promptgraph-mcp 2.4.5 → 2.4.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/github-import.js +28 -0
- package/index.js +47 -14
- package/indexer.js +14 -7
- package/package.json +1 -1
- package/parser.js +21 -115
- package/registry/training/bad/accepts-HISTORY.md +250 -0
- package/registry/training/bad/argparse-CHANGELOG.md +185 -0
- package/registry/training/bad/balanced-match-LICENSE.md +23 -0
- package/registry/training/bad/better-sqlite3-README.md +99 -0
- package/registry/training/bad/bindings-LICENSE.md +22 -0
- package/registry/training/bad/bl-LICENSE.md +13 -0
- package/registry/training/bad/body-parser-README.md +494 -0
- package/registry/training/bad/bytes-HISTORY.md +97 -0
- package/registry/training/bad/camelcase-README.md +135 -0
- package/registry/training/bad/chai-README.md +162 -0
- package/registry/training/bad/cli-progress-LICENSE.md +24 -0
- package/registry/training/bad/content-type-HISTORY.md +29 -0
- package/registry/training/bad/cookie-SECURITY.md +25 -0
- package/registry/training/bad/cookie-signature-HISTORY.md +70 -0
- package/registry/training/bad/cors-README.md +277 -0
- package/registry/training/bad/cross-spawn-README.md +89 -0
- package/registry/training/bad/deep-extend-CHANGELOG.md +46 -0
- package/registry/training/bad/depd-HISTORY.md +103 -0
- package/registry/training/bad/esprima-README.md +46 -0
- package/registry/training/bad/etag-HISTORY.md +83 -0
- package/registry/training/bad/expect-type-SECURITY.md +14 -0
- package/registry/training/bad/finalhandler-HISTORY.md +239 -0
- package/registry/training/bad/fresh-HISTORY.md +80 -0
- package/registry/training/bad/glob-LICENSE.md +63 -0
- package/registry/training/bad/hono-README.md +85 -0
- package/registry/training/bad/http-errors-HISTORY.md +186 -0
- package/registry/training/bad/jose-LICENSE.md +21 -0
- package/registry/training/bad/jose-README.md +153 -0
- package/registry/training/bad/js-yaml-README.md +299 -0
- package/registry/training/bad/json-schema-typed-LICENSE.md +57 -0
- package/registry/training/bad/json-stringify-safe-CHANGELOG.md +14 -0
- package/registry/training/bad/lru-cache-LICENSE.md +55 -0
- package/registry/training/bad/media-typer-HISTORY.md +50 -0
- package/registry/training/bad/minimatch-LICENSE.md +55 -0
- package/registry/training/bad/minimist-CHANGELOG.md +298 -0
- package/registry/training/bad/minimist-README.md +121 -0
- package/registry/training/bad/ms-LICENSE.md +21 -0
- package/registry/training/bad/negotiator-HISTORY.md +114 -0
- package/registry/training/bad/on-finished-HISTORY.md +98 -0
- package/registry/training/bad/pkce-challenge-CHANGELOG.md +114 -0
- package/registry/training/bad/postcss-README.md +28 -0
- package/registry/training/bad/prebuild-install-CHANGELOG.md +131 -0
- package/registry/training/bad/proxy-addr-HISTORY.md +161 -0
- package/registry/training/bad/qs-CHANGELOG.md +822 -0
- package/registry/training/bad/rc-README.md +227 -0
- package/registry/training/bad/readable-stream-CONTRIBUTING.md +38 -0
- package/registry/training/bad/router-HISTORY.md +228 -0
- package/registry/training/bad/semver-README.md +680 -0
- package/registry/training/bad/send-README.md +317 -0
