CLI Flags
All /pentest flags: --bug-bounty, --fast, --hwg, --llm, --mobile, --tokens_optimizer, --proxy, --eval, --api-spec. Default behavior is stealth ON.
Flag Categories & Combinations
```mermaid
graph TB
PENTEST["/pentest URL"]
PENTEST --> MODE{Execution Mode}
MODE -->|Default| DEFAULT["✓ Full Pentest<br/>✓ Stealth ON<br/>✓ All 6 phases"]
MODE -->|--fast| FAST["✓ Fast Mode<br/>✓ Skip Phase 1<br/>✗ Stealth OFF"]
MODE -->|--bug-bounty| BB["✓ Aggressive Mode<br/>✗ Skip Phase 1<br/>✗ Stealth OFF"]
MODE -->|--eval| EVAL["✓ Lab Mode<br/>✓ Auto-score<br/>✓ Skip prompts"]
PENTEST --> OPTIONAL{Optional Flags}
OPTIONAL -->|--api-spec auto| SPEC["API Direct Testing<br/>Auto-detect endpoints"]
OPTIONAL -->|--api-spec ./file| SPECFILE["API Direct Testing<br/>Custom spec"]
OPTIONAL -->|--llm| LLM["Enable LLM Tests<br/>Prompt injection, MCP"]
OPTIONAL -->|--mobile ios/android| MOBILE["Enable Mobile Tests<br/>APK/IPA analysis"]
OPTIONAL -->|--hwg| HWG["HWG Report Format<br/>Italian compliance"]
OPTIONAL -->|--proxy ip:port| PROXY["Burp/Caido Integration<br/>MITM proxy"]
style PENTEST fill:#9b30ff,color:#fff,stroke:#00e5ff,stroke-width:2px
style DEFAULT fill:#4a148c,color:#fff
style FAST fill:#6a1b9a,color:#fff
style BB fill:#7b1fa2,color:#fff
style EVAL fill:#8e24aa,color:#fff
style SPEC fill:#9c27b0,color:#fff
style SPECFILE fill:#9c27b0,color:#fff
style LLM fill:#ab47bc,color:#fff
style MOBILE fill:#ab47bc,color:#fff
style HWG fill:#0277bd,color:#fff
style PROXY fill:#0277bd,color:#fff
```
Complete Flag Reference
Execution Mode Flags
These flags control how the pentest runs. --fast and --bug-bounty are mutually exclusive.
--fast
Skips Phase 1 (recon) and disables all stealth measures. Designed for defined-scope pentests where the target is already known and subdomain/DNS/port discovery is unnecessary.
| Setting | Value |
|---|---|
| Stealth | OFF |
| Rate limit | 50 req/sec |
| Threads | 25 |
| Phase 1 (Recon) | Skipped |
| All other phases | Mandatory |
Mutually exclusive with --bug-bounty
--bug-bounty
Expanded reconnaissance with aggressive scanning. Adds bug-bounty-specific tools (asnmap, alterx, puredns, uncover) and recon Wave C. Disables stealth for maximum coverage.
| Setting | Value |
|---|---|
| Stealth | OFF |
| Rate limit | 50 req/sec |
| Threads | 25 |
| Recon scope | Expanded (all tools + Wave C) |
| Nuclei templates | All (including aggressive) |
Mutually exclusive with --fast
--eval
Lab evaluation mode for testing against known-vulnerable applications. Skips brief.json and authorization prompts. Implies --fast. After the report is generated, reminds the user to score with python evals/lab-scorer.py.
For known-vulnerable labs only
This flag should only be used against lab environments with answer keys in evals/labs/.
Default (no mode flag)
Full pentest with stealth enabled. All 6 phases execute. Rate-limited to avoid detection.
| Setting | Value |
|---|---|
| Stealth | ON |
| User-Agent | Chrome (latest) |
| Rate limit | 1-3 req/sec |
| Jitter | Random delays between requests |
| Wordlists | Shuffled |
| TLS | 1.3 only |
| Nuclei | DoS templates excluded |
Optional Flags
These flags can be combined with any execution mode.
--api-spec <path|auto>
Enables API direct testing mode. Skips recon and discovery phases, going straight to testing the API endpoints defined in the specification.
- --api-spec ./swagger.json -- use a local OpenAPI/Swagger specification file
- --api-spec auto -- auto-detect specification endpoints (tries common paths like /swagger.json, /openapi.json, /api-docs)
/pentest https://api.target.com --api-spec ./swagger.json
/pentest https://api.target.com --api-spec auto
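On the receiving side, the auto-detect probing described above shows up in access logs as one client requesting several specification paths in a short burst. The following is an added detection example, not part of the tool or this page's original code; the log lines are constructed, and the 60-second window and two-path threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SPEC_PATHS = {"/swagger.json", "/openapi.json", "/api-docs"}  # paths named on this page
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')

# Constructed sample access log (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "GET /swagger.json HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2025:10:00:02 +0000] "GET /openapi.json HTTP/1.1" 200 8841
203.0.113.7 - - [12/Mar/2025:10:00:03 +0000] "GET /api-docs HTTP/1.1" 404 153
198.51.100.4 - - [12/Mar/2025:10:05:00 +0000] "GET /openapi.json HTTP/1.1" 200 8841
198.51.100.4 - - [12/Mar/2025:10:05:09 +0000] "GET /index.html HTTP/1.1" 200 512
"""

def find_spec_probing(log_text, min_paths=2, window=timedelta(seconds=60)):
    """Return {client_ip: {"paths": [...], "exposed": [...]}} for clients that
    requested at least min_paths distinct spec paths within the window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, url, status = m.groups()
        path = url.split("?", 1)[0]  # ignore any query string
        if path in SPEC_PATHS:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            hits[ip].append((when, path, int(status)))
    findings = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            paths = sorted({p for _, p, _ in burst})
            if len(paths) >= min_paths:
                # Paths answered with 200 are specs the server actually exposes.
                exposed = sorted({p for _, p, s in burst if s == 200})
                findings[ip] = {"paths": paths, "exposed": exposed}
                break
    return findings
```

A single fetch of a published spec, as from 198.51.100.4 in the sample, is not flagged; the `exposed` list shows which specification files the server returned and may need access control.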
--llm
Enables the /test-llm skill for LLM-specific vulnerability testing (prompt injection, MCP attacks). This skill never runs by default because it requires an LLM-powered target.
--mobile ios|android
Enables the /test-mobile skill for mobile application testing. Requires either ios or android as a value. This skill never runs by default.
--hwg
Generates the final report in HWG compliance format: Italian language, ASVS categories, #[Field]# placeholders for template integration.
--proxy <ip:port>
Routes all traffic through an intercepting proxy (Burp Suite or Caido). Automatically disables TLS certificate verification (-k flag on curl).
--tokens_optimizer
Legacy flag. Runs Phases 1-3 via a Sonnet subprocess and Phases 4-6 on Opus. This is superseded by the wave model routing in agent-dispatch.md, which handles per-agent Opus/Sonnet/Haiku routing automatically.
Superseded
Wave model routing in agent-dispatch.md now handles per-agent model selection automatically. This flag is retained for backward compatibility.
Flag Combinations
Common flag combinations for different scenarios:
| Scenario | Command |
|---|---|
| Standard pentest (stealth) | /pentest https://target.com |
| Fast internal assessment | /pentest https://target.com --fast |
| Bug bounty hunting | /pentest https://target.com --bug-bounty |
| API-only with proxy | /pentest https://api.target.com --api-spec ./spec.json --proxy 127.0.0.1:8080 |
| Full pentest + LLM + mobile | /pentest https://target.com --llm --mobile android |
| Lab evaluation | /pentest https://vulnlab.local --eval |
| Italian compliance report | /pentest https://target.com --hwg |
| Fast with proxy | /pentest https://target.com --fast --proxy 127.0.0.1:8080 |
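The combination rules on this page can be expressed as a pre-flight check that rejects invalid flag sets and reports which safety-relevant settings a command line changes (stealth, authorization prompts, TLS verification). This is an added example, not the project's own parser; `resolve` and the keys of the returned dictionary are hypothetical names, and treating `--eval` with `--bug-bounty` as a conflict is an assumption derived from "Implies --fast".

```python
import argparse
import ipaddress

class FlagParser(argparse.ArgumentParser):
    def error(self, message):  # raise instead of exiting the process
        raise ValueError(message)

def resolve(argv):
    """Return the effective settings for a /pentest argument list."""
    p = FlagParser(prog="/pentest")
    p.add_argument("url")
    mode = p.add_mutually_exclusive_group()  # --fast XOR --bug-bounty
    mode.add_argument("--fast", action="store_true")
    mode.add_argument("--bug-bounty", action="store_true")
    p.add_argument("--eval", action="store_true")
    p.add_argument("--mobile", choices=["ios", "android"])
    p.add_argument("--api-spec")
    p.add_argument("--proxy")
    for flag in ("--llm", "--hwg", "--tokens_optimizer"):
        p.add_argument(flag, action="store_true")
    a = p.parse_args(argv)

    if a.eval and a.bug_bounty:
        # Assumption: --eval implies --fast, so it inherits the exclusion.
        raise ValueError("--eval implies --fast; conflicts with --bug-bounty")
    fast = a.fast or a.eval
    loud = fast or a.bug_bounty  # both modes turn stealth OFF
    cfg = {
        "stealth": not loud,
        "rate_limit": "50 req/sec" if loud else "1-3 req/sec",
        "skip_recon": fast or a.api_spec is not None,
        "skip_authorization_prompts": a.eval,
        "tls_verify": True,
        "skills": [s for s, on in (("/test-llm", a.llm),
                                   ("/test-mobile", a.mobile)) if on],
    }
    if a.proxy:
        host, _, port = a.proxy.rpartition(":")
        ipaddress.ip_address(host)  # ValueError unless host is an IP
        if not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError("proxy port out of range")
        cfg["tls_verify"] = False  # page: --proxy adds curl -k
    return cfg
```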
Stealth Configuration Details
When stealth is ON (default mode), the following settings apply:
| Parameter | Value |
|---|---|
| User-Agent | Chrome latest (rotated) |
| Request rate | 1-3 req/sec |
| Jitter | Random delay between requests, scaled by JITTER_MULT |
| Wordlists | Shuffled before use |
| TLS version | 1.3 only |
| Nuclei templates | DoS templates excluded |
| JITTER_MULT=N | Scales jitter by N concurrent agents to maintain stealth rate |
Full stealth configuration: .claude/skills/pentest/helpers/stealth-config.md
Advanced OPSEC: .claude/skills/pentest/helpers/advanced-opsec.md