Hunting skill for Information Disclosure / Sensitive Data Exposure (CWE-200 / CWE-209 / CWE-215 / CWE-538 / CWE-668 / CWE-798).

Built from 106 corpus reports plus 8K shared-platform reports across HackerOne, Bugcrowd, Huntr, GitHub Security Advisories, plus 2024-2026 meta verified against NVD — Spring Boot Actuator family (CVE-2025-41253 SpEL info-disclosure CVSS 7.5, CVE-2025-41243 Spring Cloud Gateway property modification CVSS 10.0, CVE-2025-22235 EndpointRequest.to wrong matcher CVSS 7.3, CVE-2025-8525 Exrick xboot, CVE-2025-8738 microservices-platform), .git/.env mass exposure (Sysdig EmeraldWhale 15K cloud creds Oct 2024, Unit42 110K domain .env scan Aug 2024), Spring Boot Actuator heapdump → 9TB GPS data Volkswagen disclosure (Wiz Threat Research Dec 2024), debug endpoint family (Dgraph /debug/pprof GHSA-95mq-xwj4-r47p, MinIO LDAP brute-force GHSA-jv87-32hw-hh99, Glances /api/4/serverslist GHSA-r297-p3v4-wp8m, FUXA plaintext DB creds GHSA-c5gq-4h56-4mmx, Harbor default password GHSA-hj7x-hmf2-hc2p, NetBird VPN default admin GHSA-g3j4-58mp-3x25, PraisonAI WebSocket no-auth GHSA-cfh6-vr3j-qc3g, Gradio ACL bypass GHSA-j2jg-fq62-7c3h, Rancher cluster template credentials, ArgoCD Redis cache crypto), and the secrets-in-repo wave (GitGuardian 2026 State of Secrets: 28.65M new hardcoded secrets in 2025, GitHub 2024 secret-scanning report: 39M leaks).

Use when hunting exposed credentials, leaked API keys, .git/.env files, debug endpoints, Spring actuator endpoints, S3 bucket misconfig, source-code disclosure, stack trace leakage, user/email enumeration, PII via API, server-side debug surfaces (phpinfo, /server-status), or any Confidentiality-impact-only finding.
name: hunt-info-disclosure
npx skills add H-mmer/pentest-agents --skill hunt-info-disclosure