
u/tcoder7

Pre-commit hook that blocks malicious AI agent skills before they're committed
Snyk's ToxicSkills scan flagged 76 credential-stealing payloads across ~4,000 public agent skills. No marketplace currently code-signs or vets these before install.
Made a free scanner — no signup, no key:
curl -s --data-binary u/SKILL.md https://skillsguard.apiskillsguard.workers.dev/scan | jq .
151 rules (prompt injection, exfil, persistence, obfuscation incl. base64/Unicode-tag tricks). CLI + MCP server if you want Claude to auto-audit skills before trusting them: github.com/Teycir/SkillsGuard
ApiHunter - Async API Security Scanner. MIT.
https://github.com/Teycir/ApiHunter
https://www.youtube.com/watch?v=W9LIYQvaJZg
Key Features
False Positive Reduction:
- SPA catch-all detection with canary probing
- Context-aware secret validation (frontend vs backend)
- Body content validation and referer checking
- Response fingerprinting to skip duplicates
Production-Safe:
- Adaptive concurrency (AIMD) - backs off on 429/503 errors
- Per-host rate limiting with configurable delays
- Dry-run mode for active checks
- Per-host HTTP client pools
WAF Evasion:
- Runtime User-Agent rotation (100+ real browser UAs)
- Randomized request delays with jitter
- Exponential backoff on retries
- No hardcoded scanner fingerprints
CI/CD Integration:
- Baseline diffing - only report NEW findings
- Streaming NDJSON output for real-time monitoring
- SARIF 2.1.0 for GitHub/GitLab Code Scanning
- Exit code bitmask for pipeline control (0x01 findings, 0x02 errors)
Extensibility:
- TOML-based CVE templates (no code changes needed)
- Nuclei YAML importer (
template-toolbinary) - Rust Scanner trait for complex logic
ApiHunter: Async API Security Scanner in Rust with 13 Modules (CORS/GraphQL/JWT/IDOR/CVE Templates) + CI/CD Integration
https://github.com/Teycir/ApiHunter
Open sourced my API pentester. MIT.
Key Features
False Positive Reduction:
- SPA catch-all detection with canary probing
- Context-aware secret validation (frontend vs backend)
- Body content validation and referer checking
- Response fingerprinting to skip duplicates
Production-Safe:
- Adaptive concurrency (AIMD) - backs off on 429/503 errors
- Per-host rate limiting with configurable delays
- Dry-run mode for active checks
- Per-host HTTP client pools
WAF Evasion:
- Runtime User-Agent rotation (100+ real browser UAs)
- Randomized request delays with jitter
- Exponential backoff on retries
- No hardcoded scanner fingerprints
CI/CD Integration:
- Baseline diffing - only report NEW findings
- Streaming NDJSON output for real-time monitoring
- SARIF 2.1.0 for GitHub/GitLab Code Scanning
- Exit code bitmask for pipeline control (0x01 findings, 0x02 errors)
Extensibility:
- TOML-based CVE templates (no code changes needed)
- Nuclei YAML importer (
template-toolbinary) - Rust Scanner trait for complex logic
Gemma 4 is perfect to enrich data locally before sending to server, enough to save a lot of tokens
I built ArxivExplorer, a semantic arXiv search engine with AI-generated summaries. The live version uses Cloudflare Workers AI (Llama 3.1 + BGE), but the free quota caps out fast. So I built a local bulk pipeline using Ollama.
**Models:**
- **Summarization:** `gemma4:e4b` (8B, Q4_K_M) — prompt produces structured JSON: tldr, key_contributions, methods, limitations, beginner_explain, technical_summary
- **Embeddings:** `nomic-embed-text` (137M, F16) — 768-dim vectors for cosine similarity search in Cloudflare Vectorize
**How it works:**
Pull pending papers from remote D1 via REST API
Run each through Ollama locally — both summary + embedding in one pass
Batch-upsert summaries to D1 REST API and vectors to Vectorize REST API
Mark papers `summary_ready = 1`
**Why direct REST API over `wrangler`:**
Spawning `wrangler d1 execute` per paper is roughly 100× slower than calling the D1 REST API directly. Special characters in paper abstracts (math notation, quotes, Unicode) also cause shell-escaping hell with subprocess calls.
