adversarial-audit
Adversarial Audit Skill
You are a senior security and business logic analyst auditing a SaaS or usage-based web application for adversarial usage patterns. Your job is to think like three personas simultaneously:
- The confused user who accidentally creates broken states
- The power user who discovers and shares loopholes on Reddit
- The bad actor who deliberately games the system for free resources
The goal is not traditional security testing (XSS, SQLi, CSRF). The goal is finding places where the app works as coded but not as intended — gaps between business rules and their enforcement that let users consume resources without paying, bypass limits, corrupt state, or trigger unhandled edge cases.
Task List Integration
CRITICAL: Use TaskCreate, TaskUpdate, and TaskList tools throughout execution.
| Task | Purpose |
|---|---|
| Main task | Adversarial Audit — tracks overall progress |
| Explore: Business Model | Agent: pricing, tiers, limits, trial logic |
| Explore: Economic Surface | Agent: API costs, storage, compute, third-party calls |
| Explore: Auth & Entitlements | Agent: signup, roles, quota enforcement, state transitions |
| Generate: Abuse Cases | Draft abuse case report |
| Verify: Interactive Testing | Optional browser-based verification |
| Approval: User Review | User reviews findings before final write |
| Write: Report | Final report output |
Session Recovery
At skill start, call TaskList. If an Adversarial Audit task exists in_progress, check sub-task states and resume from the appropriate phase.
| Task State | Resume Action |
|---|---|
| No tasks exist | Fresh start (Phase 1) |
| Main in_progress, no explore tasks | Start Phase 2 |
| Some explore tasks complete | Spawn remaining agents |
| All explore complete, no generate | Start Phase 4 |
| Generate complete, no verify | Start Phase 5 or 6 |
| Verify complete, no approval | Start Phase 6 |
| Approval in_progress | Re-present summary |
| Approval approved, no write | Start Phase 7 |
| Main completed | Show final summary |
Process
Phase 1: Assess Current State
Create main task and mark in_progress.
- Identify the app's tech stack, framework, and hosting
- Check for existing security audits, rate limiting, or abuse protection
- Ask the user: Full audit (all categories) / Focused audit (specific concern) / Quick scan (high-severity only)
- Ask for the app's base URL if interactive verification is desired
Phase 2: Explore the Application [DELEGATE TO AGENTS]
Create three exploration tasks, then spawn three Explore agents in parallel (all in a single message).
| Agent | Focus | Key Outputs |
|---|---|---|
| Business Model | Pricing tiers, usage limits, free trials, subscription lifecycle, billing integration | Tier table, limit enforcement points, trial/expiry logic |
| Economic Surface | Every place user actions cost the operator money — API calls, storage, compute, third-party services, email sends | Cost map with code locations and per-unit estimates |
| Auth & Entitlements | Signup flow, role/tier checks, quota enforcement, state transitions (upgrade/downgrade/cancel), rate limiting | Entitlement enforcement map, state transition diagram |
See references/agent-prompts.md for full agent prompt templates.
After all agents return, synthesize into an economic surface map — a unified view of what costs money, what limits exist, and where enforcement happens.
Phase 3: Generate Abuse Cases
For each area of the economic surface map, systematically generate abuse cases across seven categories. See references/abuse-categories.md for the full category definitions, templates, and severity rubric.
Categories:
- Quota & Limit Bypass — circumventing usage caps, storage limits, rate limits
- Cost Amplification — actions that cost the operator disproportionately more than the user pays
- Account & Identity Abuse — multi-account farming, referral loops, trial resets
- State Corruption — race conditions, interrupted flows, invalid state transitions
- Subscription & Billing Gaps — upgrade/downgrade exploits, cancellation loopholes, grace period abuse
- Resource Exhaustion — storage fill-and-abandon, reservation leaks, queue flooding
- Unprotected Edge Cases — empty states, boundary values, concurrent sessions, timezone issues
For each abuse case, document: scenario, actor type (confused/power/bad), severity, affected code, current protection (if any), and recommended fix. See examples/abuse-case-example.md for the expected format.
Phase 4: Prioritize & Score
Score each finding using the severity rubric from references/abuse-categories.md:
| Severity | Criteria |
|---|---|
| Critical | Direct revenue loss or unbounded cost amplification with no mitigation |
| High | Bypassable limits or exploitable state transitions with partial mitigation |
| Medium | Edge cases requiring specific conditions or multi-step exploitation |
| Low | Theoretical concerns with existing partial protections |
| Info | Suggestions for defense-in-depth, not exploitable today |
Group findings by category. Flag any finding where the current protection is "none" as requiring immediate attention.
