By cloudripper
LLM-in-the-loop coverage-guided fuzzing, concolic execution, and crash triage for C/C++. Model agents keep libFuzzer/AFL++ fed and steered over a schema-driven state machine, verify crashes through a multi-step pipeline, and render maintainer-ready reports. Supports multi-harness campaigns, CVE-pattern intelligence, LLM code review, and an opt-in self-looping mode.
Writes fuzz/state/plan.md, the campaign strategy document that every downstream specialist (harness-writer, seed-generator, coverage-analyst, concolic-executor) reads. Two write modes — fresh (COLD start, no prior plan) and revise (mid-campaign, folds in live coverage / findings / gap data; archives the prior plan to snapshots/plan-{ts}.md). Opus-only. Consult-mode invocations are handled by the planner-consult agent, not this one.
Tier 3 of the code review pipeline. Reads code-reviewer (Sonnet)'s output, performs cross-file taint analysis on findings flagged with needs_deep_pass, refines high/medium findings with chain-fuel context, and ADDS new findings that emerge from deeper reading. Opus, cost-disciplined. Dispatched after code-reviewer completes, unless the user opted out via --no-deep.
Tier 2 of the code review pipeline. Reads the deterministic prescan output + CVE-pattern guidance + target source. Emits structured findings + focus areas. Flags candidates that need Opus deep-pass attention. Runs on Sonnet for cost; the Opus deep pass is handled by the separate code-reviewer-deep agent.
Drives SymCC to generate inputs that satisfy hard path constraints. Invoked by fuzz-orchestrator when the gap report contains `checksum_barrier` or `deep_path_condition` gaps. Modeled on Atlantis-Multilang's concolic_input_gen module. Haiku, cost-disciplined.
Analyzes fuzzer coverage state and emits a strict gaps-report/v1 JSON to fuzz/state/snapshots/. The output bridges "fuzzer is stuck" and "LLM knows what to do next." Reads cmplog dictionary if present to ground gap classification in runtime evidence. Invoked by fuzz-orchestrator on coverage plateau.
Start, resume, or report a fuzzing campaign. Auto-detects state and does the right thing. — usage: <target-source-or-header> [entry-function] [--budget=20] [--reset] [--no-coverage]
Manually invoke concolic execution (SymCC) against the current corpus and gap report. Targets checksum_barrier and deep_path_condition gaps. Auto-dispatched by the orchestrator; available standalone for forced runs. — usage: [gap-id | all] [--harness <name>]
Take a coverage snapshot and analyze gaps. Emits a ranked gap report that downstream specialists consume. — usage: [path-to-coverage-snapshot] [--harness <name>] [natural-language guidance...]
Compute git-diff-based delta targets for the campaign. Runs on demand only — the orchestrator does not call this automatically. Pure local tooling, no LLM, no fuzzer interruption. — usage: [--range <git-range>]
Manage libFuzzer/AFL++ dictionaries for the active campaign. List, add, remove, or inspect bundled and project-local dictionaries. — usage: [list|available|active|add <name>|remove <name>|show <name>]
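As an added example of what the dictionary command above manages (not the plugin's own code): a parser and merger for the AFL++/libFuzzer dictionary file format, decoding the `\xNN`, `\\` and `\"` escapes and enforcing the 128-byte token cap AFL++ applies at load time. The two sample dictionaries are constructed for the example.

```python
import re
from typing import NamedTuple, Optional
# name="value" with optional @level; the body permits only escaped quotes/backslashes.
_LINE_RE = re.compile(r'^(?:(?P<name>\w+)(?:@(?P<level>\d+))?\s*=\s*)?"(?P<body>(?:[^"\\]|\\.)*)"$')

class Token(NamedTuple):
    name: Optional[str]  # libFuzzer also accepts bare "value" lines with no name
    level: int           # AFL++ "name@N": loaded only when -x is given level >= N
    value: bytes

def _unescape(body: str) -> bytes:
    """Decode the \\xNN, \\\\ and \\" escapes allowed inside a quoted token."""
    out, i = bytearray(), 0
    while i < len(body):
        ch, nxt, hx = body[i], body[i + 1:i + 2], body[i + 2:i + 4]
        if ch != "\\":
            out += ch.encode("latin-1"); i += 1   # dictionaries are byte-oriented
        elif nxt in ("\\", '"'):
            out.append(ord(nxt)); i += 2
        elif nxt == "x" and re.fullmatch(r"[0-9A-Fa-f]{2}", hx):
            out.append(int(hx, 16)); i += 4
        else:
            raise ValueError(f"bad escape at column {i}: {body[i:i + 4]!r}")
    return bytes(out)

def parse_dictionary(text: str) -> list[Token]:
    """Parse one dictionary file; '#' comments and blank lines are skipped."""
    tokens = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"): continue
        if not (m := _LINE_RE.match(line)):
            raise ValueError(f'line {lineno}: expected name="value", got {line!r}')
        value = _unescape(m["body"])
        if not value or len(value) > 128:  # AFL++ MAX_DICT_FILE: longer tokens are rejected
            raise ValueError(f"line {lineno}: token length {len(value)} out of range")
        tokens.append(Token(m["name"], int(m["level"] or 0), value))
    return tokens

def merge_dictionaries(*dicts: str) -> list[Token]:
    """Merge bundled + project-local files, keeping the first copy of each byte value."""
    seen, merged = set(), []
    for tok in (t for d in dicts for t in parse_dictionary(d)):
        if tok.value not in seen:
            seen.add(tok.value); merged.append(tok)
    return merged

# Constructed sample inputs (not the project's own bundled dictionaries).
BUNDLED = '# PNG-style chunk names\nheader="\\x89PNG\\x0d\\x0a\\x1a\\x0a"\nihdr="IHDR"\n"IEND"\nquote="say \\"hi\\""\n'
LOCAL = 'ihdr@2="IHDR"\ncrc_bad="\\xff\\xff\\xff\\xff"\nbackslash="a\\\\b"\n'
```

Feeding the merged list to the fuzzer still requires writing it back out in the same quoted syntax; a project-local entry that duplicates a bundled byte value is dropped so the fuzzer does not waste mutations on it.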
Executes bash commands
Hook triggers when Bash tool is used
Uses power tools
Uses Bash, Write, or Edit tools
A Claude Code plugin for LLM-in-the-loop coverage-guided fuzzing, concolic execution, and crash triage of C/C++ source and binaries. It keeps a real fuzzer (libFuzzer / AFL++) fed and steered by model agents, then verifies and reports what it finds.
cc-fuzzer is not a Cyber Reasoning System. It covers the dynamic-analysis half of what a CRS does (fuzzing + concolic + triage + reporting) plus a static code-review pass; autonomous SAST is partial and patch generation is out of scope. The architecture reuses three named patterns from the DARPA AIxCC finalists — see AIxCC patterns and Scope.
Install the plugin once, inside Claude Code:
/plugin marketplace add ./cc-fuzzer
/plugin install cc-fuzzer
# 1. Clone the target you want to fuzz
git clone https://github.com/<owner>/<target> && cd <target>
# 2. Bootstrap the campaign shell. Builds cc-fuzzer's pinned toolchain + this
# target's build deps (auto-detected by a headless scan) and locks the flake.
# It does NOT launch Claude — it prints the launch commands when done.
nix run github:cloudripper/cc-fuzzer#init
# 3. Launch Claude into that shell and go full autonomous — ONE command.
# The prompt arg fires the campaign the moment Claude starts; self_loop
# auto-selects a target, builds the harness, and self-drives ticks unattended
# (each schedules the next via ScheduleWakeup) until a hard halt or yolo off.
nix run .#claude -- --dangerously-skip-permissions "/cc-fuzzer:yolo on --mode self_loop --no-cap"
# Then walk away. Check in any time with /cc-fuzzer:status or /cc-fuzzer:report.
#init flags: --dep <nixpkgs-attr> (seed a build dep, repeatable — suppresses the scan), --no-scan (skip dep auto-detect), --force (regenerate the flake and re-scan deps). It writes a project flake.nix + fuzz/nix-deps.nix; if a build later needs another system library, the harness-writer appends it and you re-run #init. An empty nix-deps.nix is fine for a self-contained target; re-run with --force to re-scan, or hand-edit it.
nix run .#claude launches Claude in the campaign shell: plain nix run .#claude, or nix run .#claude -- <claude args> (nix needs the -- before any --flag). nix develop (or nix run .#default) opens the shell without Claude.
Campaign-local Claude settings (optional). Drop a settings.json at ./.claude-work/settings.json and nix run .#claude layers it on automatically (claude --settings). Your system ~/.claude is left untouched — the cc-fuzzer plugin, MCP servers, and your login all carry over; the file only overlays campaign-specific settings. To authenticate the campaign instance with an API key instead of your login, export it first: export ANTHROPIC_API_KEY=sk-… ; nix run .#claude (it's inherited into the sandbox). There's deliberately no separate config dir — that would orphan the plugin itself.
Resuming a campaign — skip #init. #init is a one-time bootstrap; re-running it re-resolves the plugin flake every time. To come back to an existing campaign, re-enter the shell directly — it uses the committed flake.lock + cached FHS env and is fast:
cd ~/projects/<target>
nix run .#claude -- --dangerously-skip-permissions # launch Claude in the campaign shell
# plain: nix run .#claude
# interactive shell: nix develop (then run `claude`)
Only re-run #init to change build deps (--force re-scans) or bump the plugin version.
You provide the toolchain — clang + compiler-rt, AFL++, llvm-cov/llvm-profdata, gdb (SymCC optional). The SessionStart hook reports what's missing. Then:
git clone https://github.com/<owner>/<target> && cd <target>
claude --dangerously-skip-permissions # unattended; or plain `claude`
/cc-fuzzer:yolo on --mode self_loop --no-cap # autonomous: picks a target, fuzzes, self-drives
There's no composed dep shell off-nix, so if a harness build needs a system library, install it on the host — the harness-writer names the exact one.
Prefer to approve each step over full autonomy? Skip YOLO and run the loop by hand:
/cc-fuzzer:campaign src/parser.c parse_message # COLD: plan → harness (3 binaries) → seed → launch
/cc-fuzzer:tick # one LLM decision; repeat, or wrap in: /loop 10m /cc-fuzzer:tick
/cc-fuzzer:status # progress — pure shell, no LLM call
/cc-fuzzer:report # re-verify reproducers → fuzz/state/FINDINGS-REPORT.md
/cc-fuzzer:stop # stop the fuzzer (also disables YOLO)
/cc-fuzzer:campaign runs COLD setup once (analyze → harness → 3 binaries → seed corpus → launch). To pick a stopped campaign back up without re-analyzing: /cc-fuzzer:resume-campaign. The full self-driving model is in YOLO.
npx claudepluginhub cloudripper/cc-fuzzer
Restrict the top-level (orchestrator) thread to a small allowlist of orchestration tools, forcing real work into subagents so the main context stays clean. Subagents are never restricted.