From runzero
Lists, filters, and analyzes services discovered by RunZero, including open ports, protocols, software versions, and vulnerability indicators.
How this skill is triggered — by the user, by Claude, or both
Slash command
/runzero:servicesWhen to use
When listing discovered services, filtering by port or protocol, identifying vulnerabilities, and auditing exposed services across sites. Use when: runzero service, discovered service, service inventory, open port, service protocol, service vulnerability, port scan, exposed service, or service audit.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
RunZero discovers services running on every asset -- open ports, protocols, software versions, and TLS configurations. Service data is critical for vulnerability assessment, compliance auditing, and attack surface management. This skill covers listing, filtering, and analyzing discovered services.
RunZero discovers services running on every asset -- open ports, protocols, software versions, and TLS configurations. Service data is critical for vulnerability assessment, compliance auditing, and attack surface management. This skill covers listing, filtering, and analyzing discovered services.
Each discovered service includes:
| Attribute | Description |
|---|---|
port | TCP/UDP port number |
protocol | Application protocol (HTTP, SSH, RDP, etc.) |
transport | Transport layer (TCP, UDP) |
summary | Service banner or description |
software | Detected software and version |
tls | TLS/SSL configuration details |
asset_id | The asset this service runs on |
first_seen | When the service was first discovered |
last_seen | When the service was last observed |
| Protocol | Default Port | Risk Considerations |
|---|---|---|
ssh | 22 | Check for weak ciphers, old versions |
rdp | 3389 | High-risk if exposed externally |
http | 80 | Check for unencrypted admin panels |
https | 443 | Verify TLS version and certificate |
smb | 445 | Ransomware vector if exposed |
snmp | 161 | Check for default community strings |
telnet | 23 | Unencrypted; should be disabled |
ftp | 21 | Unencrypted; check for anonymous access |
RunZero flags services with security concerns:
runzero_services_list
Parameters:
site_id -- Filter by sitesearch -- RunZero query stringcount -- Results per pageoffset -- Pagination offsetExample response:
{
"services": [
{
"id": "svc-uuid-123",
"asset_id": "asset-uuid-456",
"port": 3389,
"transport": "tcp",
"protocol": "rdp",
"summary": "Microsoft Terminal Services",
"software": "Windows RDP 10.0",
"first_seen": "2026-01-15T10:00:00Z",
"last_seen": "2026-03-27T08:30:00Z"
}
]
}
runzero_services_get
Parameters:
service_id -- The specific service UUIDrunzero_services_export
Parameters:
search -- RunZero query to filter servicessite_id -- Filter by siteUse for bulk service data retrieval.
protocol:rdp AND alive:true
port:445 AND NOT address:10.0.0.0/8
protocol:ssh AND software:OpenSSH AND software:<8
protocol:telnet
port:443 AND tls.version:TLSv1.0
protocol:rdp OR protocol:telnet OR protocol:ftpprotocol:httpsprotocol:rdp OR protocol:smbCause: Invalid service UUID or service no longer detected Solution: Search by port/protocol on the asset instead
Cause: Broad queries returning thousands of services Solution: Add site or protocol filters; use the Export API
npx claudepluginhub wyre-technology/msp-claude-plugins --plugin runzeroMaps internet-facing assets ranked by risk, exposed ports/services, and attacker's-eye view of the environment.
Searches and browses RunZero asset inventory, inspects OS fingerprinting, hardware details, network interfaces, and asset attributes.
Provides methodologies for Shodan-based reconnaissance during penetration testing: search filters, CLI, API, host scanning, and vulnerability discovery.