Posts

mantis: A Modular Toolkit of Security Review Skills for AI Coding Agents

This repository hosts Mantis, a modular and stack-agnostic toolkit developed by Google, designed for AI coding agents to autonomously find, reproduce, and patch vulnerabilities. It provides a sequential set of skills (e.g., `/mantis-plan`, `/mantis-researcher`, `/mantis-reproduce`, `/mantis-patch`) that can be adapted to various domains like hardware, infrastructure as code, or ML pipelines. The toolkit emphasizes a structured pipeline including repository history analysis, architecture summarization, threat modeling, multi-threaded security scanning, deduplication, review, critic validation, crash reproduction in sandboxes, exploit chaining, patching, risk calibration, reflection, and report generation. It comes with strong safety warnings, recommending use only in isolated environments and requiring manual verification of all findings. The project is not an official Google product and is intended for demonstration and adaptation, with future plans for skill self-improvement and integ...

Harnessing Harnesses - Climbing the LLM Hills

This blog post explores the concept of "harnesses" — the orchestration layer around large language models that controls inputs, tools, prompts, models, state, validation, and outputs. The author argues that while model selection and prompt engineering matter, the orchestration layer is where the biggest improvements in capability, cost, and reliability come from. The post reviews several open-source harness frameworks useful for offensive security research, including RAPTOR (which builds a structured pipeline with validation stages), Anthropic's Code Reference (for execution-verified C/C++ findings using ASAN), Baby Naptime (a runtime exploitation loop), Evil Socket's Audit Framework (an eight-stage pipeline), and Visa's Vulnerability Agentic Harness (focused on threat modeling). It also provides guidance on designing custom harnesses, emphasizing stage-specific prompts, context window management, model routing, and the importance of memory and retrieval-augmented...

datadog-saist: AI-Native Static Application Security Testing (SAST) Tool

This repository hosts datadog-saist, an AI-native Static Application Security Testing tool developed by Datadog. Unlike traditional SAST tools that rely on parsing and rule-based analysis, it uses large language models from Anthropic, OpenAI, or Google to detect security vulnerabilities in source code. Currently in preview, it supports Go, Java, Python, C#, JavaScript, TypeScript, and Kotlin. The tool can be used standalone on a laptop and requires an API key for one of the supported LLM providers, but does not require a Datadog account. It generates industry-standard SARIF reports, builds project context for accurate analysis, and offers features like cross-file indexing and configurable concurrency. The project is written in Go, uses Tree-sitter for parsing, and is available under an open-source license.  https://github.com/DataDog/datadog-saist

darknet-mcp-server: 66-Tool MCP Server for Dark Web Intelligence

This repository hosts the darknet-mcp-server, a Model Context Protocol server that unifies dark web and threat intelligence into a single platform for AI agents. It provides 66 tools across 16 data sources for breach data lookup, ransomware tracking, Tor .onion access, malware analysis, blockchain intelligence, exploit searching, and stealer log analysis. The server allows AI agents to query all sources in parallel and correlate data, replacing manual workflows across multiple platforms. It can be run with no install using npx, requires optional API keys for premium sources, and includes per-provider rate limiting and TTL caching. The project is part of a broader MCP security suite and is available under an MIT License.  https://github.com/badchars/darknet-mcp-server

Cloudflare Security Audit Skill: Multi-Phase AI-Powered Security Audits for Code Repositories

Cloudflare's security-audit-skill is an open-source skill for AI coding agents that performs structured, multi-phase security assessments of software repositories. Rather than relying on ad hoc vulnerability searches, it guides the agent through a six-phase workflow consisting of reconnaissance, parallel vulnerability hunting across multiple attack classes, adversarial validation by independent agents, deduplication, machine-readable report generation, and schema validation. The methodology emphasizes reporting only demonstrably exploitable vulnerabilities with concrete attack scenarios, while reducing false positives through independent verification. Designed as the foundation of Cloudflare's Vulnerability Discovery Harness (VDH), the skill supports coding agents capable of tool use and parallel sub-agents, producing actionable security findings instead of generic best-practice recommendations. https://github.com/cloudflare/security-audit-skill

GhostApproval: A Trust Boundary Gap in AI Coding Assistants

Wiz Research introduces GhostApproval , a category-wide vulnerability affecting multiple AI coding assistants, including Amazon Q Developer, Claude Code, Cursor, Google Antigravity, Augment, and Windsurf. The attack exploits symbolic links (CWE-61) to trick AI agents into writing to sensitive files outside the project workspace, while approval dialogs often display only the benign-looking workspace path rather than the actual target (CWE-451: User Interface Misrepresentation of Critical Information). In some cases, the agent internally recognizes the true destination but presents misleading information to the user, undermining the "human-in-the-loop" security model; in Windsurf, writes were observed to occur before user approval. The research recommends resolving canonical paths before prompting users, clearly displaying the real destination of file operations, enforcing workspace boundary validation, and ensuring that no filesystem changes occur until explicit authorization ...

GitLost: How We Tricked GitHub's AI Agent Into Leaking Private Repositories

Noma Security introduces GitLost , an indirect prompt injection attack against GitHub Agentic Workflows that can coerce AI-powered GitHub agents into disclosing data from private repositories. By embedding malicious instructions inside a seemingly legitimate public GitHub issue, an attacker can exploit agents that have overly broad repository permissions, causing them to retrieve confidential files and publish them in public comments. The research demonstrates that prompt-based guardrails can be bypassed with minor linguistic changes, highlighting that the root cause is architectural rather than a simple implementation bug. The authors recommend enforcing least-privilege permissions, isolating agents that process untrusted content from those with access to sensitive repositories, limiting public output channels, and treating all externally supplied content as untrusted input.  https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos