Shannon AI渗透测试工具：Web应用与API自动化安全测试，覆盖OWASP Top 10漏洞

shannon by unicodeveloper/shannon

511 周安装量

8 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/unicodeveloper/shannon --skill shannon

自动化测试安全

🇨🇳中文介绍

Shannon：面向 Web 应用与 API 的自主 AI 渗透测试工具

权限概述： 此技能用于协调 Shannon，一个基于 Docker 的渗透测试工具，可对目标应用程序主动执行攻击。它会在本地克隆/更新 Shannon 代码库，运行 Docker 容器，并读取渗透测试报告。Shannon 会执行真实的漏洞利用——请仅针对您拥有或已获得明确书面授权进行测试的应用程序运行。 切勿针对生产系统运行。

Shannon 会分析您的源代码，识别攻击向量，并在漏洞进入生产环境之前执行真实的漏洞利用来证明其存在。在 XBOW 安全基准测试中达到 96.15% 的漏洞利用成功率。覆盖 OWASP Top 10：注入、XSS、SSRF、身份验证失效、授权失效等。

关键：安全检查（务必首先执行）

在执行任何操作之前，您必须确认：

授权：询问用户——“您是否有明确的授权对此目标进行渗透测试？” 如果他们回答没有或不确定，请立即停止并解释他们需要获得系统所有者的书面许可。
环境：确认目标是本地、预发布或沙盒环境——切勿是生产环境。
范围：明确他们希望测试的内容（完整渗透测试 vs 特定类别）。

⚠️  Shannon 会执行具有变更效果的真实攻击。

├─ 仅对您拥有或已获得书面授权进行测试的系统运行
├─ 切勿针对生产环境
├─ 结果需要人工审核——LLM 输出可能包含幻觉
└─ 您有责任遵守所有适用的法律

在每次渗透测试运行前显示此警告。如果用户已在此会话中确认授权，则简要提醒即可。

解析用户意图

从用户输入中提取：

TARGET_URL：要进行渗透测试的 URL（例如，http://localhost:3000，）

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 0：确保 Shannon 已安装

检查 Shannon 是否已在本地克隆：

SHANNON_HOME="${SHANNON_HOME:-$HOME/shannon}"

if [ -d "$SHANNON_HOME" ] && [ -f "$SHANNON_HOME/shannon" ]; then
  echo "Shannon 位于 $SHANNON_HOME"
  cd "$SHANNON_HOME" && git pull --ff-only 2>/dev/null || true
else
  echo "未找到 Shannon。正在克隆..."
  git clone https://github.com/KeygraphHQ/shannon.git "$SHANNON_HOME"
fi

# 验证 Docker 是否可用
if command -v docker &>/dev/null; then
  echo "Docker: $(docker --version)"
else
  echo "错误：需要 Docker。请安装 Docker Desktop：https://docker.com/products/docker-desktop"
  exit 1
fi

如果 Shannon 未安装，则克隆它并通知用户。如果缺少 Docker，则停止并告知他们安装。

SHANNON_HOME 默认为 ~/shannon。用户可以通过 SHANNON_HOME 环境变量覆盖。

步骤 1：准备源代码

Shannon 需要将目标的源代码放在 $SHANNON_HOME/repos/{REPO_NAME}/ 中。

询问用户其源代码的位置：

# 如果用户提供本地路径
REPO_PATH="/path/to/their/source"
REPO_NAME="myapp"

# 创建符号链接或复制到 Shannon 的 repos 目录
mkdir -p "$SHANNON_HOME/repos"
if [ ! -d "$SHANNON_HOME/repos/$REPO_NAME" ]; then
  ln -s "$(realpath "$REPO_PATH")" "$SHANNON_HOME/repos/$REPO_NAME"
  echo "已链接 $REPO_PATH → repos/$REPO_NAME"
fi

如果用户提供的是 GitHub URL：

cd "$SHANNON_HOME/repos"
git clone "$GITHUB_URL" "$REPO_NAME"

