@elizaos/skills 2.0.0-alpha.10

package/skills/tmux/SKILL.md

@@ -0,0 +1,135 @@
+---
+name: tmux
+description: Remote-control tmux sessions for interactive CLIs by sending keystrokes and scraping pane output.
+metadata:
+  { "otto": { "emoji": "🧵", "os": ["darwin", "linux"], "requires": { "bins": ["tmux"] } } }
+---
+
+# tmux Skill (Otto)
+
+Use tmux only when you need an interactive TTY. Prefer exec background mode for long-running, non-interactive tasks.
+
+## Quickstart (isolated socket, exec tool)
+
+```bash
+SOCKET_DIR="${OTTO_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/otto-tmux-sockets}"
+mkdir -p "$SOCKET_DIR"
+SOCKET="$SOCKET_DIR/otto.sock"
+SESSION=otto-python
+
+tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
+tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- 'PYTHON_BASIC_REPL=1 python3 -q' Enter
+tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
+```
+
+After starting a session, always print monitor commands:
+
+```
+To monitor:
+  tmux -S "$SOCKET" attach -t "$SESSION"
+  tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
+```
+
+## Socket convention
+
+- Use `OTTO_TMUX_SOCKET_DIR`.
+- Default socket path: `"$OTTO_TMUX_SOCKET_DIR/otto.sock"`.
+
+## Targeting panes and naming
+
+- Target format: `session:window.pane` (defaults to `:0.0`).
+- Keep names short; avoid spaces.
+- Inspect: `tmux -S "$SOCKET" list-sessions`, `tmux -S "$SOCKET" list-panes -a`.
+
+## Finding sessions
+
+- List sessions on your socket: `{baseDir}/scripts/find-sessions.sh -S "$SOCKET"`.
+- Scan all sockets: `{baseDir}/scripts/find-sessions.sh --all` (uses `OTTO_TMUX_SOCKET_DIR`).
+
+## Sending input safely
+
+- Prefer literal sends: `tmux -S "$SOCKET" send-keys -t target -l -- "$cmd"`.
+- Control keys: `tmux -S "$SOCKET" send-keys -t target C-c`.
+- For interactive TUI apps like Claude Code/Codex, this guidance covers **how to send commands**.
+  Do **not** append `Enter` in the same `send-keys`. These apps may treat a fast text+Enter
+  sequence as paste/multi-line input and not submit; this is timing-dependent. Send text and
+  `Enter` as separate commands with a small delay (tune per environment; increase if needed,
+  or use `sleep 1` if sub-second sleeps aren't supported):
+
+```bash
+tmux -S "$SOCKET" send-keys -t target -l -- "$cmd" && sleep 0.1 && tmux -S "$SOCKET" send-keys -t target Enter
+```
+
+## Watching output
+
+- Capture recent history: `tmux -S "$SOCKET" capture-pane -p -J -t target -S -200`.
+- Wait for prompts: `{baseDir}/scripts/wait-for-text.sh -t session:0.0 -p 'pattern'`.
+- Attaching is OK; detach with `Ctrl+b d`.
+
+## Spawning processes
+
+- For python REPLs, set `PYTHON_BASIC_REPL=1` (non-basic REPL breaks send-keys flows).
+
+## Windows / WSL
+
+- tmux is supported on macOS/Linux. On Windows, use WSL and install tmux inside WSL.
+- This skill is gated to `darwin`/`linux` and requires `tmux` on PATH.
+
+## Orchestrating Coding Agents (Codex, Claude Code)
+
+tmux excels at running multiple coding agents in parallel:
+
+```bash
+SOCKET="${TMPDIR:-/tmp}/codex-army.sock"
+
+# Create multiple sessions
+for i in 1 2 3 4 5; do
+  tmux -S "$SOCKET" new-session -d -s "agent-$i"
+done
+
+# Launch agents in different workdirs
+tmux -S "$SOCKET" send-keys -t agent-1 "cd /tmp/project1 && codex --yolo 'Fix bug X'" Enter
+tmux -S "$SOCKET" send-keys -t agent-2 "cd /tmp/project2 && codex --yolo 'Fix bug Y'" Enter
+
+# When sending prompts to Claude Code/Codex TUI, split text + Enter with a delay
+tmux -S "$SOCKET" send-keys -t agent-1 -l -- "Please make a small edit to README.md." && sleep 0.1 && tmux -S "$SOCKET" send-keys -t agent-1 Enter
+
+# Poll for completion (check if prompt returned)
+for sess in agent-1 agent-2; do
+  if tmux -S "$SOCKET" capture-pane -p -t "$sess" -S -3 | grep -q "❯"; then
+    echo "$sess: DONE"
+  else
+    echo "$sess: Running..."
+  fi
+done
+
+# Get full output from completed session
+tmux -S "$SOCKET" capture-pane -p -t agent-1 -S -500
+```
+
+**Tips:**
+
+- Use separate git worktrees for parallel fixes (no branch conflicts)
+- `pnpm install` first before running codex in fresh clones
+- Check for shell prompt (`❯` or `$`) to detect completion
+- Codex needs `--yolo` or `--full-auto` for non-interactive fixes
+
+## Cleanup
+
+- Kill a session: `tmux -S "$SOCKET" kill-session -t "$SESSION"`.
+- Kill all sessions on a socket: `tmux -S "$SOCKET" list-sessions -F '#{session_name}' | xargs -r -n1 tmux -S "$SOCKET" kill-session -t`.
+- Remove everything on the private socket: `tmux -S "$SOCKET" kill-server`.
+
+## Helper: wait-for-text.sh
+
+`{baseDir}/scripts/wait-for-text.sh` polls a pane for a regex (or fixed string) with a timeout.
+
+```bash
+{baseDir}/scripts/wait-for-text.sh -t session:0.0 -p 'pattern' [-F] [-T 20] [-i 0.5] [-l 2000]
+```
+
+- `-t`/`--target` pane target (required)
+- `-p`/`--pattern` regex to match (required); add `-F` for fixed string
+- `-T` timeout seconds (integer, default 15)
+- `-i` poll interval seconds (default 0.5)
+- `-l` history lines to search (integer, default 1000)

