Agent-Skills.md

Agent Skills: pentest

Penetration testing orchestrator that coordinates specialized attack agents. Provides attack indexes, methodology frameworks, and documentation. Execution delegated to specialized agents (SQL Injection, XSS, SSRF, etc.). Use for engagement planning and attack coordination.

UncategorizedID: transilienceai/communitytools/pentest

Repository

transilienceai/communitytools
transilienceaiLicense: MIT
488

Install this agent skill to your local

pnpm dlx add-skill https://github.com/transilienceai/communitytools/tree/HEAD/projects/pentest/.claude/skills/pentest

Skill Files

Browse the full folder contents for pentest.

Download Skill

Loading file tree…

projects/pentest/.claude/skills/pentest/SKILL.md

Skill Metadata

Name
pentest
Description
Penetration testing orchestrator that coordinates specialized attack agents. Provides attack indexes, methodology frameworks, and documentation. Execution delegated to specialized agents (SQL Injection, XSS, SSRF, etc.). Use for engagement planning and attack coordination.

Coordinate penetration testing. Deploy executors, aggregate results, generate reports. Use it when user requests pentesting, security assessment, vulnerability testing, bug bounty hunting.

Workflow

Phase 1: Initialization

  1. Gather scope: Target URL, restrictions, testing window
  2. Create engagement folder: outputs/{engagement-name}/

Phase 2: Reconnaissance (Read reference/RECONNAISSANCE_OUTPUT.md to get outputs format)

  1. Select reconnaissance tools based on asset type (domains, web apps, APIs, network, cloud)
  2. Run tools in parallel using pentest-executor agents
  3. Generate asset-specific inventory files (JSON format per asset type) using the defined output format
  4. Generate the final reconnaissance_report.md file using the defined output format

Phase 3: Planning & Approval (MANDATORY)

  1. Analyze reconnaissance findings from the outputs/{engagement}/reconnaissance/ and the reports.md files
  2. Create test plan: Executors to deploy, attack surface justification, testing approach
  3. Present plan to user via AskUserQuestion
  4. Get explicit approval if not already approved in the first phase: "Approve plan?", "Modify executors?", "Cancel?"
  5. CRITICAL: Do NOT proceed to Phase 4 without user approval

Phase 4: Vulnerability Testing

  1. Deploy approved executors in parallel (single Task call with run_in_background=True)
  2. Monitor progress: Periodic TaskOutput(block=False)
  3. Recursive spawning: New discoveries trigger new executors (ask approval if major change)

Phase 5: Aggregation

  1. Collect findings from all executors
  2. Deduplicate (same vuln + location = duplicate)
  3. Identify exploit chains
  4. Calculate severity metrics

Phase 6: Reporting (Read reference/FINAL_REPORT.md - includes DOCX conversion)

  1. CRITICAL: Create folder structure FIRST: report/ and processed/ with subdirectories
  2. Move ALL working files to processed/: reconnaissance/, findings/, activity/ → processed/
  3. Move ALL intermediate files: ANY .md files, drafts, analysis → processed/intermediate-reports/
  4. Generate markdown report: Use reference/FINAL_REPORT.md template → processed/intermediate-reports/pentest-final-report.md
  5. REQUIRED: Generate .docx: Run pandoc command → report/Penetration-Test-Report.docx (cover page, TOC, body, appendix section)
  6. Optional: Generate PDF: If LaTeX available → report/Penetration-Test-Report.pdf, else skip (DOCX is primary deliverable)
  7. Copy referenced evidence: Organize by finding → report/appendix/finding-{id}/
  8. Create report README: Document deliverables in report/README.md
  9. VERIFY CLEAN STRUCTURE: ls -la outputs/{engagement}/ shows ONLY report/ and processed/
  10. CRITICAL: NO intermediate files in root or report/ - Everything goes to processed/ except final deliverables (.docx, .json, README, appendix/)

What This Skill Does

  1. Attack Index - References 50+ attack types with documentation paths
  2. Methodology Frameworks - PTES, OWASP WSTG, MITRE ATT&CK, Flaw Hypothesis
  3. Coordination - Guides pentester agent to deploy specialized attack agents
  4. Documentation - PortSwigger labs, cheat sheets, quickstarts per attack

Execution: Delegated to specialized agents (SQL Injection Agent, XSS Agent, SSRF Agent, etc.)

