
Flows

Multi-step recipes that chain skills with explicit fan-out. One command, full report.

01

What is a flow?

A slash command activates one skill. A flow plans several steps, fans out across the results of earlier steps, and produces one consolidated report. Flows are the unit of work for anything that takes more than a single tool call — perimeter audits, leak sweeps, IOC triage.

You invoke a flow exactly like a slash command:

/flow-perimeter acme.com
/flow-leaks acme.com
/flow-ioc 1.1.1.1

When a flow runs, Mephit echoes the plan first, then streams findings as each step lands — you don’t wait for the whole thing to finish before seeing anything. Steps can fan out (e.g. for each subdomain), and parallel tool calls run concurrently inside a step.

Tip
Run a flow inside a project to scope its findings. Subsequent chats in the same project automatically pick up the report as context, so you can ask follow-ups like “what’s the highest-impact thing the perimeter flow turned up?” without re-pasting anything.
02

Anatomy of a flow

Each entry in the catalogue carries five things you should know before invoking it:

  • Argument hint — what the flow expects after the id. Most take a domain or an indicator.
  • Plan — the ordered step list. Each step declares the skills it leans on and whether it fans out.
  • Output shape — what the consolidated report looks like when the flow finishes.
  • Estimated wall-clock — bucketed range so you don’t kick off a 10-minute flow when you wanted a 30-second one.
  • Category — recon, intel, audit, or engagement. Drives the picker grouping.
03

Catalogue

6 curated flows, generated from packages/ai/src/flows.ts — same source the picker and the kernel prompt block read from.

Recon · 1
/flow perimeter
Perimeter audit
~2–5 min

Full external attack surface from one domain.

Map everything externally reachable for a target — domain, subdomains, IPs, services, certs, fingerprints. Recursive, fan-out heavy. Closes with a structured perimeter report you can hand to a PM or a remediation team.

Expects: domain
Example: /flow-perimeter acme.com
Output: Structured report with subdomains × hosts × ports × services × certs × tech-stack × reputation, plus a flagged-issues block.
Skills: recon · intel-threats · reporting
Plan
  1. Resolve apex domain to A/AAAA/MX/NS/TXT records [fast]
  2. Enumerate subdomains via passive DNS, cert transparency, and brute lists [medium]
  3. Resolve subdomains to IPs [for each subdomain · fast]
  4. Port + service fingerprint [for each unique IP · medium]
  5. HTTP fingerprint, header audit, tech-stack detection [for each web-facing host · medium]
  6. Cert transparency log scan for the apex + close-typo neighbours [fast]
  7. Reputation and geolocation lookup [for each unique IP · fast]
  8. Synthesise the report — group by host, flag the risky bits [fast]
Intel · 3
/flow leaks
Leak audit
~1–3 min

Every credential, token, and dump tied to a brand.

Sweep breach indices, paste sites, public code hosts, and the dark web for anything tied to a domain or brand. Validates which credentials still work and groups results by source and severity.

Expects: domain
Example: /flow-leaks acme.com
Output: Grouped leak report — breach hits per email, reused-password clusters, paste-site tokens with validity tests, redacted DB dump excerpts.
Skills: intel-breach · intel-threats · reporting
Plan
  1. Breach search across multi-source indices for the domain [fast]
  2. Generate common role mailboxes (admin@, security@, billing@…) and breach-search each [for each role mailbox · fast]
  3. Paste-site sweep for tokens, env vars, and source fragments mentioning the domain [medium]
  4. Public code-host search for hardcoded keys / configs [medium]
  5. Group by source, dedupe credentials, flag passwords that appear in Collection-style dumps [fast]
/flow squat
Typosquat watch
~1–2 min

Live phishing infrastructure pretending to be you.

Generate the typosquat permutation set for a domain, resolve each one, and score them: live? MX present? Recent cert? Phish-feed match? Returns a takedown-ready packet for the high-confidence hits.

Expects: domain
Example: /flow-squat acme.com
Output: Ranked lookalike-domain list with WHOIS, cert age, hosting, MX, screenshot signature, and per-target takedown packet.
Skills: intel-threats · recon · reporting
Plan
  1. Generate permutation set — homoglyphs, transposition, insertion, deletion, replacement, TLD swap [fast]
  2. Resolve each permutation; drop the ones that don't resolve [for each candidate · fast]
  3. WHOIS, registrar, registration date, MX presence, cert issuance [for each live candidate · medium]
  4. Phish-feed and reputation cross-check; HTTP fingerprint to catch known phishing kits [for each live candidate · medium]
  5. Rank, draft takedown packets (registrar abuse, host abuse, browser-block submission) [fast]
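Step 01 of the typosquat plan above, as an added example that is not Mephit's code: a permutation generator that tags each lookalike candidate with the technique that produced it, so the resolve and ranking steps can report why a domain is on the watch list. The homoglyph table, `ALT_TLDS` and every function name are assumptions, and the input is assumed to be an apex domain such as acme.com.

```typescript
// Added example, not Mephit's code. The tables below are small constructed samples.
type Technique =
  | "homoglyph" | "transposition" | "insertion"
  | "deletion" | "replacement" | "tld-swap";
interface Candidate { domain: string; technique: Technique }

const HOMOGLYPHS: Record<string, string[]> = {
  o: ["0"], l: ["1", "i"], i: ["1", "l"], e: ["3"], m: ["rn"],
};
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789".split("");
const ALT_TLDS = ["net", "org", "co", "io"]; // assumption: TLDs worth watching
const VALID_LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;

function typosquatCandidates(domain: string): Candidate[] {
  const lower = domain.toLowerCase();
  const dot = lower.indexOf(".");
  if (dot < 1) throw new Error("expected a domain like name.tld");
  const label = lower.slice(0, dot);
  const tld = lower.slice(dot + 1);
  const seen = new Map<string, Technique>(); // dedupe; first technique wins

  const add = (l: string, t: string, technique: Technique): void => {
    const d = l + "." + t;
    // Skip the monitored domain itself and anything that is not a valid DNS label.
    if (d !== lower && VALID_LABEL.test(l) && !seen.has(d)) seen.set(d, technique);
  };

  for (let i = 0; i < label.length; i++) {
    const pre = label.slice(0, i);
    const ch = label.charAt(i);
    const post = label.slice(i + 1);
    for (const g of HOMOGLYPHS[ch] ?? []) add(pre + g + post, tld, "homoglyph");
    if (i + 1 < label.length) {
      add(pre + label.charAt(i + 1) + ch + label.slice(i + 2), tld, "transposition");
    }
    add(pre + post, tld, "deletion");
    for (const c of ALPHABET) {
      add(pre + c + ch + post, tld, "insertion");
      add(pre + c + post, tld, "replacement");
    }
  }
  for (const c of ALPHABET) add(label + c, tld, "insertion");
  for (const t of ALT_TLDS) add(label, t, "tld-swap");

  return Array.from(seen, ([d, technique]) => ({ domain: d, technique }));
}

console.log(typosquatCandidates("acme.com").length, "candidates to resolve");
```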
/flow ioc
IOC triage
~30–90 s

Indicator → impact, in one pass.

Drop in an IP, hash, URL, or domain — the flow runs reputation, sandbox, passive-DNS, and infra-pivot lookups, then stitches them into one incident packet you can paste into a ticket.

Expects: IP, hash, URL, or domain
Example: /flow-ioc 1.1.1.1
Output: Incident packet — verdict, classifier signals, family attribution, related infrastructure, recommended response actions.
Skills: intel-threats · recon · reporting
Plan
  1. Multi-feed reputation lookup [fast]
  2. Sandbox / static-analysis report (when the indicator is a hash or URL) [fast]
  3. Passive-DNS pivot — what other domains share this infra [fast]
  4. Cert / ASN / registrar correlation to spot related campaigns [fast]
  5. Compile incident packet — verdict, evidence, recommended actions [fast]
Audit · 1
/flow vulns
Vuln sweep
~1–2 min

Match recent CVEs to your detected stack.

Pull every CVE published in the lookback window, filter by exploitability and severity, then match against the tech-stack fingerprint detected on perimeter or declared in the project. Output is a prioritized remediation list.

Expects: domain (or stack tags)
Example: /flow-vulns acme.com --since 30d
Output: Prioritized CVE list with severity, exploitability heuristic, affected component, fixed-in version, and a one-line remediation.
Skills: recon · intel-vuln · intel-threats · reporting
Plan
  1. Resolve target stack — read project tags or run a quick perimeter HTTP fingerprint [fast]
  2. Pull CVEs published in the lookback window [fast]
  3. Match CVE affected-product strings against stack components [for each component · fast]
  4. Score exploitability — public PoC, KEV catalogue, weaponised in the wild [for each match · fast]
  5. Sort by exploitability × severity, draft a one-line remediation per row [fast]
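Steps 03 to 05 of the vuln sweep plan above, as an added example that is not Mephit's code: advisories are matched to detected components with a numeric version comparison, then ranked by exploitability × severity. The field names, the scoring weights and the sample data (including the placeholder CVE ids and product names) are all assumptions made for illustration.

```typescript
// Added example, not Mephit's code: field names, weights and all data are constructed.
interface Component { product: string; version: string }
interface Cve {
  id: string; product: string; fixedIn: string; cvss: number;
  publicPoc: boolean; inKev: boolean; inWild: boolean;
}
interface Finding { id: string; component: string; fixedIn: string; priority: number }

// Segment-wise numeric compare (assumes purely numeric dotted versions);
// a plain string compare would wrongly rank "1.10.0" below "1.9.5".
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Assumed heuristic: baseline 1, +1 public PoC, +2 KEV-listed, +2 exploited in the wild.
function exploitability(c: Cve): number {
  return 1 + (c.publicPoc ? 1 : 0) + (c.inKev ? 2 : 0) + (c.inWild ? 2 : 0);
}

function prioritise(stack: Component[], cves: Cve[]): Finding[] {
  const findings: Finding[] = [];
  for (const comp of stack) {
    for (const cve of cves) {
      if (cve.product !== comp.product.toLowerCase()) continue; // step 03: product match
      if (compareVersions(comp.version, cve.fixedIn) >= 0) continue; // already on a fixed version
      const priority = exploitability(cve) * cve.cvss; // steps 04 and 05
      findings.push({ id: cve.id, component: `${comp.product} ${comp.version}`, fixedIn: cve.fixedIn, priority });
    }
  }
  return findings.sort((a, b) => b.priority - a.priority);
}

// Constructed sample input; the CVE ids are placeholders, not real identifiers.
const SAMPLE_STACK: Component[] = [
  { product: "ExampleHTTPd", version: "1.10.0" },
  { product: "ExampleCMS", version: "4.2.1" },
  { product: "ExampleDB", version: "9.0.3" },
];
const SAMPLE_CVES: Cve[] = [
  { id: "CVE-0000-0001", product: "examplehttpd", fixedIn: "1.9.5", cvss: 9.8, publicPoc: true, inKev: true, inWild: true },
  { id: "CVE-0000-0002", product: "examplecms", fixedIn: "4.3.0", cvss: 7.5, publicPoc: true, inKev: false, inWild: false },
  { id: "CVE-0000-0003", product: "exampledb", fixedIn: "9.1.0", cvss: 6.5, publicPoc: true, inKev: true, inWild: true },
  { id: "CVE-0000-0004", product: "examplecms", fixedIn: "4.2.2", cvss: 9.1, publicPoc: false, inKev: false, inWild: false },
];
console.log(prioritise(SAMPLE_STACK, SAMPLE_CVES));
```

The critical-severity placeholder for ExampleHTTPd drops out because 1.10.0 is already past the fixed version, and the medium-severity ExampleDB entry outranks a 9.1 with no exploitation signals.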
Engagement · 1
/flow kickoff
Engagement kickoff
~5–10 min

First-hour brief for a new target.

The omnibus flow. Runs perimeter, leak audit, and a light typosquat sweep against the target, builds a threat model from the findings, and produces a single brief — perfect first turn after creating a project.

Expects: domain
Example: /flow-kickoff acme.com
Output: Engagement brief — perimeter summary, top leak findings, lookalike domains, draft threat model, suggested first attack paths.
Skills: recon · intel-breach · intel-threats · threat-model · reporting
Plan
  1. Run perimeter audit (full) [long]
  2. Run leak audit (fast subset — role mailboxes only) [medium]
  3. Run typosquat watch (top-50 permutations) [medium]
  4. Build threat model from declared scope + detected stack [fast]
  5. Compile the engagement brief with prioritised first-day actions [fast]
04

Curated by us

The 6 flows above are the catalogue. We curate them so every one is grounded in real tool calls, real fan-out semantics, and a real output shape — no half-broken experiments in your picker. New flows ship as platform updates; you don’t need to do anything to pick them up.

If you have a recipe you’d run weekly and it isn’t in the catalogue, two paths:

  • Ad-hoc, today — describe what you want in chat. The model orchestrates the same way (planning, fan-out, parallel tool calls, consolidated report). You just don’t get a saved /flow-... shortcut.
  • Make it a built-in — tell us the use case and the steps. If it generalises, we add it to the catalogue so everyone benefits.