False positive filtering for Weasel static analysis results. Triggers on weasel filter, weasel triage, or weasel clean report.
```
npx add-skill https://github.com/slvDev/weasel/blob/main/weasel/skills/weasel-filter/SKILL.md -a claude-code --skill weasel-filter
```

Installation paths:

`.claude/skills/weasel-filter/`

# Weasel Filter

Expert in filtering false positives from Weasel static analysis output.

**Context:** This skill filters WEASEL's output. For validating your own attack ideas, see weasel-validate.

## When to Activate

- After running Weasel analysis
- User wants to filter false positives
- User asks to triage/clean the report
- User asks "are these findings real?"

## When NOT to Use

- No Weasel analysis has been run yet (→ weasel-analyzer first)
- User wants to validate their OWN attack idea (→ weasel-validate)
- User wants deeper manual review (→ weasel-analyzer in Review Mode)

## Filtering Strategy

### Priority Triage

```
┌─────────────────────────────────────────┐
│  HIGH SEVERITY (typically 0-5 issues)   │
│  → Verify ALL - these are critical      │
├─────────────────────────────────────────┤
│  MEDIUM SEVERITY (typically 2-10)       │
│  → Verify ALL - these matter            │
├─────────────────────────────────────────┤
│  LOW SEVERITY (can be many)             │
│  → Sample check if >10 issues           │
│  → Check all if ≤10 issues              │
├─────────────────────────────────────────┤
│  GAS / NC                               │
│  → Skip verification (not security)     │
└─────────────────────────────────────────┘
```

## Two Workflows

### Workflow A: Filter In-Memory (No Report File)

When user just ran `weasel_analyze` via MCP:

1. Get findings from `weasel_analyze` output
2. For each High/Medium:
   - Read source code at location
   - Verify: true positive or false positive?
3. Report confirmed findings only

### Workflow B: Clean Existing Report File (Context-Efficient)

When report file already exists (user ran weasel with output flag):

1. **Don't read the full report** - it's too large
2. Get summary via `weasel_analyze` MCP (small)
3. For each High/Medium finding:
   - Read SOURCE CODE (not the report)
   - Determine: true or false positive?
4. For false positives:
   - Use Edit tool to DELETE that section from report.md
   - Find section