{"id":"9d7a9bfa-59e0-4456-8bbf-4568487123e1","shortId":"Ss2Xqp","kind":"skill","title":"mock-hunter","tagline":"Audit a live web page in five phases (catalog, click, trace, classify, report) to identify mock data, hardcoded values, LLM-generated metrics, and broken endpoints. Outputs a markdown report with REAL/MOCK/LLM/HARDCODED/BROKEN/UNKNOWN verdicts per visible value.","description":"# MockHunter — Live Page Reality Check\n\n## Overview\n\nMockHunter is a Claude Code skill that audits a live web page and tells you, for every visible value, whether it is real, mocked, LLM-generated, hardcoded, broken, or unknown. It is built for vibe-coded apps (Lovable, Bolt, v0, Replit, AI Studio, Cursor Composer) where the UI may look complete but the data layer often is not. It uses Playwright MCP to drive a real browser, then traces each visible value through the network and DOM to its source.\n\nThis skill adapts the upstream `CodeShuX/mockhunter` project (community source).\n\nBecause this workflow drives a real browser against live pages, treat it as an interactive audit tool, not a plugin-safe read-only helper. Default to observation-only until the user confirms the target is theirs, identifies a safe test account or environment, and explicitly approves any click, submit, or authenticated action that can mutate state.\n\n## When to Use This Skill\n\n- Use when auditing an AI-generated UI to find out which values are actually wired up\n- Use when reviewing a contractor or teammate's deliverable before sign-off\n- Use before showing a vibe-coded MVP to a customer or investor\n- Use when a dashboard \"looks too clean\" — every metric uniformly round, all timestamps clustered, no variance — and you suspect seeded data\n\n## How It Works\n\n### Phase 1: Setup & Smart Questions\n\n1. Greet the user, ask for the target URL\n2. Auto-detect the stack from the URL (`*.lovable.app`, `*.bolt.new`, `*.v0.app`, `*.replit.app`, `aistudio.google.com`, otherwise Custom)\n3. Ask 3-5 targeted questions: auth mode (public / localhost / form / skip), DB access (optional), suspicions, page goal\n4. Confirm the audit plan, ownership/permission, target environment, and allowed action classes before proceeding\n\n### Phase 2: Navigate & Catalog\n\n1. `browser_navigate` to the target URL\n2. Handle auth per chosen mode (form-login: fill fields, click submit)\n3. Wait for network idle (max 10s)\n4. Take full-page screenshot, capture accessibility snapshot\n5. Inventory every: heading, button, link, input, card, badge, stat, table cell, empty state, image\n6. Capture initial console errors and network requests\n\n### Phase 3: Test Interactivity\n\n1. For every tab: click only after the user has approved navigation-style interactions, then snapshot, scroll to bottom, re-catalog\n2. For every button: click only user-approved, allowlisted controls that are clearly non-destructive by role, accessible name, nearby text, icon, URL/action target, and expected network side effect; skip destructive or ambiguous controls rather than relying on a label regex alone\n3. For every form: identify required fields and prefer empty-submit validation; submit throwaway data only when the user explicitly approved the exact form, target environment, and test account\n4. Record per-element behavior\n\n### Phase 4: Trace Provenance\n\nFor every visible value, run this decision tree:\n\n```\nDid any network request return this value?\n├── YES — found in a response:\n│   ├── Status 4xx/5xx → BROKEN\n│   ├── Endpoint matches /ai|openai|generate|llm|chat → LLM\n│   ├── Response shape matches mock library (faker, MSW, mockoon) → MOCK\n│   ├── Uniformity flags trigger → MOCK or LLM (review)\n│   ├── DB connection provided?