ワンクリックで
operator-recon
Discovery alpha — file triage, git patch mining, recon invariant tests before deep analysis.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Discovery alpha — file triage, git patch mining, recon invariant tests before deep analysis.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Practitioner-elevated asset tracing patterns from SlowMist Crypto-Asset-Tracing-Handbook. Provides canonical property tables for obfuscation patterns (peel chains, mixers, bridge hops), address behavior clustering/risk profiling, cross-chain reconstruction workflows. Hard-first on behavioral + flow invariants. Integrates with codegraph-x-ray, deep-dive-handoff, and bounty forensics. Includes reference implementation for mixer deposit/withdrawal clustering. Trigger: alpha-miner on tracing handbook or similar.
Drop-in skill adapted from Glider query engine for static analysis, taint tracking, CFG/DFG traversal in bug bounty. Supports lazy reference loading, creativity layer for audited targets, integrates with bounty-loop. EVM priority with Solana compatibility.
Use for mining validator/runtime/cache/storage-key coherence bugs in blockchain clients, VMs, program loaders, bridge runtimes, and execution harnesses. Hard-first on stale cache, recycled identifier, partial flush, epoch/generation drift, mempool/order-dependent runtime state, and storage-key confusion. Trigger on runtime cache invariant, stale cache bug, VM storage confusion, client cache coherence, Aptos-style hijack, validator-local state, epoch-boundary bug, or when alpha-miner extracts runtime/client exploit engineering.
Cross-references a graphified target codebase (codegraph-x-ray output) against the local AuditVault corpus to surface structurally analogous historical vulnerabilities. Run after codegraph-x-ray has completed and produced invariants.md and property_candidates.md. Produces ranked pattern-match hits with per-finding graph anchor evidence. Pattern matches are advisory signals only — never evidence of exploitability and never a substitute for live reproduction or submission-gate validation.
Combines structured codegraph intelligence with rigorous invariant synthesis. Enforces high-quality usage of codegraph to identify the Primary Target Subsystem, then applies ordered structural invariant discovery with strict verification gates. Produces categorized invariants and high-quality property candidates ready for ultrafuzz-discovery. Trigger on codegraph-x-ray, x-ray with codegraph, invariant synthesis, primary subsystem invariants.
Optional accelerator and scaffolder for ultrafuzz-discovery. Brings parallel specialized invariant discovery agents, automated harness/handler scaffolding, coverage-driven refinement loops, property tagging, and reproducible test generation helpers from high-quality EVM fuzz patterns. Designed to speed up property fan-in and executable attempts phases while preserving NSS rigor, fresh-context pass@k, adjudication, and Crucible usage. Trigger on fuzz-scaffolder, accelerate invariant discovery, generate fuzz harness, scaffold handlers.
| name | operator-recon |
| description | Discovery alpha — file triage, git patch mining, recon invariant tests before deep analysis. |
Phase B discovery workflow. Run before hypothesis-expansion on a cloned target repo.
cd /home/kt/projects/rtp/night-shift-security
.venv/bin/python -m night_shift_security.cli.main semantic map \
--slug <slug> \
--repo /path/to/repo
For Wormhole:
.venv/bin/python -m night_shift_security.cli.main semantic map \
--slug wormhole \
--repo sources/wormhole/repo \
--kind bridge
Artifacts land under data/security_results/semantic/<slug>/; concrete candidates are upserted into data/security_results/knowledge/concrete_candidates.jsonl.
cd /home/kt/projects/rtp/night-shift-security
.venv/bin/python -m night_shift_security.cli.main triage files \
--repo /path/to/klend-repo \
--slug kamino \
--min-score 4 \
--output data/security_results/triage/kamino_files.json
.venv/bin/python -m night_shift_security.cli.main triage patches \
--repo /path/to/klend-repo \
--slug kamino \
--output data/security_results/triage/kamino_patch_shapes.jsonl
Pass ranked paths for analogue hints:
--ranked-file programs/klend/src/oracle.rs \
--ranked-file programs/klend/src/borrow.rs
.venv/bin/python -m night_shift_security.cli.main invariants test \
--from-recon sources/kamino/recon.json \
--output-dir data/security_results/invariants
Failures → refinement_seeds for RSI / hypothesis-expansion context.
For Wormhole targets (not Nomad proxy analogue):
# One-time clone (sparse solana + ethereum):
git clone --depth 1 --filter=blob:none --sparse https://github.com/wormhole-foundation/wormhole.git sources/wormhole/repo
cd sources/wormhole/repo && git sparse-checkout set solana ethereum
.venv/bin/python -m night_shift_security.cli.main triage files \
--repo sources/wormhole/repo --slug wormhole --min-score 4 \
--output data/security_results/triage/wormhole_files.json
.venv/bin/python -m night_shift_security.cli.main triage wormhole-map \
--repo sources/wormhole/repo \
--output data/security_results/triage/wormhole_program_map.json
Canonical IDs land in sources/wormhole/recon.json. Catalogue analogue remains validation-only.
Scoped proposals (no delegate required for parametric pass):
.venv/bin/python hermes/scripts/nss-write-wormhole-triage-proposals.py --min-score 5
.venv/bin/python -m night_shift_security.cli.main --config src/night_shift_security/config/wormhole_shoestring.json \
--proposals data/security_results/hermes_proposals/latest.json run
.venv/bin/python -m night_shift_security.cli.main tools opengrep \
--slug <slug> --repo /path/to/repo
If opengrep/semgrep is absent, tool_missing is non-fatal. SARIF findings never bypass validation.
Write operator-checkpoint with ranked_files from triage output, then scoped hypothesis-expansion on files ≥4 only.
patches (not bare sources/ JSON)NSS_KLEND_FIXTURE=1 in CI; live validator needs RPC + human gate per SOULsources/kamino/recon.json are expected — they feed refinement, not submission