browser-auth-flow
Browser Auth Flow
Adversarial probe of a site's authentication. Drives the login flow once, records the trajectory, then runs a configurable set of probes against the captured artifacts and live page. Output is a structured findings.md inside the RVF container.
When to use
- Pre-deployment audit of a new auth flow.
- Investigating a suspected token leak or redirect issue.
- Establishing a baseline for ongoing regression checks.
Steps
- Open a recorded session via `browser-record`.
- Drive the auth flow as in `browser-login` (credentials come from `--credentials <handle>` referencing `browser-cookies` if the run is a re-auth probe).
- Run probes:
  - `csrf`: inspect the login POST in the trajectory; verify a same-origin token field is present and non-empty.
  - `redirect`: watch `browser_get-url` after each nav for cross-origin redirects with auth state in the URL or fragment. Flag any token-bearing URL that crosses an origin boundary.
  - `cookie`: walk `document.cookie` via `browser_eval`. For each cookie, check `Secure`, `HttpOnly`, `SameSite`, expiry, and entropy of the value. Flag missing flags or short tokens. Pass each through `aidefence_scan` to flag PII embedded in cookie values.
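An added example (not part of the skill's own code) of the checks the cookie probe describes, written in JavaScript. It assumes the probe reads raw `Set-Cookie` header lines from the recorded trajectory, since `document.cookie` returns only name=value pairs and omits `HttpOnly` cookies; the function names, finding labels and the 64-bit threshold are assumptions.

```javascript
// Added example: cookie probe over Set-Cookie header lines (constructed data).
const MIN_BITS = 64; // assumed floor for the estimated entropy of a token

function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase(); // attribute names are case-insensitive
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Shannon entropy of the value's character distribution, times its length.
// A rough estimate: it cannot prove a token is random (a predictable value
// with varied characters scores high), but it flags short or repetitive values.
function estimateBits(value) {
  const counts = {};
  for (const ch of value) counts[ch] = (counts[ch] || 0) + 1;
  let perChar = 0;
  for (const n of Object.values(counts)) {
    const p = n / value.length;
    perChar -= p * Math.log2(p);
  }
  return perChar * value.length;
}

function auditCookie(line) {
  const { name, value, attrs } = parseSetCookie(line);
  const findings = [];
  if (!attrs.secure) findings.push("missing-secure");
  if (!attrs.httponly) findings.push("missing-httponly");
  const ss = String(attrs.samesite || "").toLowerCase();
  if (!ss) findings.push("missing-samesite");
  else if (ss === "none" && !attrs.secure) findings.push("samesite-none-without-secure");
  if (estimateBits(value) < MIN_BITS) findings.push("low-entropy-value");
  const persistent = Boolean(attrs["max-age"] || attrs.expires); // reported, not flagged
  return { name, findings, persistent };
}

// Constructed sample headers, not captured from any real site.
const SAMPLE = [
  "sid=k9Qz7Lw2Xc4Vb8Nm1Rt6Yp0s; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
  "uid=1042; Path=/",
];
for (const h of SAMPLE) console.log(auditCookie(h));
```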