Elite adaptive whitebox exploit research skill for Claude Code and OpenCode.
Not a scanner. Not a checklist. A reusable exploit research framework that classifies your target and loads the correct attack methodology.
npx offsec-exploit-researchThat's it. The skill is installed globally and available in every project.
Open Claude Code or OpenCode in any project:
- Type
/skillsto see the skill - Ask: "audit this repo" or "find vulnerabilities"
The skill will:
- Fingerprint the target — language, framework, architecture, trust model
- Classify it — kernel? browser? distributed? web app? CLI? (16 categories)
- Load the right methodology — domain-specific exploit research, not a generic checklist
- Map attack surfaces — entry points, trust boundaries, external interfaces
- Generate exploit hypotheses — ranked by
impact × exploitability × confidence - Trace code paths — from attacker input to exploitable behavior (not grep)
- Validate — verify exploitability through deep code tracing, generate detailed PoC steps
- Synthesize chains — combine findings into realistic multi-step exploits
- Suppress noise — reject unreachable, theoretical, or unexploitable issues
- Report — structured findings with exact files, root cause, PoC, and remediation
The skill adapts to fundamentally different software classes:
| Category | Examples |
|---|---|
| Systems / Kernel | Linux kernel, drivers, hypervisors |
| Browser / Sandbox | Chromium, Electron, renderer engines |
| Native Memory-Safety | C/C++ parsers, codecs, protocol handlers |
| Distributed Systems | Kubernetes, service mesh, message brokers |
| Proxy / Gateway | Zuul, Envoy, Nginx, HAProxy, Kong |
| Enterprise Backend | Spring, Django, Rails, ASP.NET, Express |
| Java Platform | Spring Boot, Jakarta EE, Apache middleware |
| .NET Platform | ASP.NET Core, Blazor, Azure Functions |
| CLI / Dev Tooling | Package managers, build tools, agents |
| PowerShell | PS modules, DSC, Windows automation |
| CI/CD | Jenkins, GitHub Actions, GitLab CI |
| Supply Chain | Dependency resolution, plugin systems |
| Container Runtime | runc, containerd, Docker, Podman |
| Cloud Control Plane | IAM, API servers, IaC tooling |
| Parsers | File formats, protocols, data formats |
| Serialization | Java/Python/.NET deserialization surfaces |
| Sandbox Boundaries | seccomp, namespaces, WASM, isolates |
- ❌ SAST / regex scanner
- ❌ OWASP checklist bot
- ❌ Generic security review prompt
- ❌ Noisy static analysis wrapper
- ✅ Exploit researcher mindset
- ✅ Architecture-aware analysis
- ✅ Domain-specific methodology
- ✅ Real exploitability validation
- ✅ False positive suppression
- ✅ Exploit chain synthesis
MIT