chief-wiggum-marketplace

Chief Wiggum

A Claude Code plugin for iterative vulnerability hunting. Uses a Ralph Wiggum-style self-referential loop with four-phase methodology: map the attack surface, explore for patterns, deep-dive into candidates, and scrutinize with PoC generation.

Built on Ralph Wiggum's self-referential loop pattern.

Install

From GitHub (marketplace)

# In Claude Code:
/plugin marketplace add ant4g0nist/ChiefWiggum
/plugin install chief-wiggum@ant4g0nist-ChiefWiggum

Local development

claude --plugin-dir /path/to/ChiefWiggum/plugins/chief-wiggum

Quick Start

# Start a vulnerability hunt
/chief-wiggum:vuln-hunt --profile ./profiles/chrome-sandbox-escape.yaml \
                        --target /path/to/chromium/src \
                        --max-iterations 50

# Team mode (parallel agents)
CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 \
/chief-wiggum:vuln-hunt --profile ./profiles/chrome-sandbox-escape.yaml \
                        --target /path/to/chromium/src \
                        --team 3

Commands

Command	Description
/chief-wiggum:vuln-hunt	Start a vulnerability hunt
/chief-wiggum:hunt-status	Show status of active hunts
/chief-wiggum:resume-hunt	Resume an interrupted hunt
/chief-wiggum:review-hunt	Review findings and candidates
/chief-wiggum:cancel-hunt	Stop a hunt (preserves data)
/chief-wiggum:restore-hunt	Restore an archived hunt
/chief-wiggum:hunt-help	Show detailed help

How It Works

CONTEXT-BUILD ──> EXPLORE ──> DEEP-DIVE ──> SCRUTINIZE ──> (loop)
     |                                           |
     |        Filesystem memory persists         |
     |     candidates/ findings/ rejected/       |
     └───────────────────────────────────────────┘

1. CONTEXT-BUILD — Map codebase, identify attack surfaces, create hunt plan
2. EXPLORE — Pick highest-priority area, search for vulnerability patterns
3. DEEP-DIVE — Validate candidates with guided questions and code evidence
4. SCRUTINIZE — Devil's advocate analysis, PoC generation, vulnerability reports

The stop hook keeps the loop running across iterations. State is persisted to disk so hunts survive session restarts.

Profiles

Profiles define what to hunt for. A sample is included at plugins/chief-wiggum/profiles/chrome-sandbox-escape.yaml.

name: "My Hunt"
description: "What vulnerabilities to look for..."
language: "rust"

scope:
  include_paths: ["src/**/*"]
  exclude_paths: ["tests/**/*"]
  focus_keywords: ["unsafe", "transmute"]

constraints:
  - "REJECT: False positive pattern"
  - "REQUIRE: Must be reachable from attack surface"

checklist:
  - "Is input validated?"
  - "Are bounds checked?"

Tests

./tests/run-hook-tests.sh

Runs the hook test suite (requires jq).

License

MIT