Been working on a Claude Code skill called ctf-vuln-hunter that runs as an autonomous security scanner directly from your terminal. You point it at a GitHub repo or local directory and it comes back with a full vulnerability report — most critical finding first, PoC exploit, and a proposed fix.

How it works:

You just type /ctf-vuln-hunter <repo-url> and it:
- Clones the repo
- Reads and analyzes all source files
- Identifies ALL vulnerability classes — SSRF, injection, auth bypass, insecure crypto, header injection, etc.
- Picks the most critical one and writes a structured report with CWE ID, exact file/line, reproduction steps, and a code fix

What it found on my own projects:

Scanned two of my own repos as a test. One had a textbook SSRF-via-redirect-chain bypass (URL was validated as a string but the headless browser followed redirects to 169.254.254.169 — AWS IMDS). The other had zero URL validation across 7 API endpoints, full open SSRF proxy, unauthenticated, returning raw cloud metadata to any caller. Both were missed during normal code review. The skill caught them in seconds.

Report format:
- Vulnerability — name + CWE ID
- Location — file, function, line number
- Description — technical explanation
- How to Replicate — step-by-step PoC / curl commands
- Proposed Fix — corrected code snippet
- Severity — CRITICAL / HIGH / MEDIUM / LOW
- Additional Findings — full list of secondary issues
Built with: Claude Code skills (slash commands), runs via the Claude Code CLI. The skill itself is ~50 lines of prompt instructions that orchestrate the analysis session. The whole thing lives in a .claude/ skill file, no extra dependencies, no API keys beyond your existing Claude setup.

Repo: https://github.com/arananet/ctf-vuln-hunter

Any feedback is more than welcome 🤗
Originally posted by u/arananet on r/ClaudeCode
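The redirect-chain SSRF described in the post (the URL string passes validation, then the client follows a 302 to the link-local metadata address) is fixed by checking every hop, not just the caller-supplied URL. The following is an added illustration, not code from ctf-vuln-hunter or the author's repos; `safe_fetch`, `is_safe_url`, the `fetch`/`resolver` callables and the `_demo_*` stand-ins are hypothetical names, and the DNS answer and metadata body are constructed so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)

def is_safe_url(url, resolver=socket.gethostbyname):
    """Allow only http(s) URLs whose host resolves to a globally routable IP."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parsed.hostname)  # literal IP: no DNS needed
    except ValueError:
        ip = ipaddress.ip_address(resolver(parsed.hostname))
    # is_global is False for loopback, RFC 1918 and link-local (169.254.0.0/16,
    # where the cloud metadata service lives), so all of those are rejected.
    return ip.is_global

def safe_fetch(url, fetch, resolver=socket.gethostbyname):
    """Follow redirects by hand, re-checking every hop before requesting it.
    `fetch(url)` must do ONE request without auto-following redirects and
    return (status, headers, body). Raises ValueError on a blocked hop."""
    for _ in range(MAX_REDIRECTS + 1):
        if not is_safe_url(url, resolver):
            raise ValueError(f"blocked non-public target: {url}")
        status, headers, body = fetch(url)
        if status not in REDIRECT_CODES:
            return status, body
        url = urljoin(url, headers["Location"])  # relative Location resolved here
    raise ValueError("too many redirects")

# Constructed offline stand-ins: a public host that 302s to the metadata address.
def _demo_resolver(host):
    return {"example.com": "93.184.216.34"}[host]  # constructed DNS answer

def _demo_fetch(url):
    if url == "https://example.com/start":
        return 302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, b"constructed metadata body"

def demo_blocks_redirect_chain():
    """True when the hop to the metadata address is rejected (the fix);
    a client that auto-follows redirects would have returned the body."""
    try:
        safe_fetch("https://example.com/start", _demo_fetch, _demo_resolver)
    except ValueError:
        return True
    return False
```

Validating the resolved address per hop also covers DNS names that point at private ranges, which a string allowlist on the original URL never sees.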
