shannon

Summary

Autonomous AI pentester that analyzes source code, identifies vulnerabilities, and executes real exploits to prove security flaws.

  • Covers OWASP Top 10 categories: injection, XSS, SSRF, broken authentication, and broken authorization, with a 96.15% exploit success rate on security benchmarks
  • Requires explicit written authorization before testing; includes mandatory safety checks to prevent accidental targeting of production systems
  • Runs in Docker with integrated security tools (Nmap, Subfinder, WhatWeb, Schemathesis, headless Chromium) and supports authentication configuration via YAML for login flows
  • Generates detailed reports with reproducible proof-of-concept exploits for each finding; every reported vulnerability includes a working PoC
SKILL.md

Shannon: Autonomous AI Pentester for Web Apps & APIs

Permissions overview: This skill orchestrates Shannon, a Docker-based pentesting tool that actively executes attacks against a target application. It clones/updates the Shannon repo locally, runs Docker containers, and reads pentest reports. Shannon performs real exploits — only run against apps you own or have explicit written authorization to test. Never run against production systems.

Shannon analyzes your source code, identifies attack vectors, and executes real exploits to prove vulnerabilities before they reach production. 96.15% exploit success rate on the XBOW security benchmark. Covers OWASP Top 10: Injection, XSS, SSRF, Broken Auth, Broken AuthZ, and more.


CRITICAL: Safety Checks (ALWAYS run first)

Before doing ANYTHING, you MUST confirm:

  1. Authorization: Ask the user — "Do you have explicit authorization to pentest this target?" If they say no or are unsure, STOP and explain they need written permission from the system owner.
  2. Environment: Confirm the target is a local, staging, or sandboxed environment — NEVER production.
  3. Scope: Clarify what they want tested (full pentest vs specific category).
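
The three checks above can also be backed by a machine-enforced tripwire that runs before any container starts. The following is an added example, not Shannon's own code; `preflight`, `ALLOWED_HOSTS` and the sample hosts are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: staging hosts the owner has put in scope in writing.
ALLOWED_HOSTS = {"staging.app.example.test"}


def _resolve(host):
    """Return every address the hostname currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_local(addr):
    """Loopback or private space; link-local (e.g. metadata services) excluded."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    return ip.is_loopback or (ip.is_private and not ip.is_link_local)


def preflight(target_url, authorized, scope, resolve=_resolve):
    """Return the reasons to refuse a run; an empty list means all checks pass."""
    problems = []
    if authorized is not True:  # "unsure" or a missing answer counts as no
        problems.append("authorization: written permission not confirmed")
    if not scope:
        problems.append("scope: not specified")

    parts = urlsplit(target_url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        problems.append("environment: target is not an http(s) URL")
        return problems
    if host in ALLOWED_HOSTS:
        return problems
    try:
        ipaddress.ip_address(host)  # IP literal: no lookup needed
        addrs = {host}
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            addrs = set()
    # Every resolved address must be local; an unresolvable host also fails.
    if not addrs or not all(_is_local(a) for a in addrs):
        problems.append(f"environment: {host} is not a local or allowlisted target")
    return problems
```

A private address can still belong to an internal production system, so this gate supplements the user's confirmation rather than replacing it.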

Installs: 1.9K · GitHub Stars: 31 · First Seen: Mar 9, 2026