步骤 2：配置身份验证（如果需要）

如果目标需要登录，帮助用户创建 YAML 配置文件：

# $SHANNON_HOME/configs/target-config.yaml
authentication:
  type: form            # "form" 或 "sso"
  login_url: "http://localhost:3000/login"
  credentials:
    username: "admin"
    password: "password123"
  flow: "Navigate to login page, enter username and password, click Sign In"
  success_condition:
    url_contains: "/dashboard"

rules:
  avoid:
    - "/logout"
    - "/admin/delete"
  focus:
    - "/api/"
    - "/auth/"

pipeline:
  max_concurrent_pipelines: 5  # 1-5，默认 5

仅当目标需要身份验证或有特定范围规则时才创建配置文件。 对于开放/无需身份验证的目标，则不需要配置。

步骤 3：验证 API 凭据

检查 AI 提供商凭据是否可用：

cd "$SHANNON_HOME"

# 检查 Anthropic API 密钥（主要）
if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
  echo "✅ ANTHROPIC_API_KEY 已设置"
elif [ -n "${CLAUDE_CODE_OAUTH_TOKEN:-}" ]; then
  echo "✅ CLAUDE_CODE_OAUTH_TOKEN 已设置"
elif [ "${CLAUDE_CODE_USE_BEDROCK:-}" = "1" ]; then
  echo "✅ AWS Bedrock 模式已启用"
elif [ "${CLAUDE_CODE_USE_VERTEX:-}" = "1" ]; then
  echo "✅ Google Vertex AI 模式已启用"
else
  echo "❌ 未找到 AI 凭据。"
  echo "请设置以下之一：ANTHROPIC_API_KEY、CLAUDE_CODE_OAUTH_TOKEN，或启用 Bedrock/Vertex"
  exit 1
fi

如果未找到凭据，请解释选项：

直接 API（推荐）：export ANTHROPIC_API_KEY=sk-ant-...
OAuth：export CLAUDE_CODE_OAUTH_TOKEN=...
AWS Bedrock：export CLAUDE_CODE_USE_BEDROCK=1 + AWS 凭据
Google Vertex：export CLAUDE_CODE_USE_VERTEX=1 + ./credentials/ 中的服务账户

同时建议：export CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000

步骤 4：启动渗透测试

关键：在启动前与用户确认。 显示完整命令并等待批准。

cd "$SHANNON_HOME"

# 构建命令
CMD="./shannon start URL={TARGET_URL} REPO={REPO_NAME}"

# 添加可选标志
# CONFIG=configs/target-config.yaml  （如果存在身份验证配置）
# WORKSPACE={WORKSPACE}              （如果用户指定）
# OUTPUT=./audit-logs/               （默认）

echo "准备启动："
echo "  $CMD"
echo ""
echo "这将启动 Docker 容器并开始渗透测试。"
echo "运行时间：约 1-1.5 小时 │ 成本：约 \$50 (Claude Sonnet)"

用户确认后，在后台运行：

cd "$SHANNON_HOME" && ./shannon start URL={TARGET_URL} REPO={REPO_NAME} {EXTRA_FLAGS}

使用 run_in_background: true 并设置 600000 毫秒的超时（初始设置 10 分钟）。渗透测试本身在 Docker 中运行，并将独立继续。

步骤 5：监控进度

在渗透测试运行时，用户可以检查状态：

cd "$SHANNON_HOME"

# 列出活动的工作空间
./shannon workspaces

# 查看特定工作流的日志
./shannon logs ID={workflow-id}

解释 5 阶段流水线：

Shannon 流水线（5 个阶段，尽可能并行）：
├─ 阶段 1：预侦察 — 源代码分析 + 外部扫描（Nmap, Subfinder, WhatWeb）
├─ 阶段 2：侦察 — 通过浏览器自动化进行实时攻击面映射
├─ 阶段 3：漏洞分析 — 5 个并行代理（注入、XSS、SSRF、身份验证、授权）
├─ 阶段 4：漏洞利用 — 专用代理执行真实攻击以验证发现
└─ 阶段 5：报告 — 包含可复现 PoC 的执行摘要

