with one click
coldvault.dev
coldvault.dev contains 17 collected skills from rasata, with repository-level occupation coverage and site-owned skill detail pages.
Skills in this repository
Conduct a passive, read-only forensic analysis of a potentially malicious source-code tree. Use this skill when the user suspects a repository, archive, or directory contains hidden payloads, C2 code, obfuscated droppers, or compromised build configs (e.g. injected `tailwind.config.js`, trojaned `package.json` postinstall, suspicious base64 blobs). Produces a full report: attacker signature, payload location, statically decrypted IoCs (C2 IPs, ports, paths, XOR keys, drop paths, exfil endpoints).
Render reports/findings.json + reports/SUMMARY.md into a single-file, self-contained reports/SUMMARY.html whose visual quality matches the /reports/example-summary page on coldvault.dev. No external fonts, no JS framework, no network fetches — the user can double-click the file, email it, or host it anywhere.
Audit GitHub Actions / GitLab CI / CircleCI / Azure Pipelines workflows shipped in target/. Flags the high-risk patterns that have caused real-world supply-chain compromises (pwnrequest, pull_request_target, unpinned actions, secret exfiltration, script-injection via PR title/body).
Inventory the suspect repository (languages, frameworks, package managers, entry points, build system, CI) before any scan. Always run this first — subsequent skills depend on its output.
Inspect cryptographic code for timing leaks. Flags variable-time comparisons on secrets, early-exit loops, and library calls known to be variable-time. Limited static scope — the definitive check is micro-benchmarks on compiled binaries, but ~70% of timing bugs show up in source review.
Map the attack surface of target/ — HTTP routes, CLI commands, exported library symbols, message-queue consumers, GitHub Actions triggers, IPC sockets. Produces reports/entry-points.md.
Find default/weak/insecure configurations — weak crypto, TLS disabled, permissive CORS, debug mode in prod paths, unsafe deserialization switches, open S3 buckets, etc. These are the low-hanging fruit most noisy scanners miss.
Find credentials, API keys, tokens, private keys, and high-entropy strings in target/. Combines gitleaks, trufflehog, detect-secrets, ggshield, and manual entropy grep. Triages each hit for live vs. test vs. revoked.
Produce a PR-style security review of a diff (HEAD vs. base) inside target/, emitting findings in the Anthropic claude-code-security-review JSON schema. Use when the analyst only cares about what changed, not the whole repo.
Author custom Semgrep rules on the fly to hunt for patterns specific to the current audit. Drops the rule into rules/semgrep/ and runs it against target/. Useful for variant analysis and for codifying a manual finding.
Snyk Code-parity workflow for static application security testing. Uses Semgrep with curated rulesets plus language-native analyzers to produce findings equivalent to Snyk Code's categories (injection, crypto, authn, etc.).
Snyk Open Source-parity workflow for software composition analysis. Produces a dependency vulnerability report using open-source tooling (osv-scanner, trivy, grype) plus the bundled snyk CLI if authenticated. Use when the analyst is familiar with the Snyk workflow and wants a drop-in replacement.
Drives the per-language SAST fleet. Decides which analyzers to run based on audit-context-building output, merges SARIF, deduplicates, and produces a single ranked list in reports/sast-merged.sarif.
Evaluate third-party dependencies for known CVEs, typo-squats, malicious maintainers, install-time hooks, unusual registries, and git-URL dependencies. Combines lockfile parsing with OSV / Trivy / Snyk data.
Safety rails. Invoke whenever you are about to run a command that could execute code from target/. Enforces the zero-execution rule defined in CLAUDE.md §0.
Given a confirmed finding, search the whole target/ for semantically similar bugs. Applies the trailofbits variant-analysis approach — one root cause usually breeds siblings.
Scan target/ (source AND binaries/assets) with YARA / YARA-X against curated rulesets (Yara-Rules community + Neo23x0 signature-base) plus project-specific rules in rules/yara/. Also handles capa for binary capability extraction.