ghostonbutterbread/brainstorm-spec
skills/brainstorm-spec/SKILL.md
Use when creating, editing, summarizing, or importing a target-lane brainstorm spec with /brainstorm-spec so zero_day_team, apk_team, and future harness modules can consume hypothesis-driven dynamic agents.
data-ai
Updated May 8, 2026
$ install --global
skillsauthnpx skillsauth add ghostonbutterbread/bug-bounty-harness brainstorm-specInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 8, 2026, 2:48 AM117.1s2 files scanned
SKILL.md
- name:
- brainstorm-spec
- description:
- Use when creating, editing, summarizing, or importing a target-lane brainstorm spec with /brainstorm-spec so zero_day_team, apk_team, and future harness modules can consume hypothesis-driven dynamic agents.
Brainstorm Spec
Create and maintain a durable brainstorm/spec.md for a target lane.
Invocation
/brainstorm-spec <program> [--family <family>] [--lane <lane>] [--target-kind <kind>] [--target-path <path>]
/brainstorm-spec <program> --add-hypothesis
/brainstorm-spec <program> --summarize-gaps
/brainstorm-spec <program> --from-report <report.md>
Examples:
/brainstorm-spec canva --family binaries --lane exe --target-kind electron-exe
/brainstorm-spec canva --add-hypothesis
/brainstorm-spec canva --summarize-gaps
/brainstorm-spec canva --from-report /home/ryushe/Shared/binaries/canva/exe/reports/dormant/index.md
Required Preflight
Read shared state before changing the brainstorm spec:
- Existing
brainstorm/spec.md, if present brainstorm/coverage.jsonl, if present- Current confirmed and dormant reports for the target lane
notes/summary.md,notes/observations.md,checklist.md, andtodo.mdwhen they exist$HARNESS_ROOT/prompts/brainstorm-spec-playbook.md
Canonical Files
- Playbook:
$HARNESS_ROOT/prompts/brainstorm-spec-playbook.md - Default lane spec:
~/Shared/{family}/{program}/{lane}/brainstorm/spec.md - Default coverage ledger:
~/Shared/{family}/{program}/{lane}/brainstorm/coverage.jsonl - Legacy web spec:
$HARNESS_SHARED_BASE/{program}/brainstorm/spec.md(read-only discovery/migration source only) - Parser/runtime module:
$HARNESS_ROOT/agents/brainstorm_spec.py
Use the existing target lane root when one is obvious from reports, team output, or the requested --family, --lane, or --target-path.
Do not create or update new specs under $HARNESS_SHARED_BASE; write to the lane-local ~/Shared/{family}/{program}/{lane}/brainstorm/ path unless the user explicitly overrides the spec path.
Responsibilities
- Create the canonical
brainstorm/spec.mdif missing. - Convert rough target ideas into structured hypotheses.
- Pull impact primitives from current dormant or confirmed reports.
- Summarize unresolved, blocked, retired, and tested hypotheses.
- Preserve human-written context and unknown sections when editing.
- Keep findings in the normal findings ledger; do not create a separate vulnerability ledger.
- Do not run high-volume security tools from this skill.
Workflow
- Resolve the lane root and spec path.
- Read
$HARNESS_ROOT/prompts/brainstorm-spec-playbook.md. - If the spec does not exist, create it from the playbook template.
- For
--add-hypothesis, ask for or infer the surface, entry point, expected chain, priority, suggested agents, tags, focus files, and evidence. - For
--from-report, extract impact primitives and hypothesis candidates from the report, then add only source-backed entries. - For
--summarize-gaps, useBrainstormSpecStore.coverage_summaryorsummarize_coverageto report authoritative statuses and outcomes fromcoverage.jsonl, then list remaining untested or blocked hypotheses. - Validate the spec with
BrainstormSpecStore.loadoragents.brainstorm_spec.parse_brainstorm_specwhen possible. - Leave team execution to
zero_day_team --brainstorm-specorapk_team --brainstorm-spec.
Runtime Handoff
When the user wants to run hypotheses, pass the spec to the team runtime instead of implementing execution here:
cd "${HARNESS_ROOT:-$HOME/projects/bug_bounty_harness}"
PYTHONPATH="$PWD${PYTHONPATH:+:$PYTHONPATH}" \
python3 agents/zero_day_team.py <program> <target> --brainstorm-spec <spec-path>
cd "${HARNESS_ROOT:-$HOME/projects/bug_bounty_harness}"
PYTHONPATH="$PWD${PYTHONPATH:+:$PYTHONPATH}" \
python3 agents/apk_team.py <program> <target> --brainstorm-spec <spec-path>
Use focused runtime flags only when explicitly requested:
--brainstorm-only
--brainstorm-hypothesis H001
Validation
Lightweight validation:
cd "${HARNESS_ROOT:-$HOME/projects/bug_bounty_harness}"
SPEC_PATH="PATH_TO_BRAINSTORM_SPEC" \
PYTHONPATH="$PWD${PYTHONPATH:+:$PYTHONPATH}" \
python3 - <<'PY'
import os
from agents.brainstorm_spec import BrainstormSpecStore
spec = BrainstormSpecStore.load(os.environ["SPEC_PATH"])
coverage = spec.path.with_name("coverage.jsonl")
summary = BrainstormSpecStore.coverage_summary(coverage, spec=spec)
print(f"loaded {len(spec.hypotheses)} hypotheses from {spec.path}")
print(f"status counts: {summary['counts_by_status']}")
print(f"outcome counts: {summary['counts_by_outcome']}")
PY
Do not move brainstorm code into bounty_core from this skill.
Related Skills
ghostonbutterbread/stored-xss
documentation
VerifiedTrustedCommunity
Use when attacker-controlled input is saved and rendered later in a profile, comment, title, notification, admin view, export, email, feed, upload metadata, or other stored render surface.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/reflected-xss
content-media
VerifiedTrustedCommunity
Use when attacker-controlled input appears in the immediate HTTP response or browser-rendered page and needs reflected XSS context classification, payload selection, mutation, and browser verification.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/pwnfox
data-ai
VerifiedTrustedCommunity
Use when inspecting proxy traffic from PwnFox-profiled browser sessions, filtering Caido/Burp/proxy history by X-PwnFox-Color, or interpreting user phrases like 'Red session' as a distinct browser/auth/profile lane.
SKILL.mdUpdated Jun 6, 2026
ghostonbutterbread/skills/lfi
tools
VerifiedTrustedCommunity
# LFI — Local File Inclusion Bypass ## What It Does Tests LFI bypass techniques: path traversal, null bytes, wrappers, log poisoning. Load `general-security-testing-policy`, `live-testing-policy`, and `injection-testing-policy` before live testing. For file/path sinks, absence of an immediate file read or response delta is not a stop reason by itself; use the policy to reason about path normalization, extension allowlists, wrappers, encoding, parser differences, and stack-specific proof ladder
SKILL.mdUpdated Jun 6, 2026