vulnhunter
Security vulnerability detection and variant analysis skill. Use when hunting for dangerous APIs, footgun patterns, error-prone configurations, and vulnerability variants across codebases. Combines sharp edges detection with variant hunting methodology.
```bash
git clone --depth 1 https://github.com/sendaifun/skills /tmp/vulnhunter && cp -r /tmp/vulnhunter/skills/vulnhunter ~/.claude/skills/vulnhunter
```
SKILL.md
# VulnHunter - Security Vulnerability Detection & Analysis
A comprehensive security audit skill for identifying dangerous APIs, footgun patterns, error-prone configurations, and hunting for vulnerability variants across codebases. Inspired by Trail of Bits' sharp-edges and variant-analysis methodologies.
## Overview
VulnHunter combines two powerful security analysis techniques:
1. **Sharp Edges Detection** - Identify error-prone APIs, dangerous defaults, and footgun designs
2. **Variant Analysis** - Find similar vulnerabilities across codebases using pattern-based analysis
### When to Use VulnHunter
**Activate this skill when:**
- Conducting security code reviews or audits
- Reviewing third-party dependencies for dangerous patterns
- Hunting for variants of known vulnerabilities
- Assessing API design for security footguns
- Pre-audit reconnaissance of unfamiliar codebases
## Sharp Edges Detection
### Categories of Sharp Edges
#### 1. Dangerous Default Configurations
Look for configurations that are insecure by default:
```
- CORS: Access-Control-Allow-Origin: *
- Debug modes enabled in production
- Default credentials or API keys
- Permissive file permissions (777, 666)
- SSL/TLS verification disabled
- Insecure deserialization settings
```
#### 2. Error-Prone APIs
**Memory Safety:**
```c
// Dangerous: no bounds checking (gets() was removed outright in C11)
strcpy(), strcat(), sprintf(), gets()
memcpy() without size validation
// Safer alternatives, still only as good as the size argument you pass
snprintf(), fgets()
strncpy(), strncat()   // strncpy() leaves dst unterminated when src fills it;
                       // strncat()'s n is the remaining space, not sizeof(dst)
strlcpy(), strlcat()   // where available (BSD libc, glibc 2.38+)
memcpy() with a validated length; memcpy_s() only where C11 Annex K exists (MSVC; most libcs omit it)
```
**Cryptography Footguns:**
```
- ECB mode encryption (identical plaintext blocks produce identical ciphertext blocks)
- MD5/SHA-1 for signatures, certificates or password hashing
- Hardcoded or reused IVs/nonces, hardcoded salts
- Custom crypto implementations
- Random without CSPRNG (Math.random / Python's random module for tokens and keys)
```
**Concurrency Issues:**
```
- Race conditions in file operations
- Time-of-check to time-of-use (TOCTOU)
- Double-checked locking anti-patterns
- Non-atomic increment/decrement operations
```
#### 3. Language-Specific Footguns
**JavaScript/TypeScript:**
```javascript
// Dangerous patterns
eval(), new Function(), setTimeout(string)
innerHTML, outerHTML, document.write()
Object.assign() for deep clone (shallow only!)
== instead of === (type coercion)
```
**Python:**
```python
# Dangerous patterns
pickle.loads(untrusted) # RCE vector
yaml.load(untrusted) # Use safe_load
exec(), eval()
os.system(), subprocess with shell=True
```
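Two of the Python footguns above, executed on constructed input beside a hardened form. This is an added example and not code from the VulnHunter skill; the gadget's `side_effect` target and the `echo`-based command are illustrative, and the subprocess part assumes a POSIX `/bin/sh` and an `echo` binary on PATH.

```python
"""Added example, not part of the VulnHunter skill: pickle.loads() on
attacker bytes and subprocess with shell=True, each next to a hardened
form.  Names and inputs are constructed for illustration."""
import io
import pickle
import shlex
import subprocess

# ---- pickle.loads(untrusted): deserialisation is code execution ---------
EXECUTED = []  # filled by the gadget; stands in for "attacker ran a command"


def side_effect(marker):
    """A real gadget points at os.system or subprocess.Popen instead."""
    EXECUTED.append(marker)


class Gadget:
    # pickle honours __reduce__: the (callable, args) pair is invoked by
    # pickle.loads itself, before the caller ever sees a result object.
    def __reduce__(self):
        return (side_effect, ("ran during pickle.loads",))


def build_malicious_pickle():
    """Attacker side: to the victim this is just bytes off the network."""
    return pickle.dumps(Gadget())


def load_untrusted(data):
    """Footgun: any importable callable named in the stream gets called."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: resolve no globals at all, so no callable is reachable.
    Real code allow-lists the few classes it expects rather than denying all."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def rejects_untrusted(data):
    """True when the restricted loader refuses the stream without running it."""
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return True
    return False


# ---- subprocess with shell=True: metacharacters become shell syntax -----
def run_unsafe(user_arg):
    # Footgun: the whole string goes to `/bin/sh -c`, so ';' splits commands.
    return subprocess.run(f"echo {user_arg}", shell=True,
                          capture_output=True, text=True).stdout


def run_safe(user_arg):
    # Hardened: argv list and no shell; user_arg is exactly one argument.
    return subprocess.run(["echo", user_arg],
                          capture_output=True, text=True).stdout


def run_quoted(user_arg):
    # When a shell is unavoidable, quote each argument for it explicitly.
    return subprocess.run("echo " + shlex.quote(user_arg), shell=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    load_untrusted(build_malicious_pickle())
    print("pickle side effect:", EXECUTED)
    print("restricted loader rejects:", rejects_untrusted(build_malicious_pickle()))
    for fn in (run_unsafe, run_safe, run_quoted):
        print(fn.__name__, repr(fn("hi; echo INJECTED")))
```

Run as a script, the gadget records its marker from `pickle.loads` alone, the restricted unpickler refuses the same bytes, and only `run_unsafe` prints a second `INJECTED` line for the input `hi; echo INJECTED`.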
**Rust:**
```rust
// Patterns requiring extra scrutiny
unsafe { }
.unwrap() in production code
mem::transmute()
raw pointer dereference
```
**Solidity/Smart Contracts:**
```solidity
// High-risk patterns
tx.origin for authentication // Phishing vulnerable
delegatecall to untrusted // Storage collision
selfdestruct // Permanent destruction
block.timestamp for randomness // Miner manipulable
```
### Sharp Edges Checklist
When reviewing code, systematically check for:
- [ ] **Authentication bypasses** - Missing auth checks, default credentials
- [ ] **Authorization flaws** - Privilege escalation, IDOR patterns
- [ ] **Injection vectors** - SQL, Command, Template, XSS
- [ ] **Cryptographic weaknesses** - Weak algorithms, improper key handling
- [ ] **Resource exhaustion** - Unbounded loops, memory allocation
- [ ] **Race conditions** - TOCTOU, concurrent state modification
- [ ] **Information disclosure** - Verbose errors, debug endpoints
- [ ] **Deserialization** - Untrusted data unmarshaling
- [ ] **Path traversal** - User-controlled file paths
- [ ] **SSRF vectors** - User-controlled URLs, redirects
## Variant Analysis
### The Variant Hunting Process
1. **Identify the Root Cause** - Understand WHY a vulnerability exists
2. **Extract the Pattern** - What code structure enables it?
3. **Generalize the Pattern** - Create regex/AST patterns
4. **Search Codebase** - Hunt for similar structures
5. **Validate Findings** - Confirm each variant is exploitable
### Pattern Extraction Templates
#### Template 1: Missing Validation Pattern
```
Original bug: User input flows to SQL query without sanitization
Pattern: [user_input] -> [sink_function] without [validation_function]
Search for:
- Direct database calls with string concatenation
- ORM raw query methods with user parameters
- Similar data flows in adjacent modules
```
#### Template 2: Authentication Bypass
```
Original bug: Endpoint missing auth middleware
Pattern: Route definition without auth decorator/middleware
Search for:
- Routes defined after the vulnerable one
- Similar API patterns in other modules
- Admin/internal endpoints
```
#### Template 3: Race Condition
```
Original bug: Check-then-act without atomicity
Pattern: if (check_condition()) { act_on_condition() }
Search for:
- File existence checks followed by file operations
- Permission checks followed by privileged actions
- Balance checks followed by transfers
```
### Search Strategies
#### Grep-Based Search
```bash
# Find potential SQL injection (formatting or concatenation into a query string)
grep -rn "execute.*%s" --include="*.py" .
grep -rn 'query.*[+]' --include="*.js" .   # [+] is a literal plus; GNU grep reads \+ as a quantifier
# Find dangerous deserialization and dynamic evaluation
grep -rn 'pickle\.loads\|yaml\.load\|\beval(' --include="*.py" .   # \beval( skips ast.literal_eval(
# Find command injection vectors
grep -rn 'os\.system\|subprocess.*shell=True' --include="*.py" .
```
Grep matches text, not data flow: a `shell=True` call with a constant command or a `yaml.load` with `SafeLoader` will show up too, so every hit still goes through step 5 (validation).
#### Semantic Search (AST-Based)
For more precise matching, use AST-based tools:
- **Semgrep** - Cross-language semantic grep
- **CodeQL** - GitHub's semantic analysis
- **tree-sitter** - Universal parser
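Templates 1 to 3 above, implemented as one small AST-based scanner for Python sources, as an added example that is not part of the VulnHunter skill. Rule names, the sink/check/decorator lists and the `SAMPLE` source are constructed for illustration; the point is that the same check-then-act, sink-without-validation and route-without-auth shapes the grep commands approximate can be matched structurally with the standard `ast` module, and that every hit is emitted as "Suspected" because exploitability is still confirmed by hand.

```python
"""Added example, not part of the VulnHunter skill: an AST-based variant
scanner implementing the three pattern templates for Python code.
Sink/check lists and SAMPLE are constructed for illustration."""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


# Illustrative lists; extend per codebase after extracting the real pattern.
SQL_SINKS = {"execute", "executemany", "executescript", "raw"}
FS_CHECKS = {"exists", "isfile", "isdir", "access"}
FS_ACTIONS = {"open", "remove", "unlink", "rename", "chmod"}
ROUTE_DECORATORS = {"route", "get", "post", "put", "delete"}
AUTH_DECORATORS = {"login_required", "require_auth", "requires_auth"}


def call_name(node):
    """Last component of a call target: os.path.exists -> 'exists'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def is_dynamic_string(node):
    """Template 1: query text assembled at runtime rather than a literal."""
    if isinstance(node, ast.JoinedStr):                       # f-string
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "..." + name  or  "... %s" % name; literal + literal is harmless
        return not (isinstance(node.left, ast.Constant)
                    and isinstance(node.right, ast.Constant))
    return isinstance(node, ast.Call) and call_name(node.func) == "format"


class VariantScanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        # Template 1: dynamic string flowing straight into a database sink
        if (call_name(node.func) in SQL_SINKS and node.args
                and is_dynamic_string(node.args[0])):
            self.findings.append(Finding("T1-sql-concat", node.lineno,
                                         ast.unparse(node.args[0])))
        self.generic_visit(node)

    def visit_FunctionDef(self, node):
        # Template 2: route handler carrying no auth decorator at all
        decos = {call_name(d.func if isinstance(d, ast.Call) else d)
                 for d in node.decorator_list}
        if decos & ROUTE_DECORATORS and not decos & AUTH_DECORATORS:
            self.findings.append(Finding("T2-unauth-route", node.lineno, node.name))
        self.generic_visit(node)

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_If(self, node):
        # Template 3: filesystem check in the condition, action on the same
        # path expression in the body (the check-then-act TOCTOU shape)
        checked = {ast.unparse(c.args[0]) for c in ast.walk(node.test)
                   if isinstance(c, ast.Call) and c.args
                   and call_name(c.func) in FS_CHECKS}
        if checked:
            for stmt in node.body:
                for c in ast.walk(stmt):
                    if (isinstance(c, ast.Call) and c.args
                            and call_name(c.func) in FS_ACTIONS
                            and ast.unparse(c.args[0]) in checked):
                        self.findings.append(Finding("T3-toctou", c.lineno, ast.unparse(c)))
        self.generic_visit(node)


def scan(source, filename="<sample>"):
    """Step 4 of the process: parse once, run every pattern, sort by line."""
    scanner = VariantScanner()
    scanner.visit(ast.parse(source, filename))
    return sorted(scanner.findings, key=lambda f: (f.line, f.rule))


def to_markdown(findings, filename="<sample>"):
    """Rows in the shape of the report table; Status is Suspected until a
    human completes step 5 (validation)."""
    rows = ["| # | Location | Severity | Status | Notes |",
            "|---|----------|----------|--------|-------|"]
    for i, f in enumerate(findings, 1):
        rows.append(f"| {i} | {filename}:{f.line} | TBD | Suspected | {f.rule}: {f.detail} |")
    return "\n".join(rows)


# Constructed sample: one instance of each template plus safe look-alikes.
SAMPLE = '''\
import os
from flask import Flask
app = Flask(__name__)

def find_user(db, name):
    cur = db.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT * FROM users WHERE name = %s" % name)
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchall()

@app.route("/admin/export")
def export():
    return "dump"

@app.route("/profile")
@login_required
def profile():
    return "ok"

def save(path, data):
    if not os.path.exists(path):
        with open(path, "w") as fh:
            fh.write(data)
'''

if __name__ == "__main__":
    print(to_markdown(scan(SAMPLE)))
```

On `SAMPLE` the scanner reports the two formatted `execute` calls, the decorated-but-unauthenticated `export` route and the `exists`-then-`open` pair, and stays quiet on the parameterised query and on `profile`. Matching on `ast.unparse` of the first argument is deliberately crude: it catches the same path expression verbatim, which is what a first variant sweep needs, and leaves aliasing and cross-function flows to Semgrep or CodeQL.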
### Variant Analysis Report Template
```markdown
## Variant Analysis Report
### Original Finding
- **ID**: FINDING-001
- **Severity**: High
- **Root Cause**: [Description]
- **Affected File**: path/to/file.ext:line
### Pattern Extracted
[Code pattern or regex]
### Variants Discovered
| # | Location | Severity | Status | Notes |
|---|----------|----------|--------|-------|
| 1 | file.ext:42 | High | Confirmed | Same root cause |
| 2 | other.ext:100 | Medium | Suspected | Needs validation |
### Recommendations
[Systematic fix approach]
```
## Workflow
### Phase 1: Reconnaissance
1. Identify technology stack and