القائمة
Web application enumeration hub — directory/file fuzzing, vhost discovery, API enumeration, CMS scanning, WAF detection, auth surface mapping, cookie audit.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.
IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.
Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.
Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.
Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.
Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.
| name | web-recon |
| description | Web application enumeration hub — directory/file fuzzing, vhost discovery, API enumeration, CMS scanning, WAF detection, auth surface mapping, cookie audit. |
| allowed-tools | Read |
| metadata | {"subdomain":"reconnaissance","when_to_use":"web recon, web application enumeration, web app fingerprint","tags":"web-recon","mitre_attack":"T1595.003, T1592.004"} |
Sub-skills under this directory:
| Sub-skill | Path | When to load |
|---|---|---|
| Discovery | load_skill("/skills/standard/recon/web-recon/discovery/SKILL.md") | directory/file fuzzing, vhost, JS analysis |
| API enumeration | load_skill("/skills/standard/recon/web-recon/api-enumeration/SKILL.md") | REST/GraphQL/parameter fuzzing |
| CMS scanning | load_skill("/skills/standard/recon/web-recon/cms-scanning/SKILL.md") | WordPress/Joomla/Drupal detected |
| WAF detection | load_skill("/skills/standard/recon/web-recon/waf-detection/SKILL.md") | proxy/CDN suspected |
| Auth mapping | load_skill("/skills/standard/recon/web-recon/auth-mapping/SKILL.md") | login flow analysis |
| Cookie audit | load_skill("/skills/standard/recon/web-recon/cookie-audit/SKILL.md") | sink behind session, race-condition recon |
Overall recon workflow, scope rules, and handoff format are loaded into your system prompt at agent boot — no load_skill call needed for them.
When the orchestrator passes challenge tags, skip straight to the matching sub-skill:
| Tag | First action | Sub-skill to load |
|---|---|---|
sqli | Fire a single error-triggering payload on every form/param | /skills/standard/exploit/web/sqli/SKILL.md recon section |
ssti | Probe every reflection point with {{7*7}} | /skills/standard/exploit/web/ssti/SKILL.md recon section |
lfi | Path-traversal probe on every file/path param | discovery.md |
idor | Enumerate object IDs on every user-data endpoint | api-enumeration.md |
auth | Map the full auth flow before other recon | auth-mapping.md |
When iterating parameters (IDs, pages, paths), always deduplicate via recon/probed.txt to avoid re-probing the same URLs after context summarization:
URL="http://<TARGET>/api/resource/$ID"
if grep -Fxq "$URL" recon/probed.txt 2>/dev/null; then
echo "SKIP: $URL"
else
echo "$URL" >> recon/probed.txt
curl -sS "$URL" -o /tmp/probe.html -w '%{http_code}\n'
head -10 /tmp/probe.html
fi
Resume rule: Before any scan loop, check tail -1 recon/probed.txt to find the last probed item and continue from there — not from the beginning.
Stop rule: If 5 consecutive probes return the same status code + same response size (±50 bytes), stop that enumeration axis and pivot to a different surface.
./
├── ffuf_<target>_dirs.json # Directory fuzzing results
├── ffuf_<target>_vhosts.json # Virtual host discovery
├── ffuf_<target>_api.json # API endpoint fuzzing
├── web_sensitive_<target>.txt # Sensitive file check results
├── js_endpoints_<target>.txt # Extracted JS endpoints
├── wpscan_<target>.json # WordPress scan (if applicable)
└── web_recon_<target>_summary.md # Consolidated web findings