aeondave/source-review-technique
offensive-techniques/source-review-technique/SKILL.md
Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill source-review-techniqueInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 12, 2026, 3:51 AM79.9s2 files scanned
SKILL.md
- name:
- source-review-technique
- description:
- Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.
source-review-technique
Goal: Discover zero-day vulnerabilities in source code by combining deterministic structural search with LLM-assisted data flow analysis.
When this technique applies
- A target's source code is available (open source, leaked, or decompiled/decompressed).
- You need to track tainted inputs to sensitive sinks (SAST).
- Pure regex/search is too noisy, but full manual review is too slow.
The Hybrid Workflow
Modern SAST effectively bridges static tools with LLMs. The LLM acts as the triage and data-flow validator, while tools like semgrep or grep map the initial graph.
1. Sink and Source Mapping (Deterministic)
Do not ask the LLM to "find bugs" across thousands of lines at once. It will hallucinate.
- Identify Sources: HTTP requests, CLI args, file reads, database returns, IPC.
- Identify Sinks:
exec,system,query,eval,deserialize,UnsafeCell, memory allocators. - Map: Use
grep_searchorvscode_listCodeUsagesto find all invocations of the sinks.
2. Taint Evaluation (LLM-Assisted)
For each high-value sink found:
- Traverse backward to find where the arguments originated.
- Verify if the arguments are controllable by an attacker (the Source).
- If the path crosses file boundaries (inter-procedural), explicitly read those files.
- Context enrichment: Search locally for validators, sanitizers, or middleware.
3. Verification & Evidence
- Do not report a vulnerability unless you can trace a continuous line from Source to Sink.
- Document the exact file, line number, and variables involved at each step.
- Identify what conditions must be bypassed to reach the sink.
Quality Gates
- No generic bug reports: If the finding is "Xss vulnerability because
printis used", reject it unless you can prove the input is strictly user-controlled and unescaped. - Dependency boundaries: If the sink is in a third-party framework, check how the target application actually invokes that framework instance.
- Evidence format: Produce a markdown file detailing the exact Attack Path, required preconditions, and the affected code snippet blocks.
References
- references/bug-classes.md — Targeted sink patterns for common architectures (e.g. Deserialization, Path Traversal, Memory Corruption).
Related Skills
aeondave/vibe-audit-technique
development
VerifiedTrustedCommunity
White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).
4SKILL.mdUpdated Jun 12, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 12, 2026
aeondave/container-technique
devops
VerifiedTrustedCommunity
Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.
4SKILL.mdUpdated Jun 12, 2026
aeondave/cicd-technique
development
VerifiedTrustedCommunity
CI/CD supply chain methodology: identifying poisoned pipelines, unsafe GitHub Actions, and extracting build secrets.
4SKILL.mdUpdated Jun 12, 2026