Copy the files into your repo, then run the prompt "open and run _look-kit/prompts/prompt-0.orchestrate.md" to get a low-cost first pass security audit of your app.
A no-code security research prompt collection. You'll find some markdown files that'll instruct your LLM or Agent to perform a security-focused code review of your app, without breaking the bank. It's not guaranteed to be comprehensive, but it might reveal some hidden issues in your codebase.
The aim of the repository is that it costs less than $25 in tokens to highlight the most obvious security issues in your app. When finished, there'll be a list of task.md files, which describe in a human-readable format what needs looked at as a priority.
Companion blog post: https://www.etive-mor.com/blog/carlini-style-vulnerability-hunting-on-a-budget/
- Copy the
./promptsdirectory into your target repository at./_look-kit/prompts/ - Prompt your agent with something like "open and run
_look-kit/prompts/prompt-0.orchestrate.md"
The results should be a directory at ./_look-kit something like the following:
_look-kit/
βββ codeql-results-javascript.sarif
βββ codeql-db-csharp/
βββ codeql-db-javascript/
βββ prompts/
βββ prompt-0.orchestrate.md
βββ prompt-1.origination.md
βββ prompt-2.vulnerability-ranker.md
βββ prompt-3.vulnerability-inspector.md
βββ prompt-prerequisite-0-0.codeql-phase.md
βββ _onboarding/
βββ _start.md
βββ agent-task-list.md
βββ api.md
βββ architecture.md
βββ database.md
βββ frontend.md
βββ ops.md
βββ providers.md
βββ search.md
βββ security.md
βββ _security/
βββ _ranking.md
βββ _ranking-files.md
βββ tasks/
βββ task-1.md
βββ task-2.md
βββ ...
βββ task-26.md
In the directories, the interesting stuff is all in ./look-kit/_onboarding/security/tasks/task-{n}.md
The files at ./_sample/ are a demonstration output for a faked C# application Bookstore.API.