performing-penetration-testing
Orchestrate a penetration test by routing user intent to one or more of the 25 narrow skills in this pack. Confirms authorization + scope FIRST (cluster 5), runs the relevant scan skills (clusters 1-4), then composes findings into the customer deliverables (cluster 6) plus an integrity-attestable engagement archive (cluster 5). Backward-compatible with v2 invocations — "pentest", "security scan", "audit dependencies" still work but now route to the narrow skills instead of the v2 monolithic scripts. Use when: starting a security engagement, running an ad-hoc scan, planning a multi-day pentest, or operating the full authorization-to-deliverable workflow end-to-end. Trigger with: "pentest", "security scan", "vulnerability check", "audit dependencies", "check headers", "find secrets", "OWASP scan", "security audit".
What this skill does
# Performing Penetration Testing
## Overview
v3.0.0 of `penetration-tester` is a 25-skill pack. Each skill is
narrow and heavy-hitter compliant (≥250 LOC scripts, ≥2 reference
docs, 8-field SKILL.md frontmatter). This orchestrator routes
user intent to the right combination of narrow skills.
The 25 skills group into 7 clusters:
- **Cluster 0** — this orchestrator
- **Cluster 1 (5 skills)** — Network / transport
- **Cluster 2 (4 skills)** — Information disclosure
- **Cluster 3 (6 skills)** — Source-code static analysis
- **Cluster 4 (4 skills)** — Dependency analysis
- **Cluster 5 (3 skills)** — Engagement governance
- **Cluster 6 (3 skills)** — Reporting
Cluster 5 + 6 are the v3 additions versus v2. Cluster 5 runs
BEFORE any scan and refuses to proceed if authorization is
missing or scope is malformed. Cluster 6 runs AFTER scans and
produces the deliverable artifacts (vulnerability report, OWASP
coverage report, executive summary, chain-of-custody archive).
## Instructions
The orchestrator's job is intent routing — given a user utterance, decide which of the 25 narrow skills to invoke and in what order. Four steps:
### Step 1 — Parse the user intent
Match the utterance against the intent-routing table below. The leftmost matching row determines the routing. If no exact match, default to the cluster-1-4 governance-first sequence and pare back based on context.
### Step 2 — Run authorization-first
Before any cluster 1-4 scan invocation, run `confirming-pentest-authorization`. If it emits any CRITICAL finding, HALT — do not invoke any scan skill. The user must resolve the authorization issue before proceeding.
### Step 3 — Run the matched skills in order
Invoke each skill from the routing-table row, in the listed order. Each skill emits its findings as JSON/JSONL/markdown via `lib/report.py`. Persist per-skill output into `engagement/findings/<skill>-<date>.jsonl` so the cluster 6 skills can consume them.
### Step 4 — Compose deliverables
After scan skills complete, run cluster 6 in sequence: `mapping-findings-to-owasp-top10`, then `composing-vulnerability-report`, then `generating-executive-summary`, then `recording-pentest-engagement` for the chain-of-custody archive.
## Intent routing (the table)
| User intent / trigger phrase | Skills to invoke (in order) |
|---|---|
| "pentest", "full security scan" | confirming-pentest-authorization → defining-pentest-scope → cluster 1-4 (all) → mapping-findings-to-owasp-top10 → composing-vulnerability-report → generating-executive-summary → recording-pentest-engagement |
| "check headers" / "scan URL" | confirming-pentest-authorization → checking-http-security-headers + analyzing-tls-config + detecting-ssl-cert-issues |
| "CORS check" | confirming-pentest-authorization → auditing-cors-policy |
| "check SSL" / "certificate" | analyzing-tls-config + detecting-ssl-cert-issues |
| "audit npm dependencies" | auditing-npm-dependencies |
| "audit python dependencies" / "pip-audit" | auditing-python-dependencies |
| "find vulnerable deps" | auditing-npm-dependencies + auditing-python-dependencies + tracing-transitive-vulnerabilities |
| "license check" / "GPL contamination" | checking-license-compliance |
| "find hardcoded secrets" / "credential scan" | scanning-for-hardcoded-secrets |
| "SQL injection scan" | detecting-sql-injection-patterns |
| "command injection scan" | detecting-command-injection-patterns |
| "code audit" / "static analysis" | cluster 3 (all 6 skills) |
| "OWASP scan" / "OWASP coverage" | cluster 1-4 → mapping-findings-to-owasp-top10 |
| "confirm authorization" / "verify ROE" | confirming-pentest-authorization |
| "define scope" / "generate allowlist" | defining-pentest-scope |
| "write report" / "generate exec summary" | composing-vulnerability-report → generating-executive-summary |
| "archive engagement" / "chain of custody" | recording-pentest-engagement |
When unsure which to invoke, prefer the governance-first sequence
(authorization + scope) and add cluster-1-4 skills based on what
the user described.
