npx claudepluginhub joranhonig/grimoireThis skill uses the workspace's default tool permissions.
Initialize Grimoire on a new codebase. Build context, create the audit workspace, and produce
Orchestrates repo security scans (SAST, SCA, secrets, config) with adaptive agent swarms: subagents for small repos, teams for large. Verifies findings, compiles reports.
Audits full codebase for security issues via SAST, OWASP Top 10/LLM Top 10, SCA, Zero Trust validation, code quality; outputs prioritized report with remediation plan.
Scans local projects for dependency vulnerabilities (SCA), code security patterns (SAST), leaked secrets, auth/crypto flaws, misconfigs, supply chain risks, CI/CD issues. Generates prioritized report with remediation guidance.
Share bugs, ideas, or general feedback.
Initialize Grimoire on a new codebase. Build context, create the audit workspace, and produce
GRIMOIRE.md — the living contextual map for this security engagement.
Build context first. Top researchers always establish contextual understanding before hunting
for bugs. Summon explores the target, builds a map, and gives you and future agents the context
needed to do meaningful work. Keep GRIMOIRE.md concise — it is loaded into every agent context.
Detailed notes belong in grimoire/tomes/.
When this skill is activated, create a todo list from the following steps. Mark each task in_progress before starting it and completed when done.
- [ ] 1. Verify workspace layout — confirm directory structure, identify in-scope repo(s)
- [ ] 2. Create audit directory structure — set up grimoire/, findings/, spells/, tomes/
- [ ] 3. Build initial context — language, tooling, frameworks, integrations, problem & approach
- [ ] 4. Map architecture and flows — identify structure, primary flows, key components
- [ ] 5. Identify crown jewels — determine high-impact targets and threat model
- [ ] 5b. Capture scope constraints — capability vs trust assumptions, out-of-scope, invariants
- [ ] 6. Write GRIMOIRE.md — assemble the contextual map
- [ ] 7. Review GRIMOIRE.md — kick off subagent to verify accuracy and trim bloat
- [ ] 8. Surface automation opportunities — check for spellbook modules to run
- [ ] 9. Spawn sigil swarm — run checks-based sigils against the codebase
Check the current working directory. The ideal layout is:
project/ <-- cwd
in_scope_repo/
The project directory should contain the repository (or repositories) that are in scope. Grimoire creates its own files and directories alongside (not inside) the scoped code.
Verify:
If multiple repositories are in scope, identify each one. GRIMOIRE.md should cover all in-scope repos in a single document, with architecture and flows sections clearly delineating per-repo structure where they differ.
If the layout looks wrong, explain the expected structure to the user and ask them to confirm or adjust before proceeding. Do not silently continue with a bad layout.
If the user has additional context available (meeting notes, scope documents, prior audit reports), ask whether they'd like to point Grimoire at those directories.
Create the following directories if they don't already exist:
project/
in_scope_repo/ # already present
grimoire/
findings/ # findings during this audit
sigil-findings/ # findings sourced from sigil agents
spells/ # scripts, PoCs, static analysis modules
tomes/ # documentation, detailed notes, learnings
tmp/ # temporary files and scripts
GRIMOIRE.md # main contextual map (created in step 6)
Documents in grimoire/tomes/ are cross-linked from GRIMOIRE.md using Obsidian-style wiki links:
[[tomes/auth-flow]] links to grimoire/tomes/auth-flow.md.
Optionally create if the user indicates they have relevant materials:
meeting_notes/ # context from client meetings
scope/ # scope documentation from client
Do not overwrite existing directories or files.
Explore the in-scope repository to answer these questions. Use subagents to parallelize exploration where possible.
Concrete details:
Problem and approach:
Start by reading documentation if available (README, docs/, wiki). Then scan the codebase structure, dependency manifests, and configuration files. Documentation conveys intent; code conveys reality. Cross-reference both.
Dive deeper into the codebase to understand structure and behavior. Use subagents to explore individual modules, components, or flows in parallel. Keep the main context focused on assembling the map.
Architecture (structure):
Primary flows (behavior):
Keep this high-level. The goal is a map for navigation, not a line-by-line audit. Detailed flow
analysis belongs in grimoire/tomes/ and will happen during the actual research.
Determine what matters most from a security perspective. In the end, we care about bugs that have impact. Crown jewels are the assets and capabilities that attackers would target.
Common crown jewels by domain:
For each crown jewel, note:
Consult references/domain-crown-jewels.md for a comprehensive breakdown of assets, attack
vectors, and exploitation patterns by domain.
This is an initial assessment. The user will refine crown jewels as the engagement progresses. GRIMOIRE.md is living memory.
Scope constraints are what the familiar agent uses to decide whether a finding is in or out
of bounds. Capture them structurally, not as prose. Read any materials the user pointed you
at (scope/, meeting_notes/, or client-provided docs) and extract:
When a clause is ambiguous, classify it as trust (the weaker claim). This errs toward surfacing findings rather than silently dismissing them.
If no scope materials exist, say so explicitly in the Scope section rather than leaving it empty — downstream triage needs to know the constraints are unknown, not assume none exist.
