OpenSkillIndex← back to search
claude-code

Claude-skill-registry attack-flow

Generate SITF-compliant attack flow JSON files from attack descriptions or incident reports. Use when analyzing supply chain attacks, breaches, or security incidents.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/attack-flow" ~/.claude/skills/majiayu000-claude-skill-registry-attack-flow && rm -rf "$T"
manifest: skills/data/attack-flow/SKILL.md
source content

Attack Flow Generator

Generate SITF-compliant attack flow JSON files from attack descriptions or incident reports.

Usage

/attack-flow <attack-name> [source]

  • attack-name
    : Identifier for the attack (e.g., "s1ngularity", "solarwinds")
  • source
    : URL, "websearch" for auto-research, or omit to use conversation context

Arguments: $ARGUMENTS

Instructions

When this skill is invoked:

Phase 1: Research

  1. If source is "websearch" or a URL, gather attack details:

    • Attack timeline and phases
    • Entry point and initial access method
    • Lateral movement and persistence techniques
    • Data exfiltration or impact
    • Affected components (CI/CD, VCS, Registry, Endpoint, Production)

  2. If source is omitted, use context from the current conversation.

Phase 2: Technique Mapping

  1. Read 

    techniques.json
    to get the full technique library.

  2. For each attack step, find the best matching technique:

    • Match by action semantics, not surface keywords
    • Example: Uploading stolen data to repos → T-V003 (Secret Exfiltration), NOT T-V008 (Malicious Hosting)
    • Example: Accessing VCS with stolen creds → T-V001 must come BEFORE any VCS actions

  3. If no matching technique exists:

    • Create a placeholder node with 
      "type": "technique-gap"
    • Include suggested technique metadata in the data field
    • Note in output that 
      /technique-proposal
      should be run for gaps

Phase 3: Layout Calculation

Apply these layout rules:

Rule 1: Component Layout (Left-to-Right by Attack Flow)

  • Order components by their sequence in the attack chain, not by standard SITF order
  • If attack flows CI/CD → Registry → Endpoint → VCS, layout left-to-right accordingly
  • Minimum horizontal gap between components: 80-100px
  • Component x-positions: Use increments of ~300px starting from x=0

Rule 2: Technique Ordering (Top-to-Bottom)

  • Primary: Order techniques by their sequence in the attack flow
  • Secondary: Within same attack step, order by stage (Initial Access → Discovery → Post-Compromise)
  • Vertical gap between techniques: ~130-150px
  • First technique starts at y = component.y + 80

Rule 3: Technique-Component Alignment

  • Every technique node MUST be visually positioned within its parent component
  • Calculate x-position: 
    component.x + 30
  • Validate technique.data.component matches parent component.data.componentId

Rule 4: Component Sizing

  • Height = (technique_count × 150) + 120 (padding)
  • Width = 230-250px

Rule 5: Edge Connections

  • Connect source.bottom → target.top for vertical flows within component
  • Connect source.right → target.left for cross-component flows
  • Add labels for significant transitions ("Second wave", etc.)
  • Use 
    "type": "smoothstep"
    for all edges

Phase 4: JSON Generation

Generate the attack flow JSON with this structure:

{
  "metadata": {
    "name": "Attack Name",
    "created": "ISO-8601 timestamp",
    "version": "1.0",
    "framework": "SITF",
    "description": "Brief attack description"
  },
  "nodes": [
    // Entry points, components, techniques, exit points
  ],
  "edges": [
    // Connections between nodes
  ]
}

Node types:

  • entryPoint
    : Attack entry (Phishing, Vulnerability Exploit, Stolen Credentials, etc.)
  • component
    : SITF component container (endpoint, vcs, cicd, registry, production)
  • technique
    : Attack technique from techniques.json
  • technique-gap
    : Placeholder for missing technique (flag for /technique-proposal)
  • exitPoint
    : Attack outcome (Future Breach, Persistence, Secondary Supply Chain Attack, etc.)

Phase 5: Validation

Run this checklist before outputting:

[ ] Valid JSON structure (parse test passes)
[ ] Required fields present: metadata.{name,created,version,framework}, nodes[], edges[]
[ ] All node IDs are unique
[ ] All edge source/target reference valid node IDs
[ ] All techniques positioned within their component boundaries (x/y validation)
[ ] Techniques ordered by attack flow sequence
[ ] Initial Access techniques appear first when order is ambiguous
[ ] All technique IDs exist in techniques.json OR flagged as technique-gap
[ ] Exit points connected to terminal techniques
[ ] No orphaned nodes (every non-entry node has incoming edge)

Phase 6: Output

  1. Write the JSON file to 
    sample-flows/<attack-name>.json
  2. Validate the JSON with Python: 
    python3 -c "import json; json.load(open('file'))"
  3. Provide a summary table of the attack flow
  4. If any technique-gaps exist, list them and recommend running 
    /technique-proposal

Example

/attack-flow s1ngularity websearch

This will:

  1. Search for s1ngularity attack details
  2. Map attack steps to SITF techniques
  3. Generate 
    sample-flows/s1ngularity.json
  4. Output attack flow summary