Stats
Actions
Tags
From grimoire
Guides writing structured security findings with title conventions, sections, and severity classification. Helps format standalone vulnerability reports.
How this skill is triggered — by the user, by Claude, or both
Slash command
/grimoire:findingThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Security findings are the core deliverable of security research — structured markdown files
Security findings are the core deliverable of security research — structured markdown files that prove a vulnerability exists and tell the recipient what to fix.
A finding is not a code review comment or a chat message. It is a standalone document that must be understandable by someone who has never seen the codebase. Every finding must be self-contained, fact-checked, and verifiable.
A finding should never suggest non-trivial code changes. Security researchers are external, unbiased reviewers. By suggesting complex implementations we become biased. If the fix requires architectural redesign, say so and move on. The recommendation states what to fix, not how to rewrite the code.
You are responsible for your findings. Agents make mistakes. Always perform thorough review of references, proof of concepts, and claims before submitting.
Every finding is a markdown file with YAML frontmatter:
---
title: Theft of deposited funds via reentrancy in Vault.withdraw()
severity: High
type: reentrancy
context:
- src/Vault.sol:142-158
- src/interfaces/IVault.sol:23
---
| Field | Required | Description |
|---|---|---|
title | yes | Concise title following the where/how/what rule |
severity | yes | Critical, High, Medium, Low, or Informational |
type | yes | Flaw classification (reentrancy, access-control, dos, etc.) |
context | yes | YAML list of affected files with optional line numbers/ranges |
| Section | Required | Purpose |
|---|---|---|
## Description | yes | Explains the vulnerability and its impact |
## Details | no | Technical deep dive for complex mechanisms |
## Proof of Concept | no | References the PoC artifact via @path/to/poc |
## Recommendation | yes | Concise, objective fix direction |
## References | no | Numbered citations to standards, prior art, docs |
For complete format specification see references/finding-format.md.
The title must convey where (component), how (mechanism), and what (impact):
Good: "Theft of deposited funds via reentrancy in Vault.withdraw() due to state update after external call"
Bad: "Missing check", "Reentrancy", "Incorrect implementation"
For detailed guidelines with more examples see references/finding-best-practices.md.
grimoire/findings/<slug>.mdgrimoire/sigil-findings/<slug>.md.md extension, max 60 characters-2, -3)For directory layout details see references/finding-structure.md.
| Level | Criteria |
|---|---|
| Critical | Direct path to fund loss, RCE, or full compromise. Minimal preconditions. |
| High | Significant impact, exploitable with moderate effort or conditions. |
| Medium | Real but conditional impact. Requires chaining or elevated privileges. |
| Low | Minor or theoretical impact. Worth documenting for defense in depth. |
| Informational | Best-practice deviation with no direct exploitable impact. |
Severity is always an estimate, not a formal CVSS score. Justify with one sentence.
alert(1), sleep(), id — never destructive.@path for PoC references. Never inline large code blocks. Reference the file.scripts/validate-finding.sh on every new or modified finding.examples/reentrancy-finding.md — complete finding with all sections (smart contract)examples/access-control-finding.md — minimal valid finding (web app, no Details section)examples/dedup-scenario.md — duplicate vs similar classification walkthroughUse the specific workflow skills for finding operations:
/finding-draft — create a new finding from a vulnerability observation/finding-review — review an existing finding against best practices/finding-dedup — identify and resolve duplicate or overlapping findingsnpx claudepluginhub joranhonig/grimoireDrafts structured security findings from vulnerability observations using grimoire conventions and familiar agent triage context. Guides title construction, severity estimation, and section drafting.
Triages a single security finding to a defensible disposition with mitigation, false positive, or accepted-risk writeup. Use for scanner, audit, or advisory results needing a decision.
Guides writing impact-first bug bounty reports for HackerOne, Bugcrowd, Intigriti, and Immunefi with templates, CVSS 3.1 scoring, title formulas, and downgrade counters.