fullscan

Install: `npx mdskill add H-mmer/pentest-agents/fullscan`


SKILL.md (`.github/skills/fullscan`)
---
name: fullscan
description: "Full security assessment with brain coordination. Multi-phase, skips known-exhausted areas, builds on prior knowledge."
disable-model-invocation: false
---

ALL agents dispatched by this command MUST use `model: "inherit"` in the Agent tool call.

Full security assessment on: $ARGUMENTS

## Phase 0: Brain Briefing
1. `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py init` (if first run)
2. `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py brief $ARGUMENTS`
3. `uv run python3 $CLAUDE_PROJECT_DIR/tools/scope_check.py $ARGUMENTS`

## Phase 1: Recon (skip already-discovered assets)
Launch `recon` agent with brain context. Focus on discovering NEW subdomains and services beyond what's already known.

## Phase 2: Scanning (skip exhausted areas)
Launch IN PARALLEL, each with brain context about what's been scanned before:
- `vuln-scanner` — skip known false positives, focus new hosts
- `config-auditor` — check if previously noted misconfigs are fixed
- `js-analyzer` — focus on new/changed JS files

Record all results to the brain after each agent returns.

## Phase 3: Targeted Testing (brain-guided)
Based on Phase 2 + brain knowledge, selectively launch ONLY agents targeting UNTESTED or ACTIVE vectors:
- `xss-hunter` ONLY on endpoints not marked exhausted
- `api-audit` ONLY on newly discovered or untested endpoints  
- `auth-tester` ONLY if new auth flows found

Record all results to the brain.

## Phase 4: Reporting
1. `uv run python3 $CLAUDE_PROJECT_DIR/tools/dedup_findings.py --scan-dir scans/ --db findings.json --stats`
2. `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py status`
3. Launch `poc-builder` for each confirmed finding
4. Launch `report-writer` with full brain context
5. `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py log "Full scan completed on $ARGUMENTS"`

## Top-Tier Fullscan Standard

A full scan must leave a defensible coverage ledger.

1. Start with the crown jewels: auth, tenant data, billing, admin, integrations, uploads, webhooks, exports, AI/tool surfaces, and source/repo exposure.
2. For each phase, record both positives and negatives. "Scanned" is invalid unless it names tools, targets, timestamps, and skipped areas.
3. Do not let scanner output dominate. Use scanners to find leads, then spend human-grade effort on state changes, authorization boundaries, and parser differentials.
4. Before reporting, run `/correlate` or `/chain` on all confirmed and partial findings. Single low bugs should not escape the scan if a plausible chain remains.
5. Final output must contain: confirmed findings, killed false positives, exhausted high-value paths, untested residual risk, and the next best command.

## More from H-mmer/pentest-agents

- `analyze`: Analyze recon output with AI to suggest high-value targets and attack strategies. Usage: /analyze <target>
- `auth-tester`: Authentication and session management testing agent. Use for login bypass, session fixation, password reset flow abuse, MFA bypass, OAuth flaws, and privilege escalation testing. Provide the application URL and any credentials for testing.
- `autopilot`: Autonomous hunt orchestrator. INSATIABLE in --autonomous mode: enforces an EXHAUSTION CONTRACT (26 canonical hunter classes, surface probe A-I, depth-engine ≥25 attempts/class, wall-clock floor 90 min/target, PRE-COMPLETION GATE before any summary). No early stops, no clarifying questions, no auxiliary-agent substitution. Usage: /autopilot target.com [--interactive|--autonomous] [--20m-off] [--resume]
- `brain`: Central knowledge coordinator. Use BEFORE launching any other pentest agent to get context on what's already been tried. Also use AFTER any agent completes to record findings, exhausted vectors, and learned patterns. The brain prevents redundant work across sessions and agents.
- `browser-agent`: Browser automation agent for interactive web testing. Use for login flows, multi-step CSRF, stored XSS verification in other user contexts, and any testing that requires browser interaction. Requires Claude in Chrome MCP.
- `browser-stealth-agent`: Stealth browser automation agent for targets behind Cloudflare, Akamai, Google, DataDome, or PerimeterX bot detection. Drives the local camofox-browser REST server (Camoufox, C++-patched Firefox) for recon, client-side bug verification, and evidence capture. Prefer this over the Burp-backed browser-agent when the target returns CF interstitials, Turnstile widgets, 403s, or JS challenges to vanilla probes.
- `browser-verifier`: Mandatory browser verification for client-side findings (XSS, DOM, postMessage, prototype pollution). Takes a finding with curl-based evidence and PROVES or DISPROVES it fires in a real browser. No finding ships without browser verification. Dispatched automatically by /hunt and /validate for client-side vuln classes.
- `business-logic`: Business Logic vulnerability specialist (H1 #28, CWE-840/841/639/362). Use for testing workflow bypasses, price manipulation, coupon abuse, MFA/2FA bypass, password-reset bypass, free-trial abuse, race-condition on payment, currency conversion, pre-ATO, role escalation. Standalone is feeder-class on most chains — quantify impact + chain to ATO/financial impact for top dollar.
- `chain`: Build deep exploit chains — dispatches chain-builder agent. Given bug A, recursively walks the chain graph. Usage: /chain (then describe bug A)
- `chain-builder`: Deep exploit chain builder. Given bug A, recursively walks the chain graph — each confirmed link becomes the new A. No depth limit. Supports 2-link to 10+ link chains. Use when you have any finding that needs escalation.