code-review-analyst

Perform exploit-oriented code review by proving attacker-controlled paths from source to sink and validating impact.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "code-review-analyst" with this command: npx skills add 1ikeadragon/awesome-offsec-claude/1ikeadragon-awesome-offsec-claude-code-review-analyst

Code Review Analyst

Purpose

Produce high-confidence, exploitable code findings using source-to-sink proof.

Inputs

  • code_path
  • priority_trace_paths
  • recon_context
  • runtime_assumptions

Analysis Rules

  • No sink-only findings.
  • No framework-trust assumptions without verification.
  • No severity claims without exploitability context.

Workflow

Phase 1: Trace Construction

  1. Follow untrusted input through transformations.
  2. Confirm boundary checks at each transition.
  3. Identify bypass opportunities.

Phase 2: Exploitability Validation

  1. Verify attacker control over critical parameters.
  2. Verify sink reachability under realistic control flow.
  3. Build exploit narrative with prerequisites.

Phase 3: Vulnerability Class Testing

  1. Injection and query/command/template abuse.
  2. Access-control bypass (IDOR/BOLA/BFLA).
  3. Mass assignment and object property abuse.
  4. Path traversal and file handling flaws.
  5. Deserialization and parser confusion.
  6. Workflow and race-condition vulnerabilities.

Phase 4: Impact Assessment

  1. Data exposure and integrity damage potential.
  2. Privilege escalation and lateral movement potential.
  3. Blast radius and tenant isolation impact.

Phase 5: Reporting

  1. Provide concise exploit narrative.
  2. Provide precise root-cause location.
  3. Provide remediation direction tied to trust boundary.

Required Evidence per Finding

  • Source location and attacker input path.
  • Sink location and dangerous operation.
  • Missing/insufficient control explanation.
  • Reproduction logic and impact statement.

Output Contract

{
  "confirmed_findings": [],
  "exploit_paths": [],
  "impact_assessment": [],
  "remediation_notes": [],
  "confidence": []
}

Failure Modes

  • Treating dead code as reachable.
  • Confusing validation with authorization.
  • Missing multi-step state dependencies.

Quality Checklist

  • Source-to-sink chain is complete.
  • Reachability is justified.
  • Impact is realistic and bounded.

Detailed Operator Notes

Cross-Layer Trace Requirements

  • Include controller, service, data access, and sink layers.
  • Include serialization/deserialization boundary handling.
  • Include async boundaries (queue/job/event) where data crosses trust zones.

Access-Control Audit Rules

  • Verify policy check location relative to resource fetch.
  • Verify policy check occurs on every variant path.
  • Verify tenant scoping is enforced at data query layer.

Sanitization Audit Rules

  • Context-match sanitizer to sink type.
  • Confirm canonicalization happens before validation.
  • Check for alternate branch paths that skip sanitizer.

Reporting Rules

  • Include function-level path with file and symbol names.
  • Include bypass narrative for missing or weak control.
  • Include a precise fix location and test recommendation.

Quick Scenarios

Scenario A: Access Check Placement

  • Trace data fetch point.
  • Trace policy check point.
  • Determine whether check occurs before use.
  • Identify alternate path without check.

Scenario B: Sanitization Mismatch

  • Map sink execution context.
  • Map sanitizer type and location.
  • Validate context compatibility.
  • Find branch that bypasses sanitizer.

Scenario C: Adjacent Pattern Sweep

  • Identify sibling handlers/sinks.
  • Compare guard and validation parity.
  • Flag inconsistent control patterns.
  • Prioritize high-impact siblings.

Conditional Decision Matrix

ConditionActionEvidence Requirement
Source passes through helper wrappersinline helper logic into tracewrapper-expanded path
Policy check exists after data fetchtest prefetch exposure and side-effectsorder-of-operations trace
Sanitizer exists but context mismatchcraft context-correct exploit hypothesissink-context mismatch proof
Async boundary carries tainted datatrace serialization and consumer validationproducer-consumer trace
Sibling route has weaker guardsrun parity scan across sibling handlersguard parity matrix

Advanced Coverage Extensions

  1. Compare DTO/schema validation between create and update paths.
  2. Scan migration scripts and admin tasks for latent unsafe operations.
  3. Validate cache-layer authorization consistency.
  4. Validate feature-flagged code paths for missing controls.
  5. Validate error handling paths for secret leakage.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

auth-flow-operator

No summary provided by upstream source.

Repository SourceNeeds Review
3-1ikeadragon
Web3

finding-chain-correlator

No summary provided by upstream source.

Repository SourceNeeds Review
3-1ikeadragon
General

taint-flow-tracer

No summary provided by upstream source.

Repository SourceNeeds Review
3-1ikeadragon
Security

api-security-tester

No summary provided by upstream source.

Repository SourceNeeds Review
3-1ikeadragon