步骤 6：读取和解释结果

报告保存在 $SHANNON_HOME/audit-logs/{hostname}_{sessionId}/。

cd "$SHANNON_HOME"

# 查找最新报告
LATEST=$(ls -td audit-logs/*/ 2>/dev/null | head -1)
if [ -n "$LATEST" ]; then
  echo "最新报告：$LATEST"
  # 查找主报告文件
  find "$LATEST" -name "*.md" -type f | head -5
fi

读取报告并呈现摘要：

🔐 Shannon 渗透测试报告：{TARGET}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🔴 严重：{N} 个漏洞
🟠 高危：{N} 个漏洞
🟡 中危：{N} 个漏洞
🔵 低危：{N} 个漏洞

主要发现：
1. [严重] {漏洞类型} — {位置} — PoC：{简要描述}
2. [高危] {漏洞类型} — {位置} — PoC：{简要描述}
3. ...

每个发现都包含一个可复现的概念验证漏洞利用。

重要：Shannon 的“无漏洞利用，无报告”策略意味着每个发现都有一个可工作的 PoC。 但提醒用户，LLM 生成的内容需要人工审核。

cd "$SHANNON_HOME" && ./shannon workspaces

cd "$SHANNON_HOME" && ./shannon logs ID={workflow-id}

cd "$SHANNON_HOME" && ./shannon stop

停止并清理所有数据

# 破坏性操作 — 请先与用户确认
cd "$SHANNON_HOME" && ./shannon stop CLEAN=true

恢复之前的工作空间

cd "$SHANNON_HOME" && ./shannon start URL={URL} REPO={REPO} WORKSPACE={name}

如果用户的应用运行在 localhost 上，请解释：

Shannon 在 Docker 内部运行。要访问您的本地应用：
├─ 使用 http://host.docker.internal:{PORT} 代替 http://localhost:{PORT}
├─ macOS/Windows：使用 Docker Desktop 可自动工作
└─ Linux：在 docker run 命令中添加 --add-host=host.docker.internal:host-gateway

在命令中自动将 localhost URL 转换为 host.docker.internal。

变量	是否必需	描述
`ANTHROPIC_API_KEY`	其中之一	直接的 Anthropic API 密钥
`CLAUDE_CODE_OAUTH_TOKEN`	必需	Anthropic OAuth 令牌
`CLAUDE_CODE_USE_BEDROCK`		设置为 `1` 以使用 AWS Bedrock
`CLAUDE_CODE_USE_VERTEX`		设置为 `1` 以使用 Google Vertex AI
`CLAUDE_CODE_MAX_OUTPUT_TOKENS`	推荐	设置为 `64000`
`SHANNON_HOME`	可选	Shannon 安装目录（默认：`~/shannon`）

部分	字段	描述
`authentication.type`	`form` / `sso`	登录方法
`authentication.login_url`	URL	登录页面
`authentication.credentials`	object	username, password, totp_secret
`authentication.flow`	string	自然语言登录说明
`authentication.success_condition`	object	`url_contains` 或 `element_present`
`rules.avoid`	list	要跳过的路径/子域名
`rules.focus`	list	要优先处理的路径/子域名
`pipeline.retry_preset`	`subscription`	针对受速率限制计划的扩展退避
`pipeline.max_concurrent_pipelines`	1-5	并行代理数量（默认：5）

Shannon 测试 5 个 OWASP 类别下的 50 多个特定案例：

类别	示例
注入	SQL 注入、命令注入、SSTI、NoSQL 注入
XSS	反射型、存储型、DOM 型、通过文件上传
SSRF	内部服务访问、云元数据、协议走私
身份验证失效	默认凭据、JWT 缺陷、会话固定、MFA 绕过、CSRF
授权失效	IDOR、权限提升、路径遍历、强制浏览

