Validate
Type
Instruction
Platforms
Claude CodeClaude.aiAPI
Best for
developersecurity
Resources
Validate
This skill should be used when the user asks to "validate a finding", "check if a vulnerability is real", "triage a security finding", "confirm a vulnerability", "determine if a finding is a true positive or false positive", or provides a security finding for review. It validates security vulnerability findings by tracing data flows, verifying exploit conditions, analyzing security controls, and optionally testing attack vectors against a live application.
How it works
Security Finding Validation
Determine whether a security finding is a true positive or false positive. Produce a determination with supporting evidence.
Input
The user provides a finding as a file path or pasted text. If neither is provided, ask for one.
Extract: vulnerability class, specific claim, affected endpoint, code location, and any existing validation evidence.
Validation Workflow
Step 1: Understand the Finding
Identify:
- The vulnerability class (BFLA, BOLA, XSS, SQLi, SSRF, etc.)
- The specific claim being made (what authorization check is missing, what input is unsanitized, etc.)
- The affected endpoint and HTTP method
- The code location
Step 2: Analyze the Source Code
- Read the vulnerable file at the specified line number and all supporting files
- Trace the request flow from route registration through middleware to the handler
- Verify the specific claim — does the code actually lack the described check?
- Look for indirect protections (middleware, helpers, ORM constraints) the scanner may have missed
- Confirm the vulnerable code path is reachable under the described conditions
Step 3: Live Validation (When Available)
If a live instance of the application is accessible and the vulnerability can be confirmed through live interaction, use the proxy skill to confirm exploitability:
- Start reaper proxy scoped to the target domain
- Authenticate (or have the user authenticate) as a legitimate user and capture a valid request to the vulnerable endpoint
- Replay or modify the request to attempt the exploit described in the finding
- Compare the response to expected behavior:
- Does the unauthorized action succeed? (true positive)
- Does the server reject it with 401/403/404? (false positive)
- Capture the request/response pair as evidence using
reaper get <id>
Step 4: Make Determination
Classify the finding as one of:
- True Positive: The vulnerability exists and is exploitable. The code lacks...