Skill

pentest-discover

Performs passive discovery scans on web apps to uncover JS bundles, API endpoints, GraphQL schemas, exposed secrets, source maps, and BaaS backends like Firebase/Supabase.

Javascript

GraphQL

Firebase

Supabase

security

npx claudepluginhub sabania/pentest-cli --plugin pentest-framework

Tool Access

This skill is limited to using the following tools:

BashAgentRead

Preview

Analyze a target application to discover JavaScript bundles, API endpoints, GraphQL schemas, exposed secrets, source maps, and Backend-as-a-Service (BaaS) configurations.

SKILL.md

Similar Skills

reconnaissance

257

Maps attack surface via subdomain discovery, port scanning, endpoint enumeration, and API discovery. Useful for security assessments and penetration testing.

7 files

communitytools

performing-api-inventory-and-discovery

Performs API inventory and discovery to identify documented, undocumented, shadow, zombie, and deprecated endpoints using passive traffic analysis, active scanning, DNS enumeration, JavaScript analysis, and cloud inventory. For security audits and OWASP API9:2023 compliance.

asi

performing-api-inventory-and-discovery

5.9k

Inventories APIs including shadow, zombie, and undocumented endpoints via traffic analysis, active scanning, DNS, JS parsing, and cloud resources. For OWASP API9:2023 attack surface mapping.

3 files

cybersecurity-skills

Stats

Parent Repo Stars5

Parent Repo Forks0

Last CommitMar 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

/pentest-discover — Discovery Scan

Analyze a target application to discover JavaScript bundles, API endpoints, GraphQL schemas, exposed secrets, source maps, and Backend-as-a-Service (BaaS) configurations.

Input

The target URL is provided via $ARGUMENTS. If no URL is provided, ask the user for one.

Steps

Parse the target URL from $ARGUMENTS.

Delegate to discovery-agent using the Agent tool. The agent must run the following commands, collecting all JSON output:

pentest -k -j -o ./findings discover bundle <url>
pentest -k -j -o ./findings discover api <url>
pentest -k -j -o ./findings discover graphql <url>
pentest -k -j -o ./findings baas <url>

Read the JSON outputs from ./findings/ to gather all results.

Present findings to the user covering:

Exposed secrets: API keys, tokens, credentials found in JS bundles or source maps
Source maps: Whether .map files are publicly accessible (leaking original source code)
API endpoints: Discovered REST and GraphQL endpoints, including undocumented ones
GraphQL introspection: Whether introspection is enabled, schema details
API documentation: Swagger/OpenAPI specs, GraphQL playgrounds left exposed
BaaS backends: Firebase, Supabase, AWS Amplify misconfigurations (open databases, permissive rules)

Notes

All discover commands are passive and safe to run without explicit consent.

Bundle analysis is especially valuable for single-page applications (React, Vue, Angular).

Exposed BaaS credentials in JS bundles are a common critical finding.

Use -k to skip SSL verification for targets with self-signed certs.

Use -j for machine-readable JSON output.

Use -o ./findings to persist results for later reporting.