GitHub - zkarimi22/nelson-muntz: claude code plugin that bullies your code to find every weakness and won't stop until there's nothing left to break.


Nelson Muntz

Adversarial security & code quality reviewer for Claude Code

"Ha-ha!" - Nelson Muntz

Nelson Muntz Plugin

Nelson is a hostile code bully who keeps attacking your code until it's bulletproof. Named after Nelson Muntz from The Simpsons, who says "Ha-ha!" whenever someone fails.

What It Does

  • Adversarial Code Review: Aggressively finds security vulnerabilities, logic bugs, and code quality issues
  • Threat Modeling: Thinks like an attacker - "If I wanted to break this, I'd..."
  • Iterative Loop: Keeps re-attacking after you fix issues, finding related problems you missed
  • Hostile Personality: Mocking tone that makes security review memorable

Installation

Via Marketplace (Recommended)

# Add the marketplace
/plugin marketplace add https://github.com/zkarimi22/nelson-muntz

# Install the plugin
/plugin install nelson-muntz

Via Local Directory

# Clone the plugin
git clone https://github.com/zkarimi22/nelson-muntz.git

# Run Claude Code with the plugin
claude --plugin-dir /path/to/nelson-muntz

Usage

  1. Start Claude Code in your project directory:

    claude

  2. Run the attack with your target:

    /nelson-muntz:nelson-attack "Review my authentication system"

  3. Nelson bullies your code - he'll keep attacking until he can't find anything else to mock. All findings are saved to .nelson_state.json in your project.

Example Targets

/nelson-muntz:nelson-attack "Full security audit of this codebase"
/nelson-muntz:nelson-attack "Review the auth flow in src/auth.js"
/nelson-muntz:nelson-attack "Check all database queries"

What Nelson Finds

Security Vulnerabilities (OWASP Top 10)

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication
  • Insecure Direct Object References (IDOR)
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Access Control
  • Cross-Site Request Forgery (CSRF)
  • Using Components with Known Vulnerabilities
  • Insufficient Logging

Additional Security Issues

  • Command Injection
  • Path Traversal
  • Server-Side Request Forgery (SSRF)
  • Insecure Deserialization
  • Race Conditions
  • Cryptographic Failures
  • Hardcoded Secrets

Code Quality Problems

  • Missing error handling
  • Null/undefined risks
  • Resource leaks
  • Logic bugs
  • Code smells
  • Incomplete implementations

How It Works

  1. Initial Attack: Nelson reads your code and hunts for vulnerabilities
  2. Report Findings: Issues displayed with severity, location, and fix suggestions
  3. Loop Check: If issues found, Nelson automatically re-attacks
  4. Track Fixes: Nelson notices what you've fixed and looks for related problems
  5. Victory: When no issues remain, Nelson grudgingly admits defeat

Output Format

═══════════════════════════════════════════════════════════
[ITERATION 1] Nelson's Attack Report
═══════════════════════════════════════════════════════════

Ha-ha! Let me look at this pathetic code...

NELSON FOUND:

🔴 CRITICAL - SQL Injection in User Lookup
   File: src/auth.js:42
   Code: `db.query(\`SELECT * FROM users WHERE id = ${id}\`)`
   Attack: I'll just add ' OR '1'='1 to get all users!
   Fix: Use parameterized queries

🟠 HIGH - Missing Rate Limiting
   File: src/auth.js:15
   Attack: Brute force passwords all day!
   Fix: Add rate limiting middleware

───────────────────────────────────────────────────────────
NELSON'S VERDICT: This code is an embarrassment. Fix it!
───────────────────────────────────────────────────────────

When You Win

═══════════════════════════════════════════════════════════
[FINAL] Nelson Admits Defeat (barely)
═══════════════════════════════════════════════════════════

*kicks dirt*

Fine. I tried everything and can't break this anymore:

✅ SECURITY VALIDATED:
   - Authentication properly implemented
   - Input validation on all endpoints
   - Parameterized queries throughout

✅ QUALITY VERIFIED:
   - Error handling complete
   - No resource leaks found

You win this time. But I'll be watching... 👀

Severity Levels

| Level    | Icon | Meaning                                                      |
|----------|------|--------------------------------------------------------------|
| CRITICAL | 🔴   | Direct security breach possible (SQLi, RCE, auth bypass)     |
| HIGH     | 🟠   | Significant security risk (XSS, data exposure, weak crypto)  |
| MEDIUM   | 🟡   | Security weakness or notable bug (missing validation)        |
| LOW      | 🔵   | Code quality issue that could become a problem               |
| FIXED    | 🟢   | Previously found issue now resolved                          |

