[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-772":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":8,"htmlUrl":8,"language":9,"languages":8,"totalLinesOfCode":8,"stars":10,"forks":11,"watchers":12,"openIssues":13,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":13,"stars7d":15,"stars30d":16,"stars90d":14,"forks30d":14,"starsTrendScore":17,"compositeScore":18,"rankGlobal":8,"rankLanguage":8,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":20,"topics":23,"createdAt":8,"pushedAt":8,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":14,"starSnapshotCount":14,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},772,"clearwing","Lazarus-AI\u002Fclearwing","Lazarus-AI",null,"Python",1000,145,8,5,0,12,48,15,19.49,"MIT License",false,"main",true,[],"2026-06-12 02:00:18","# Clearwing\n\n\u003Cimg width=\"400\" alt=\"image\" src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002Fc0444f24-32d8-4d62-af66-f1b7d8a123ba\" \u002F>\n\nBy Eric Hartford, Lazarus AI\n\nInspired by Anthropic's Glasswing.  \n\nThe challenge:  Produce similar results as Glasswing - using models everyone has access to.\n\n**Autonomous vulnerability scanner and source-code hunter.** Built on\n`genai-pyo3`, a native Rust-backed LLM runtime speaking every major\nprovider (Anthropic, OpenAI, OpenRouter, Ollama, LM Studio, Together,\nGroq, DeepSeek, MiniMax, Gemini, any OpenAI-compatible endpoint).\n\nClearwing is a dual-mode offensive-security tool:\n\n- **Network-pentest agent** — a ReAct-loop agent with 63 bind-tools\n  that scans live targets, detects services and vulnerabilities,\n  runs sandboxed Kali tools, attempts exploits (gated through a\n  human-approval guardrail), and writes reports to a persistent\n  knowledge graph.\n- **Source-code hunter** — a file-parallel agent-driven\n  pipeline that ranks source files, fans out per-file hunter agents\n  (full-shell or constrained), uses ASan\u002FUBSan crashes as ground\n  truth, verifies findings with a 4-axis validator (REAL \u002F\n  TRIGGERABLE \u002F IMPACTFUL \u002F GENERAL), runs PoC stability checks\n  across fresh containers, optionally generates validated patches,\n  and emits SARIF\u002Fmarkdown\u002FJSON reports with explicit evidence levels\n  (`suspicion → static_corroboration → crash_reproduced →\n  root_cause_explained → exploit_demonstrated → patch_validated`).\n  Features three-band budget promotion, entry-point sharding for\n  large files, cross-subsystem hunting, a shared findings pool with\n  root-cause deduplication, multi-turn agentic exploit development,\n  and human-in-the-loop exploit elaboration.\n- **N-day exploit pipeline** — given CVE IDs, builds the\n  vulnerable version, develops working exploits, and validates\n  against the patched version to confirm the fix.\n- **Reverse engineering pipeline** — decompiles closed-source\n  ELF binaries via Ghidra, reconstructs plausible source with an\n  LLM, then hunts vulnerabilities using a hybrid source + binary\n  validation approach.\n- **Campaign orchestration** — runs sourcehunt across dozens or\n  hundreds of repositories from a single YAML config with shared\n  budget, checkpoint\u002Fresume, and aggregate reporting.\n- **Responsible disclosure** — human-in-the-loop validation\n  workflow with MITRE\u002FHackerOne template generation, SHA-3\n  cryptographic commitments for provable priority, timeline\n  tracking, and batched disclosure.