package/skills/tmux/scripts/find-sessions.sh

@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<'USAGE'
+Usage: find-sessions.sh [-L socket-name|-S socket-path|-A] [-q pattern]
+
+List tmux sessions on a socket (default tmux socket if none provided).
+
+Options:
+  -L, --socket       tmux socket name (passed to tmux -L)
+  -S, --socket-path  tmux socket path (passed to tmux -S)
+  -A, --all          scan all sockets under OTTO_TMUX_SOCKET_DIR
+  -q, --query        case-insensitive substring to filter session names
+  -h, --help         show this help
+USAGE
+}
+
+socket_name=""
+socket_path=""
+query=""
+scan_all=false
+socket_dir="${OTTO_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/otto-tmux-sockets}"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -L|--socket)      socket_name="${2-}"; shift 2 ;;
+    -S|--socket-path) socket_path="${2-}"; shift 2 ;;
+    -A|--all)         scan_all=true; shift ;;
+    -q|--query)       query="${2-}"; shift 2 ;;
+    -h|--help)        usage; exit 0 ;;
+    *) echo "Unknown option: $1" >&2; usage; exit 1 ;;
+  esac
+done
+
+if [[ "$scan_all" == true && ( -n "$socket_name" || -n "$socket_path" ) ]]; then
+  echo "Cannot combine --all with -L or -S" >&2
+  exit 1
+fi
+
+if [[ -n "$socket_name" && -n "$socket_path" ]]; then
+  echo "Use either -L or -S, not both" >&2
+  exit 1
+fi
+
+if ! command -v tmux >/dev/null 2>&1; then
+  echo "tmux not found in PATH" >&2
+  exit 1
+fi
+
+list_sessions() {
+  local label="$1"; shift
+  local tmux_cmd=(tmux "$@")
+
+  if ! sessions="$("${tmux_cmd[@]}" list-sessions -F '#{session_name}\t#{session_attached}\t#{session_created_string}' 2>/dev/null)"; then
+    echo "No tmux server found on $label" >&2
+    return 1
+  fi
+
+  if [[ -n "$query" ]]; then
+    sessions="$(printf '%s\n' "$sessions" | grep -i -- "$query" || true)"
+  fi
+
+  if [[ -z "$sessions" ]]; then
+    echo "No sessions found on $label"
+    return 0
+  fi
+
+  echo "Sessions on $label:"
+  printf '%s\n' "$sessions" | while IFS=$'\t' read -r name attached created; do
+    attached_label=$([[ "$attached" == "1" ]] && echo "attached" || echo "detached")
+    printf '  - %s (%s, started %s)\n' "$name" "$attached_label" "$created"
+  done
+}
+
+if [[ "$scan_all" == true ]]; then
+  if [[ ! -d "$socket_dir" ]]; then
+    echo "Socket directory not found: $socket_dir" >&2
+    exit 1
+  fi
+
+  shopt -s nullglob
+  sockets=("$socket_dir"/*)
+  shopt -u nullglob
+
+  if [[ "${#sockets[@]}" -eq 0 ]]; then
+    echo "No sockets found under $socket_dir" >&2
+    exit 1
+  fi
+
+  exit_code=0
+  for sock in "${sockets[@]}"; do
+    if [[ ! -S "$sock" ]]; then
+      continue
+    fi
