Share
## https://sploitus.com/exploit?id=5F3AED14-7257-5707-9F9F-8A4EC18CB83B
# offsec-exploit-research
Elite adaptive whitebox exploit research skill for **Claude Code** and **OpenCode**.
Not a scanner. Not a checklist. A reusable exploit research framework that classifies your target and loads the correct attack methodology.
---
## Install
```bash
npx offsec-exploit-research
```
That's it. The skill is installed globally and available in every project.
---
## Use
Open Claude Code or OpenCode in any project:
1. Type `/skills` to see the skill
2. Ask: *"audit this repo"* or *"find vulnerabilities"*
The skill will:
1. **Fingerprint** the target โ language, framework, architecture, trust model
2. **Classify** it โ kernel? browser? distributed? web app? CLI? (16 categories)
3. **Load the right methodology** โ domain-specific exploit research, not a generic checklist
4. **Map attack surfaces** โ entry points, trust boundaries, external interfaces
5. **Generate exploit hypotheses** โ ranked by `impact ร exploitability ร confidence`
6. **Trace code paths** โ from attacker input to exploitable behavior (not grep)
7. **Validate** โ build, run PoCs, test exploit paths when possible
8. **Synthesize chains** โ combine findings into realistic multi-step exploits
9. **Suppress noise** โ reject unreachable, theoretical, or unexploitable issues
10. **Report** โ structured findings with exact files, root cause, PoC, and remediation
---
## Supported Targets
The skill adapts to fundamentally different software classes:
| Category | Examples |
|---|---|
| Systems / Kernel | Linux kernel, drivers, hypervisors |
| Browser / Sandbox | Chromium, Electron, renderer engines |
| Native Memory-Safety | C/C++ parsers, codecs, protocol handlers |
| Distributed Systems | Kubernetes, service mesh, message brokers |
| Proxy / Gateway | Zuul, Envoy, Nginx, HAProxy, Kong |
| Enterprise Backend | Spring, Django, Rails, ASP.NET, Express |
| Java Platform | Spring Boot, Jakarta EE, Apache middleware |
| .NET Platform | ASP.NET Core, Blazor, Azure Functions |
| CLI / Dev Tooling | Package managers, build tools, agents |
| PowerShell | PS modules, DSC, Windows automation |
| CI/CD | Jenkins, GitHub Actions, GitLab CI |
| Supply Chain | Dependency resolution, plugin systems |
| Container Runtime | runc, containerd, Docker, Podman |
| Cloud Control Plane | IAM, API servers, IaC tooling |
| Parsers | File formats, protocols, data formats |
| Serialization | Java/Python/.NET deserialization surfaces |
| Sandbox Boundaries | seccomp, namespaces, WASM, isolates |
---
## What This Is NOT
- โ SAST / regex scanner
- โ OWASP checklist bot
- โ Generic security review prompt
- โ Noisy static analysis wrapper
## What This IS
- โ
Exploit researcher mindset
- โ
Architecture-aware analysis
- โ
Domain-specific methodology
- โ
Real exploitability validation
- โ
False positive suppression
- โ
Exploit chain synthesis
---
## License
MIT