Stats
Actions
Tags
From grimoire
Transforms confirmed security findings into reusable automated detection modules (sigils) by analyzing vulnerability patterns and assessing automation feasibility.
How this skill is triggered — by the user, by Claude, or both
Slash command
/grimoire:scribe-distillThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Transform confirmed findings into reusable automated detection modules.
Transform confirmed findings into reusable automated detection modules.
Every confirmed finding is a potential lesson for future audits. The Scribe's distill workflow determines whether that lesson can be encoded as automated detection and, if so, builds the detection module. Static analysis is always preferred — it is deterministic, fast, and cheap. Agentic checks are a fallback for patterns that require reasoning. Some findings simply cannot be automated; for those, encode the knowledge as a reference artifact rather than letting it be forgotten.
A low false-positive rate is more important than coverage. A detection module that fires on every audit but produces false positives is worse than one that misses edge cases but is always right when it fires.
When this skill is activated, create a todo list from the following steps. Mark each task in_progress before starting it and completed when done.
- [ ] 1. Load finding and context
- [ ] 2. Check for existing coverage
- [ ] 3. Extract generalizable pattern
- [ ] 4. Assess automation feasibility
- [ ] 5. Determine sigil type
- [ ] 6. Create detection module
- [ ] 7. Validate detection module
- [ ] 8. Assess variant analysis potential
- [ ] 9. Present results and suggest follow-ups
Read the finding file. Extract:
context frontmatter field)Read GRIMOIRE.md for codebase context — architecture, crown jewels, technology stack.
Check in with the user before continuing.
Run bash skills/checks/scripts/index-checks.sh grimoire/spells/checks/ to list existing
checks. Read any that might cover the same vulnerability class.
If a check already covers this exact pattern:
If partial overlap exists, note which aspects are already covered so the new module can focus on the gap.
If the directory does not exist, no existing checks exist — skip to step 3.
Strip instance-specific details from the finding:
Express the pattern as: "Code that does X without Y, in the context of Z."
Example: A reentrancy finding in Vault.withdraw() becomes "Functions that make external
calls before updating state in contracts holding user funds."
Check in with the user to confirm the generalized pattern captures the essence of the vulnerability.
Consult references/feasibility-criteria.md for detailed guidance. Classify the pattern:
Static-feasible — The pattern is identifiable by searching for specific strings, function calls, code shapes, or AST patterns. Proceed to check creation.
Agentic-feasible — The pattern is identifiable by grep but requires reading surrounding context to assess whether a match is a real issue. Create a check with assessment criteria that guide the applying agent.
Not automatable — The pattern requires deep business logic understanding, external state knowledge, or full-codebase reasoning that cannot be reduced to a check. Create a knowledge artifact instead.
Present the feasibility assessment to the user.
Consult references/sigil-types.md for the type taxonomy and decision flowchart.
For now, the only implementable types are:
If the pattern would be better served by semgrep, slither, or codeql, note this as a future improvement but create a check as a fallback.
For checks (static-feasible and agentic-feasible):
Follow the check format from skills/checks/references/check-format.md:
attribution-name and attribution-url to
credit the sourceCreate the file in grimoire/spells/checks/ with a slugified filename. Consult
skills/checks/examples/ for worked examples at different complexity levels.
Gnome delegation: Spawn a Gnome agent to build the check. Provide it with the generalized pattern, target language(s), severity/confidence guidance, and assessment criteria. The Gnome handles file creation, format compliance, and validation.
For knowledge artifacts (not automatable):
Create a markdown file in grimoire/spells/knowledge/ (create directory with mkdir -p if
needed) with:
For checks, run:
bash skills/checks/scripts/validate-check.sh <path-to-check>
If validation fails, fix the issues and re-validate.
For knowledge artifacts, verify: frontmatter is well-formed, description is clear and actionable, the document is self-contained.
Check in with the user.
Consider whether the pattern is likely to recur elsewhere in the current codebase:
If variant analysis is warranted, suggest spawning a variant sigil with the generalized pattern from step 3.
Summarize what was created using the Scribe distill output format from
agents/scribe.md.
Suggest follow-ups:
npx claudepluginhub joranhonig/grimoireCreate, apply, and manage vulnerability pattern checks — simple markdown files that describe what to look for in a codebase and how to assess matches for agentic vulnerability detection.
Creates custom Semgrep rules for detecting bug patterns and security vulnerabilities. Activates when asked to create, write, make, or build Semgrep rules, or detect specific insecure code patterns.
Creates production-quality Semgrep rules with tests and validation for security vulnerabilities, bug patterns, and code standards. Use when writing custom static analysis rules.