verify-finding
Drive a single finding through CPG verification and false-positive triage.
14 stars
byallsmog
Best use case
verify-finding is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Drive a single finding through CPG verification and false-positive triage.
Teams using verify-finding should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
$curl -o ~/.claude/skills/verify-finding/SKILL.md --create-dirs "https://raw.githubusercontent.com/allsmog/vuln-scout/main/vuln-scout/skills/tasks/verify-finding/SKILL.md"
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/verify-finding/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How verify-finding Compares
| Feature / Agent | verify-finding | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Drive a single finding through CPG verification and false-positive triage.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Verify Finding Use this task skill when the user asks to verify `VSCOUT-*`, asks whether a finding is exploitable, or asks to confirm a specific finding. ## Workflow 1. Locate the finding by ID, stable key, or `file:line` in `.claude/findings.json`. 2. Run `/vuln-scout:trace` on the source-to-sink path. 3. Run `/vuln-scout:verify` for CPG-backed confirmation. 4. Call `false-positive-verifier` when controls, sanitizers, or reachability are unclear. 5. Call `local-tester` only when dynamic validation is explicitly safe and useful. 6. Run `/vuln-scout:propagate` when a confirmed pattern may repeat. 7. Update `.claude/review-ledger.json` with the final verification state. ## Produces - Updated `.claude/review-ledger.json` entry - optional trace artifact ## When NOT To Trigger Do not trigger for broad scans, PR review, generic exploitability education, dangerous-function lists, or CPG query syntax questions that do not name a finding.
Related Skills
We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.