pipeline
$ npx mdskill add H-mmer/pentest-agents/pipeline
SKILL.md
.github/skills/pipeline
---
name: pipeline
description: "Prepare the battlefield — recon, scanning, and surface ranking. Stops before hunting. Run /hunt or /autopilot after. Usage: /pipeline or /pipeline <target>"
disable-model-invocation: false
---

Prepare the battlefield for: $ARGUMENTS

This command runs recon, scanning, and surface ranking — everything needed BEFORE hunting. It does NOT hunt, validate, or report. Use `/hunt` or `/autopilot` for that.

## Phase 0: SETUP

1. Read `scope.yaml` — resolve and verify targets
   - If `$ARGUMENTS` is empty: `uv run python3 $CLAUDE_PROJECT_DIR/tools/scope_check.py --list`
   - If `$ARGUMENTS` is a domain: `uv run python3 $CLAUDE_PROJECT_DIR/tools/scope_check.py $ARGUMENTS`
2. Read `policy.md` — extract policy preamble for all agent dispatches
3. Brain init or brief:
   - If no brain exists: `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py init`
   - If brain exists: `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py brief <target>`

## Phase 1: RECON

4. Dispatch `recon` agent (model: inherit) with policy preamble and scope
5. After recon: dispatch `config-auditor` agent (model: inherit) for header/TLS/cookie review
6. After config: dispatch `js-analyzer` agent (model: inherit) for JavaScript analysis
7. Brain update: `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py record <target> recon "<results summary>"`

## Phase 2: SCANNING (parallel, max 3)

8. Dispatch in parallel (all model: inherit, all with policy preamble):
   - `vuln-scanner` agent with nuclei on discovered hosts
   - `waf-profiler` agent on primary targets
9. Brain update with scan results

## Phase 3: RANK

10. Dispatch `recon-ranker` agent (model: inherit) with recon data + brain knowledge
11. Output P1/P2/Kill list

## Complete

```
Battlefield ready.

P1 targets: [list]
P2 targets: [list]
Kill list: [list]

Next steps:
/hunt <target> — manual hunting on a specific target
/autopilot — autonomous hunting across all P1 targets
/surface — re-rank surface with current brain knowledge
```

Sync brain: `uv run python3 $CLAUDE_PROJECT_DIR/tools/global_brain.py sync-from-local`

## Top-Tier Pipeline Standard

The pipeline prepares a battlefield, not a folder of scan files.

1. Scope first: every generated target must be in-scope or tagged `out-of-scope` with reason.
2. Normalize assets into stable inventories: hosts, endpoints, JS files, APIs, auth flows, cloud buckets, repos, mobile packages, and third-party integrations.
3. Rank during collection. Do not wait until the end to identify crown jewels.
4. Preserve raw evidence and parsed summaries. A hunter should be able to replay the exact source of every target.
5. End with `P1`, `P2`, and `Kill` lists plus the best first vuln class for each P1. If no P1 exists, say why and recommend monitoring or a different program.
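
Rule 1 of the standard (every generated target is in-scope or tagged `out-of-scope` with a reason) can be enforced with a default-deny classifier like the one below. This is an added example, not the project's `scope_check.py`; the `SCOPE` layout, the rule syntax and the function names are assumptions, because the page does not show the `scope.yaml` format.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample scope (assumed layout, not the project's scope.yaml).
SCOPE = {
    "include": ["*.example.com", "api.example.org", "203.0.113.0/24"],
    "exclude": ["legacy.example.com", "*.corp.example.com"],
}

def normalize(target):
    """Reduce a URL or host[:port] to a lowercase hostname without a trailing dot."""
    host = urlsplit(target if "://" in target else "//" + target).hostname or ""
    return host.rstrip(".").lower()

def matches(host, rule):
    """Match a host against an exact name, a '*.' wildcard, or a CIDR block."""
    try:
        net = ipaddress.ip_network(rule, strict=False)
    except ValueError:
        net = None
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False  # hostnames never match an IP rule
    rule = rule.lower()
    if rule.startswith("*."):
        # Suffix match on a label boundary: the leading dot keeps the apex
        # and look-alikes such as evilexample.com from matching.
        return len(host) > len(rule) - 1 and host.endswith(rule[1:])
    return host == rule

def classify(target, scope=SCOPE):
    """Return (host, tag, reason); exclusions win and the default is out-of-scope."""
    host = normalize(target)
    if not host:
        return host, "out-of-scope", "unparseable target"
    for rule in scope["exclude"]:
        if matches(host, rule):
            return host, "out-of-scope", f"excluded by {rule}"
    for rule in scope["include"]:
        if matches(host, rule):
            return host, "in-scope", f"matched {rule}"
    return host, "out-of-scope", "no include rule matched"
```

Running every host that recon produces through `classify` before it enters an inventory keeps the reason string next to the asset, which is what lets a later reviewer see why a target was or was not handed to a scanner.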