By joranhonig
Run AI-assisted security audits on codebases: initialize audit workspaces, scan @audit annotations across languages, hunt vulnerabilities with specialized agents, triage and deduplicate findings, generate PoCs, distill patterns into reusable sigils, review against best practices, and map code flows via cartography.
npx claudepluginhub joranhonig/grimoire

QA gatekeeper and triage partner. This agent should be invoked when the user or another agent says "triage this finding", "verify this vulnerability", "check if this is real", "is this a false positive", "validate this hypothesis", "review these sigil results", "triage findings", "familiar", "run triage", "double check this", "sanity check", "quality check this finding", "review this PoC", "evaluate this finding", "triage all findings", "batch triage", "process sigil output", "check this PoC", "is this PoC correct", or when sigil agents produce findings that need validation before presenting to the user. Three modes: finding triage (validate a single finding or hypothesis), batch triage (process multiple sigil findings), and PoC review (evaluate proof-of-concept quality and completeness).
Worker agent that builds artifacts from explicit plans. This agent should be invoked when another agent says "delegate to gnome", "spawn a gnome", "have a gnome build this", or when a parent agent (Scribe or Familiar) needs isolated execution of a clearly-defined build task. Also invoked when the user says "gnome", "build this check", "build a semgrep rule", "build a slither detector", "implement this detection module", or "create this detection module". For PoC construction, invoked when a parent agent delegates with an explicit plan — the user-facing PoC workflow is the write-poc skill. Four modes: build check (agentic detection module), build semgrep rule, build slither detector, and build PoC.
Adversarial red-teamer of findings from a bug-bounty-host perspective. This agent should be invoked when the user or another agent says "red team this finding", "red-team this report", "hag", "run the hag", "challenge this finding", "what would a bounty host say", "disprove this finding", "stress test this PoC", "would this get paid", "attack this report", "find holes in this finding", "adversarial review", "bounty triage", "decline or pay", "devil's advocate this", or when a confirmed finding needs final prosecutorial review before submission or payout. The hag goes beyond verification — she prosecutes the finding, assumes it's overstated, and rules only for payout when the evidence forces her hand.
External research specialist. This agent should be invoked when the user or another agent says "look up", "research", "find documentation for", "what does the spec say about", "check if this is a known vulnerability", "study the specification", "find prior audit findings", "how does protocol X handle Y", "search for known issues with", "fact check this", or whenever information cannot be found in the current codebase. Covers documentation lookups, protocol specifications, vulnerability databases (solodit), prior audit reports, GitHub repositories, and security knowledge bases. Two modes: directed questions (specific Q&A with citations) and generic study (broad topic context priming).
Detection module builder and spellbook manager. This agent should be invoked when the user or another agent says "distill this finding", "create a detection module", "build a sigil from this", "encode this as automation", "scribe", "update my spellbook", "merge sigils", "what sigils do I have", "clean up sigils", "garbage collect", "scribe-gc", "promote sigils", "end of audit merge", "encode finding as detection", "what detectors do I have", "show my spellbook", "list my sigils", or when a confirmed finding should be assessed for automated detection potential. Three modes: distill (finding to detection module), spellbook management (merge, promote, garbage collect), and query (list and describe sigils).
Single-context vulnerability hunter. This agent should be invoked when the user or another agent says "hunt for bugs", "find vulnerabilities", "run a sigil", "variant analysis", "scan for a pattern", "check the code for issues", "security scan", "look for reentrancy", "audit this contract", "find bugs in this function", "spawn a sigil", "run a variant sigil", "security review", or when another agent needs focused vulnerability detection on a specific pattern or code area. Two modes: single-target hypothesis-driven hunting (one vector per invocation with evidence-backed findings) and variant analysis (scanning the full codebase for recurrences of a confirmed bug pattern).
This skill should be used when the user says "find annotations", "list audit tags", "show @audit comments", "compile annotations", "/annotation", "find todos", "find audit comments", "what did I annotate", "annotation summary", "list audit findings", "what's annotated", or wants to discover, list, or filter @audit-* comment annotations scattered throughout a codebase. This skill is for annotation discovery only — how annotations are used downstream (spawning subagents, cross-referencing findings, etc.) is out of scope.
This skill should be used when the user says "build context on a flow", "trace a flow", "map how X works", "cartography", "/cartography", "document a flow", "create a flow map", "trace how authentication works", "map the data flow", or wants to explore and document how a specific code flow works so that context can be quickly rebuilt on future visits. This is the primary skill for creating cartography files in grimoire/cartography/.
This skill should be used when the user says "create a check", "write a check", "add a check", "apply checks", "run checks", "/checks", "vulnerability pattern", "detection check", "check for common bugs", "scan with checks", or wants to create, apply, or manage simple vulnerability pattern files that agents use to find flaws. Checks are the simplest unit of agentic vulnerability detection — markdown files describing what to look for and how to assess matches. This skill is NOT for general code review or ad-hoc vulnerability analysis.
This skill should be used when the user says "deduplicate findings", "dedup findings", "compare findings", "find duplicate findings", "merge findings", "clean up findings", "/finding-dedup", or wants to identify and resolve duplicate or overlapping security findings in a project. Classifies finding pairs as duplicate (can delete one) or similar (different scope, may merge). This skill is NOT for drafting new findings (use /finding-draft) or reviewing individual findings (use /finding-review).
