Skip to content

Utility Skills

Utility skills support the pentest workflow with pre-engagement setup, monitoring, resumption, and post-engagement analysis. They are not part of the core 6-phase methodology but integrate with it.

/intake

Pre-engagement questionnaire that collects business context, tech stack, compliance requirements, and rules of engagement. Outputs brief.json at the project root.

Modes

Mode Command Description
Guided /intake Interactive interview with approximately 25 questions covering business context, tech stack, compliance, features, and engagement rules
Paste /intake --paste Paste mode -- provide a block of text (email, SOW, scope document) and the skill extracts structured data from it

Output

brief.json with _version: "1.0" containing:

  • Business context and application purpose
  • Known tech stack and frameworks
  • Compliance requirements (PCI-DSS, HIPAA, SOC2, etc.)
  • Key features and functionality to test
  • Rules of engagement and restrictions
  • Credentials and access information

Integration

/pentest auto-detects brief.json and merges it into context.json. Fingerprinting results from Phase 0 take priority over brief data when there are conflicts.

Tip

While optional, /intake significantly improves test targeting by providing context that automated fingerprinting cannot discover (e.g., business logic priorities, compliance requirements).

/preflight

Pre-check skill that validates the testing environment before starting a pentest. Verifies:

  • Docker image pentest-tools is built and accessible
  • Target URL is reachable
  • Scope file (scope.txt) exists and is valid
  • Credentials file exists (if multi-user testing is planned)
  • Required tools are available inside the Docker container
  • Proxy connectivity (if --proxy is specified)
  • VPN routing (if VPN is configured)
/preflight

/resume

Checkpoint-based resume that continues a pentest from where it left off. Reads checkpoint.json to determine the last completed phase, wave, and agent state.

/resume

How It Works

  1. Reads checkpoint.json for current phase and wave state
  2. Reads waves/agent-*.json for per-agent completion status
  3. Skips completed phases and waves
  4. Resumes from the exact point of interruption
  5. Re-validates context before continuing (target reachable, tokens valid)

Checkpoint Data

checkpoint.json tracks:

  • Current phase number and name
  • Completed waves within the current phase
  • Agent states (running, completed, failed)
  • Elapsed time and request counts
  • Kill switch status

/dashboard

Status overview of the current engagement. Displays:

  • Current phase and wave
  • Findings count by severity (Critical/High/Medium/Low/Info)
  • Endpoint coverage statistics
  • Request count and rate
  • Time elapsed
  • Kill switch proximity (time and request limits)
  • Agent status (if wave dispatch is active)
/dashboard

/retest

Re-tests specific findings to verify they are still present (e.g., after remediation). Takes finding IDs as input and re-runs the verification PoC for each.

/retest FINDING-001 FINDING-003 FINDING-007

Output

For each finding, reports:

  • Still vulnerable -- PoC still works, finding confirmed
  • Fixed -- PoC no longer works, remediation verified
  • Changed -- Behavior differs from original finding, manual review needed

/diff-engagements

Compares two engagement directories to identify new, fixed, and persistent findings. Useful for tracking remediation progress across multiple assessments.

/diff-engagements <old-engagement-dir> <new-engagement-dir>

Output

  • New findings -- present in new engagement but not old
  • Fixed findings -- present in old engagement but not new
  • Persistent findings -- present in both engagements
  • Regression analysis -- findings that were fixed but reappeared
  • Summary statistics and trend analysis

/chain-findings

Correlates individual findings into multi-step attack chains. Runs after Phase 5 (verification) to discover compound vulnerabilities with higher combined impact than their individual severity suggests.

/chain-findings

Chain Patterns Detected

Pattern Example
SSRF to cloud credentials SSRF + metadata endpoint access + IAM role theft
XSS to account takeover Stored XSS + session token theft + admin access
SQLi to data exfiltration SQL injection + UNION-based extraction + PII exposure
CMDi + LFI Command injection + local file read for source code
LFI + SSRF Local file inclusion + internal service access
XXE + JAR XML external entity + Java archive protocol
JWT + BAC JWT weakness + broken access control escalation
UserEnum + NoRateLimit Username enumeration + unrestricted brute force
XSS + CORS Cross-site scripting + CORS misconfiguration

Output

Each chain produces a CHAIN-NNN.md file in findings/ containing:

  • Chain title and combined severity
  • Component findings with individual severity
  • Step-by-step attack flow narrative
  • Mermaid diagram of the attack chain
  • Combined business impact assessment

/walkthrough

Standalone browser crawl using Playwright in headless Chromium. Navigates every user role from credentials.json to discover SPA routes, dynamic menus, JS-rendered content, and API calls.

