npx claudepluginhub kaivyy/perseus --plugin perseusThis skill uses the workspace's default tool permissions.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
IMPORTANT: This skill generates a professional security report for the user's own codebase. The report is intended to help developers and stakeholders understand and remediate security issues in their own software.
Report generation adapts remediation guidance based on detected language/framework:
| Language | Frameworks |
|---|---|
| JavaScript/TypeScript | Express, Fastify, Next.js, Nest.js |
| Go | Gin, Echo, Fiber, Chi |
| PHP | Laravel, Symfony, Slim |
| Python | FastAPI, Django, Flask |
| Rust | Actix-web, Axum, Rocket |
| Java | Spring Boot, Quarkus |
| Ruby | Rails, Sinatra |
| C# | ASP.NET Core |
This skill executes the Reporting Phase of the Perseus framework. It synthesizes findings from Scan, Audit, Exploit, and Specialist phases into a professional executive report.
Goal: Communicate verified risks effectively to stakeholders and drive remediation.
Methodology:
Read all files in deliverables/:
Core Phase Deliverables:
engagement_profile.md (Mode, scope, constraints)code_analysis_deliverable.md (Scan)*_analysis.md files (Audit)exploitation_report.md (Exploit)verification_scope.md (Verification limits and approved window)Specialist Deliverables (if present):
api_security_analysis.md (API + GraphQL + WebSocket + OAuth)injection_deep_analysis.md (NoSQL + SSTI + Log4j)crypto_security_analysis.md (JWT + Hashing + Encryption)supply_chain_analysis.md (CVEs + Typosquatting)file_security_analysis.md (Path Traversal + XXE + Zip Slip)business_logic_analysis.md (Race Conditions + AI Security)client_side_analysis.md (React/Vue/Angular + SSR)config_security_analysis.md (Docker + CI/CD + Cloud + K8s)Severity Scoring (CVSS-inspired):
| Severity | Criteria | Score |
|---|---|---|
| Critical | RCE, Auth Bypass, SQLi with data access, Admin takeover, Container escape, AI prompt injection leading to RCE | 9.0-10.0 |
| High | Stored XSS, SSRF to internal, Privilege Escalation, Sensitive data exposure, CI/CD injection, Public cloud storage | 7.0-8.9 |
| Medium | Reflected XSS, CSRF, Information disclosure, Missing security headers, Outdated dependencies, Docker misconfig | 4.0-6.9 |
| Low | Minor info leak, Best practice violations, Verbose errors, License issues | 0.1-3.9 |
Exploitability Factor:
Confidence Factor:
Verification Context Factor:
PRODUCTION_SAFE: Multiply by 1.0STAGING_ACTIVE: Multiply by 0.9LAB_FULL: Multiply by 0.85LAB_RED_TEAM: Multiply by 0.8POTENTIAL-PROD-BLOCKED: Multiply by 0.7Create deliverables/SECURITY_REPORT.md using this structure:
# Security Assessment Report
**Project:** [Project Name]
**Assessment Date:** [Date]
**Methodology:** Perseus Security Framework v2.0
**Scope:** [Repository/Application name]
**Engagement Mode:** [PRODUCTION_SAFE/STAGING_ACTIVE/LAB_FULL/LAB_RED_TEAM]
---
## Executive Summary
### Assessment Status
[Complete/Partial] - [X] phases completed, [Y] specialists run
### Technologies Analyzed
| Category | Detected |
|----------|----------|
| Language | [e.g., TypeScript, Go, Python] |
| Framework | [e.g., Next.js 14, Gin, FastAPI] |
| Database | [e.g., PostgreSQL, MongoDB, Redis] |
| Infrastructure | [e.g., Docker, Kubernetes, AWS] |
| CI/CD | [e.g., GitHub Actions, GitLab CI] |
| AI/LLM | [e.g., OpenAI, Anthropic, LangChain] |
### Risk Overview
| Severity | Verified | Potential | Total |
|----------|----------|-----------|-------|
| Critical | X | Y | Z |
| High | X | Y | Z |
| Medium | X | Y | Z |
| Low | X | Y | Z |
### Verification Coverage
| Category | Count |
|----------|-------|
| Verified | X |
| Failed Verification | Y |
| Potential (Prod Blocked) | Z |
| Aborted (Safety Kill-Switch) | W |
### Key Findings
1. **[Most Critical Finding]** - Brief description and impact
2. **[Second Critical Finding]** - Brief description and impact
3. **[Third Critical Finding]** - Brief description and impact
### Business Impact
- **Data Breach Risk:** [High/Medium/Low] - [Explanation]
- **Service Disruption:** [High/Medium/Low] - [Explanation]
- **Compliance Impact:** [Regulations affected: GDPR, PCI-DSS, HIPAA, SOC2, etc.]
