Penetration Testing Skill
Security testing toolkit with three specialized scanners for web applications, dependency chains, and source code.
Overview
This skill provides three real, working security scanners:
-
security_scanner.py -- HTTP security header analysis, SSL/TLS certificate checks, exposed endpoint probing, dangerous HTTP method detection, and CORS misconfiguration testing. Targets live URLs.
-
dependency_auditor.py -- Unified vulnerability scanner for project dependencies. Wraps
npm auditandpip-auditwith normalized severity output. Targets project directories. -
code_security_scanner.py -- Static analysis combining
bandit(Python) with custom regex patterns for hardcoded secrets, SQL injection, command injection, eval/exec usage, and insecure deserialization. Targets codebases.
Prerequisites
- Python 3.9+
requestslibrary (for security_scanner.py)- Optional:
bandit(for code scanning),pip-audit(for dependency auditing) - Optional:
npm(for JavaScript dependency auditing)
Run the setup script to install all dependencies:
bash ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/setup_pentest_env.sh
Or with a virtual environment (recommended):
bash ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/setup_pentest_env.sh --venv
Instructions
Step 1. Confirm Authorization
Before running any scan, verify the user has authorization to test the target. Ask explicitly:
"Do you have authorization to perform security testing on this target? I need confirmation before proceeding."
If testing a URL, confirm the user owns or has written permission to test it. If testing local code/dependencies, confirm it's the user's own project.
Never scan targets without explicit authorization.
Step 2. Define Scope
Determine what to scan based on the user's request:
| User says | Scanner to use | Target | |-----------|---------------|--------| | "check headers" / "scan URL" | security_scanner.py | URL | | "audit dependencies" / "check packages" | dependency_auditor.py | Directory | | "find secrets" / "code audit" | code_security_scanner.py | Directory | | "full security scan" | All three | URL + Directory | | "check SSL" / "certificate" | security_scanner.py --checks ssl | URL | | "CORS check" | security_scanner.py --checks cors | URL |
Step 3. Run Scans
Execute the appropriate scanner(s):
Web application scan:
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/security_scanner.py TARGET_URL
With specific checks:
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/security_scanner.py TARGET_URL --checks headers,ssl,endpoints,methods,cors
Dependency audit:
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/dependency_auditor.py /path/to/project
With severity filter:
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/dependency_auditor.py /path/to/project --min-severity high
Code security scan:
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/code_security_scanner.py /path/to/code
With specific tools:
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/code_security_scanner.py /path/to/code --tools bandit,regex --severity high
Step 4. Analyze Results
Review the scanner output. Each finding includes:
- Severity -- critical, high, medium, low, or info
- Title -- what was found
- Detail -- technical explanation
- Remediation -- how to fix it
Prioritize findings by severity: critical and high findings first.
Step 5. Report Findings
Present results to the user in a clear format: 5. Start with a summary (total findings by severity) 6. Group findings by severity 7. For each finding, explain the risk and provide the remediation steps 8. Reference the appropriate playbook entry from references/
Step 6. Suggest Remediations
For each finding, provide: 9. The specific code change or configuration needed 10. Reference to REMEDIATION_PLAYBOOK.md for copy-paste templates 11. Verification steps to confirm the fix works
Scanner Reference
security_scanner.py
Usage: python3 security_scanner.py URL [OPTIONS]
Options:
--checks CHECKS Comma-separated: headers,ssl,endpoints,methods,cors (default: all)
--output FILE Write JSON report to file
--timeout SECS Request timeout in seconds (default: 10)
--verbose Show detailed progress
--help Show help
Checks performed:
- Security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- SSL/TLS: certificate validity, expiry, protocol version
- Exposed endpoints: .git, .env, admin panels, server-status, directory listing
- HTTP methods: dangerous methods (PUT, DELETE, TRACE)
- CORS: wildcard origins, reflected origins, credentials misconfiguration
dependency_auditor.py
set -euo pipefail
Usage: python3 dependency_auditor.py DIRECTORY [OPTIONS]
Options:
--scanners SCANNERS Comma-separated: npm,pip (default: auto-detect)
--min-severity LEVEL Minimum severity: critical,high,moderate,low (default: low)
--output FILE Write JSON report to file
--verbose Show detailed progress
--help Show help
Auto-detects project type from package.json, requirements.txt, pyproject.toml, etc.
code_security_scanner.py
Usage: python3 code_security_scanner.py DIRECTORY [OPTIONS]
Options:
--tools TOOLS Comma-separated: bandit,regex (default: all available)
--output FILE Write JSON report to file
--severity LEVEL Minimum severity: critical,high,medium,low (default: low)
--exclude PATTERNS Comma-separated glob patterns to exclude
--verbose Show detailed progress
--help Show help
Detects: hardcoded secrets, SQL injection, command injection, eval/exec, insecure deserialization, weak cryptography, disabled SSL verification.
Examples
Quick header check
User: "Check the security headers on https://example.com"
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/security_scanner.py https://example.com --checks headers
Full project security audit
User: "Run a full security audit on my project"
# 1. Scan dependencies
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/dependency_auditor.py .
# 2. Scan code for security issues
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/code_security_scanner.py .
# 3. If the project has a deployed URL, scan it too
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/security_scanner.py https://the-deployed-url.com
Code-only audit for secrets
User: "Check this codebase for hardcoded secrets"
python3 ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/code_security_scanner.py . --tools regex --severity high
Output
All scanners produce structured security reports:
- Console report: Markdown-formatted findings with severity, description, and remediation
- JSON report: Machine-readable output via
--outputflag for CI integration - Exit codes: 0 = no critical/high findings, 1 = critical/high findings found
- Risk score: security_scanner.py provides a 0-100 score (100 = most secure)
- Severity levels: critical, high, medium, low, info for each finding
- Remediation guidance: Specific fix instructions for each finding
Error Handling
Missing dependencies: If a scanner fails because a tool isn't installed, run the setup script:
bash ${CLAUDE_PLUGIN_ROOT}/skills/performing-penetration-testing/scripts/setup_pentest_env.sh
Connection errors: If security_scanner.py can't reach the target URL:
- Verify the URL is correct and accessible
- Check if the site requires VPN or special network access
- Try with
--timeout 30for slow servers
Permission errors: If code_security_scanner.py can't read files:
- Check file permissions in the target directory
- Exclude protected directories with
--exclude
Resources
For detailed reference material, see:
references/OWASP_TOP_10.md-- OWASP Top 10 risks with scanner mappingreferences/SECURITY_HEADERS.md-- HTTP security header implementation guidereferences/REMEDIATION_PLAYBOOK.md-- Copy-paste fix templates