ghost-validate
Validate security findings by analyzing code flows, testing exploit conditions, and confirming true vs. false positives.
- Traces request flows from route registration through middleware to handler logic, identifying indirect protections scanners may miss
- Performs live validation against accessible application instances using proxy-based request replay and response comparison
- Classifies findings into True Positive, True Positive (Confirmed), False Positive, or Inconclusive with supporting evidence and confidence levels
- Outputs structured validation reports with code analysis, live test results, and specific remediation recommendations
- Optionally appends validation details back to the original finding file for persistent documentation
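The live-validation and classification steps above, as an added example that is not ghost-validate's own code and does not use the reaper proxy API: one request is replayed as the legitimate resource owner and again as a second user, and the two responses are compared to reach one of the four verdicts. The in-memory application, its sessions, order data and route table are constructed for this example; `validate_bola` is a hypothetical name.

```python
"""Added example (not ghost-validate's own code and not the reaper proxy API):
live validation of a BOLA finding by replaying one request as the resource
owner and as a second user, then comparing the two responses. The in-memory
application, sessions, order data and route table are constructed here."""
from dataclasses import dataclass

SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # constructed sessions
ORDERS = {"1001": {"owner": "alice", "total": 42}}     # constructed data


@dataclass
class Response:
    status: int
    body: str


# Middleware-style ownership check registered on the route, outside the
# handler: a scanner that reads only the handler body reports a missing check.
def owner_middleware(user, order_id):
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return Response(404, "not found")   # ownership-scoped lookup denies as 404
    return None                             # fall through to the handler


def orders_handler(user, order_id):
    return Response(200, f"order {order_id} total={ORDERS[order_id]['total']}")


def export_handler(user, order_id):         # no ownership check anywhere: real BOLA
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, "not found")
    return Response(200, f"order {order_id} total={order['total']}")


def legacy_handler(user, order_id):         # backend that cannot be exercised
    raise RuntimeError("legacy backend unavailable")


ROUTES = {  # route registration: template -> [middleware..., handler]
    "/api/orders/{id}": [owner_middleware, orders_handler],
    "/api/export/{id}": [export_handler],
    "/api/legacy/{id}": [legacy_handler],
}


def app(method, path, headers):
    """Authenticate, then run the registered chain for the route."""
    user = SESSIONS.get(headers.get("Authorization", "").removeprefix("Bearer "))
    if user is None:
        return Response(401, "unauthenticated")
    prefix, _, resource = path.rpartition("/")
    chain = ROUTES.get(prefix + "/{id}") if method == "GET" else None
    if chain is None:
        return Response(404, "no route")
    for step in chain:
        result = step(user, resource)
        if result is not None:
            return result
    return Response(500, "chain ended without a response")


def replay(method, path, token):
    """Stand-in for proxy replay: one request, errors become a 500 response."""
    try:
        return app(method, path, {"Authorization": f"Bearer {token}"})
    except Exception as exc:
        return Response(500, f"error: {exc}")


def validate_bola(method, template, resource, owner_token, other_token,
                  code_says_missing_check):
    """Classify a BOLA finding from the baseline/attack response pair, using
    the code-analysis result only when the live test cannot decide."""
    path = template.replace("{id}", resource)
    baseline = replay(method, path, owner_token)   # request as the legitimate owner
    attack = replay(method, path, other_token)     # same request, other session
    evidence = {"request": f"{method} {path}",
                "baseline": (baseline.status, baseline.body),
                "attack": (attack.status, attack.body)}
    if baseline.status == 200 and attack == baseline:
        verdict = "True Positive (Confirmed)"      # other user gets identical data
    elif baseline.status == 200 and attack.status in (401, 403, 404):
        verdict = "False Positive"                 # a runtime protection denied it
    elif code_says_missing_check:
        verdict = "True Positive"                  # code evidence only, unconfirmed
    else:
        verdict = "Inconclusive"                   # no baseline or ambiguous reply
    return verdict, evidence
```

Two details matter in practice: a 404 for another user's resource is the normal outcome of an ownership-scoped lookup and counts as a denial, not an error, and "True Positive (Confirmed)" is only reached when the owner's baseline succeeded and the other session received the same data, so a broken baseline can never be mistaken for a confirmed exploit.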
Security Finding Validation
Determine whether a security finding is a true positive or false positive. Produce a determination with supporting evidence.
Input
The user provides a finding as a file path or pasted text. If neither is provided, ask for one.
Extract: vulnerability class, specific claim, affected endpoint, code location, and any existing validation evidence.
Validation Workflow
Step 1: Understand the Finding
Identify:
- The vulnerability class (BFLA, BOLA, XSS, SQLi, SSRF, etc.)
- The specific claim being made (what authorization check is missing, what input is unsanitized, etc.)
- The affected endpoint and HTTP method
- The code location
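Step 1 as an added example, not the skill's own code: the finding's fields are extracted from a finding file, and the request path is then traced from route registration through app-level and blueprint-level middleware to the handler, so that a protection sitting outside the handler is visible before any live test. The finding text, the Flask-style route table, the hook names and the functions `parse_finding`, `trace` and `assess` are constructed for this example.

```python
"""Added example (not the skill's own code): Step 1, extracting the finding's
fields from a finding file and then tracing the request path from route
registration through middleware to the handler, so protections that sit
outside the handler are visible before any live test. The finding text, the
route table and the hook names below are constructed for this example."""
import re
from dataclasses import dataclass

FINDING = """\
Title: BOLA in order lookup
Class: BOLA
Endpoint: GET /api/orders/<int:id>
Location: src/orders/views.py:41
Claim: get_order() loads any order by id without checking that the caller owns it
Evidence: none
"""


@dataclass
class Finding:
    vuln_class: str
    claim: str
    method: str
    endpoint: str
    file: str
    line: int
    evidence: str


def normalize_path(path):
    """Map Flask <int:id>, Express :id and OpenAPI {id} parameters to {id}."""
    return re.sub(r"<[^>]*>|:\w+|\{\w+\}", "{id}", path)


def parse_finding(text):
    """Extract the Step 1 fields; raise on gaps so the caller can ask for them."""
    fields = dict(re.findall(r"^(\w+):\s*(.+)$", text, re.M))
    missing = [k for k in ("Class", "Endpoint", "Location", "Claim") if k not in fields]
    if missing:
        raise ValueError("finding is missing: " + ", ".join(missing))
    method, _, path = fields["Endpoint"].partition(" ")
    file, _, line = fields["Location"].rpartition(":")
    return Finding(fields["Class"], fields["Claim"], method.upper(),
                   normalize_path(path), file, int(line), fields.get("Evidence", ""))


# Constructed model of a Flask-style app: app-wide before_request hooks,
# blueprint-level hooks, per-route decorators, then the handler.
APP_HOOKS = ["require_session"]                  # @app.before_request
BLUEPRINT_HOOKS = {"/api": ["require_api_key"]}  # @api_bp.before_request
ROUTES = {
    ("GET", "/api/orders/{id}"): (["owner_required"], "src/orders/views.py:41"),
    ("GET", "/api/export/{id}"): ([], "src/orders/export.py:12"),
}
# Which named hooks implement authentication or authorization.
PROTECTIONS = {"require_session": "authn", "require_api_key": "authn",
               "owner_required": "authz"}


def trace(method, endpoint):
    """List (layer, name, kind) for every step a request passes through,
    ending with the handler, or None if the route is not registered."""
    route = ROUTES.get((method, normalize_path(endpoint)))
    if route is None:
        return None
    decorators, handler = route
    chain = [("app.before_request", h) for h in APP_HOOKS]
    for prefix, hooks in BLUEPRINT_HOOKS.items():
        if endpoint.startswith(prefix + "/"):
            chain += [("blueprint.before_request", h) for h in hooks]
    chain += [("route decorator", d) for d in decorators]
    return ([(layer, name, PROTECTIONS.get(name, "other")) for layer, name in chain]
            + [("handler", handler, "handler")])


def assess(text):
    """Parse a finding and report what the static trace found."""
    f = parse_finding(text)
    steps = trace(f.method, f.endpoint)
    if steps is None:
        return f"Inconclusive: no route registered for {f.method} {f.endpoint}"
    authz = [f"{name} ({layer})" for layer, name, kind in steps if kind == "authz"]
    if authz:
        return ("candidate False Positive: authorization enforced by "
                + ", ".join(authz) + "; confirm with a live test")
    return f"no authorization step before {f.file}:{f.line}; proceed to live validation"
```

The trace only tells you where a check is registered, not that it is correct; a route whose chain contains an authorization step is a candidate false positive that still needs the live replay, while a route with no such step goes straight to live validation with the code evidence attached.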
More from ghostsecurity/skills
- ghost-scan-code: Ghost Security - SAST code scanner. Finds security vulnerabilities in source code by planning and executing targeted scans for issues like SQL injection, XSS, BOLA, BFLA, SSRF, and other OWASP categories. Supports applications (backend, frontend, mobile) and libraries (prototype pollution, unsafe deserialization, ReDoS, path traversal, zip slip). Use when the user asks for a code security audit, SAST scan, vulnerability scan of source code, or wants to find security flaws in a codebase or library.
- ghost-scan-secrets
- ghost-scan-deps
- ghost-proxy: Starts and controls the reaper MITM proxy to capture, inspect, search, and replay HTTP/HTTPS traffic between clients and servers. Capabilities include starting/stopping the proxy scoped to specific domains, viewing captured request/response logs, searching traffic by method/path/status/host, and inspecting full raw HTTP entries for security analysis. Use when the user asks to "start the proxy", "capture traffic", "intercept requests", "inspect HTTP traffic", "search captured requests", or "view request/response".
- ghost-report: Ghost Security — combined security report. Aggregates findings from all scan skills (scan-deps, scan-secrets, scan-code) into a single prioritized report focused on the highest risk, highest confidence issues. Use when the user requests a security overview, vulnerability summary, full security audit, or combined scan results.
- ghost-repo-context: Scans directory structure, detects projects, maps dependencies, and documents code organization into a repo.md file. Use when the user needs a codebase overview, project structure map, or repository context before security analysis.