From vuln-scout
Identifies security-sensitive functions (sinks) for command injection, SQL injection, code execution in PHP, Java, Python, JS, .NET, Go, Ruby, Rust during whitebox pentesting.
How this skill is triggered — by the user, by Claude, or both
Slash command
/vuln-scout:dangerous-functions
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Provide comprehensive knowledge of security-sensitive functions (sinks) across programming languages for whitebox penetration testing. These functions are common targets during code review because improper use leads to critical vulnerabilities.
- disable-functions-bypass.md
- references/dotnet-sinks.md
- references/go-ruby-sinks.md
- references/java-sinks.md
- references/javascript-sinks.md
- references/kotlin-sinks.md
- references/nginx-sinks.md
- references/php-sinks.md
- references/python-sinks.md
- references/rust-sinks.md
- references/solidity-sinks.md
- references/swift-sinks.md
Activate this skill during:
- Sources: entry points where user input enters the application
- Sinks: functions where malicious input causes damage
| Category | Impact | Common Languages |
|---|---|---|
| Command Injection | Remote Code Execution | All |
| Code Injection | Remote Code Execution | PHP, Python, JS |
| SQL Injection | Data breach | All with databases |
| Deserialization | Remote Code Execution | Java, PHP, Python, .NET |
| File Operations | LFI/RFI/Arbitrary Write | All |
| SSRF | Internal network access | All |
| Template Injection | Remote Code Execution | Python, Java, JS |
| Reentrancy | Fund theft | Solidity |
| Flash Loan Attacks | Price/state manipulation | Solidity |
| Access Control | Privilege escalation | Solidity |
Determine the primary language(s) used:
Consult the appropriate reference file for comprehensive sink lists:
- references/php-sinks.md for PHP applications
- references/java-sinks.md for Java applications
- references/python-sinks.md for Python applications
- references/javascript-sinks.md for Node.js/JavaScript
- references/dotnet-sinks.md for .NET/C# applications
- references/go-ruby-sinks.md for Go and Ruby
- references/rust-sinks.md for Rust applications
- references/kotlin-sinks.md for Kotlin/Android applications (preview -- not in supported language list)
- references/swift-sinks.md for Swift/iOS applications (preview -- not in supported language list)
- references/solidity-sinks.md for Solidity smart contracts
Use Grep tool to search for dangerous functions:
For each identified sink, document:
Rank findings using this framework:
| Priority | Criteria |
|---|---|
| Critical | Direct user input reaches sink |
| High | Database/file data (user-controlled) reaches sink |
| Medium | Authenticated user input reaches sink |
| Low | Admin-only input reaches sink |
| Info | Hardcoded values only |
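The sink search and the priority ranking above can be combined into a small review aid. The script below is an added example, not code from the vuln-scout skill or its reference files: it greps a handful of constructed source snippets for command- and code-injection sinks in PHP, Python and JavaScript, tracks tainted variables within each file with a simple forward pass, and labels each hit Critical (a request source reaches the sink on the same line or through an assignment), Info (the sink receives only a string literal), or Trace (a variable of unknown origin reaches the sink and must be traced manually). The sink and source regexes, the taint heuristic and the sample files are all assumptions for this illustration and are far smaller than the per-language reference lists.

```python
import re
from dataclasses import dataclass

# Illustrative sink patterns per language and category (hypothetical subset,
# not the skill's full reference lists).
SINKS = {
    "php": {
        "Command Injection": r"\b(system|exec|shell_exec|passthru|popen)\s*\(",
        "Code Injection": r"\b(eval|assert)\s*\(",
    },
    "python": {
        "Command Injection": r"\b(os\.system|subprocess\.(call|run|Popen|check_output))\s*\(",
        "Code Injection": r"\b(eval|exec)\s*\(",
    },
    "javascript": {
        "Command Injection": r"\b(exec|execSync|spawn)\s*\(",
        "Code Injection": r"\b(eval|new Function)\s*\(",
    },
}
# Illustrative source patterns: where untrusted request data enters.
SOURCES = {
    "php": r"\$_(GET|POST|REQUEST|COOKIE|FILES)\b",
    "python": r"\brequest\.(args|form|json|data|values)\b",
    "javascript": r"\breq\.(query|body|params)\b",
}
EXT_TO_LANG = {".php": "php", ".py": "python", ".js": "javascript"}
# "name = ..." at the start of a line (optionally prefixed with const/let/var).
ASSIGN = re.compile(r"^\s*(?:const|let|var)?\s*(\$?[A-Za-z_]\w*)\s*=(?!=)")
# A call whose argument list is exactly one quoted string literal.
LITERAL_ONLY_ARGS = re.compile(r"\(\s*(['\"])(?:(?!\1).)*\1\s*\)")

# Constructed sample files; they are not taken from any real project.
SAMPLE_FILES = {
    "upload.php": """<?php
$cmd = "convert " . $_GET['file'];
system($cmd);
$out = shell_exec("ls " . ADMIN_DIR);
""",
    "api.py": """import subprocess
def run(request):
    subprocess.call(request.args['cmd'], shell=True)
    eval("1+1")
""",
    "server.js": """const { exec } = require('child_process');
app.get('/ping', (req, res) => exec('ping ' + req.query.host));
""",
}


@dataclass
class Finding:
    file: str
    line: int
    category: str
    sink: str
    priority: str  # Critical, Trace or Info (see lead-in)
    code: str


def _mentions_taint(line, tainted, lang):
    """True if the line reads a request source or a variable derived from one."""
    if re.search(SOURCES[lang], line):
        return True
    return any(re.search(r"(?<![\w$])" + re.escape(v) + r"\b", line) for v in tainted)


def scan_file(path, text):
    lang = EXT_TO_LANG.get(path[path.rfind("."):])
    if lang is None:
        return []
    findings, tainted = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        tainted_here = _mentions_taint(line, tainted, lang)
        assign = ASSIGN.match(line)
        if assign and tainted_here:
            tainted.add(assign.group(1))  # propagate taint to the assigned name
        for category, pattern in SINKS[lang].items():
            hit = re.search(pattern, line)
            if not hit:
                continue
            if tainted_here:
                priority = "Critical"
            elif LITERAL_ONLY_ARGS.search(line[hit.end() - 1:]):
                priority = "Info"
            else:
                priority = "Trace"
            sink = hit.group(0).rstrip("( \t")
            findings.append(Finding(path, no, category, sink, priority, line.strip()))
    return findings


def scan_all(files):
    """Scan every file and order results by review priority."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    order = {"Critical": 0, "Trace": 1, "Info": 2}
    return sorted(findings, key=lambda f: (order[f.priority], f.file, f.line))


if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f.priority:8} {f.file}:{f.line} {f.category} via {f.sink}: {f.code}")
```

To use it on a real tree, replace SAMPLE_FILES with the contents read by os.walk and extend SINKS and SOURCES from the matching references/*-sinks.md file. The taint pass is deliberately intra-file and line-based: anything it labels Trace (and any Critical hit) still needs the manual source-to-sink tracing the priority table describes.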
When reviewing identified sinks, consider:
For comprehensive function lists by language, consult:
- references/php-sinks.md - PHP dangerous functions with grep patterns
- references/java-sinks.md - Java dangerous functions with grep patterns
- references/python-sinks.md - Python dangerous functions with grep patterns
- references/javascript-sinks.md - JavaScript/Node.js dangerous functions
- references/dotnet-sinks.md - .NET/C# dangerous functions
- references/go-ruby-sinks.md - Go and Ruby dangerous functions
- references/rust-sinks.md - Rust dangerous functions (unsafe, FFI, etc.)
- references/kotlin-sinks.md - Kotlin/Android dangerous functions (preview -- not in supported language list)
- references/swift-sinks.md - Swift/iOS dangerous functions (preview -- not in supported language list)
- references/solidity-sinks.md - Solidity smart contract sinks (reentrancy, access control, flash loans)
npx claudepluginhub allsmog/vuln-scout --plugin whitebox-pentest
Identifies common web vulnerability patterns like SQL injection, command injection, XSS, and OWASP Top 10 during whitebox pentesting and code reviews.
This skill should be used when the user asks to "analyze code for security issues", "check for OWASP vulnerabilities", "review code against CWE Top 25", "find injection vulnerabilities", "do a security code review", or needs manual security analysis against OWASP Top 10, API Top 10, Mobile Top 10, or CWE/SANS frameworks.
Reviews code for security vulnerabilities like SQL/command injection, XSS, unsafe deserialization in Python, JavaScript/TypeScript, React, Java, Go, Ruby, SQL.