集成的安全工具（捆绑在 Docker 中）

Nmap — 端口扫描和服务检测
Subfinder — 子域名枚举
WhatWeb — Web 技术指纹识别
Schemathesis — 基于 API 模式的模糊测试
Chromium — 用于自动化漏洞利用的无头浏览器（Playwright）

在本次对话的其余部分，请记住：

SHANNON_HOME：Shannon 安装路径
TARGET_URL：正在测试的 URL
REPO_NAME：源代码文件夹名称
WORKSPACE：工作空间名称（如果有）
PENTEST_STATUS：运行中 / 已完成 / 已停止

当用户提出后续问题时：

检查渗透测试状态并报告进度
从 audit-logs 中读取并解释新的发现
帮助修复已发现的漏洞并提供代码修复方案
解释 PoC 漏洞利用及其影响

此技能的功能：

从 GitHub 克隆/更新 Shannon 代码库到 ~/shannon（或 $SHANNON_HOME）
将用户的源代码创建符号链接到 ~/shannon/repos/
通过 ./shannon CLI 启动 Docker 容器（Temporal 服务器、工作器、可选路由器）
从 ~/shannon/audit-logs/ 读取渗透测试报告
可选地在 ~/shannon/configs/ 中创建 YAML 配置文件

Shannon 的功能（在 Docker 内部）：

对目标 URL 执行真实的漏洞利用（SQL 注入、XSS、SSRF 等）
使用 Nmap、Subfinder、WhatWeb、Schemathesis 进行扫描
通过无头 Chromium 自动化浏览器交互
向 Anthropic API（或 Bedrock/Vertex）发送提示以进行推理
将报告写入 audit-logs/ 目录

此技能不执行的操作：

未经用户确认，不针对任何系统
不存储或传输超出已配置提供商的 API 密钥
不修改用户的源代码
除非明确指示（它会发出警告），否则不访问生产系统
没有 Docker 无法运行——所有攻击工具都已容器化

首次使用前请查看 Shannon 源代码： https://github.com/KeygraphHQ/shannon

🇺🇸English

Shannon: Autonomous AI Pentester for Web Apps & APIs

Permissions overview: This skill orchestrates Shannon, a Docker-based pentesting tool that actively executes attacks against a target application. It clones/updates the Shannon repo locally, runs Docker containers, and reads pentest reports. Shannon performs real exploits — only run against apps you own or have explicit written authorization to test. Never run against production systems.

Shannon analyzes your source code, identifies attack vectors, and executes real exploits to prove vulnerabilities before they reach production. 96.15% exploit success rate on the XBOW security benchmark. Covers OWASP Top 10: Injection, XSS, SSRF, Broken Auth, Broken AuthZ, and more.

CRITICAL: Safety Checks (ALWAYS run first)

Before doing ANYTHING, you MUST confirm:

Authorization : Ask the user — "Do you have explicit authorization to pentest this target?" If they say no or are unsure, STOP and explain they need written permission from the system owner.
Environment : Confirm the target is a local, staging, or sandboxed environment — NEVER production.
Scope : Clarify what they want tested (full pentest vs specific category).

⚠️  Shannon executes REAL ATTACKS with mutative effects.

├─ Only run on systems you OWN or have WRITTEN AUTHORIZATION to test
├─ Never target production environments
├─ Results require human review — LLM output may contain hallucinations
└─ You are responsible for complying with all applicable laws

Display this warning BEFORE every pentest run. If the user has already confirmed authorization in this session, a brief reminder suffices.

