Stats
Actions
Tags
From pownie
Orchestrates multi-agent teams for offensive security research: manages tasks, spawns CVE scouts/code analysts post-recon/shell, evaluates findings, deepens until exploitable.
How this skill is triggered — by the user, by Claude, or both
Slash command
/pownie:offsec-leadThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**Requires**: Agent Teams enabled (`CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1` in settings.json)
Requires: Agent Teams enabled (CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 in settings.json)
| Trigger | Action |
|---|---|
| Recon done, 2+ technologies with versions | Spawn CVE Scout per technology |
| Source code accessible (.git, file read, shell) | Spawn Code Analyst |
| Shell obtained (any user) | Spawn 2-3 teammates: system enum + CVE research + lateral paths |
| CVE found but method unclear | Spawn Validator to deepen |
| Teammate finds high-confidence vuln | Execute directly (no extra spawn needed) |
Every teammate prompt MUST include this bootstrap block:
MANDATORY FIRST STEPS — do these before ANY other work:
1. Read compact-state.md for target orientation
2. Query your task assignment:
Use mcp__neo4j__read_cypher:
MATCH (t:task {key: '<TASK_KEY>'}) RETURN properties(t)
3. Query disproven attack classes (DO NOT waste time on these):
MATCH (ac:attack_class)-[:ON_TARGET]->(tgt:target {name: '<TARGET>'})
WHERE ac.status = 'disproven'
RETURN ac.key, ac.reason, ac.blocked_techniques
4. Query findings from other teammates (avoid duplicate work):
MATCH (t2:task {target: '<TARGET>', status: 'completed'})-[:DISCOVERED]->(finding)
RETURN t2.role, t2.findings_summary, labels(finding)[0] AS type, finding.key
RECORDING RULES:
- Write vulnerability/attack_class nodes to Neo4j IMMEDIATELY (MERGE, never batch)
- On completion, update your task:
MATCH (t:task {key: '<TASK_KEY>'})
SET t.status = 'completed', t.findings_summary = '<1-2 sentences>',
t.completed_at = datetime()
<bootstrap block>
YOUR ROLE: CVE Scout for <technology> <version>
ENTRY POINT: <how we reach this technology>
You MUST reach all 3 levels before marking complete:
Level 1 — FIND: Search CVEs for <technology> <= <version>
Web search, GitHub Security Advisories, NVD, exploit-db
Level 2 — VALIDATE METHOD: For each CVE:
- What EXACT function/code path is vulnerable?
- What is the SPECIFIC mechanism? (not "command injection" — WHERE and HOW)
- Is the code path reachable from our entry point?
Level 3 — CONFIRM PAYLOAD:
- Exact payload structure
- What WRONG approaches waste time? (document these)
- Local test if possible (e.g., python3 -c 'os.path.join("/tmp", "/abs")')
Write to Neo4j:
MERGE (v:vulnerability {key: '<CVE>'})
SET v.exploitation_method = '<EXACT mechanism>',
v.confidence = '<high|medium|low>',
v.payload_format = '<structure>',
v.wrong_approaches = '<what NOT to do>'
<bootstrap block>
YOUR ROLE: Code Analyst for <component>
SOURCE: <where to get code>
Level 1 — READ all available source
Level 2 — ANALYZE each input handler:
XML parser? subprocess call? input validation? template rendering? file ops?
Level 3 — VERDICT per attack class:
MERGE (ac:attack_class {key: 'class:<type>@<component>'})
SET ac.status = 'disproven' OR 'viable',
ac.reason = '<specific reason with file:line>',
ac.blocked_techniques = '<what this kills>'
Also look for: hardcoded creds, internal services, version info, cron jobs
Create tasks when spawning, update on completion:
// Create
MERGE (t:task {key: 'task:<role>:<subject>'})
SET t.description = '...', t.status = 'in_progress',
t.depth = <N>, t.role = '<role>', t.target = '<target>',
t.spawned_at = datetime()
// Complete
MATCH (t:task {key: '<key>'})
SET t.status = 'completed', t.findings_summary = '...', t.completed_at = datetime()
Only exploit when: confidence = 'high' AND exploitation_method is specific AND wrong_approaches documented. If confidence is medium, spawn Validator to deepen first.
npx claudepluginhub d0gesec/pownie --plugin pownieOrchestrates pentest engagements by spawning executor and validator agents with context-controlled workflow. Entry point for all security testing.
Provides methodology guidance for authorized penetration testing and red team engagements, routing to 11 specialized agents covering the full MITRE ATT&CK kill chain.
Initializes pentesting or bug bounty engagements by extracting targets from messages, bootstrapping from memory.json, and generating 4-6 ranked probabilistic attack chain hypotheses.