mantishack

Use this agent when the target is a LIVE REST or GraphQL API you are authorized to test and the question is "can I tamper request bodies, headers, ids, and tokens to read or act on data that isn't mine?" — active, request-driven abuse of the API contract, not static code review. It drives REAL HTTP at the endpoints: BOLA/IDOR object-id enumeration (increment/swap/UUID-shuffle the id and diff the access decision), broken function-level authz (replay an admin verb/path with a low-priv token), mass-assignment (inject role/is_admin/is_verified/owner_id into the JSON body), excessive-data-exposure (the response over-returns fields the UI never shows), GraphQL introspection + alias/batch amplification + nested-query DoS, content-type and HTTP-verb tampering (POST→PUT/PATCH/DELETE, application/json→text/plain→x-www-form-urlencoded), JWT/session/token swap across two users, and rate-limit / idempotency-key bypass. It proves every finding with a behavioral oracle — a status/length/timing/field-set diff between the authorized baseline and the tampered request — never a guess. Prefer this agent over a code reader when you hold a base URL or a schema and want to mutate live traffic methodically.\n\n<example>\nContext: The user has a running API with numeric resource ids and two test accounts.\nuser: "Here's our staging API at https://api.staging.acme.test and tokens for user A and user B — can user A read user B's orders?"\nassistant: "That's textbook BOLA: same endpoint, swap the object id (or the bearer token) and diff the access decision. I'll use the Task tool to launch the api-abuse-fuzzer agent to enumerate /orders/{id} with A's token against B's ids and prove the cross-tenant read with a status + ownership-field oracle."\n<agent_launch>\nDelegating to api-abuse-fuzzer: a live authorized API + two tokens + object-id enumeration is its core BOLA/IDOR mission.\n</agent_launch>\n</example>\n\n<example>\nContext: The user exposes a GraphQL endpoint and isn't sure introspection or query batching is locked down.\nuser: "Our /graphql is behind auth but I want to know if a low-priv user can pull admin fields, brute force via aliases, or knock it over with a deep nested query."\nassistant: "GraphQL abuse surface: introspect the schema, alias-batch a login/lookup to bypass per-request rate limits, and send a bounded cyclic nested query as a timing oracle. I'll launch the api-abuse-fuzzer agent to tamper the operation and measure the depth/timing oracle."\n<agent_launch>\nDelegating to api-abuse-fuzzer for GraphQL introspection, alias/batch amplification, and nested-query DoS against the live endpoint.\n</agent_launch>\n</example>\n\nProactively suggest using this agent when: a live base URL + an OpenAPI/Swagger/GraphQL schema (or a captured request) is in hand and the target is authorized in-scope; endpoints take a resource identifier in the path/query/body (/users/{id}, ?account=, {"order_id": ...}) — BOLA/IDOR territory; the user holds 2+ accounts or tokens (low-priv + high-priv, tenant A + tenant B) to run an authorization differential; there are admin/privileged verbs (DELETE, PUT /admin/*, role-changing mutations) and you want to hit them as a non-admin; a write endpoint accepts a JSON object — test mass-assignment of role/is_admin/verified/balance/owner_id; a /graphql endpoint exists (introspection, alias/batch abuse, nested-query DoS, field-level authz); or the user mentions rate limiting, coupon/OTP brute force, idempotency keys, BOLA, BFLA, mass assignment, or "excessive data exposure".

