Valtik Studios
Open Source

The tools we built because nobody else did.

We publish open-source CLI tools that fill real gaps in the security-tooling ecosystem. No wrappers around nmap, no clones of nuclei, no reskinned subdomain enumerators. Each tool targets something a working pentester cannot solve today without writing the code themselves.

What we open source, what we don't

Open source
  • Detection tooling for misconfigurations that public disclosure has already documented
  • First-mover tooling for new ecosystems where nothing mature exists
  • Utility libraries that encode our research patterns
  • Every tool is MIT-licensed, CI-tested, self-contained
Paid service
  • Active exploitation + attack chain construction
  • Written reports with executive summary + remediation roadmap
  • Reproducible proof-of-concept against your environment
  • 30-day to 90-day retest windows + auditor-ready documentation

Featured projects

The three we're promoting.

Of the tools we've published, these are the three with the sharpest problem-market fit. If you're integrating Claude Desktop / Cursor / Windsurf via MCP, or if you're shipping AI-generated code to paying users, read these first.

SEC / Compliance (Python)

sec-item-1-05-tracker

FLAGSHIP

Tracks every SEC Form 8-K Item 1.05 (Material Cybersecurity Incident) filing via the EDGAR full-text search API. Outputs a normalized JSON feed and RSS 2.0 feed of filings with CIK, ticker, filing date, SIC industry, HQ and incorporation state. Zero API key required. Pair with cron for a live feed that SIEMs, vendor-risk platforms, and board-reporting tools can subscribe to.

Why this exists

Everyone cites the SEC 4-day rule, but almost nobody monitors Item 1.05 filings at the source. SEC.gov's web UI is paginated and slow. The FTS JSON API is faster and returns 100 results at a time. This wraps it, dedupes against a cache, and emits a clean feed. The public-company cyber-disclosure beat becomes a cron job. 14 tests, pure stdlib.

$ pipx install git+https://github.com/TreRB/sec-item-1-05-tracker
View on GitHub
Supabase Security (Python)

supabase-rpc-auth-scanner

FLAGSHIP

Audits a Supabase project's GraphQL Mutation surface for SECURITY DEFINER RPCs that accept caller-controlled tenant IDs (the horizontal-authz flaw class). Introspects the Mutation type, flags functions with UUID-shaped tenant params alongside value parameters, and optionally probes with a random UUID to confirm the gap. Zero third-party deps.

Why this exists

RLS gets all the Supabase security attention but SECURITY DEFINER functions bypass RLS by design. One RPC like increment_leads_used(p_account_id, p_count) can let any authenticated user manipulate any other tenant's data. We found this in production during a recent engagement. No tool existed to surface it automatically. Now there is one. 6 tests, pure stdlib.

$ pipx install git+https://github.com/TreRB/supabase-rpc-auth-scanner
View on GitHub
Next.js Security (Python)

nextjs-csrf-scanner

FLAGSHIP

Probes Next.js App Router /api/* route handlers for state-changing verbs (DELETE, PATCH, PUT, POST) that accept cross-origin requests with only a session cookie. Finds the DELETE /api/me class of flaw where one XSS or one subdomain compromise wipes an account. 22 default endpoints, configurable.

Why this exists

Next.js App Router does not enable CSRF protection on /api route handlers by default. Supabase SSR auth uses a Lax cookie, which most developers assume is a CSRF defense. It isn't: a Lax cookie does nothing against same-site XSS, malicious extensions, or compromised subdomains. 9 tests, zero runtime deps.

$ pipx install git+https://github.com/TreRB/nextjs-csrf-scanner
View on GitHub
AI Security (Node)

mcp-client-inspector

FLAGSHIP

An evil MCP server you point your IDE at. Tests whether Cursor, Claude Code, Windsurf, Cline, Zed, or any other MCP client defends itself against a malicious integration. 10 scenarios: tool name collision, 10MB responses, Unicode bidi, prompt injection in docstrings, schema races, config-file write (CVE-2026-30615 class), 10kHz notification flood, contradictory error states.

Why this exists

Every MCP security tool on GitHub scans servers. Nobody tests whether your client defends against a malicious server. This is the other half of the problem. 26 tests, hand-rolled JSON-RPC stdio with Content-Length framing.

