From pentest-framework
Orchestrates a full web app security audit: passive recon, config scans, discovery, business logic tests, optional active exploits, and generates a PDF report.
npx claudepluginhub sabania/pentest-cli --plugin pentest-framework
This skill is limited to using the following tools:
Run a full-spectrum security audit against a target application. This is the main entry point that orchestrates all other pentest skills sequentially, from passive reconnaissance through active exploitation testing, and generates a final PDF report.
The target URL is provided via $ARGUMENTS. If no URL is provided, ask the user for one.
Parse the target URL from $ARGUMENTS.
Create the findings directory:
mkdir -p ./findings
Phase 1 — Passive Reconnaissance (no consent needed):
Delegate to recon-agent. Run all recon commands:
pentest -k -j -o ./findings recon subdomains <url>
pentest -k -j -o ./findings recon dns <url>
pentest -k -j -o ./findings recon ports <url>
pentest -k -j -o ./findings recon osint <url>
pentest -k -j -o ./findings discover tech <url>
pentest -k -j -o ./findings cloud email <url>
Present a brief summary of recon results before proceeding.
Phase 2 — Security Configuration Scanning (no consent needed):
Delegate to scanner-agent. Run all scan commands:
pentest -k -j -o ./findings scan headers <url>
pentest -k -j -o ./findings scan ssl <url>
pentest -k -j -o ./findings scan cors <url>
pentest -k -j -o ./findings cloud waf <url>
Present a brief summary of configuration findings.
Phase 3 — Discovery (no consent needed):
Delegate to discovery-agent. Run all discovery commands:
pentest -k -j -o ./findings discover bundle <url>
pentest -k -j -o ./findings discover api <url>
pentest -k -j -o ./findings discover graphql <url>
pentest -k -j -o ./findings baas <url>
Present a brief summary of discovered assets.
Phase 4 — Business Logic Analysis (no consent needed):
Delegate to logic-agent. The agent crawls the application and tests for:
Phase 5 — Active Testing Decision Point:
Ask the user:
Phases 1-4 (passive testing) are complete. The following active tests send real attack payloads to the target:
- Injection testing: SQLi, XSS, SSTI, SSRF, command injection, LFI, open redirect
- Advanced attacks: Request smuggling, race conditions, cache poisoning, subdomain takeover
- Auth brute force: Login brute force attempts
Only proceed if you own the target or have written authorization.
Do you want to run active tests? (yes/no)
Phase 6 — Active Testing (only if user consents):
Run in parallel:
- injection-agent with all inject commands using --active --yes
- advanced-agent with all advanced commands using --active --yes
Present combined active testing results.
Phase 7 — Report Generation:
Delegate to report-agent:
pentest report ./findings/
Present the Executive Summary to the user.
Point the user to ./findings/ for the final report.
Notes:
-k skips SSL verification for targets with self-signed certificates.
-j produces machine-readable JSON output.
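As an added example (not part of the plugin or the pentest CLI), a planner that builds the phase command lines above and enforces the two controls the procedure relies on: the target host must be inside an authorized scope, and the phase 6 `--active --yes` commands are only emitted with explicit consent. The phase 6 subcommand names `inject` and `advanced` and the trailing placement of the active flags are assumptions; phase 4 has no CLI line on the page and is not planned.

```python
from urllib.parse import urlparse

# Passive phases 1-3, subcommands as listed in the skill, in the order they run.
PASSIVE_SUBCOMMANDS = [
    "recon subdomains", "recon dns", "recon ports", "recon osint", "discover tech", "cloud email",
    "scan headers", "scan ssl", "scan cors", "cloud waf",
    "discover bundle", "discover api", "discover graphql", "baas",
]
# Phase 6: assumed placeholder names for "all inject commands" / "all advanced commands".
ACTIVE_SUBCOMMANDS = ["inject", "advanced"]


def in_scope(url: str, allowed_hosts) -> bool:
    """True when the URL's host equals an authorized host or is a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    hosts = {h.lower() for h in allowed_hosts}
    return any(host == h or host.endswith("." + h) for h in hosts)


def build_command(subcommand: str, url: str, findings_dir: str, active: bool = False) -> list:
    """pentest -k -j -o <dir> <subcommand> <url>, plus --active --yes for phase 6 (assumed trailing)."""
    argv = ["pentest", "-k", "-j", "-o", findings_dir, *subcommand.split(), url]
    if active:
        argv += ["--active", "--yes"]
    return argv


def plan_audit(url: str, allowed_hosts, findings_dir: str = "./findings",
               active_consent: bool = False) -> list:
    """Return the ordered argv list for the audit; refuse targets outside the authorized scope."""
    if not in_scope(url, allowed_hosts):
        raise PermissionError(f"{url} is outside the authorized scope {sorted(allowed_hosts)}")
    plan = [build_command(s, url, findings_dir) for s in PASSIVE_SUBCOMMANDS]
    if active_consent:  # phase 6 runs only after the user's explicit yes
        plan += [build_command(s, url, findings_dir, active=True) for s in ACTIVE_SUBCOMMANDS]
    plan.append(["pentest", "report", findings_dir + "/"])  # phase 7
    return plan


if __name__ == "__main__":
    # Constructed example scope; commands are planned and printed, never executed here.
    for argv in plan_audit("https://app.example.com", {"example.com"}):
        print(" ".join(argv))
```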