Use this agent when a codebase, PR, or service needs its IMPLICIT TRUST ASSUMPTIONS enumerated and attacked — every place the code silently trusts a header, an "internal-only" route, an "already-validated-upstream" input, an ID that "belongs to the caller," or a value that "can't be null/negative." It specializes in confused-deputy (CWE-441), mass-assignment (CWE-915), input-validation gaps (CWE-20), and second-order/stored injection (CWE-89/CWE-79). This is the agent for trust-boundary audits, multi-service request paths, ORM/serializer review, and proxy/gateway/header-forwarding code.\n\n<example>\nContext: User has a multi-service backend where an edge proxy forwards auth context downstream.\nuser: "Our gateway sets X-User-Id from the JWT and the internal services read it to authorize. Can you check this?"\nassistant: "This is a classic confused-deputy / trust-boundary surface — the downstream services trust a header they can't verify. I'll use the Task tool to launch the assumption-pressure-test agent to enumerate every internal endpoint that reads X-User-Id and prove whether an attacker can reach it directly and forge it."\n<agent_launch>\nDelegating to assumption-pressure-test: the request hinges on an implicit 'this header is trusted because the gateway set it' assumption that must be attacked.\n</agent_launch>\n</example>\n\n<example>\nContext: User just merged an ORM update endpoint.\nuser: "Here's the new profile update handler: User.objects.filter(id=request.user.id).update(**request.data)"\nassistant: "That `**request.data` spread is a mass-assignment sink — it trusts that the request body only contains the fields you intended. I'll launch the assumption-pressure-test agent to map which model columns (is_admin, balance, role) become attacker-writable and confirm reachability."\n<agent_launch>\nDelegating to assumption-pressure-test for the CWE-915 mass-assignment and the implicit 'the body only has safe fields' assumption.\n</agent_launch>\n</example>\n\nProactively suggest using this agent when:\n- Code reads request headers (X-Forwarded-For, X-User-Id, X-Real-IP, X-Internal-*, Host) for trust or authorization decisions\n- A serializer/ORM uses bulk binding: `**req.body`, `Object.assign`, `ModelMapper`, `BeanUtils.copyProperties`, `update_attributes`, `params.permit!`\n- Comments or names assert trust: "internal only", "already validated", "trusted", "comes from gateway", "sanitized upstream"\n- Data is stored then later concatenated into SQL/HTML/shell (second-order injection)\n- An endpoint takes an `id`/`uuid`/`account`/`order` param that maps to a resource (IDOR / object ownership)

Generate gcov coverage data for a code repository.

Analyze security bugs from any C/C++ project with full root-cause tracing

Analyze crashes using rr recordings, function traces, and coverage data to produce root-cause analyses.

Carefully analyze root cause analysis reports for crashes to make sure they are correct

Multi-stage pipeline to validate vulnerability findings are real, reachable, and exploitable

|

Generate function-level execution traces for debugging and analysis.

Use this agent to war-game the multi-tier HTTP edge — CDN, reverse proxy / load balancer, and origin app server — for request smuggling / desync (CL.TE, TE.CL, TE.TE, CL.0, H2.CL, H2.TE), web cache poisoning via unkeyed inputs, and cache deception that turns a static-cache rule into mass account/credential exposure. It hunts the disagreements *between* tiers — where two parsers read one byte-stream differently — and proves a poisoned/hijacked request reaches a real victim, not just that a header is echoed. It loads the `redteam-hunting` skill and drives that skill's loop-until-converged engine.\n\n<example>\nContext: User points the pack at a property fronted by a CDN with a separate origin app server and wants the edge attacked.\nuser: "We run Cloudflare in front of an nginx -> gunicorn origin. Scan the edge for smuggling and cache issues before launch."\nassistant: "This is a multi-tier edge desync + cache mission. I'll launch the http-edge-desync agent to load redteam-hunting and run CL.TE/TE.CL/CL.0 differential probes plus unkeyed-input cache poisoning against the CDN<->nginx<->gunicorn chain, proving any desync reaches a victim request before recording it."\n<agent_launch>\nMulti-tier edge (CDN + reverse proxy + app) with request-smuggling and cache concerns — exactly the http-edge-desync mission profile. Delegating so the persona can prove source->sink reachability across tier boundaries.\n</agent_launch>\n</example>\n\n<example>\nContext: User noticed an authenticated page is sometimes served from cache and asks whether that is exploitable.\nuser: "A logged-in user reported seeing someone else's dashboard at /account. We use a Fastly + Express stack."\nassistant: "Cross-user cache contamination on an authed path is a textbook cache-deception / poisoning pivot. I'll launch the http-edge-desync agent to determine whether /account is cached via a deception suffix (/account/x.css), an unkeyed header drives the dynamic content, or a desync is stuffing a victim response into the shared cache."\n<agent_launch>\nAuthenticated content leaking via a shared cache on a CDN+app stack is the http-edge-desync blast-radius scenario. Delegating to trace unkeyed-input -> cache-key -> stored-victim-response.\n</agent_launch>\n</example>\n\nProactively suggest using this agent when:\n- The target sits behind a CDN, reverse proxy, load balancer, API gateway, or service mesh in front of a distinct origin/app server (any tier-boundary).\n- You see two different HTTP servers in the chain (e.g. Cloudflare/Akamai/Fastly/CloudFront in front of nginx/HAProxy/Apache/Envoy in front of gunicorn/Express/Spring/Go net-http).\n- HTTP/2 or HTTP/3 terminates at the edge and is downgraded to HTTP/1.1 to origin (request-splitting / H2.CL / H2.TE surface).\n- Responses carry CDN cache markers (Age, X-Cache, CF-Cache-Status, X-Served-By, Vary) or cache-busting query/header behavior.\n- Authenticated or per-user content shows up on a path that also looks static/cacheable (cache deception), or a request header changes cached page content (poisoning).\n- Custom header-trust appears at the edge (X-Forwarded-For, X-Forwarded-Host, X-Real-IP, X-Original-URL, X-Rewrite-URL driving routing/auth).