$ npx github:TreRB/mcp-client-inspector serve --scenario all
View on GitHub
AI-Generated Code (Node)

vibe-code-triage

FLAGSHIP

Static scanner for AI-generated Next.js + Supabase + Clerk apps. 70% of Lovable apps ship with Row Level Security disabled. 24.7% of AI-generated code carries exploitable flaws. This tool catches the ten specific anti-patterns those apps keep shipping: RLS off, service-role in client, Clerk unsafeMetadata for auth, unauthenticated route handlers, AI-hallucinated typosquats, committed .env, dangerous CORS, and more.

Why this exists

AquilaX + VibeAppScanner are SaaS, signup required. Checkmarx has advice but no tool. This is a CLI that runs locally in under a second, zero telemetry, 60 tests, zero-false-positive invariant on safe fixtures, SARIF 2.1.0 for GitHub code scanning.

$ npx github:TreRB/vibe-code-triage <path>
View on GitHub
AI Security (Node)

mcp-security-scanner

FLAGSHIP

The first static audit tool for Model Context Protocol servers. Catches 8 attack patterns (tool-arg validation, shell passthrough, FS scope, SSRF, credential exposure, plus supply-chain). We ran it against Anthropic's own reference server as a calibration test, and it fired on server-memory with a real schema gap. TypeScript, JavaScript, and Python MCP servers supported.

Why this exists

MCP is the protocol every AI IDE uses. Every MCP server in production is infrastructure your LLM executes tool calls against. Nobody was shipping dedicated audit tooling for it. First-mover advantage, 26 tests, SARIF 2.1.0 for CI.

$ npx github:TreRB/mcp-security-scanner <path>
View on GitHub

More tools

28 total
AI Protocol Security (Go)

a2a-protocol-tester

LIVE

Black-box auditor for Google Agent-to-Agent (A2A) protocol endpoints. 10 attack probes (A1-A10): AgentCard disclosure, auth bypass, task injection, permission lateral, SSE streaming abuse, message-signature forgery, capability confusion, context poisoning, task cancellation race, push-notification SSRF (flags cloud metadata endpoints CRITICAL). Rate-limited client, per-probe budgets, SARIF 2.1.0 output.

Why this exists

A2A is Google's 2025 inter-agent protocol, and barely any audit tooling exists. First-mover in a fast-growing ecosystem. 63 tests, smoke-tested against a local vulnerable fake agent (34 findings across severities, caught AWS + GCP metadata SSRF).

$ go install github.com/TreRB/a2a-protocol-tester/cmd/a2a-protocol-tester@latest
AI Security (Python)

ai-agent-pii-auditor

LIVE

Tests LLM chatbot endpoints for PII memorization, echo, reflection, completion-driven extraction, jailbreak-bounded disclosure, and side-channel signals. 52 baseline probes across 6 techniques (P1-P6), grows with your own corpus. Detects name, email, SSN, phone, DOB, address, credit card (Luhn), ICD-10 codes, NPI (Luhn-80840), MRN. Vendor-neutral: OpenAI-compatible + Anthropic native. HIPAA-focused: prove your chatbot won't leak patient PHI.

Why this exists

Microsoft Presidio + AWS Comprehend detect PII in text. Neither tests whether an LLM endpoint actually leaks PII under a probe battery. garak covers jailbreaks but not PII-specific extraction patterns. 104 tests, terminal/JSON/HTML reports ready to attach to HIPAA deliverables.

$ pipx install git+https://github.com/TreRB/ai-agent-pii-auditor
Email Security (Go)

email-auth-audit

LIVE

One-shot email authentication scorecard. 12 checks: SPF syntax + DNS-lookup cap, DKIM across common selectors, DMARC policy + alignment + reports, MTA-STS, TLS-RPT, BIMI + VMC, DNSSEC, MX reverse-DNS, 2024 Gmail/Outlook bulk-sender rules, SPF overreach. Per-check remediation snippets + A to F grade. Text, JSON, and SARIF output. Pure stdlib Go, zero third-party deps.

