kuzushi-security-plugin
A local-first vulnerability confirmation and remediation pipeline that lives inside Claude Code.
Point it at source you already have checked out and kuzushi turns security review into a
reproducible evidence pipeline: map the code, threat-model it, hunt source-to-sink paths, verify
exploitability, build sandboxed proof, synthesize variant rules, and validate patches before they
touch your working tree.
kuzushi is built for maintainers and product-security teams who need answers they can ship:
- Is it real? Findings advance through explicit proof states instead of staying as scanner hits.
- Can I reproduce it? Verification, PoC, fuzz, rule-pack, and patch artifacts stay under
.kuzushi/ with provenance and policy digests.
- Can I fix it safely?
/fix validates exploit regression, functional behavior, and supported
semantic oracles in a sandbox copy before apply.
- Can I trust the workflow? The plugin is local-first, policy-gated, network-denied by default
for locked profiles, and designed for auditable CI/SARIF output.
It is self-contained Node (no daemon, no hosted service): plain stdio MCP servers, skills, agents,
schemas, and a SessionStart hook wire up Tree-sitter, Semgrep, CodeQL, Joern, fuzz harnesses, and
language tooling only when the repo needs them.
context ─► x-ray ─► threat-model ─► threat-intel ─► ┌ invariant-test ┐ ─► findings.json ─► verify ─► poc ─► fix
(langs, (entry (PASTA DFD + (CVEs for └ threat-hunt ┘ (open (exploit- (sandbox- (PoC⁺
deps) points) threats) stack + peers) (adversarial) findings) ability) proven) patch)
│
└─► mem-exploitability
(memory-corruption tier
+ mitigation posture)
Each step writes an artifact under .kuzushi/ that the next step consumes. You stay in
control: heavy or outbound steps ask first, and everything runs against your local repo.
Scope & boundaries
This is a local source-code tool with static-first analysis and sandboxed dynamic proof
for harnessable targets. How complete that is depends on what you point it at.
Always in scope (any target with source on disk): PASTA threat model, version-checked CVE
intel, source→sink taint analysis, adversarial guard-bypass review, static exploitability
verdicts, memory-corruption exploitability assessment, and a sandboxed PoC harness.
Web apps / HTTP services — the plugin covers the static half of a grey-box review. Pair
it with a dynamic tool (Burp / DAST) for the rest: browsing the live app, mapping observed
traffic (endpoints, parameters, cookies, roles) to handlers, and triggering against a running
target. None of that lives here.
Libraries, native / systems code, parsers, CLIs — there's no HTTP layer to proxy, so most
of that dynamic half simply doesn't apply. Source→sink plus the sandboxed /poc harness is
much of the standard workflow. The dynamic complement here is fuzzing: /fuzz creates a
campaign plan from confirmed/proven findings, executes runnable harnesses in the same offline
sandbox model, triages/minimizes crashes, and only advances findings when empirical crash or
sanitizer evidence exists.
Across the board: it loads source, it does not recover it (no decompilation / bytecode);
/poc proves the code in an isolated sandbox (--network none), not a deployed app. Findings are
triaged independently; /chain then reasons over them to surface multi-bug attack chains as an
analysis overlay (it does not auto-build a combined exploit — the chain is a documented composition).
Install
Via the plugin marketplace (recommended):
/plugin marketplace add allsmog/kuzushi-security-plugin
/plugin install kuzushi-security-plugin@kuzushi-security
Then npm install once in the plugin directory (bundles the MCP SDK, tree-sitter grammars,
and the TypeScript/Python language servers).
For local development:
git clone https://github.com/allsmog/kuzushi-security-plugin
cd kuzushi-security-plugin && npm install
claude --plugin-dir .
Requires Node ≥ 20. Some analysis backends need a system toolchain (see Tooling).
Quickstart
