MCP HubMCP Hub
Back to Skills

Static Vulnerability Analysis

macaugh
Updated Yesterday
72 views
2
2
View on GitHub
Developmentgeneral

About

This skill performs static vulnerability analysis by examining source code without execution to identify security flaws. It combines automated pattern matching with manual code review to find issues like memory safety problems and logic flaws. Use it when source code is available, before dynamic testing, or during security code reviews for languages including C/C++, Java, Python, JavaScript, and PHP.

Quick Install

Claude Code

Recommended
Plugin CommandRecommended
/plugin add https://github.com/macaugh/super-rouge-hunter-skills
Git CloneAlternative
git clone https://github.com/macaugh/super-rouge-hunter-skills.git ~/.claude/skills/Static Vulnerability Analysis

Copy and paste this command in Claude Code to install this skill

Documentation

Static Vulnerability Analysis

Overview

Static analysis examines source code without executing it, identifying security vulnerabilities through pattern matching, data flow analysis, and manual code review. This technique is essential for finding logic flaws, authentication bypasses, and subtle vulnerabilities that automated tools might miss.

Core principle: Combine automated tools with manual review. Tools find patterns; humans find logic flaws.

Common Vulnerability Patterns

Memory Safety Issues (C/C++)

// Buffer Overflow
char buffer[256];
strcpy(buffer, user_input);  // ❌ Unsafe
strncpy(buffer, user_input, sizeof(buffer)-1);  // ✓ Safer

// Integer Overflow
size_t alloc = user_count * item_size;  // ❌ Can overflow
void *ptr = malloc(alloc);

// Use After Free
free(ptr);
ptr->field = value;  // ❌ Use after free

// Double Free
free(ptr);
free(ptr);  // ❌ Double free

Injection Vulnerabilities

# SQL Injection
query = f"SELECT * FROM users WHERE name = '{user_input}'"  # ❌
cursor.execute(query)

# Safe: Parameterized queries
cursor.execute("SELECT * FROM users WHERE name = ?", (user_input,))  # ✓

# Command Injection
os.system(f"ping {user_input}")  # ❌

# Safe: Use subprocess with list
subprocess.run(["ping", user_input])  # ✓

# Path Traversal
filepath = f"/data/{user_filename}"  # ❌ ../../../etc/passwd
open(filepath, 'r')

# Safe: Validate and use os.path.join with validation

Authentication and Authorization

# Broken Authentication
if username == "admin" and password == config.ADMIN_PASSWORD:  # ❌ Timing attack
    grant_access()

# Better: Use constant-time comparison
import hmac
if hmac.compare_digest(username, "admin") and \
   hmac.compare_digest(password, config.ADMIN_PASSWORD):
    grant_access()

# Authorization Bypass
def get_user_data(user_id):
    # ❌ No authorization check
    return database.get_user(user_id)

# Better: Check authorization
def get_user_data(user_id):
    if current_user.id != user_id and not current_user.is_admin:
        raise UnauthorizedException()
    return database.get_user(user_id)

Automated Tools

# Semgrep - Pattern-based analysis
semgrep --config=auto /path/to/source

# Bandit - Python security linter
bandit -r /path/to/python/code

# ESLint with security plugins - JavaScript
eslint --plugin security /path/to/js

# Brakeman - Ruby on Rails
brakeman /path/to/rails/app

# FindSecBugs - Java
# SpotBugs with FindSecBugs plugin

# SonarQube - Multi-language
sonar-scanner

Manual Review Checklist

  • Input validation on all user-controlled data
  • Authentication mechanisms (session management, password storage)
  • Authorization checks (IDOR, privilege escalation)
  • Cryptographic implementations (weak algorithms, hardcoded keys)
  • Error handling (information disclosure)
  • Business logic flaws
  • Race conditions and time-of-check-time-of-use
  • Sensitive data exposure (logs, error messages)

Data Flow Analysis

# Trace tainted data from source to sink
# SOURCE: User input
# SINK: Dangerous operation

# Example:
user_input = request.GET['file']  # SOURCE
# ... no validation ...
content = open(user_input).read()  # SINK

# Finding: Path traversal vulnerability
# No validation between source and sink

Integration with Other Skills

  • skills/analysis/zero-day-hunting - Comprehensive vulnerability research
  • skills/exploitation/exploit-dev-workflow - Exploitation of found vulnerabilities
  • skills/documentation/* - Document findings

GitHub Repository

macaugh/super-rouge-hunter-skills
Path: skills/analysis/static-vuln-analysis

Related Skills

subagent-driven-development

Development

This skill executes implementation plans by dispatching a fresh subagent for each independent task, with code review between tasks. It enables fast iteration while maintaining quality gates through this review process. Use it when working on mostly independent tasks within the same session to ensure continuous progress with built-in quality checks.

View skill

algorithmic-art

Meta

This Claude Skill creates original algorithmic art using p5.js with seeded randomness and interactive parameters. It generates .md files for algorithmic philosophies, plus .html and .js files for interactive generative art implementations. Use it when developers need to create flow fields, particle systems, or other computational art while avoiding copyright issues.

View skill

executing-plans

Design

Use the executing-plans skill when you have a complete implementation plan to execute in controlled batches with review checkpoints. It loads and critically reviews the plan, then executes tasks in small batches (default 3 tasks) while reporting progress between each batch for architect review. This ensures systematic implementation with built-in quality control checkpoints.

View skill

cost-optimization

Other

This Claude Skill helps developers optimize cloud costs through resource rightsizing, tagging strategies, and spending analysis. It provides a framework for reducing cloud expenses and implementing cost governance across AWS, Azure, and GCP. Use it when you need to analyze infrastructure costs, right-size resources, or meet budget constraints.

View skill