Skills vulnhunter
Security vulnerability detection and variant analysis skill. Use when hunting for dangerous APIs, footgun patterns, error-prone configurations, and vulnerability variants across codebases. Combines sharp edges detection with variant hunting methodology.
install
source · Clone the upstream repo
git clone https://github.com/sendaifun/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/sendaifun/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/vulnhunter" ~/.claude/skills/sendaifun-skills-vulnhunter && rm -rf "$T"
manifest:
skills/vulnhunter/SKILL.mdsource content
VulnHunter - Security Vulnerability Detection & Analysis
A comprehensive security audit skill for identifying dangerous APIs, footgun patterns, error-prone configurations, and hunting for vulnerability variants across codebases. Inspired by Trail of Bits' sharp-edges and variant-analysis methodologies.
Overview
VulnHunter combines two powerful security analysis techniques:
- Sharp Edges Detection - Identify error-prone APIs, dangerous defaults, and footgun designs
- Variant Analysis - Find similar vulnerabilities across codebases using pattern-based analysis
When to Use VulnHunter
Activate this skill when:
- Conducting security code reviews or audits
- Reviewing third-party dependencies for dangerous patterns
- Hunting for variants of known vulnerabilities
- Assessing API design for security footguns
- Pre-audit reconnaissance of unfamiliar codebases
Sharp Edges Detection
Categories of Sharp Edges
1. Dangerous Default Configurations
Look for configurations that are insecure by default:
- CORS: Access-Control-Allow-Origin: * - Debug modes enabled in production - Default credentials or API keys - Permissive file permissions (777, 666) - SSL/TLS verification disabled - Insecure deserialization settings
2. Error-Prone APIs
Memory Safety:
// Dangerous: No bounds checking strcpy(), strcat(), sprintf(), gets() memcpy() without size validation // Safer alternatives strncpy(), strncat(), snprintf(), fgets() memcpy_s() with explicit size
Cryptography Footguns:
- ECB mode encryption - MD5/SHA1 for security purposes - Hardcoded IVs or salts - Custom crypto implementations - Random without CSPRNG (Math.random for tokens)
Concurrency Issues:
- Race conditions in file operations - Time-of-check to time-of-use (TOCTOU) - Double-checked locking anti-patterns - Non-atomic increment/decrement operations
3. Language-Specific Footguns
JavaScript/TypeScript:
// Dangerous patterns eval(), new Function(), setTimeout(string) innerHTML, outerHTML, document.write() Object.assign() for deep clone (shallow only!) == instead of === (type coercion)
Python:
# Dangerous patterns pickle.loads(untrusted) # RCE vector yaml.load(untrusted) # Use safe_load exec(), eval() os.system(), subprocess with shell=True
Rust:
// Patterns requiring extra scrutiny unsafe { } .unwrap() in production code mem::transmute() raw pointer dereference
Solidity/Smart Contracts:
// High-risk patterns tx.origin for authentication // Phishing vulnerable delegatecall to untrusted // Storage collision selfdestruct // Permanent destruction block.timestamp for randomness // Miner manipulable
Sharp Edges Checklist
When reviewing code, systematically check for:
- Authentication bypasses - Missing auth checks, default credentials
- Authorization flaws - Privilege escalation, IDOR patterns
- Injection vectors - SQL, Command, Template, XSS
- Cryptographic weaknesses - Weak algorithms, improper key handling
- Resource exhaustion - Unbounded loops, memory allocation
- Race conditions - TOCTOU, concurrent state modification
- Information disclosure - Verbose errors, debug endpoints
- Deserialization - Untrusted data unmarshaling
- Path traversal - User-controlled file paths
- SSRF vectors - User-controlled URLs, redirects
Variant Analysis
The Variant Hunting Process
- Identify the Root Cause - Understand WHY a vulnerability exists
- Extract the Pattern - What code structure enables it?