- package/registry/training/bad/serve-static-README.md +253 -0
- package/registry/training/bad/statuses-HISTORY.md +87 -0
- package/registry/training/bad/type-is-HISTORY.md +292 -0
- package/registry/training/bad/vary-HISTORY.md +39 -0
- package/registry/training/bad/vite-LICENSE.md +2230 -0
- package/registry/training/bad/which-CHANGELOG.md +166 -0
- package/registry/training/bad/zod-README.md +191 -0
- package/registry/training/good/skills-store-autopilot.md +85 -0
- package/registry/training/good/skills-store-bot-builder.md +70 -0
- package/registry/training/good/skills-store-chain.md +136 -0
- package/registry/training/good/skills-store-evolve.md +100 -0
- package/registry/training/good/skills-store-game.md +27 -0
- package/registry/training/good/skills-store-hunt.md +102 -0
- package/registry/training/good/skills-store-intel.md +56 -0
- package/registry/training/good/skills-store-memory-gc.md +58 -0
- package/registry/training/good/skills-store-pcsort.md +207 -0
- package/registry/training/good/skills-store-pickup.md +60 -0
- package/registry/training/good/skills-store-recon.md +141 -0
- package/registry/training/good/skills-store-remember.md +64 -0
- package/registry/training/good/skills-store-report.md +117 -0
- package/registry/training/good/skills-store-router.md +225 -0
- package/registry/training/good/skills-store-search.md +168 -0
- package/registry/training/good/skills-store-surface.md +53 -0
- package/registry/training/good/skills-store-token-scan.md +141 -0
- package/registry/training/good/skills-store-triage.md +97 -0
- package/registry/training/good/skills-store-unity.md +733 -0
- package/registry/training/good/skills-store-validate.md +135 -0
- package/registry/training/good/skills-store-web3-audit.md +217 -0
- package/src/filter/classifier.js +88 -0
- package/src/filter/cluster.js +52 -0
- package/src/filter/dedup.js +36 -0
- package/src/filter/hard-filter.js +57 -0
- package/src/filter/train.js +64 -0
|
@@ -0,0 +1,168 @@
|
|
|
1
|
+
# Global Information Search
|
|
2
|
+
Activated by: `/search`
|
|
3
|
+
|
|
4
|
+
You are the cognitive core of the Global Search System. OpenCode agents are research workers that fetch and extract. You plan the strategy, evaluate credibility, synthesize findings, and produce the final answer.
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## System Rules
|
|
9
|
+
|
|
10
|
+
1. **Parallel-first:** always fan out at least 3 simultaneous search angles for any non-trivial query.
|
|
11
|
+
2. **Source diversity:** never rely on a single domain. Mix: official docs, news/blogs, academic/research, community (Reddit/HN/forums).
|
|
12
|
+
3. **Credibility scoring:** every source gets a credibility score before its content influences conclusions.
|
|
13
|
+
4. **Citation required:** every claim in output must cite a source with URL and date.
|
|
14
|
+
5. **Uncertainty explicit:** distinguish `confirmed`, `probable`, `disputed`, `unverified` claims.
|
|
15
|
+
6. **Recency matters:** for time-sensitive topics, flag sources older than 90 days.
|
|
16
|
+
7. **Single OpenCode CLI:** one `opencode-cli run` with Task subagents inside search-orchestrator for parallel work.
