// the find
evilsocket/audit
An 8-stage vulnerability-discovery agent.
A Python-based vulnerability-discovery pipeline that reimplements Cloudflare's Project Glasswing architecture using the Claude Code Agent SDK. It runs 8 sequential stages — recon, hunt, validate, dedup, trace, feedback, report — with multiple narrow agents working in parallel and a dedicated adversarial validation step to filter out noise. Aimed at security researchers and pentesters who want a structured, repeatable audit harness rather than a one-shot 'find bugs' prompt.
The deliberate disagreement between Hunt (Sonnet) and Validate (Opus, different model) is genuinely clever — running a second model that's specifically trying to disprove findings cuts down on false positives in a way that a single-model chain can't. The reachability gate in Trace is the right call: most static-analysis findings are useless without proof an attacker-controlled input actually reaches the sink, and making that a hard gate rather than an afterthought separates this from toy scanners. Schema-validated output at every stage (JSON Schema in prompts/, repair turn on failure) means the orchestrator doesn't collapse when a model goes off-script. The git history mining in Recon — grepping for past security patches and seeding hunts against sibling files — is a practical trick that catches real cross-component bugs without adding much cost.
Hunt agents run Bash with no OS-level sandboxing, which the README buries in a 'Safety' section with 'use a VM.' That's a real danger: anyone pointed at a target with a malicious build script or a crafted README that social-engineers the agent gets code execution on the host. The cost model is unpredictable enough that a 30-USD cap and a concurrency flag feel like damage control rather than a solution — a production codebase with 50 Hunt tasks and Opus calls on Recon/Validate/Trace could burn through that fast, and there's no pre-run estimate. SQLite as the state store is fine for single-machine runs but means you can't distribute the Hunt fanout across machines without rearchitecting state.py. The live-target reproduction mode passes credentials as CLI flags (--target-creds email=admin@...) which lands them in shell history and process listings on any shared host.