Analysis updated 2026-05-18
Load a security specialist package to triage a messy incoming vulnerability signal.
Classify and reject weak or false findings using documented proof contracts.
Validate a specialist's technique cards and metadata with the included scripts.
Add a new security specialist domain by following the standard folder layout.
| 0xpira/sskills | arulsebastin71/smartqueue | brunosimon/stylized-low-poly | |
|---|---|---|---|
| Stars | 25 | 25 | 25 |
| Language | JavaScript | JavaScript | JavaScript |
| Last pushed | — | — | 2023-02-11 |
| Maintenance | — | — | Dormant |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 2/5 | 3/5 | 2/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Validation scripts run locally with a single command per specialist.
SSkills (short for Slop Skills) is a public library of specialist knowledge packages designed for security agents and human reviewers. The core idea is that when you get a messy security signal, you should not need to carry all knowledge at once. Instead, a broad specialist loads first, reads the incoming evidence, and then pulls in only the specific technique cards that apply. This keeps each session lightweight and targeted. The repository is organized into folders under a skills directory. Each folder represents one specialist domain and contains a standard set of files: a machine-readable metadata file that describes what signals the specialist handles, a human-readable entry document, a short routing guide for first-pass triage, a safety rules file, a structured output contract, compact technique cards written in plain Markdown, attribution sources, and a validation script. The first published specialist covers HTTP request smuggling, which is a class of web security issue where two network components disagree about where one request ends and the next begins. Safety is treated as a hard constraint throughout. The specialists are built to help classify signals, reject weak or false findings, and produce documented proof contracts that a human can verify. They do not automate the generation of attack payloads or perform active testing without explicit manual approval. Validation is handled by scripts you can run locally with a single command. Each specialist can be validated on its own, or you can run all validators at once. Adding a new specialist means creating a folder with the required files, registering it in a central index, and making sure the validator passes. The project is licensed under MIT and is intended as a growing collection rather than a finished tool. At the time of writing, only the request smuggling specialist is included, but the structure is designed to accept additional domains by following the same file layout.
A growing library of structured security-specialist knowledge packages that help AI agents and reviewers triage findings like HTTP request smuggling.
Mainly JavaScript. The stack also includes JavaScript, Markdown.
Setup difficulty is rated easy, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.