\n│   │   ├── Run read-only SELECT, value matches DB row → REAL\n│   │   └── Value not in DB → MOCK\n│   └── No DB → UNKNOWN (best-guess)\n└── NO — value not in any network response:\n    ├── String literal in DOM source → HARDCODED\n    ├── Computed from Math.random / Date.now / faker → MOCK\n    └── Cannot determine → UNKNOWN\n```\n\nUniformity heuristics flag suspicious data:\n- All numeric values identical across rows\n- All percentages round (50%, 75%, 90%)\n- All timestamps cluster within a single minute\n- < 3 unique values across 10+ rows\n\n### Phase 5: Report\n\nGenerate `mockhunter-report.md` with:\n- Summary table (verdict counts)\n- Findings per section/tab (element / value / verdict / source / severity / action)\n- Console errors and network failures\n- NO-OP buttons\n- Suspicious patterns\n- Smart follow-up questions for the user\n\n## Examples\n\n### Example 1: Auditing a Lovable admin dashboard\n\n```\nUser: /mockhunter audit https://my-app.lovable.app/admin\nSkill: [Phase 1] Stack detected: Lovable. Auth: skip. DB: no.\n       [Phase 2] Catalog: 6 stat cards, 4 verification queues, 8 activity items.\n       [Phase 3] Search box: NO-OP (zero network requests). Activity link → 404.\n       [Phase 4] Bundle 2.7 MB. Zero /api/, zero supabase, zero axios.\n                 \"$42,850\" → string literal in JSX → HARDCODED.\n                 \"+12% vs last month\" → string literal → HARDCODED.\n       [Phase 5] Verdict: 23 HARDCODED, 1 BROKEN, 1 NO-OP, 0 REAL.\n                 Report written to ./mockhunter-report.md\n```\n\n### Example 2: Public marketing site (mostly real)\n\n```\nUser: /mockhunter audit https://example-saas.com\nSkill: ...\n       [Phase 5] Verdict: 8 REAL, 18 HARDCODED (intentional marketing copy),\n                 0 MOCK, 0 BROKEN, 2 UNKNOWN.\n                 No console errors, no broken endpoints.\n```\n\n## Best Practices\n\n- ✅ Provide DB access when available — lifts UNKNOWN verdicts to REAL or MOCK\n- ✅ Use a dedicated test account for form-login auth\n- ✅ Run cold-start tests (zero data) — many vibe-coded apps fail there\n- ✅ Tell the skill if specific sections are intentionally AI-generated, so it doesn't false-flag them\n- ❌ Don't run active interaction on apps you don't own without permission — live clicks and form submissions can mutate state\n- ❌ Don't trust a destructive-button exclusion list by itself — localized labels, icons, aria text, and backend routes can hide mutating actions\n- ❌ Don't trust the audit if the page failed to load — check console first\n\n## Limitations\n\n- Single-page audit per run — no multi-page crawl in v0.1.0\n- Form-login only for auth — no OAuth, magic-link, or 2FA in v0.1.0\n- Caps at ~30 most-prominent buttons per page\n- Markdown report only — no JSON output yet\n- DB verification supports any DB reachable via shell command (psql, mysql, mongosh, wrangler, supabase REST), but not Firestore directly\n\n## Security & Safety Notes\n\n- The skill runs read-only DB SELECTs only, never INSERT/UPDATE/DELETE\n- Skips destructive-looking, ambiguous, icon-only, localized, or external-write controls unless the user has explicitly allowlisted the exact control and environment\n- Never submits forms that look like payment, account deletion, external write operations, account changes, invites, publishing, deployment, messaging, or money movement\n- Uses placeholder credentials (`mockhunter@example.com`) for any throwaway form tests, never the user's real credentials\n- All Playwright actions happen in a controlled MCP browser context — no headless escalation","tags":["mock","hunter","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows"],"capabilities":["skill","source-sickn33","skill-mock-hunter","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/mock-hunter","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 37911 github stars · SKILL.md body (6,792 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:51:23.665Z","embedding":null,"createdAt":"2026-05-08T12:51:33.912Z","updatedAt":"2026-05-18T18:51:23.665Z","lastSeenAt":"2026-05-18T18:51:23.665Z","tsv":"'+12':732 '-5':301 '/admin':678 '/ai':529 '/api':720 '/mockhunter':674,764 '/mockhunter-report.md':755 '0':750,778,780 '1':269,273,334,397,667,681,744,746 '10':625 '10s':360 '18':773 '2':282,331,341,420,690,757,782 '2.7':717 '23':742 '2fa':931 '3':298,300,354,394,464,621,702 '30':936 '4':316,361,494,501,695,715 '404':713 '42':725 '4xx/5xx':525 '5':370,628,740,769 '50':611 '6':385,692 '75':612 '8':698,771 '850':726 '90':613 'access':311,368,439,794 