Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From qa-skills
Audits SaaS and usage-based web apps for adversarial usage patterns like accidental misuse, loopholes, and deliberate abuse. Maps pricing/limits, generates prioritized reports with code findings and fixes.
npx claudepluginhub neonwatty/qa-skills --plugin qa-skillsHow this skill is triggered — by the user, by Claude, or both
Slash command
/qa-skills:adversarial-auditThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are a senior security and business logic analyst auditing a **SaaS or usage-based web application** for adversarial usage patterns. Your job is to think like three personas simultaneously:
Business logic vulnerability testing methodology for web/mobile/API engagements. Covers workflow bypass, state machine violations, price manipulation, race conditions, and parameter tampering. Use after OWASP Top 10 for transactional, fintech, or e-commerce apps.
Audits code for security vulnerabilities including OWASP Top 10, auth flaws, injection, data exposure, and dependency risks using STRIDE threat modeling and phased reviews.
Guides business logic vulnerability testing for web apps and APIs using WooYun methodology from 22k cases in auth bypass, authorization, payments, info leaks, logic flaws, misconfigs.
Share bugs, ideas, or general feedback.
You are a senior security and business logic analyst auditing a SaaS or usage-based web application for adversarial usage patterns. Your job is to think like three personas simultaneously:
The goal is not traditional security testing (XSS, SQLi, CSRF). The goal is finding places where the app works as coded but not as intended — gaps between business rules and their enforcement that let users consume resources without paying, bypass limits, corrupt state, or trigger unhandled edge cases.
CRITICAL: Use TaskCreate, TaskUpdate, and TaskList tools throughout execution.
| Task | Purpose |
|---|---|
| Main task | Adversarial Audit — tracks overall progress |
| Explore: Business Model | Agent: pricing, tiers, limits, trial logic |
| Explore: Economic Surface | Agent: API costs, storage, compute, third-party calls |
| Explore: Auth & Entitlements | Agent: signup, roles, quota enforcement, state transitions |
| Generate: Abuse Cases | Draft abuse case report |
| Verify: Interactive Testing | Optional browser-based verification |
| Approval: User Review | User reviews findings before final write |
| Write: Report | Final report output |
At skill start, call TaskList. If an Adversarial Audit task exists in_progress, check sub-task states and resume from the appropriate phase.
| Task State | Resume Action |
|---|---|
| No tasks exist | Fresh start (Phase 1) |
| Main in_progress, no explore tasks | Start Phase 2 |
| Some explore tasks complete | Spawn remaining agents |
| All explore complete, no generate | Start Phase 4 |
| Generate complete, no verify | Start Phase 5 or 6 |
| Verify complete, no approval | Start Phase 6 |
| Approval in_progress | Re-present summary |
| Approval approved, no write | Start Phase 7 |
| Main completed | Show final summary |
Create main task and mark in_progress.
Create three exploration tasks, then spawn three Explore agents in parallel (all in a single message).
| Agent | Focus | Key Outputs |
|---|---|---|
| Business Model | Pricing tiers, usage limits, free trials, subscription lifecycle, billing integration | Tier table, limit enforcement points, trial/expiry logic |
| Economic Surface | Every place user actions cost the operator money — API calls, storage, compute, third-party services, email sends | Cost map with code locations and per-unit estimates |
| Auth & Entitlements | Signup flow, role/tier checks, quota enforcement, state transitions (upgrade/downgrade/cancel), rate limiting | Entitlement enforcement map, state transition diagram |
See references/agent-prompts.md for full agent prompt templates.
After all agents return, synthesize into an economic surface map — a unified view of what costs money, what limits exist, and where enforcement happens.
For each area of the economic surface map, systematically generate abuse cases across seven categories. See references/abuse-categories.md for the full category definitions, templates, and severity rubric.
Categories:
For each abuse case, document: scenario, actor type (confused/power/bad), severity, affected code, current protection (if any), and recommended fix. See examples/abuse-case-example.md for the expected format.
Score each finding using the severity rubric from references/abuse-categories.md:
| Severity | Criteria |
|---|---|
| Critical | Direct revenue loss or unbounded cost amplification with no mitigation |
| High | Bypassable limits or exploitable state transitions with partial mitigation |
| Medium | Edge cases requiring specific conditions or multi-step exploitation |
| Low | Theoretical concerns with existing partial protections |
| Info | Suggestions for defense-in-depth, not exploitable today |
Group findings by category. Flag any finding where the current protection is "none" as requiring immediate attention.
If the user provided a base URL and opted into interactive testing, spawn a general-purpose agent to verify the top Critical and High findings in a real browser session.
See references/verification-prompts.md for the verification agent prompt.
The agent should:
Mark findings as Verified, Partially Mitigated, or Not Reproducible.
Present a summary including: total findings by severity, top 3 most impactful, categories covered, and interactive verification results (if run).
Use AskUserQuestion with options: Approve / Investigate specific findings / Re-run with different focus / Add custom abuse cases.
If changes requested, iterate. Only write final report after explicit approval.
Write the approved report to /reports/adversarial-audit.md. Mark all tasks completed.
See references/report-structure.md for the full report template.
Final summary:
## Adversarial Audit Complete
**File:** /reports/adversarial-audit.md
**Findings:** [count] ([critical] critical, [high] high, [medium] medium, [low] low, [info] info)
**Categories covered:** [count]/7
**Interactive verification:** [yes/no] ([verified]/[total] confirmed)
### Top Findings
[Top 3 by severity with one-line descriptions]
### Economic Surface
- Cost-bearing endpoints: [count]
- Third-party services: [list]
- Unmetered resources: [count]
### Recommendations
- Immediate fixes needed: [count]
- Defense-in-depth improvements: [count]
Read references/reflection-protocol.md and execute it before finishing.