Parse User Intent

Extract from the user's input:

TARGET_URL : The URL to pentest (e.g., http://localhost:3000, http://staging.example.com)
REPO_NAME : The source code folder name (placed in ./repos/ inside Shannon)
SCOPE : Full pentest (default) or specific categories (injection, xss, ssrf, auth, authz)
WORKSPACE : Named workspace for resume capability (optional)
CONFIG : Custom YAML config path (optional, for auth flows, focus/avoid rules)

Common invocation patterns:

/shannon http://localhost:3000 myapp → Full pentest of local app
/shannon --workspace=audit1 http://staging.example.com backend-api → Named workspace for resuming
/shannon --scope=xss,injection http://localhost:8080 frontend → Targeted categories
/shannon status → Check running pentests
/shannon results → Show latest report
/shannon stop → Stop running pentest

Display parsed intent:

🔐 Shannon Pentest
├─ Target: {TARGET_URL}
├─ Source: repos/{REPO_NAME}
├─ Scope: {SCOPE or "Full (all 5 OWASP categories)"}
├─ Workspace: {WORKSPACE or "auto-generated"}
└─ Config: {CONFIG or "default"}

Estimated runtime: 1–1.5 hours │ Estimated cost: ~$50 (Claude Sonnet)

Step 0: Ensure Shannon is Installed

Check if Shannon is cloned locally:

SHANNON_HOME="${SHANNON_HOME:-$HOME/shannon}"

if [ -d "$SHANNON_HOME" ] && [ -f "$SHANNON_HOME/shannon" ]; then
  echo "Shannon found at $SHANNON_HOME"
  cd "$SHANNON_HOME" && git pull --ff-only 2>/dev/null || true
else
  echo "Shannon not found. Cloning..."
  git clone https://github.com/KeygraphHQ/shannon.git "$SHANNON_HOME"
fi

# Verify Docker is available
if command -v docker &>/dev/null; then
  echo "Docker: $(docker --version)"
else
  echo "ERROR: Docker is required. Install Docker Desktop: https://docker.com/products/docker-desktop"
  exit 1
fi

If Shannon is not installed, clone it and inform the user. If Docker is missing, stop and tell them to install it.

SHANNON_HOME defaults to ~/shannon. Users can override with SHANNON_HOME env var.

Step 1: Prepare Source Code

Shannon needs the target's source code in $SHANNON_HOME/repos/{REPO_NAME}/.

Ask the user where their source code is:

# If user provides a local path
REPO_PATH="/path/to/their/source"
REPO_NAME="myapp"

# Create symlink or copy into Shannon's repos directory
mkdir -p "$SHANNON_HOME/repos"
if [ ! -d "$SHANNON_HOME/repos/$REPO_NAME" ]; then
  ln -s "$(realpath "$REPO_PATH")" "$SHANNON_HOME/repos/$REPO_NAME"
  echo "Linked $REPO_PATH → repos/$REPO_NAME"
fi

If the user provides a GitHub URL instead:

cd "$SHANNON_HOME/repos"
git clone "$GITHUB_URL" "$REPO_NAME"

Step 2: Configure Authentication (if needed)

If the target requires login, help the user create a YAML config:

# $SHANNON_HOME/configs/target-config.yaml
authentication:
  type: form            # "form" or "sso"
  login_url: "http://localhost:3000/login"
  credentials:
    username: "admin"
    password: "password123"
  flow: "Navigate to login page, enter username and password, click Sign In"
  success_condition:
    url_contains: "/dashboard"

rules:
  avoid:
    - "/logout"
    - "/admin/delete"
  focus:
    - "/api/"
    - "/auth/"

pipeline:
  max_concurrent_pipelines: 5  # 1-5, default 5

Only create a config if the target requires authentication or has specific scope rules. For open/unauthenticated targets, no config is needed.

Step 3: Verify API Credentials

Check that AI provider credentials are available:

cd "$SHANNON_HOME"

# Check for Anthropic API key (primary)
if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
  echo "✅ ANTHROPIC_API_KEY is set"
elif [ -n "${CLAUDE_CODE_OAUTH_TOKEN:-}" ]; then
  echo "✅ CLAUDE_CODE_OAUTH_TOKEN is set"
elif [ "${CLAUDE_CODE_USE_BEDROCK:-}" = "1" ]; then
  echo "✅ AWS Bedrock mode enabled"
elif [ "${CLAUDE_CODE_USE_VERTEX:-}" = "1" ]; then
  echo "✅ Google Vertex AI mode enabled"
else
  echo "❌ No AI credentials found."
  echo "Set one of: ANTHROPIC_API_KEY, CLAUDE_CODE_OAUTH_TOKEN, or enable Bedrock/Vertex"
  exit 1
fi

