Hacktron Skills extend AI agents with specialized security capabilities. A skill can provide domain-specific instructions, scripts, and references that help Hacktron perform more complex security tasks. Skills work with both the Hacktron CLI and the IDE extension. Both interfaces load skills from the same local directory, so a skill you develop once is available in both workflows.

What a skill contains

A Hacktron Skill can include:
  • Instructions for how the agent should approach a security task
  • Scripts for repeatable analysis or validation steps
  • References and supporting material for specialized workflows
Hacktron Skills follow the Agent Skills specification. For the current repository layout and development details, see the Hacktron Skills repository.

Develop skills locally

Because skills can execute arbitrary commands on your machine, Hacktron does not pull skills directly from arbitrary repositories. During development, place your skills in:
~/.hacktron/skills/
This allows Hacktron to discover the skills you are working on locally. The IDE extension uses this same directory, so local skills configured for the CLI are available in the editor as well. To verify that Hacktron can see them, run:
hacktron skills list
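
An added example, not part of the Hacktron documentation or the Hacktron Skills repository: because anything under ~/.hacktron/skills/ can run commands on your machine, this Python script inventories that directory, hashing every file and flagging entries that are writable by group/other or symlinked out of the tree. The function names audit_skills and changed_since are illustrative, and the script assumes nothing about the layout inside a skill.

```python
import hashlib
import os
import stat
from pathlib import Path

SKILLS_DIR = Path.home() / ".hacktron" / "skills"  # directory named on this page


def audit_skills(root=SKILLS_DIR):
    """Return (inventory, warnings) for everything under the skills directory."""
    root = Path(root).resolve()
    inventory, warnings = {}, []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                # A link can pull in code from outside the reviewed tree.
                target = path.resolve()
                if target != root and root not in target.parents:
                    warnings.append(f"{rel}: symlink leaves skills dir -> {target}")
                continue
            mode = path.stat().st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                # Another local account could swap in different commands.
                warnings.append(f"{rel}: writable by group/other")
            if path.is_file():
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                inventory[rel] = {"sha256": digest,
                                  "executable": bool(mode & stat.S_IXUSR)}
    return inventory, warnings


def changed_since(baseline, inventory):
    """Files added, removed or modified relative to an earlier inventory."""
    return sorted(
        rel for rel in baseline.keys() | inventory.keys()
        if baseline.get(rel, {}).get("sha256") != inventory.get(rel, {}).get("sha256")
    )


if __name__ == "__main__":
    inv, warns = audit_skills()
    for rel, info in sorted(inv.items()):
        print(info["sha256"][:16], "x" if info["executable"] else "-", rel)
    for w in warns:
        print("WARNING:", w)
```

Saving the inventory after you have reviewed a skill and comparing it with changed_since on later runs shows whether any file changed since that review.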

Use skills in the IDE extension

Once a skill is present under ~/.hacktron/skills/, it is available to both the CLI and the IDE extension. Use the CLI when you want to inspect discovery directly with hacktron skills list, and use the IDE extension when you want the same locally configured skills inside your editor workflow.

Use skills with environments

Hacktron Skills work best when paired with environments. Environments give the agent a concrete target to test, validate, and iterate against. In practice, a useful environment usually has:
  1. Services that can be started locally, typically with docker-compose up -d
  2. A clear objective exposed through a flag
A flag is a small piece of text that is only accessible when the objective has been met. For example, you might hide a flag:
  • In a user account to test for IDOR issues
  • In a database row to test for SQL injection issues
  • On the filesystem to validate remote code execution

Development workflow

Use this flow when building a new skill:
  1. Set up a reproducible local environment for the target application or vulnerability class.
  2. Implement the skill under ~/.hacktron/skills/.
  3. Verify the skill is detected with hacktron skills list.
  4. Run Hacktron against the environment from the CLI and refine the skill based on results.

Ideas for new skills

Common patterns that fit well as skills include:
  • Pulling and beautifying minified JavaScript from a target URL to support source-to-sink analysis
  • Parsing JSON or SARIF vulnerability output and validating findings with static plus dynamic checks
  • Generating local environments automatically when the codebase does not already include one
  • Producing remediation patches or fix suggestions for validated vulnerabilities
  • Decompiling packaged desktop or mobile applications for deeper analysis

Contribute

If you want to share a skill or environment with the community, open a pull request against the Hacktron Skills repository.