Dangerous Functions

This skill should be used when the user asks about "dangerous functions", "security sinks", "what functions are dangerous in PHP/Java/Python", "find vulnerable functions", "code execution functions", "command injection sinks", "SQL injection functions", or needs to identify security-sensitive functions in source code during whitebox security review.

14 stars

Best use case

Dangerous Functions is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

This skill should be used when the user asks about "dangerous functions", "security sinks", "what functions are dangerous in PHP/Java/Python", "find vulnerable functions", "code execution functions", "command injection sinks", "SQL injection functions", or needs to identify security-sensitive functions in source code during whitebox security review.

Teams using Dangerous Functions should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/dangerous-functions/SKILL.md --create-dirs "https://raw.githubusercontent.com/allsmog/vuln-scout/main/vuln-scout/skills/dangerous-functions/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/dangerous-functions/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Dangerous Functions Compares

Feature / AgentDangerous FunctionsStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

This skill should be used when the user asks about "dangerous functions", "security sinks", "what functions are dangerous in PHP/Java/Python", "find vulnerable functions", "code execution functions", "command injection sinks", "SQL injection functions", or needs to identify security-sensitive functions in source code during whitebox security review.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Dangerous Functions Reference

## Purpose

Provide comprehensive knowledge of security-sensitive functions (sinks) across programming languages for whitebox penetration testing. These functions are common targets during code review because improper use leads to critical vulnerabilities.

## When to Use

Activate this skill during:
- Code review phase of whitebox security review
- Searching for potential vulnerability entry points
- Building grep patterns for sink identification
- Understanding language-specific security risks

## Core Concepts

### Sources vs Sinks

**Sources**: Entry points where user input enters the application
- HTTP parameters, headers, cookies
- File uploads, database reads
- Environment variables, command-line arguments

**Sinks**: Functions where malicious input causes damage
- Command execution, SQL queries
- File operations, deserialization
- Code evaluation, template rendering

### Risk Categories

| Category | Impact | Common Languages |
|----------|--------|------------------|
| Command Injection | Remote Code Execution | All |
| Code Injection | Remote Code Execution | PHP, Python, JS |
| SQL Injection | Data breach | All with databases |
| Deserialization | Remote Code Execution | Java, PHP, Python, .NET |
| File Operations | LFI/RFI/Arbitrary Write | All |
| SSRF | Internal network access | All |
| Template Injection | Remote Code Execution | Python, Java, JS |
| Reentrancy | Fund theft | Solidity |
| Flash Loan Attacks | Price/state manipulation | Solidity |
| Access Control | Privilege escalation | Solidity |

## Methodology

### Step 1: Identify Application Language

Determine the primary language(s) used:
- Check file extensions (.php, .java, .py, .js, .cs, .go, .rb)
- Review package managers (composer.json, pom.xml, requirements.txt, package.json)
- Check framework indicators

### Step 2: Load Language-Specific Reference

Consult the appropriate reference file for comprehensive sink lists:
- `references/php-sinks.md` for PHP applications
- `references/java-sinks.md` for Java applications
- `references/python-sinks.md` for Python applications
- `references/javascript-sinks.md` for Node.js/JavaScript
- `references/dotnet-sinks.md` for .NET/C# applications
- `references/go-ruby-sinks.md` for Go and Ruby
- `references/rust-sinks.md` for Rust applications
- `references/kotlin-sinks.md` for Kotlin/Android applications *(preview -- not in supported language list)*
- `references/swift-sinks.md` for Swift/iOS applications *(preview -- not in supported language list)*
- `references/solidity-sinks.md` for Solidity smart contracts

### Step 3: Search for Sinks

Use Grep tool to search for dangerous functions:
- Search one category at a time (command, code, SQL, file, etc.)
- Use case-insensitive search for better coverage
- Include all relevant file extensions

### Step 4: Catalog Findings

For each identified sink, document:
- File path and line number
- Function name and context
- Input sources (if visible)
- Initial risk assessment

### Step 5: Prioritize for Testing

Rank findings using this framework:

| Priority | Criteria |
|----------|----------|
| Critical | Direct user input reaches sink |
| High | Database/file data (user-controlled) reaches sink |
| Medium | Authenticated user input reaches sink |
| Low | Admin-only input reaches sink |
| Info | Hardcoded values only |

## Prioritization Framework

When reviewing identified sinks, consider:

1. **Input Proximity**: How close is user input to the sink?
2. **Authentication**: Does exploitation require authentication?
3. **Privilege Level**: What access level is needed?
4. **Impact**: What can an attacker achieve?
5. **Exploitability**: Are there filters or sanitization?

## Additional Resources

### Reference Files

For comprehensive function lists by language, consult:
- **`references/php-sinks.md`** - PHP dangerous functions with grep patterns
- **`references/java-sinks.md`** - Java dangerous functions with grep patterns
- **`references/python-sinks.md`** - Python dangerous functions with grep patterns
- **`references/javascript-sinks.md`** - JavaScript/Node.js dangerous functions
- **`references/dotnet-sinks.md`** - .NET/C# dangerous functions
- **`references/go-ruby-sinks.md`** - Go and Ruby dangerous functions
- **`references/rust-sinks.md`** - Rust dangerous functions (unsafe, FFI, etc.)
- **`references/kotlin-sinks.md`** - Kotlin/Android dangerous functions *(preview -- not in supported language list)*
- **`references/swift-sinks.md`** - Swift/iOS dangerous functions *(preview -- not in supported language list)*
- **`references/solidity-sinks.md`** - Solidity smart contract sinks (reentrancy, access control, flash loans)

### Integration with Other Skills

- Use **vuln-patterns** skill for exploitation techniques per vulnerability type
- Use **data-flow-tracing** skill to trace input from sources to identified sinks
- Use **exploit-techniques** skill to develop PoC for confirmed vulnerabilities

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.