Pentest Skill is a Python-based framework for black-box web penetration testing, structured as a series of automated phases invoked through one standardized CLI. Hosted on GitHub at wudidike/pentest_skill, it has garnered 11 stars and targets Python 3.8+. The project exists so that AI agents (Claude Code, Codex, Cursor, WorkBuddy and similar) can execute a full pentest workflow from reconnaissance to report generation without custom integrations. Each phase runs as a standalone script, so phases can be invoked individually while the output layout stays consistent across directories.

This setup addresses the gap in pentesting tools optimized for AI orchestration. Traditional tools like Nuclei or Subfinder require manual chaining, whereas Pentest Skill bundles them into a linear pipeline (phases 0 through 8) with built-in fallbacks for missing dependencies. A prominent legal disclaimer in the README stresses use only for authorized security testing: explicit written permission from system owners is mandatory, as unauthorized testing violates laws in most jurisdictions. The author disclaims liability for misuse.

Core features

The framework divides pentesting into eight phases, each with dedicated scripts in the scripts/ directory. These handle everything from initial fingerprinting to final reporting, using tools like Playwright, Nuclei, and SQLMap where available.

Phase  Module                      Description
0      Fingerprinting              Detects tech stack, WAF, security headers, and cookie security.
1      Subdomain enumeration       Uses Subfinder, crt.sh, DNS brute-forcing, plus alive checks.
2      DNS resolution              Identifies CNAME chains, IP ownership, and cloud providers.
3      Port scanning               Finds open ports, identifies services, grabs banners.
4      Deep rendering              Employs Playwright for JS rendering, API discovery, form extraction.
4B     Session capture             Detects logins, captures cookies/JWT, supports multi-role sessions.
5      Directory enumeration       Discovers paths, clusters responses, filters SPAs.
6      JS analysis                 Performs 14 types of analysis, endpoint validation, key detection.
7      Vulnerability scanning      Nuclei scans with Python fallbacks.
7A     Auto-verification           Excludes false positives via baselines and confirmation.
7B     Auth vulnerabilities        Checks IDOR, unauthorized access, privilege escalation, JWT issues.
7F     Framework vulnerabilities   Targets Spring, Django, ThinkPHP, and similar.
7M     Parameter fuzzing           Tests XSS, SQLi, SSTI, SSRF injections.
7D     SQLi validation             Automates SQLMap for injection confirmation.
7E     Evidence collection         Gathers Burp-style packets and HTML proofs.
8      Report generation           Produces HTML/Markdown pentest reports.

Scripts share infrastructure from files like core.py, http_client.py, finding_manager.py, tool_manager.py, and evidence.py. The project includes wordlists/ for dictionaries, templates/ for reports, and config.yaml for settings like tool paths, proxies, and timeouts. A key strength is graceful tool degradation: if Go binaries like Nuclei or FFUF are absent, Python equivalents take over, e.g. requests-based scanning or socket-based port scans. The trade-off is coverage: a Python fallback is usually narrower than the native tool (no Nuclei template corpus, no service fingerprinting), so the backend actually used should be recorded alongside the findings.
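The degradation pattern described above, as an added example written for this article (it is not the project's tool_manager.py, and the Tool/ToolRegistry names, the demo tool names and the coverage_note field are assumptions): each tool is registered with the binary it prefers and an optional Python fallback, resolve() picks the native binary when it is on PATH, and status() reports which backend will actually run so the report can state it.

```python
# Added example, not code from the pentest_skill project. Tool names used in
# build_demo_registry() are constructed for illustration.
import shutil
import socket
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Tool:
    name: str
    binary: str                          # executable name, or absolute path, looked up with shutil.which
    fallback: Optional[Callable] = None  # Python implementation used when the binary is absent
    coverage_note: str = ""              # what the fallback does NOT cover; belongs in the report


@dataclass
class ToolRegistry:
    tools: Dict[str, Tool] = field(default_factory=dict)

    def register(self, tool: Tool) -> None:
        self.tools[tool.name] = tool

    def resolve(self, name: str) -> Tuple[str, object]:
        """Return ("native", path) when the binary exists, else ("python-fallback", callable).

        A tool with neither raises, so a missing scanner never silently becomes a no-op.
        """
        tool = self.tools[name]
        path = shutil.which(tool.binary)
        if path:
            return "native", path
        if tool.fallback is not None:
            return "python-fallback", tool.fallback
        raise RuntimeError(f"{name}: {tool.binary!r} not found and no Python fallback registered")

    def status(self) -> Dict[str, str]:
        """One entry per tool naming the backend that will run (like 'tool_manager.py status')."""
        out = {}
        for name in self.tools:
            try:
                out[name] = self.resolve(name)[0]
            except RuntimeError:
                out[name] = "unavailable"
        return out


def python_port_check(host: str, ports, timeout: float = 0.5) -> Dict[str, object]:
    """Socket-based fallback for a native port scanner: TCP connect only, no banner or version data."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return {"host": host, "open": open_ports, "backend": "python-fallback"}


def build_demo_registry() -> ToolRegistry:
    """Constructed registry: one present binary, one degraded tool, one unavailable tool."""
    reg = ToolRegistry()
    # The running interpreter is always present, so it stands in for an installed Go binary.
    reg.register(Tool("interpreter-demo", sys.executable))
    # A deliberately bogus binary name forces the Python fallback path.
    reg.register(Tool("portscan-demo", "no-such-port-scanner-xyz", python_port_check,
                      coverage_note="TCP connect only; no service or version detection"))
    # Missing binary with no fallback: status() says so instead of pretending it ran.
    reg.register(Tool("nofallback-demo", "no-such-binary-abc"))
    return reg


if __name__ == "__main__":
    for tool_name, backend in build_demo_registry().status().items():
        print(f"{tool_name:20s} {backend}")
```

Recording status() output next to the findings is what makes a degraded run reviewable: a clean phase 7 result from the Python fallback means something different from a clean Nuclei run.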

Getting it running

Start by cloning the repository:

git clone https://github.com/wudidike/pentest_skill.git
cd pentest_skill  # the clone creates pentest_skill, matching the repository name

Install core dependencies:

pip install requests beautifulsoup4 pyyaml dnspython
pip install playwright && python -m playwright install  # Required for phase 4

Run setup.sh for one-click setup if on supported platforms (Windows, Linux, macOS). Check tool status:

python scripts/tool_manager.py status

Invoke phases individually or in loops. For a single URL (starting from phase 0, skipping subdomain steps):

for phase in phase0 phase4 phase4b phase5 phase6 phase7 phase7a phase7b phase7m phase7d phase7e phase8; do
  python scripts/${phase}_*.py --target https://example.com --output-dir ./output --verbose
done

For a domain (full recon from subdomains):

for phase in phase0 phase1 phase2 phase3 phase4 phase4b phase5 phase6 phase7 phase7a phase7b phase7f phase7m phase7d phase7e phase8; do
  python scripts/${phase}_*.py --target example.com --output-dir ./output --verbose
done

All scripts use a uniform CLI:

python scripts/phase_X.py --target URL --output-dir DIR [OPTIONS]

Options include --proxy http://127.0.0.1:8080, --timeout 15, and --verbose. Outputs land in ./recon-output by default, with evidence in Burp-like formats and final HTML/Markdown reports from phase 8.
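The shell loops above resolve each script by the phaseN_*.py glob and keep going even when a phase fails. Below is an added Python driver for the same uniform CLI, written for this article and not taken from the project: it refuses zero or ambiguous glob matches, builds the --target/--output-dir/--proxy/--timeout/--verbose arguments shown above, and stops at the first non-zero exit so later phases do not run on missing input. The stub scripts created by demo_run() are constructed for the self-check and are not the project's phase scripts.

```python
# Added example, not code from the pentest_skill project. Phase lists mirror the
# two shell loops in the README; stub scripts in demo_run() are constructed.
import glob
import os
import subprocess
import sys
import tempfile
from typing import List, Optional, Tuple

URL_PHASES = ["phase0", "phase4", "phase4b", "phase5", "phase6", "phase7", "phase7a",
              "phase7b", "phase7m", "phase7d", "phase7e", "phase8"]
DOMAIN_PHASES = ["phase0", "phase1", "phase2", "phase3", "phase4", "phase4b", "phase5",
                 "phase6", "phase7", "phase7a", "phase7b", "phase7f", "phase7m", "phase7d",
                 "phase7e", "phase8"]


def resolve_phase_script(scripts_dir: str, phase: str) -> str:
    """Map 'phase7a' to the single scripts/phase7a_*.py; refuse zero or ambiguous matches."""
    matches = sorted(glob.glob(os.path.join(scripts_dir, f"{phase}_*.py")))
    if len(matches) != 1:
        raise FileNotFoundError(f"{phase}: expected exactly one script, found {matches}")
    return matches[0]


def build_command(script: str, target: str, output_dir: str, proxy: Optional[str] = None,
                  timeout: Optional[int] = None, verbose: bool = False) -> List[str]:
    """Assemble the uniform CLI: python scripts/phase_X.py --target URL --output-dir DIR [OPTIONS]."""
    cmd = [sys.executable, script, "--target", target, "--output-dir", output_dir]
    if proxy:
        cmd += ["--proxy", proxy]
    if timeout is not None:
        cmd += ["--timeout", str(timeout)]
    if verbose:
        cmd.append("--verbose")
    return cmd


def run_pipeline(scripts_dir: str, phases: List[str], target: str, output_dir: str,
                 stop_on_failure: bool = True, **opts) -> List[Tuple[str, int]]:
    """Run phases in order, recording each exit code; stop at the first failure by default.

    Phase 7A's false-positive filtering and phase 8's report read earlier phases' output files,
    so continuing past a failed phase produces a report that looks complete but is not.
    """
    results = []
    os.makedirs(output_dir, exist_ok=True)
    for phase in phases:
        script = resolve_phase_script(scripts_dir, phase)
        proc = subprocess.run(build_command(script, target, output_dir, **opts),
                              capture_output=True, text=True)
        results.append((phase, proc.returncode))
        if proc.returncode != 0 and stop_on_failure:
            break
    return results


def demo_run() -> List[Tuple[str, int]]:
    """Self-check with constructed stubs: phase0 succeeds, phase1 fails, phase2 never runs."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = os.path.join(tmp, "scripts")
        os.makedirs(scripts)
        stubs = {"phase0_fingerprint.py": 0, "phase1_subdomains.py": 1, "phase2_dns.py": 0}
        for name, code in stubs.items():
            with open(os.path.join(scripts, name), "w") as fh:
                # Each stub only checks that the uniform arguments arrived, then exits.
                fh.write("import sys\n"
                         "assert '--target' in sys.argv and '--output-dir' in sys.argv\n"
                         f"sys.exit({code})\n")
        return run_pipeline(scripts, ["phase0", "phase1", "phase2"], "https://example.com",
                            os.path.join(tmp, "output"), timeout=15)


if __name__ == "__main__":
    print(demo_run())
```

Against a real checkout, call run_pipeline("scripts", URL_PHASES, "https://example.com", "./output", proxy="http://127.0.0.1:8080", verbose=True) from the repository root; an AI agent gets the same per-phase exit codes the shell loop would see, plus a hard stop instead of a half-populated report.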

Who this is for

Security researchers and teams with explicit authorization for web app testing will find it useful, especially those integrating AI agents into workflows. The CLI design suits automation scripts or agent calls, as detailed in SKILL.md. If you run pentests on your own infrastructure or client sites with permission, the phased structure speeds up black-box assessments without manual tool juggling.

It's not for beginners: familiarity with pentest concepts (e.g., IDOR, SQLi fuzzing) is needed to interpret the outputs. AI users benefit most, as the framework exposes no complex APIs, only bash-callable phases. Legal constraints limit it to controlled environments; the README repeats that unauthorized use is illegal.

How it compares

Pentest Skill overlaps with the standalone tools it integrates or emulates. Nuclei handles vulnerability scanning (phase 7) but lacks the full pipeline; here, it degrades to Python if missing. Subfinder (phase 1) and FFUF (phase 5) get Python replacements, making it lighter than requiring a full Go toolchain. For JS-heavy sites, phase 4's Playwright rendering outshines basic crawlers like Katana.

Compared to broader frameworks like OWASP ZAP or Burp Suite extensions, it's narrower: focused on black-box web testing, with no GUI, CLI only. It's heavier than pure recon tools like Amass because of the full stack (rendering, fuzzing, reporting), but the 11-star count reflects its niche: AI-agent pentesting. No Docker support is mentioned, unlike containerized alternatives.

Small teams might prefer script chains from tools like bbot or nuclei workflows, but Pentest Skill's agent-ready phases and evidence collection (phase 7E) add value for automated reporting.

Pentest Skill suits authorized, AI-driven web pentests but skips white-box analysis or network pivots. Source code and details are at https://github.com/wudidike/pentest_skill.