If no credentials are found, explain the options:

Direct API (recommended): export ANTHROPIC_API_KEY=sk-ant-...
OAuth : export CLAUDE_CODE_OAUTH_TOKEN=...
AWS Bedrock : export CLAUDE_CODE_USE_BEDROCK=1 + AWS credentials
Google Vertex : export CLAUDE_CODE_USE_VERTEX=1 + service account in ./credentials/

Also recommend: export CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000

Step 4: Launch the Pentest

CRITICAL: Confirm with the user before launching. Display the full command and wait for approval.

cd "$SHANNON_HOME"

# Build the command
CMD="./shannon start URL={TARGET_URL} REPO={REPO_NAME}"

# Add optional flags
# CONFIG=configs/target-config.yaml  (if auth config exists)
# WORKSPACE={WORKSPACE}              (if user specified)
# OUTPUT=./audit-logs/               (default)

echo "Ready to launch:"
echo "  $CMD"
echo ""
echo "This will start Docker containers and begin the pentest."
echo "Runtime: ~1-1.5 hours │ Cost: ~\$50 (Claude Sonnet)"

After user confirms, run in background:

cd "$SHANNON_HOME" && ./shannon start URL={TARGET_URL} REPO={REPO_NAME} {EXTRA_FLAGS}

Use run_in_background: true with a timeout of 600000ms (10 minutes for initial setup). The pentest itself runs in Docker and will continue independently.

Step 5: Monitor Progress

While the pentest runs, the user can check status:

cd "$SHANNON_HOME"

# List active workspaces
./shannon workspaces

# View logs for a specific workflow
./shannon logs ID={workflow-id}

Explain the 5-phase pipeline:

Shannon Pipeline (5 phases, parallel where possible):
├─ Phase 1: Pre-Recon — Source code analysis + external scans (Nmap, Subfinder, WhatWeb)
├─ Phase 2: Recon — Live attack surface mapping via browser automation
├─ Phase 3: Vulnerability Analysis — 5 parallel agents (Injection, XSS, SSRF, Auth, AuthZ)
├─ Phase 4: Exploitation — Dedicated agents execute real attacks to validate findings
└─ Phase 5: Reporting — Executive summary with reproducible PoCs

Step 6: Read and Interpret Results

Reports are saved to $SHANNON_HOME/audit-logs/{hostname}_{sessionId}/.

cd "$SHANNON_HOME"

# Find the latest report
LATEST=$(ls -td audit-logs/*/ 2>/dev/null | head -1)
if [ -n "$LATEST" ]; then
  echo "Latest report: $LATEST"
  # Find the main report file
  find "$LATEST" -name "*.md" -type f | head -5
fi

Read the report and present a summary:

🔐 Shannon Pentest Report: {TARGET}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🔴 Critical: {N} vulnerabilities
🟠 High:     {N} vulnerabilities
🟡 Medium:   {N} vulnerabilities
🔵 Low:      {N} vulnerabilities

Top Findings:
1. [CRITICAL] {Vuln type} — {location} — PoC: {brief description}
2. [HIGH] {Vuln type} — {location} — PoC: {brief description}
3. ...

Each finding includes a reproducible proof-of-concept exploit.

IMPORTANT: Shannon's "no exploit, no report" policy means every finding has a working PoC. But remind the user that LLM-generated content requires human review.