+    list_sessions "socket path '$sock'" -S "$sock" || exit_code=$?
+  done
+  exit "$exit_code"
+fi
+
+tmux_cmd=(tmux)
+socket_label="default socket"
+
+if [[ -n "$socket_name" ]]; then
+  tmux_cmd+=(-L "$socket_name")
+  socket_label="socket name '$socket_name'"
+elif [[ -n "$socket_path" ]]; then
+  tmux_cmd+=(-S "$socket_path")
+  socket_label="socket path '$socket_path'"
+fi
+
+list_sessions "$socket_label" "${tmux_cmd[@]:1}"

package/skills/tmux/scripts/wait-for-text.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<'USAGE'
+Usage: wait-for-text.sh -t target -p pattern [options]
+
+Poll a tmux pane for text and exit when found.
+
+Options:
+  -t, --target    tmux target (session:window.pane), required
+  -p, --pattern   regex pattern to look for, required
+  -F, --fixed     treat pattern as a fixed string (grep -F)
+  -T, --timeout   seconds to wait (integer, default: 15)
+  -i, --interval  poll interval in seconds (default: 0.5)
+  -l, --lines     number of history lines to inspect (integer, default: 1000)
+  -h, --help      show this help
+USAGE
+}
+
+target=""
+pattern=""
+grep_flag="-E"
+timeout=15
+interval=0.5
+lines=1000
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -t|--target)   target="${2-}"; shift 2 ;;
+    -p|--pattern)  pattern="${2-}"; shift 2 ;;
+    -F|--fixed)    grep_flag="-F"; shift ;;
+    -T|--timeout)  timeout="${2-}"; shift 2 ;;
+    -i|--interval) interval="${2-}"; shift 2 ;;
+    -l|--lines)    lines="${2-}"; shift 2 ;;
+    -h|--help)     usage; exit 0 ;;
+    *) echo "Unknown option: $1" >&2; usage; exit 1 ;;
+  esac
+done
+
+if [[ -z "$target" || -z "$pattern" ]]; then
+  echo "target and pattern are required" >&2
+  usage
+  exit 1
+fi
+
+if ! [[ "$timeout" =~ ^[0-9]+$ ]]; then
+  echo "timeout must be an integer number of seconds" >&2
+  exit 1
+fi
+
+if ! [[ "$lines" =~ ^[0-9]+$ ]]; then
+  echo "lines must be an integer" >&2
+  exit 1
+fi
+
+if ! command -v tmux >/dev/null 2>&1; then
+  echo "tmux not found in PATH" >&2
+  exit 1
+fi
+
+# End time in epoch seconds (integer, good enough for polling)
+start_epoch=$(date +%s)
+deadline=$((start_epoch + timeout))
+
+while true; do
+  # -J joins wrapped lines, -S uses negative index to read last N lines
+  pane_text="$(tmux capture-pane -p -J -t "$target" -S "-${lines}" 2>/dev/null || true)"
+
+  if printf '%s\n' "$pane_text" | grep $grep_flag -- "$pattern" >/dev/null 2>&1; then
+    exit 0
+  fi
+
+  now=$(date +%s)
+  if (( now >= deadline )); then
+    echo "Timed out after ${timeout}s waiting for pattern: $pattern" >&2
+    echo "Last ${lines} lines from $target:" >&2
+    printf '%s\n' "$pane_text" >&2
+    exit 1
+  fi
+
+  sleep "$interval"
+done

