Use when conducting security assessments, OWASP/CWE audits, CVSS scoring, auditing PHP/TYPO3 projects for vulnerabilities, scanning dependencies, or reviewing code for security concerns.
WCAG 2.1 Level AA compliance patterns for semantic HTML, ARIA, keyboard navigation, and screen reader compatibility. Use for accessibility audits, ARIA reviews, and POUR principle validation.
This skill should be used when the user asks to install or audit an MCP server, especially from third-party sources. Security-focused: clones at pinned commits, runs security scans.
Apply Harness Engineering to make modules AI-maintainable. Use when creating new modules, retrofitting existing modules, validating module compliance, or keeping a module handoff-ready across sessions.
Use when the user asks for a bug audit of a project or component
Persistent browser daemon for live web testing, UI verification, and authenticated flows. Use when Claude needs to interact with a running web app — staging, localhost, or production.
Comprehensive Android APK security audit with static analysis, dynamic instrumentation, source-to-sink tracing, IPC/component abuse analysis, and CVSS 4.0 reporting. Covers decompilation, manifest analysis, deep links and intent injection, secrets detection, crypto analysis, Frida/Objection integration, and APK repackaging. Use when user says "audit APK", "analyze android app", "mobile pentest", "APK security", "decompile APK", "android vulnerability assessment", "reverse engineer android", "modify APK", "intent injection", "deep link abuse", "bypass SSL pinning", "bypass root detection", or provides an APK for security review, decompiled Android sources, or decoded resources.
Backend specialist — builds APIs, database operations, auth, and server-side logic with security and performance focus
Test for authentication and authorization flaws including credential attacks, session issues, and access control bypasses
Requires UAT for Feishu MCP. In bot chat: `/mw4auth` or `飞书授权` (card); or `orbit feishu authorize`; or FEISHU_MCP_UAT / channels.feishu.mcp_user_access_token. Bot app_secret is not sufficient.
axe-core - accessibility testing engine for automated WCAG compliance checks.
Manage multiple OpenAI Codex accounts. Capture current login tokens, switch between them, and auto-select the best account based on quota budget scoring. Syncs all tokens to OpenClaw agent auth-profiles using email-based keys. ⚠️ Reads and writes ~/.codex/auth.json, ~/.codex/accounts/*.json, and ~/.openclaw/agents/*/agent/auth-profiles.json (sensitive authentication tokens).
skill-sample/ ├─ SKILL.md ⭐ Required: skill entry doc (purpose / usage / examples / deps) ├─ manifest.sample.json ⭐ Recommended: machine-readable metadata (index / validation / autofill) ├─ LICENSE.sample ⭐ Recommended: license & scope (open source / restriction / commercial) ├─ scripts/ │ └─ example-run.py ✅ Runnable example script for quick verification ├─ assets/ │ ├─ example-formatting-guide.md 🧩 Output conventions: layout / structure / style │ └─ example-template.tex 🧩 Templates: quickly generate standardized output └─ references/ 🧩 Knowledge base: methods / guides / best practices ├─ example-ref-structure.md 🧩 Structure reference ├─ example-ref-analysis.md 🧩 Analysis reference └─ example-ref-visuals.md 🧩 Visual reference
More Agent Skills specs Anthropic docs: https://agentskills.io/home
├─ ⭐ Required: YAML Frontmatter (must be at top) │ ├─ ⭐ name : unique skill name, follow naming convention │ └─ ⭐ description : include trigger keywords for matching │ ├─ ✅ Optional: Frontmatter extension fields │ ├─ ✅ license : license identifier │ ├─ ✅ compatibility : runtime constraints when needed │ ├─ ✅ metadata : key-value fields (author/version/source_url...) │ └─ 🧩 allowed-tools : tool whitelist (experimental) │ └─ ✅ Recommended: Markdown body (progressive disclosure) ├─ ✅ Overview / Purpose ├─ ✅ When to use ├─ ✅ Step-by-step ├─ ✅ Inputs / Outputs ├─ ✅ Examples ├─ 🧩 Files & References ├─ 🧩 Edge cases ├─ 🧩 Troubleshooting └─ 🧩 Safety notes
Skill files are scattered across GitHub and communities, difficult to search, and hard to evaluate. SkillWink organizes open-source skills into a searchable, filterable library you can directly download and use.
We provide keyword search, version updates, multi-metric ranking (downloads / likes / comments / updates), and open SKILL.md standards. You can also discuss usage and improvements on skill detail pages.
Quick Start:
Import/download skills (.zip/.skill), then place locally:
~/.claude/skills/ (Claude Code)
~/.codex/skills/ (Codex CLI)
One SKILL.md can be reused across tools.
Everything you need to know: what skills are, how they work, how to find/import them, and how to contribute.
A skill is a reusable capability package, usually including SKILL.md (purpose/IO/how-to) and optional scripts/templates/examples.
Think of it as a plugin playbook + resource bundle for AI assistants/toolchains.
Skills use progressive disclosure: load brief metadata first, load full docs only when needed, then execute by guidance.
This keeps agents lightweight while preserving enough context for complex tasks.
Use these three together:
Note: file size for all methods should be within 10MB.
Typical paths (may vary by local setup):
One SKILL.md can usually be reused across tools.
Yes. Most skills are standardized docs + assets, so they can be reused where format is supported.
Example: retrieval + writing + automation scripts as one workflow.
Some skills come from public GitHub repositories and some are uploaded by SkillWink creators. Always review code before installing and own your security decisions.
Most common reasons:
We try to avoid that. Use ranking + comments to surface better skills:
