Skip to main content
Skills are Markdown instruction files that agents load as additional context. They encode domain-specific knowledge — attack techniques, testing methodologies, tool cheatsheets — that agents draw on during assessments.

How skills work

When an agent is invoked, CyberStrike resolves the skills assigned to it and injects their content into the agent’s context. Skills are referenced by name, not path, so the same skill can be reused across multiple agents. Skills are plain Markdown files named SKILL.md with YAML frontmatter: 
---
name: my-skill
description: Short description of what this skill covers
---

# Skill content

The full Markdown body becomes the skill's content.

Built-in skills

CyberStrike ships with the following built-in skills, stored in .cyberstrike/skill/:
Skill nameDescriptionUsed by
wstg-recon-configWSTG reconnaissance, configuration, error handling, and cryptography techniquesweb-application
wstg-auth-sessionAuthentication and session management testing techniquesweb-application
wstg-injectionInjection vulnerability testing (SQL, NoSQL, command, SSTI, etc.)web-application
wstg-logic-client-apiBusiness logic, client-side, and API testing techniquesweb-application
ad-securityActive Directory security testing and attack techniquesinternal-network
kerberos-attacksKerberos protocol attack techniques and exploitationinternal-network
You can inspect any built-in skill at .cyberstrike/skill/<name>/SKILL.md in the CyberStrike repository.

Skill file format

Every skill is a SKILL.md file inside a named directory. The directory name does not need to match the skill name, but the name frontmatter field must be unique across all loaded skills. 
my-skills/
  jwt-attacks/
    SKILL.md
  ssrf-techniques/
    SKILL.md
    payloads.txt       # Additional files can be co-located

Required frontmatter fields

FieldTypeDescription
namestringUnique skill identifier used to reference the skill from agents
descriptionstringShort description of what the skill covers
Additional frontmatter fields (like tags, version) are supported by convention but not required by the loader.

Adding custom skills

Local skill paths

Add a skills.paths entry to cyberstrike.json to load skills from a directory on disk: 
{
  "skills": {
    "paths": ["./my-skills", "~/shared-skills"]
  }
}
Paths starting with ~/ are expanded to the home directory. Relative paths are resolved from the project root. CyberStrike recursively scans each directory for SKILL.md files.

Remote skills

Add a skills.urls entry to load skills from a remote server: 
{
  "skills": {
    "urls": ["https://example.com/.well-known/skills/"]
  }
}
The URL must serve an index.json file listing available skills: 
{
  "skills": [
    {
      "name": "my-remote-skill",
      "description": "A remotely hosted skill",
      "files": ["SKILL.md"]
    }
  ]
}
CyberStrike downloads each skill’s files and caches them locally. Skills are fetched once and served from cache on subsequent runs.

Project-level skill directories

Place skill directories inside .cyberstrike/skill/ or .cyberstrike/skills/ for automatic discovery with no configuration required: 
.cyberstrike/
  skill/
    custom-injection/
      SKILL.md
    api-auth/
      SKILL.md

User-level skills

Place skills in ~/.cyberstrike/skill/ to make them available across all projects.

Creating a custom skill

1

Create the directory structure

mkdir -p .cyberstrike/skill/jwt-attacks
2

Write the SKILL.md file

Create .cyberstrike/skill/jwt-attacks/SKILL.md with the skill frontmatter and content:The file starts with a YAML frontmatter block containing name and description, followed by the full Markdown body with your attack techniques, payloads, tool commands, and methodology notes. The content is injected directly into the agent’s context window.Example structure:
  • Frontmatter: name: jwt-attacks, description: JWT vulnerability testing
  • Body sections: Algorithm Confusion, RS256-to-HS256, weak secret brute force, claim injection
3

Assign the skill to an agent

Reference the skill by name in your custom agent’s frontmatter, or use it with a built-in agent via cyberstrike.json. Skills are automatically available to any agent with access to the skill directory.

Skill loading order

CyberStrike loads skills in this order (later entries override earlier ones if names conflict):
  1. External directories (.claude/skills/, .agents/skills/) — global home first, then project-level
  2. .cyberstrike/skill/ directories (global config dir, then project)
  3. Additional paths from skills.paths in cyberstrike.json
  4. Remote skills from skills.urls in cyberstrike.json
If two skills share the same name, the later-loaded skill wins. CyberStrike logs a warning when it detects duplicate skill names.

Using skills in custom agents

Reference skills by name in an agent’s configuration. Skills loaded from any source are available to any agent — they are resolved by name at runtime. When creating a custom agent file, you can note in the system prompt which skills the agent relies on. The skill content is injected by CyberStrike automatically based on the agent’s skills array (set via code for built-in agents) or available skill context. For custom agents defined as .md files, all loaded skills are available as reference context that the agent can invoke via the skill tool when permitted.

Build docs developers (and LLMs) love

Get started for freeTalk to us