Skill

offsec-lead

Orchestrates multi-agent teams for offensive security research: manages tasks, spawns CVE scouts/code analysts post-recon/shell, evaluates findings, deepens until exploitable.

security

npx claudepluginhub d0gesec/pownie

Tool Access

This skill uses the workspace's default tool permissions.

Preview

**Requires**: Agent Teams enabled (`CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1` in settings.json)

SKILL.md

Similar Skills

coordination

223

Orchestrates penetration testing workflow by spawning executor and validator agents, managing attack-chain.md, experiments.md, recon, and validation for security engagements.

9 files

communitytools

red-team

Provides methodology guidance for authorized penetration testing and red team engagements, routing to 11 specialized agents covering the full MITRE ATT&CK kill chain.

20 files10 tools

jerry

credteam

Performs goal-directed penetration testing on running systems with source code access. Simulates adversarial attacks targeting trust boundaries to identify exploitable seams.

10 tools

correctless

Stats

Stars17

Forks1

Last CommitMar 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Orchestrator — When and How to Spawn Teammates

Requires: Agent Teams enabled (CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 in settings.json)

Three Rules

After recon, spawn teammates for each distinct attack surface (CVE research, source analysis, auth testing — in parallel, max 3)
After getting shell, spawn teammates immediately — system enum, local software CVE research, lateral movement — do NOT enumerate serially
After 3+ failures on same component, stop — assess if the attack CLASS is dead, not just the variant

When to Spawn

Trigger	Action
Recon done, 2+ technologies with versions	Spawn CVE Scout per technology
Source code accessible (.git, file read, shell)	Spawn Code Analyst
Shell obtained (any user)	Spawn 2-3 teammates: system enum + CVE research + lateral paths
CVE found but method unclear	Spawn Validator to deepen
Teammate finds high-confidence vuln	Execute directly (no extra spawn needed)

When NOT to Spawn

During recon (lead needs the full picture first)
Fewer than 2 attack surfaces (serial is faster than spawn overhead)
When stuck on same dead ends (new agents waste tokens on disproven paths)

Teammate Prompt Template

Every teammate prompt MUST include this bootstrap block:

MANDATORY FIRST STEPS — do these before ANY other work:

1. Read compact-state.md for target orientation
2. Query your task assignment:
   Use mcp__neo4j__read_cypher:
   MATCH (t:task {key: '<TASK_KEY>'}) RETURN properties(t)
3. Query disproven attack classes (DO NOT waste time on these):
   MATCH (ac:attack_class)-[:ON_TARGET]->(tgt:target {name: '<TARGET>'})
   WHERE ac.status = 'disproven'
   RETURN ac.key, ac.reason, ac.blocked_techniques
4. Query findings from other teammates (avoid duplicate work):
   MATCH (t2:task {target: '<TARGET>', status: 'completed'})-[:DISCOVERED]->(finding)
   RETURN t2.role, t2.findings_summary, labels(finding)[0] AS type, finding.key

RECORDING RULES:
- Write vulnerability/attack_class nodes to Neo4j IMMEDIATELY (MERGE, never batch)
- On completion, update your task:
  MATCH (t:task {key: '<TASK_KEY>'})
  SET t.status = 'completed', t.findings_summary = '<1-2 sentences>',
      t.completed_at = datetime()

CVE Scout Template

<bootstrap block>

YOUR ROLE: CVE Scout for <technology> <version>
ENTRY POINT: <how we reach this technology>

You MUST reach all 3 levels before marking complete:

Level 1 — FIND: Search CVEs for <technology> <= <version>
  Web search, GitHub Security Advisories, NVD, exploit-db

Level 2 — VALIDATE METHOD: For each CVE:
  - What EXACT function/code path is vulnerable?
  - What is the SPECIFIC mechanism? (not "command injection" — WHERE and HOW)
  - Is the code path reachable from our entry point?

Level 3 — CONFIRM PAYLOAD:
  - Exact payload structure
  - What WRONG approaches waste time? (document these)
  - Local test if possible (e.g., python3 -c 'os.path.join("/tmp", "/abs")')

Write to Neo4j:
  MERGE (v:vulnerability {key: '<CVE>'})
  SET v.exploitation_method = '<EXACT mechanism>',
      v.confidence = '<high|medium|low>',
      v.payload_format = '<structure>',
      v.wrong_approaches = '<what NOT to do>'

Code Analyst Template

<bootstrap block>

YOUR ROLE: Code Analyst for <component>
SOURCE: <where to get code>

Level 1 — READ all available source
Level 2 — ANALYZE each input handler:
  XML parser? subprocess call? input validation? template rendering? file ops?
Level 3 — VERDICT per attack class:
  MERGE (ac:attack_class {key: 'class:<type>@<component>'})
  SET ac.status = 'disproven' OR 'viable',
      ac.reason = '<specific reason with file:line>',
      ac.blocked_techniques = '<what this kills>'

Also look for: hardcoded creds, internal services, version info, cron jobs

Task Tracking

Create tasks when spawning, update on completion:

// Create
MERGE (t:task {key: 'task:<role>:<subject>'})
SET t.description = '...', t.status = 'in_progress',
    t.depth = <N>, t.role = '<role>', t.target = '<target>',
    t.spawned_at = datetime()

// Complete
MATCH (t:task {key: '<key>'})
SET t.status = 'completed', t.findings_summary = '...', t.completed_at = datetime()

Exploitation Threshold

Only exploit when: confidence = 'high' AND exploitation_method is specific AND wrong_approaches documented. If confidence is medium, spawn Validator to deepen first.