Assemble findings from steps 3-5 into GRIMOIRE.md at the project root. This file serves as:
Template:
# GRIMOIRE — [Project Name]
> Summoned: [date]
## Target
- **Language:** [languages]
- **Build/Test:** [build system, test framework]
- **Frameworks:** [key frameworks/libraries]
- **Integrations:** [external systems]
## Problem & Approach
[2-3 sentences: what the project does and how]
## Scope
- **In-scope:** [paths / contracts / components covered by this engagement]
- **Out-of-scope:** [explicit exclusions, with source]
### Capability assumptions (foreclose within granted capability)
- [role or actor]: can only [narrower capability]. Source: [scope doc / clause]
### Trust assumptions (context only; do not foreclose findings)
- [actor]: assumed to [act honestly / not behave adversarially]. Source: [scope doc / clause]
### Protocol invariants (claimed to hold)
- [invariant statement]. Source: [scope doc / clause]
[If no scope materials were provided: state "No scope materials available — constraints
unknown" so downstream triage is not silently uncalibrated.]
## Architecture
[High-level component map. Use a simple list or ASCII diagram. Keep it scannable.]
## Primary Flows
[List the main use cases / activities. For each: 1-2 line description of the flow path through
the system. More detail belongs in grimoire/tomes/.]
## Crown Jewels
[For each high-value target: asset, location, likely attack vectors. Bulleted list.]
## Attack Surface Notes
[Initial observations about security-relevant patterns, trust boundaries, areas that warrant
deeper investigation. Keep this brief — it will grow during the engagement.]
## Automation
[List any spellbook modules that were run or are available to run. Note results if applicable.]
Important constraints:
[[document-name]] cross-linking to reference detailed notes in grimoire/tomes/.examples/grimoire-md-example.md for a concrete reference of what a completed
GRIMOIRE.md looks like.After writing GRIMOIRE.md, kick off a subagent to review it. The subagent should read both GRIMOIRE.md and the in-scope codebase independently to verify accuracy and flag bloat. Do not skip this step — the main agent built context progressively and may have carried forward assumptions or included too much detail.
Subagent instructions:
Give the subagent the following mandate. It should read GRIMOIRE.md and then independently spot-check claims against the actual codebase:
Accuracy check — Verify factual claims against the codebase:
Bloat check — GRIMOIRE.md is loaded into every agent context. Every unnecessary line degrades future agent performance. Flag:
grimoire/tomes/Completeness check — Flag obvious gaps:
The subagent should return a short list of specific corrections, cuts, and additions. Apply them to GRIMOIRE.md before presenting the final version to the user. Show the user what the subagent found and what was changed.
Check if the user has a spellbook (prior static analysis modules, detection scripts, or research automation).
Look for:
spells/ directory content from previous engagementsIf automation modules exist:
If no spellbook exists yet:
If the researcher has a personal grimoire (~/.grimoire/sigils/), list what's available and
suggest running the Scribe GC skill (/scribe-gc with scope "both") to check for duplicates
between personal and project-local sigils before applying them.
Note in GRIMOIRE.md under Automation that new detection modules can be distilled from findings
as the engagement progresses using the Scribe agent (/scribe-distill).
After automation discovery, spawn sigil agents to hunt for known vulnerability patterns across the codebase. Each sigil is a single-context agent that hunts one bug pattern using a check from the spellbook.
Consult references/sigil-spawning.md for the subagent prompt template and detailed guidance.
Index available checks.
Run the index-checks.sh script from the checks skill's scripts/ directory, passing
grimoire/spells/checks/ as the target. If the directory does not exist or contains no
checks, note "No checks available — sigil swarm skipped" in GRIMOIRE.md under Automation
and skip this step. A fresh engagement with no prior checks is normal.
Filter by language.
Match each check's languages field against the languages identified in step 3 (the Target
section of GRIMOIRE.md). Only include checks whose language matches the target codebase.
Include checks with an empty or wildcard languages field regardless of target.
Run the select-checks.sh script from this skill's scripts/ directory, passing
grimoire/spells/checks/ and a comma-separated list of target languages from GRIMOIRE.md.
The script outputs only the checks that apply.
Confirm with the user.
Present the user with:
Ask whether to: spawn all, select a subset, or skip. Sigil spawning is the most expensive operation in the workflow — the user must explicitly approve it.
If there are more than 20 applicable checks, warn about the time cost and suggest filtering by tag or selecting a subset.
Spawn sigils.
For each approved check, spawn a subagent sigil. Process in batches of 5 to manage context budget. For each check, give the subagent these instructions:
<filepath> for the vulnerability patternreferences/sigil-spawning.md — formulate a hypothesis from
the check, search the codebase, evaluate evidence, produce a finding or dismissgrimoire/sigil-findings/<check-slug>.md where <check-slug> is the
check's filename without extension. If a check produces multiple findings, append a numeric
suffix (e.g., reentrancy-1.md, reentrancy-2.md)Wait for each batch of 5 to complete before spawning the next batch.
Collect and present results.
After all sigils complete, aggregate results. Present a summary:
## Sigil Swarm Results
Checks run: [N] | Findings: [N] | Dismissed: [N]
| Check | Verdict | Severity | Confidence | Finding |
|-------|---------|----------|------------|---------|
Group findings by severity (Critical/High first).
Familiar Triage. Invoke the familiar agent in batch triage mode (Mode 2) on
grimoire/sigil-findings/. The familiar will independently verify each finding, dismiss
false positives (moving them to grimoire/sigil-findings/dismissed/), and adjust severity
where warranted. Present the familiar's triage summary to the user instead of raw sigil
results.
Update GRIMOIRE.md.
Append to the Automation section:
grimoire/sigil-findings/ for detailsgrimoire/tomes/.