package/skills/trello/SKILL.md

@@ -0,0 +1,95 @@
+---
+name: trello
+description: Manage Trello boards, lists, and cards via the Trello REST API.
+homepage: https://developer.atlassian.com/cloud/trello/rest/
+metadata:
+  {
+    "otto":
+      { "emoji": "📋", "requires": { "bins": ["jq"], "env": ["TRELLO_API_KEY", "TRELLO_TOKEN"] } },
+  }
+---
+
+# Trello Skill
+
+Manage Trello boards, lists, and cards directly from Otto.
+
+## Setup
+
+1. Get your API key: https://trello.com/app-key
+2. Generate a token (click "Token" link on that page)
+3. Set environment variables:
+   ```bash
+   export TRELLO_API_KEY="your-api-key"
+   export TRELLO_TOKEN="your-token"
+   ```
+
+## Usage
+
+All commands use curl to hit the Trello REST API.
+
+### List boards
+
+```bash
+curl -s "https://api.trello.com/1/members/me/boards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq '.[] | {name, id}'
+```
+
+### List lists in a board
+
+```bash
+curl -s "https://api.trello.com/1/boards/{boardId}/lists?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq '.[] | {name, id}'
+```
+
+### List cards in a list
+
+```bash
+curl -s "https://api.trello.com/1/lists/{listId}/cards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq '.[] | {name, id, desc}'
+```
+
+### Create a card
+
+```bash
+curl -s -X POST "https://api.trello.com/1/cards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" \
+  -d "idList={listId}" \
+  -d "name=Card Title" \
+  -d "desc=Card description"
+```
+
+### Move a card to another list
+
+```bash
+curl -s -X PUT "https://api.trello.com/1/cards/{cardId}?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" \
+  -d "idList={newListId}"
+```
+
+### Add a comment to a card
+
+```bash
+curl -s -X POST "https://api.trello.com/1/cards/{cardId}/actions/comments?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" \
+  -d "text=Your comment here"
+```
+
+### Archive a card
+
+```bash
+curl -s -X PUT "https://api.trello.com/1/cards/{cardId}?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" \
+  -d "closed=true"
+```
+
+## Notes
+
+- Board/List/Card IDs can be found in the Trello URL or via the list commands
+- The API key and token provide full access to your Trello account - keep them secret!
+- Rate limits: 300 requests per 10 seconds per API key; 100 requests per 10 seconds per token; `/1/members` endpoints are limited to 100 requests per 900 seconds
+
+## Examples
+
+```bash
+# Get all boards
+curl -s "https://api.trello.com/1/members/me/boards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN&fields=name,id" | jq
+
+# Find a specific board by name
+curl -s "https://api.trello.com/1/members/me/boards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq '.[] | select(.name | contains("Work"))'
+
+# Get all cards on a board
+curl -s "https://api.trello.com/1/boards/{boardId}/cards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq '.[] | {name, list: .idList}'
+```

package/skills/variant-analysis/.claude-plugin/plugin.json

@@ -0,0 +1,8 @@
+{
+  "name": "variant-analysis",
+  "version": "1.0.0",
+  "description": "Find similar vulnerabilities and bugs across codebases using pattern-based analysis",
+  "author": {
+    "name": "Axel Mierczuk"
+  }
+}

