
Add: /pentest skill — active penetration testing for live targets#567

Open
shuvonsec wants to merge 1 commit into garrytan:main from shuvonsec:feat/bug-bounty-skill

Conversation

@shuvonsec

What this adds

A new /pentest skill that covers the gap between /cso (static code + config audit) and actual live surface testing.

/cso reviews your code and config files. /pentest hits the running app.

How it works

Four phases:

  1. Recon — subdomain enum (subfinder/amass), live host check (httpx), port scan (nmap)
  2. Fingerprint — tech stack, security headers, robots.txt, sitemap
  3. Vuln scan — 20+ checks: SQLi, XSS, SSRF, IDOR, open redirect, CORS misconfiguration, sensitive file exposure, insecure cookies, missing rate limits
  4. Report — structured Markdown report with severity table and per-finding remediation

Design decisions

  • Degrades gracefully — uses subfinder/nuclei/nmap when available, falls back to curl-based probes when not. The scan always runs.
  • Authorization gate — requires explicit confirmation before any scan starts. Hard stop otherwise.
  • Critical finding interrupt — if RCE, auth bypass, confirmed SQLi, or SSRF to metadata endpoint is found mid-scan, it stops and surfaces it immediately rather than burying it in the final report.
  • Complements /cso, does not replace it. /cso is your daily static audit; /pentest is what you run before launch or after a major feature ships.

Usage

/pentest --target app.example.com
/pentest --target app.example.com --quick
/pentest --target app.example.com --phase recon
/pentest --report

Test plan

  • Run against a local app (e.g. localhost:3000) — confirm authorization gate fires when target is provided without confirmation
  • Confirm graceful degradation when subfinder/nuclei are not installed
  • Confirm report generates at /tmp/pentest-<slug>/report.md
  • Confirm /pentest --report opens the latest report

🤖 Generated with Claude Code
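The fingerprint-phase security-header check, the insecure-cookie check, the authorization gate and the severity-table report described above, as an added example in Python that is not code from this PR or from the repository. The expected header list, severity levels, remediation text and the sample response headers are assumptions constructed for the example.

```python
# Added example, not PR code: expected headers, severities, remediation text and the
# sample response below are assumptions constructed to illustrate the described phases.
from __future__ import annotations
from dataclasses import dataclass

# Expected header -> (severity when absent, remediation text carried into the report).
EXPECTED_HEADERS = {
    "strict-transport-security": ("Medium", "Send HSTS with a max-age of at least one year."),
    "content-security-policy": ("Medium", "Define a CSP that restricts script sources."),
    "x-content-type-options": ("Low", "Send 'X-Content-Type-Options: nosniff'."),
    "x-frame-options": ("Low", "Send 'X-Frame-Options: DENY' or CSP frame-ancestors."),
}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

@dataclass(frozen=True)
class Finding:
    title: str
    severity: str
    remediation: str

def authorization_gate(target: str, confirmed: bool) -> None:
    """Hard stop: nothing runs unless the user explicitly confirmed this target."""
    if not confirmed:
        raise PermissionError(f"scan of {target} not authorized: confirmation required")

def check_security_headers(headers: dict[str, str]) -> list[Finding]:
    """Flag missing hardening headers and an insecure Set-Cookie; names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [Finding(f"Missing {name} header", sev, fix)
                for name, (sev, fix) in EXPECTED_HEADERS.items() if name not in lower]
    attrs = {a.strip().lower() for a in lower.get("set-cookie", "").split(";")}
    if "set-cookie" in lower and not {"secure", "httponly"} <= attrs:
        findings.append(Finding("Cookie lacks Secure/HttpOnly", "Medium",
                                "Set the Secure and HttpOnly attributes on session cookies."))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])  # stable: keeps check order

def render_report(target: str, findings: list[Finding]) -> str:
    """Markdown report: severity table first, then per-finding remediation."""
    lines = [f"# Pentest report: {target}", "", "| Severity | Finding |", "|---|---|"]
    lines += [f"| {f.severity} | {f.title} |" for f in findings]
    for f in findings:
        lines += ["", f"## {f.title}", f"Severity: {f.severity}", f"Remediation: {f.remediation}"]
    return "\n".join(lines) + "\n"

# Constructed response headers standing in for the fingerprint phase's HTTP probe.
SAMPLE_HEADERS = {"Server": "nginx", "X-Content-Type-Options": "nosniff",
                  "Set-Cookie": "session=abc123; Path=/"}

if __name__ == "__main__":
    authorization_gate("app.example.com", confirmed=True)
    print(render_report("app.example.com", check_security_headers(SAMPLE_HEADERS)))
```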

Four-phase active pentest: recon, fingerprint, vuln scan, report.
Checks 20+ vuln classes (SQLi, XSS, SSRF, IDOR, open redirect, CORS,
sensitive file exposure, auth/session weaknesses). Uses whatever tools
are installed (subfinder, nmap, nuclei, httpx, whatweb) and degrades
gracefully to curl-based probes when they are not. Generates a
structured Markdown report with severity-gated findings.

Complements /cso (static code + config audit) with live surface testing.
Authorization confirmation is required before any scan runs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>