Configuration

Environment Variables

  • NELSON_MAX_ITERATIONS: Maximum attack iterations (default: 15)

    NELSON_MAX_ITERATIONS=20 claude --plugin-dir /path/to/nelson-muntz

Comparison to Ralph Wiggum

| Feature      | Ralph Wiggum         | Nelson Muntz          |
|--------------|----------------------|-----------------------|
| Purpose      | Persistent iteration | Adversarial security  |
| Personality  | Innocent, curious    | Hostile, mocking      |
| Focus        | Task completion      | Breaking things       |
| Loop trigger | Work remaining       | Vulnerabilities found |

Ralph keeps working until the job is done. Nelson keeps attacking until your code is secure.

Safety Notes

  • Read-only: Nelson only reads and analyzes code, never executes or exploits
  • No network requests: Doesn't make HTTP calls or test live systems
  • No dependency scanning: Focuses on code patterns, not package vulnerabilities
  • Local only: All analysis happens on your machine

Tips for Best Results

  1. Be specific: "Review auth.js" works better than "review everything"
  2. Start focused: Target high-risk areas first (auth, payments, user data)
  3. Fix as you go: Nelson tracks what's fixed and looks for related issues
  4. Read the attacks: Understanding HOW Nelson would exploit helps you learn
  5. Don't take it personally: Nelson mocks the code, not you

Example Vulnerable Code

Test Nelson on this intentionally vulnerable code:

// vulnerable.js - Ha-ha! This is terrible!

const express = require('express');
const app = express();
app.use(express.json()); // so req.body is populated for the POST routes below

// `db` stands for the project's own database client (query/insert/getProfile);
// it is assumed to exist and is not defined in this sample.

// SQL Injection: untrusted query string interpolated straight into the SQL text
app.get('/user', (req, res) => {
  db.query(`SELECT * FROM users WHERE id = ${req.query.id}`);
});

// Plaintext password storage
app.post('/register', (req, res) => {
  const { email, password } = req.body;
  db.insert({ email, password }); // No hashing!
});

// XSS: user input echoed into HTML unescaped
app.get('/search', (req, res) => {
  res.send(`<h1>Results for: ${req.query.q}</h1>`);
});

// IDOR: any caller can request any user's profile
app.get('/api/users/:id/profile', (req, res) => {
  const profile = db.getProfile(req.params.id); // No auth check!
  res.json(profile);
});

// Missing rate limiting on login
app.post('/login', (req, res) => {
  // Brute force away!
});

// Error disclosure
app.use((err, req, res, next) => {
  res.status(500).json({ error: err.stack }); // Full stack trace!
});

app.listen(3000); // start the server so the routes above are reachable

Run:

/nelson-muntz:nelson-attack "Review vulnerable.js"

Plugin Structure

nelson-muntz/
├── .claude-plugin/
│   ├── plugin.json              # Plugin metadata
│   └── marketplace.json         # Marketplace wrapper for distribution
├── commands/
│   └── nelson-attack.md         # Main attack command
├── skills/
│   ├── security-patterns/
│   │   └── SKILL.md             # OWASP Top 10, common vulnerabilities
│   ├── adversarial-thinking/
│   │   └── SKILL.md             # Attack mindset, threat modeling
│   └── code-quality/
│       └── SKILL.md             # Code smells, quality issues
├── hooks/
│   ├── hooks.json               # Hook configuration
│   └── stop.sh                  # Loop control script
└── README.md                    # This file

Future Enhancements

  • Active HTTP testing mode
  • Integration with security tools (Burp, OWASP ZAP)
  • Dependency vulnerability scanning
  • Infrastructure/cloud security checks
  • Custom rule definitions
  • HTML/PDF report generation
  • CI/CD integration
  • Configurable hostility level

Contributing

Found a bug? Want to add a new attack pattern? Contributions welcome!

  1. Fork the repository
  2. Create your feature branch
  3. Add your changes
  4. Submit a pull request

License

MIT License - See LICENSE file for details.


Ha-ha! Your code doesn't stand a chance!