Search everything...

Stats

Actions

Available In

Help us improve

Share bugs, ideas, or general feedback.

vuln-scout - Claude Code Plugin | ClaudePluginHub

Plugin

vuln-scout

Name: vuln-scout
Author: allsmog

By allsmog

Perform AI-powered whitebox penetration testing on polyglot monorepos across 9 languages: scan code with Semgrep/CodeQL/Joern, conduct STRIDE threat modeling, trace data flows to sinks, verify findings with agents, generate SARIF reports, and auto-apply fixes via commands.

npx claudepluginhub allsmog/vuln-scout --plugin whitebox-pentest

Popularity

Stars

Top 25%

Med: 0·Avg: 282

Installs

Med: 0·Avg: 1

What's Inside

Slash Commands12

auto-fix

/auto-fix

Auto-remediate verified findings by generating patches and optionally creating a PR

create-rule

/create-rule

Create a custom Semgrep detection rule from a confirmed vulnerability pattern

diff

/diff

Compare security posture between two git refs to find new/fixed vulnerabilities and track regression

mutate

/mutate

Security mutation testing -- weaken security controls and check if the scanner detects the resulting vulnerability

propagate

/propagate

Pattern propagation - find all instances of a vulnerability pattern throughout the codebase

Agents8

app-mapper

/app-mapper

Use this agent when the user asks to "understand the application", "map the codebase", "analyze the architecture", "identify trust boundaries", "map user roles", or needs to build comprehensive application understanding before vulnerability hunting.

attack-researcher

/attack-researcher

Autonomous attack vector exploration agent that hypothesizes novel attack vectors, tests them against the codebase, and iterates. Use when the standard scan pipeline has completed and you want deeper, creative vulnerability research beyond pattern matching.

code-reviewer

/code-reviewer

Use this agent when the user asks to "review code for security", "find vulnerabilities", "security audit", "analyze for security issues", or when exploring a codebase with security concerns.

false-positive-verifier

/false-positive-verifier

Use this agent to verify security findings and eliminate false positives. Analyzes code context, data flow paths, and exploitability with structured evidence to determine if a finding is a true positive or false positive.

local-tester

/local-tester

Use this agent when the user wants to "test a vulnerability", "confirm exploitation", "debug the application", "verify the finding", or needs guidance on dynamic testing during Phase 2 of whitebox pentesting.

Skills27

AI/ML Attack Surface

/ai-ml-attacks

This skill should be used when the user asks about "AI security", "ML pipeline attacks", "prompt injection", "model deserialization", "unsafe model loading", "Jupyter injection", "LLM security", or needs to identify AI/ML-specific vulnerabilities in codebases that use machine learning frameworks.

Business Logic Analysis

/business-logic

This skill should be used when the user asks about "business logic", "workflow vulnerability", "trust boundary", "state machine", "authorization bypass", "multi-step process", "workflow bypass", "application logic flaw", or needs to identify business logic vulnerabilities during whitebox pentesting.

Cache Poisoning & Web Cache Deception

/cache-poisoning

---

Cloud-Native Security

/cloud-native

This skill should be used when the user asks about "cloud security", "AWS security", "GCP security", "Azure security", "Kubernetes security", "IMDS", "instance metadata", "S3 bucket policy", "IAM", "serverless security", "Lambda security", "container security", "cloud misconfiguration", "SSRF to cloud metadata", or needs to identify cloud-native security issues during whitebox pentesting.

Compliance Mapping

/compliance-mapping

This skill should be used when the user asks about "compliance mapping", "PCI-DSS", "HIPAA", "SOC 2", "NIST CSF", "regulatory requirements", "compliance report", or needs to map security findings to compliance framework requirements.

Stats

Version1.4.0

ReleasedMar 30, 2026

LanguagePython

Stars18

Forks2

MaintenanceExcellent

LicenseMIT

Last CommitMar 27, 2026

AddedMar 21, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Own this plugin?

Verify ownership to unlock analytics, metadata editing, and a verified badge.

Available In

vuln-scout18

Safety Signals

Caution

Uses power tools

Uses Bash, Write, or Edit tools

Help us improve

Share bugs, ideas, or general feedback.

README

VulnScout

AI-powered whitebox penetration testing for Claude Code.

One command. Full audit. Any codebase.

/whitebox-pentest:full-audit /path/to/code

VulnScout is a Claude Code plugin that turns Claude into an autonomous security reviewer. It brings battle-tested pentesting methodology (HTB Academy, OffSec AWAE/OSWE) into your terminal with STRIDE threat modeling, evidence-first findings, and support for 9 languages including Solidity smart contracts.

Tested end-to-end on OWASP Juice Shop v17.1.1 -- 62 findings across SQL injection, XSS, path traversal, SSTI, SSRF, hardcoded secrets, and more.

