一键导入
nuclei
Exact Nuclei command structure, template selection, staged scanning workflow, and bounded high-throughput execution controls with timeout backoff.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Exact Nuclei command structure, template selection, staged scanning workflow, and bounded high-throughput execution controls with timeout backoff.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
| name | nuclei |
| description | Exact Nuclei command structure, template selection, staged scanning workflow, and bounded high-throughput execution controls with timeout backoff. |
Official docs:
Nuclei scans MUST follow a staged escalation pattern. NEVER run an unscoped broad template sweep on the first call.
Goal: Find the most impactful vulnerabilities with minimal noise and time.
-s critical,high.-as (automatic-scan) combined with severity filter.-rl 30 -c 10 -bs 10.-timeout 10 -retries 1.-ni.nuclei -u <target> -s critical,high -ni -rl 30 -c 10 -bs 10 -timeout 10 -retries 1 -silent -j -o nuclei_stage1.jsonlGoal: Add medium-severity findings and tech-mapped templates.
-s critical,high,medium.-as.-rl 50 -c 20 -bs 20.nuclei -u <target> -as -s critical,high,medium -ni -rl 50 -c 20 -bs 20 -timeout 10 -retries 1 -j -o nuclei_stage2.jsonlGoal: Run all applicable templates for comprehensive assessment.
-s info,low,medium,high,critical).nuclei -u <target> -as -rl 50 -c 20 -bs 20 -timeout 10 -retries 1 -stats -j -o nuclei_stage3.jsonlIf ANY nuclei invocation runs longer than expected or appears hung:
First timeout / excessive duration (>5m for Stage 1, >15m for Stage 2):
-rl 30 -> -rl 15.-c 10 -bs 10 -> -c 5 -bs 5.-as, switch to explicit template tags or severity-only filtering to reduce template count.Second timeout / excessive duration:
-s critical only, -rl 10 -c 3 -bs 3.Never retry the exact same command after a timeout. Each retry MUST have reduced -rl, -c, -bs, or stricter template filters.
-u, -target <url> single target-l, -list <file> targets file-im, -input-mode <mode> list/burp/jsonl/yaml/openapi/swagger-t, -templates <path|tag> explicit template path(s)-tags <tag1,tag2> run by tag-s, -severity <critical,high,...> severity filter-as, -automatic-scan tech-mapped automatic scan-ni, -no-interactsh disable OAST/interactsh requests-rl, -rate-limit <n> global request rate cap-c, -concurrency <n> template concurrency-bs, -bulk-size <n> hosts in parallel per template-timeout <seconds> request timeout-retries <n> retries-stats periodic scan stats output-silent findings-only output-j, -jsonl JSONL output-o <file> output filenuclei -u https://target.tld -s critical,high -ni -silent -j -o nuclei_s1.jsonlnuclei -u https://target.tld -as -s critical,high,medium -ni -rl 50 -c 20 -bs 20 -timeout 10 -retries 1 -j -o nuclei_s2.jsonlnuclei -u https://target.tld -tags cve -s critical,high -ni -silent -j -o nuclei_cve.jsonlnuclei -u https://target.tld -t http/cves/ -t http/misconfiguration/ -rl 30 -c 10 -bs 10 -j -o nuclei_tech.jsonl-s critical,high). An unscoped -as alone on the first call is a protocol violation.-s, -tags, or -t); avoid unscoped broad runs.-rl, -c, and -bs explicit for predictable resource use.-ni when outbound interactsh/OAST traffic is not expected or not allowed.-j -o <file>) for automation.-c/-bs before lowering -rl.-as vs explicit -t/-tags) and that the target is reachable.If uncertain, query web_search with:
site:docs.projectdiscovery.io nuclei <flag> running
Automated tool-assisted strategies for blind injection attacks (SQL, NoSQL, command, XPath). Covers when and how to use sqlmap, custom scripting, and binary search optimization to minimize token consumption and execution time. Use when manual blind injection would require >20 sequential requests.
HTTP Request Smuggling (HRS) / Desync attack detection and exploitation. Covers CL.TE, TE.CL, TE.TE detection, payload crafting, and chaining with SSRF/cache poisoning. Use when front-end/back-end architecture is suspected or when HTTP parsing discrepancies exist.
Race condition vulnerability detection and exploitation. Covers time-of-check to time-of-use (TOCTOU), limit bypass, coupon abuse, and multi-endpoint race chains. Use when state-dependent logic (credits, inventory, votes, transfers) exists or CTF challenge involves concurrent operations.
Canonical Nmap CLI syntax, strict staged scanning workflow, and sandbox-safe bounded scan patterns with timeout backoff.
Common CTF exploitation patterns, quick wins, and time-saving tricks for web, crypto, pwn, and misc challenges. Use when you are stuck on a CTF challenge or want to rapidly test known patterns.
Linux and Windows privilege escalation techniques, enumeration scripts, and common misconfigurations. Use when you have obtained a low-privilege shell and need to escalate to root or SYSTEM.