verify-finding

Drive a single finding through CPG verification and false-positive triage.

14 stars

Best use case

verify-finding is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Drive a single finding through CPG verification and false-positive triage.

Teams using verify-finding should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/verify-finding/SKILL.md --create-dirs "https://raw.githubusercontent.com/allsmog/vuln-scout/main/vuln-scout/skills/tasks/verify-finding/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/verify-finding/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How verify-finding Compares

Feature / Agentverify-findingStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Drive a single finding through CPG verification and false-positive triage.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Verify Finding

Use this task skill when the user asks to verify `VSCOUT-*`, asks whether a finding is exploitable, or asks to confirm a specific finding.

## Workflow

1. Locate the finding by ID, stable key, or `file:line` in `.claude/findings.json`.
2. Run `/vuln-scout:trace` on the source-to-sink path.
3. Run `/vuln-scout:verify` for CPG-backed confirmation.
4. Call `false-positive-verifier` when controls, sanitizers, or reachability are unclear.
5. Call `local-tester` only when dynamic validation is explicitly safe and useful.
6. Run `/vuln-scout:propagate` when a confirmed pattern may repeat.
7. Update `.claude/review-ledger.json` with the final verification state.

## Produces

- Updated `.claude/review-ledger.json` entry
- optional trace artifact

## When NOT To Trigger

Do not trigger for broad scans, PR review, generic exploitability education, dangerous-function lists, or CPG query syntax questions that do not name a finding.

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.