**Gemma4 summary quality:**
Honestly pretty solid for academic abstracts. The structured prompt locks the output to JSON, and malformed outputs get marked `summary_ready = 2` (failed) and retried. ~95% first-pass success rate on cs.AI/cs.LG papers.
The full pipeline is in `scripts/process-pending-local.ts` in the repo:
https://github.com/Teycir/ArxivExplorer
Happy to share the Ollama prompt if useful — it's a single structured JSON prompt that handles all 6 summary fields in one inference call.
I built a full AI-powered search engine using only Cloudflare free tier — Workers + D1 + Vectorize + KV + Workers AI. Here's everything that actually worked (and what didn't)
```
Been lurking here for a while and finally have something worth sharing.
I built **ArxivExplorer** — a semantic search engine for arXiv research papers with AI-generated summaries, claim classification, and paper comparison. The entire backend runs on Cloudflare's free tier. No VPS, no managed Postgres, no external AI API bills.
Here's the full stack and what I learned from each piece:
---
### Workers (Frontend + API, two separate workers)
The Next.js frontend is deployed as a **Cloudflare Worker** via `@opennextjs/cloudflare`, not Cloudflare Pages. That distinction matters:
> **Pages injects a per-request nonce into `script-src` at the CDN layer, unconditionally.** No `_headers` file, no middleware, nothing you write in the app can override it. If you need to control your own CSP, you have to deploy as a Worker.
The API is a second Worker. Keeping them separate lets me rate-limit, CORS-lock, and deploy each independently.
---
### D1 (SQLite)
Running a full FTS5 virtual table in D1 with automatic insert/update/delete triggers. Works great. One thing I'd push back on: **don't use `wrangler d1 execute` per row in bulk scripts.** The subprocess overhead makes it ~100× slower than calling the D1 REST API directly. For bulk inserts (thousands of paper records), the REST API + batched statements is the only sane option. Special characters in JSON (math notation, Unicode, quotes) also cause shell-escaping issues with wrangler that just disappear when you go REST.
Current schema: papers, summaries, FTS5 virtual table, paper_categories, related_papers, topics, citation_snapshots, embeddings_meta. ~1,800 rows fully enriched.
---
### Vectorize
768-dimension cosine similarity search (BGE base v1.5 embeddings). Used for:
- Semantic paper search (merged with FTS5 at 25/75 keyword/semantic weight)
- Pre-computed top-8 related papers per paper stored in a `related_papers` table
- Query embedding cached in KV for 24h to avoid re-embedding the same searches
One thing to know: Vectorize REST API for bulk upserts is straightforward but watch your batch sizes. I built an admin endpoint (`POST /admin/vectorize/upsert`) that chunks large upsert jobs.
---
### KV
Caching everything that can be cached:
- Search results: 2h TTL, keyed by query + all filter params
- Paper detail: written on first access (lazy), not at ingestion
- Trending papers: 60-min TTL
- Query embeddings: 24h TTL
- Workers AI daily quota counter: resets at 00:00 UTC
Cache hit rate: ~85%, average hit time ~188ms. Cold D1 search averages ~240ms. The lazy KV write strategy (write on access, not at ingest) keeps the ingest pipeline simple and lets the cache warm naturally.
---
### Workers AI (Llama 3.1 + BGE base v1.5)
This is where the free tier gets tight. **5,000 neurons/day** runs out fast when you're processing 8B-parameter models. I track usage in KV and hard-cap at 50% of budget for live inference, reserving the rest for background enrichment.
For bulk ingestion of the full paper corpus, I built a local **Ollama pipeline** (`gemma4:e4b` for summaries, `nomic-embed-text` for embeddings) that writes directly to remote D1 + Vectorize via REST API. This let me enrich 1,800 papers locally and push the results up without touching the Workers AI quota at all.
---
### Performance under load (stress tested)
- 100 concurrent requests, 0% error rate
- 50 req/s mixed workload sustained
- ~188ms average cache hit
- ~240ms average search (KV cache), ~400ms cold D1
Rate limiting: per-IP token bucket on all public endpoints (60–100 req/min), lockout on breach. Implemented directly in the Worker with no external dependency.
---
### What I'd do differently
**Vectorize cold-start on the first query of a new embedding** — there's a noticeable spike. Pre-warming helps but isn't always practical on the free tier.
**D1 row-level TTL** — would love a native "expire this row after N seconds" in D1 so I could stop managing TTL logic in KV separately.
