I build tools that find vulnerabilities in CI/CD pipelines, supply chains, and cloud infrastructure. When I find something interesting, I write about it here.
Fluxgate found 20 critical pwn request vulnerabilities across 16 of the top 1,000 most-starred repositories on GitHub — the same vulnerability class that enabled the Trivy supply chain compromise.
A static analysis audit of the entire ClawhHub registry using WAINGRO found 43 confirmed malicious skills — including a coordinated C2 campaign that VirusTotal rates as benign.
Static analyzer for GitHub Actions workflows. Detects pwn requests, script injection, and supply chain risks.
Security taxonomy and case study framework for CI/CD supply chain incidents.
AI agent skill security scanner. Static analysis tool that detects malicious patterns in OpenClaw/Agent Skills format skill files.