ghostonbutterbread/appmap-research-librarian
skills/appmap-research-librarian/SKILL.md
Use when creating a gated research campaign for AppMap where one agent scouts external sources, another validates them into structured technique packs, and AppMap later ingests only reviewed local seed data or explicit validated URLs.
testing
Updated May 8, 2026
$ install --global
skillsauthnpx skillsauth add ghostonbutterbread/bug-bounty-harness appmap-research-librarianInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 8, 2026, 2:48 AM131.2s2 files scanned
SKILL.md
- name:
- appmap-research-librarian
- description:
- Use when creating a gated research campaign for AppMap where one agent scouts external sources, another validates them into structured technique packs, and AppMap later ingests only reviewed local seed data or explicit validated URLs.
AppMap Research Librarian
Create an offline campaign workspace that bridges open-ended source research and deterministic AppMap ingest.
Invocation
/appmap-research-librarian init <program> --category <class> [--research-query WORD [WORD ...]] [--target-kind <kind>] [--focus rce]
/appmap-research-librarian validate <campaign_dir> [--seed <validated_seed.json>]
/appmap-research-librarian plan-appmap <campaign_dir> <target_path> [--write-specs] [--output-mode standalone|canonical] [--family <family>] [--lane <lane>] [--use-web-sources]
Examples:
/appmap-research-librarian init canva --category electron-ipc --research-query electron rce --target-kind electron-exe
/appmap-research-librarian validate ~/Shared/appmap/canva/research-librarian/<run_id>
/appmap-research-librarian plan-appmap ~/Shared/appmap/canva/research-librarian/<run_id> /home/ryushe/Shared/binaries/canva/exe/input/app_asar --write-specs --output-mode canonical --family binaries --lane exe
Required Preflight
Read the playbook first:
$HARNESS_ROOT/prompts/appmap-research-librarian-playbook.md$HARNESS_ROOT/prompts/appmap-playbook.mdwhen planning AppMap ingest- Existing target lane notes if a family/lane is obvious
Canonical Files
- Wrapper:
$HARNESS_ROOT/agents/appmap_research_librarian.py - Playbook:
$HARNESS_ROOT/prompts/appmap-research-librarian-playbook.md - Default campaigns:
~/Shared/appmap/{program}/research-librarian/{run_id}/ - Scout brief:
{campaign}/scout_brief.md - Validator brief:
{campaign}/validator_brief.md - Scout source candidates:
{campaign}/sources.todo.jsonl - Validated seed:
{campaign}/validated_research_seed.json - Validation report:
{campaign}/validation_report.json - Planned AppMap command:
{campaign}/plan_appmap_command.txt
Responsibilities
- Create a research campaign directory for a category/class.
- Generate a source-scout brief for a research agent.
- Generate a validator brief for a second agent that filters sources and writes structured seed data.
- Validate local seed JSON/JSONL without network access.
- Plan the AppMap ingest command.
- Keep AppMap deterministic: no search scraping, browser crawling, autonomous spidering, or target probing inside this wrapper.
Workflow
- Run
initwith the program and category/class. - Spawn or instruct a scout agent using
scout_brief.md. - Put curated source candidates in
sources.todo.jsonl. - Spawn or instruct a validator agent using
validator_brief.md. - Validator writes
validated_research_seed.jsonwith citedsourcesandtechnique_packs. - Run
validate; fix anyvalidation_report.jsonerrors. Planning requires at least one validated source and one validated technique pack. - Run
plan-appmap; prefer local seed mode unless the user explicitly wants validated URL web mode. - Run the generated AppMap command only when the user asks to proceed.
Safety
- This wrapper is offline by design.
- Research scouts may use their own allowed search/browser tools, but their output must be reviewed before AppMap sees it.
- Prefer
--research-mode local --research-seed <validated_seed>for replayable campaigns. --use-web-sourcesplans--research-mode webonly from validator-approved HTTPS source URLs.
Related Skills
ghostonbutterbread/request-exploration
testing
VerifiedTrustedCommunity
Systematic live request mutation: flip booleans, field ops, headers, content-type, parser differentials, replay vs intercept, null/empty testing. Inherits live-testing-policy scope/rate/ownership rules.
SKILL.mdUpdated Jun 13, 2026
ghostonbutterbread/password-reset
development
VerifiedTrustedCommunity
Test password reset, forgot-password, reset-token, email reset, and account recovery flows for account takeover risks.
SKILL.mdUpdated Jun 13, 2026
ghostonbutterbread/intelligent-fuzzing
tools
VerifiedTrustedCommunity
Targeted param/field discovery using tech stack clues, naming conventions, and controlled-rate ffuf — then feeds findings into request-exploration for mutation. Not brute-force; informed and scoped.
SKILL.mdUpdated Jun 13, 2026
ghostonbutterbread/create-account
testing
VerifiedTrustedCommunity
Ghost-only workflow for creating approved bug bounty test accounts and saving credential references.
SKILL.mdUpdated Jun 13, 2026