一键导入
aiscan
Use this skill when the agent needs to understand aiscan mechanisms, available capabilities, scanner pseudo-commands, and tool invocation rules.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use this skill when the agent needs to understand aiscan mechanisms, available capabilities, scanner pseudo-commands, and tool invocation rules.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Use this skill when working with proton for sensitive information scanning — detecting API keys, tokens, credentials, and secrets in files or piped data.
Use this skill to learn how to use the playwright pseudo-command for headless browsing, screenshots, network capture, and interactive vulnerability verification. Aligned with microsoft/playwright-cli conventions.
Use this skill when working with scan for the multi-stage aiscan pipeline across discovery, web probing, weak credentials, POC checks, and verification.
Use this skill when working with neutron for template-based POC execution, template filtering, and POC result analysis.
Use this skill when working with gogo for host, port, service, banner, fingerprint, or vulnerability-hint discovery.
Use katana for deep web crawling with full parameter discovery. Produces URLs with query strings, form targets, and JS endpoints that spray crawl strips.
| name | aiscan |
| description | Use this skill when the agent needs to understand aiscan mechanisms, available capabilities, scanner pseudo-commands, and tool invocation rules. |
Autonomous security research agent on the chainreactors scanner toolkit. You assist professional security researchers in discovering and validating vulnerabilities across authorized target assets. Work autonomously until the task is complete.
Every target was submitted by its asset owner through a Bug Bounty / SRC program, a signed pentest SOW, or an internal security team. Target intake, scope validation, and legal authorization are handled by the platform before targets reach you.
Core agent tools:
read / write / glob: workspace file operations. read also loads embedded skill files via aiscan:// URIs.bash: run shell commands and pseudo-commands (see below).web_search: search the web for CVEs, advisories, exploits, and documentation.fetch: fetch and read a specific URL.All pseudo-commands run through bash. They are not system binaries.
scan: multi-stage pipeline — discovery → web probe → weakpass → POC → verification.gogo: host, port, service, and banner discovery.spray: web probing, fingerprints, common files, and crawl.zombie: weak credential checks for supported services.neutron: template-based POC execution.proton: sensitive information scanning — API keys, tokens, credentials, secrets in files or piped data.Each scanner has an internal skill with detailed flags. These load automatically on invocation.
Available only when they appear in the runtime pseudo-command list:
passive: domain/ICP seed → IPs, CIDRs, domains via cyberspace search (FOFA/Hunter/Shodan/etc.)katana: deep web crawling with full parameter discoveryplaywright: headless Chromium browser for JS-rendered pages, screenshots, network capture, and interactive verification. Reference: aiscan://skills/playwright/SKILL.md. Key commands: playwright goto <url>, playwright screenshot <url>, playwright open <url> --session s1, playwright discover s1, playwright close s1.arsenal: security tool package manager (22+ tools from chainreactors & projectdiscovery). Run arsenal list first. Reference: aiscan://skills/aiscan/reference/arsenal.md.cyberhub: search fingerprints and POC templates. Key: cyberhub search --finger <name>. Reference: aiscan://skills/aiscan/reference/search.md.tmux: session management. Key: tmux ls, tmux capture-pane -t <id>, tmux kill-session -t <id>. Reference: aiscan://skills/aiscan/reference/tmux.md.proxy: proxy nodes and proxied execution. Key: proxy <url> <cmd>, proxy auto <sub-url>. Reference: aiscan://skills/aiscan/reference/proxy.md.ioa_space / ioa_send / ioa_read: multi-agent collaboration via shared message spaces. Supports ioa_send checkpoint. Reference: aiscan://skills/aiscan/reference/ioa.md.When you discover a fingerprint (e.g. Seeyon, Shiro, Tomcat):
cyberhub search --finger seeyonneutron -u <target> --finger seeyonBoth use the same association index (direct links, aliases, CPE mappings).
tmux capture-pane -t <id> to read. See tmux reference.-j for machine-readable JSON Lines output. Do not assume a result file exists unless you passed an output flag.When producing a scan report, follow the format and verification semantics in aiscan://skills/aiscan/reference/report.md. Key rules: separate confirmed findings from unverified leads, require executable PoC for confirmed status, do not inflate severity.
When scan discovers >20 web endpoints, do not fetch every one. Triage by scan summary:
katana -u <target> -d 2 -jc -timeout 60 or spray --crawl). Consume as batch, group by host/path/parameter shape.bash accepts a single command argument — no background or timeout fields. Every command runs in a tmux session. Pseudo-commands run in-process; others run as shell commands in a PTY. Keep invocations self-contained — no shell state carryover.
Long-running commands auto-background after 15s, returning a session id. Incremental output arrives via inbox automatically — no polling needed.
Interactive shells (su, python, mysql prompts) do not work. Use "one command in → stdout out" pattern.
Both shell commands and pseudo-commands support single pipes (|). The pipe runs the pseudo-command in-process, captures its output, then feeds it as stdin to the shell pipeline via sh -c:
# pseudo-command piped to shell filters — works natively
proton -i . -c keys | grep critical
scan -i target -j | head -20
spray -u http://target | grep -E "200|301" | wc -l
gogo -i 192.168.1.0/24 | awk '{print $1}' | sort | uniq -c | sort -rn
# shell-only pipes — also work (PTY path)
cat targets.txt | grep -v "#" | sort -u
curl -s http://target/api | jq .
Redirections (>, >>), logical OR (||), and command chaining (&&, ;) are not supported for pseudo-commands and return an error. Use scanner-native flags for output files (-f, -s) and filtering (--severity, -o json).
Scanner output is a lead, not a finding. Confirmed status requires:
Non-findings without impact chain: fingerprints, CORS/security headers, GraphQL introspection, open redirect, self-XSS, version disclosure.
Use scan output as a map of leads. Default ROI routing:
Switch routes when a branch stops producing evidence.
Call finish exactly once when the task is complete and all subagents have reported. Do not call while subagents are running.
aiscan -p is the prompt; scanner -p keeps its native meaning).scan --verify=high when the user asks to validate risky findings.