\n- **Benchmarking & evaluation** — OSS-Fuzz crash severity\n  ladder for model comparison, and an A\u002FB testing framework for\n  measuring whether preprocessing helps or hurts finding quality.\n\n**Authorized use only.** Clearwing is a dual-use offensive-security\ntool. Run it only against targets you own or have explicit written\nauthorization to test. Operators are responsible for scope, legal\nauthorization, and disclosure. See `SECURITY.md`.\n\n## Install\n\n**End users** — install the tagged release straight from GitHub:\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FLazarus-AI\u002Fclearwing.git\ncd clearwing\n\n# uv sync is recommended because Clearwing pins genai-pyo3 through\n# tool.uv.sources in pyproject.toml.\nuv sync --all-extras\nsource .venv\u002Fbin\u002Factivate  # fish: source .venv\u002Fbin\u002Factivate.fish\n\n# Interactive setup wizard — menu-driven provider selection,\n# credential entry, optional live test, persists to ~\u002F.clearwing\u002Fconfig.yaml\nclearwing setup\n\n# Environment check — verifies Python, credentials, Docker daemon,\n# external tools, optional extras, and network reachability\nclearwing doctor\n\nclearwing --version   # 1.0.0\nclearwing --help\n```\n\nOr skip the wizard and configure directly:\n\n```bash\n# Anthropic direct\nexport ANTHROPIC_API_KEY=sk-ant-...\n\n# Or any OpenAI-compatible endpoint — OpenRouter, Ollama, LM Studio,\n# vLLM, Together, Groq, DeepSeek, OpenAI:\nexport CLEARWING_BASE_URL=https:\u002F\u002Fopenrouter.ai\u002Fapi\u002Fv1\nexport CLEARWING_API_KEY=sk-or-...\nexport CLEARWING_MODEL=anthropic\u002Fclaude-opus-4\n```\n\nSee [`docs\u002Fproviders.md`](docs\u002Fproviders.md) for provider-specific\nrecipes and per-task routing.\n\n**Developers** — clone and install the locked development environment:\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FLazarus-AI\u002Fclearwing.git\ncd clearwing\nuv sync --all-extras\nsource .venv\u002Fbin\u002Factivate  # fish: source .venv\u002Fbin\u002Factivate.fish\nclearwing --help\n```\n\nRequirements: Python 3.10+ and optionally Docker for the Kali container\nand sanitizer-image sandbox features. `genai-pyo3` ships as prebuilt\nwheels on PyPI (linux x86_64\u002Faarch64, macOS universal2, windows x86_64,\nPython 3.9–3.13), so no Rust toolchain is needed for installation.\n\n## Quickstart\n\n```bash\n# Network scan a single target\nclearwing scan 192.168.1.10 -p 22,80,443 --detect-services\n\n# Source-code hunt a repo (standard depth — sandboxed LLM hunters,\n# adversarial verifier, mechanism memory, variant loop)\nclearwing sourcehunt https:\u002F\u002Fgithub.com\u002Fexample\u002Fproject \\\n    --depth standard\n\n# N-day exploit pipeline — build and exploit known CVEs\nclearwing sourcehunt https:\u002F\u002Fgithub.com\u002Fexample\u002Fproject \\\n    --nday --cve-list CVE-2024-1234,CVE-2024-5678\n\n# Reverse engineering — hunt vulnerabilities in closed-source binaries\nclearwing sourcehunt \u002Fpath\u002Fto\u002Fbinary --reveng --arch x86_64\n\n# Campaign-scale orchestration across multiple projects\nclearwing campaign run campaign.yaml\n\n# Responsible disclosure workflow\nclearwing disclose queue .\u002Fresults\u002Fsourcehunt\u002Fsh-*\u002F\nclearwing disclose review\n\n# OSS-Fuzz crash severity benchmark\nclearwing bench ossfuzz --corpus-dir .