shannon

Autonomous AI security pen testing. Executes real exploits against web applications to find SQL injection, XSS, SSRF, authentication flaws, and IDOR vulnerabilities. Reports only confirmed, reproducible findings — no false positives.

Best use case

shannon is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Autonomous AI security pen testing. Executes real exploits against web applications to find SQL injection, XSS, SSRF, authentication flaws, and IDOR vulnerabilities. Reports only confirmed, reproducible findings — no false positives.

Teams using shannon should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/shannon/SKILL.md --create-dirs "https://raw.githubusercontent.com/nvdigitalsolutions/mcp-ai-wpoos/main/includes/bundled-skills/shannon/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/shannon/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How shannon Compares

Feature / AgentshannonStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Autonomous AI security pen testing. Executes real exploits against web applications to find SQL injection, XSS, SSRF, authentication flaws, and IDOR vulnerabilities. Reports only confirmed, reproducible findings — no false positives.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Shannon — Autonomous AI Pentester

Shannon is a white-box security testing framework that analyses source code, maps attack surfaces, and executes real attacks. Use it against **development and staging** environments before deploying to production.

> **IMPORTANT — Authorization Gate**: Shannon executes real attacks. You **must** have explicit written authorisation to test the target system. Shannon confirms this before every run. Never target production systems or systems you do not own.

## Install

```bash
npx skills add unicodeveloper/shannon
```

**Prerequisites**: Docker (all attack tools run in containers) and an Anthropic API key.

## Usage

```bash
# Full pentest of a local app
/shannon http://localhost:3000 myapp

# Target specific vulnerability categories
/shannon --scope=xss,injection http://localhost:8080 frontend

# Named workspace (allows resuming if interrupted)
/shannon --workspace=audit-q1 http://staging.example.com backend-api

# Check status of a running pentest
/shannon status

# View the latest report
/shannon results
```

## What Shannon Tests

Shannon covers **50+ specific vulnerability types** across 5 OWASP categories:

### Injection
- SQL injection (union-based, blind, time-based)
- Command injection
- Server-Side Template Injection (SSTI)
- NoSQL injection

### Cross-Site Scripting (XSS)
- Reflected XSS
- Stored XSS
- DOM-based XSS
- XSS via file upload
- Mutation XSS

### SSRF
- Internal service access
- Cloud metadata endpoints (AWS IMDSv1/v2, GCP, Azure)
- DNS rebinding
- Protocol smuggling

### Broken Authentication
- Default / weak credentials
- JWT algorithm confusion (`none` algorithm, weak signing)
- Session fixation
- CSRF
- MFA bypass patterns

### Broken Authorisation
- Insecure Direct Object References (IDOR)
- Privilege escalation
- Path traversal
- Forced browsing
- Mass assignment

## 5-Phase Pipeline

Shannon runs these phases automatically, in parallel where safe:

| Phase | What happens |
|-------|-------------|
| **Pre-Recon** | Static source code analysis + external scans (Nmap, Subfinder, WhatWeb) |
| **Recon** | Live attack surface mapping via headless browser |
| **Vulnerability Analysis** | 5 parallel specialist agents (injection, XSS, SSRF, auth, authorisation) |
| **Exploitation** | Each agent spawns a dedicated exploit agent; real attacks executed |
| **Reporting** | Executive summary + reproducible PoC for every confirmed finding |

## Runtime and Cost

- Full pentest: ~1–1.5 hours
- Cost: ~$50 using Claude Sonnet (varies with app complexity)
- Benchmark: **96.15% exploit success rate** on the XBOW security benchmark (100/104 exploits)

## Scope Controls

```bash
# Limit to specific vulnerability categories
/shannon --scope=xss,injection http://localhost:3000 app

# Exclude sensitive paths
/shannon --avoid=/logout,/admin/delete http://localhost:3000 app

# Test only authenticated endpoints (provide session cookie)
/shannon --cookie="session=abc123" http://localhost:3000 app
```

## Safety Gates Built In

- **Authorisation confirmation** at every invocation — Shannon will not proceed without explicit confirmation
- **Production warning** — warns loudly if the target looks like a production URL
- **Docker isolation** — all attack tools run inside containers; nothing executes on your host
- **Scope controls** — use `--avoid` to protect specific paths (e.g., `/logout`, data-deletion endpoints)

## Reading the Report

Shannon's report includes only **confirmed exploits** — if it can't prove a vulnerability, it doesn't report it.

