mindmap

Name: mindmap
Author: H-mmer/pentest-agents

$npx mdskill add H-mmer/pentest-agents/mindmap

Generate attack surface mindmap for: $ARGUMENTS

SKILL.md

---
name: mindmap
description: "Generate a text-based attack surface mindmap. Shows tech stack → vuln class → endpoint relationships. Usage: /mindmap <target>"
disable-model-invocation: false
---
Generate attack surface mindmap for: $ARGUMENTS

## Process
1. Read brain data: `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py brief $ARGUMENTS`
2. Read recon data from recon/ directory
3. Read intel data: `uv run python3 $CLAUDE_PROJECT_DIR/tools/intel_engine.py suggest <tech-stack>`
4. Generate a tree-format mindmap:

```
target.com
├── Tech Stack
│   ├── Next.js 14 → SSRF (Server Actions), Open Redirect
│   ├── GraphQL → Introspection, IDOR via node(), Mutation Auth
│   └── PostgreSQL → SQL Injection
├── Auth
│   ├── Okta SSO → SAML bypass, OAuth redirect_uri
│   └── JWT → Secret brute-force, Algorithm confusion
├── API Surface
│   ├── /api/v2/users/{id}/* → IDOR (P1)
│   │   ├── /orders — TESTED: exhausted
│   │   ├── /export — UNTESTED
│   │   └── /settings — UNTESTED
│   ├── /api/v2/payments/* → Race conditions, price manipulation (P1)
│   └── /graphql → Auth bypass on mutations (P1)
├── File Handling
│   └── /upload → Extension bypass, SVG XSS (P2)
└── Findings
    ├── [CONFIRMED] IDOR on /api/v2/users/{id}/orders
    └── [EXHAUSTED] XSS on /search — CloudFront blocks all payloads
```

5. Mark each endpoint as TESTED, UNTESTED, CONFIRMED, or EXHAUSTED from brain data
6. Suggest: "Start with UNTESTED P1 endpoints. Run /hunt $ARGUMENTS --vuln-class <suggested>"

## Top-Tier Mindmap Standard

The mindmap should expose attack decisions at a glance.

- Group by trust boundary first: unauth, user, tenant, admin, integration, internal, CI/CD, AI/tool.
- Mark every node with one of: `P1`, `P2`, `Kill`, `Confirmed`, `Partial`, `Exhausted`, `Chain`.
- Draw capability edges, not just URL hierarchy: export reads data, webhook sends server-side request, template renders attacker input, OAuth callback grants token.
- Surface blind spots explicitly: "no second-account test", "no browser verification", "no sibling replay", "no chain attempt".
- End with the top three routes where one more test could change severity or reportability.

More from H-mmer/pentest-agents

Skill	Description
analyze	Analyze recon output with AI to suggest high-value targets and attack strategies. Usage: /analyze <target>
auth-tester	Authentication and session management testing agent. Use for login bypass, session fixation, password reset flow abuse, MFA bypass, OAuth flaws, and privilege escalation testing. Provide the application URL and any credentials for testing.
autopilot	Autonomous hunt orchestrator. INSATIABLE in --autonomous mode: enforces an EXHAUSTION CONTRACT (26 canonical hunter classes, surface probe A-I, depth-engine ≥25 attempts/class, wall-clock floor 90 min/target, PRE-COMPLETION GATE before any summary). No early stops, no clarifying questions, no auxiliary-agent substitution. Usage: /autopilot target.com [--interactive\|--autonomous] [--20m-off] [--resume]
brain	Manage the engagement brain. Subcommands: 'init' to set up, 'brief <target>' for pre-flight, 'status' for overview, 'exhausted [target]' to see dead ends.
browser-agent	Browser automation agent for interactive web testing. Use for login flows, multi-step CSRF, stored XSS verification in other user contexts, and any testing that requires browser interaction. Requires Claude in Chrome MCP.
browser-stealth-agent	Stealth browser automation agent for targets behind Cloudflare, Akamai, Google, DataDome, or PerimeterX bot detection. Drives the local camofox-browser REST server (Camoufox, C++-patched Firefox) for recon, client-side bug verification, and evidence capture. Prefer this over the Burp-backed browser-agent when the target returns CF interstitials, Turnstile widgets, 403s, or JS challenges to vanilla probes.
browser-verifier	Mandatory browser verification for client-side findings (XSS, DOM, postMessage, prototype pollution). Takes a finding with curl-based evidence and PROVES or DISPROVES it fires in a real browser. No finding ships without browser verification. Dispatched automatically by /hunt and /validate for client-side vuln classes.
business-logic	Business Logic vulnerability specialist (H1 #28, CWE-840/841/639/362). Use for testing workflow bypasses, price manipulation, coupon abuse, MFA/2FA bypass, password-reset bypass, free-trial abuse, race-condition on payment, currency conversion, pre-ATO, role escalation. Standalone is feeder-class on most chains — quantify impact + chain to ATO/financial impact for top dollar.
chain	Build deep exploit chains — dispatches chain-builder agent. Given bug A, recursively walks the chain graph. Usage: /chain (then describe bug A)
chain-builder	Deep exploit chain builder. Given bug A, recursively walks the chain graph — each confirmed link becomes the new A. No depth limit. Supports 2-link to 10+ link chains. Use when you have any finding that needs escalation.