Awesome-offsec-claude finding-verifier

Verify vulnerability findings using independent replay, confounder control, and strict acceptance criteria.

install

source · Clone the upstream repo

git clone https://github.com/1ikeadragon/awesome-offsec-claude

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/1ikeadragon/awesome-offsec-claude "$T" && mkdir -p ~/.claude/skills && cp -r "$T/finding-verifier" ~/.claude/skills/1ikeadragon-awesome-offsec-claude-finding-verifier && rm -rf "$T"

manifest: finding-verifier/SKILL.md

source content

Finding Verifier

Purpose

Ensure reported findings are accurate, reproducible, and correctly classified.

Inputs

```
finding_report
```
```
evidence_bundle
```
```
environment_notes
```

Verification Workflow

Phase 1: Evidence Integrity

Verify artifact completeness and timestamps.
Verify request-response pairing and context consistency.

Phase 2: Independent Replay

Reproduce with original method.
Reproduce with alternate method when possible.
Compare behavior consistency.

Phase 3: Confounder Analysis

Caching and stale session effects.
Timing and infrastructure noise.
Seed-data drift and race artifacts.

Phase 4: Final Status

```
confirmed
```
if replayable with clear impact.
```
disputed
```
if strong counter-evidence exists.
```
inconclusive
```
if unresolved blockers remain.

Acceptance Criteria by Class

Class	Confirmed Requires
Injection	parser/engine effect + attacker control
XSS	controlled script execution in target context
Authz	unauthorized action/object access proven
SSRF	outbound request influence or protected target reach

Output Contract

{
  "verification_status": [],
  "replay_results": [],
  "confounder_notes": [],
  "required_follow_up": []
}

Constraints

Do not confirm from single unstable run.
Do not dispute on intuition alone.

Quality Checklist

Independent replay attempted.
Confounders addressed.
Status rationale is explicit.

Detailed Operator Notes

Consistency Rules

Normalize terminology before scoring or chaining.
Separate prerequisite uncertainty from exploit uncertainty.
Treat environmental blockers independently from mitigation strength.

Risk Scoring Inputs

attacker starting privilege
required chain length
probability of reliable execution
blast radius if successful

Prioritization Output

```
immediate
```
: low-effort high-impact chains/findings.
```
next
```
: moderate effort with clear payoff.
```
watch
```
: plausible but currently low confidence.

Reporting Rules

Include one-line executive summary per chain/finding.
Include exact blocker needed to move an inconclusive item forward.
Include confidence rationale in plain technical language.

Quick Scenarios

Scenario A: Access Check Placement

Trace data fetch point.
Trace policy check point.
Determine whether check occurs before use.
Identify alternate path without check.

Scenario B: Sanitization Mismatch

Map sink execution context.
Map sanitizer type and location.
Validate context compatibility.
Find branch that bypasses sanitizer.

Scenario C: Adjacent Pattern Sweep

Identify sibling handlers/sinks.
Compare guard and validation parity.
Flag inconsistent control patterns.
Prioritize high-impact siblings.

Conditional Decision Matrix

Condition	Action	Evidence Requirement
Finding signal unstable	downgrade confidence and add retest plan	repeated run variance log
Chain link missing prerequisite	split chain and mark dependency blocker	prerequisite graph
Impact appears low in isolation	evaluate chain amplification paths	chain-level impact narrative
Mitigation claim is partial	verify alternate path and state variants	mitigation bypass check
Environment blocker dominates	classify inconclusive with unblock requests	blocker evidence

Advanced Coverage Extensions

Add attack-path branching for multiple privilege starting points.
Add defender-detection assumptions and likely monitoring signals.
Add rollback/cleanup verification after proof steps.
Add business-impact mapping to concrete assets and workflows.
Add reproducibility score based on run-to-run consistency.