Utility Commands

Check status

cd "$SHANNON_HOME" && ./shannon workspaces

View logs

cd "$SHANNON_HOME" && ./shannon logs ID={workflow-id}

Stop pentest

cd "$SHANNON_HOME" && ./shannon stop

Stop and clean up all data

# DESTRUCTIVE — confirm with user first
cd "$SHANNON_HOME" && ./shannon stop CLEAN=true

Resume a previous workspace

cd "$SHANNON_HOME" && ./shannon start URL={URL} REPO={REPO} WORKSPACE={name}

Targeting Local Apps

If the user's app runs on localhost, explain:

Shannon runs inside Docker. To reach your local app:
├─ Use http://host.docker.internal:{PORT} instead of http://localhost:{PORT}
├─ macOS/Windows: works automatically with Docker Desktop
└─ Linux: add --add-host=host.docker.internal:host-gateway to docker run

Automatically translate localhost URLs to host.docker.internal in the command.

Configuration Reference

Environment Variables

Variable	Required	Description
`ANTHROPIC_API_KEY`	One of these	Direct Anthropic API key
`CLAUDE_CODE_OAUTH_TOKEN`	required	Anthropic OAuth token
`CLAUDE_CODE_USE_BEDROCK`		Set to `1` for AWS Bedrock
`CLAUDE_CODE_USE_VERTEX`		Set to `1` for Google Vertex AI

YAML Config Options

Section	Field	Description
`authentication.type`	`form` / `sso`	Login method
`authentication.login_url`	URL	Login page
`authentication.credentials`	object	username, password, totp_secret
`authentication.flow`	string

Vulnerability Coverage

Shannon tests 50+ specific cases across 5 OWASP categories:

Category	Examples
Injection	SQL injection, command injection, SSTI, NoSQL injection
XSS	Reflected, stored, DOM-based, via file upload
SSRF	Internal service access, cloud metadata, protocol smuggling
Broken Auth	Default creds, JWT flaws, session fixation, MFA bypass, CSRF
Broken AuthZ	IDOR, privilege escalation, path traversal, forced browsing

Integrated Security Tools (bundled in Docker)

Nmap — port scanning and service detection
Subfinder — subdomain enumeration
WhatWeb — web technology fingerprinting
Schemathesis — API schema-based fuzzing
Chromium — headless browser for automated exploitation (Playwright)

Context Memory

For the rest of this conversation, remember:

SHANNON_HOME : Path to Shannon installation
TARGET_URL : The URL being tested
REPO_NAME : Source code folder name
WORKSPACE : Workspace name (if any)
PENTEST_STATUS : running / completed / stopped

When the user asks follow-up questions:

Check pentest status and report on progress
Read and interpret new findings from audit-logs
Help remediate discovered vulnerabilities with code fixes
Explain PoC exploits and their impact

Security & Permissions

What this skill does:

Clones/updates the Shannon repo from GitHub to ~/shannon (or $SHANNON_HOME)
Creates symlinks from user's source code into ~/shannon/repos/
Starts Docker containers (Temporal server, worker, optional router) via ./shannon CLI
Reads pentest reports from ~/shannon/audit-logs/
Optionally creates YAML config files in ~/shannon/configs/

What Shannon does (inside Docker):

Executes real exploits against the target URL (SQL injection, XSS, SSRF, etc.)
Scans with Nmap, Subfinder, WhatWeb, Schemathesis
Automates browser interactions via headless Chromium
Sends prompts to Anthropic API (or Bedrock/Vertex) for reasoning
Writes reports to audit-logs/ directory

What this skill does NOT do:

Does not target any system without user confirmation
Does not store or transmit API keys beyond the configured provider
Does not modify the user's source code
Does not access production systems unless explicitly directed (which it warns against)
Does not run without Docker — all attack tools are containerized

Review the Shannon source code before first use: https://github.com/KeygraphHQ/shannon

Weekly Installs

511

Repository

unicodeveloper/shannon

GitHub Stars

First Seen

Mar 9, 2026

Security Audits

Gen Agent Trust HubWarn SocketPass SnykWarn

Installed on

codex492

cursor492

opencode491

github-copilot490

gemini-cli490

kimi-cli490

Better Auth 身份验证技能指南：为 TypeScript/JavaScript 应用添加认证

11,500 周安装