## Full 25-skill index
### Cluster 0 — Orchestration
- `performing-penetration-testing` — this skill
### Cluster 1 — Network / transport (5)
- `analyzing-tls-config` — TLS protocol versions, cipher suites, HSTS
- `detecting-ssl-cert-issues` — cert validity, expiry, chain integrity
- `auditing-cors-policy` — origin reflection, credential bypass, wildcard
- `checking-http-security-headers` — CSP, HSTS, X-Frame-Options, etc.
- `probing-dangerous-http-methods` — TRACE, DELETE, PUT exposure
### Cluster 2 — Information disclosure (4)
- `detecting-exposed-secrets-files` — `.env`, `.git`, backup files
- `detecting-debug-endpoints` — `/server-status`, admin panels
- `fingerprinting-server-software` — Server-header version exposure
- `detecting-directory-listing` — Apache/nginx autoindex
### Cluster 3 — Source-code static analysis (6)
- `scanning-for-hardcoded-secrets` — AWS / GitHub / Stripe / Slack / API keys
- `detecting-sql-injection-patterns` — string-concat SQL, unsanitized input
- `detecting-command-injection-patterns` — shell exec with user input
- `detecting-eval-exec-usage` — eval/exec with dynamic content
- `detecting-insecure-deserialization` — pickle/yaml.load/Marshal use
- `detecting-weak-cryptography` — MD5/SHA1/DES, hardcoded IVs, ECB mode
### Cluster 4 — Dependency analysis (4)
- `auditing-npm-dependencies` — `npm audit` wrapper with v1/v2 parsers
- `auditing-python-dependencies` — `pip-audit` wrapper with OSV scoring
- `checking-license-compliance` — SPDX classification + copyleft contamination
- `tracing-transitive-vulnerabilities` — dep-graph leverage analysis
### Cluster 5 — Engagement governance (3, new in v3)
- `confirming-pentest-authorization` — Rules of Engagement validation
- `defining-pentest-scope` — target enumeration + IP allowlist
- `recording-pentest-engagement` — SHA-256 manifest + GPG signing
### Cluster 6 — Reporting (3, new in v3)
- `composing-vulnerability-report` — unified deliverable report
- `mapping-findings-to-owasp-top10` — A0X classification + coverage rollup
- `generating-executive-summary` — 0-100 risk score + top-3 priorities
## End-to-end workflow
For a typical engagement, the orchestrator routes through:
```
+----------------------------------+
| confirming-pentest-authorization |
+-------------+--------------------+
| (CRITICAL halts here)
v
+----------------------------------+
| defining-pentest-scope |
+-------------+--------------------+
|
v
+-------------+-------------+-------------+-------------+
| Cluster 1 | Cluster 2 | Cluster 3 | Cluster 4 |
| (5 skills) | (4 skills) | (6 skills) | (4 skills) |
+-------------+-------------+-------------+-------------+
|
v
+----------------------------------+
| mapping-findings-to-owasp-top10 |
+-------------+--------------------+
|
v
+----------------------------------+
| composing-vulnerability-report |
+-------------+--------------------+
|
v
+----------------------------------+
| generating-executive-summary |
+-------------+--------------------+
|
v
+----------------------------------+
| recording-pentest-engagement |
+----------------------------------+
```
## Backward compatibility
The v2 monolithic scripts (`security_scanneRelated in Ads & Marketing
ads
IncludedMulti-platform paid advertising audit and optimization skill. Analyzes Google, Meta, YouTube, LinkedIn, TikTok, Microsoft, and Apple Ads. 250+ checks with scoring, parallel agents, industry templates, and AI creative generation.