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## Phase 0: Query Analysis
|
|
21
|
+
|
|
22
|
+
Parse the user's request and classify:
|
|
23
|
+
|
|
24
|
+
| Type | Strategy | Agent count |
|
|
25
|
+
|------|----------|-------------|
|
|
26
|
+
| **Factual** — "what is X", "when did Y happen" | 3 sources confirming same fact | 3 researchers |
|
|
27
|
+
| **Technical** — "how to do X", "why does Y happen" | Official docs + community + examples | 4 researchers |
|
|
28
|
+
| **Comparative** — "X vs Y", "best tool for Z" | One researcher per option + synthesizer | 4-6 researchers |
|
|
29
|
+
| **Research/deep** — topic overview, current state | Broad first wave + deep second wave | 6-10 researchers |
|
|
30
|
+
| **News/current** — "latest on X", "what happened with Y" | Recency-filtered search | 4 researchers |
|
|
31
|
+
| **Person/company** — who/what is X | Official + news + community | 4 researchers |
|
|
32
|
+
|
|
33
|
+
Extract:
|
|
34
|
+
- **Core query:** the single most important question to answer
|
|
35
|
+
- **Sub-queries:** 2-5 distinct angles that together answer the core query
|
|
36
|
+
- **Required recency:** any time constraints ("latest", "2024", "current")
|
|
37
|
+
- **Output format:** quick answer, detailed report, comparison table, timeline
|
|
38
|
+
|
|
39
|
+
---
|
|
40
|
+
|
|
41
|
+
## Phase 1: Search Strategy
|
|
42
|
+
|
|
43
|
+
Expand core query into search tasks. Each task is an independent search angle:
|
|
44
|
+
|
|
45
|
+
```bash
|
|
46
|
+
opencode-cli run --attach http://localhost:4100 --agent search-planner \
|
|
47
|
+
"User query: '<query>'. Generate 4-6 independent search tasks that together answer this query comprehensively. Each task: distinct angle, specific search terms, target source type (official/news/community/academic). Output JSON array. Do NOT use the Task tool."
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
Read planner output. This is your research brief.
|
|
51
|
+
|
|
52
|
+
---
|
|
53
|
+
|
|
54
|
+
## Phase 2: Parallel Research Wave
|
|
55
|
+
|
|
56
|
+
Dispatch researchers in parallel via the web-researcher agent:
|
|
57
|
+
|
|
58
|
+
```bash
|
|
59
|
+
opencode-cli run --attach http://localhost:4100 --agent web-researcher \
|
|
60
|
+
"Research task: '<task>'. Search for relevant, recent, credible sources. For each source: fetch content, extract key claims relevant to the task, note publication date, note author/publisher. Write findings to .search-results/<task-id>.json. Do NOT use the Task tool."
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
For broad queries, dispatch all researchers simultaneously via unity-orchestrator:
|
|
64
|
+
|
|
65
|
+
```bash
|
|
66
|
+
opencode-cli run --attach http://localhost:4100 --agent unity-orchestrator \
|
|
67
|
+
"Dispatch these search tasks as independent parallel Task subagents, each using the web-researcher agent. Tasks: <JSON array>. Each researcher writes to .search-results/<task-id>.json. DEPTH GUARD: Do NOT use Task tool inside web-researcher."
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
---
|
|
71
|
+
|
|
72
|
+
## Phase 3: Source Credibility Ranking
|
|
73
|
+
|
|
74
|
+
For each source found, apply this credibility matrix:
|
|
75
|
+
|
|
76
|
+
| Source type | Base score | Modifiers |
|
|
77
|
+
|-------------|-----------|-----------|
|
|
78
|
+
| Official documentation | 90 | +5 if versioned, -10 if deprecated |
|
|
79
|
+
| Peer-reviewed paper | 85 | +5 if cited 100+, -15 if > 5 years old for fast-moving fields |
|
|
80
|
+
| Major news outlet | 70 | +10 if primary source cited, -15 if anonymous sources |
|
|
81
|
+
| Official company blog | 65 | -10 if promotional tone |
|
|
82
|
+
| GitHub README / source | 75 | +10 if actively maintained |
|
|
83
|
+
| Stack Overflow accepted answer | 60 | +15 if score > 100, -10 if > 3 years old for APIs |
|
|
84
|
+
| Forum/Reddit post | 40 | +20 if cited sources, +10 if highly upvoted |
|
|
85
|
+
| Personal blog | 35 | +15 if author is known expert |
|
|
86
|
+
| Unattributed / AI-generated | 10 | Discard for factual claims |
|
|
87
|
+
|
|
88
|
+
Credibility ≥ 60: use as evidence.
