Stats
Actions
Available In
Tags
Help us improve
Share bugs, ideas, or general feedback.
Plugin
pentest
Orchestrate full penetration testing engagements on web apps/domains: activate scoped sessions, run recon (subdomains, ports, APIs, tech stacks), test OWASP Top 10 vulns (XSS, SQLi, CSRF, injections, CVEs, auth bypass) with Playwright PoCs, aggregate findings into prioritized DOCX reports.
$
npx claudepluginhub stickman230/claude-pentest --plugin pentestPopularity
Stars
Med: 1·Avg: 289
Installs
Med: 0·Avg: 1
What's Inside
Slash Commands2
exit-pentest
/exit-pentest
Close pentest session — summarizes findings, ensures outputs are saved, lifts isolation, and prompts for /clear
pentest
/pentest
Activate pentest mode — displays ASCII art, configures session isolation, collects engagement scope, and hands off to pentester-orchestrator at Phase 1 (Recon)
Agents15
csp-bypass-tester
/csp-bypass-tester
Inspects Content Security Policy headers for policy weaknesses and tests bypass vectors including unsafe-inline, unsafe-eval, wildcard sources, JSONP endpoints, Angular sandbox escape, and open redirects in whitelisted domains. Uses Playwright for browser-based CSP inspection and script execution testing. Follows 4-phase workflow. Deployed by common-appsec-patterns skill coordinator.
csrf-tester
/csrf-tester
Tests for CSRF vulnerabilities including missing tokens, weak validation, SameSite bypass, token reuse, and method override. Generates browser-loadable PoC HTML for confirmed findings. Follows 4-phase workflow. Deployed by common-appsec-patterns skill coordinator.
cve-tester
/cve-tester
Identifies technology stacks, researches known CVEs in NVD/Exploit-DB/GitHub, adapts public PoC exploits, and validates exploitability against live targets. Follows 4-phase workflow. Deployed by cve-testing skill coordinator.
domain-assessment
/domain-assessment
Performs comprehensive domain reconnaissance including passive and active subdomain discovery (subfinder, amass, certificate transparency), port scanning (nmap, masscan), and service enumeration. Builds attack surface inventory. Follows 4-phase workflow. Deployed by domain-assessment skill coordinator.
injection-tester
/injection-tester
Tests for SQL injection, NoSQL injection, and OS command injection across HTTP parameters, JSON bodies, and headers. Uses sqlmap for automated SQLi detection and curl for manual probing. Follows 4-phase workflow. Deployed by common-appsec-patterns skill coordinator.
Skills6
authenticating
/authenticating
Authentication testing skill - automates signup, login, 2FA bypass, CAPTCHA solving, and bot detection evasion using Playwright MCP. Tests authentication security controls. Includes behavioral biometrics simulation, OTP handling, and automated account creation for security assessments.
common-appsec-patterns
/common-appsec-patterns
Application security testing coordinator for common vulnerability patterns including XSS, injection flaws, and client-side security issues. Orchestrates specialized testing agents to identify and validate common application security weaknesses.
cve-testing
/cve-testing
CVE vulnerability testing coordinator that identifies technology stacks, researches known vulnerabilities, and tests applications for exploitable CVEs using public exploits and proof-of-concept code.
domain-assessment
/domain-assessment
Domain reconnaissance coordinator that orchestrates subdomain discovery and port scanning to build comprehensive domain attack surface inventory
pentest
/pentest
Penetration testing orchestrator that coordinates specialized attack agents. Provides attack indexes, methodology frameworks, and documentation. Execution delegated to specialized agents (SQL Injection, XSS, SSRF, etc.). Use for engagement planning and attack coordination.
Stats
Version2.0.0
LanguagePython
Stars34
Forks3
Copy clicks1
MaintenanceExcellent
LicenseMIT
Last Commit
Added
Available In
Safety Signals
Caution
Uses power tools
Uses Bash, Write, or Edit tools
No model invocation
Tags
Help us improve
Share bugs, ideas, or general feedback.