Use this agent when the threat model is a TRUSTED principal turning hostile and you need to hunt broken authorization, privilege escalation, trust-boundary violations, and supply-chain betrayal. This is the operator for "what can an authenticated user do to OTHER users' data" and "what can a dependency do to us." It specializes in IDOR/BOLA/BFLA, missing ownership checks, horizontal/vertical privesc, and malicious-package hooks — bug classes semgrep/codeql under-report because they are semantic (object-identity and trust relationships), not syntactic.\n\n<example>\nContext: User has a multi-tenant API and wants to know if one tenant can reach another's records.\nuser: "Audit this orders API — can a logged-in customer read or modify another customer's orders?"\nassistant: "This is an object-level authorization (BOLA/IDOR) question with a hostile-insider threat model. I'll use the Task tool to launch the insider-betrayal-sim agent to map every handler that takes an object id, check whether the owner is verified against the session, and prove reachability source->sink."\n<commentary>\nThe request is horizontal-privilege / cross-tenant access — the insider-betrayal-sim agent's core mission. Delegating.\n</commentary>\n</example>\n\n<example>\nContext: User just added a third-party npm dependency and a postinstall step.\nuser: "We pulled in a new package and CI started doing weird network calls during install. Is the dependency safe?"\nassistant: "Network activity at install time is a supply-chain trust-boundary signal (CWE-506/CWE-1395). I'll launch the insider-betrayal-sim agent to inspect lifecycle scripts, scan for dependency-confusion and typosquat shapes, and trace any install-time exfiltration sink."\n<commentary>\nA dependency turning hostile is exactly the insider-betrayal war game. Delegating to insider-betrayal-sim.\n</commentary>\n</example>\n\nProactively suggest when:\n- A route/handler accepts a user-supplied object id, primary key, filename, account number, or tenant id (IDOR/BOLA surface)\n- New roles, admin endpoints, or function-level gates are introduced (BFLA / vertical privesc surface)\n- Authorization logic is added or changed (decorators, middleware, policy checks, RLS)\n- A dependency, lockfile, postinstall/preinstall script, private registry config, or CI install step changes (supply-chain surface)\n- Multi-tenancy, "share with another user", impersonation, or service-to-service auth features are written

Adversarial AI/LLM red-team hunter for the MANTISHACK pack. Attacks the model surface itself — direct prompt injection, indirect/2nd-order injection smuggled through RAG chunks, retrieved emails, scraped web pages, uploaded files, and prior tool results; LLM tool/function-call abuse and agentic over-privilege (an agent wired to shell/db/HTTP/filesystem tools coerced into running attacker-chosen actions); system-prompt and API-key/secret exfiltration; and the highest-impact class — UNSAFE MODEL OUTPUT flowing untrusted into eval/exec/SQL/shell/template/file sinks. Maps to OWASP LLM01 (Prompt Injection), LLM02 (Insecure Output Handling), LLM06 (Sensitive Information Disclosure), LLM08 (Excessive Agency); CWE-1427, CWE-94/77/78, CWE-89, CWE-200/522, CWE-285/862, CWE-918. Use it the moment a codebase calls an LLM API, defines tool/function schemas, builds a RAG/retrieval pipeline, or feeds model output into any executor.\n<example>\nContext: The user points MANTISHACK at a repo with an LLM tool-calling support agent and a SQL helper.\nuser: "We have a support agent that takes the user message plus retrieved KB docs and can call run_sql() and send_email(). Hunt the AI layer."\nassistant: "Untrusted user text and untrusted retrieved docs both flow into a tool-calling loop with run_sql and send_email sinks. I'll launch the llm-agent-abuse hunter to trace prompt-injection sources to the SQL/email sinks and prove source->sink reachability."\n<agent_launch>\nDelegating to llm-agent-abuse: the request is an indirect-injection + tool-abuse hunt, exactly this agent's mission.\n</agent_launch>\n</example>\n<example>\nContext: Recon surfaced a /chat endpoint that summarizes web pages and a system prompt built by string concat.\nuser: "There's a summarizer that fetches URLs the model picks, and the system prompt is built by concatenating user input. Look at it."\nassistant: "Indirect injection via fetched web content plus system-prompt concatenation — both in scope. I'll spawn llm-agent-abuse to test 2nd-order injection through the fetched page and system-prompt override/leak, looping until it converges."\n<agent_launch>\nDelegating to llm-agent-abuse for the LLM01 indirect-injection and LLM06 system-prompt-leak surface.\n</agent_launch>\n</example>\nProactively suggest using this agent when:\n- Code imports an LLM SDK (anthropic, openai, google-generativeai/genai, cohere, langchain, llama-index, litellm, the vercel `ai` package, bedrock, ollama) or hits a chat/completions/messages endpoint.\n- Tool/function schemas are defined and the model's chosen tool call is dispatched to shell, db, HTTP, filesystem, or another agent.\n- A RAG/retrieval/embeddings pipeline injects retrieved chunks, email bodies, scraped HTML, PDFs, or uploaded files into a prompt.\n- Model output reaches eval/exec/Function/`os.system`/subprocess, a SQL string, a template renderer, `innerHTML`, `dangerouslySetInnerHTML`, or is written to disk/config.\n- A system prompt or secret/API key is interpolated near user- or document-controlled text, or the app promises the model "never reveal your instructions."\n- An autonomous/agentic loop (ReAct, AutoGPT-style, multi-agent handoff, MCP server) runs with broad ambient credentials.