/walkthrough

Features

  • Headless Chromium via Playwright inside Docker
  • Authenticates each role using credentials.json login configuration
  • BFS (breadth-first search) crawling strategy
  • Captures network requests (API calls, XHR, fetch)
  • Diagnoses 403/500/timeout/JS errors instead of skipping
  • Parallel crawling with 2+ roles

Parallel Crawling

With multiple roles, launches parallel Docker processes per role:

# Per-role crawling (parallel)
docker run --rm -v $(pwd):/work pentest-tools /opt/pentest-venv/bin/python3 /work/browser/crawler.py --role admin
docker run --rm -v $(pwd):/work pentest-tools /opt/pentest-venv/bin/python3 /work/browser/crawler.py --role user

# Merge results
docker run --rm -v $(pwd):/work pentest-tools /opt/pentest-venv/bin/python3 /work/browser/crawler.py --merge

Max 3 users per batch

When crawling 4+ users, split into batches of max 3 users. Crawling too many users in a single process causes timeouts and internal errors.

Output

File Description
app-map.json Complete application map with routes, parameters, and role access
walkthrough-report.md Human-readable crawl report
crawled-urls.txt All discovered URLs
api-endpoints.txt API endpoints captured from network traffic

Credentials Requirement

credentials.json MUST include a login section so the crawler can authenticate each role:

{
  "login": {
    "url": "http://target/login",
    "method": "form"
  },
  "users": [
    {"username": "admin", "password": "admin123", "role": "admin"},
    {"username": "user", "password": "user123", "role": "user"}
  ]
}

Without the login field, the crawler runs unauthenticated and misses all protected pages.

/route

Smart router that analyzes discovery output and maps endpoints to specific test scopes. Runs after Phase 3 (scanning) and before Phase 4 (manual testing).

/route

Input

  • resource-map.json -- discovered resource types
  • injectable-params.json -- parameter inventory
  • Scan results from Phase 3 (nuclei, nikto)

Analysis

Performs signal analysis on each endpoint to determine which test skills are applicable:

  • Parameter types and names suggest injection vectors
  • Response patterns indicate technology-specific tests
  • Scan findings highlight confirmed attack surfaces
  • Resource types map to access control tests

Output

discovery/test-plan.json mapping each endpoint to its relevant test scopes. This enables targeted, per-endpoint testing in Phase 4 instead of running every test against every endpoint.

{
  "/api/v1/users": ["injection", "access", "api"],
  "/api/v1/users/{id}": ["injection", "access", "ssrf", "api"],
  "/login": ["injection", "auth", "client"],
  "/upload": ["injection", "logic", "ssrf"]
}

/pentest_suggestions

Generates targeted manual testing suggestions after automated testing is complete. Analyzes:

  • Anomalous behaviors observed during testing
  • Promising attack surfaces that warrant deeper investigation
  • Technology-specific attack vectors based on fingerprinted stack
  • Areas where automated tools had limited coverage
/pentest_suggestions

Provides actionable recommendations for manual follow-up, prioritized by likelihood of finding vulnerabilities.

/update-wordlists

Updates all wordlists and nuclei templates. Uses a smart 24-hour cache to avoid redundant downloads.

/update-wordlists          # Smart update (skips if updated within 24h)
/update-wordlists --force  # Force update regardless of last run time

What Gets Updated

  • SecLists -- comprehensive wordlist collection for fuzzing and discovery
  • Nuclei templates -- vulnerability detection templates (9000+)
  • Technology-specific wordlists based on current engagement context
  • Custom wordlists from community sources

Cache Behavior

  • Checks last update timestamp before downloading
  • Skips update if last run was within 24 hours
  • --force flag bypasses the cache check
  • Cache state stored locally to avoid redundant network requests