explaingit

0xpira/sskills

Analysis updated 2026-05-18

25JavaScriptAudience · developerComplexity · 2/5LicenseSetup · easy

TLDR

A growing library of structured security-specialist knowledge packages that help AI agents and reviewers triage findings like HTTP request smuggling.

Mindmap

mindmap
  root((repo))
    What it does
      Security knowledge library
      Signal triage specialists
      Structured output contracts
    Tech stack
      JavaScript
      Markdown
    Use cases
      Triage security signals
      Validate findings
      Add new specialists
    Audience
      Security engineers
    Caveats
      No automated attack payloads
      Only one specialist so far

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Load a security specialist package to triage a messy incoming vulnerability signal.

USE CASE 2

Classify and reject weak or false findings using documented proof contracts.

USE CASE 3

Validate a specialist's technique cards and metadata with the included scripts.

USE CASE 4

Add a new security specialist domain by following the standard folder layout.

What is it built with?

JavaScriptMarkdown

How does it compare?

0xpira/sskillsarulsebastin71/smartqueuebrunosimon/stylized-low-poly
Stars252525
LanguageJavaScriptJavaScriptJavaScript
Last pushed2023-02-11
MaintenanceDormant
Setup difficultyeasymoderatemoderate
Complexity2/53/52/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 30min

Validation scripts run locally with a single command per specialist.

In plain English

SSkills (short for Slop Skills) is a public library of specialist knowledge packages designed for security agents and human reviewers. The core idea is that when you get a messy security signal, you should not need to carry all knowledge at once. Instead, a broad specialist loads first, reads the incoming evidence, and then pulls in only the specific technique cards that apply. This keeps each session lightweight and targeted. The repository is organized into folders under a skills directory. Each folder represents one specialist domain and contains a standard set of files: a machine-readable metadata file that describes what signals the specialist handles, a human-readable entry document, a short routing guide for first-pass triage, a safety rules file, a structured output contract, compact technique cards written in plain Markdown, attribution sources, and a validation script. The first published specialist covers HTTP request smuggling, which is a class of web security issue where two network components disagree about where one request ends and the next begins. Safety is treated as a hard constraint throughout. The specialists are built to help classify signals, reject weak or false findings, and produce documented proof contracts that a human can verify. They do not automate the generation of attack payloads or perform active testing without explicit manual approval. Validation is handled by scripts you can run locally with a single command. Each specialist can be validated on its own, or you can run all validators at once. Adding a new specialist means creating a folder with the required files, registering it in a central index, and making sure the validator passes. The project is licensed under MIT and is intended as a growing collection rather than a finished tool. At the time of writing, only the request smuggling specialist is included, but the structure is designed to accept additional domains by following the same file layout.

Copy-paste prompts

Prompt 1
Walk me through how the HTTP request smuggling specialist folder is structured.
Prompt 2
How do I run the validation scripts for a single specialist versus all of them?
Prompt 3
Explain how the routing guide decides which technique cards to load for a signal.
Prompt 4
Help me draft a new specialist folder for a different vulnerability class following this layout.
Prompt 5
What safety rules keep these specialists from generating attack payloads automatically?

Frequently asked questions

What is sskills?

A growing library of structured security-specialist knowledge packages that help AI agents and reviewers triage findings like HTTP request smuggling.

What language is sskills written in?

Mainly JavaScript. The stack also includes JavaScript, Markdown.

How hard is sskills to set up?

Setup difficulty is rated easy, with roughly 30min to a first successful run.

Who is sskills for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.