This gives Claude the full offensive playbook for finding and exploiting prototype pollution in JavaScript applications. It covers both `__proto__` and `constructor.prototype` injection paths, quick probes for client and server contexts, and concrete black-box detection signals like polluting Express `parameterLimit` or `json spaces` settings. The gadget table walks through real RCE chains in EJS and child_process scenarios. Load this when you're merging untrusted input into objects, auditing query parsers or deep assign logic, or hunting for post-pollution sinks that turn property injection into command execution. The decision tree and tool list make it practical for both initial recon and chaining to full exploits.
npx skills add https://github.com/yaklang/hack-skills --skill prototype-pollution