Fast security scan of the current repository using Endor Labs. Use when the user says "scan my code", "quick scan", "endor scan", "scan this repo", "run a security scan", or wants a rapid overview of vulnerabilities, secrets, and SAST issues. Also handles incremental PR scans when user mentions "just my changes" or "PR scan". Do NOT use for deep reachability analysis (/endor-scan-full) or checking a single package (/endor-check).

Check if a specific dependency has known vulnerabilities or malware using Endor Labs. Use when the user names a package and wants to know if it's safe, says "check lodash", "is express vulnerable", "any CVEs in django", "endor check", "is this package safe", or provides a package name after installing a dependency. Do NOT use for scanning an entire repo (/endor-scan) or viewing existing findings (/endor-findings).

Display and filter security findings from Endor Labs. Use when the user says "show findings", "list vulnerabilities", "what did the scan find", "endor findings", "show me critical reachable vulns", or wants to browse/filter results after a scan. Supports filtering by severity, reachability, category (vuln/sast/secrets/license). Do NOT use for running a new scan (/endor-scan) or explaining a specific CVE (/endor-explain).

Analyze the impact of upgrading a dependency before you do it. Use when the user says "should I upgrade lodash", "what breaks if I update express", "upgrade impact", "endor upgrade", "breaking changes from upgrading", or wants to find the safest version that fixes vulnerabilities. Uses pre-computed Endor Labs data — no scanning required. Do NOT use for just checking vulnerabilities (/endor-check) or applying a fix (/endor-fix).

Troubleshoot Endor Labs scan errors and failures. Use when the user says "scan failed", "why did the scan fail", "endor troubleshoot", "fix scan error", "diagnose error", or pastes an error message from a failed scan. Matches errors against known patterns across NPM, Maven, PyPI, Go, Cargo, NuGet, RubyGems, and Packagist. Do NOT use for setup issues (/endor-setup) or general scanning (/endor-scan).

Review and merge GitHub pull requests for Spatie packages. Use when asked to review a PR, review a pull request, merge a PR, or when given a GitHub PR URL to review. Also triggers on 'review this PR,' 'check this pull request,' 'merge this,' or '/review-pr'. Uses gh CLI for all GitHub operations.

Update Spatie package documentation by importing docs for a given repo. Use when the user says 'update docs for [package]', 'import docs for [repo]', or invokes /update-spatie-docs [repo-name]. Takes a repo name argument (e.g., 'backup', 'laravel-medialibrary').

Break a plan, spec, or PRD into independently-grabbable issues on the project issue tracker using tracer-bullet vertical slices. Use when user wants to convert a plan into issues, create implementation tickets, or break down work into issues.

Vite build tool configuration, plugin API, SSR, and Vite 8 Rolldown migration. Use when working with Vite projects, vite.config.ts, Vite plugins, or building libraries/SSR apps with Vite.

Use when working on Nuxt 4+ projects - provides server routes, file-based routing, middleware patterns, Nuxt-specific composables, and configuration with latest docs. Covers h3 v1 helpers (validation, WebSocket, SSE) and nitropack v2 patterns. Updated for Nuxt 4.3+.

Look up Microsoft API references, find working code samples, and verify SDK code is correct. Use when working with Azure SDKs, .NET libraries, or Microsoft APIs—to find the right method, check parameters, get working examples, or troubleshoot errors. Catches hallucinated methods, wrong signatures, and deprecated patterns by querying official docs.

Transforms vague or ill-defined questions into clear, structured, and actionable "good problems" by extracting the core objective, identifying comparison dimensions, and applying structured reasoning. Use when a user wants to compare multiple options, evaluate trade-offs, make a decision between alternatives, or asks questions like "which is better", "pros and cons", "help me decide", "how should I choose", or "what are the trade-offs". Produces a rewritten problem statement with explicit comparison dimensions, a structured evaluation framework, and a decision-ready output format.

Send emails, buy forwarding inboxes, manage custom subdomains, and read messages programmatically via x402. USE FOR: - Sending emails (one-off or from custom addresses) - Buying a forwarding inbox (username@x402email.com) - Purchasing custom email subdomains (you@yourname.x402email.com) - Reading and managing inbox messages programmatically - Setting up catch-all forwarding for subdomains - Managing authorized signers for shared subdomains TRIGGERS: - "send email", "email this to", "notify by email" - "buy inbox", "forwarding address", "email inbox" - "custom domain", "subdomain", "email subdomain" - "read emails", "check inbox", "list messages" - "email address", "disposable email", "temporary email" ALWAYS use `npx agentcash fetch` for stableemail.dev endpoints. IMPORTANT: Use exact endpoint paths from the Quick Reference table below.

Make AI phone calls, buy phone numbers, and get call transcripts via x402. USE FOR: - Making AI-powered outbound phone calls - Scheduling calls and getting transcripts - Buying and managing phone numbers - Leaving voicemails - Transferring calls to humans TRIGGERS: - "call", "phone call", "make a call", "dial" - "buy number", "phone number", "get a number" - "voicemail", "leave a message" - "transcript", "call recording", "call summary" - "AI call", "automated call", "bland" ALWAYS use `npx agentcash fetch` for stablephone.dev endpoints. IMPORTANT: Use exact endpoint paths from the Quick Reference table below.

Manage your agentcash wallet and call any x402-protected API with automatic payment. No API keys, no subscriptions — just a funded wallet (USDC on Base). USE FOR: - Checking wallet balance before API calls - Redeeming invite codes for free credits - Getting deposit address for USDC - Discovering endpoints and pricing on any x402-protected origin - Making paid API requests via the agentcash CLI - Troubleshooting payment failures TRIGGERS: - "balance", "wallet", "funds", "credits", "x402" - "redeem", "invite code", "promo code" - "deposit", "add funds", "top up" - "discover", "endpoints", "what APIs", "pricing" - "insufficient balance", "payment failed"

Set up the Artillery Playwright reporter in an existing Playwright E2E test suite. Installs @artilleryio/playwright-reporter, configures it in playwright.config.ts, sets up Artillery Cloud API key, and runs the suite to verify reporting works. Use when the user wants to add Artillery Cloud reporting to their Playwright tests, monitor E2E test results in a dashboard, or integrate Playwright with Artillery Cloud.

Create AI editor context files (.cursorrules, CLAUDE.md, GitHub Copilot instructions) that give AI coding tools deep knowledge of a project's API, conventions, and patterns. Use when someone wants their documentation project to work well with Cursor, Claude Code, GitHub Copilot, or other AI coding assistants. Also use when setting up developer experience for AI tools, creating project context files, or making a codebase more AI-assistant-friendly.

Create or fix llms.txt and llms-full.txt files for a documentation project, following the llmstxt.org specification. Use this skill whenever someone needs to create an llms.txt file, generate a full documentation text dump (llms-full.txt), or fix a malformed llms.txt. Also use when optimizing a docs site for AI crawlers, when setting up AI discoverability files, or when the user mentions making their docs readable by LLMs, ChatGPT, Perplexity, or other AI systems.

Writes failing tests first for test-driven development and hands off a strict implementation contract that requires agents to make those tests pass without weakening the tests. Use when users ask for test-first workflows, RED/GREEN cycles, or behavior-gating tasks with automated tests.