```bash
npx claudepluginhub ghostsecurity/skills --plugin ghost
```

This skill uses the workspace's default tool permissions.
Reaper is a CLI-based MITM HTTPS proxy for application security testing. It intercepts, logs, and allows inspection of HTTP/HTTPS traffic flowing through it. Use it to capture live request/response pairs for security validation.
Before using any reaper command, make sure the latest version of the binary is installed:
```bash
curl -sfL https://raw.githubusercontent.com/ghostsecurity/reaper/main/scripts/install.sh | bash
```

All reaper commands in this document should be invoked as `~/.ghost/bin/reaper` unless `~/.ghost/bin` is on `PATH`.
| Command | Purpose |
|---|---|
| `reaper start --domains example.com` | Start proxy (foreground) |
| `reaper start --domains example.com -d` | Start proxy (daemon) |
| `reaper logs` | Show recent captured entries |
| `reaper search --method POST --path '/api/*'` | Search captured traffic |
| `reaper get <id>` | Show full request + response |
| `reaper req <id>` | Show raw HTTP request only |
| `reaper res <id>` | Show raw HTTP response only |
| `reaper stop` | Stop the daemon |
Start reaper scoped to the target domain(s). At least one `--domains` or `--hosts` flag is required.

```bash
# Intercept all traffic to example.com and its subdomains
reaper start --domains example.com

# Multiple domains
reaper start --domains example.com,api.internal.co

# Exact hostname matching
reaper start --hosts api.example.com

# Both domain suffix and exact host matching
reaper start --domains example.com --hosts special.internal.co

# Custom port (default: 8443)
reaper start --domains example.com --port 9090

# Run as background daemon
reaper start --domains example.com -d
```
Scope behavior:

- `--domains`: Suffix match. `example.com` matches `example.com`, `api.example.com`, `sub.api.example.com`
- `--hosts`: Exact match. `api.example.com` matches only `api.example.com`

Configure the HTTP client to use the proxy. The default listen address is `localhost:8443`.
```bash
# curl
curl -x http://localhost:8443 -k https://api.example.com/endpoint

# Environment variables (works with many tools)
export http_proxy=http://localhost:8443
export https_proxy=http://localhost:8443
```

```python
# Python requests
import requests

requests.get(
    "https://api.example.com/endpoint",
    proxies={"http": "http://localhost:8443", "https": "http://localhost:8443"},
    verify=False,
)
```
The -k / verify=False flag is needed because reaper generates its own CA certificate at startup for MITM TLS interception.
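The scope rules described under "Scope behavior" (`--domains` suffix match, `--hosts` exact match), written out as a small checker for deciding ahead of time which hostnames a given flag set would intercept. This is an added example, not reaper's own code: the function names are hypothetical, and treating the suffix match as label-bounded (so `notexample.com` does not match `example.com`) is an assumption the page does not confirm.

```python
# Added illustration of the documented scope rules; not reaper's source code.

def normalize(host: str) -> str:
    """Lower-case a hostname and drop any :port suffix and trailing root dot."""
    host = host.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8443
        end = host.find("]")
        return host[1:end] if end != -1 else host
    if host.count(":") == 1:                 # name:port or IPv4:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def in_scope(host: str, domains=(), hosts=()) -> bool:
    """True if host matches a --hosts entry exactly or a --domains entry by suffix."""
    h = normalize(host)
    if not h:
        return False
    if h in {normalize(x) for x in hosts}:   # --hosts: exact match only
        return True
    for d in (normalize(x) for x in domains):
        # --domains: the domain itself or any subdomain. Matching on ".<domain>"
        # (a label boundary) is an assumption, so that notexample.com stays out.
        if d and (h == d or h.endswith("." + d)):
            return True
    return False


def partition(candidates, domains=(), hosts=()):
    """Split candidate hostnames into (intercepted, ignored) lists, keeping order."""
    hit, miss = [], []
    for c in candidates:
        (hit if in_scope(c, domains, hosts) else miss).append(c)
    return hit, miss


if __name__ == "__main__":
    # Constructed sample: hostnames a client under test might contact.
    seen = ["example.com", "API.example.com:443", "sub.api.example.com.",
            "notexample.com", "example.com.evil.test", "special.internal.co",
            "x.special.internal.co"]
    hit, miss = partition(seen, domains=["example.com"], hosts=["special.internal.co"])
    print("in scope:    ", hit)
    print("out of scope:", miss)
```

Running the same partition over the HOST column of `reaper logs` is a quick way to confirm that only in-scope hosts were captured.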
```bash
# Show last 50 entries (default)
reaper logs

# Show last 200 entries
reaper logs -n 200
```
Output columns: ID, METHOD, HOST, PATH, STATUS, MS, REQ (request body size), RES (response body size).
```bash
# By HTTP method
reaper search --method POST

# By host (supports * wildcard; quoted so the shell does not expand it)
reaper search --host '*.api.example.com'

# By domain suffix
reaper search --domains example.com

# By path prefix (supports * wildcard)
reaper search --path /api/v3/transfer

# By status code
reaper search --status 200

# Combined filters
reaper search --method POST --path '/api/v3/*' --status 200 -n 50
```
```bash
# Full request and response (raw HTTP)
reaper get 42

# Request only
reaper req 42

# Response only
reaper res 42
```
Output is raw HTTP/1.1 format including headers and body, suitable for analysis or replay.
```bash
reaper stop
```
When used with the validate skill (you may need to collaborate with the user to set up the test environment):
- `reaper logs` — at least one entry should appear after routing a test request through the proxy
- `reaper get <id>` to capture the full request/response as evidence

All data is stored in `~/.reaper/`:

- `reaper.db` - SQLite database with captured entries
- `reaper.sock` - Unix socket for CLI-to-daemon IPC
- `reaper.pid` - Daemon process ID

The CA certificate is generated fresh in memory on each start and is not persisted.