Principle: No Exploit, No Report. Only report vulnerabilities that have been practically exploited or validated.
Methodology derived from Shannon (AGPL-3.0, Keygraph), adapted for Kimi CLI.
Execute phases sequentially. Each phase saves a deliverable to .shannon/deliverables/. Do not skip phases unless the user explicitly requests a subset.
Pre-Recon → Recon → Vulnerability Analysis → Exploitation → Reporting
Goal: External footprinting + initial source-code mapping.
nmap, subfinder, whatweb via Bash.
API_KEY, SECRET, password, token).
python .claw/skills/shannon-pentest/scripts/save-deliverable.py --type PRE_RECON --content "..."
Goal: Browser automation + attack-surface mapping.
--type RECON
Goal: Identify concrete vulnerability hypotheses.
Agent subtasks (one per vulnerability class):
injection-vuln (SQLi, Command Injection, SSTI, etc.)
xss-vuln (Stored/Reflected/DOM XSS)
auth-vuln (Broken Authentication, Session Management)
ssrf-vuln (Server-Side Request Forgery)
authz-vuln (Broken Access Control, IDOR)
injection_analysis_deliverable.md, xss_analysis_deliverable.md, etc. (use --type INJECTION_ANALYSIS, XSS_ANALYSIS, etc.)
Goal: Validate hypotheses from Phase 3.
Agent subtask to attempt practical exploitation.
Bash to run exploit payloads (curl, playwright scripts, custom Python).
unconfirmed and drop it from the report.
*_exploitation_queue.json and exploitation_evidence/ folder.
Goal: Compile only validated findings into a professional report.
.shannon/deliverables/.
--type REPORT (saved as report.md).
For 2FA/MFA login flows:
python .claw/skills/shannon-pentest/scripts/generate-totp.py --secret BASE32SECRET
Always use the provided script to persist phase outputs:
python .claw/skills/shannon-pentest/scripts/save-deliverable.py --type <TYPE> --content "..."
# Or from file:
python .claw/skills/shannon-pentest/scripts/save-deliverable.py --type <TYPE> --file-path /path/to/content.md
Valid types: PRE_RECON, RECON, INJECTION_ANALYSIS, XSS_ANALYSIS, AUTH_ANALYSIS, SSRF_ANALYSIS, AUTHZ_ANALYSIS, EXPLOITATION_EVIDENCE, REPORT
./.shannon/deliverables/ (created automatically).
git init inside .shannon/deliverables/ if you want checkpoint/rollback support.
.shannon/scratchpad/ for temporary files, screenshots, and raw tool output.
Agent subtask fails, retry once with a more focused prompt. If it still fails, note the failure in the deliverable and continue.