This skill should be used when the user says "draft a finding", "write a finding", "create a finding", "document a vulnerability", "write up this bug", "finding template", "report a vulnerability", "/finding-draft", or wants to construct a new structured security finding from a vulnerability observation. This skill is NOT for reviewing existing findings (use /finding-review) or deduplicating findings (use /finding-dedup).
This skill should be used when the user says "review finding", "review my finding", "check my finding", "fact check finding", "improve finding", "/finding-review", or provides a path to an existing finding file and wants it evaluated for quality. Reviews findings against best practices for title clarity, description completeness, recommendation objectivity, severity accuracy, and reference validity. This skill is NOT for drafting new findings (use /finding-draft) or deduplicating findings (use /finding-dedup).
This skill should be used when the user asks about findings, finding structure, finding format, finding best practices, "how should a finding look", "what goes in a finding", "/finding", or wants to understand how security findings are structured and written. Teaches the format, best practices, and conventions for security findings. For specific workflows use /finding-draft, /finding-review, or /finding-dedup.
This skill should be used when the user says "clean up flows", "merge flows", "gc cartography", "garbage collect flows", "deduplicate flows", "consolidate cartography", "too many flow files", "overlapping flows", "duplicate cartography", "reduce flow count", or wants to identify and merge overlapping cartography files, remove stale references, and reduce duplication in the grimoire/cartography/ directory.
Use this skill when the user says "clean librarian cache", "clear librarian cache", "clean up librarian repos", "prune librarian cache", "shrink librarian cache", "librarian is using too much space", "free up disk space from librarian", "how much space is librarian using", or wants to remove cached repositories that the librarian has cloned locally. Clears ~/.grimoire/librarian/cache/ to reclaim disk space without touching the curated library/ directory.
Use this skill when the user says "index the library", "index my libraries", "build the search index", "index the librarian", "rebuild the index", "update the search index", "index library content", "index for semantic search", "run librarian-index", or wants to make library content searchable via semantic/vector search. Reads all registered libraries from libraries.yaml, chunks their files, and stores them in the local Qdrant vector database so the librarian agent can do semantic search.
Semantic search across the librarian's indexed knowledge bases. This skill is invoked by the librarian agent when it needs to search local libraries by meaning rather than exact text. It runs a vector similarity query against the Qdrant database built by librarian-index and returns ranked results with source metadata for citation. Not user-invocable — called by the librarian agent as part of its research workflow.
Use this skill when the user wants to add, remove, or change a library in the grimoire librarian. Trigger phrases include: "add a library", "add a git library", "add a local library", "add a symlink library", "remove a library", "remove the X library", "change a library", "update a library", "update a library source", "upgrade a library", "switch library source", "edit a library", "modify a library", "register a library", "unregister a library", "delete a library entry", "add knowledge base", "add a repo to the librarian", "add library to librarian", or any request to change what libraries the librarian has access to. Modifies ~/.grimoire/librarian/library/libraries.yaml to add, remove, or update library entries. Supports git repositories and local symlink directories.
This skill should be used when the user says "review a flow", "improve a flow", "verify a flow", "refine cartography", "check a cartography file", "verify flow accuracy", "are my flows still accurate", or wants to verify and improve an existing cartography file against the actual codebase. It cross-references documented flows with real code, fills gaps, fixes stale paths, adds related flow links, and introduces conditional sections where needed.
This skill should be used when the user says "distill this finding", "create a detection module", "encode this finding", "make a sigil from this", "automate detection for this", "build a sigil from this", "scribe distill", "/scribe-distill", or when a confirmed finding should be transformed into a reusable automated detection module. Analyzes a finding's vulnerability pattern, assesses automation feasibility, and creates a detection module (sigil) in the project spellbook.
This skill should be used when the user says "clean up sigils", "garbage collect", "deduplicate sigils", "scribe gc", "/scribe-gc", "merge duplicate detectors", "review my spellbook", "prune sigils", or when duplicate detection modules need to be identified and resolved. Scans the personal grimoire or project spellbook for overlapping or duplicate sigils and proposes resolutions.
This skill should be used when the user says "list my sigils", "what detectors do I have", "show my spellbook", "scribe info", "/scribe-utilities", "what's in my grimoire", "search sigils", "spellbook stats", or wants information about available detection modules. Read-only queries against the personal grimoire and project spellbook.
This skill should be used when the user says "summon", "summon grimoire", "/summon", "initialize grimoire", "start an audit", "begin security review", "set up audit workspace", "kick off security research", "scope a codebase", "map a codebase for security", "prepare for an audit", or wants to initialize Grimoire on a new codebase. This is the first skill run on a new engagement. It builds initial context, creates the audit workspace structure, and produces GRIMOIRE.md — the living contextual map that primes all future agent interactions for security research.
This skill should be used when the user asks to "write a proof of concept", "create a PoC", "demonstrate a vulnerability", "write an exploit PoC", "show this bug is exploitable", "prove this vulnerability exists", "PoC for CVE", "demonstrate the impact", "exploit this bug", "build an exploit", "write a Foundry test for this bug", "create a forge test PoC", or needs to create a working demonstration of a security vulnerability for responsible disclosure and remediation purposes.
Requires secrets: needs API keys or credentials to function.
Uses power tools: uses Bash, Write, or Edit tools.