From decx
Generates DECX vulnerability reports from proof-graph finalized findings. Use after decx-app-vulnhunt or decx-framework-vulnhunt. Prefers HTML output; optionally emits Markdown.
Slash command
/decx:decx-report
Use this skill only for report writing from existing finalized finding records in the evidence graph.
Use only when the user asks for a report from existing DECX finalized findings or residual candidate summaries. Query the evidence graph with node scripts/decx-analysis-db.mjs. Do not use for vulnerability discovery, chain tracing, PoC construction, or generic security-report templates. If no finalized findings exist, route back to the relevant vulnhunt skill.
```bash
# All complete evidence chains
node scripts/decx-analysis-db.mjs chains <dir> --root-prefix entrypoint --leaf-prefix impact
# Single chain detail
node scripts/decx-analysis-db.mjs path <dir> --from <entrypoint_fact> --to <sink_fact>
node scripts/decx-analysis-db.mjs ancestors <dir> --fact <sink_fact>
# Full graph export
node scripts/decx-analysis-db.mjs export <dir>
# Unresolved intents (residual section)
node scripts/decx-analysis-db.mjs intents <dir> --status open
# Re-fetch minimal source for evidence quotes
decx code method-source "<method>" -P <port>
```
Determine target kind from fact prefixes: service-entrypoint or binder-reachability → framework; otherwise app.
| Rule | Rationale |
|---|---|
| Report only chains proven via path or chains queries | unproven chains are not findings |
| Keep unresolved intents in residual section | open intents are not confirmed issues |
| Never write verified / runtime-validated / poc-validated | report mirrors DB state; promotion is vulnhunt's job |
| Do not invent missing guards, call-chain nodes, impact, or bypass conditions | fabricated evidence fails review |
| Default language: Chinese (zh); English/bilingual only when explicitly requested | language contract |
| Prefer HTML output; Markdown only when requested or environment requires it | output contract |
| Minimal source citations only; no full DB dumps | context + artifact hygiene |
| Anchors (findingId / sourceId-sinkId-flowSig) must match between HTML and Markdown | cross-format integrity |
Chain origin by target kind:
- entrypoint prefix: start from exported component callback (Activity onCreate/onNewIntent, Receiver onReceive, Provider query/insert/update/delete/call, Service onBind/onStartCommand). NOT from AttackerApp.*, bindService, startActivity, sendBroadcast, ContentResolver.*, adb, or PoC driver.
- service-entrypoint/binder-reachability prefix: start from Binder service / Stub / manager facade entry. Include identity + authorization at trust boundary (identity + permission-guard/appop-guard/user-guard).
- Attack Path.

Four sections per finding (equal visual weight, each <section> with <h2>):
- meta-row (component/permission/process)
- pre evidence
- .fix callout

组合链利用 (combined-chain exploitation) must contain:
- enable/carry/amplify/bypass, why realistic

When a finding cannot compose: show dead-end notice with reason. Do not skip composition analysis — explain which compositions were evaluated and rejected.
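The rules above (target kind from fact prefixes, chain origin, trust-boundary facts, no promoted status words, anchor parity) can be checked mechanically before a report is handed over. The following is an added example, not code from DECX: the finding shape `{ facts: [{ id, method }], text, htmlAnchors, mdAnchors }`, the fact ids, and the `IFoo` interface are assumptions made for illustration and are not the output format of `decx-analysis-db.mjs`.

```javascript
// Added example, not DECX code. Finding shape and fact ids are constructed assumptions.
const FRAMEWORK_PREFIXES = ["service-entrypoint", "binder-reachability"];
const GUARD_PREFIXES = ["permission-guard", "appop-guard", "user-guard"];
// Caller-side names the page says must not open an app chain.
const CALLER_SIDE = /^(AttackerApp\.|ContentResolver\.|bindService\b|startActivity\b|sendBroadcast\b|adb\b)/;
const PROMOTED_STATUS = /\b(verified|runtime-validated|poc-validated)\b/i;

const hasPrefix = (facts, prefixes) =>
  facts.some((f) => prefixes.some((p) => f.id.startsWith(p)));

// Page rule: service-entrypoint or binder-reachability -> framework; otherwise app.
function targetKind(facts) {
  return hasPrefix(facts, FRAMEWORK_PREFIXES) ? "framework" : "app";
}

function lintFinding({ facts, text, htmlAnchors, mdAnchors }) {
  const issues = [];
  const kind = targetKind(facts);
  if (kind === "app" && CALLER_SIDE.test(facts[0].method)) {
    issues.push("chain-origin: starts at caller side, not an exported component callback");
  }
  if (kind === "framework" &&
      !(hasPrefix(facts, ["identity"]) && hasPrefix(facts, GUARD_PREFIXES))) {
    issues.push("trust-boundary: identity + guard facts missing");
  }
  if (PROMOTED_STATUS.test(text)) {
    issues.push("status: report text claims a promoted state");
  }
  // Anchor parity only applies when a Markdown report is also emitted.
  if (mdAnchors && [...htmlAnchors].sort().join() !== [...mdAnchors].sort().join()) {
    issues.push("anchors: HTML and Markdown anchor sets differ");
  }
  return { kind, issues };
}

// Constructed sample findings (not real DECX records).
const appFinding = {
  facts: [{ id: "entrypoint:recv", method: "AttackerApp.sendPayload" },
          { id: "impact:file-write", method: "Store.write" }],
  text: "Chain proven via path query; poc-validated.",
  htmlAnchors: ["F-001"], mdAnchors: ["F-001", "F-002"],
};
const fwFinding = {
  facts: [{ id: "service-entrypoint:stub", method: "IFoo.Stub.onTransact" },
          { id: "identity:calling-uid", method: "Binder.getCallingUid" },
          { id: "permission-guard:check", method: "Context.enforceCallingPermission" }],
  text: "Chain proven via chains query.", htmlAnchors: ["F-010"],
};
console.log(lintFinding(appFinding), lintFinding(fwFinding));
```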
Default: report.html — standalone HTML with inline CSS, no remote resources, residual candidates in separate section.
Optional: report.md only when requested. Content semantically identical to HTML.
Templates: assets/report-template-html.html, optional assets/report-template-zh.md, assets/report-template-en.md.
- AttackerApp.* or PoC driver
- decx code method-source on exact signature, do not infer from training data
- identity + guard facts at trust boundary
- assets/report-template-html.html
- assets/report-template-zh.md (optional)
- assets/report-template-en.md (optional)

npx claudepluginhub jygzyc/decx --plugin decx