Why VulnScout?

Traditional SAST tools find patterns. VulnScout understands your application.

Automated scan pipeline -- Semgrep + Joern CPG + secret scanning in one command, with SARIF and Markdown output
Threat models first, then hunts -- STRIDE analysis identifies what matters before scanning
Traces data flow, not just patterns -- follows user input from source to sink across files and services
15 CPG verification scripts -- proves exploitability through Code Property Graph analysis, not just pattern matching
CVSS 3.1 auto-scoring -- every finding gets a CVSS vector and numeric score
Handles massive codebases -- language-aware compression (Go: 97% reduction, Python: 90%) lets it audit million-token monorepos
Chains vulnerabilities -- finds SSRF-to-SSTI-to-RCE attack chains that single-pattern scanners miss
Polyglot-native -- audits Go + Python + TypeScript microservices as one interconnected system

Quick Start

# Option 1: Symlink into your project's plugin directory
mkdir -p .claude/plugins
ln -s /path/to/vuln-scout/whitebox-pentest .claude/plugins/whitebox-pentest

# Option 2: Copy into your project
cp -r /path/to/vuln-scout/whitebox-pentest .claude/plugins/whitebox-pentest

# Run a full audit
/whitebox-pentest:full-audit .

# Or start with threat modeling
/whitebox-pentest:threats

Note: .claude/plugins/ is relative to your project root. Claude Code automatically discovers plugins in this directory.

Standalone Scan Pipeline

VulnScout includes Python scripts that run independently of Claude Code:

# Scan with Semgrep + secret scanning
python3 scripts/scan_orchestrator.py /path/to/code --tools semgrep --secrets --format sarif

# Create a Joern CPG (cached by content hash)
python3 scripts/create_cpg.py /path/to/code

# Batch-verify findings with Joern CPG analysis
python3 scripts/batch_verify.py --findings .claude/findings.json --cpg .joern/*.cpg

# Render HTML or Markdown from an existing findings artifact
python3 scripts/report.py .claude/findings.json --format html --output security-report.html

# CI gate: fail on high-severity findings
python3 scripts/scan_orchestrator.py . --tools semgrep --fail-on high --format sarif --output findings.sarif

What You Get

13 Commands

Command	What it does
`/whitebox-pentest:full-audit`	One command does everything -- scopes, threat models, audits, reports
`/whitebox-pentest:threats`	STRIDE threat modeling with data flow diagrams
`/whitebox-pentest:sinks`	Find dangerous functions across 9 languages
`/whitebox-pentest:trace`	Follow data from source to sink
`/whitebox-pentest:scan`	Run Semgrep, CodeQL, and Joern into a shared findings artifact
`/whitebox-pentest:scope`	Handle large codebases with smart compression
`/whitebox-pentest:propagate`	Found one bug? Find every instance of the pattern
`/whitebox-pentest:verify`	CPG-based false positive elimination
`/whitebox-pentest:report`	Render Markdown, JSON, SARIF, or HTML from the shared findings artifact
`/whitebox-pentest:diff`	Compare security posture between git refs and highlight regressions
`/whitebox-pentest:auto-fix`	Auto-remediate verified findings with generated patches
`/whitebox-pentest:create-rule`	Generate a custom Semgrep rule from a confirmed vulnerability pattern
`/whitebox-pentest:mutate`	Mutation-test security controls to find detection gaps

8 Autonomous Agents

Agents run independently and return detailed analysis:

app-mapper -- Maps architecture and trust boundaries
threat-modeler -- STRIDE analysis and data flow diagrams (consumes app-mapper output)
code-reviewer -- Proactive vulnerability identification
local-tester -- Dynamic testing guidance (hands off to poc-developer)
poc-developer -- Proof of concept development
patch-advisor -- Specific remediation with code patches
false-positive-verifier -- Evidence-based verification with NEEDS_REVIEW resolution path
attack-researcher -- Autonomous attack vector exploration beyond pattern matching

15 Joern CPG Verification Scripts

View full README on GitHub

Help us improve

Find plugins for your project

Help us improve

vuln-scout

Popularity

What's Inside

Help us improve

Health & Quality

Confidence

README

VulnScout

Why VulnScout?

Quick Start

Standalone Scan Pipeline

What You Get

13 Commands

8 Autonomous Agents

15 Joern CPG Verification Scripts

Similar Plugins

ai-ide-vuln-skills

cybersecurity

cyber-neo

security-test-scanner

static-analysis

sentinel

More by allsmog

randori

shinsa

VulnScout

Why VulnScout?

Quick Start

Standalone Scan Pipeline

What You Get

13 Commands

8 Autonomous Agents

15 Joern CPG Verification Scripts