From caido
Use the official Caido SDK from Codex to search HTTP history, replay and edit authenticated requests, manage scopes, filters, environments, projects, findings, intercept, automate/fuzz sessions, export curl commands, and save local bug-bounty evidence. Prefer when a live request corpus already exists or auth-preserving replay is more valuable than broad scanner coverage.
How this skill is triggered — by the user, by Claude, or both
Slash command
/caido:caido-modeThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Use this skill when the target is web or API and the highest-value next step is
README.mdcaido-client.tslib/bundle.tslib/client.tslib/commands/evidence.tslib/commands/findings.tslib/commands/info.tslib/commands/intercept.tslib/commands/management.tslib/commands/replay.tslib/commands/requests.tslib/graphql.tslib/output.tslib/types.tspackage-lock.jsonpackage.jsonscripts/caidoscripts/caido.ps1tests/bundle.test.tstests/output.test.tsUse this skill when the target is web or API and the highest-value next step is to work from real captured traffic instead of rebuilding requests by hand.
This is the right tool when:
Treat Caido as a stateful traffic broker.
kage is better for recon, scanners, breadth, and unauthenticated discovery.caido is better for authenticated replay, request-corpus mining, intercept-driven workflows, and workflow-heavy API abuse.Preferred loop:
edit to change only what matters.Requires:
plugins/caido/skills/caido-mode/Authenticate once:
cd plugins/caido/skills/caido-mode
npm install
npx tsx caido-client.ts setup <your-pat> http://localhost:8080
Auth lookup order:
CAIDO_PAT and CAIDO_URL~/.codex/caido/secrets.jsonCAIDO_SECRETS_PATHDo not store PATs in the repo tree.
From repo-local development:
plugins/caido/skills/caido-mode/scripts/caido health
plugins/caido/skills/caido-mode/scripts/caido recent --limit 5
plugins/caido/skills/caido-mode/scripts/caido search 'req.path.cont:"/api/"' --limit 10
PowerShell:
& "$PWD/plugins/caido/skills/caido-mode/scripts/caido.ps1" health
| Category | Commands |
|---|---|
| HTTP history | search, recent, get, get-response, export-curl |
| Edit and replay | edit, replay, send-raw |
| Sessions | create-session, rename-session, replay-sessions, delete-sessions |
| Collections | replay-collections, create-collection, rename-collection, delete-collection |
| Automate and fuzzing | create-automate-session, fuzz |
| Scope | scopes, create-scope, update-scope, delete-scope |
| Filter presets | filters, create-filter, update-filter, delete-filter |
| Environments | envs, create-env, select-env, env-set, delete-env |
| Findings | findings, get-finding, create-finding, update-finding, sync-finding |
| Local evidence | export-evidence |
| Tasks | tasks, cancel-task |
| Projects | projects, select-project |
| Hosted files | hosted-files, delete-hosted-file |
| Intercept | intercept-status, intercept-enable, intercept-disable |
| Info and auth | viewer, plugins, health, setup, auth-status |
npx tsx caido-client.ts search 'req.method.eq:"POST" AND resp.code.eq:200'
npx tsx caido-client.ts search 'req.path.cont:"/admin"' --ids-only
npx tsx caido-client.ts recent --limit 20
Prefer edit before rebuilding a request from scratch.
npx tsx caido-client.ts edit 123 --path /api/users/999
npx tsx caido-client.ts edit 123 --method POST --body '{"role":"admin"}'
npx tsx caido-client.ts edit 123 --set-header "X-Forwarded-For: 127.0.0.1"
npx tsx caido-client.ts edit 123 --remove-header "X-CSRF-Token"
npx tsx caido-client.ts edit 123 --replace 'user123:::user999'
npx tsx caido-client.ts replay 123 --compact
npx tsx caido-client.ts export-curl 123
When a request matters for a finding bundle:
npx tsx caido-client.ts export-evidence 123 --out audit-targets/acme/findings/F001/artifacts/caido
This writes request metadata JSON, curl command, response raw when available,
and optional request raw when --include-request-raw is used.
npx tsx caido-client.ts sync-finding --bundle audit-targets/acme/findings/F001 --request-id 123
npx tsx caido-client.ts sync-finding --bundle audit-targets/acme/findings/F001 --finding-id 77
Use this for operator convenience only. Local finding bundles stay the reporting source of truth.
npx tsx caido-client.ts projects
npx tsx caido-client.ts select-project <project-id>
npx tsx caido-client.ts create-scope "Target" --allow "*.target.com,api.target.com"
npx tsx caido-client.ts create-filter "Target API 2xx" --query 'req.host.cont:"api.target.com" AND resp.code.lt:300'
npx tsx caido-client.ts create-env "IDOR-Test"
npx tsx caido-client.ts env-set <env-id> victim_id user_456
npx tsx caido-client.ts create-session 123
npx tsx caido-client.ts rename-session <session-id> "idor-user-profile"
npx tsx caido-client.ts create-collection "Auth Boundary Tests"
npx tsx caido-client.ts create-automate-session 123
npx tsx caido-client.ts fuzz <session-id>
Configure automate markers and payloads in the Caido UI before fuzz.
npx tsx caido-client.ts intercept-status
npx tsx caido-client.ts intercept-enable
npx tsx caido-client.ts intercept-disable
Use intercept only when the next browser action needs capture or manual workflow shaping. Disable it before broad automation to avoid blocking traffic.
Recommended flow for auth-heavy web/API hunting:
healthauth-statusprojects and select-project when multiple projects existscopes or create-scope to keep the corpus target-boundrecent --limit 5search <httpql> to locate a seed requestedit <id> ... for each hypothesisexport-curl <id> or export-evidence <id> --out <dir> when a result becomes relevantcreate-finding or sync-finding only after the behavior is concrete enough to keepCritical reminders:
NOT does not existne, ncont, nlike, nregexExamples:
req.method.eq:"POST" AND resp.code.eq:200
req.path.regex:"/(login|auth|oauth)/"
resp.len.gt:100000
req.path.ncont:"/static"
source:"replay" OR source:"automate"
When this skill is used inside the repo's web/API bounty pipeline:
kage for recon and broad surface discoverycaido for authenticated mutation, replay, and request-corpus miningprep/caido-plan.md before live replayprep/asset-inventory.mdartifacts/caido/sync-finding only as convenience; do not let the Caido UI become the only evidence storeprep/tried-and-ruled-out.md before falling back to kage or direct toolingWorks with get, get-response, replay, edit, and send-raw.
| Flag | Default | Purpose |
|---|---|---|
--max-body <n> | 200 | Max response body lines; 0 means unlimited |
--max-body-chars <n> | 5000 | Max response body characters; 0 means unlimited |
--no-request | off | Skip request raw in output |
--headers-only | off | Show only HTTP headers and no body |
--compact | off | Shorthand for small, token-friendly output |
Local helper tests:
npm test
Live E2E checks, when Caido is available:
npx tsx caido-client.ts health
npx tsx caido-client.ts recent --limit 1
Guides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Dispatches multiple subagents concurrently for independent tasks without shared state. Use when facing 2+ unrelated failures or subsystems that can be investigated in parallel.
npx claudepluginhub daothinh/spec-cdex --plugin caido