Build and maintain a vulnerability gadget inventory for chaining — catalog every finding with its chaining potential and map bug-to-bug relationships
From greyhatcc (install: npx claudepluginhub overtimepog/greyhatcc --plugin greyhatcc). This skill uses the workspace's default tool permissions.
- /greyhatcc:gadgets show [program] — Display current gadget inventory
- /greyhatcc:gadgets add <finding_description> — Add a gadget to inventory
- /greyhatcc:gadgets chain — Analyze all gadgets for chaining opportunities
- /greyhatcc:gadgets check <new_finding> — Check if a new finding chains with existing gadgets

Before executing this skill:
- .greyhatcc/scope.json — verify target is in scope, note exclusions
- .greyhatcc/hunt-state.json — check active phase, resume context
- findings_log.md, tested.json, gadgets.json — avoid duplicating work

Also load:
A gadget is ANY finding — even informational — that could serve as input, precondition, or amplifier for another vulnerability. The core philosophy: "Does bug A produce input for bug B?"
Low-severity gadgets that seem worthless alone become HIGH/CRITICAL when chained.
When a v7 hunt is active (hunt-state/ directory exists):
- hunt-state/gadgets.json (array of Gadget objects matching the Gadget interface from src/shared/hunt-types.ts)
- provides/requires arrays and discovered_by (WorkItem ID) fields

Legacy storage:
File: bug_bounty/<program>_bug_bounty/gadgets.json
When reading/writing gadgets, check hunt-state/gadgets.json first. If it exists, use it as the primary source.
```json
{
  "program": "program_name",
  "last_updated": "2026-02-24",
  "gadgets": [
    {
      "id": "G-001",
      "finding_id": "F-001",
      "title": "Dangling CNAME on ag.syfe.com",
      "type": "subdomain-takeover",
      "asset": "ag.syfe.com",
      "severity_alone": "MEDIUM",
      "description": "Cloudflare Error 1016 — origin deprovisioned, CNAME still proxied",
      "provides": ["trusted_origin", "js_hosting", "cookie_scope"],
      "requires": [],
      "chains_with": ["G-002"],
      "chain_impact": "Provides trusted *.syfe.com origin for CORS bypass → authenticated API access",
      "status": "confirmed",
      "evidence": "evidence/F-001/"
    },
    {
      "id": "G-002",
      "finding_id": "F-006",
      "title": "Wildcard CORS on api-au.syfe.com",
      "type": "cors-misconfiguration",
      "asset": "api-au.syfe.com",
      "severity_alone": "MEDIUM",
      "description": "Reflects any *.syfe.com origin with credentials:true",
      "provides": ["cross_origin_read", "cross_origin_write", "credential_relay"],
      "requires": ["trusted_origin"],
      "chains_with": ["G-001"],
      "chain_impact": "With G-001: full authenticated financial data theft + account modification (HIGH, CVSS 8.7)",
      "status": "confirmed",
      "evidence": "evidence/F-006/"
    }
  ],
  "chains": [
    {
      "id": "CHAIN-001",
      "name": "Subdomain Takeover → CORS Bypass → Financial Data Theft",
      "gadgets": ["G-001", "G-002"],
      "severity_chained": "HIGH",
      "cvss_chained": 8.7,
      "description": "Claim dangling ag.syfe.com → host JS → CORS reads authenticated API → exfil financial data + modify bank accounts",
      "report": "reports/006_cors_subdomain_bypass.md",
      "status": "reported"
    }
  ]
}
```
| Field | Purpose |
|---|---|
| provides | What this gadget gives to the chain — capabilities it unlocks |
| requires | What this gadget needs from another gadget — its prerequisites |
| chains_with | Direct references to gadgets it connects with |
| chain_impact | What the combined chain achieves (the "so what") |
| severity_alone | Severity if reported standalone |
| status | discovered → confirmed → chained → reported |
### provides / requires Vocabulary

Use these consistent tags for automated chain matching:
Capabilities (provides/requires):
- trusted_origin → Can serve content from a trusted domain
- js_hosting → Can host and execute JavaScript on trusted origin
- cookie_scope → Can read/set cookies on the target's domain
- cross_origin_read → Can read responses cross-origin with credentials
- cross_origin_write → Can write/mutate cross-origin with credentials
- credential_relay → Can relay auth tokens/OTPs cross-origin
- ssrf → Can make server-side requests to arbitrary URLs
- cloud_credentials → Has cloud IAM/API credentials
- admin_access → Has administrative access
- user_pii → Has access to user personal data
- auth_bypass → Can bypass authentication
- session_token → Has a valid session token for another user
- code_execution → Can execute code on the server
- file_read → Can read arbitrary files on the server
- file_write → Can write files to the server
- redirect → Can redirect users to arbitrary URLs
- internal_network → Can access internal network resources
- api_endpoint → Discovered undocumented API endpoint
- api_key → Has a valid API key or secret
- user_enumeration → Can enumerate valid usernames/emails
- debug_info → Has debug/error information disclosing internals
When /greyhatcc:gadgets chain is invoked:
For each gadget, map provides → requires relationships. A chain exists when gadget A's provides satisfies gadget B's requires.
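The matching rule above, together with the controlled tag vocabulary it depends on, as an added Python example (this is illustrative code written for this page, not code from the greyhatcc plugin). It loads gadgets in the page's schema, rejects tags outside the vocabulary, finds every provides → requires link, lists gadgets that take part in no chain for the "Unchained Gadgets" table, and answers the `gadgets check` question for a candidate finding. The sample inventory and its placeholder assets are constructed, and the function names (`find_chains`, `unchained`, `check_new`, `standalone_max`) are this example's own.

```python
"""Gadget chain matcher over a gadgets.json inventory.

Added example for this page; it is not code from the greyhatcc plugin.
It applies the rule "gadget A's provides satisfies gadget B's requires"
to gadgets in the page's schema, validates tags against the skill's
controlled vocabulary, and produces the raw material for the chain
report: discovered chains, unchained gadgets, and a check of whether a
new finding chains with the existing inventory. The sample gadgets are
constructed (placeholder assets); the function names are this example's own.
"""
import json
from itertools import permutations

# Controlled vocabulary copied from the skill's provides/requires tag list.
# Tags outside it silently break automated matching, so validate() flags them.
VOCABULARY = frozenset({
    "trusted_origin", "js_hosting", "cookie_scope", "cross_origin_read",
    "cross_origin_write", "credential_relay", "ssrf", "cloud_credentials",
    "admin_access", "user_pii", "auth_bypass", "session_token",
    "code_execution", "file_read", "file_write", "redirect",
    "internal_network", "api_endpoint", "api_key", "user_enumeration",
    "debug_info",
})

SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed inventory in the page's gadget schema (assets are placeholders,
# not real hosts). Fields not needed for matching are omitted.
SAMPLE_GADGETS = json.loads("""
[
  {"id": "G-001", "type": "subdomain-takeover", "asset": "dangling.example.test",
   "severity_alone": "MEDIUM", "provides": ["trusted_origin", "js_hosting"],
   "requires": [], "status": "confirmed"},
  {"id": "G-002", "type": "cors-misconfiguration", "asset": "api.example.test",
   "severity_alone": "MEDIUM", "provides": ["cross_origin_read"],
   "requires": ["trusted_origin"], "status": "confirmed"},
  {"id": "G-004", "type": "open-redirect", "asset": "www.example.test",
   "severity_alone": "LOW", "provides": ["redirect"], "requires": [],
   "status": "discovered"}
]
""")


def validate(gadget):
    """Return the tags on a gadget that are not in the controlled vocabulary."""
    tags = set(gadget.get("provides", [])) | set(gadget.get("requires", []))
    return tags - VOCABULARY


def find_chains(gadgets):
    """Return (provider_id, consumer_id, satisfied_tags) for every ordered pair
    where the first gadget's provides intersects the second's requires."""
    chains = []
    for provider, consumer in permutations(gadgets, 2):
        satisfied = sorted(set(provider["provides"]) & set(consumer["requires"]))
        if satisfied:
            chains.append((provider["id"], consumer["id"], satisfied))
    return chains


def unchained(gadgets):
    """Gadgets that take part in no chain, with what they offer and what they
    still lack: the input for the 'Unchained Gadgets (Potential)' table."""
    linked = {gid for chain in find_chains(gadgets) for gid in chain[:2]}
    available = {tag for g in gadgets for tag in g["provides"]}
    return {
        g["id"]: {
            "provides": sorted(g["provides"]),
            "unmet_requires": sorted(set(g["requires"]) - available),
        }
        for g in gadgets if g["id"] not in linked
    }


def check_new(gadgets, candidate):
    """Chains a candidate gadget would form with the inventory, in either
    direction (the 'gadgets check <new_finding>' command)."""
    return [c for c in find_chains(gadgets + [candidate]) if candidate["id"] in c[:2]]


def standalone_max(gadgets, ids):
    """Highest severity_alone among the gadgets in a chain ('Standalone Max')."""
    sev = [g["severity_alone"] for g in gadgets if g["id"] in ids]
    return max(sev, key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    for g in SAMPLE_GADGETS:
        assert not validate(g), f"{g['id']} uses unknown tags: {validate(g)}"
    for provider, consumer, tags in find_chains(SAMPLE_GADGETS):
        print(f"chain {provider} -> {consumer} via {tags}; "
              f"standalone max {standalone_max(SAMPLE_GADGETS, [provider, consumer])}")
    for gid, info in unchained(SAMPLE_GADGETS).items():
        print(f"unchained {gid}: provides {info['provides']}, "
              f"waiting for {info['unmet_requires'] or 'a consumer of its provides'}")
    new = {"id": "G-009", "severity_alone": "LOW", "provides": ["session_token"],
           "requires": ["redirect"]}
    print("new finding chains with:", check_new(SAMPLE_GADGETS, new))
```

The matcher only finds pairs; the chained severity and CVSS stay analyst judgments, which is why the example computes the standalone maximum but leaves `severity_chained` to the report author. Running `validate()` before writing to gadgets.json is the cheap check that keeps a misspelled tag from hiding a chain.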
Test against these classic patterns:
| Chain Pattern | Gadgets Needed | Result |
|---|---|---|
| Open Redirect + OAuth | redirect + OAuth flow on target | Token theft → ATO |
| Self-XSS + CSRF | XSS (even self) + CSRF on same form | Forced XSS → session hijack |
| Subdomain Takeover + CORS | trusted_origin + permissive CORS | Authenticated data theft |
| SSRF + Cloud Metadata | ssrf + cloud deployment | IAM credentials → cloud takeover |
| IDOR + PII Endpoint | Sequential IDs + PII response | Mass data breach |
| API Downgrade + Auth Bypass | Old API version + missing auth | Unauthenticated access to v2+ data |
| Info Disclosure + Credential Stuffing | Leaked emails/usernames + password resets | Account takeover |
| JWT Confusion + Admin Claims | Algorithm confusion + role claim modification | Privilege escalation |
| File Upload + Path Traversal | Write capability + traversal | Remote code execution |
| SSTI + Any Input | Template injection + user-controlled input | Remote code execution |
For each discovered chain:
## Chain Analysis Results
### New Chains Discovered
| Chain | Gadgets | Standalone Max | Chained Severity | Delta |
|-------|---------|---------------|------------------|-------|
| CHAIN-002 | G-003 + G-005 | MEDIUM | HIGH | +1 tier |
### Unchained Gadgets (Potential)
| Gadget | Provides | Waiting For |
|--------|----------|-------------|
| G-004 | redirect | OAuth flow target |
| G-007 | user_enumeration | Valid credential source |
### Recommendations
1. [Finding X + Finding Y should be combined into one report]
2. [Finding Z needs a prerequisite — test for Y to complete the chain]
3. [Finding W is informational alone but becomes medium if we find X]
| Event | Action |
|---|---|
| New finding discovered | Add gadget with provides/requires tags |
| New finding chains with existing | Update both gadgets' chains_with, create chain entry |
| Report submitted | Update gadget/chain status to reported |
| Finding invalidated | Update gadget status to invalid, remove from active chains |
| New recon data | Check if new assets create new chain opportunities |
This skill is referenced by:
- exploit-worker (opus) for novel chain identification and PoC development
- intel-worker (sonnet) as part of the periodic intel module

When delegating to agents via Task(), ALWAYS:
After completing this skill:
- tested.json — record what was tested (asset + vuln class)
- gadgets.json — add any informational findings with provides/requires tags for chaining
- findings_log.md — log any confirmed findings with severity