aeondave/zsteg
offensive-tools/forensic/zsteg/SKILL.md
Auth/lab ref: zsteg PNG/BMP steganography; LSB, bit-plane, color-channel, hidden-data extraction after metadata/strings checks.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill zstegInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 8, 2026, 3:48 AM119.6s1 file scanned
SKILL.md
- name:
- zsteg
- description:
- Auth/lab ref: zsteg PNG/BMP steganography; LSB, bit-plane, color-channel, hidden-data extraction after metadata/strings checks.
- compatibility:
- Linux, macOS, WSL; Ruby gem; strongest on PNG and BMP.
- author:
- AeonDave
- version:
- 1.0
zsteg
Bit-plane spelunking for images that are too quiet on the surface.
When to use zsteg
Use zsteg when you need to:
- scan PNG/BMP files for common LSB and channel-hiding tricks
- enumerate embedded payload candidates quickly
- extract a promising payload for deeper analysis
Quick Start
# Automatic scan
zsteg -a image.png
# Default inspection
zsteg image.png
High-Value Workflows
Extract a specific candidate
zsteg -E "b1,r,lsb,xy" image.png > payload.bin
Broad PNG/BMP triage
- Run
zsteg -a. - Review human-readable hits first.
- Extract promising payloads with
-E. - Feed extracted bytes into
file,strings,foremost, or archive tools.
Practical Notes
- zsteg shines on PNG/BMP artifacts; JPEG-focused suspects usually belong to other workflows.
- Not every hit is meaningful; short text fragments and compressed junk both show up.
- Pair with
steghide,stegseek, and normal image triage rather than betting everything on one pass.
Caveats
- False positives are common on busy or large images.
- The interesting payload may need decompression or decoding after extraction.
- Channel/bit-order choice matters; extraction without context can mislead.
Resources
No bundled scripts/, references/, or assets/.
Use the upstream README for extractor spec syntax and advanced scan flags.
Related Skills
aeondave/vibe-audit-technique
development
VerifiedTrustedCommunity
White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).
4SKILL.mdUpdated Jun 12, 2026
aeondave/source-review-technique
development
VerifiedTrustedCommunity
Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.
4SKILL.mdUpdated Jun 12, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 12, 2026
aeondave/container-technique
devops
VerifiedTrustedCommunity
Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.
4SKILL.mdUpdated Jun 12, 2026