Share
## https://sploitus.com/exploit?id=5F3AED14-7257-5707-9F9F-8A4EC18CB83B
# offsec-exploit-research

Elite adaptive whitebox exploit research skill for **Claude Code** and **OpenCode**.

Not a scanner. Not a checklist. A reusable exploit research framework that classifies your target and loads the correct attack methodology.

---

## Install

```bash
npx offsec-exploit-research
```

That's it. The skill is installed globally and available in every project.

---

## Use

Open Claude Code or OpenCode in any project:

1. Type `/skills` to see the skill
2. Ask: *"audit this repo"* or *"find vulnerabilities"*

The skill will:

1. **Fingerprint** the target โ€” language, framework, architecture, trust model
2. **Classify** it โ€” kernel? browser? distributed? web app? CLI? (16 categories)
3. **Load the right methodology** โ€” domain-specific exploit research, not a generic checklist
4. **Map attack surfaces** โ€” entry points, trust boundaries, external interfaces
5. **Generate exploit hypotheses** โ€” ranked by `impact ร— exploitability ร— confidence`
6. **Trace code paths** โ€” from attacker input to exploitable behavior (not grep)
7. **Validate** โ€” build, run PoCs, test exploit paths when possible
8. **Synthesize chains** โ€” combine findings into realistic multi-step exploits
9. **Suppress noise** โ€” reject unreachable, theoretical, or unexploitable issues
10. **Report** โ€” structured findings with exact files, root cause, PoC, and remediation

---

## Supported Targets

The skill adapts to fundamentally different software classes:

| Category | Examples |
|---|---|
| Systems / Kernel | Linux kernel, drivers, hypervisors |
| Browser / Sandbox | Chromium, Electron, renderer engines |
| Native Memory-Safety | C/C++ parsers, codecs, protocol handlers |
| Distributed Systems | Kubernetes, service mesh, message brokers |
| Proxy / Gateway | Zuul, Envoy, Nginx, HAProxy, Kong |
| Enterprise Backend | Spring, Django, Rails, ASP.NET, Express |
| Java Platform | Spring Boot, Jakarta EE, Apache middleware |
| .NET Platform | ASP.NET Core, Blazor, Azure Functions |
| CLI / Dev Tooling | Package managers, build tools, agents |
| PowerShell | PS modules, DSC, Windows automation |
| CI/CD | Jenkins, GitHub Actions, GitLab CI |
| Supply Chain | Dependency resolution, plugin systems |
| Container Runtime | runc, containerd, Docker, Podman |
| Cloud Control Plane | IAM, API servers, IaC tooling |
| Parsers | File formats, protocols, data formats |
| Serialization | Java/Python/.NET deserialization surfaces |
| Sandbox Boundaries | seccomp, namespaces, WASM, isolates |

---

## What This Is NOT

- โŒ SAST / regex scanner
- โŒ OWASP checklist bot
- โŒ Generic security review prompt
- โŒ Noisy static analysis wrapper

## What This IS

- โœ… Exploit researcher mindset
- โœ… Architecture-aware analysis
- โœ… Domain-specific methodology
- โœ… Real exploitability validation
- โœ… False positive suppression
- โœ… Exploit chain synthesis

---

## License

MIT