Claude-skill-registry analyzing-taint-flow

Tracks untrusted input propagation from sources to sinks in binary code to identify injection vulnerabilities. Use when analyzing data flow, tracing user input to dangerous functions, or detecting command/SQL injection.

install

source · Clone the upstream repo

git clone https://github.com/majiayu000/claude-skill-registry

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/analyzing-taint-flow" ~/.claude/skills/majiayu000-claude-skill-registry-analyzing-taint-flow && rm -rf "$T"

manifest: skills/data/analyzing-taint-flow/SKILL.md

Taint Analysis

Detection Workflow

Identify sources: Find recv, read, getenv, fgets, scanf, argv (input functions)
Identify sinks: Find system, popen, strcpy, sprintf, execve, malloc (dangerous functions)
Find taint paths: Use
```
xrefs_to
```
to trace from sources to sinks
Analyze sanitization: Check for input validation, length checks, character filtering, encoding/escaping
Assess risk: Determine reachability, check if attacker controls critical parts, evaluate exploitability

Key Patterns

Direct command injection: recv() -> buffer -> sprintf(cmd, "echo %s", buffer) -> system(cmd)
Path traversal: fgets() -> filename -> fopen(filename, "r")
Buffer overflow via tainted size: recv() -> size_buffer -> atoi(size_buffer) -> malloc(size)

Output Format

Report taint paths with: source (function, address, context), sink (function, address, context), path (list of functions), sanitizers_found, is_vulnerable, confidence, vulnerability_type.

Severity Guidelines

CRITICAL: Direct injection with no sanitization (command injection, SQL injection)
HIGH: Path traversal, buffer overflow via tainted size
MEDIUM: Potential injection with partial sanitization
LOW: Tainted data with limited impact