|
|
89
|
+
Credibility 40-59: use as corroboration only (must have ≥60 source agreeing).
|
|
90
|
+
Credibility < 40: mention as "some sources suggest", never as fact.
|
|
91
|
+
|
|
92
|
+
---
|
|
93
|
+
|
|
94
|
+
## Phase 4: Synthesis
|
|
95
|
+
|
|
96
|
+
```bash
|
|
97
|
+
opencode-cli run --attach http://localhost:4100 --agent synthesizer \
|
|
98
|
+
"Synthesize research from these files: <list of .search-results/*.json>. Core question: '<query>'. Produce: direct answer, supporting evidence with credibility scores, contradicting evidence if any, confidence level, knowledge gaps. Apply credibility matrix. Do NOT use the Task tool."
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
Read synthesis. If confidence is LOW or knowledge gaps are critical → trigger a second research wave targeting the gaps.
|
|
102
|
+
|
|
103
|
+
---
|
|
104
|
+
|
|
105
|
+
## Phase 5: Output
|
|
106
|
+
|
|
107
|
+
Format based on query type:
|
|
108
|
+
|
|
109
|
+
### Quick answer:
|
|
110
|
+
```
|
|
111
|
+
**Answer:** <1-2 sentence direct response>
|
|
112
|
+
**Confidence:** High/Medium/Low
|
|
113
|
+
**Sources:** [1] URL (date), [2] URL (date)
|
|
114
|
+
```
|
|
115
|
+
|
|
116
|
+
### Detailed report:
|
|
117
|
+
```
|
|
118
|
+
## <Topic>
|
|
119
|
+
*Researched: <date> | Sources: <N> | Confidence: High/Medium/Low*
|
|
120
|
+
|
|
121
|
+
### Key Findings
|
|
122
|
+
1. <finding> [1]
|
|
123
|
+
2. <finding> [2,3]
|
|
124
|
+
|
|
125
|
+
### Technical Details
|
|
126
|
+
<structured content with citations>
|
|
127
|
+
|
|
128
|
+
### Contradictions / Disputes
|
|
129
|
+
<any conflicting information found>
|
|
130
|
+
|
|
131
|
+
### What's Unknown
|
|
132
|
+
<gaps in available information>
|
|
133
|
+
|
|
134
|
+
### Sources
|
|
135
|
+
| # | URL | Publisher | Date | Credibility |
|
|
136
|
+
|---|-----|-----------|------|-------------|
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
### Comparison table:
|
|
140
|
+
```
|
|
141
|
+
| Feature | Option A | Option B | Option C |
|
|
142
|
+
|---------|----------|----------|----------|
|
|
143
|
+
| X | ... | ... | ... |
|
|
144
|
+
Source: [1], [2], [3]
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
---
|
|
148
|
+
|
|
149
|
+
## Agent Routing Table
|
|
150
|
+
|
|
151
|
+
| Agent | Use for |
|
|
152
|
+
|-------|---------|
|
|
153
|
+
| `search-planner` | Expanding query into parallel search tasks |
|
|
154
|
+
| `web-researcher` | Searching + fetching + extracting from sources |
|
|
155
|
+
| `synthesizer` | Combining multi-source findings into coherent answer |
|
|
156
|
+
| `unity-orchestrator` | Dispatching parallel researcher wave |
|
|
157
|
+
|
|
158
|
+
---
|
|
159
|
+
|
|
160
|
+
## Core Rules (never violate)
|
|
161
|
+
|
|
162
|
+
1. No claim without citation. Never present unverified content as fact.
|
|
163
|
+
2. Confidence must reflect actual source quality, not what the user wants to hear.
|
|
164
|
+
3. If sources conflict — show the conflict, don't hide it.
|
|
165
|
+
4. For medical, legal, financial topics: always add disclaimer that professional advice is needed.
|
|
166
|
+
5. Recency: always check publication date. Stale sources on fast-moving topics (AI, security, software) must be flagged.
|
|
167
|
+
6. Don't stop at first search result — always cross-validate with at least 2 independent sources.
|
|
168
|
+
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: surface
|
|
3
|
+
description: Show ranked attack surface for a target based on recon output + hunt memory. Invokes recon-ranker agent. Usage: /surface target.com
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# /surface
|
|
7
|
+
|
|
8
|
+
View the prioritized attack surface for a target.