package/skills/variant-analysis/README.md

@@ -0,0 +1,41 @@
+# Variant Analysis
+
+Find similar vulnerabilities and bugs across codebases using pattern-based analysis.
+
+**Author:** Axel Mierczuk
+
+## When to Use
+
+Use this skill when you need to:
+- Hunt for bug variants after finding an initial vulnerability
+- Build CodeQL or Semgrep queries from a known bug pattern
+- Perform systematic code audits across large codebases
+- Analyze security vulnerabilities and find similar instances
+- Create reusable patterns for recurring vulnerability classes
+
+## What It Does
+
+This skill provides a systematic five-step process for variant analysis:
+1. **Understand the original issue** - Identify root cause, conditions, and exploitability
+2. **Create an exact match** - Start with a pattern matching only the known bug
+3. **Identify abstraction points** - Determine what can be generalized
+4. **Iteratively generalize** - Expand patterns one element at a time
+5. **Analyze and triage** - Document and prioritize findings
+
+Includes:
+- Tool selection guidance (ripgrep, Semgrep, CodeQL)
+- Critical pitfalls to avoid (narrow scope, over-specific patterns)
+- Ready-to-use templates for CodeQL and Semgrep in Python, JavaScript, Java, Go, and C++
+- Detailed methodology documentation
+
+## Installation
+
+```
+/plugin install trailofbits/skills/plugins/variant-analysis
+```
+
+## Related Skills
+
+- `codeql` - Primary tool for deep interprocedural variant analysis
+- `semgrep` - Fast pattern matching for simpler variants
+- `sarif-parsing` - Process variant analysis results

