aeondave/libfuzzer
offensive-tools/fuzzing/libfuzzer/SKILL.md
In-process, coverage-guided fuzzing engine integrated with Clang/LLVM. Use for fast unit-level fuzz targets, parser hardening, sanitizer-first bug discovery, and corpus-driven regression loops in C/C++ code.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill libfuzzerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 19, 2026, 4:45 AM183.1s1 file scanned
SKILL.md
- name:
- libfuzzer
- description:
- In-process, coverage-guided fuzzing engine integrated with Clang/LLVM. Use for fast unit-level fuzz targets, parser hardening, sanitizer-first bug discovery, and corpus-driven regression loops in C/C++ code.
- license:
- NCSA
- compatibility:
- Clang/LLVM toolchains on Linux/macOS/Windows.
- author:
- GitHub Copilot
- version:
- 1.1
libfuzzer
LLVM-native in-process fuzzer using LLVMFuzzerTestOneInput entrypoints.
Quick Start
# Minimal target
# extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
# Build with libFuzzer + ASAN
clang++ -g -O1 -fsanitize=fuzzer,address fuzz_target.cc -o fuzz_target
# Run
./fuzz_target corpus/
Operator Flow
- Build a narrow, deterministic
LLVMFuzzerTestOneInputharness. - Add ASAN/UBSAN first; add MSAN when dependency hygiene allows.
- Seed with small valid/invalid corpus.
- Run long enough to stabilize coverage features, then merge/minimize corpus.
- Keep crashing artifacts as regression tests.
Key Practice
- Keep fuzz target deterministic, fast, and side-effect-light.
- Prefer narrow targets per format/API instead of one giant dispatcher.
- Seed with small valid+invalid samples; then minimize via
-merge=1.
Useful Flags
| Flag | Purpose |
|------|---------|
| -runs=N | Bounded runs |
| -max_total_time=N | Time budget |
| -dict=file | Token dictionary |
| -jobs / -workers | Parallel campaigns |
| -fork=N | Crash/OOM/timeout-resistant subprocess mode |
| -use_value_profile=1 | Stronger cmp-guided search |
| -merge=1 | Corpus minimization/merge |
Practical Tricks
- Use
FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTIONto disable fuzz-hostile randomness/checksums in harness builds. - Return
-1for intentionally rejected inputs to reduce corpus pollution. - Use
-artifact_prefix/ fixed artifact paths in CI pipelines for predictable collection. - For very large corpora, use resumable merge workflows.
Common Pitfalls
- Original authors shifted major innovation to Centipede; libFuzzer remains supported for bug fixes.
- Excellent fit for CI regression with saved crash artifacts.
- Non-deterministic harness behavior causes corpus bloat and noisy triage.
- Overly broad max lengths can waste cycles on low-value regions.
- Neglecting sanitizers in in-process mode delays detection of latent memory issues.
Resources
- https://llvm.org/docs/LibFuzzer.html
- https://clang.llvm.org/docs/SanitizerCoverage.html
- https://google.github.io/oss-fuzz/
Related Skills
aeondave/offensive-linux-role
data-ai
VerifiedTrustedCommunity
Scoped routing: Linux operator; hosts, sessions, users, services, packages, logs, containers, SSH, network paths, privilege evidence.
4SKILL.mdUpdated Jun 5, 2026
aeondave/ics-technique
development
VerifiedTrustedCommunity
Offensive methodology for ICS/OT/SCADA environments in authorized industrial penetration testing and red team operations. Use when assessing PLCs, RTUs, HMIs, engineering workstations, historians, or field devices running Modbus, DNP3, EtherNet/IP, S7comm/S7+, Profinet, IEC 60870-5-104, BACnet, or OPC-UA. Covers passive OT network enumeration, protocol-level device interrogation, PLC coil/register read-write attacks, HMI session exploitation, historian and engineering workstation compromise, and safe escalation rules for critical infrastructure scope. Does not cover: general IT network exploitation (network-technique), physical hardware interfaces UART/JTAG/SPI (hardware-technique), wireless sensor network attacks (wireless-technique), RF/SDR signal analysis (hardware-ctf or wireless-technique), or CTF-framed ICS lab tasks (ics-ctf).
4SKILL.mdUpdated Jun 2, 2026
aeondave/game-technique
tools
VerifiedTrustedCommunity
Offensive methodology for authorized game security assessments, game client security research, and game-adjacent penetration testing in real-world engagements. Use when assessing game clients for cheating vulnerabilities, testing anti-cheat effectiveness, auditing game server protocols for score manipulation or economic fraud, reverse engineering game DRM or license validation, analyzing game save file protection, or assessing game mod/plugin security. Covers: process memory scanning and manipulation (Cheat Engine methodology), game binary reversing for license and DRM bypass, game network protocol analysis and packet replay, anti-cheat mechanism analysis, save file format reversing and tampering, speed hack and value injection techniques. Does NOT cover: CTF game challenges (game-ctf), game engine source code auditing (web-exploit-technique or vuln-search-technique for the backend), or general binary exploitation (pwn-ctf or reversing-technique).
4SKILL.mdUpdated Jun 2, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 2, 2026