Agent-driven security audits
Install the skill once. Ask Codex, Claude Code, or another skills-aware agent to prepare the target, audit the code, run proof tests, and collect the report.
npx skills add adshao/flounder -g
The installed skill triggers from Flounder audit requests, daemon/provider setup, suspected-finding verification, real-finding confirmation, and report collection.
agent owns strategy · Flounder owns safety and evidence
No custom scenario pipeline
Ask for an authorized audit, verification, confirmation, or report package. The Flounder skill gives the agent the operating manual and keeps it on the workflow.
The source of truth is skills/flounder/SKILL.md, not a marketing-only prompt.
Prep → audit → proof → report
Flounder can prepare the workspace, read source and corpus, map attack surface, dig promising regions, construct exploit paths, run proof tests, and collect reports.
The framework supplies sandboxing, command policy, durable state, gates, daemon execution, and reporting.
flounder ui gives operators a localhost control plane for projects,
daemons, provider profiles, runs, scopes, findings, live activity, and reports.
Flounder is not a scanner, checklist runner, or set of hand-written bug rules. The model decides how to reason; Flounder makes the result usable.
Install the skill once. Codex, Claude Code, or another skills-aware agent can drive the workflow from a plain request.
Source, corpus, and optional profiles are inputs. The audit strategy comes from the model, not a stack-specific scanner.
A finding is not real because the model says so. It must cite command evidence from a passing local proof test.
Discovery runs network-sealed. Reproduction can use real-world ground truth under white-hat no-broadcast rules.
Model-written tests, PoCs, dependencies, and commands run in a copied workspace away from the host checkout.
The UI is a control plane. Audits run on a daemon, so target code and provider credentials stay on the executor host.
Choose the path by what you already have: a clean target, a factual clue, a public bounty scope, local source, a suspected finding, or confirmed evidence.
Start with an authorized project, repo, package, source tree, or project link and no bug hint.
Input: target only, no incident writeupUse Prepare to collect chain facts, deployed source, official material, and reproduction requirements.
Input: transaction, address, exploit linkLet Flounder gather bounty scope, docs, deployments, provenance, and package metadata before sealed audit.
Input: public program, repo, deploymentProvide source paths, build root, and optional corpus to enter sealed map/dig directly.
Input: source, build root, docsVerify suspected findings, dig selected scopes, confirm a run, or continue from prior project state.
Output: confirmed, refuted, or narrowedConsolidate duplicates, run real-target confirmation when needed, and regenerate selected reports.
Output: reports, decisions, command evidenceA candidate stays suspected until it cites a passing confirmation-eligible command. The status is a framework verdict from command evidence, not the model's assertion.
The claim failed reproduction or skeptic review.
Credible, but no passing cited test yet.
A real local test/build runner passed.
The same exploit is blocked by its own minimal fix.
Flounder is not a stack scanner or checklist runner. Source, corpus, and optional profiles are inputs, not conclusions.
Commands run in a copied workspace. The default OCI backend fails closed if the sandbox image is missing.
Inspection commands cannot mint proof. Confirmation needs a command like cargo test, forge test, or pytest.
The control plane queues work; the daemon executes it. Target code and provider credentials stay on the executor host.
The Flounder skill is the product interface for Codex, Claude Code, and other skills-aware agents.
# add Flounder to your agent once
$ npx skills add adshao/flounder -gInstalls the operating manual, safety boundary, and workflow contract.
# use plain language from Codex or Claude Code
› Audit this repository with Flounder.
› Verify this suspected finding with Flounder.
› Collect the execution-backed bug report package.The agent handles setup, audit planning, proof runs, and report collection.
Dashboard, CLI, and REST API remain available when you want direct control.
Flounder is for authorized auditing only — your own code or public bug-bounty scope. Discovery is network-sealed; reproduction may fork and read live networks but never broadcasts, moves funds, or writes to any live system — exploits replay against a local fork only. Build the smallest proof needed, report privately, coordinate disclosure.
Read the security policy →Answers for operators setting up their first agent-driven audit.
Flounder is local-first. The dashboard and control plane run on localhost by default, and audits execute on a daemon you control. That daemon can be on your machine or another executor host you connect; Flounder does not require uploading targets to a hosted Flounder cloud.
Yes. Flounder is open source under the GNU AGPL v3. The repository includes the full license text.
Install the Flounder skill once, then ask a skills-aware coding agent to audit an authorized target, verify a suspected finding, confirm a real finding, or collect the final report package. The dashboard, CLI, and REST API are control surfaces; the skill is the recommended way to drive the workflow.
No. The agent owns the audit strategy and target-specific reasoning. Flounder supplies the sandbox, command policy, durable state, execution gates, daemon control plane, and report package so the agent's work can be resumed, checked, and proven.
High-quality audits can be token-heavy. You can cap map, dig, and confirm budgets, but hard caps can stop a productive investigation. The default is unbounded: the agent stops when the work is done, and interrupted runs can resume. For serious use, plan around high-cap subscriptions such as ChatGPT Pro or Claude Max 20x, or set explicit budgets for API/pay-as-you-go usage.
Flounder keeps its database, artifacts, workspaces, and provider auth under local control,
with default state under ~/.flounder. Provider credentials stay on the executor
host. Your chosen model provider still receives the prompts and context your agent sends,
so keep sensitive material out of scope unless that provider and account are approved for it.
Node.js 24.13 or newer on the current 24 LTS line, a skills-aware agent, the Flounder skill, a configured model provider on the daemon, and a sandbox backend. For execution-backed audits, use Docker or a Docker-compatible runtime with the Flounder sandbox image or a target-specific image. Host mode is for trusted local smoke tests.
Flounder fits source audits where claims can be proven locally: repositories, packages, smart contracts, Solidity/EVM projects, ZK/proof systems, suspected findings, transactions, addresses, and prior reports. It is strongest when the target has tests, forks, fixtures, or harnesses that can turn a vulnerability claim into command evidence.
Model-written files and commands run in a copied workspace. The default OCI sandbox fails closed if the sandbox image is missing, instead of silently falling back to the host. Use host execution only when you explicitly trust the target and the command environment.
Only with authorization. Discovery stays sealed and local. Confirmation may fetch, search, fork, or read real-world ground truth, but it must never broadcast, move funds, submit writes, persist access, or go outside the approved scope.
Flounder turns the request into a sandboxed, evidence-gated audit workflow.
npx skills add adshao/flounder -g