
exploit-hunt

Use when hunting for actually-exploitable vulnerabilities — reachable, user-controlled paths into a real sink (SSRF, SQLi, command injection, RCE, deserialization, path traversal, XSS), discarding theoretical or local-only noise. Offensive triage, the counterpart to security-bar's defensive checklist.
Endika/eskills · ★ 0 · AI & Automation · score 75
Install: claude install-skill Endika/eskills
# exploit-hunt

## Overview

The offensive counterpart to `eskills:security-bar`. security-bar asks _"is this built right?"_; this asks _"can an attacker actually reach a sink?"_. Use it for a deeper, on-demand pass on a codebase — not as a per-task lens. It is **not** in the default `eskills:task-flow` quality stage; reach for it when a change touches a real boundary, or when auditing an app end-to-end.

## The principle

**Unreachable is not a finding.** A theoretically unsafe call that no external input can reach is a note, not a vulnerability. Prove that user-controlled input travels from a real boundary to a meaningful sink — or drop it. Bias hard toward remotely reachable, user-driven paths; throw away the rest.

## In scope — prove user control reaches the sink

| Pattern | CWE | Impact |
| --- | --- | --- |
| SSRF via user-controlled URL | 918 | internal network, cloud metadata theft |
| Auth bypass in middleware / API guards | 287 | unauthorized account or data access |
| Remote deserialization / upload→RCE | 502 | code execution |
| SQL injection in a reachable endpoint | 89 | exfiltration, auth bypass, data loss |
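The "prove user control reaches the sink" rule above can be mechanised as a small source-to-sink reachability check. The following Python is an added example, not part of the eskills skill or its repository: it parses a constructed sample module with the standard `ast` library, treats reads from a `request` object's `args`/`form`/`json`/`headers`/`cookies` as the boundary, propagates taint through straight-line assignments, and reports only those sink calls (a hypothetical set mapped to the CWE numbers in the table) that a tainted value actually reaches. A sink with a constant argument, or one fed only through an assumed sanitiser such as `int()`, is deliberately not reported, which is exactly the "note, not a vulnerability" distinction the principle draws. The source, sink and sanitiser names are assumptions for illustration.

```python
"""Minimal intra-procedural taint check: does request-controlled data reach a sink?
Added example for illustration; not eskills code. Sources, sinks and sanitisers below
are assumptions chosen to mirror the in-scope table."""
import ast

# Assumed boundary: attributes of the incoming `request` object that carry user input.
SOURCE_ATTRS = {"args", "form", "json", "headers", "cookies"}
# Assumed sinks (dotted call name -> CWE from the table above).
SINKS = {
    "os.system": 78,
    "subprocess.run": 78,
    "requests.get": 918,
    "pickle.loads": 502,
    "cursor.execute": 89,
}
# Assumed sanitisers: a value that passes through one of these is no longer attacker-shaped.
SANITIZERS = {"int", "shlex.quote"}


def dotted_name(node):
    """Render a call target such as `a.b.c` as a dotted string, or None if not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def reads_source(expr):
    """True if the expression reads request.args / request.form / ... anywhere inside it."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Attribute) and sub.attr in SOURCE_ATTRS:
            if isinstance(sub.value, ast.Name) and sub.value.id == "request":
                return True
    return False


def expr_tainted(expr, tainted):
    """Tainted if it reads the boundary or a tainted name; a top-level sanitiser call clears it."""
    if isinstance(expr, ast.Call) and dotted_name(expr.func) in SANITIZERS:
        return False
    if reads_source(expr):
        return True
    return any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(expr))


def find_reachable_sinks(source_code):
    """Return [(function, sink, cwe, line)] for every sink call a tainted value reaches."""
    findings = []
    tree = ast.parse(source_code)
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in func.body:  # straight-line propagation only; enough to show the idea
            # 1. flag sink calls whose arguments are tainted at this point
            for call in [n for n in ast.walk(stmt) if isinstance(n, ast.Call)]:
                name = dotted_name(call.func)
                if name in SINKS and any(expr_tainted(a, tainted) for a in call.args):
                    findings.append((func.name, name, SINKS[name], call.lineno))
            # 2. propagate taint through simple `name = <expr>` assignments
            if isinstance(stmt, ast.Assign) and expr_tainted(stmt.value, tainted):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        tainted.add(target.id)
    return findings


# Constructed sample module: two reachable paths, two that must be dropped.
SAMPLE = '''
import os, requests

def health():
    os.system("uptime")                      # sink, constant argument: a note, not a finding

def fetch(request):
    target = request.args.get("url")         # boundary
    return requests.get(target)              # user-controlled URL reaches outbound request (SSRF)

def lookup(request, cursor):
    name = request.form["name"]              # boundary
    query = f"SELECT * FROM users WHERE name = '{name}'"
    cursor.execute(query)                    # tainted string reaches the query sink (SQLi)

def export(request):
    n = int(request.args.get("n"))           # sanitised before use: taint cleared
    os.system(f"tar -cf backup{n}.tar data") # sink reached only by the sanitised value: dropped
'''

if __name__ == "__main__":
    for func, sink, cwe, line in find_reachable_sinks(SAMPLE):
        print(f"{func}: {sink} (CWE-{cwe}) at sample line {line}")
```

Run stand-alone it reports only `fetch` (CWE-918) and `lookup` (CWE-89); `health` and `export` both contain sinks, but neither is reachable by unsanitised user input, so neither is a finding. The check is intentionally narrow (no cross-function or cross-branch tracking, and only a top-level sanitiser call is recognised), which is the right bias for triage: anything it reports has a demonstrable boundary-to-sink path, and anything it drops still needs the manual "can this be reached at all?" question before it is promoted.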