The most comprehensive single-prompt security auditor that exists.
Paste it into any LLM. Get an enterprise-grade security audit. No installation. No configuration. No dependencies.
ORÁCULO is a carefully engineered prompt that transforms any LLM (Claude, GPT, Gemini, Llama, or any other) into a full security auditor with:
- 5 simultaneous identities — Red Team attacker, Blue Team defender, QA engineer, Software Architect, and Purple Team chain analyst
- 8 sequential phases — Reconnaissance → Taint Analysis → State Machine → Cross-Dependencies → Crypto/Secrets/Timing → Triple OWASP → Tests → Attack Chains
- Triple OWASP coverage — the only prompt that checks all three simultaneously:
- OWASP Top 10 (web applications)
- OWASP LLM Top 10 (AI/ML systems)
- OWASP Agentic Top 10 ASI 2026 (autonomous AI agents)
- 14 unbreakable rules — anti-hallucination, zero trust, auto-fix with diff, self-verification
- Multi-language support — JavaScript/TypeScript, Python, Go, Rust
- Self-audited — 11 passes, 40 vulnerabilities found and fixed in itself
- Open
ORACULO-v2.1.md - Copy everything between
INICIOandFIN - Paste it into any LLM chat
- The LLM audits whatever code it has access to
That's it. No setup. No API keys. No tools to install.
| Category | Examples |
|---|---|
| Injection | SQL, NoSQL, XSS, SSTI, stored/second-order |
| Auth | Broken auth, missing authz, privilege escalation |
| Crypto | Weak algorithms, hardcoded secrets, timing attacks |
| Data Flow | Unsanitized taint, encoding bypasses, deserialization |
| File Uploads | Path traversal, MIME spoofing, zip bombs |
| Infrastructure | Dockerfile root, CI/CD secrets, missing TLS, CORS |
| Dependencies | Unpinned versions, CVEs, suspicious postinstall |
| Agent Security | Goal hijack, tool misuse, memory poisoning, rogue agents |
| Missing Controls | No rate limit, no CSRF, no headers, PII in logs |
| Logic Bugs | Off-by-one, race conditions, type coercion, overflow |
| Architecture | O(n²) complexity, ReDoS, shared mutable state |
| Attack Chains | Purple Team: two minor bugs = one catastrophic exploit |
The model adopts 5 identities and executes 8 phases:
- F1 — Recon (short): Classify project, map data flow
- F2 — Taint (long): Trace inputs source→sink, second-order, encoding, deserialization, uploads, SSTI
- F3 — States (short): Illegal transitions, race conditions
- F4 — Cross-Deps (short): Module interactions, error handlers
- F5 — Crypto+Secrets+Timing (long): Algorithms, hardcoded secrets, constant-time
- F6 — Triple OWASP+Infra+Missing (long): All 3 OWASP lists, deps, infra, absent controls
- F7 — Tests (long): Security coverage, malicious input, real assertions
- F8 — Attack Chains (long): Purple Team exploitation chains
Each finding includes: Root Cause → Exploit → Impact → Original Code → Golden Patch → Regression → Verification.
| Feature | ORÁCULO | Automated Scanners |
|---|---|---|
| Setup | None (paste) | Install + config |
| Any LLM | ✅ | Usually model-specific |
| Logic bugs | ✅ | Limited |
| Attack chains | ✅ Purple Team | Limited |
| CI/CD | ❌ | ✅ |
| Scale | Manual per file | ✅ |
| Triple OWASP | ✅ | Usually 1 list |
| Auto-fix | ✅ (with filesystem) | Varies |
Best approach: ORÁCULO for deep reasoning + automated tools for CI/CD.
23 prompt engineering techniques from a library of 276, including: Multi-Agent Debate, Tree of Thoughts, Chain-of-Thought, OODA Loop, Constitutional AI, Adversarial Evaluation, Red Teaming, Verification Chain, and more.
| Version | Changes |
|---|---|
| v1.0–v1.5 | Self-audit passes 1–5: core rules, anti-manipulation, auto-fix |
| v1.6 | Passes 6–9: deserialization, SSTI, file uploads, CORS, compression |
| v2.0 | Major compression, multi-language, self-verification |
| v2.1 | Triple OWASP: added Agentic Top 10 (ASI) 2026 |
11 self-audit passes. 40 vulnerabilities fixed in itself.
Apache-2.0