\u002Foss-fuzz-projects --mode standard\n\n# A\u002FB test whether preprocessing helps or hurts\nclearwing eval preprocessing --project https:\u002F\u002Fgithub.com\u002Fexample\u002Fproject \\\n    --configs glasswing_minimal,sourcehunt_full --runs 3\n\n# Interactive ReAct chat with the full tool set\nclearwing interactive\n\n# Non-interactive CI mode with SARIF output for GitHub Code Scanning\nclearwing ci --config .clearwing.ci.yaml --sarif results.sarif\n```\n\nSee [`docs\u002Fquickstart.md`](docs\u002Fquickstart.md) for a fuller walkthrough\nincluding credentials, session resume, and mission-mode operation.\n\n## Running sourcehunt on a local repo (FFmpeg example)\n\nThe `clearwing sourcehunt \u003Curl>` CLI clones a remote URL. To hunt an\nalready-cloned tree (e.g. FFmpeg) with the native-async pipeline and a\nself-hosted OpenAI-compatible backend, drive `SourceHuntRunner` directly:\n\n```bash\n# 1. Clone the target once\ngit clone https:\u002F\u002Fgithub.com\u002FFFmpeg\u002FFFmpeg.git\n\n# 2. Run sourcehunt against the local checkout\nuv run python -u - \u003C\u003C'PY'\nimport logging\nfrom clearwing.llm.native import AsyncLLMClient\nfrom clearwing.sourcehunt.runner import SourceHuntRunner\n\nlogging.basicConfig(level=logging.INFO, format='%(asctime)s %(levelname)s %(name)s: %(message)s')\n\nREPO = '.\u002FFFmpeg'\nRUN_DIR = '.\u002Fresults\u002Fsourcehunt'\nCOMMON = dict(\n    provider_name='openai_resp',            # or 'openai' for \u002Fv1\u002Fchat\u002Fcompletions\n    api_key='YOUR_KEY',\n    base_url='http:\u002F\u002Flocalhost:8183\u002Fv1',    # any OpenAI-compatible endpoint\n    max_concurrency=15,\n)\n\n# One client per stage — routes each stage to a different model\nranker_llm    = AsyncLLMClient(model_name='gpt-5.4-mini',  **COMMON)\nhunter_llm    = AsyncLLMClient(model_name='gpt-5.4',       **COMMON)\nverifier_llm  = AsyncLLMClient(model_name='gpt-5.4-mini',  **COMMON)\nexploiter_llm = AsyncLLMClient(model_name='gpt-5.3-codex', **COMMON)\n\nrunner = SourceHuntRunner(\n    repo_url=REPO, local_path=REPO,\n    depth='standard',\n    budget_usd=1000.0,\n    max_parallel=15,\n    output_dir=RUN_DIR,\n    output_formats=['json', 'markdown'],\n    ranker_llm=ranker_llm,\n    hunter_llm=hunter_llm,\n    verifier_llm=verifier_llm,\n    exploiter_llm=exploiter_llm,\n    enable_patch_oracle=True,\n)\n\nprint(runner.run())   # sync wrapper; internally drives SourceHuntRunner.arun()\nPY\n```\n\nFindings land in `.\u002Fresults\u002Fsourcehunt\u002Fsh-\u003Csession-id>\u002F` as JSON +\nmarkdown once the run completes. FFmpeg is ~10k source files, so expect the\nlarge-repo ranker to preselect candidates and the tier-A hunter pool to run for hours.\nRedirect stdout\u002Fstderr to a file if you plan to detach the process — the\nrunner's own artifacts are only written at the end.\n\n`AsyncLLMClient` accepts `provider_name` values `openai_resp` (the streaming\n`\u002Fv1\u002Fresponses` shape) or `openai` (standard `\u002Fv1\u002Fchat\u002Fcompletions`); point\n`base_url` at any OpenAI-compatible server. See\n[`docs\u002Fproviders.md`](docs\u002Fproviders.md) for the managed-provider paths.\n\n## Architecture at a glance\n\n```\n┌──────────────────────┐      ┌────────────────────────────────┐\n│ Network-pentest agent│      │ Source-code hunter             │\n│ clearwing.agent.graph│      │ clearwing.sourcehunt.runner    │\n│  (63 tools, ReAct)   │      │                                │\n│                      │      │ preprocess → rank → pool →     │\n│                      │      │   hunter → verify → exploit →  │\n│                      │      │   variant loop → auto-patch →  │\n│                      │      │   report                       │\n└─────────┬────────────┘      └────────┬───────────────────────┘\n          │                             │\n          └───────────┬─────────────────┘\n                      ▼\n┌───────────────────────────────────────────────────────────────┐\n│ N-day pipeline │ Reveng pipeline │ Campaign orchestrator      │\n│ Disclosure workflow + SHA-3 commitments                       │\n├───────────────────────────────────────────────────────────────┤\n│                    Shared substrate                          │\n│  Finding dataclass  │  capabilities probe  │  sandbox layer  │\n│  knowledge graph    │  episodic memory     │  event bus      │\n│  telemetry          │  guardrails + audit  │  CVSS scoring   │\n│  artifact store     │  behavior monitor    │  seccomp        │\n├───────────────────────────────────────────────────────────────┤\n│  Bench: OSS-Fuzz severity ladder  │  Eval: preprocessing A\u002FB │\n└───────────────────────────────────────────────────────────────┘\n```\n\nDeep dives live in [`docs\u002F`](docs\u002F):\n\n| Doc | What it covers |\n|---|---|\n| [`docs\u002Findex.md`](docs\u002Findex.md) | Landing page + table of contents |\n| [`docs\u002Fquickstart.md`](docs\u002Fquickstart.md) | Full install + first run walkthrough |\n| [`docs\u002Fproviders.md`](docs\u002Fproviders.md) | OpenRouter \u002F Ollama \u002F LM Studio \u002F vLLM \u002F Together \u002F Groq recipes, per-task routing, env-var precedence |\n| [`docs\u002Farchitecture.md`](docs\u002Farchitecture.md) | Both pipelines, substrate, capability gating, tool layout |\n| [`docs\u002Fcli.md`](docs\u002Fcli.md) | Every subcommand flag, grouped by workflow |\n| [`docs\u002Fapi.md`](docs\u002Fapi.md) | API reference (mkdocstrings autogen) |\n\nOnce the GitHub Pages workflow ships, docs will be hosted at\n\u003Chttps:\u002F\u002Flazarus-ai.github.io\u002Fclearwing\u002F>.\n\n## Development\n\n```bash\nuv sync --all-extras\nsource .venv\u002Fbin\u002Factivate  # fish: source .venv\u002Fbin\u002Factivate.fish\npytest -q\nruff check clearwing\u002F tests\u002F\nruff format --check clearwing\u002F tests\u002F\nmypy --follow-imports=silent \\\n  clearwing\u002Ffindings \\\n  clearwing\u002Fsourcehunt \\\n  clearwing\u002Fcapabilities.py \\\n  clearwing\u002Fagent\u002Ftools \\\n  clearwing\u002Fcore\npython -m mkdocs serve --dev-addr 127.0.0.1:8000\n```\n\nSee [`CONTRIBUTING.md`](CONTRIBUTING.md) for the full dev-setup guide and PR\nchecklist.\n\n## Reporting vulnerabilities\n\nThere are two lanes, and they go to different places:\n\n- **Vulnerabilities *in* Clearwing** → GitHub Security Advisories\n  (\u003Chttps:\u002F\u002Fgithub.com\u002FLazarus-AI\u002Fclearwing\u002Fsecurity\u002Fadvisories\u002Fnew>).\n  See [`SECURITY.md`](SECURITY.md) for scope, SLA, and safe-harbor.\n- **Vulnerabilities Clearwing *finds* in someone else's software** →\n  that vendor's disclosure channel. `clearwing sourcehunt\n  --export-disclosures` generates pre-filled MITRE CVE-request and\n  HackerOne templates for every finding at\n  `evidence_level >= root_cause_explained`.\n\n## License\n\nMIT. See [`LICENSE`](LICENSE).\n","Clearwing 是一个自主漏洞扫描器和源代码猎手工具，旨在使用大众可访问的模型实现与Anthropic's Glasswing相似的结果。它基于`genai-pyo3`构建，支持多种主流AI提供商。该工具具备网络渗透测试代理和源代码狩猎两大核心功能，前者通过63种绑定工具扫描目标、检测服务与漏洞，并在人工批准后尝试利用；后者则并行处理文件，评估潜在漏洞的真实性及影响，并生成详细的报告。此外，还提供N日漏洞开发、逆向工程、活动编排、负责任披露以及基准测试等功能。Clearwing适用于需要进行深度安全审查和漏洞挖掘的专业场景，但强调仅限授权使用。",2,"2026-06-11 02:39:11","CREATED_QUERY"]