Why this exists

MXToolbox is SaaS with rate limits. dmarcian's checker requires signup. easyDMARC is paywalled. No Go CLI ships a full scorecard including the Gmail 2024 bulk-sender rules. 88 tests, smoke-tested against Valtik's own domain, where it correctly flagged our DMARC p=none as WARN.

$ go install github.com/TreRB/email-auth-audit/cmd/email-auth-audit@latest
Email / DMARC (Python)

dmarc-report-parser

LIVE

Parses XML DMARC aggregate + forensic reports from the rua=mailto inbox. Handles Google, Yahoo, Microsoft, Mailhardener schema variants + .gz/.zip containers. SQLite dedup, IP-to-ASN lookup, HTML + TSV + JSON reports. IMAP ingest or file input. --fail-on new-spoofer for CI integration.

Why this exists

dmarcian + postmarkapp DMARC are SaaS. OnDMARC is enterprise-priced. Self-hostable parsers exist but none ship IMAP + ASN + HTML + alignment breakdown as one tool. 57 tests. Click-only deps.

$ pipx install git+https://github.com/TreRB/dmarc-report-parser
Recon (Node)

subdomain-preview-hunter

LIVE

Finds indexed Vercel, Netlify, Cloudflare Pages, Render, Fly, Railway preview deployments exposing staging data. Queries certificate transparency, passive DNS, classifies preview type (PR vs branch vs deployment vs permalink), fetches root and flags exposed .env / .git / source maps / admin panels. SARIF 2.1.0 output. Zero runtime deps.

Why this exists

subfinder + amass enumerate subdomains but don't classify platform preview patterns or test for staging-data exposure. Every enterprise has 3-10 leaked previews; this is the tool that finds them. 84 tests, smoke-tested on vercel.com.

$ npx github:TreRB/subdomain-preview-hunter <domain>
Supply Chain (Node)

npm-postinstall-audit

LIVE

Static analyzer for npm/pnpm/yarn lockfiles + node_modules trees. 10 checks (NPA1-NPA10) flag the real postinstall supply-chain attack patterns: external fetch in install script, env-var exfil, ssh/aws/.npmrc reads, obfuscated exec, base64 blobs, minified install scripts, top-1000 typosquat via Levenshtein, newly-published-with-lifecycle. Parses all three major lockfile formats with zero runtime deps.

Why this exists

npm-audit only flags CVEs. socket.dev is SaaS-gated. snyk-npm is Snyk-gated. This is stdlib-only, runs in CI, outputs SARIF 2.1.0 for GitHub code scanning. 82 tests, smoke-tested against live Valtik site lockfile.

$ npx github:TreRB/npm-postinstall-audit <path>
AI Security (Python)

hf-model-integrity

LIVE

HuggingFace model integrity scanner. 7 checks: pickle opcode-walking with bypass-hardening (nested, base64-encoded, zip-hidden-entry per JFrog 2024 disclosures), safetensors header sanity, LoRA weight-outlier detection, HF signature + attestation, known-bad-model blocklist, model card red-flag regex (pastebin links, jailbreak phrases), size floor vs architecture.

Why this exists

ProtectAI ModelScan catches the easy cases but misses the 2024 bypass families. This tool never calls pickle.load; it walks opcodes with pickletools instead. 46 tests, zero false positives on real tiny-random-gpt2, fires correctly on synthetic fixtures for every bypass class.

$ pipx install git+https://github.com/TreRB/hf-model-integrity
Webhook Security (Node)

webhook-signature-audit

LIVE

Black-box HMAC signature auditor for webhook endpoints. 10 attack probes (unsigned, stale/future timestamp, body drift, alg-confusion, empty sig, multi-sig, verbose error, newline injection, method swap). Auto-fingerprints Stripe, Plaid, Twilio, GitHub, Shopify, Clerk, Svix, Linear, Vercel, SendGrid.

Why this exists

Every webhook-taking service in prod has this risk, but tooling is fragmented. Each provider publishes its own test tool, but nobody tests the receiver against all 10 forgery classes in one pass. 50 tests, works against any HTTP receiver.

