Install: `claude install-skill air-gapped/skills`
# /vuln-scan
Static vulnerability review of a source tree. Produces `VULN-FINDINGS.json`
(+ a human-readable `.md`) that `/triage` ingests directly.
**This skill does not execute code.** It reads source and reasons about it.
For execution-verified findings (sanitizer crashes, reproducing PoCs), point
the user at an autonomous execution harness — see `HARNESS.md` in this skill
directory for the reference C/C++ + AddressSanitizer pipeline this group was
extracted from.
**Tool fallbacks.** Prefer the dedicated Glob and Grep tools. Some sessions
do not provision them — `allowed-tools` is a permission filter, not a loader,
so listing them here does not make them appear. When Glob/Grep are
unavailable, fall back to the read-only Bash commands whitelisted above:
`rg --files <scope>` / `ls -R` for enumeration, `rg -n` / `grep -rn` for
search, `wc` / `head` / `file` for sniffing. These are the ONLY permitted
Bash commands; do not write helper scripts or pipe target content into a
shell interpreter.
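The fallback chain above as an added shell example (not code from the skill itself): each helper tries the `rg` form first and drops to the `ls -R` / `grep -rn` form when `rg` is absent, using only the whitelisted read-only commands. The sample target tree is constructed inline; the helper names (`enumerate_scope`, `search_scope`, `sniff_file`, `count_hits`) are assumptions.

```shell
# Added example, not part of the skill. Only the whitelisted read-only commands
# are used; nothing from the target is ever piped into a shell interpreter.

# Enumerate files in scope: prefer `rg --files`, fall back to `ls -R`.
enumerate_scope() {
  scope="$1"
  if command -v rg >/dev/null 2>&1; then
    rg --files "$scope"
  else
    ls -R "$scope"
  fi
}

# Search scope for a fixed-string pattern: prefer `rg -n`, fall back to
# `grep -rn`. Both print path:line:text, so downstream parsing is identical.
search_scope() {
  scope="$1"; pattern="$2"
  if command -v rg >/dev/null 2>&1; then
    rg -n -F -- "$pattern" "$scope"
  else
    grep -rn -F -- "$pattern" "$scope"
  fi
}

# Sniff one file without reading it whole: line count, first lines, type.
sniff_file() {
  wc -l "$1"; head -n 3 "$1"; file "$1"
}

# Number of lines in scope matching a pattern, i.e. the raw hit count a
# focus-area pass records before reasoning about each hit individually.
count_hits() {
  search_scope "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample target: two C files, one of which calls strcpy.
make_sample_target() {
  dir=$(mktemp -d)
  printf '#include <string.h>\nvoid f(char *d, const char *s) { strcpy(d, s); }\n' > "$dir/a.c"
  printf 'int g(void) { return 0; }\n' > "$dir/b.c"
  echo "$dir"
}
```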
## Arguments
- `<target-dir>` (required) — directory to scan. Relative or absolute.
- `--focus <area>` — scan only this focus area (repeatable). Skips recon.
- `--single` — no subagent fan-out; one sequential pass. Use on tiny targets
or when debugging the prompt.
- `--extra <file>` — append the contents of `<file>` to the review brief
(after the category list). Use to add org-specific vulnerability classes,
compliance checks, or stack-specific patterns. Plain text; same shape as