Status: Stable Version: 1.0.0 Author: Rifteo Tags: pentest, security, infrastructure
Installation
rifteo-skills add nuclei-template-writer

Summary

Turns a finding into a Nuclei template that can detect the same vulnerability at scale across thousands of targets.
  • Parses any input type (description only, HTTP request, request + response, or multi-step flow) and adjusts template quality accordingly
  • Classifies the vulnerability class, selects the right detection strategy (word, regex, status, DSL, or interactsh matchers), and handles all auth strategies (unauthenticated, Bearer, session cookie, Basic, CSRF token)
  • Always generates an unauthenticated probe variant alongside the authenticated template
  • Outputs the complete YAML template, a “customize before running” checklist, the exact nuclei command, and any limitations (OOB required, OAuth not templateable, etc.)

SKILL.md file

Nuclei Template Writer

Converts a vulnerability description or HTTP request/response pair into a ready-to-run Nuclei YAML template.

When to Use This Skill

Use this skill when the user:
  • Found a vulnerability and wants to automate detection on other targets
  • Pastes an HTTP request/response and asks for a Nuclei template
  • Says “write a nuclei template for this”, “automate this finding”, or “turn this into a scanner”
  • Wants to build a personal template library from bug bounty findings

What Does It Check?

The skill determines the input type (description / request / request+response / multi-step), then selects the best matchers and auth strategy to produce a production-ready template. Quality depends on input richness: a full request+response produces precise matchers, while a description alone produces a skeleton with placeholder payloads.
In scope:
  • All vulnerability classes: XSS, SQLi, SSRF, LFI, IDOR, SSTI, RCE, auth bypass, etc.
  • All auth strategies: unauthenticated, Bearer JWT, API key, session cookie, Basic auth, CSRF token, login-flow
  • OOB detection via interactsh for blind vulnerabilities (SSRF, blind XXE, blind command injection)
  • Multi-step flows (IDOR with two accounts, CSRF with token extraction)
Out of scope:
  • OAuth / SAML / SSO flows: too complex to template reliably
  • Running or adapting templates: this skill generates them, it does not execute them

How It Works

Step 0: Parse the Input
Identify input type (A: description / B: request / C: request+response / D: multi-step). Extract HTTP method, path, parameters, headers, body, and response signals. Ask one clarifying question if the input is ambiguous.

Step 1: Classify the Vulnerability
Match against references/vuln-classes.md to identify primary class, severity, tags, and detection method. If the class is unknown, fall back to: word matcher → regex matcher → interactsh (blind) → stop and ask.

Step 2: Choose Detection Strategy
Priority: word matcher → regex matcher → status matcher (secondary only) → DSL matcher (time-based/headers) → interactsh (OOB blind).

Step 2.5: Determine Auth Strategy
Always generate an unauthenticated probe first (strip all auth). Then handle the authenticated case: Bearer/API key via -var, session cookie via login-flow template with cookie-reuse: true, Basic auth via b64creds variable.

Step 3: Generate the Template
Build the complete Nuclei YAML: ID, info block, HTTP block ({{BaseURL}}, matchers, extractors, variables), following the schema exactly. For multi-step templates use raw: blocks with cookie-reuse: true.

Step 4: Output
Produce the complete template, a customize checklist, the exact nuclei run command, and a validation reminder (test on one confirmed-vulnerable target before bulk-running).

Step 5: Flag Limitations
State clearly if OOB is required, auth cannot be templated (OAuth/SSO), multi-account is needed (IDOR), or matchers are inferred from description only (Type A/B).

Output

| Input Type | Template Quality |
| --- | --- |
| Description only (A) | Skeleton with placeholder payloads; mark what needs customization |
| HTTP request (B) | Parameterized request, best-guess matchers |
| Request + response (C) | Full template with precise matchers; production ready |
| Multi-step / IDOR (D) | Multi-step raw template with cookie reuse |

Example run command:
# No auth: run directly
nuclei -t template-name.yaml -l targets.txt

# Bearer / API key
nuclei -t template-name.yaml -l targets.txt -var "token=eyJ..."

# Login-flow with credentials
nuclei -t template-name.yaml -l targets.txt -var "username=test@test.com" -var "password=Test1234"

Known Limitations

  • OOB templates require an interactsh server; hits appear in the interactsh dashboard, not nuclei output
  • OAuth/SAML/SSO auth cannot be reliably templated; manual testing required
  • IDOR templates need two valid accounts; replace VICTIM_OBJECT_ID and ATTACKER_SESSION with real values
  • Type A/B matchers are inferred; always validate against the real response before bulk-running
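
A pre-flight check for the limitations above and the matcher priority in Step 2, as an added example that is not part of the skill or of Nuclei: it parses a template and reports leftover placeholders, a status matcher standing alone, and missing fields. The sample template, its id, path and cookie name are constructed, and `lint_template` is a hypothetical helper.

```ruby
require 'yaml'

# Constructed sample of a generated IDOR template (Type D). The id, path and
# session cookie name are made up; both placeholders are still in place.
SAMPLE = <<~'YAML'
  id: sample-idor-invoice
  info:
    name: Sample IDOR on invoice endpoint
    author: example
    severity: high
  http:
    - method: GET
      path:
        - "{{BaseURL}}/api/invoices/VICTIM_OBJECT_ID"
      headers:
        Cookie: "session=ATTACKER_SESSION"
      matchers:
        - type: status
          status:
            - 200
YAML

PLACEHOLDERS = %w[VICTIM_OBJECT_ID ATTACKER_SESSION].freeze

# Returns the problems that should block a bulk run (empty array = clean).
def lint_template(text)
  doc = YAML.safe_load(text)
  return ['not a YAML mapping'] unless doc.is_a?(Hash)

  issues = []
  issues << 'missing id' unless doc['id'].is_a?(String)
  info = doc['info'].is_a?(Hash) ? doc['info'] : {}
  %w[name author severity].each { |k| issues << "missing info.#{k}" unless info[k] }
  requests = Array(doc['http'])
  issues << 'no http block' if requests.empty?
  requests.each_with_index do |req, i|
    bad_paths = Array(req['path']).reject { |p| p.to_s.include?('{{BaseURL}}') }
    issues << "http[#{i}]: path without {{BaseURL}}" unless bad_paths.empty?
    types = Array(req['matchers']).map { |m| m['type'] }
    issues << "http[#{i}]: no matchers" if types.empty?
    # The page ranks status as secondary only, so it must not stand alone.
    issues << "http[#{i}]: status is the only matcher" if types.uniq == ['status']
  end
  PLACEHOLDERS.each { |p| issues << "placeholder #{p} not replaced" if text.include?(p) }
  issues
end

puts lint_template(SAMPLE)
```

An empty result only means the template is structurally ready; matcher accuracy still has to be confirmed against one known-vulnerable target as Step 4 requires.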

Benchmark Results

Tested on claude-sonnet-4-6 via Claude Code CLI. Same prompt, same model, same target. The only variable is whether the skill is loaded.
| Metric | Without Skill | With Skill |
| --- | --- | --- |
| Turns to complete | 1 | 1 |
| Response tokens | ~1,632 | ~1,585 |
| Output quality | Good | Complete |

check-exploit

Search known exploit databases for a given service, version, or CVE

xss-hunter

Complete XSS testing methodology: reflected, stored, DOM, blind, CSP bypass, WAF evasion

finding-writer

Convert raw pentest notes into structured audit findings ready for reporting