banana
IncludedAI image generation Creative Director powered by Google Gemini Nano Banana models. Use this skill for ANY request involving image creation, editing, visual asset production, or creative direction. Triggers on: generate an image, create a photo, edit this picture, design a logo, make a banner, visual for my anything, and all /banana commands. Handles text-to-image, image editing, multi-turn creative sessions, batch workflows, and brand presets.
rpg-migration-analyzer
IncludedAnalyzes legacy RPG (Report Program Generator) programs from AS/400 and IBM i systems for migration to modern Java applications. Extracts business logic from RPG III/IV/ILE source code, identifies data structures (D-specs), file operations (F-specs), program dependencies (CALLB/CALLP), and converts RPG constructs to Java equivalents. Generates migration reports, complexity estimates, and Java implementation strategies with POJO classes, JPA entities, and service methods. Use when modernizing AS/400 or IBM i legacy systems, analyzing RPG source files (.rpg, .rpgle, .RPGLE), converting RPG to Java, mapping data specifications to Java classes, planning legacy system migration, or when user mentions RPG analysis, Report Program Generator, RPG III/IV/ILE, AS/400 modernization, IBM i migration, packed decimal conversion, or mainframe application rewrite.
brand-library-architect
IncludedBuild a complete brand library for a product — visual asset render pipeline, brand documentation set (BRAND, COPY, MANIFESTO, BIOS, FAQ, GLOSSARY, TONE, PRICING), open-source convention files (README, CONTRIBUTING, SECURITY, CODE_OF_CONDUCT), and a self-contained press kit. This skill should be used when the user asks to "build a brand library / brand kit / press kit / brand assets" for a product, "set up a brand library workflow," "create a positioning manifesto plus visual identity," or any combination of brand documentation + visual asset pipeline. Apply phase-by-phase or run end-to-end. Templates are product-agnostic and use {{TOKEN}} placeholders the skill prompts the user to fill.
writing-tech-post
IncludedAuthors engineering blog posts end-to-end: launch deep-dives, incident postmortems, architecture migrations, performance case studies, tutorials, AI/agent system writeups, security disclosures, and research-to-product translations. Picks the correct archetype, plans the abstraction ladder, enforces an evidence cadence (diagrams, benchmarks, profiles, traces, code, ablations), tunes voice against publisher house styles (Datadog, Vercel, GitHub, AWS, Meta, Cloudflare, Jane Street), and runs a pre-publish gate for narrative momentum and disclosure ethics. Use when drafting a new engineering post, restructuring a draft that feels flat, deciding which evidence form belongs where, validating that depth and product context are balanced, or preparing a postmortem, migration, or performance narrative for external publication. Do not use for API reference documentation, README authoring, marketing copy, release notes, generic SEO content, ghost-written executive thought leadership, or non-engineering long-form essays.
blog-google
IncludedGoogle API integration for blog performance: PageSpeed Insights, CrUX Core Web Vitals with 25-week history, Search Console performance, URL Inspection, Indexing API, GA4 organic traffic, NLP entity analysis for E-E-A-T, YouTube video search for embedding, and Google Ads Keyword Planner. Progressive feature availability based on credential tier (API key, OAuth/service account, GA4, Ads). Shares config with claude-seo at ~/.config/claude-seo/google-api.json. Use when user says "google data", "page speed", "core web vitals", "search console", "indexation", "GA4", "keyword research", "nlp entities", "blog performance", "youtube search", "google api setup".