ワンクリックで
investigate-from-scan
Use after Immunefi scan to deep-dive top-ranked programs. Reads latest.json and runs full NSS pipeline per target.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Use after Immunefi scan to deep-dive top-ranked programs. Reads latest.json and runs full NSS pipeline per target.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Practitioner-elevated asset tracing patterns from SlowMist Crypto-Asset-Tracing-Handbook. Provides canonical property tables for obfuscation patterns (peel chains, mixers, bridge hops), address behavior clustering/risk profiling, cross-chain reconstruction workflows. Hard-first on behavioral + flow invariants. Integrates with codegraph-x-ray, deep-dive-handoff, and bounty forensics. Includes reference implementation for mixer deposit/withdrawal clustering. Trigger: alpha-miner on tracing handbook or similar.
Drop-in skill adapted from Glider query engine for static analysis, taint tracking, CFG/DFG traversal in bug bounty. Supports lazy reference loading, creativity layer for audited targets, integrates with bounty-loop. EVM priority with Solana compatibility.
Use for mining validator/runtime/cache/storage-key coherence bugs in blockchain clients, VMs, program loaders, bridge runtimes, and execution harnesses. Hard-first on stale cache, recycled identifier, partial flush, epoch/generation drift, mempool/order-dependent runtime state, and storage-key confusion. Trigger on runtime cache invariant, stale cache bug, VM storage confusion, client cache coherence, Aptos-style hijack, validator-local state, epoch-boundary bug, or when alpha-miner extracts runtime/client exploit engineering.
Cross-references a graphified target codebase (codegraph-x-ray output) against the local AuditVault corpus to surface structurally analogous historical vulnerabilities. Run after codegraph-x-ray has completed and produced invariants.md and property_candidates.md. Produces ranked pattern-match hits with per-finding graph anchor evidence. Pattern matches are advisory signals only — never evidence of exploitability and never a substitute for live reproduction or submission-gate validation.
Combines structured codegraph intelligence with rigorous invariant synthesis. Enforces high-quality usage of codegraph to identify the Primary Target Subsystem, then applies ordered structural invariant discovery with strict verification gates. Produces categorized invariants and high-quality property candidates ready for ultrafuzz-discovery. Trigger on codegraph-x-ray, x-ray with codegraph, invariant synthesis, primary subsystem invariants.
Optional accelerator and scaffolder for ultrafuzz-discovery. Brings parallel specialized invariant discovery agents, automated harness/handler scaffolding, coverage-driven refinement loops, property tagging, and reproducible test generation helpers from high-quality EVM fuzz patterns. Designed to speed up property fan-in and executable attempts phases while preserving NSS rigor, fresh-context pass@k, adjudication, and Crucible usage. Trigger on fuzz-scaffolder, accelerate invariant discovery, generate fuzz harness, scaffold handlers.
| name | investigate-from-scan |
| description | Use after Immunefi scan to deep-dive top-ranked programs. Reads latest.json and runs full NSS pipeline per target. |
Manual/ad-hoc path: scan ranks programs → top N get full investigation via Immunefi-only investigate CLI. Autonomous cross-platform hunt: use bounty-loop skill instead.
.venv/bin/python -m night_shift_security.cli.main scan --platform all --min-bounty 250000
Output: data/security_results/bounty_scan/latest.json (preferred) or legacy immunefi_scan/latest.json
.venv/bin/python -m night_shift_security.cli.main investigate \
--scan data/security_results/bounty_scan/latest.json \
--dry-run --top 3 --ecosystem all
# Cross-target (skip Kamino if already deep-dived):
.venv/bin/python -m night_shift_security.cli.main investigate --dry-run --top 2 --exclude kamino --ecosystem solana
Selects by: scan_grade3_plus (legacy: submission_ready) → best_evidence_grade → solana_reproduced → max_bounty_usd.
For each selected slug, run hypothesis-expansion skill OR parametric cross-target writer:
.venv/bin/python hermes/scripts/nss-write-scan-proposals.py --slug raydium
# --proposals is a GLOBAL flag (before the subcommand)
.venv/bin/python -m night_shift_security.cli.main \
--proposals data/security_results/hermes_proposals/latest.json \
investigate --scan data/security_results/bounty_scan/latest.json \
--top 2 --exclude kamino --ecosystem all
Runs full pipeline per program (dynamic config from kamino_shoestring.json base). Use --exclude kamino after Kamino coordinator campaign. Kamino only runs if scan ranks it in top N and not excluded.
Per run output under data/security_results/: triage grade ≥3, export shoestring pack for grade ≥4.
Required. Follow lab-notebook skill — MEMORY.md + data/security_results/lab_notebook/YYYY-MM-DD-<slug>.md.
--proposals must come before investigate on the CLI (main.py --proposals PATH investigate …). Placing it after the subcommand fails with "unrecognized arguments".--top more than 2-3 per cron tick.targets/<slug>.json use catalogue analogue states only — Kamino has richer recon in sources/kamino/recon.json.--ecosystem evm or all; Solana cron should keep ecosystem solana.