validate
$ npx mdskill add H-mmer/pentest-agents/validate

SKILL.md (.github/skills/validate)
---
name: validate
description: "Validate a finding through the 7-Question Gate + 4 gates. Kills weak findings FAST. Usage: /validate <finding description>"
disable-model-invocation: false
---

Validate finding: $ARGUMENTS

This is the MOST IMPORTANT command. Run it BEFORE writing any report. It takes 30 seconds to kill a bad lead. A report takes 30 minutes.

## Step 1: Identify

Read findings.md and brain data. Locate the finding matching "$ARGUMENTS". Show finding details and ask user to confirm.

## Step 2: Run 7-Question Gate

Launch `validator` agent: "Validate this finding through the 7-Question Gate and 4-gate checklist: [finding details]. Check `rules/hunting.md` Rule 19 for the never-submit list AND `rules/mistakes.md` (REPORTING + METHODOLOGY sections) for lessons agents commonly miss — especially: (a) theoretical vs confirmed exploits, (b) file-path hallucinations, (c) CVSS-version mismatch per platform, (d) status-code asymmetry ≠ proven bug, (e) single-account IDOR ≠ cross-account leak. Output PASS, KILL, DOWNGRADE, or CHAIN REQUIRED with specific reason."

## Step 3: Act on Result

**If PASS:**

1. Launch `poc-builder` agent to create minimal PoC
2. Capture evidence: `uv run python3 $CLAUDE_PROJECT_DIR/tools/capture.py screenshot`
3. Launch `report-writer` agent for platform-ready draft
4. Launch `quality-check` agent — block if score < 7
5. Show: score, draft path, PoC path, suggested title
6. Suggest: `/dupcheck <finding>` then `/submit <finding>`

**If KILL:**

1. Record to brain: `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py record <target> exhausted "<finding>" "<kill reason>"`
2. Tell user: "Finding killed at Q[N]: [reason]. Move on."
3. Suggest next action: `/hunt <target>` or `/surface <target>`

**If DOWNGRADE:**

1. Tell user what's needed to prove higher impact
2. Suggest specific test to run

**If CHAIN REQUIRED:**

1. Tell user what chain is needed
2. Suggest: `/chain` to build the chain
3. Record as partial in brain

## Top-Tier Validation Bar

Validation is where mediocre hunters become expensive or elite. Apply these hard checks before PASS:

- The finding demonstrates a capability, not just an anomaly.
- The affected asset is in scope and policy allows the validation method.
- The PoC is reproducible by another operator in under ten minutes.
- Evidence includes request/response or browser proof and a clear readback marker.
- Severity is based on achieved impact, not potential impact.
- Duplicate and never-submit classes have been considered.
- Chaining has been attempted for low standalone classes.

If one check fails, prefer KILL or DOWNGRADE over "probably valid." Record the missing proof so the hunter can run one precise follow-up instead of re-litigating the whole bug.