- **Reputation Risk:** [High/Medium/Low] - [Explanation]
### Top 3 Recommendations
1. [Highest priority fix]
2. [Second priority fix]
3. [Third priority fix]
---
## Attack Surface Summary
### Technology Stack
- **Language:** [e.g., TypeScript]
- **Framework:** [e.g., Next.js 14 (App Router)]
- **Database:** [e.g., MongoDB, PostgreSQL]
- **Authentication:** [e.g., JWT, NextAuth, OAuth]
- **Infrastructure:** [e.g., Docker, Kubernetes, Vercel]
### Entry Points Analyzed
| Type | Count | Critical Paths |
|------|-------|----------------|
| API Endpoints | X | `/api/auth/*`, `/api/admin/*` |
| GraphQL | X | `mutation { ... }` |
| WebSocket | X | `/ws/chat` |
| File Upload | X | `/upload` |
| Server Actions | X | `app/actions/*` |
### Dependencies
- **Total Packages:** X
- **With Known CVEs:** Y
- **Critical CVEs:** Z (list package names)
### Infrastructure
- **Docker Images:** X
- **CI/CD Pipelines:** Y
- **Cloud Resources:** Z
---
## Critical Findings (Verified Exploits)
> Only findings verified in the Exploit Phase appear here.
### CRITICAL-001: [Title]
**Severity:** Critical (9.5)
**Status:** VERIFIED EXPLOITABLE
**Category:** [Injection/Auth/Config/AI/etc.]
**Language:** [Node.js/Go/Python/etc.]
#### Description
[Clear explanation of the vulnerability]
#### Location
- **File:** `path/to/file.js`
- **Line:** 42-48
- **Endpoint:** `POST /api/vulnerable`
#### Proof of Concept
[Minimal reproduction steps or payload]
#### Evidence
[Screenshot, response, or output proving exploitation]
#### Impact
- [Specific impact: data access, RCE, etc.]
- [Business impact: what could attacker do?]
#### Remediation
```javascript
// Vulnerable code
[code snippet]
// Fixed code (language-specific)
[code snippet]
Findings from Docker, CI/CD, Cloud, and Kubernetes analysis.
| Check | Status | Issue |
|---|---|---|
| Non-root user | PASS/FAIL | [Details] |
| Pinned base image | PASS/FAIL | [Details] |
| No secrets in image | PASS/FAIL | [Details] |
| Minimal base | PASS/FAIL | [Details] |
| Check | Status | Issue |
|---|---|---|
| No command injection | PASS/FAIL | [Details] |
| Minimal permissions | PASS/FAIL | [Details] |
| Secrets not in logs | PASS/FAIL | [Details] |
| Resource | Issue | Severity |
|---|---|---|
| S3 Bucket | Public access | Critical |
| Security Group | Open ports | High |
| Check | Status |
|---|---|
| Non-root pods | PASS/FAIL |
| Network policies | PASS/FAIL |
| RBAC configured | PASS/FAIL |
| Secrets encrypted | PASS/FAIL |
Findings from AI security analysis (if applicable).
| Check | Status | Risk |
|---|---|---|
| Prompt Injection Protection | PASS/FAIL | [Details] |
| Output Filtering | PASS/FAIL | [Details] |
| Tool Use Validation | PASS/FAIL | [Details] |
| RAG Access Control | PASS/FAIL | [Details] |
| Rate Limiting | PASS/FAIL | [Details] |
Type: [Prompt Injection/Data Leakage/Tool Abuse] ...
Findings from Audit that could not be verified but remain risky.
Severity: [Estimated] Reason Not Verified: [Why exploitation wasn't confirmed] Mode Constraint: [Why blocked in current mode] Recommendation: [What to do about it]
| Severity | Count | Notable Packages |
|---|---|---|
| Critical | X | [packages] |
| High | X | [packages] |
| Medium | X | [packages] |
| Package | License | Risk |
|---|---|---|
| [pkg] | GPL-3.0 | Copyleft in proprietary |
| Package | Current | Latest | Gap |
|---|---|---|---|
| [pkg] | X.Y.Z | A.B.C | [major/minor] |
Components analyzed and found to be properly secured.
| Component | Security Measures | Notes |
|---|---|---|
| Authentication | bcrypt, rate limiting, MFA | Properly implemented |
| SQL Queries | Parameterized queries | No injection found |
| Docker | Non-root, minimal image | Best practices followed |
| ... | ... | ... |
## Tone & Style
* **Professional:** Objective and factual. No hyperbole or fear-mongering.
* **Actionable:** Every finding has a language-specific remediation.
* **Developer-Focused:** Code examples for fixes in the detected language.
* **Business-Aware:** Explain impact in business terms, not just technical.
* **Infrastructure-Aware:** Include Docker, CI/CD, Cloud, K8s findings.
## Quality Checklist
Before finalizing the report, verify:
- [ ] All verified exploits are documented with evidence
- [ ] All findings have language-specific remediation guidance
- [ ] Severity ratings are consistent
- [ ] Infrastructure findings are included (Docker, CI/CD, Cloud, K8s)
- [ ] AI/LLM findings are included (if applicable)
- [ ] Supply chain summary is complete
- [ ] No sensitive data (real credentials, PII) is included
- [ ] Report can be shared with stakeholders
**Assessment Complete.** Report saved to `deliverables/SECURITY_REPORT.md`.