Skill

pentest-inject

Tests target web apps for injection vulnerabilities like SQLi, XSS, SSTI, SSRF, LFI, command injection via active payloads after explicit user consent.

Bash

security

npx claudepluginhub sabania/pentest-cli --plugin pentest-framework

Tool Access

This skill is limited to using the following tools:

BashAgentRead

Preview

Test a target application for injection vulnerabilities including SQL injection, cross-site scripting (XSS), server-side template injection (SSTI), server-side request forgery (SSRF), and more.

SKILL.md

Similar Skills

injection

257

Tests for injection vulnerabilities across all input vectors: SQL, NoSQL, OS Command, SSTI, XXE, and LDAP/XPath techniques.

20 files

communitytools

xss-html-injection

37.1k

Tests web apps for XSS and HTML injection vulnerabilities using payloads like script tags and event handlers, demos session hijacking, validates encoding. For authorized security audits.

antigravity-awesome-skills

pentest

Conducts OWASP-based penetration testing: reconnaissance, Top 10 vulnerabilities (access control, injection, misconfig), API security, PoCs, code remediations, reports. For security audits.

godmode

Stats

Parent Repo Stars5

Parent Repo Forks0

Last CommitMar 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

/pentest-inject — Injection Testing

Test a target application for injection vulnerabilities including SQL injection, cross-site scripting (XSS), server-side template injection (SSTI), server-side request forgery (SSRF), and more.

Input

The target URL is provided via $ARGUMENTS. If no URL is provided, ask the user for one.

Steps

Parse the target URL from $ARGUMENTS.

WARN the user before proceeding:

WARNING: Active Testing Mode

This skill sends actual attack payloads to the target application. This includes SQL injection strings, XSS payloads, SSTI probes, and SSRF attempts.

Only run this against applications you own or have explicit written authorization to test.

These payloads may trigger WAF alerts, logging, or IDS/IPS notifications.

Some payloads could potentially cause application errors or data corruption.

Do you want to proceed? (yes/no)

Wait for explicit user confirmation. Do NOT proceed without a clear "yes."

Delegate to injection-agent using the Agent tool. The agent must run all injection commands with --active --yes flags:

pentest -k -j -o ./findings inject sqli --active --yes <url>
pentest -k -j -o ./findings inject xss --active --yes <url>
pentest -k -j -o ./findings inject ssti --active --yes <url>
pentest -k -j -o ./findings inject ssrf --active --yes <url>
pentest -k -j -o ./findings inject cmdi --active --yes <url>
pentest -k -j -o ./findings inject lfi --active --yes <url>
pentest -k -j -o ./findings inject redirect --active --yes <url>

Read the JSON outputs from ./findings/ to gather all results.

Present confirmed vulnerabilities organized by severity:

For each finding: vulnerability type, affected endpoint, payload used, evidence of exploitation
Include remediation recommendations for each vulnerability class

Notes

This skill performs active testing that sends real payloads. User consent is mandatory.

The --active flag enables payload delivery. The --yes flag skips interactive prompts.

Use -k to skip SSL verification for targets with self-signed certs.

Use -j for machine-readable JSON output.

Use -o ./findings to persist results for later reporting.

/pentest-inject — Injection Testing

Test a target application for injection vulnerabilities including SQL injection, cross-site scripting (XSS), server-side template injection (SSTI), server-side request forgery (SSRF), and more.

Input

The target URL is provided via $ARGUMENTS. If no URL is provided, ask the user for one.

Steps

Parse the target URL from $ARGUMENTS.

WARN the user before proceeding:

WARNING: Active Testing Mode

This skill sends actual attack payloads to the target application. This includes SQL injection strings, XSS payloads, SSTI probes, and SSRF attempts.

Only run this against applications you own or have explicit written authorization to test.

These payloads may trigger WAF alerts, logging, or IDS/IPS notifications.

Some payloads could potentially cause application errors or data corruption.

Do you want to proceed? (yes/no)

Wait for explicit user confirmation. Do NOT proceed without a clear "yes."

Delegate to injection-agent using the Agent tool. The agent must run all injection commands with --active --yes flags:

pentest -k -j -o ./findings inject sqli --active --yes <url>
pentest -k -j -o ./findings inject xss --active --yes <url>
pentest -k -j -o ./findings inject ssti --active --yes <url>
pentest -k -j -o ./findings inject ssrf --active --yes <url>
pentest -k -j -o ./findings inject cmdi --active --yes <url>
pentest -k -j -o ./findings inject lfi --active --yes <url>
pentest -k -j -o ./findings inject redirect --active --yes <url>

Read the JSON outputs from ./findings/ to gather all results.

Present confirmed vulnerabilities organized by severity:

For each finding: vulnerability type, affected endpoint, payload used, evidence of exploitation
Include remediation recommendations for each vulnerability class

Notes

This skill performs active testing that sends real payloads. User consent is mandatory.

The --active flag enables payload delivery. The --yes flag skips interactive prompts.

Use -k to skip SSL verification for targets with self-signed certs.

Use -j for machine-readable JSON output.

Use -o ./findings to persist results for later reporting.