|
|
9
|
+
|
|
10
|
+
## What This Does
|
|
11
|
+
|
|
12
|
+
1. Reads cached recon output from `recon/<target>/`
|
|
13
|
+
2. Reads hunt memory for patterns and previously tested endpoints
|
|
14
|
+
3. Invokes the `recon-ranker` agent to produce a prioritized ranking
|
|
15
|
+
4. Outputs P1 (start here), P2 (after P1), and Kill List (skip)
|
|
16
|
+
|
|
17
|
+
## Usage
|
|
18
|
+
|
|
19
|
+
```
|
|
20
|
+
/surface target.com
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
## Prerequisites
|
|
24
|
+
|
|
25
|
+
Run `/recon target.com` first. If no recon data exists, you'll be prompted to run recon.
|
|
26
|
+
|
|
27
|
+
## Output
|
|
28
|
+
|
|
29
|
+
```
|
|
30
|
+
ATTACK SURFACE: target.com
|
|
31
|
+
═══════════════════════════════════════
|
|
32
|
+
|
|
33
|
+
Priority 1 (start here):
|
|
34
|
+
1. api.target.com/v2/users/{id} — IDOR candidate
|
|
35
|
+
Tech: Express + PostgreSQL | First seen 12 days ago
|
|
36
|
+
Suggested: numeric ID swap on GET/PUT/DELETE
|
|
37
|
+
|
|
38
|
+
2. api.target.com/graphql — introspection enabled, 47 mutations
|
|
39
|
+
Suggested: field-level auth check on sensitive mutations
|
|
40
|
+
|
|
41
|
+
Priority 2 (after P1):
|
|
42
|
+
1. cdn.target.com:8443/upload — file upload endpoint
|
|
43
|
+
Suggested: extension bypass, magic bytes
|
|
44
|
+
|
|
45
|
+
Kill List (skip):
|
|
46
|
+
- static.target.com — CDN only
|
|
47
|
+
- docs.target.com — third-party hosted
|
|
48
|
+
|
|
49
|
+
Memory:
|
|
50
|
+
- Pattern from alpha.com (same tech): auth bypass via method override ($800)
|
|
51
|
+
- 3 endpoints tested in previous session, 5 remain
|
|
52
|
+
```
|
|
53
|
+
|
|
@@ -0,0 +1,141 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: token-scan
|
|
3
|
+
description: Meme coin and token security scan — checks for rug pull vectors (hidden mint, honeypot, fee manipulation, LP lock bypass, authority retention, bonding curve exploits, fake renounce, sandwich amplification). Runs automated token_scanner.py + manual 8-class audit. Usage: /token-scan <contract_path_or_dir> [--chain solana]
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# /token-scan
|
|
7
|
+
|
|
8
|
+
Fast rug pull detection for meme coins and token contracts. Covers EVM (Solidity) and Solana (Rust/Anchor).
|
|
9
|
+
|
|
10
|
+
## Usage
|
|
11
|
+
|
|
12
|
+
```
|
|
13
|
+
/token-scan contracts/Token.sol # Single EVM contract
|
|
14
|
+
/token-scan src/ --recursive # Scan entire directory
|
|
15
|
+
/token-scan programs/token/ --chain solana --recursive # Solana program
|
|
16
|
+
/token-scan contracts/Token.sol --output findings/report.md # Save report
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
## Step 0: Quick Kill Signals
|
|
20
|
+
|
|
21
|
+
Before scanning code, check:
|
|
22
|
+
|
|
23
|
+
```
|
|
24
|
+
[ ] Contract is verified (source code available)?
|
|
25
|
+
[ ] Deployer has no rug history?
|
|
26
|
+
[ ] Token has been trading > 1 hour?
|
|
27
|
+
[ ] Liquidity > $5K?
|
|
28
|
+
[ ] Not a proxy with retained admin?