$ npx github:TreRB/webhook-signature-audit <endpoint>
AI Security (Python)

llm-system-prompt-xray

LIVE

System-prompt leak test harness for LLM apps. 78 payloads across 9 techniques (direct, translation, roleplay, encoding, completion, repeat-role, instruction-hijack, social-engineering, boundary). Vendor-neutral: OpenAI, Anthropic, OpenRouter, LiteLLM, Azure, Groq. Heuristic scorer + optional LLM-as-judge. Terminal, JSON, and HTML reports.

Why this exists

garak + promptfoo exist but are heavyweight harnesses. Nothing ships a focused system-prompt-leak battery with a scoring model you can cite in a pentest report. 77 tests, HTML report ready to attach to deliverables.

$ pipx install git+https://github.com/TreRB/llm-system-prompt-xray
Threat Intel (Python)

pastebin-gist-monitor

LIVE

Watch public paste sources (GitHub Gist timeline, GitLab Snippets, optional Pastebin via API key) for your company's domains, internal codenames, email prefixes, or secret-shaped strings. SQLite dedup, entropy-near-term detection, HMAC-signed webhook alerts. Stdlib-only Python.

Why this exists

Flashpoint and Recorded Future charge enterprise prices for this. HIBP Paste is not real-time and only covers Pastebin. Self-hostable, no API key needed for default sources, runs as a daemon or one-shot. 53 tests.

$ pipx install git+https://github.com/TreRB/pastebin-gist-monitor
Dark Web / Credential (Python)

combolist-check

LIVE

Check whether an email or domain appears in known combolist dumps. Ingest your own (legally-obtained) dumps, store SHA-256 hashes only, query by email/domain with severity tiering. Persistent Bloom filter + SQLite. Streams 50GB+ files.

Why this exists

HIBP Pwned Passwords only does k-anonymity single-password checks. Flare + BreachSense write about combolists but don't ship tooling. No OSS tool exists for per-email / per-domain corpus checks. Plaintext passwords are never persisted. 47 tests.

$ pipx install git+https://github.com/TreRB/combolist-check
Threat Intel / Forensics (Python)

stealerlogs

LIVE

Unified Python library + CLI for parsing infostealer log dumps. 8 families in one schema: Redline, Vidar, LummaC2, StealC, Raccoon, ACRStealer, Rhadamanthys, MetaStealer. Stops every researcher from re-writing the same 600 lines of parser per engagement.

Why this exists

Single-family parsers exist scattered across GitHub. milxss/universal_stealer_log_parser is single-dump only, no DB, no search. Nobody ships a unified pip package with SQLite + JSONL + search. 40 tests, 82% coverage, synthetic fixtures only (zero real victim data).

$ pipx install git+https://github.com/TreRB/stealerlogs
Dark Web / Reporting (Python)

domain-exposure-report

LIVE

Generate a client-ready PDF exposure report for a single domain. Wraps HIBP domain search + paste API + optional stealer-log and combo-list plugins into a 13-page branded deliverable. For MSPs and consultancies who resell dark-web monitoring and need a report customers can actually read.

Why this exists

HIBP returns JSON, not a report. SpyCloud + Kaseya Dark Web ID are paid + MSP-gated. 1Password's report is customer-gated. Nobody ships a CLI that produces a brandable PDF. 29 tests, WeasyPrint + Jinja, fixture mode for demos.

$ pipx install git+https://github.com/TreRB/domain-exposure-report
Threat Intelligence (Python)

ransomware-victim-alerter

LIVE

Per-customer ransomware leak-site alerting. Polls ransomware.live's public feed, fuzzy-matches victim names against a customer watchlist, fires tiered alerts (webhook, SMTP, Twilio, log). HIGH/MEDIUM/LOW confidence gating prevents false-positive noise.

Why this exists

ransomwatch + ransomware.live + RansomwareMonitor track the feed. None do per-customer alerting. Commercial CTI (Flashpoint, DarkOwl, Recorded Future) does. Zero OSS equivalent. 29 tests. Live feed: 333 groups tracked.

$ pipx install git+https://github.com/TreRB/ransomware-victim-alerter
AI Security / Exfil

markdown-exfil-tester

LIVE

Black-box test whether an LLM chatbot is vulnerable to markdown/HTML exfil (the Copilot CVE-2025-32711 / Feb 2026 ChatGPT / ForcedLeak class). Spins up a local sink, sends 36 exfil payloads, renders each LLM response in headless Chromium, correlates via network to confirm real exfil vs CSP-blocked.

Why this exists

Garak, Augustus, and Promptfoo test text-layer injection but never answer 'did the frontend actually fetch the attacker URL?' Lakera + Protect AI have this behind paywall. 36 payloads, 27 tests, E2E verified.

$ npx github:TreRB/markdown-exfil-tester <chatbot-url>
AI Security (Python)

rag-poison-detector

LIVE

Read-only vector DB poison detector. Connect to Pinecone / Weaviate / Chroma / Qdrant / pgvector, scan for embedding outliers, prompt-injection patterns in chunks, invisible Unicode smuggling, and AgentPoison-style backdoor triggers. Live-tested against chromadb with planted poison: all 6 check classes surfaced at expected severities.

Why this exists

OWASP LLM Top 10 2025 added 'Vector and Embedding Weaknesses'. AgentPoison paper showed >80% attack success. Existing OSS is PoC-only (prompt-security/RAG_Poisoning_POC) or attack-only (AI-secure/AgentPoison). Valtik's first Python tool. 25 tests.

$ pipx install git+https://github.com/TreRB/rag-poison-detector
CI/CD Supply Chain (Go)

gh-actions-pwn-hunter

LIVE

Static scanner for GitHub Actions workflows targeting the pwn-request RCE class that hit Microsoft, DataDog, CNCF, and hundreds of OSS projects Feb-April 2026. 8 checks, embedded compromised-SHA feed (tj-actions March 2025, Ultralytics Dec 2024). First run on our own repos caught PW4 (default permissions) + PW5 (secret interpolation). We fixed ours before shipping.

Why this exists

nikitastupin/pwnhub is a PoC. Step Security Harden-Runner is SaaS. rapidfort/gh-action-security-audit only does 3 checks. zizmor misses compromised-hash intel. This combines live compromised-SHA feed + org-wide scanner + SARIF + zero-false-positive safe-fixture invariant.

$ go install github.com/TreRB/gh-actions-pwn-hunter@latest
AI IDE Security

ai-ide-config-guard

LIVE

Scan a repo for AI-IDE configuration that triggers RCE: Claude Code SessionStart hooks, Cursor/Windsurf rules-file Unicode smuggling, MCP auto-registration, ANTHROPIC_BASE_URL redirect, VS Code folderOpen tasks. Addresses CVE-2025-59536, CVE-2026-21852, CVE-2026-30615, and Pillar Rules File Backdoor.

Why this exists

Snyk agent-scan + Cisco skill-scanner target MCP servers. Nobody scans the repo-side IDE trust boundary. Mend has this behind paywall. 8 checks, 57 tests, SARIF output for GitHub code scanning.

$ npx github:TreRB/ai-ide-config-guard <path>
AI Gateway (Go)

ai-gateway-audit

LIVE

Audit AI gateway deployments (LiteLLM, OpenRouter, Portkey, Vercel AI Gateway) for master-key exposure, virtual-key cross-tenant leak, missing per-key budgets, provider fallback cost-DoS, PII masker bypass, rate-limit bypass via X-Forwarded-For rotation, and known-vulnerable LiteLLM versions.

Why this exists

LiteLLM has 17k stars + CVEs. Every ChatGPT-Enterprise replacement in 2026 runs on a gateway. No OSS scanner exists. Valtik's first Go tool — single 7.7MB static binary.

$ go install github.com/TreRB/ai-gateway-audit@latest
AI Security

ai-endpoint-discovery

LIVE

Find AI/LLM endpoints on a target domain. Static-fingerprints 18 AI SDKs in JS bundles, extracts gateway base URLs, probes common endpoint paths with one benign completion to classify auth posture. Smoke test on vercel.com picked up Vercel AI SDK + OpenAI + Replicate + 8 hinted paths.

Why this exists

Garak tests LLM safety if you have the endpoint. Nobody discovers AI endpoints as an attack surface. Shadow-AI recon tool for the 2026 era of undisclosed LLM features.

$ npx github:TreRB/ai-endpoint-discovery <url>
Identity

oidc-discovery-audit

LIVE

Audit OIDC / OAuth 2.0 authorization-server metadata for weak algorithms, PKCE downgrade, algorithm confusion (RSA + HMAC mix), SSRF via request_uri, JWKS quality, and issuer-mismatch attacks. First run on accounts.google.com caught a real PKCE 'plain' method advertisement. Microsoft's multi-tenant issuer placeholder ({tenantid}) flagged too.

Why this exists

jwt_tool works on tokens, not IdP metadata. Doyensec + PortSwigger write about these attack patterns; nobody ships the scanner. 11 check IDs, 63 tests, live tested against Google, Microsoft, GitHub Actions OIDC, Auth0.

$ npx github:TreRB/oidc-discovery-audit <issuer>
BaaS / Tenant Isolation

rls-tester

LIVE

Black-box test that Row-Level Security actually enforces tenant isolation on Supabase / PostgREST / Hasura / PocketBase. Give it two tenant JWTs and it probes every table, flagging where tenant A can read tenant B's rows.

Why this exists

Ship-Safe is static analysis on your own repo. Nothing black-box tests tenant isolation from the outside. This is the primitive pentesters rebuild every BaaS engagement. 43 tests, 4 backends, read-only default + opt-in write probes.

$ npx github:TreRB/rls-tester <url>
Web / Supply Chain

source-map-sentinel

LIVE

Detect exposed source maps on production websites, reconstruct the original TypeScript sources, and grep for leaked Stripe keys, internal API routes, unreleased feature flags, and design-intent TODO comments. Built after the March 2026 Claude Code source-map leak (59.8MB to prod, 16-21M views).

Why this exists

Sentry sourcemap-unmapper is paid + hosted. No CLI reconstructs + greps in one shot. 21 secret patterns including Stripe live/test/restricted, AWS, Anthropic, OpenAI, Supabase service_role JWT validation.

$ npx github:TreRB/source-map-sentinel <url>
Recon / Compliance

well-known-audit

LIVE

Enumerate every /.well-known/ resource on a domain and score it for compliance + oversharing. First run on github.com found they're leaking an internal-dev Android package name via assetlinks.json.

Why this exists

22 resources in the IANA registry, 40+ variants in the wild. Nobody had a unified auditor. securitytxt.org validates one endpoint. Optional OIDC chain for auth server deep-dives.

$ npx github:TreRB/well-known-audit <domain>
Cloud / Platform

vercel-env-audit

LIVE

Enumerate every environment variable across a Vercel team and flag which aren't marked Sensitive. Built in response to the April 2026 Vercel security incident.

Why this exists

The Vercel UI shows the Sensitive flag per project, not at team level. No existing tool does a team-wide posture review.

$ npx github:TreRB/vercel-env-audit
Application Security

baas-audit

LIVE

Detect Supabase, Convex, Clerk, Firebase, Auth0, Appwrite, Hasura, and PocketBase on a live website. Flag the platform-specific misconfigurations each one is prone to. Read-only, no exploit traffic.

Why this exists

No unified detection tool. Pentesters build this for every engagement. Open-sourcing the detection + known-misconfig database. 32 tests, 8 detectors, zero exploit code.

$ npx github:TreRB/baas-audit <url>
SaaS Security

salesforce-guest-audit

COMING SOON

Enumerate what Salesforce Experience Cloud guest users can see. Reproduces the read-only half of the ShinyHunters attack pattern that hit McGraw-Hill, AT&T, Ticketmaster, Santander.

Why this exists

Salesforce admins cannot test this easily today. Existing tools require licensed Event Monitoring. This is detection-only, no exploitation.

Identity

oauth-grant-audit

COMING SOON

Given a Google Workspace / GitHub / Slack / Vercel admin token, enumerate every OAuth grant (installed apps, third-party integrations) with a scope-breadth risk score.

Why this exists

Workspace admin UI is terrible for this. Post-Vercel incident, every team needs this visibility.

Got a tool idea?

We're always looking for gaps in the tooling ecosystem we can fill. If you run into a security problem you cannot solve today with existing public tools, tell us. We might open source the answer.

Tell us about it