tahr-test-authentication

Installation
SKILL.md

Test Authentication

Find identity-boundary failures, not merely unusual responses. Treat auth material as untrusted until it proves the intended identity and transport.

Establish safe scope

  1. Identify source roots, runtime origins, supported authentication methods, supplied identities, and expected account lifecycle.
  2. Do not send runtime requests unless the user supplied or authorized the target. Use source-only analysis otherwise.
  3. Treat all supplied accounts as protected unless explicitly labeled disposable. Do not lock, reset, disable, delete, re-role, enroll or remove MFA/passkeys, rotate credentials, or invalidate all sessions on protected accounts.
  4. Use invalid identifiers for low-volume response-shape checks and disposable accounts for lockout, reset completion, password changes, MFA mutation, code replay, and takeover proof.
  5. Stop runtime testing on lockout text, CAPTCHA, rate limiting, disabled-account state, unexpected notification delivery, or unclear side effects.

Prove identity truth first

For each supplied identity:

Installs
3
First Seen
1 day ago
tahr-test-authentication — tahr-security/tahr-security-skills