quickscan

Install:

    npx mdskill add H-mmer/pentest-agents/quickscan

SKILL.md (.github/skills/quickscan)
---
name: quickscan
description: "Run a quick security scan on a target. Consults the Brain first, validates scope, runs passive recon + vuln scan in parallel."
disable-model-invocation: false
---

ALL agents dispatched by this command MUST use `model: "inherit"` in the Agent tool call.

Run a quick security assessment on: $ARGUMENTS

Workflow:

1. **Brain**: `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py brief $ARGUMENTS` — check what we already know. Note exhausted areas.
2. **Scope**: `uv run python3 $CLAUDE_PROJECT_DIR/tools/scope_check.py $ARGUMENTS` — if out of scope, STOP.
3. Launch IN PARALLEL (skip areas the brain marks EXHAUSTED):
   - `recon` agent with passive-only depth, passing brain context about known subdomains/tech
   - `config-auditor` agent for headers, CSP, CORS, TLS, cookies
4. Record results: for each new finding, run `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py record <target> <status> <technique> <details>`
5. Log session: `uv run python3 $CLAUDE_PROJECT_DIR/tools/brain.py log "quickscan completed on $ARGUMENTS"`
6. Summarize: separate NEW findings from KNOWN, recommend next steps.

## Top-Tier Quickscan Loop

Quickscan should answer "is there obvious money or obvious risk here in 30 minutes?"

1. Spend the first five minutes on scope, policy headers, brain, and live host sanity.
2. Spend the next ten on high-signal passive recon: JS routes, exposed APIs, auth flows, cloud/storage names, source maps, security headers, and known vendor panels.
3. Spend ten on two targeted probes only: the best config/information leak candidate and the best auth/tenant-boundary candidate.
4. Spend five on triage: new, known, killed, or needs full hunt.

Never report from quickscan alone unless the proof is already complete. Promote strong leads to `/hunt`, `/validate`, or `/chain`.
More from H-mmer/pentest-agents
- analyze: Analyze recon output with AI to suggest high-value targets and attack strategies. Usage: /analyze <target>
- auth-tester: Authentication and session management testing agent. Use for login bypass, session fixation, password reset flow abuse, MFA bypass, OAuth flaws, and privilege escalation testing. Provide the application URL and any credentials for testing.
- autopilot: Autonomous hunt orchestrator. INSATIABLE in --autonomous mode: enforces an EXHAUSTION CONTRACT (26 canonical hunter classes, surface probe A-I, depth-engine ≥25 attempts/class, wall-clock floor 90 min/target, PRE-COMPLETION GATE before any summary). No early stops, no clarifying questions, no auxiliary-agent substitution. Usage: /autopilot target.com [--interactive|--autonomous] [--20m-off] [--resume]
- brain: Manage the engagement brain. Subcommands: 'init' to set up, 'brief <target>' for pre-flight, 'status' for overview, 'exhausted [target]' to see dead ends.
- browser-agent: Browser automation agent for interactive web testing. Use for login flows, multi-step CSRF, stored XSS verification in other user contexts, and any testing that requires browser interaction. Requires Claude in Chrome MCP.
- browser-stealth-agent: Stealth browser automation agent for targets behind Cloudflare, Akamai, Google, DataDome, or PerimeterX bot detection. Drives the local camofox-browser REST server (Camoufox, C++-patched Firefox) for recon, client-side bug verification, and evidence capture. Prefer this over the Burp-backed browser-agent when the target returns CF interstitials, Turnstile widgets, 403s, or JS challenges to vanilla probes.
- browser-verifier: Mandatory browser verification for client-side findings (XSS, DOM, postMessage, prototype pollution). Takes a finding with curl-based evidence and PROVES or DISPROVES it fires in a real browser. No finding ships without browser verification. Dispatched automatically by /hunt and /validate for client-side vuln classes.
- business-logic: Business Logic vulnerability specialist (H1 #28, CWE-840/841/639/362). Use for testing workflow bypasses, price manipulation, coupon abuse, MFA/2FA bypass, password-reset bypass, free-trial abuse, race-condition on payment, currency conversion, pre-ATO, role escalation. Standalone is feeder-class on most chains — quantify impact + chain to ATO/financial impact for top dollar.
- chain: Build deep exploit chains — dispatches chain-builder agent. Given bug A, recursively walks the chain graph. Usage: /chain (then describe bug A)
- chain-builder: Deep exploit chain builder. Given bug A, recursively walks the chain graph — each confirmed link becomes the new A. No depth limit. Supports 2-link to 10+ link chains. Use when you have any finding that needs escalation.