shannon-ai-pentester
Autonomous white-box AI pentester for web applications and APIs using source code analysis and live exploit execution
Best use case
shannon-ai-pentester is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Autonomous white-box AI pentester for web applications and APIs using source code analysis and live exploit execution
Teams using shannon-ai-pentester should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/shannon-ai-pentester/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How shannon-ai-pentester Compares
| Feature / Agent | shannon-ai-pentester | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Autonomous white-box AI pentester for web applications and APIs using source code analysis and live exploit execution
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for ChatGPT
Find the best AI skills to adapt into ChatGPT workflows for research, writing, summarization, planning, and repeatable assistant tasks.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
SKILL.md Source
# Shannon AI Pentester
> Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection.
Shannon is an autonomous, white-box AI pentester for web applications and APIs. It reads your source code to identify attack vectors, then executes real exploits (SQLi, XSS, SSRF, auth bypass, authorization flaws) against a live running application — only reporting vulnerabilities with a working proof-of-concept.
## How It Works
1. **Reconnaissance** — Nmap, Subfinder, WhatWeb, and Schemathesis scan the target
2. **Code Analysis** — Shannon reads your repository to map attack surfaces
3. **Parallel Exploitation** — Concurrent agents attempt live exploits across all vulnerability categories
4. **Report Generation** — Only confirmed, reproducible findings with copy-paste PoCs are included
## Installation & Prerequisites
- Docker (required — Shannon runs entirely in containers)
- An Anthropic API key, Claude Code OAuth token, AWS Bedrock credentials, or Google Vertex AI credentials
```bash
git clone https://github.com/KeygraphHQ/shannon.git
cd shannon
```
## Quick Start
```bash
# Option A: Export credentials
export ANTHROPIC_API_KEY="sk-ant-..."
export CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000
# Option B: .env file
cat > .env << 'EOF'
ANTHROPIC_API_KEY=sk-ant-...
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000
EOF
# Run a pentest
./shannon start URL=https://your-app.example.com REPO=/path/to/your/repo
```
Shannon builds containers, starts the workflow in the background, and returns a workflow ID.
## Key CLI Commands
```bash
# Start a pentest
./shannon start URL=https://target.example.com REPO=/path/to/repo
# Start with explicit workspace name (for resuming)
./shannon start URL=https://target.example.com REPO=/path/to/repo WORKSPACE=my-audit-2024
# Monitor live progress (tail logs)
./shannon logs <workflow-id>
# Check status of a running pentest
./shannon status <workflow-id>
# Resume an interrupted pentest
./shannon resume WORKSPACE=my-audit-2024
# Stop a running pentest
./shannon stop <workflow-id>
# View the final report
./shannon report <workflow-id>
```
## Configuration
### Environment Variables
```bash
# Required (choose one auth method)
ANTHROPIC_API_KEY=sk-ant-... # Anthropic direct
CLAUDE_CODE_OAUTH_TOKEN=... # Claude Code OAuth
# Recommended
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000 # Increase output window for large reports
# AWS Bedrock (alternative to Anthropic direct)
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
AWS_DEFAULT_REGION=us-east-1
SHANNON_AI_PROVIDER=bedrock
SHANNON_BEDROCK_MODEL=anthropic.claude-3-7-sonnet-20250219-v1:0
# Google Vertex AI (alternative to Anthropic direct)
GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
SHANNON_AI_PROVIDER=vertex
SHANNON_VERTEX_PROJECT=your-gcp-project
SHANNON_VERTEX_REGION=us-east5
```
### .env File Example
```bash
# .env (place in the shannon project root)
ANTHROPIC_API_KEY=sk-ant-...
CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000
# Optional: target credentials for authenticated testing
TARGET_USERNAME=admin@example.com
TARGET_PASSWORD=supersecret
TARGET_TOTP_SECRET=BASE32TOTPSECRET # Shannon handles 2FA automatically
```
## Usage Examples
### Basic Web App Pentest
```bash
# Point Shannon at a running local app with its source code
./shannon start \
URL=http://localhost:3000 \
REPO=$(pwd)/../my-express-app
```
### Testing Against OWASP Juice Shop (Demo)
```bash
# Pull and run Juice Shop
docker run -d -p 3000:3000 bkimminich/juice-shop
# Run Shannon against it
./shannon start \
URL=http://localhost:3000 \
REPO=/path/to/juice-shop
```
### Authenticated Testing with 2FA
```bash
export TARGET_USERNAME="admin@yourapp.com"
export TARGET_PASSWORD="$ADMIN_PASSWORD"
export TARGET_TOTP_SECRET="$TOTP_BASE32_SECRET"
./shannon start URL=https://staging.yourapp.com REPO=/path/to/repo
```
### AWS Bedrock Provider
```bash
export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"
export AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY"
export AWS_DEFAULT_REGION=us-east-1
export SHANNON_AI_PROVIDER=bedrock
export SHANNON_BEDROCK_MODEL=anthropic.claude-3-7-sonnet-20250219-v1:0
./shannon start URL=https://target.example.com REPO=/path/to/repo
```
### Google Vertex AI Provider
```bash
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json
export SHANNON_AI_PROVIDER=vertex
export SHANNON_VERTEX_PROJECT=my-gcp-project
export SHANNON_VERTEX_REGION=us-east5
./shannon start URL=https://target.example.com REPO=/path/to/repo
```
## Workspace and Resume Pattern
Workspaces allow you to pause and resume long-running pentests:
```bash
# Start with a named workspace
./shannon start \
URL=https://target.example.com \
REPO=/path/to/repo \
WORKSPACE=sprint-42-audit
# Later, resume from where it stopped
./shannon resume WORKSPACE=sprint-42-audit
# Workspaces persist results so you can re-run reports
./shannon report WORKSPACE=sprint-42-audit
```
## Output and Reports
Reports are written to the workspace directory (default: `./workspaces/<workflow-id>/`):
```
workspaces/
└── my-audit-2024/
├── report.md # Final pentest report with PoC exploits
├── findings.json # Machine-readable findings
└── logs/ # Per-agent execution logs
```
The report includes:
- Vulnerability title and CVSS-style severity
- Affected endpoint and parameter
- Root cause with source code reference
- Step-by-step reproduction instructions
- Copy-paste curl/HTTP PoC
## Vulnerability Coverage
Shannon currently tests for:
| Category | Examples |
|---|---|
| **Injection** | SQL injection, command injection, LDAP injection |
| **XSS** | Reflected, stored, DOM-based |
| **SSRF** | Internal network access, cloud metadata endpoints |
| **Broken Authentication** | Weak tokens, session fixation, auth bypass |
| **Broken Authorization** | IDOR, privilege escalation, missing access controls |
## CI/CD Integration Pattern
```yaml
# .github/workflows/pentest.yml
name: Shannon Pentest
on:
push:
branches: [staging]
jobs:
pentest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
path: app
- name: Clone Shannon
run: git clone https://github.com/KeygraphHQ/shannon.git
- name: Start Application
run: |
cd app
docker compose up -d
# Wait for app to be healthy
sleep 30
- name: Run Shannon
working-directory: shannon
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
CLAUDE_CODE_MAX_OUTPUT_TOKENS: 64000
run: |
./shannon start \
URL=http://localhost:3000 \
REPO=${{ github.workspace }}/app \
WORKSPACE=ci-${{ github.sha }}
# Wait for completion and get report
./shannon wait ci-${{ github.sha }}
./shannon report ci-${{ github.sha }} > pentest-report.md
- name: Upload Report
uses: actions/upload-artifact@v4
with:
name: pentest-report
path: shannon/pentest-report.md
```
## Troubleshooting
### Docker not found or permission denied
```bash
# Ensure Docker daemon is running
docker info
# Add your user to the docker group (Linux)
sudo usermod -aG docker $USER
newgrp docker
```
### Shannon containers fail to build
```bash
# Force a clean rebuild
docker compose -f shannon/docker-compose.yml build --no-cache
```
### Pentest stalls / no progress
```bash
# Check live logs for the blocking agent
./shannon logs <workflow-id>
# Common causes:
# - Target app is not reachable from inside the Shannon container
# - ANTHROPIC_API_KEY is missing or rate-limited
# - CLAUDE_CODE_MAX_OUTPUT_TOKENS not set (model hits default limit)
```
### Target app not reachable from Shannon containers
```bash
# Use host.docker.internal instead of localhost
./shannon start \
URL=http://host.docker.internal:3000 \
REPO=/path/to/repo
# Or put both on the same Docker network
docker network create pentest-net
docker run --network pentest-net ... # your app
# Then set SHANNON_DOCKER_NETWORK=pentest-net in .env
```
### Rate limit errors from Anthropic
```bash
# Use AWS Bedrock or Vertex AI to avoid shared rate limits
export SHANNON_AI_PROVIDER=bedrock
export AWS_DEFAULT_REGION=us-east-1
```
### Resume after crash
```bash
# Always use WORKSPACE= when starting to enable resumability
./shannon start URL=... REPO=... WORKSPACE=named-session
# Resume
./shannon resume WORKSPACE=named-session
```
## Important Disclaimers
- **Only test applications you own or have explicit written permission to test.**
- Shannon Lite is AGPL-3.0 licensed — any modifications must be open-sourced under the same license.