Attack Categories

9 categories, 50+ attack types:

  • Injection (6) | Client-Side (6) | Server-Side (6)
  • Authentication (4) | API Security (4) | Web Applications (6)
  • Cloud & Containers (5) | System (3) | IP Infrastructure (8) | Physical & Social (1)

See reference/ATTACK_INDEX.md for complete list with agent mappings.

Reconnaissance Asset Types

Five asset-specific output formats:

  • Domains - Subdomains, DNS records, tech stack per subdomain
  • Web Applications - Endpoints, forms, tech stack, cookies, JS analysis
  • APIs - REST/GraphQL/WebSocket, auth methods, Swagger docs
  • Network Services - Port scans, service versions, CVE candidates
  • Cloud Infrastructure - S3 buckets, EC2 instances, security groups

See reference/RECONNAISSANCE_OUTPUT.md for complete format specifications and JSON schemas.

Final report

See reference/FINAL_REPORT.md for complete format specifications of the final report.

Output Structure

Complete folder organization (See reference/OUTPUT_STRUCTURE.md for details):

outputs/{engagement-name}/
├── report/                         # Complete deliverable package (3 files + appendix)
│   ├── Penetration-Test-Report.docx     # Main report (includes Referenced Files section)
│   ├── Penetration-Test-Report.pdf      # Optional PDF export
│   ├── pentest-report.json              # Machine-readable export
│   └── appendix/                        # Referenced evidence only
│       ├── finding-001/
│       ├── finding-002/
│       └── reconnaissance-summary.json
└── processed/                      # All working/testing artifacts
    ├── reconnaissance/             # Phase 2 outputs
    │   ├── inventory/
    │   ├── analysis/
    │   └── reconnaissance_report.md
    ├── findings/                   # Phase 4 raw findings
    │   └── {finding-id}/
    ├── activity/                   # NDJSON logs
    │   └── {executor-name}.log
    ├── helpers/                    # Testing utilities
    ├── test-frameworks/            # Testing scripts
    └── intermediate-reports/       # Drafts, markdown source, etc.

Critical: report/ = 3 files max + appendix/ subfolder. ALL intermediate files go to processed/.

Methodologies

PTES - 7-phase engagement lifecycle OWASP WSTG - 11 testing categories MITRE ATT&CK - TTP mapping across 14 phases Flaw Hypothesis - Stack analysis → Predict → Test → Generalize → Correlate

Integration

  • /authenticating - Authentication testing workflows
  • /ai-threat-testing - LLM vulnerability testing
  • /domain-assessment - Domain reconnaissance
  • /web-application-mapping - Web app reconnaissance
  • /cve-testing - CVE vulnerability testing

Critical Rules

Testing Rules

  • Orchestration only - Never execute attacks directly
  • Delegate execution - Deploy specialized agents for testing
  • Documentation index - Reference attack folders for techniques
  • Working PoCs required - Specialized agents must provide evidence
  • Activity logging - All agents log actions to NDJSON activity logs

Output Organization Rules (PHASE 6 - CRITICAL)

  • Two-folder structure ONLY: report/ (final deliverables) and processed/ (working files)
  • NO files in engagement root: Everything must be in report/ or processed/
  • Report folder contents: ONLY pentest-report.json, README.md, appendix/ folder (max 2-3 files + 1 folder)
  • ALL intermediate files → processed/: .md files, drafts, analysis, summaries, checklists
  • Reconnaissance → processed/reconnaissance/: ALL recon outputs
  • Findings → processed/findings/: ALL raw finding details
  • Activity logs → processed/activity/: ALL NDJSON logs
  • Test frameworks → processed/test-frameworks/: SQL injection, command injection scripts
  • Markdown reports → processed/intermediate-reports/: pentest-final-report.md, executive-summary.md, etc.
  • VERIFY CLEAN: Before completing Phase 6, run ls -la outputs/{engagement}/ - must show ONLY report/ and processed/