CipherClaw: Using a Security Persona to Audit Code with Claude

OpenClawRadar | Published: April 13, 2026

CipherClaw is a tool that applies a security-focused persona to Claude Code, transforming it from a code writer into a security auditor. The persona, named TALON, is loaded via a CLAUDE.md file and includes security knowledge bases.

How It Works

The architecture consists of three main components:

  • SOUL.md: Defines the persona identity
  • MEMORY.md: Contains security knowledge including OWASP Top 10, CWE Top 25, and 20+ secret patterns
  • 7 skill files: Loaded via @import in CLAUDE.md

Commands and Usage

TALON responds to several security audit commands:

  • TALON: full security audit
  • scan for secrets
  • threat model this
  • compliance check SOC2
  • IaC security review

Example Findings

When run on a Next.js app without any hints about bug locations, TALON identified 17 security issues including:

  • [CRITICAL] Unauthenticated endpoint returning passwordHash + role:ADMIN to any caller with no token required
  • [CRITICAL] DELETE endpoint with zero ownership check — allowing any user to delete anyone else's data (BOLA/IDOR vulnerability)
  • [CRITICAL] Hardcoded auth token in source code
  • [HIGH] File upload accepting user-controlled filename — potential path traversal vulnerability
  • [MEDIUM] Phone numbers stored without encryption (GDPR Article 32 violation)

Each finding included:

  • Exact line numbers
  • curl exploit commands to reproduce the vulnerability
  • Specific fixes
  • Compliance control mapping for SOC2, HIPAA, and GDPR
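To make the BOLA/IDOR finding concrete, here is an added example (not TALON output and not code from the audited app) showing a DELETE handler without an ownership check beside a hardened form. The store, session shape, and function names are hypothetical, and returning 404 for records owned by someone else is one design choice, assumed here to avoid confirming which IDs exist.

```javascript
// Constructed in-memory data standing in for the app's database (hypothetical).
function makeStore() {
  return new Map([
    ["note-1", { id: "note-1", ownerId: "alice" }],
    ["note-2", { id: "note-2", ownerId: "bob" }],
  ]);
}

// BEFORE: the pattern in the finding. The handler never compares the
// record's owner with the caller, so any caller can delete any record.
function deleteNoteVulnerable(store, session, noteId) {
  if (!store.has(noteId)) return { status: 404 };
  store.delete(noteId);
  return { status: 204 };
}

// AFTER: authenticate first, then authorize against the stored owner.
function deleteNoteHardened(store, session, noteId) {
  // 1. Identity comes from the server-side session, never from the request body.
  if (!session || typeof session.userId !== "string") return { status: 401 };

  // 2. Load the record and compare its owner with the authenticated user.
  //    Missing and foreign records get the same 404 (assumed design choice).
  const note = store.get(noteId);
  if (!note || note.ownerId !== session.userId) return { status: 404 };

  // 3. Only the owner reaches the delete.
  store.delete(noteId);
  return { status: 204 };
}

// Runs the same cross-user request against both handlers.
function compareHandlers() {
  const alice = { userId: "alice" };
  const before = makeStore();
  const after = makeStore();
  return {
    vulnerable: deleteNoteVulnerable(before, alice, "note-2").status,
    vulnerableStillHasBobsNote: before.has("note-2"),
    hardened: deleteNoteHardened(after, alice, "note-2").status,
    hardenedStillHasBobsNote: after.has("note-2"),
  };
}

console.log(compareHandlers());
```
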

The tool is designed for developers using Claude Code who want to integrate security auditing into their development workflow without switching contexts or tools.

📖 Read the full source: r/ClaudeAI
