Provides complete reference for pentest-cli commands, global flags, and JSON output shapes. Guides Bash invocation for web recon, vulnerability scanning, discovery, and injection testing.
```bash
npx claudepluginhub sabania/pentest-cli --plugin pentest-cli-reference
```
Complete command reference for `pentest-cli`. Always use `--json` for machine-readable output. Always use `-k` to disable SSL verification warnings.
```bash
pentest --version # Should print "pentest-cli v1.0.0"
```
If not installed:
```bash
curl -fsSL https://raw.githubusercontent.com/sabania/pentest-cli/main/install.sh | bash
export PATH="$HOME/.local/bin:$PATH"
```

Usage:

```bash
pentest [GLOBAL FLAGS] <group> <command> <url>
```
| Flag | Short | Description |
|---|---|---|
| `--json` | `-j` | JSON output to stdout (for parsing) |
| `--verbose` | `-v` | Verbose output |
| `--active` | | Enable active testing (sends payloads) |
| `--yes` | `-y` | Auto-confirm active testing consent |
| `--output-dir DIR` | `-o` | Save findings to directory |
| `--timeout N` | `-t` | HTTP timeout seconds (default: 30) |
| `--insecure` | `-k` | Disable SSL verification |
| `--rate-limit N` | | Seconds between requests |
| `--threads N` | | Max concurrent threads (default: 10) |
```bash
# recon
pentest -k -j recon subdomains <domain> # crt.sh + DNS brute + dnsrecon
pentest -k -j recon ports <domain> # nmap port scan (top 1000)
pentest -k -j recon dns <domain> # DNS records, zone transfer, SPF/DMARC
pentest -k -j recon whois <domain> # WHOIS lookup
pentest -k -j recon crawl <url> # Web crawling, URL discovery
pentest -k -j recon osint <domain> # Google dorks, Wayback, emails

# scan
pentest -k -j scan headers <url> # Security headers (CSP, HSTS, SRI)
pentest -k -j scan ssl <domain> # TLS protocols, certs, ciphers
pentest -k -j scan cors <url> # CORS misconfiguration
pentest -k -j scan nikto <url> # Nikto web server scanner
pentest -k -j scan nuclei <url> # Nuclei (9000+ templates)

# discover
pentest -k -j discover bundle <url> # JS bundles: source maps, API keys, secrets
pentest -k -j discover api <url> # API docs, GraphQL, error disclosure
pentest -k -j discover graphql <url> # GraphQL introspection + attacks
pentest -k -j discover fuzz <url> # Content discovery (requires --active)
pentest -k -j discover tech <url> # Technology fingerprinting (whatweb)

# inject (active testing)
pentest -k -j --active --yes inject sqli <url> # SQL injection (+ sqlmap)
pentest -k -j --active --yes inject xss <url> # Cross-site scripting
pentest -k -j --active --yes inject ssti <url> # Server-side template injection
pentest -k -j --active --yes inject cmdi <url> # OS command injection
pentest -k -j --active --yes inject ssrf <url> # Server-side request forgery
pentest -k -j --active --yes inject xxe <url> # XML external entity
pentest -k -j --active --yes inject nosql <url> # NoSQL injection
pentest -k -j --active --yes inject lfi <url> # Local file inclusion / path traversal

# auth
pentest -k -j auth jwt <token> # JWT token analysis (no URL needed)
pentest -k -j auth oauth <url> # OAuth/OIDC vulnerability testing
pentest -k -j auth session <url> # Session management testing
pentest -k -j --active --yes auth brute <url> # Credential brute force (hydra)

# advanced
pentest -k -j --active --yes advanced smuggle <url> # HTTP request smuggling
pentest -k -j --active --yes advanced race <url> # Race conditions
pentest -k -j advanced cache <url> # Cache poisoning
pentest -k -j advanced takeover <domain> # Subdomain takeover
pentest -k -j advanced websocket <url> # WebSocket security
pentest -k -j --active --yes advanced redirect <url> # Open redirect

# cloud / baas
pentest -k -j cloud storage <url> # S3/Azure/GCS misconfiguration
pentest -k -j cloud waf <url> # WAF detection
pentest -k -j cloud email <domain> # SPF, DKIM, DMARC
pentest -k -j baas <url> # Supabase/Firebase/Convex probing

# full run and report
pentest -k -j -o ./findings full <url> # Full pentest (all commands)
pentest report ./findings/ # Generate PDF report
```
Every command returns this structure on stdout when `--json` is used:

```json
{
  "target": "https://example.com",
  "scan_type": "headers",
  "timestamp": "2026-03-20T01:37:27.836758+00:00",
  "duration_seconds": 0.29,
  "summary": {
    "critical": 0, "high": 2, "medium": 3, "low": 1, "info": 0, "total": 6
  },
  "findings": [
    {
      "id": "HDR-CONTENT_SECURITY_POLICY-MISSING",
      "title": "Missing Content-Security-Policy Header",
      "severity": "high",
      "confidence": "confirmed",
      "category": "headers",
      "description": "No CSP header found...",
      "evidence": "Header 'content-security-policy' not found in response",
      "remediation": "Add Content-Security-Policy header...",
      "url": "https://example.com",
      "owasp_id": "WSTG-CONF-12",
      "cwe": "CWE-693"
    }
  ],
  "metadata": {}
}
```

Exit codes:
| Code | Meaning |
|---|---|
| 0 | Clean - no critical/high findings |
| 1 | CRITICAL findings found |
| 2 | HIGH findings found |
| 3 | Error (connection failed, tool missing) |
| 4 | Active testing consent denied |
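Consuming the JSON shape and the exit codes above from a pipeline, as an added example (not part of pentest-cli): the `pentest` binary is wrapped in `run_scan`, and the embedded report is a constructed sample that follows the page's headers-scan output so the triage functions can be exercised offline. The `gate` rule treats exit codes 3 and 4 as failures rather than as clean results, since a scan that did not run proves nothing.

```python
"""Consume pentest-cli --json output and turn it into a triage decision."""
import json
import subprocess
from typing import Any, Dict, List, Optional, Tuple

# Exit codes as documented for pentest-cli.
EXIT_MEANING = {0: "clean", 1: "critical findings", 2: "high findings",
                3: "error (connection failed, tool missing)",
                4: "active testing consent denied"}

# Constructed sample following the JSON shape of a `scan headers` run.
SAMPLE_REPORT = json.dumps({
    "target": "https://example.com", "scan_type": "headers",
    "summary": {"critical": 0, "high": 2, "medium": 0, "low": 0, "info": 0, "total": 2},
    "findings": [
        {"id": "HDR-CONTENT_SECURITY_POLICY-MISSING", "severity": "high",
         "confidence": "confirmed", "cwe": "CWE-693",
         "remediation": "Add Content-Security-Policy header..."},
        {"id": "HDR-SAMPLE-2", "severity": "high", "confidence": "confirmed",
         "cwe": "CWE-693", "remediation": "constructed second finding"},
    ],
})

def run_scan(args: List[str], timeout: int = 120) -> Tuple[int, Optional[Dict[str, Any]]]:
    """Run `pentest -k -j <args>`; return (exit code, parsed JSON or None)."""
    proc = subprocess.run(["pentest", "-k", "-j", *args], capture_output=True,
                          text=True, timeout=timeout)
    try:
        return proc.returncode, json.loads(proc.stdout)
    except json.JSONDecodeError:  # exit 3/4 may leave no JSON on stdout
        return proc.returncode, None

def findings_by_severity(report: Dict[str, Any]) -> Dict[str, List[str]]:
    """Group finding ids by severity so a reviewer reads the worst first."""
    grouped: Dict[str, List[str]] = {}
    for f in report.get("findings", []):
        grouped.setdefault(f["severity"], []).append(f["id"])
    return grouped

def gate(exit_code: int, report: Optional[Dict[str, Any]],
         fail_on: Tuple[str, ...] = ("critical", "high")) -> Tuple[bool, str]:
    """Pass only if the scan completed and has no findings at a blocking severity."""
    if exit_code in (3, 4):  # an unrun scan is not a clean scan
        return False, f"scan did not complete: {EXIT_MEANING[exit_code]}"
    if report is None:
        return False, "scan did not complete: no JSON on stdout"
    summary = report.get("summary", {})
    blocking = {sev: summary.get(sev, 0) for sev in fail_on if summary.get(sev, 0)}
    if blocking:
        return False, f"{report['scan_type']} on {report['target']}: {blocking}"
    return True, f"{report['scan_type']} on {report['target']}: no {'/'.join(fail_on)} findings"
```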
The CLI auto-detects these tools when available:
| Tool | Used by | Fallback |
|---|---|---|
| nmap | recon ports | Python socket scan |
| sqlmap | inject sqli | Built-in probes |
| hydra | auth brute | Not available |
| nikto | scan nikto | Not available |
| nuclei | scan nuclei | Not available |
| whatweb | discover tech | Built-in fingerprinting |
| dnsrecon | recon subdomains | Built-in DNS brute |