Each finding includes:
- Vulnerability type and OWASP category
- Severity (Critical / High / Medium / Low)
- Affected endpoint and parameter
- Reproducible proof-of-concept (PoC) steps
- Recommended remediation

## Tips

- Run Shannon against every staging deployment before merging to main
- Focus first on the API layer (`/api/*`) — most exploitable surface for web apps
- Use `--workspace` to name runs so you can compare results across deployments
- Fix Critical and High findings before shipping; schedule Medium/Low for the next sprint
- Re-run Shannon after fixing findings to confirm remediation is effective

Related Skills

webapp-testing

5
from nvdigitalsolutions/mcp-ai-wpoos

Toolkit for interacting with and testing local web applications using Playwright. Supports verifying frontend functionality, debugging UI behavior, capturing browser screenshots, and viewing browser logs.

web-artifacts-builder

5
from nvdigitalsolutions/mcp-ai-wpoos

Suite of tools for creating elaborate, multi-component claude.ai HTML artifacts using modern frontend web technologies (React, Tailwind CSS, shadcn/ui). Use for complex artifacts requiring state management, routing, or shadcn/ui components - not for simple single-file HTML/JSX artifacts.

valyu

5
from nvdigitalsolutions/mcp-ai-wpoos

Search the live web and 36+ specialised data sources including SEC filings, PubMed, ChEMBL, clinical trials, FRED economic indicators, and patent databases. Use when current, authoritative, or paywalled data is required.

ui-ux-pro-max

5
from nvdigitalsolutions/mcp-ai-wpoos

AI-powered design intelligence with 67 UI styles, 161 color palettes, 57 font pairings, 99 UX guidelines, and 25 chart types across 15+ tech stacks. Generates complete design systems for any product type with industry-specific reasoning rules.

theme-factory

5
from nvdigitalsolutions/mcp-ai-wpoos

Toolkit for styling artifacts with a theme. These artifacts can be slides, docs, reportings, HTML landing pages, etc. There are 10 pre-set themes with colors/fonts that you can apply to any artifact that has been creating, or can generate a new theme on-the-fly.

slack-gif-creator

5
from nvdigitalsolutions/mcp-ai-wpoos

Knowledge and utilities for creating animated GIFs optimized for Slack. Provides constraints, validation tools, and animation concepts. Use when users request animated GIFs for Slack like "make me a GIF of X doing Y for Slack."

skill-creator

5
from nvdigitalsolutions/mcp-ai-wpoos

Create new skills, modify and improve existing skills, and measure skill performance. Use when users want to create a skill from scratch, update or optimize an existing skill, run evals to test a skill, benchmark skill performance with variance analysis, or optimize a skill's description for better triggering accuracy.

remotion

5
from nvdigitalsolutions/mcp-ai-wpoos

Create programmatic videos using React and Remotion. Translate natural language descriptions into working Remotion components for product demos, release announcements, explainer videos, and animated content.

planetscale

5
from nvdigitalsolutions/mcp-ai-wpoos

Design schemas and write queries for PlanetScale serverless MySQL using branch-based workflows. Ensures index coverage, avoids foreign key anti-patterns, and treats every schema change as a reviewable, reversible deploy request.

mcp-builder

5
from nvdigitalsolutions/mcp-ai-wpoos

Guide for creating high-quality MCP (Model Context Protocol) servers that enable LLMs to interact with external services through well-designed tools. Use when building MCP servers to integrate external APIs or services, whether in Python (FastMCP) or Node/TypeScript (MCP SDK).

karpathy-coding-principles

5
from nvdigitalsolutions/mcp-ai-wpoos

Apply Karpathy-inspired coding behavior guidelines — think before coding, prefer simplicity, make surgical changes, and execute toward verifiable goals. Reduces wrong assumptions, overengineering, and unintended side-effects.

internal-comms

5
from nvdigitalsolutions/mcp-ai-wpoos

A set of resources to help me write all kinds of internal communications, using the formats that my company likes to use. Claude should use this skill whenever asked to write some sort of internal communications (status reports, leadership updates, 3P updates, company newsletters, FAQs, incident reports, project updates, etc.).