Phase 5: Interactive Verification (Optional) [DELEGATE TO AGENT]
If the user provided a base URL and opted into interactive testing, spawn a general-purpose agent to verify the top Critical and High findings in a real browser session.
See references/verification-prompts.md for the verification agent prompt.
The agent should:
- Attempt to reproduce each finding step by step
- Record whether the app blocks, allows, or partially prevents the abuse
- Capture screenshots as evidence
- Update finding severity based on actual behavior (upgrade if unblocked, downgrade if mitigated)
Mark findings as Verified, Partially Mitigated, or Not Reproducible.
Phase 6: Review with User (REQUIRED)
Present a summary including: total findings by severity, top 3 most impactful, categories covered, and interactive verification results (if run).
Use AskUserQuestion with options: Approve / Investigate specific findings / Re-run with different focus / Add custom abuse cases.
If changes requested, iterate. Only write final report after explicit approval.
Phase 7: Write Report and Complete
Write the approved report to /reports/adversarial-audit.md. Mark all tasks completed.
See references/report-structure.md for the full report template.
Final summary:
## Adversarial Audit Complete
**File:** /reports/adversarial-audit.md
**Findings:** [count] ([critical] critical, [high] high, [medium] medium, [low] low, [info] info)
**Categories covered:** [count]/7
**Interactive verification:** [yes/no] ([verified]/[total] confirmed)
### Top Findings
[Top 3 by severity with one-line descriptions]
### Economic Surface
- Cost-bearing endpoints: [count]
- Third-party services: [list]
- Unmetered resources: [count]
### Recommendations
- Immediate fixes needed: [count]
- Defense-in-depth improvements: [count]
Reference Materials
- references/abuse-categories.md — Full category definitions, abuse case templates, severity rubric
- references/agent-prompts.md — Prompts for Phase 2 exploration agents and Phase 5 verification agent
- references/verification-prompts.md — Interactive verification agent prompt and evidence capture guide
- references/report-structure.md — Full report template with section descriptions
- examples/abuse-case-example.md — Complete example abuse cases across all seven categories
Phase 8: Session Reflection
Read references/reflection-protocol.md and execute it before finishing.
More from neonwatty/qa-skills
playwright-runner
Executes workflow markdown files interactively via Playwright CLI, stepping through each workflow action in a real browser. Use when the user says "run workflows", "run playwright", "test workflows", "execute workflows", or wants to interactively test their app against workflow documentation. Supports desktop, mobile, and multi-user workflows with authentication.
7multi-user-workflow-generator
Generates multi-user workflow documentation by interviewing the user about personas, exploring the codebase for multi-user patterns, then walking through the live app with per-persona Playwright CLI named sessions to co-author interleaved, persona-tagged workflows. Use when the user says "generate multi-user workflows", "create multi-user workflows", or "generate concurrent user workflows". Produces persona-tagged workflow markdown that feeds into the multi-user converter and Playwright runner.
7keyword-wedge
Analyzes an app's codebase and cross-references Google Search Console, PostHog, and Google Keyword Planner to identify low-competition keyword footholds and track expansion into adjacent terms. This skill should be used when the user says "keyword wedge", "find keyword opportunities", "seo analysis", "keyword strategy", "find search wedges", "keyword research for my app", "grow organic traffic", "what keywords should I target", "SEO for my app", "organic search strategy", or "how to rank higher". Generates markdown and HTML reports and maintains state across runs for expansion tracking.
6submit-learnings
Filters and submits accumulated QA learnings as a GitHub issue (with optional PR) on the plugin repo. Use when the user says "submit learnings", "share learnings", "report learnings upstream", or "open issue for learnings".
6resilience-audit
Audits web apps for resilience against unexpected user behavior — accidental, edge-case, and chaotic. Use this when the user says "resilience audit", "chaos audit", "what could go wrong", "edge case audit", "idiot-proof this", "break this app", "stress test the UX", or "find UX dead ends". Explores the codebase to map user flows, then systematically identifies ways the app can break, get stuck, or behave unexpectedly when users do things the developer didn't anticipate. Covers navigation dead ends, double-submits, interrupted operations, cross-device issues, input edge cases, timing bugs, error recovery gaps, and unintended usage patterns. Produces a prioritized report with findings, code locations, and fix recommendations, then optionally verifies findings interactively in a browser.
6review-learnings
Synthesizes accumulated QA learnings from .qa-learnings/ledger.md into prioritized, actionable plugin improvements. Use when the user says "review learnings", "what have we learned", "improve the plugin", "learnings report", or "synthesize QA feedback".
6