By pucagit
Offensive security audit framework with specialized agents and skills for vulnerability research, from reconnaissance through verified findings with production-grade reports.
npx claudepluginhub pucagit/claude-plugin --plugin security-research
Phase 4 of a security audit, and standalone mode for user-supplied findings. Reads verified findings and recon artifacts from AUDIT_DIR, invokes the write-report skill for methodology, checks for custom REPORT.md template, and writes a professional report.
Use this agent to conduct offensive security research on a target codebase. Performs reconnaissance, vulnerability hunting, and verification by invoking specialized skills — not a rigid pipeline. Spawns subagents only for parallel deep-dives or when context isolation is needed. PREREQUISITE: The user must run /security-research:claude-init first to set up the workspace.
Self-improvement skill. When a high-quality vulnerability is found, this skill analyzes what worked well and stores the technique in the appropriate detection skill's references/cool_techniques.md file for future audits. User-invoked only.
Initialize a security audit workspace interactively. Asks the user for target information one question at a time, then runs a deterministic setup script that installs tools (semgrep, gitnexus), indexes the codebase, and creates the audit workspace. Invoke this BEFORE running the security-orchestrator.
Reference guide for Phase 2 source code security review. Provides framework-specific route and auth annotation patterns, input source taxonomy, and sink catalog with grep commands for building source-to-sink chains. Use during endpoint mapping, auth gap analysis, and attack surface construction.
Exhaustive semantic analysis methodology for a single file or module. Read code deeply, understand every function, trace data flows, analyze state machines, reason about edge cases, and find vulnerabilities that pattern matching misses.
Detect all authentication, authorization, and access control vulnerabilities — IDOR/BOLA, BFLA, privilege escalation, mass assignment, JWT issues, session management, OAuth/SAML, multi-tenant isolation, GraphQL introspection, and role hierarchy flaws. Consolidated detection skill for all auth/access patterns.
Detect configuration, cryptographic, and deployment security vulnerabilities — debug mode, CORS misconfiguration, missing headers, exposed admin endpoints, default credentials, hardcoded secrets, weak password hashing, insecure RNG, ECB mode, TLS bypass, timing attacks, container/Kubernetes misconfig. Consolidated detection skill for all configuration and crypto patterns.
Detect all input-to-sink vulnerabilities — SQLi, NoSQLi, CMDi, path traversal, SSTI, SSRF, XSS, deserialization/XXE, and file handling. Consolidated detection skill covering all cases where user-controlled data reaches a dangerous operation.
Detect business logic, concurrency, and API-specific vulnerabilities — race conditions, TOCTOU, double-spend, workflow bypass, price/quantity manipulation, cache poisoning/deception, distributed lock issues, rate limiting gaps, GraphQL DoS, excessive data exposure, and webhook security. Consolidated detection skill for all logic/timing/API patterns.
Detect memory safety vulnerabilities across all languages — buffer overflow, use-after-free, double free, invalid free, type confusion, integer overflow, uninitialized memory, format string, OOB read/write, and unsafe language bindings (C/C++, Rust unsafe, Go cgo, Python ctypes, Java JNI, Node.js N-API). Includes exploitation chain construction with multi-allocator tactics.
Run additional security audit passes that build on previous work. Reads all existing findings, attack surfaces, and coverage data to identify gaps, generate new hunting hypotheses, and focus on unexplored areas. Maintains a coverage tracker across runs for stateful optimization. Use after an initial audit to find vulnerabilities missed in earlier passes.
Run Semgrep static analysis scans on target source code. Supports registry rule packs (security-audit, owasp-top-ten, secrets), custom taint rule writing, and structured JSON output parsing. Use when performing SAST scanning, writing taint analysis rules, hunting for vulnerabilities with pattern matching, or running automated security scans during any audit phase.
Create a Docker Compose testing environment from the target source code. Builds from existing Dockerfiles, public images, or source code. Seeds test data, applies custom security configurations, and auto-updates CLAUDE.md with live target info for PoC execution. Use before or after the orchestrator to get a live target for testing.
Gather open-source intelligence about a target project by searching official documentation, GitHub repositories, API references, deployment guides, and public security advisories. Enriches CVE findings with PoC exploits from the local PoC-in-GitHub database. Use during Phase 1 reconnaissance to build project understanding before source code analysis. Outputs a structured web_intelligence.md file to the audit workspace.
Analyze git history for security-related commits, scan dependency manifests for known CVEs, and search the codebase for unfixed variant patterns. Produces variant-analysis.md with security commits, dependency CVEs, and variant candidates.
Verification methodology for security findings. 5-step verification with adversarial disproval, severity calibration via CVSS 3.1, variant expansion, and PoC execution against live targets. Transforms UNVERIFIED findings into CONFIRMED/DOWNGRADED/FALSE_POSITIVE with evidence. User-invocable for re-verification and PoC execution.
Report generation methodology for security audits. Handles mode detection (pipeline vs standalone), custom template support, and produces a professional report with executive summary, findings table, vulnerability chains, and remediation roadmap.