Agent skill

analyzing-taint-flow

Tracks untrusted input propagation from sources to sinks in binary code to identify injection vulnerabilities. Use when analyzing data flow, tracing user input to dangerous functions, or detecting command/SQL injection.

View SKILL.md on GitHub Repository
Stars 163
Forks 31

Install this agent skill to your Project

npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/analyzing-taint-flow

SKILL.md

Taint Analysis

Detection Workflow

  1. Identify sources: Find recv, read, getenv, fgets, scanf, argv (input functions)
  2. Identify sinks: Find system, popen, strcpy, sprintf, execve, malloc (dangerous functions)
  3. Find taint paths: Use xrefs_to to trace from sources to sinks
  4. Analyze sanitization: Check for input validation, length checks, character filtering, encoding/escaping
  5. Assess risk: Determine reachability, check if attacker controls critical parts, evaluate exploitability

Key Patterns

  • Direct command injection: recv() -> buffer -> sprintf(cmd, "echo %s", buffer) -> system(cmd)
  • Path traversal: fgets() -> filename -> fopen(filename, "r")
  • Buffer overflow via tainted size: recv() -> size_buffer -> atoi(size_buffer) -> malloc(size)

Output Format

Report taint paths with: source (function, address, context), sink (function, address, context), path (list of functions), sanitizers_found, is_vulnerable, confidence, vulnerability_type.

Severity Guidelines

  • CRITICAL: Direct injection with no sanitization (command injection, SQL injection)
  • HIGH: Path traversal, buffer overflow via tainted size
  • MEDIUM: Potential injection with partial sanitization
  • LOW: Tainted data with limited impact

See Also

  • patterns.md - Detailed detection patterns and exploitation scenarios
  • examples.md - Example analysis cases and code samples
  • references.md - CWE references and mitigation strategies

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

majiayu000/claude-skill-registry

agent-ops-spec

Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.

163 31
Explore
majiayu000/claude-skill-registry

agent-ops-state

Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.

163 31
Explore
majiayu000/claude-skill-registry

agent-ops-spec

Manage specification documents in .agent/specs/. Use when user provides requirements, acceptance criteria, or feature descriptions that need to be tracked and validated against implementation.

163 31
Explore
majiayu000/claude-skill-registry

agent-ops-testing

Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.

163 31
Explore
majiayu000/claude-skill-registry

agent-ops-testing

Test strategy, execution, and coverage analysis. Use when designing tests, running test suites, or analyzing test results beyond baseline checks.

163 31
Explore
majiayu000/claude-skill-registry

agent-ops-state

Maintain .agent state files. Use at session start, after meaningful steps, and before concluding: read/update constitution/memory/focus/issues/baseline consistently.

163 31
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results