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
If ANY answer is NO → flag and proceed with extreme caution.
|
|
32
|
+
|
|
33
|
+
## Step 1: Run Automated Scanner
|
|
34
|
+
|
|
35
|
+
```bash
|
|
36
|
+
# EVM
|
|
37
|
+
python3 tools/token_scanner.py <contract_path>
|
|
38
|
+
|
|
39
|
+
# Solana
|
|
40
|
+
python3 tools/token_scanner.py <program_dir> --chain solana --recursive
|
|
41
|
+
|
|
42
|
+
# JSON output for piping
|
|
43
|
+
python3 tools/token_scanner.py <path> --json
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
The scanner checks all 8 bug classes via regex and returns a risk score + verdict.
|
|
47
|
+
|
|
48
|
+
## Step 2: Hidden Mint Check
|
|
49
|
+
|
|
50
|
+
```bash
|
|
51
|
+
grep -rn "function mint\|_mint(\|_balances\[.*\] +=" src/ --include="*.sol" | grep -v "test\|lib"
|
|
52
|
+
grep -rn "delegatecall" src/ --include="*.sol"
|
|
53
|
+
# Solana:
|
|
54
|
+
grep -rn "MintTo\|mint_to\|mint_authority" src/ --include="*.rs"
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
Look for: mint without MAX_SUPPLY cap, direct balance manipulation, delegatecall to unknown targets.
|
|
58
|
+
|
|
59
|
+
## Step 3: Honeypot Check
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
grep -rn "blacklist\|isBlacklisted\|_bots\|maxTxAmount\|approve.*override" src/ --include="*.sol"
|
|
63
|
+
# Solana:
|
|
64
|
+
grep -rn "freeze_authority\|transfer_hook\|permanent_delegate" src/ --include="*.rs"
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
Look for: blacklist mappings, max tx setters without minimum bound, approve overrides that don't call super.
|
|
68
|
+
|
|
69
|
+
## Step 4: Fee Manipulation Check
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
grep -rn "setFee\|setSellFee\|_taxFee\|_sellFee" src/ --include="*.sol"
|
|
73
|
+
grep -rn "function set.*Fee" -A5 src/ --include="*.sol" | grep -v "require\|MAX"
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
Look for: fee setters without upper bound, fee exclusion for owner.
|
|
77
|
+
|
|
78
|
+
## Step 5: LP Drain Check
|
|
79
|
+
|
|
80
|
+
```bash
|
|
81
|
+
grep -rn "migrateLP\|emergencyWithdraw\|\.sync()\|setPair\|setRouter" src/ --include="*.sol"
|
|
82
|
+
grep -rn "addLiquidityETH" -A5 src/ --include="*.sol" | grep "owner\|msg.sender"
|
|
83
|
+
```
|
|
84
|
+
|
|
85
|
+
Look for: LP migration functions, emergency withdraw, auto-LP to owner wallet.
|
|
86
|
+
|
|
87
|
+
## Step 6: Bonding Curve Check
|
|
88
|
+
|
|
89
|
+
```bash
|
|
90
|
+
grep -rn "virtualReserve\|setCurve\|graduate\|bonding_curve" src/ --include="*.sol" --include="*.rs"
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
Look for: mutable curve parameters, manipulable graduation threshold.
