# analyze

AI-powered analysis of recon data for: $ARGUMENTS

Install with:

```
npx mdskill add H-mmer/pentest-agents/analyze
```

Source: `.github/skills/analyze/SKILL.md` in H-mmer/pentest-agents.
---
name: analyze
description: "Analyze recon output with AI to suggest high-value targets and attack strategies. Usage: /analyze <target>"
disable-model-invocation: false
---

AI-powered analysis of recon data for: $ARGUMENTS

## Process

1. Read all recon data: `ls recon/` and read the key files
2. Read brain data: `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py brief $ARGUMENTS`
3. Read tech stack intel: `uv run python3 $CLAUDE_PROJECT_DIR/tools/intel_engine.py suggest <detected-stack>`
4. Read hacktivity patterns: `uv run python3 $CLAUDE_PROJECT_DIR/tools/intel_engine.py analyze`

## Analysis Tasks (do all of these)

### Crown Jewel Mapping

What's the most valuable thing an attacker could access on this target?

- Financial data? → hunt IDOR on payment/billing endpoints
- User PII? → hunt IDOR on profile/export endpoints
- Admin access? → hunt auth bypass on admin endpoints
- Infrastructure? → hunt SSRF → cloud metadata

### Attack Path Ranking

Given the tech stack and recon output, rank the top 5 attack paths by:

1. Likelihood of the vulnerability existing (based on tech stack patterns)
2. Impact if exploited (based on endpoint function)
3. Competition (based on hacktivity — avoid heavily-reported vuln classes)
4. Your past success (from brain patterns)

### Blind Spot Detection

What has NOT been tested? Which endpoints have no brain data? Cross-reference the recon output against the brain's tested endpoints and flag untested high-value endpoints.

### Output

```
ANALYSIS: target.com
═════════════════════

Crown Jewels: [what's most valuable]

Top 5 Attack Paths:
1. [endpoint] × [vuln class] — likelihood: HIGH, impact: CRITICAL
2. ...

Blind Spots (untested P1 surface):
- /api/v2/payments/* — NO DATA in brain
- /api/v2/admin/* — NO DATA in brain

Recommendation: /hunt target.com --vuln-class [best bet]
```

## Top-Tier Operator Addendum

Treat `/analyze` as a thesis generator, not a summary command. The output must make the next hour of hunting obvious.

1. Build a weighted table before recommending anything:
   - `asset_value`: revenue, PII, admin, secrets, infrastructure, tenant boundary
   - `exploit_likelihood`: stack age, exposed methods, auth complexity, parser surface, prior bug class fit
   - `novelty`: low hacktivity overlap, new endpoint, changed JS, unusual integration, weak vendor pattern
   - `proof_path`: the exact request needed to prove impact, required accounts, required evidence artifact
   - `policy_friction`: rate limits, forbidden data access, third-party scope, credential validation rules
2. Prefer attack paths with a short proof path over impressive theory. A boring IDOR with two accounts and a readback beats a speculative SSRF with no egress signal.
3. Include negative evidence. If `/api/admin/*` looks valuable but all routes return 403 with no differential, say so and explain what would change the ranking.
4. Separate `P1 now`, `P2 if time`, and `Kill for this session`. Top-tier analysis saves time by deleting tempting dead ends.
5. Every recommendation must name the next command and the exact first test: `/hunt target --vuln-class idor` plus the endpoint pair, account pair, and field to compare.
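The weighted table, the negative-evidence rule, the P1/P2/Kill split and the blind-spot cross-reference above can be made mechanical so the model's ranking is reproducible. The script below is an added example written for this page, not code from the pentest-agents repository: `tools/brain.py` and `tools/intel_engine.py` have their own output formats, so the `RECON`, `BRAIN` and `HACKTIVITY` structures, the `WEIGHTS` and `PROOF_PATH` numbers, the `asset_value` heuristics and the P1/Kill cutoffs are all constructed assumptions to be swapped for real loader output.

```python
"""Added example for the /analyze ranking step (not pentest-agents project code).
The RECON, BRAIN and HACKTIVITY shapes, the weights and every number below are
constructed assumptions; tools/brain.py and tools/intel_engine.py have their own
formats, so replace these constants with real loader output before relying on it."""
from dataclasses import dataclass

# Constructed recon output (assumed shape): endpoint -> observed facts.
RECON = {
    "/api/v2/payments/export": {"auth": "user", "params": ["account_id"]},
    "/api/v2/profile/export": {"auth": "user", "params": ["user_id"]},
    "/api/v2/admin/users": {"auth": "none", "params": [], "status": 403},
    "/api/v2/webhooks/test": {"auth": "user", "params": ["url"]},
    "/healthz": {"auth": "none", "params": []},
}
# Constructed brain data (assumed shape): endpoint -> {vuln class: outcome}.
BRAIN = {"/api/v2/profile/export": {"idor": "no-diff"}, "/healthz": {"info": "nothing"}}
# Constructed hacktivity overlap per vuln class, 0..1 (higher = more crowded).
HACKTIVITY = {"idor": 0.35, "ssrf": 0.15, "auth-bypass": 0.25}
# Proof-path cheapness: an IDOR needs two accounts and a readback, an auth bypass
# needs a response differential, an SSRF needs an egress signal.
PROOF_PATH = {"idor": 0.9, "auth-bypass": 0.5, "ssrf": 0.3}
WEIGHTS = {"asset_value": 0.35, "exploit_likelihood": 0.30, "novelty": 0.15,
           "proof_path": 0.10, "policy_friction": -0.10}

@dataclass
class Path:
    endpoint: str
    vuln_class: str
    scores: dict
    param: str = ""
    negative: str = ""      # negative evidence, reported rather than hidden
    dead_end: bool = False  # brain already tried this class here and saw no diff

    @property
    def score(self) -> float:
        return sum(WEIGHTS[k] * v for k, v in self.scores.items())

def asset_value(endpoint: str) -> float:
    """Crown-jewel mapping: what is behind this route worth to an attacker?"""
    for needle, value in (("/payments", 1.0), ("/admin", 0.9),
                          ("/profile", 0.7), ("/webhooks", 0.6)):
        if needle in endpoint:
            return value
    return 0.1

def candidate_paths(recon: dict, brain: dict) -> list:
    """Build the weighted table: one row per (endpoint, vuln class) hypothesis."""
    paths = []
    for ep, facts in recon.items():
        params = facts.get("params", [])
        ids = [p for p in params if p.endswith("_id")]
        if ids:
            vc, likelihood, param = "idor", 0.7, ids[0]
        elif "url" in params:
            vc, likelihood, param = "ssrf", 0.6, "url"
        elif facts.get("status") == 403:
            vc, likelihood, param = "auth-bypass", 0.2, ""
        else:
            continue  # no hypothesis fits: not an attack path
        prior = brain.get(ep, {}).get(vc)
        negative, dead_end = "", False
        if prior == "no-diff":
            likelihood, dead_end = 0.1, True
            negative = f"brain: {vc} already tested, no differential"
        elif facts.get("status") == 403:
            negative = "all probes 403 with no differential; rerank if an authenticated diff appears"
        paths.append(Path(ep, vc, {
            "asset_value": asset_value(ep),
            "exploit_likelihood": likelihood,
            "novelty": (1.0 - HACKTIVITY[vc]) * (0.25 if prior else 1.0),
            "proof_path": PROOF_PATH[vc],
            "policy_friction": 0.6 if "/payments" in ep else 0.2,  # real money moves
        }, param, negative, dead_end))
    return sorted(paths, key=lambda p: p.score, reverse=True)

def triage(paths: list, p1: float = 0.6, kill: float = 0.4) -> dict:
    """Split into P1 now / P2 if time / Kill; known dead ends are killed outright."""
    buckets = {"P1 now": [], "P2 if time": [], "Kill for this session": []}
    for p in paths:
        if p.dead_end or p.score < kill:
            buckets["Kill for this session"].append(p)
        elif p.score >= p1:
            buckets["P1 now"].append(p)
        else:
            buckets["P2 if time"].append(p)
    return buckets

def blind_spots(recon: dict, brain: dict, min_value: float = 0.6) -> list:
    """High-value endpoints seen in recon that have no brain data at all."""
    return sorted(ep for ep in recon if ep not in brain and asset_value(ep) >= min_value)

def render(target: str, recon: dict, brain: dict) -> str:
    paths = candidate_paths(recon, brain)
    buckets = triage(paths)
    lines = [f"ANALYSIS: {target}", "═" * 21]
    for name, items in buckets.items():
        lines.append(f"{name}:")
        lines += [f"  {p.endpoint} × {p.vuln_class} (score {p.score:.2f})"
                  + (f" | {p.negative}" if p.negative else "") for p in items]
    lines.append("Blind Spots (untested P1 surface):")
    lines += [f"  {ep} | NO DATA in brain" for ep in blind_spots(recon, brain)]
    best = (buckets["P1 now"] or paths)[0]
    first = (f"send {best.endpoint}?{best.param}=<account B's value> as account A, "
             f"diff the body against A's own" if best.param else best.endpoint)
    lines.append(f"Recommendation: /hunt {target} --vuln-class {best.vuln_class}; first test: {first}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render("target.com", RECON, BRAIN))
```

With the constructed data the payments export (IDOR, untested, cheap proof) lands in `P1 now`, the SSRF and the 403-only admin route land in `P2 if time` with the admin row carrying its negative evidence, and the profile export is killed because the brain already recorded an IDOR attempt with no differential. The blind-spot list is deliberately computed from recon minus brain rather than from the ranked paths, so a valuable endpoint with no hypothesis yet still surfaces.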
## More from H-mmer/pentest-agents

- auth-tester: Authentication and session management testing agent. Use for login bypass, session fixation, password reset flow abuse, MFA bypass, OAuth flaws, and privilege escalation testing. Provide the application URL and any credentials for testing.
- autopilot: Autonomous hunt orchestrator. INSATIABLE in --autonomous mode: enforces an EXHAUSTION CONTRACT (26 canonical hunter classes, surface probe A-I, depth-engine ≥25 attempts/class, wall-clock floor 90 min/target, PRE-COMPLETION GATE before any summary). No early stops, no clarifying questions, no auxiliary-agent substitution. Usage: /autopilot target.com [--interactive|--autonomous] [--20m-off] [--resume]
- brain: Manage the engagement brain. Subcommands: 'init' to set up, 'brief <target>' for pre-flight, 'status' for overview, 'exhausted [target]' to see dead ends.
- browser-agent: Browser automation agent for interactive web testing. Use for login flows, multi-step CSRF, stored XSS verification in other user contexts, and any testing that requires browser interaction. Requires Claude in Chrome MCP.
- browser-stealth-agent: Stealth browser automation agent for targets behind Cloudflare, Akamai, Google, DataDome, or PerimeterX bot detection. Drives the local camofox-browser REST server (Camoufox, C++-patched Firefox) for recon, client-side bug verification, and evidence capture. Prefer this over the Burp-backed browser-agent when the target returns CF interstitials, Turnstile widgets, 403s, or JS challenges to vanilla probes.
- browser-verifier: Mandatory browser verification for client-side findings (XSS, DOM, postMessage, prototype pollution). Takes a finding with curl-based evidence and PROVES or DISPROVES that it fires in a real browser. No finding ships without browser verification. Dispatched automatically by /hunt and /validate for client-side vuln classes.
- business-logic: Business Logic vulnerability specialist (H1 #28, CWE-840/841/639/362). Use for testing workflow bypasses, price manipulation, coupon abuse, MFA/2FA bypass, password-reset bypass, free-trial abuse, race conditions on payment, currency conversion, pre-ATO, role escalation. Standalone is feeder-class on most chains — quantify impact and chain to ATO/financial impact for top dollar.
- chain: Build deep exploit chains — dispatches the chain-builder agent. Given bug A, recursively walks the chain graph. Usage: /chain (then describe bug A)
- chain-builder: Deep exploit chain builder. Given bug A, recursively walks the chain graph — each confirmed link becomes the new A. No depth limit. Supports 2-link to 10+ link chains. Use when you have any finding that needs escalation.
- cloud-recon: Cloud misconfiguration scanner. Use for S3 bucket enumeration, Azure blob discovery, GCP storage checks, exposed cloud services, and cloud metadata analysis. Provide the target domain or known cloud identifiers.