- Generalize the Pattern - Create regex/AST patterns
- Search Codebase - Hunt for similar structures
- Validate Findings - Confirm each variant is exploitable
Pattern Extraction Templates
Template 1: Missing Validation Pattern
Original bug: User input flows to SQL query without sanitization Pattern: [user_input] -> [sink_function] without [validation_function] Search for: - Direct database calls with string concatenation - ORM raw query methods with user parameters - Similar data flows in adjacent modules
Template 2: Authentication Bypass
Original bug: Endpoint missing auth middleware Pattern: Route definition without auth decorator/middleware Search for: - Routes defined after the vulnerable one - Similar API patterns in other modules - Admin/internal endpoints
Template 3: Race Condition
Original bug: Check-then-act without atomicity Pattern: if (check_condition()) { act_on_condition() } Search for: - File existence checks followed by file operations - Permission checks followed by privileged actions - Balance checks followed by transfers
Search Strategies
Grep-Based Search
# Find potential SQL injection grep -rn "execute.*%s" --include="*.py" grep -rn "query.*\+" --include="*.js" # Find dangerous deserialize grep -rn "pickle.loads\|yaml.load\|eval(" --include="*.py" # Find command injection vectors grep -rn "os.system\|subprocess.*shell=True" --include="*.py"
Semantic Search (AST-Based)
For more precise matching, use AST-based tools:
- Semgrep - Cross-language semantic grep
- CodeQL - GitHub's semantic analysis
- tree-sitter - Universal parser
Variant Analysis Report Template
## Variant Analysis Report ### Original Finding - **ID**: FINDING-001 - **Severity**: High - **Root Cause**: [Description] - **Affected File**: path/to/file.ext:line ### Pattern Extracted [Code pattern or regex] ### Variants Discovered | # | Location | Severity | Status | Notes | |---|----------|----------|--------|-------| | 1 | file.ext:42 | High | Confirmed | Same root cause | | 2 | other.ext:100 | Medium | Suspected | Needs validation | ### Recommendations [Systematic fix approach]
Workflow
Phase 1: Reconnaissance
- Identify technology stack and languages
- Map entry points (APIs, CLI, file inputs)
- Locate authentication/authorization logic
- Find cryptographic operations
- Identify external integrations
Phase 2: Sharp Edges Scan
- Run through sharp edges checklist
- Focus on security-critical paths
- Document all suspicious patterns
- Cross-reference with known CVEs
Phase 3: Variant Hunting
- For each finding, extract pattern
- Search for variants systematically
- Validate each potential variant
- Assess aggregate risk
Phase 4: Reporting
- Consolidate findings by category
- Assign severity ratings
- Provide remediation guidance
- Highlight systemic issues
Integration with Static Analysis
Semgrep Rules for Common Patterns
# Example: Detect SQL injection in Python rules: - id: sql-injection-format patterns: - pattern: $CURSOR.execute($QUERY % ...) message: "Potential SQL injection via string formatting" severity: ERROR languages: [python]
CodeQL Queries
// Find tainted data flowing to dangerous sinks import python import semmle.python.dataflow.TaintTracking from DataFlow::PathNode source, DataFlow::PathNode sink where TaintTracking::localTaint(source.getNode(), sink.getNode()) and sink.getNode().asExpr().(Call).getTarget().getName() = "execute" select sink, source, sink, "Tainted input reaches SQL execution"
Examples
See the
/examples- Real-world sharp edges examples by language
- Variant analysis case studies
- Pattern extraction walkthroughs
Resources
- Comprehensive catalog of dangerous patternsresources/sharp-edges-catalog.md
- Common vulnerability pattern templatesresources/variant-patterns.md
- Report template for variant analysistemplates/variant-report.md
Guidelines
- Always verify - Don't report theoretical issues as confirmed vulnerabilities
- Context matters - A pattern may be safe in one context, dangerous in another
- Prioritize exploitability - Focus on patterns that lead to real impact
- Document assumptions - Note any threat model assumptions
- Systemic over point fixes - Recommend architectural improvements when patterns repeat
Skill Files
vulnhunter/ ├── SKILL.md # This file ├── resources/ │ ├── sharp-edges-catalog.md # Categorized dangerous patterns │ └── variant-patterns.md # Vulnerability pattern templates ├── examples/ │ ├── smart-contracts/ # Solidity/blockchain examples │ ├── web-apps/ # Web application examples │ └── native-code/ # C/C++/Rust examples ├── templates/ │ └── variant-report.md # Analysis report template └── docs/ └── methodology.md # Detailed methodology guide