captain-ai-hub/router-fs-vuln-audit
skills/router-fs-vuln-audit/SKILL.md
Audit extracted router firmware filesystems and binaries loaded in IDA via IDA MCP. Use when a user asks to identify externally exposed services (for example HTTP/HTTPS), prioritize binaries for reverse engineering, hunt pre-auth RCE, auth bypass, and post-auth RCE chains, and output a defensible vulnerability report with a minimal verification PoC.
$ install --global
skillsauthnpx skillsauth add captain-ai-hub/ida-mcp router-fs-vuln-auditInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 10:29 PM15.1s5 files scanned
SKILL.md
- name:
- router-fs-vuln-audit
- description:
- Audit extracted router firmware filesystems and binaries loaded in IDA via IDA MCP. Use when a user asks to identify externally exposed services (for example HTTP/HTTPS), prioritize binaries for reverse engineering, hunt pre-auth RCE, auth bypass, and post-auth RCE chains, and output a defensible vulnerability report with a minimal verification PoC.
Router Fs Vuln Audit
Goal
Execute a repeatable three-step router-firmware vulnerability workflow:
- Identify externally exposed services from the extracted filesystem and output a prioritized binary list for IDA loading.
- Audit those binaries through IDA MCP and correlate findings with scripts/web assets in the filesystem.
- Produce a report and a minimal reproducible PoC.
Workflow
Step 1: Identify Externally Exposed Services and Prioritize Binaries
Do not assume a fixed router filesystem layout. Different vendors place binaries, startup scripts, web roots, and configs in different paths.
Do not require the user to run bundled scripts. Prefer direct filesystem inspection and concise search commands as needed.
Focus on externally reachable attack surface first:
- HTTP/HTTPS management plane (for example
httpd,uhttpd,lighttpd,boa,goahead,nginx). - Other network-facing daemons (for example UPnP, DNS/DHCP, SSH/Telnet/FTP/TFTP, TR-069/CWMP, proprietary TCP/UDP services).
- Helper processes that parse network/user-controlled data and invoke command execution, nvram, or restart hooks.
Find evidence from files rather than hardcoded paths:
- Service startup and respawn logic (for example
rc, init scripts,inittab, service launch scripts). - Daemon binaries and symlinks in executable directories.
- Config files with listen ports, bind addresses, auth toggles, endpoint mappings, and CGI/handler directives.
- Web root assets (
.cgi,.asp,.htm,.js) and route/action strings from binaries.
Required Step 1 outputs:
- Exposed service inventory with protocol, port (if known), and evidence file paths.
ida-prioritylist of absolute binary paths ordered by likely exploitability.- HTTP route/endpoint candidate list when web services are present.
IDA prioritization order:
- HTTP request handlers and control-plane dispatchers.
- WAN/LAN-reachable management daemons.
- Data-parsing helpers that connect request input to sensitive sinks.
Deliver to user:
- Absolute paths of priority binaries.
- Brief reason per binary tied to external exposure.
- Explicit “load these into IDA first” instruction.
Step 2: Perform IDA MCP Vulnerability Audit
Use the playbook in references/ida-audit-playbook.md.
Always run this sequence:
mcp__IDAMCP__check_connectionmcp__IDAMCP__list_instancesmcp__IDAMCP__select_instance- Per target binary:
list_functions,decompile,xrefs_to,xrefs_from,strings-guided function review.
Hunt targets:
- Pre-auth RCE sinks:
system/popen/eval/doSystemCmd-style wrappers reachable from HTTP/UPnP/UDP handlers. - Auth bypass: weak/optional
auth_check, referrer-only checks, token/session logic inconsistencies, no-auth endpoint whitelists. - Post-auth RCE: config/apply handlers that pass user-controlled fields into command builders (
rc_service, shell scripts, nvram hooks).
Correlate each binary finding with filesystem evidence:
- Web forms and JS endpoints in discovered web roots.
- Service startup/restart paths in discovered init/rc/service scripts.
- Config templates in discovered config directories.
Require per-finding evidence:
- Function name/address.
- Data flow summary (source -> check -> sink).
- Trigger endpoint/protocol.
- Constraints and exploitability conditions.
Step 3: Produce Report and Minimal Verification PoC
Use templates:
references/report-template.mdreferences/poc-template.md
PoC requirements:
- Default to non-destructive verification payloads.
- Include prerequisites, exact request, and expected observable result.
- Avoid wormable, self-propagating, or destructive payload behavior.
- Clearly separate “verified” vs “inferred” claims.
Report requirements:
- Affected component and firmware build.
- Root cause with code evidence.
- Attack path (pre-auth / auth bypass + post-auth).
- Reproduction steps and expected output.
- Suggested fix and regression checks.
Resource Index
references/
references/ida-audit-playbook.md: MCP command flow and vulnerability hunt checklist.references/report-template.md: vendor-report structure.references/poc-template.md: minimal reproducible PoC format.
Related Skills
captain-ai-hub/idapython
development
VerifiedTrustedCommunity
IDA Pro Python scripting for reverse engineering. Use when writing IDAPython scripts, analyzing binaries, working with IDA's API for disassembly, decompilation (Hex-Rays), type systems, cross-references, functions, segments, or any IDA database manipulation. Covers ida_* modules (50+), idautils iterators, and common patterns.
190SKILL.mdUpdated Apr 3, 2026
openclaw/taskflow
tools
VerifiedTrustedCommunity
Use when work should span one or more detached tasks but still behave like one job with a single owner context. TaskFlow is the durable flow substrate under authoring layers like Lobster, ACPX, plugins, or plain code. Keep conditional logic in the caller; use TaskFlow for flow identity, child-task linkage, waiting state, revision-checked mutations, and user-facing emergence.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,764SKILL.mdUpdated Apr 10, 2026
steipete/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,588SKILL.mdUpdated Apr 13, 2026