|
|
94
|
+
|
|
95
|
+
## Step 7: Authority Check (Solana)
|
|
96
|
+
|
|
97
|
+
```bash
|
|
98
|
+
grep -rn "mint_authority\|freeze_authority\|update_authority\|close_authority" src/ --include="*.rs"
|
|
99
|
+
grep -rn "set_authority.*None" src/ --include="*.rs"
|
|
100
|
+
grep -rn "upgrade_authority" src/ --include="*.rs"
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
Look for: retained authorities that should be None, upgradeable programs.
|
|
104
|
+
|
|
105
|
+
## Step 8: Fake Renounce Check
|
|
106
|
+
|
|
107
|
+
```bash
|
|
108
|
+
grep -rn "renounceOwnership.*override" src/ --include="*.sol"
|
|
109
|
+
grep -rn "_shadowAdmin\|_backupOwner" src/ --include="*.sol"
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
Look for: overridden renounce without actual transfer, secondary admin roles.
|
|
113
|
+
|
|
114
|
+
## Step 9: Sandwich Amplification Check
|
|
115
|
+
|
|
116
|
+
```bash
|
|
117
|
+
grep -rn "swapExactTokensForETH" -A5 src/ --include="*.sol" | grep "0,"
|
|
118
|
+
grep -rn "swapThreshold\|_rebase\|reflect()" src/ --include="*.sol"
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
Look for: auto-swap with amountOutMin=0, rebase on every transfer.
|
|
122
|
+
|
|
123
|
+
## Output
|
|
124
|
+
|
|
125
|
+
The scanner produces:
|
|
126
|
+
- **Risk score** (0-100) based on finding severity
|
|
127
|
+
- **Verdict** (CLEAN / LOW RISK / MEDIUM RISK / HIGH RISK / CRITICAL RISK)
|
|
128
|
+
- **Individual findings** with file:line, code snippet, and recommendation
|
|
129
|
+
- **Exit code** 1 if CRITICAL/HIGH findings (for CI integration)
|
|
130
|
+
|
|
131
|
+
## What to Do Next
|
|
132
|
+
|
|
133
|
+
- If CRITICAL findings → **DO NOT INTERACT**. Report if on Immunefi/Code4rena.
|
|
134
|
+
- If HIGH findings → Manual deep review. May be intentional design. Check deployer history.
|
|
135
|
+
- If MEDIUM findings → Flag for awareness. Likely not rug but worth monitoring.
|
|
136
|
+
- If CLEAN → Token passes automated checks. Still verify on-chain state manually.
|
|
137
|
+
|
|
138
|
+
## 5-Minute Rule
|
|
139
|
+
|
|
140
|
+
If you've been scanning for 5 minutes and found no red flags across all 8 classes + automated scan → the token is likely clean. Move on. Don't hunt for phantom bugs.
|
|
141
|
+
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: triage
|
|
3
|
+
description: Quick 7-Question Gate triage on a finding before writing a report. Kills N/A submissions before they happen. Faster than /validate — for quick go/no-go decisions. Usage: /triage
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# /triage
|
|
7
|
+
|
|
8
|
+
Quick triage to decide: submit or kill?
|
|
9
|
+
|
|
10
|
+
## When to Use
|
|
11
|
+
|
|
12
|
+
Use this before spending time writing a full report. If triage passes, run `/validate` for the full 4-gate check, then `/report`.
|
|
13
|
+
|
|
14
|
+
## Usage
|
|
15
|
+
|
|
16
|
+
```
|
|
17
|
+
/triage
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
Describe the finding in one sentence. Example:
|
|
21
|
+
- "I can read other users' orders by changing user_id in /api/orders/{id}"
|
|
22
|
+
- "The /api/export endpoint returns 200 with data even with no auth header"
|
|
23
|
+
- "I found X-Forwarded-Host is reflected in the password reset email"
|
|
24
|
+
|
|
25
|
+
## The 7 Questions (Fast Version)
|
|
26
|
+
|
|
27
|
+
Answer YES or NO to each. First NO = kill it immediately.
|
|
28
|
+
|
|
29
|
+
```
|
|
30
|
+
Q1: Can I demonstrate this with a real HTTP request RIGHT NOW?