'account':180,493,808,1015,1020 'across':606,624 'action':191,326,645,890,1046 'activ':699,711,850 'actual':215 'adapt':130 'admin':671 'ai':89,206,837 'ai-gener':205,836 'aistudio.google.com':295 'allow':325 'allowlist':429,1002 'alon':463 'ambigu':454,987 'app':84,825,853 'approv':185,407,428,485 'aria':882 'ask':277,299 'audit':4,53,152,203,319,668,675,765,895,909 'auth':304,343,685,813,924 'authent':190 'auto':284 'auto-detect':283 'avail':796 'axio':724 'backend':885 'badg':378 'behavior':499 'best':573,790 'best-guess':572 'bolt':86 'bolt.new':292 'bottom':416 'box':704 'broken':28,74,526,745,781,788 'browser':114,143,335,1052 'built':79 'bundl':716 'button':374,423,654,874,940 'cannot':594 'cap':934 'captur':367,386 'card':377,694 'catalog':12,333,419,691 'cell':381 'chang':1021 'chat':533 'check':44,902 'chosen':345 'class':327 'classifi':15 'claud':49 'clean':250 'clear':433 'click':13,187,352,401,424,861 'cluster':257,616 'code':50,83,237,824 'codeshux/mockhunter':133 'cold':816 'cold-start':815 'command':958 'communiti':135 'complet':98 'compos':92 'comput':588 'confirm':171,317 'connect':552 'consol':388,646,785,903 'context':1053 'contractor':222 'control':430,455,996,1005,1050 'copi':777 'count':636 'crawl':916 'credenti':1031,1043 'cursor':91 'custom':241,297 'dashboard':247,672 'data':20,101,264,479,601,820 'date.now':591 'db':310,551,561,567,570,687,793,950,954,978 'decis':510 'dedic':806 'default':163 'delet':1016 'deliver':226 'deploy':1024 'destruct':436,452,873,985 'destructive-button':872 'destructive-look':984 'detect':285,683 'determin':595 'direct':968 'doesn':841 'dom':124,585 'drive':111,140 'effect':450 'element':498,640 'empti':382,474 'empty-submit':473 'endpoint':29,527,789 'environ':182,323,490,1007 'error':389,647,786 'escal':1056 'everi':62,251,372,399,422,466,505 'exact':487,1004 'exampl':665,666,756 'example-saas.com':766 'exclus':875 'expect':447 'explicit':184,484,1001 'extern':994,1017 'external-writ':993 'fail':826,899 'failur':650 'faker':540,592 'fals':844 'false-flag':843 'field':351,470 'fill':350 'find':210,637 'firestor':967 'first':904 'five':10 'flag':545,599,845 'follow':659 'follow-up':658 'form':308,348,467,488,811,863,920,1010,1036 'form-login':347,810,919 'found':520 'full':364 'full-pag':363 'generat':25,72,207,531,630,838 'goal':315 'greet':274 'guess':574 'handl':342 'happen':1047 'hardcod':21,73,587,731,738,743,774 'head':373 'headless':1055 'helper':162 'heurist':598 'hide':888 'hunter':3 'icon':443,881,989 'icon-on':988 'ident':605 'identifi':18,176,468 'idl':358 'imag':384 'initi':387 'input':376 'insert/update/delete':982 'intent':775,835 'interact':151,396,411,851 'inventori':371 'investor':243 'invit':1022 'item':700 'json':947 'jsx':730 'label':461,880 'last':734 'layer':102 'librari':539 'lift':797 'like':1013 'limit':905 'link':375,712,929 'list':876 'liter':583,728,737 'live':6,41,55,145,860 'llm':24,71,532,534,549 'llm-gener':23,70 'load':901 'local':879,991 'localhost':307 'login':349,812,921 'look':97,248,986,1012 'lovabl':85,670,684 'lovable.app':291 'magic':928 'magic-link':927 'mani':821 'markdown':32,943 'market':759,776 'match':528,537,560 'math.random':590 'max':359 'may':96 'mb':718 'mcp':109,1051 'messag':1025 'metric':26,252 'minut':620 'mock':2,19,69,538,543,547,568,593,779,803 'mock-hunt':1 'mockhunt':40,46 'mockhunter-report.md':631 'mockhunter@example.com':1032 'mockoon':542 'mode':305,346 'money':1027 'mongosh':961 'month':735 'most':761 'most-promin':937 'movement':1028 'msw':541 'multi':914 'multi-pag':913 'mutat':194,866,889 'mvp':238 'my-app.lovable.app':677 'my-app.lovable.app/admin':676 'mysql':960 'name':440 'navig':332,336,409 'navigation-styl':408 'nearbi':441 'network':122,357,391,448,514,580,649,709 'never':981,1008,1038 'no-op':651,705,747 'non':435 'non-destruct':434 'note':971 'numer':603 'oauth':926 'observ':166 'observation-on':165 'often':103 'op':653,707,749 'openai':530 'oper':1019 'option':312 'otherwis':296 'output':30,948 'overview':45 'ownership/permission':321 'page':8,42,57,146,314,365,898,908,915,942 'pattern':656 'payment':1014 'per':37,344,497,638,910,941 'per-el':496 'percentag':609 