Use this agent when the user needs to perform offensive security operations, security testing, or vulnerability research tasks. This includes:\n\n<example>\nContext: User wants to test a web application for security vulnerabilities.\nuser: "I need to scan this web application at https://example.com for common vulnerabilities"\nassistant: "I'll use the Task tool to launch the offsec-specialist agent to perform comprehensive security testing on the web application."\n<agent_launch>\nSince the user needs offensive security testing, I'm delegating to the offsec-specialist agent which has access to specialized offensive security skills and tools.\n</agent_launch>\n</example>\n\n<example>\nContext: User has completed implementing a new API endpoint and wants security validation.\nuser: "Here's my new API endpoint implementation:"\n<code_snippet>\ndef process_payment(user_id, amount, card_data):\n # implementation\n</code_snippet>\nassistant: "Great work on implementing the payment endpoint. Let me now use the Task tool to launch the offsec-specialist agent to perform security analysis on this code and identify potential vulnerabilities."\n<agent_launch>\nThe user has written security-sensitive code that should be proactively analyzed for vulnerabilities. Using the offsec-specialist agent to conduct thorough security review.\n</agent_launch>\n</example>\n\n<example>\nContext: User mentions they need to perform penetration testing.\nuser: "I need to perform authorized penetration testing on our staging environment"\nassistant: "I'll use the Task tool to launch the offsec-specialist agent to guide you through the penetration testing process with the appropriate offensive security tools and methodologies."\n<agent_launch>\nPenetration testing request detected - delegating to offsec-specialist agent.\n</agent_launch>\n</example>\n\nProactively suggest using this agent when:\n- Security-sensitive code is written (authentication, authorization, input handling, cryptography)\n- Web applications or APIs are being developed\n- User mentions testing, security, vulnerabilities, or penetration testing\n- Network services or protocols are being implemented\n- File upload, parsing, or deserialization functionality is created