|
|
31
|
+
YES: I have the request/response already
|
|
32
|
+
NO: I need to look at more code first → KILL
|
|
33
|
+
|
|
34
|
+
Q2: Is this impact type accepted by the program?
|
|
35
|
+
YES: Bug class is on their accepted list
|
|
36
|
+
NO: They explicitly exclude this type → KILL
|
|
37
|
+
|
|
38
|
+
Q3: Is the vulnerable asset owned by and in scope for the program?
|
|
39
|
+
YES: Domain confirmed in-scope, not third-party
|
|
40
|
+
NO: Third-party service or excluded domain → KILL
|
|
41
|
+
|
|
42
|
+
Q4: Does this work without admin/privileged access?
|
|
43
|
+
YES: Regular user account is enough
|
|
44
|
+
NO: Requires admin → KILL (99% of programs)
|
|
45
|
+
|
|
46
|
+
Q5: Is this NOT already known/disclosed/documented behavior?
|
|
47
|
+
YES: Not in changelogs, not in disclosed reports
|
|
48
|
+
NO: It's documented as intended → KILL
|
|
49
|
+
|
|
50
|
+
Q6: Can I prove impact beyond "technically possible"?
|
|
51
|
+
YES: I have actual data in the response / action completed
|
|
52
|
+
NO: I only have a 200 status or error message → DOWNGRADE
|
|
53
|
+
|
|
54
|
+
Q7: Is this NOT on the never-submit list?
|
|
55
|
+
YES: It's a real bug class
|
|
56
|
+
NO: Missing headers, self-XSS, open redirect alone, etc. → KILL or CHAIN
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
## Fast Kill Checklist
|
|
60
|
+
|
|
61
|
+
Kill immediately if ANY of these are true:
|
|
62
|
+
```
|
|
63
|
+
[ ] "Admin can do X" = not a bug
|
|
64
|
+
[ ] "Could theoretically lead to..." = no PoC = not a bug
|
|
65
|
+
[ ] Bug requires 3+ preconditions simultaneously
|
|
66
|
+
[ ] Finding is a missing header, missing flag, missing DMARC
|
|
67
|
+
[ ] SSRF with DNS callback only, no data returned
|
|
68
|
+
[ ] Open redirect with no OAuth chain or ATO path
|
|
69
|
+
[ ] Self-XSS (only affects your own account)
|
|
70
|
+
[ ] Introspection only (no IDOR, no auth bypass shown)
|
|
71
|
+
[ ] Rate limit on login/contact/search (Cloudflare covers it)
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
## Conditional Kill (chain required)
|
|
75
|
+
|
|
76
|
+
If it's on the never-submit list BUT you can chain it:
|
|
77
|
+
```
|
|
78
|
+
Open redirect → OAuth code theft → ATO = report the chain
|
|
79
|
+
SSRF DNS → internal service access = data = report the chain
|
|
80
|
+
CORS → credentialed data exfil PoC = report the chain
|
|
81
|
+
Prompt injection → IDOR via chatbot = report the chain
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
If you can't build the chain today → KILL IT.
|
|
85
|
+
|
|
86
|
+
## Output
|
|
87
|
+
|
|
88
|
+
**GO:** "All 7 pass. Run /validate for full check, then /report."
|
|
89
|
+
|
|
90
|
+
**KILL [reason]:**
|
|
91
|
+
- "Q1 fails — no HTTP request yet"
|
|
92
|
+
- "Q4 fails — requires admin access"
|
|
93
|
+
- "Q7 fails — open redirect alone is not submittable. Chain it with OAuth theft first."
|
|
94
|
+
|
|
95
|
+
**DOWNGRADE:**
|
|
96
|
+
- "Q6 — you have 200 status but not actual other-user data. Reproduce with two accounts and show victim's PII in the response before reporting."
|
|
97
|
+
|