'permiss':859 'phase':11,268,330,393,500,627,680,689,701,714,739,768 'placehold':1030 'plan':320 'playwright':108,1045 'plugin':157 'plugin-saf':156 'practic':791 'prefer':472 'proceed':329 'project':134 'promin':939 'proven':503 'provid':553,792 'psql':959 'public':306,758 'publish':1023 'question':272,303,661 'queue':697 'rather':456 're':418 're-catalog':417 'reachabl':955 'read':160,556,976 'read-on':159,555,975 'real':68,113,142,563,751,762,772,801,1042 'real/mock/llm/hardcoded/broken/unknown':35 'realiti':43 'record':495 'regex':462 'reli':458 'replit':88 'replit.app':294 'report':16,33,629,752,944 'request':392,515,710 'requir':469 'respons':523,535,581 'rest':964 'return':516 'review':220,550 'role':438 'round':254,610 'rout':886 'row':562,607,626 'run':508,554,814,849,911,974 'safe':158,178 'safeti':970 'screenshot':366 'scroll':414 'search':703 'section':833 'section/tab':639 'secur':969 'seed':263 'select':558,979 'setup':270 'sever':644 'shape':536 'shell':957 'show':233 'side':449 'sign':229 'sign-off':228 'singl':619,907 'single-pag':906 'site':760 'skill':51,129,200,679,767,830,973 'skill-mock-hunter' 'skip':309,451,686,983 'smart':271,657 'snapshot':369,413 'sourc':127,136,586,643 'source-sickn33' 'specif':832 'stack':287,682 'start':817 'stat':379,693 'state':195,383,867 'status':524 'string':582,727,736 'studio':90 'style':410 'submiss':864 'submit':188,353,475,477,1009 'summari':633 'supabas':722,963 'support':952 'suspect':262 'suspici':600,655 'suspicion':313 'tab':400 'tabl':380,634 'take':362 'target':173,280,302,322,339,445,489 'teammat':224 'tell':59,828 'test':179,395,492,807,818,1037 'text':442,883 'throwaway':478,1035 'timestamp':256,615 'tool':153 'topic-agent-skills' 'topic-agentic-skills' 'topic-ai-agent-skills' 'topic-ai-agents' 'topic-ai-coding' 'topic-ai-workflows' 'topic-antigravity' 'topic-antigravity-skills' 'topic-claude-code' 'topic-claude-code-skills' 'topic-codex-cli' 'topic-codex-skills' 'trace':14,116,502 'treat':147 'tree':511 'trigger':546 'trust':870,893 'ui':95,208 'uniform':253,544,597 'uniqu':622 'unknown':76,571,596,783,798 'unless':997 'upstream':132 'url':281,290,340 'url/action':444 'use':107,198,201,218,231,244,804,1029 'user':170,276,405,427,483,664,673,763,999,1040 'user-approv':426 'v0':87 'v0.1.0':918,933 'v0.app':293 'valid':476 'valu':22,39,64,119,213,507,518,559,564,576,604,623,641 'varianc':259 'verdict':36,635,642,741,770,799 'verif':696,951 'via':956 'vibe':82,236,823 'vibe-cod':81,235,822 'visibl':38,63,118,506 'vs':733 'wait':355 'web':7,56 'whether':65 'wire':216 'within':617 'without':858 'work':267 'workflow':139 'wrangler':962 'write':995,1018 'written':753 'yes':519 'yet':949 'zero':708,719,721,723,819","prices":[{"id":"f20e55b1-7d44-4717-9886-8dc3a4da39ab","listingId":"9d7a9bfa-59e0-4456-8bbf-4568487123e1","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-05-08T12:51:33.912Z"}],"sources":[{"listingId":"9d7a9bfa-59e0-4456-8bbf-4568487123e1","source":"github","sourceId":"sickn33/antigravity-awesome-skills/mock-hunter","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/mock-hunter","isPrimary":false,"firstSeenAt":"2026-05-08T12:51:33.912Z","lastSeenAt":"2026-05-18T18:51:23.665Z"}],"details":{"listingId":"9d7a9bfa-59e0-4456-8bbf-4568487123e1","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"mock-hunter","github":{"repo":"sickn33/antigravity-awesome-skills","stars":37911,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-05-18T08:24:49Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"c51b5f1f7c597861c76d6088e7527a337db66682","skill_md_path":"skills/mock-hunter/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/mock-hunter"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"mock-hunter","license":"MIT","description":"Audit a live web page in five phases (catalog, click, trace, classify, report) to identify mock data, hardcoded values, LLM-generated metrics, and broken endpoints. Outputs a markdown report with REAL/MOCK/LLM/HARDCODED/BROKEN/UNKNOWN verdicts per visible value."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/mock-hunter"},"updatedAt":"2026-05-18T18:51:23.665Z"}}