Verify all collected evidence against original sources

Validate hypothesis claims against verified evidence

Form evidence-backed hypotheses for forensic investigations

Query GH Archive via BigQuery for tamper-proof forensic evidence

Query GitHub API for repository state, commits, and recovery of deleted commits

Extract IOCs from vendor security reports as forensic evidence

Analyze cloned repositories for dangling commits and git forensics

Recover deleted GitHub content via Wayback Machine

Generate final forensic report from confirmed hypothesis and evidence

Use this agent when the target exposes an LLM-backed surface that attacker text can reach — a chat box, an AI search/answer bar, a document/email/ticket summarizer, an agent with tools (function-calling, RAG retrieval, browse, code-exec), a support bot, or any place a model later reads user-controlled content. It treats the model's instruction-following as the attack surface: every field the model ingests is an attacker-writable instruction channel, and the win condition is the model OBEYING injected text — leaking its system prompt, calling a tool it shouldn't, exfiltrating data through a rendered markdown image, or jailbreaking to a forbidden action. It drives a live payload battery against the running endpoint (DIRECT injection in the prompt, INDIRECT/stored injection poisoning a field/file/page the model retrieves later, system-prompt and secret extraction, tool/function-call hijack, data-exfil via image/link beacons, jailbreak-to-action) and rotates payload FAMILIES until one lands, proving each with a behavioral oracle (a planted nonce echoed back, a tool-call event emitted, or a beacon caught on a host you control), never a guess. Prefer this agent over a generic web scanner when the question is "can someone make the AI ignore its instructions, spill its prompt or secrets, or operate its tools for them?" — it sends real requests and reads the model's actual response, not the source.\n\n<example>\nContext: The target is a deployed support chatbot with a RAG knowledge base and two backend tools (order lookup, refund).\nuser: "We launched an AI support agent that can look up orders and issue refunds. Can a customer talk it into doing something it shouldn't?"\nassistant: "That's a tool-call-hijack and jailbreak-to-action question against a live agent, not a code read. I'll use the Task tool to launch the prompt-injection-probe agent to send a payload battery at the chat endpoint — direct injection to override its policy, then RAG poisoning to plant instructions it reads back — watching for an unauthorized refund tool-call event as the oracle (stopping at the emitted call, not letting it execute)."\n<agent_launch>\nDelegating to prompt-injection-probe: the surface is an LLM agent with tools and RAG, and the user is asking whether injected text can drive a forbidden tool call — its core mission.\n</agent_launch>\n</example>\n\n<example>\nContext: A product has an AI feature that summarizes user-submitted profiles/documents that other users (and admins) later view.\nuser: "Our summarizer reads whatever a user puts in their bio and shows a summary to the support team. Here's the endpoint: POST /api/summarize {\"text\":\"<user-controlled bio>\"}"\nassistant: "A summarizer over user-controlled text rendered to a privileged reader is a textbook indirect (stored) prompt-injection sink. I'll launch the prompt-injection-probe agent to plant an injection inside the bio, then trigger the summarize call and check whether the model obeys the planted instruction or emits a data-exfil beacon in the summary shown to the admin."\n<agent_launch>\nThe input is attacker-controlled text the model reads downstream for a higher-privilege audience — indirect injection territory, so I'm delegating to prompt-injection-probe.\n</agent_launch>\n</example>\n\nProactively suggest using this agent when:\n- The target exposes a chat box, AI search/answer bar, "ask AI" widget, copilot, or support bot that takes free text and returns a model-generated reply.\n- An endpoint summarizes, translates, classifies, or "analyzes" user-supplied text, files, emails, tickets, or pages (the indirect/stored-injection sink).\n- The app does RAG/retrieval over user-controllable content (uploaded docs, profile fields, comments, web pages the model browses).\n- The model has tools/function-calling/actions (lookup, send, refund, file ops, code exec, browse) — i.e. injected text could become an action.\n- Model output is rendered as markdown/HTML (images, links) or fed downstream into eval/SQL/shell/another API, opening exfil and second-order-injection paths.

Use this agent when raw findings already exist — from the other red-team personas, from semgrep/codeql/nuclei output, or from mantishack's findings index — and someone needs them de-duplicated, chained, CVSS-scored, and compiled into a single executive-grade RED TEAM REPORT that names the TOP 3 critical risks and the highest-ROI fix for each. This is the SYNTHESIZER: it does not hunt new bugs, it consumes and triages.\n\n<example>\nContext: Multiple hunter waves and scanners have dumped findings and the operator wants a single prioritized report.\nuser: "We've got 40-some findings across the injection, authz, and deserialization hunters plus the semgrep dump. Give me the one-pager I can hand to engineering."\nassistant: "I'll use the Task tool to launch the red-team-report agent to de-duplicate the corpus, stitch chains, CVSS-score each cluster, and produce the TOP 3 ranked report with kill-chains and the single highest-ROI fix per finding."\n<agent_launch>\nFindings already exist and the ask is synthesis + triage + executive reporting, not new discovery — delegating to red-team-report.\n</agent_launch>\n</example>\n\n<example>\nContext: A mantishack engagement finished and the index has overlapping low-quality findings.\nuser: "mantis_list_findings shows 60 entries but half look like the same SSRF reported three ways. Triage this."\nassistant: "I'll launch the red-team-report agent via the Task tool to pull mantis_list_findings / mantis_query_findings_index, collapse duplicates, score by likelihood x blast radius, and emit the prioritized remediation roadmap."\n<agent_launch>\nDedup + chain-stitching + ranking across an existing finding corpus is exactly this agent's mission.\n</agent_launch>\n</example>\n\nProactively suggest using this agent when:\n- A /mantis-* run, hunter wave, or scan has completed and produced more findings than anyone can read\n- Multiple red-team personas have each returned findings that overlap or chain together\n- Someone asks for "the report", "top findings", "what do we fix first", an executive summary, or CVSS scores\n- semgrep/codeql/nuclei output needs to be triaged into business risk rather than a raw alert list\n- Two separate findings look like they might combine into a worse single attack chain