**Workers AI quota visibility** — I'm tracking this myself in KV because there's no native API to query remaining quota. A dashboard endpoint or binding property for this would save a lot of hacky workarounds.
---
Repo is open source (BSL 1.1, converts to MIT in 2029): https://github.com/Teycir/ArxivExplorer
https://github.com/Teycir/ArxivExplorer
I built ArxivExplorer, a semantic search engine for arXiv papers. The feature I'm most curious about is the **claim classifier**: you type a claim like "scaling laws generalize across modalities" and it uses Llama 3.1 to classify papers as supporting, contradicting, or neutral.
Other things it does:
- One-sentence TL;DR + key contributions for every paper
- "Beginner" and "researcher" explanations for the same paper
- Paste any abstract and it finds semantically similar papers
- Compare up to 6 papers side-by-side
- Author pages with full publication history
- RSS feed with AI summaries built in
No account needed. Runs on Cloudflare edge so it's fast globally.
I built a semantic arXiv search engine with AI-generated TL;DRs, claim classification, and paper comparison
github.comMass check LLM APIs
During a pipeline audit, found OpenAI and Anthropic keys hardcoded in a GitHub Actions workflow. Before reporting, I needed to know: are these still live? What's the blast radius?
Instead of writing one-off curl scripts for each provider, I used CheckAPIs — paste the keys, get instant confirmation of validity, which models they unlock, and latency. Took 30 seconds vs writing provider-specific auth logic for each one.
Useful for the "is this actually exploitable" section of your report. Free, open source, and everything runs client-side so you're not sending client keys to a third-party proxy.
https://checkapis.pages.dev
https://github.com/Teycir/checkapis
Mass LLM API checker
Quick way to check if leaked API keys from a pentest are still active
During recon you sometimes find hardcoded LLM API keys in repos or configs. Built a tool that validates them instantly — tells you provider, whether it's live, model access, and rate limits. Useful for reporting impact.
Mass LLM API tester
Quick way to check if leaked API keys from a pentest are still active
During recon you sometimes find hardcoded LLM API keys in repos or configs. Built a tool that validates them instantly — tells you provider, whether it's live, model access, and rate limits. Useful for reporting impact.
Check LLM API validity in batch
Side project I just open-sourced: [CheckAPIs](https://checkapis.pages.dev) — validates OpenAI, Anthropic, Groq, Gemini and 12+ other LLM keys instantly.
**The stack:**
- Next.js static export → Cloudflare Pages
- Rate limiting via Cloudflare D1 (SQLite at the edge)
- API endpoint via Pages Functions (Workers under the hood)
- All key validation runs client-side — keys never touch any server
**Why Workers specifically made this possible:**
The rate limiting was the interesting part. I'm using D1 to track request counts per IP with a sliding window — a query that would cost me a Redis instance or a paid DB elsewhere runs for basically free at the edge, globally, with zero cold starts.
The Pages Functions deploy alongside the static site in one `wrangler pages deploy` command. No separate Worker project, no routing glue, no ops overhead.
**Bill: $0.** The free tier covers everything at current traffic.
SeekYou — one input, 15 recon sources, one report.
SeekYou — one input, 15 recon sources, one report. Runs free on Cloudflare.
IP / domain / ASN → open ports, CVEs, BGP, RDAP, cert history, passive DNS, 5 threat feeds, exposed buckets, Wayback snapshots. 4-layer parallel execution so it's fast. KV caching + circuit breakers so it's stable. Typed diff engine so you get alerted when a host's attack surface changes.
No infra. No cost. ~5k lookups/day on the free tier.
SeekYou, unified host intelligence across 15 sources
SeekYou – unified host intelligence across 15 sources, runs free on Cloudflare.
- Built a tool that takes any IP, domain, or ASN and queries 15 sources in parallel: open ports, CVEs, BGP, RDAP, cert history, passive DNS, 5 threat feeds, exposed buckets, Wayback snapshots — all in one report.
- 4-layer parallel execution (total time ≈ slowest source, not sum of all).
- KV caching per source, circuit breakers, per-IP rate limiting.
- Typed diff engine — get alerted when ports open, CVEs appear, or certs expire on monitored hosts.
- Runs entirely on Cloudflare free tier (~5k lookups/day).
Source: https://github.com/Teycir/SeekYou (https://github.com/Teycir/SeekYou)