package/skills/variant-analysis/SKILL.md

@@ -0,0 +1,142 @@
+---
+name: variant-analysis
+description: Find similar vulnerabilities and bugs across codebases using pattern-based analysis. Use when hunting bug variants, building CodeQL/Semgrep queries, analyzing security vulnerabilities, or performing systematic code audits after finding an initial issue.
+---
+
+# Variant Analysis
+
+You are a variant analysis expert. Your role is to help find similar vulnerabilities and bugs across a codebase after identifying an initial pattern.
+
+## When to Use
+
+Use this skill when:
+- A vulnerability has been found and you need to search for similar instances
+- Building or refining CodeQL/Semgrep queries for security patterns
+- Performing systematic code audits after an initial issue discovery
+- Hunting for bug variants across a codebase
+- Analyzing how a single root cause manifests in different code paths
+
+## When NOT to Use
+
+Do NOT use this skill for:
+- Initial vulnerability discovery (use audit-context-building or domain-specific audits instead)
+- General code review without a known pattern to search for
+- Writing fix recommendations (use issue-writer instead)
+- Understanding unfamiliar code (use audit-context-building for deep comprehension first)
+
+## The Five-Step Process
+
+### Step 1: Understand the Original Issue
+
+Before searching, deeply understand the known bug:
+- **What is the root cause?** Not the symptom, but WHY it's vulnerable
+- **What conditions are required?** Control flow, data flow, state
+- **What makes it exploitable?** User control, missing validation, etc.
+
+### Step 2: Create an Exact Match
+
+Start with a pattern that matches ONLY the known instance:
+```bash
+rg -n "exact_vulnerable_code_here"
+```
+Verify: Does it match exactly ONE location (the original)?
+
+### Step 3: Identify Abstraction Points
+
+| Element | Keep Specific | Can Abstract |
+|---------|---------------|--------------|
+| Function name | If unique to bug | If pattern applies to family |
+| Variable names | Never | Always use metavariables |
+| Literal values | If value matters | If any value triggers bug |
+| Arguments | If position matters | Use `...` wildcards |
+
+### Step 4: Iteratively Generalize
+
+**Change ONE element at a time:**
+1. Run the pattern
+2. Review ALL new matches
+3. Classify: true positive or false positive?
+4. If FP rate acceptable, generalize next element
+5. If FP rate too high, revert and try different abstraction
+
+**Stop when false positive rate exceeds ~50%**
+
+### Step 5: Analyze and Triage Results
+
+For each match, document:
+- **Location**: File, line, function
+- **Confidence**: High/Medium/Low
+- **Exploitability**: Reachable? Controllable inputs?
+- **Priority**: Based on impact and exploitability
+
+For deeper strategic guidance, see [METHODOLOGY.md](skills/variant-analysis/METHODOLOGY.md).
+
+## Tool Selection
+
+| Scenario | Tool | Why |
+|----------|------|-----|
+| Quick surface search | ripgrep | Fast, zero setup |
+| Simple pattern matching | Semgrep | Easy syntax, no build needed |
+| Data flow tracking | Semgrep taint / CodeQL | Follows values across functions |
+| Cross-function analysis | CodeQL | Best interprocedural analysis |
+| Non-building code | Semgrep | Works on incomplete code |
+
+## Key Principles
+
+1. **Root cause first**: Understand WHY before searching for WHERE
+2. **Start specific**: First pattern should match exactly the known bug
+3. **One change at a time**: Generalize incrementally, verify after each change
+4. **Know when to stop**: 50%+ FP rate means you've gone too generic
+5. **Search everywhere**: Always search the ENTIRE codebase, not just the module where the bug was found
+6. **Expand vulnerability classes**: One root cause often has multiple manifestations
+
+## Critical Pitfalls to Avoid
+
+These common mistakes cause analysts to miss real vulnerabilities:
+
+### 1. Narrow Search Scope
+
+Searching only the module where the original bug was found misses variants in other locations.
+
+**Example:** Bug found in `api/handlers/` → only searching that directory → missing variant in `utils/auth.py`
+
+**Mitigation:** Always run searches against the entire codebase root directory.
+
+### 2. Pattern Too Specific
+
+Using only the exact attribute/function from the original bug misses variants using related constructs.
+
+**Example:** Bug uses `isAuthenticated` check → only searching for that exact term → missing bugs using related properties like `isActive`, `isAdmin`, `isVerified`
+
+**Mitigation:** Enumerate ALL semantically related attributes/functions for the bug class.
+
+### 3. Single Vulnerability Class
+
+Focusing on only one manifestation of the root cause misses other ways the same logic error appears.
+
+**Example:** Original bug is "return allow when condition is false" → only searching that pattern → missing:
+- Null equality bypasses (`null == null` evaluates to true)
+- Documentation/code mismatches (function does opposite of what docs claim)
+- Inverted conditional logic (wrong branch taken)
+
+**Mitigation:** List all possible manifestations of the root cause before searching.
+
+### 4. Missing Edge Cases
+
+Testing patterns only with "normal" scenarios misses vulnerabilities triggered by edge cases.
+
+**Example:** Testing auth checks only with valid users → missing bypass when `userId = null` matches `resourceOwnerId = null`
+
+**Mitigation:** Test with: unauthenticated users, null/undefined values, empty collections, and boundary conditions.
+
+## Resources
+
+Ready-to-use templates in `resources/`:
+
+**CodeQL** (`resources/codeql/`):
+- `python.ql`, `javascript.ql`, `java.ql`, `go.ql`, `cpp.ql`
+
+**Semgrep** (`resources/semgrep/`):
+- `python.yaml`, `javascript.yaml`, `java.yaml`, `go.yaml`, `cpp.yaml`
+
+**Report**: `resources/variant-report-template.md`

package/skills/variant-analysis/commands/variants.md

@@ -0,0 +1,23 @@
+---
+name: trailofbits:variants
+description: Finds similar vulnerabilities using pattern-based analysis
+argument-hint: "(uses conversation context for bug pattern)"
+allowed-tools:
+  - Read
+  - Grep
+  - Glob
+  - Bash
+  - Task
+---
+
+# Find Vulnerability Variants
+
+**Arguments:** $ARGUMENTS
+
+This command is context-driven. Use conversation context to understand:
+1. The original bug/vulnerability that was found
+2. The codebase to search
+
+If context is unclear, ask for a description of the original vulnerability.
+
+Invoke the `variant-analysis` skill for the full workflow.