ai-ide-vuln-skills

AI IDE Vulnerability Skills

Claude Code skills plugin for security testing AI-assisted IDEs and coding agents. 8 skills covering 25 vulnerability patterns across 4 classes (code execution, prompt injection, data exfiltration, trust persistence), with 5 canonical attack chain templates. Supports both black-box assessment (documentation analysis, runtime observation, payload testing) and white-box assessment (source code auditing with semgrep/CodeQL queries, static analysis templates). Each skill includes step-by-step methodology, copy-pasteable payloads, and known vulnerability references.

Installation

Install from GitHub (permanent):

# Inside Claude Code:
/plugin marketplace add Mindgard/ai-ide-skills
/plugin install ai-ide-vuln-skills@mindgard

Local development -- clone and load for a single session:

git clone https://github.com/Mindgard/ai-ide-skills.git
claude --plugin-dir ./ai-ide-vuln-skills

Verify installation -- run /help to see all available skills. Skills are invoked by name (e.g., /ai-ide-recon).

How to Use

Each skill is a guided methodology. You invoke the skill, tell Claude what target you're testing, and it walks you through the steps — what to test, in what order, with payloads you can copy-paste. Skills are designed to be used in sequence: recon first, then pattern-specific skills, then chain construction.

Example: Black-Box Assessment

Testing a closed-source AI IDE you only have the binary and documentation for.

Step 1 — Recon. Map the attack surface:

/ai-ide-recon
> Assess the attack surface of [TargetIDE]. Documentation is at [URL].

Claude analyzes the docs, identifies security-relevant features (MCP support, command execution, workspace trust model, output rendering), detects blind spots, and produces a tier-annotated attack surface map. Tier 1 findings (auto-loading configs, no trust model) are flagged first.

Step 2 — Test highest-tier findings. Recon found MCP support with no documented trust model:

/mcp-config-poisoning
> Test whether [TargetIDE] auto-loads MCP configs from workspace files.
> Recon found the config path is .targetide/mcp.json.

Claude starts with the Tier 1 test (does the config load without approval?), then moves down through tiers.

Step 3 — Test additional findings. Recon found markdown rendering with images:

/ai-ide-data-exfil
> Test whether [TargetIDE] fetches external images in rendered markdown output.

Step 4 — Build chains. After confirming individual primitives:

/ai-ide-attack-chains
> Confirmed primitives: MCP auto-load (Tier 1), markdown image rendering (Tier 2).
> Build attack chains and assess severity.

Claude maps your confirmed primitives to canonical chains, constructs a PoC, and classifies severity by trigger model.

Example: White-Box Assessment

Testing an open-source AI IDE with full source code access.

Step 1 — Recon. Same as black-box — documentation analysis is faster than reading the entire codebase:

/ai-ide-recon
> Assess the attack surface of [TargetIDE]. Source is at [repo URL], docs at [URL].

Step 2 — Source audit. Focus on the six code areas that yield the most findings:

/ai-ide-source-audit
> Audit [TargetIDE] source code. Recon identified MCP support, command execution,
> and workspace config auto-loading. Start with Tier 1 targets.

Claude guides you through config auto-loading code, command execution pipeline, MCP integration layer — with grep patterns, semgrep rules, and CodeQL queries for each target.

Step 3 — Pattern skills + chains. Same as black-box steps 2-4, but informed by source findings.

Tips

• Keep the same conversation across skills — recon findings carry forward as context for pattern skills.
• Start from the target's project directory — some skills reference workspace files and config paths.
• Check references/ directories inside each skill for copy-pasteable payloads, config format templates, and known vulnerability tables.
• Use /help to list all available skills if you forget a name.

Vulnerability Patterns

Arbitrary Code/Command Execution