docs/advanced/skills.mdx
Skills are structured knowledge packages that give Strix agents deep expertise in specific vulnerability types, technologies, and testing methodologies.
LLMs have broad but shallow security knowledge. They know about SQL injection, but lack the nuanced techniques that experienced pentesters use—parser quirks, bypass methods, validation tricks, and chain attacks.
Skills inject this deep, specialized knowledge directly into the agent's context, transforming it from a generalist into a specialist for the task at hand.
When Strix spawns an agent for a specific task, it selects up to 5 relevant skills based on the context:

```python
# Agent created for JWT testing automatically loads relevant skills
create_agent(
    task="Test authentication mechanisms",
    skills=["authentication_jwt", "business_logic"]
)
```
The skills are injected into the agent's system prompt, giving it access to:
Core vulnerability classes with deep exploitation techniques.
| Skill | Coverage |
|---|---|
| `authentication_jwt` | JWT attacks, algorithm confusion, claim tampering |
| `idor` | Object reference attacks, horizontal/vertical access |
| `sql_injection` | SQL injection variants, WAF bypasses, blind techniques |
| `xss` | XSS types, filter bypasses, DOM exploitation |
| `ssrf` | Server-side request forgery, protocol handlers |
| `csrf` | Cross-site request forgery, token bypasses |
| `xxe` | XML external entities, OOB exfiltration |
| `rce` | Remote code execution vectors |
| `business_logic` | Logic flaws, state manipulation, race conditions |
| `race_conditions` | TOCTOU, parallel request attacks |
| `path_traversal_lfi_rfi` | File inclusion, path traversal |
| `open_redirect` | Redirect bypasses, URL parsing tricks |
| `mass_assignment` | Attribute injection, hidden parameter pollution |
| `insecure_file_uploads` | Upload bypasses, extension tricks |
| `information_disclosure` | Data leakage, error-based enumeration |
| `subdomain_takeover` | Dangling DNS, cloud resource claims |
| `broken_function_level_authorization` | Privilege escalation, role bypasses |
Framework-specific testing patterns.
| Skill | Coverage |
|---|---|
| `fastapi` | FastAPI security patterns, Pydantic bypasses |
| `nextjs` | Next.js SSR/SSG issues, API route security |
Third-party service and platform security.
| Skill | Coverage |
|---|---|
| `supabase` | Supabase RLS bypasses, auth issues |
| `firebase_firestore` | Firestore rules, Firebase auth |
Protocol-specific testing techniques.
| Skill | Coverage |
|---|---|
| `graphql` | GraphQL introspection, batching, resolver issues |
Sandbox CLI playbooks for core recon and scanning tools.
| Skill | Coverage |
|---|---|
| `nmap` | Port/service scan syntax and high-signal scan patterns |
| `nuclei` | Template selection, severity filtering, and rate tuning |
| `httpx` | HTTP probing and fingerprint output patterns |
| `ffuf` | Wordlist fuzzing, matcher/filter strategy, recursion |
| `subfinder` | Passive subdomain enumeration and source control |
| `naabu` | Fast port scanning with explicit rate/verify controls |
| `katana` | Crawl depth/JS/known-files behavior and pitfalls |
| `sqlmap` | SQLi workflow for enumeration and controlled extraction |
Each skill is a Markdown file with YAML frontmatter for metadata:

```markdown
---
name: skill_name
description: Brief description of the skill's coverage
---

# Skill Title

Key insight about this vulnerability or technique.

## Attack Surface
What this skill covers and where to look.

## Methodology
Step-by-step testing approach.

## Techniques
How to discover and exploit the vulnerability.

## Bypass Methods
How to bypass common protections.

## Validation
How to confirm findings and avoid false positives.
```
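As an added example (not Strix's own code), the following Python loader validates a skill file in the format above (required `name` and `description` frontmatter fields, the five `##` sections) and assembles the prompt fragment for a set of selected skills, enforcing the cap of 5 skills per agent described earlier. The function names, the returned dict layout and the sample skill text are assumptions made here.

```python
import re
MAX_SKILLS = 5  # the page states an agent loads at most 5 skills
REQUIRED_SECTIONS = ("Attack Surface", "Methodology", "Techniques", "Bypass Methods", "Validation")
# Constructed sample in the page's template format (not a real Strix skill file).
SAMPLE_SKILL = """---
name: authentication_jwt
description: JWT attacks, algorithm confusion, claim tampering
---
# JWT Authentication
## Attack Surface
Where tokens are issued, parsed and verified.
## Methodology
Step-by-step testing approach.
## Techniques
How to discover the weakness.
## Bypass Methods
How common protections fail.
## Validation
How to confirm findings and avoid false positives.
"""

def parse_skill(text: str) -> dict:
    """Validate the frontmatter and split the body into its ## sections."""
    m = re.match(r"\A---\n(.*?)\n---\n(.*)\Z", text, re.S)
    if not m:
        raise ValueError("missing YAML frontmatter block")
    meta = {k.strip(): v.strip() for k, _, v in
            (line.partition(":") for line in m.group(1).splitlines())}
    for key in ("name", "description"):
        if not meta.get(key):  # both fields are required by the docs
            raise ValueError(f"frontmatter needs a non-empty {key!r}")
    body = m.group(2)
    title = re.search(r"^# (.+)$", body, re.M)
    sections = {h.strip(): t.strip() for h, t in
                re.findall(r"^## (.+?)\n(.*?)(?=^## |\Z)", body, re.M | re.S)}
    missing = [s for s in REQUIRED_SECTIONS if s not in sections]
    if missing:
        raise ValueError(f"missing sections: {missing}")
    return {"name": meta["name"], "description": meta["description"],
            "title": title.group(1).strip() if title else meta["name"],
            "sections": sections}

def build_skill_prompt(library: dict, requested: list) -> str:
    """Concatenate the requested skills (at most MAX_SKILLS) into a prompt fragment."""
    if len(requested) > MAX_SKILLS:
        raise ValueError(f"at most {MAX_SKILLS} skills per agent")
    return "\n\n".join(
        f"# {s['title']}\n{s['description']}\n"
        + "\n".join(f"## {h}\n{t}" for h, t in s["sections"].items())
        for s in (library[n] for n in requested))  # KeyError on an unknown name
```

Rejecting a skill file that lacks a required field or section at load time keeps a malformed contribution from silently shipping an agent with an empty methodology.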
Community contributions are welcome. Create a .md file in the appropriate category with YAML frontmatter (name and description fields). Good skills include: