A Claude Code plugin that enforces systematic false positive verification when verifying suspected security bugs.
When Claude is asked to verify suspected security bugs, this plugin activates a rigorous per-bug verification process. Bugs are routed through one of two paths:
- Standard verification — a linear single-pass checklist for straightforward bugs (clear claim, single component, well-understood bug class). No task creation overhead.
- Deep verification — full task-based orchestration with parallel sub-phases for complex bugs (cross-component, race conditions, ambiguous claims, logic bugs without spec).
Both paths end with six mandatory gate reviews. Each bug receives a TRUE POSITIVE or FALSE POSITIVE verdict with documented evidence.
/plugin install fp-check
| Skill | Description |
|---|---|
| fp-check | Systematic false positive verification for security bug analysis |
| Agent | Phases | Description |
|---|---|---|
| data-flow-analyzer | 1.1–1.4 | Traces data flow from source to sink, maps trust boundaries, checks API contracts and environment protections |
| exploitability-verifier | 2.1–2.4 | Proves attacker control, creates mathematical bounds proofs, assesses race condition feasibility |
| poc-builder | 4.1–4.5 | Creates pseudocode, executable, unit test, and negative PoCs |
| Hook | Event | Purpose |
|---|---|---|
| Verification completeness | Stop | Blocks the agent from stopping until all bugs have completed all 5 phases, gate reviews, and verdicts |
| Agent output completeness | SubagentStop | Blocks agents from stopping until they produce complete structured output for their assigned phases |
| File | Purpose |
|---|---|
| standard-verification.md | Linear single-pass checklist for straightforward bugs |
| deep-verification.md | Full task-based orchestration with parallel sub-phases for complex bugs |
| gate-reviews.md | Six mandatory gates and verdict format |
| false-positive-patterns.md | 13-item checklist of common false positive patterns and red flags |
| evidence-templates.md | Documentation templates for verification evidence |
| bug-class-verification.md | Bug-class-specific verification requirements (memory corruption, logic bugs, race conditions, etc.) |
The skill activates when the user asks to verify a suspected bug:
- "Is this bug real?" / "Is this a true positive?"
- "Is this a false positive?" / "Verify this finding"
- "Check if this vulnerability is exploitable"
The skill does not activate for bug hunting ("find bugs", "security analysis", "audit code").
Each bug is routed based on complexity:
For bugs with a clear claim, single component, and well-understood bug class:
- Data flow — trace source to sink, check API contracts and protections
- Exploitability — prove attacker control, bounds proofs, race feasibility
- Impact — real security impact vs operational robustness
- PoC sketch — pseudocode PoC required
- Devil's advocate spot-check — 5+2 targeted questions
- Gate review — six mandatory gates
Standard verification escalates to deep at two checkpoints if complexity warrants it.
For bugs with ambiguous claims, cross-component paths, concurrency, or logic bugs:
- Claim analysis — restate the vulnerability claim precisely, classify the bug class
- Context extraction — execution context, caller analysis, architectural and historical context
- Phase 1: Data flow analysis — trust boundary mapping, API contracts, environment protections, cross-references
- Phase 2: Exploitability verification — attacker control, mathematical bounds proofs, race condition proof, adversarial analysis
- Phase 3: Impact assessment — real security impact vs operational robustness, primary controls vs defense-in-depth
- Phase 4: PoC creation — pseudocode with data flow diagrams, executable PoC, unit test PoC, negative PoC
- Phase 5: Devil's advocate review — 13-question challenge with LLM hallucination self-check
- Gate reviews — six mandatory gates before any verdict