grimoire

QA gatekeeper and triage partner. This agent should be invoked when the user or another agent says "triage this finding", "verify this vulnerability", "check if this is real", "is this a false positive", "validate this hypothesis", "review these sigil results", "triage findings", "familiar", "run triage", "double check this", "sanity check", "quality check this finding", "review this PoC", "evaluate this finding", "triage all findings", "batch triage", "process sigil output", "check this PoC", "is this PoC correct", or when sigil agents produce findings that need validation before presenting to the user. Three modes: finding triage (validate a single finding or hypothesis), batch triage (process multiple sigil findings), and PoC review (evaluate proof-of-concept quality and completeness).

Worker agent that builds artifacts from explicit plans. This agent should be invoked when another agent says "delegate to gnome", "spawn a gnome", "have a gnome build this", or when a parent agent (Scribe or Familiar) needs isolated execution of a clearly-defined build task. Also invoked when the user says "gnome", "build this check", "build a semgrep rule", "build a slither detector", "implement this detection module", or "create this detection module". For PoC construction, invoked when a parent agent delegates with an explicit plan — the user-facing PoC workflow is the write-poc skill. Four modes: build check (agentic detection module), build semgrep rule, build slither detector, and build PoC.

Adversarial red-teamer of findings from a bug-bounty-host perspective. This agent should be invoked when the user or another agent says "red team this finding", "red-team this report", "hag", "run the hag", "challenge this finding", "what would a bounty host say", "disprove this finding", "stress test this PoC", "would this get paid", "attack this report", "find holes in this finding", "adversarial review", "bounty triage", "decline or pay", "devil's advocate this", or when a confirmed finding needs final prosecutorial review before submission or payout. The hag goes beyond verification — she prosecutes the finding, assumes it's overstated, and rules only for payout when the evidence forces her hand.

External research specialist. This agent should be invoked when the user or another agent says "look up", "research", "find documentation for", "what does the spec say about", "check if this is a known vulnerability", "study the specification", "find prior audit findings", "how does protocol X handle Y", "search for known issues with", "fact check this", or whenever information cannot be found in the current codebase. Covers documentation lookups, protocol specifications, vulnerability databases (solodit), prior audit reports, GitHub repositories, and security knowledge bases. Two modes: directed questions (specific Q&A with citations) and generic study (broad topic context priming).

Detection module builder and spellbook manager. This agent should be invoked when the user or another agent says "distill this finding", "create a detection module", "build a sigil from this", "encode this as automation", "scribe", "update my spellbook", "merge sigils", "what sigils do I have", "clean up sigils", "garbage collect", "scribe-gc", "promote sigils", "end of audit merge", "encode finding as detection", "what detectors do I have", "show my spellbook", "list my sigils", or when a confirmed finding should be assessed for automated detection potential. Three modes: distill (finding to detection module), spellbook management (merge, promote, garbage collect), and query (list and describe sigils).

This skill should be used when the user says "find annotations", "list audit tags", "show @audit comments", "compile annotations", "/annotation", "find todos", "find audit comments", "what did I annotate", "annotation summary", "list audit findings", "what's annotated", or wants to discover, list, or filter @audit-* comment annotations scattered throughout a codebase. This skill is for annotation discovery only — how annotations are used downstream (spawning subagents, cross-referencing findings, etc.) is out of scope.

This skill should be used when the user says "build context on a flow", "trace a flow", "map how X works", "cartography", "/cartography", "document a flow", "create a flow map", "trace how authentication works", "map the data flow", or wants to explore and document how a specific code flow works so that context can be quickly rebuilt on future visits. This is the primary skill for creating cartography files in grimoire/cartography/.

This skill should be used when the user says "create a check", "write a check", "add a check", "apply checks", "run checks", "/checks", "vulnerability pattern", "detection check", "check for common bugs", "scan with checks", or wants to create, apply, or manage simple vulnerability pattern files that agents use to find flaws. Checks are the simplest unit of agentic vulnerability detection — markdown files describing what to look for and how to assess matches. This skill is NOT for general code review or ad-hoc vulnerability analysis.

This skill should be used when the user says "deduplicate findings", "dedup findings", "compare findings", "find duplicate findings", "merge findings", "clean up findings", "/finding-dedup", or wants to identify and resolve duplicate or overlapping security findings in a project. Classifies finding pairs as duplicate (can delete one) or similar (different scope, may merge). This skill is NOT for drafting new findings (use /finding-draft) or reviewing individual findings (use /finding-review).

This skill should be used when the user says "draft a finding", "write a finding", "create a finding", "document a vulnerability", "write up this bug", "finding template", "report a vulnerability", "/finding-draft", or wants to construct a new structured security finding from a vulnerability observation. This skill is NOT for reviewing existing findings (use /finding-review) or deduplicating findings (use /finding-dedup).

3 hooks across 2 events