- Shannon is a **white-box tool**: it expects access to your application's source code.
- It is not a black-box scanner. Running it against third-party targets without authorization is illegal.
## Key Links
- **GitHub**: https://github.com/KeygraphHQ/shannon
- **Keygraph Platform (Pro)**: https://keygraph.io
- **Sample Report (Juice Shop)**: `sample-reports/shannon-report-juice-shop.md` in the repo
- **Shannon Pro Architecture**: `SHANNON-PRO.md` in the repo
- **Announcements**: https://github.com/KeygraphHQ/shannon/discussions/categories/announcements
- **Discord**: https://discord.gg/9ZqQPuhJB7Related Skills
---
name: article-factory-wechat
humanizer
Remove signs of AI-generated writing from text. Use when editing or reviewing text to make it sound more natural and human-written. Based on Wikipedia's comprehensive "Signs of AI writing" guide. Detects and fixes patterns including: inflated symbolism, promotional language, superficial -ing analyses, vague attributions, em dash overuse, rule of three, AI vocabulary words, negative parallelisms, and excessive conjunctive phrases.
find-skills
Helps users discover and install agent skills when they ask questions like "how do I do X", "find a skill for X", "is there a skill that can...", or express interest in extending capabilities. This skill should be used when the user is looking for functionality that might exist as an installable skill.
tavily-search
Use Tavily API for real-time web search and content extraction. Use when: user needs real-time web search results, research, or current information from the web. Requires Tavily API key.
baidu-search
Search the web using Baidu AI Search Engine (BDSE). Use for live information, documentation, or research topics.
agent-autonomy-kit
Stop waiting for prompts. Keep working.
Meeting Prep
Never walk into a meeting unprepared again. Your agent researches all attendees before calendar events—pulling LinkedIn profiles, recent company news, mutual connections, and conversation starters. Generates a briefing doc with talking points, icebreakers, and context so you show up informed and confident. Triggered automatically before meetings or on-demand. Configure research depth, advance timing, and output format. Walking into meetings blind is amateur hour—missed connections, generic small talk, zero leverage. Use when setting up meeting intelligence, researching specific attendees, generating pre-meeting briefs, or automating your prep workflow.
self-improvement
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.
botlearn-healthcheck
botlearn-healthcheck — BotLearn autonomous health inspector for OpenClaw instances across 5 domains (hardware, config, security, skills, autonomy); triggers on system check, health report, diagnostics, or scheduled heartbeat inspection.
linkedin-cli
A bird-like LinkedIn CLI for searching profiles, checking messages, and summarizing your feed using session cookies.
notebooklm
Google NotebookLM 非官方 Python API 的 OpenClaw Skill。支持内容生成(播客、视频、幻灯片、测验、思维导图等)、文档管理和研究自动化。当用户需要使用 NotebookLM 生成音频概述、视频、学习材料或管理知识库时触发。
小红书长图文发布 Skill
## 概述