finds.dev← search

// the find

evilsocket/audit

★ 705 · Python · MIT · updated Jun 2026

An 8-stage vulnerability-discovery agent.

A Python-based vulnerability-discovery pipeline that reimplements Cloudflare's Project Glasswing architecture using the Claude Code Agent SDK. It runs 8 sequential stages — recon, hunt, validate, dedup, trace, feedback, report — with multiple narrow agents working in parallel and a dedicated adversarial validation step to filter out noise. Aimed at security researchers and pentesters who want a structured, repeatable audit harness rather than a one-shot 'find bugs' prompt.

The deliberate disagreement between Hunt (Sonnet) and Validate (Opus, different model) is genuinely clever — running a second model that's specifically trying to disprove findings cuts down on false positives in a way that a single-model chain can't. The reachability gate in Trace is the right call: most static-analysis findings are useless without proof an attacker-controlled input actually reaches the sink, and making that a hard gate rather than an afterthought separates this from toy scanners. Schema-validated output at every stage (JSON Schema in prompts/, repair turn on failure) means the orchestrator doesn't collapse when a model goes off-script. The git history mining in Recon — grepping for past security patches and seeding hunts against sibling files — is a practical trick that catches real cross-component bugs without adding much cost.

Hunt agents run Bash with no OS-level sandboxing, which the README buries in a 'Safety' section with 'use a VM.' That's a real danger: anyone pointed at a target with a malicious build script or a crafted README that social-engineers the agent gets code execution on the host. The cost model is unpredictable enough that a 30-USD cap and a concurrency flag feel like damage control rather than a solution — a production codebase with 50 Hunt tasks and Opus calls on Recon/Validate/Trace could burn through that fast, and there's no pre-run estimate. SQLite as the state store is fine for single-machine runs but means you can't distribute the Hunt fanout across machines without rearchitecting state.py. The live-target reproduction mode passes credentials as CLI flags (--target-creds email=admin@...) which lands them in shell history and process listings on any shared host.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →