 / ISO 27001
Core principles

The discipline behind the routing.

01

Authorization-first

Confirm written scope before any active or intrusive action. Default to passive. Refuse and ask when you cannot prove in-scope.

02

Least impact

Order actions passive to active, non-destructive to destructive. Never DoS, mass-target, or persist beyond the agreed scope.

03

Evidence-based

Every finding is backed by reproducible evidence. A plausible-but-unverified finding is the failure mode, so drop or downgrade it.

04

Defensive purpose

Offensive technique exists to improve defense. Always deliver detection and remediation alongside any exploit finding.

05

Faithful reporting

Accurate severity with no inflation, clear repro, and an explicit not-tested section so silence is never read as safe.

06

One reference at a time

The router loads only the reference it classified. Context stays small, the procedure stays focused, the deliverable stays clean.

By the numbers

Simplified on purpose.

The whole point is one skill that routes, not a sprawl of skills to install. The breadth lives in the references; the entry point stays single.

1
skill loaded
14
routes
26
domains folded
754
upstream skills
97
contract checks