
Shannon
Run an autonomous white-box pentest against your web app or API codebase with real exploit attempts before you ship or expose staging to the internet.
Overview
Shannon is an agent skill for the Ship phase that orchestrates Docker-based white-box pentesting with source analysis and executed exploits against authorized web apps and APIs.
Install
npx skills add https://github.com/unicodeveloper/shannon --skill shannon
What is this skill?
- Docker-orchestrated Shannon pentester with white-box source analysis
- Identifies attack vectors then executes real exploits to prove impact
- Covers XSS, SQLi, SSRF, authentication, and authorization failure modes
- Triggered by shannon, pentest, security audit, or vuln scan intents
- Requires Docker and git; ANTHROPIC_API_KEY is the primary credential, with optional routing to cloud-hosted Claude endpoints
Adoption & trust: 2.1k installs on skills.sh; 39 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are about to ship a web app or API but lack time for a human pentester and do not trust passive scanners to show what attackers can actually do.
Who is it for?
Solo builders with Docker, a git-backed app, and explicit permission to attack staging or localhost who need fast white-box appsec proof.
Skip if: Unauthorized targets, mobile-native-only products without a web surface, or teams that cannot run Docker or supply API keys in a controlled environment.
When should I use this skill?
User says shannon, pentest, security audit, vuln scan, or requests autonomous web/API security assessment with Shannon against an authorized target.
What do I get? / Deliverables
You receive an evidence-backed vulnerability assessment with executed exploits against your target so you can patch confirmed issues before release.
- Pentest run against specified target
- Documented vulnerabilities with exploit evidence
- Prioritized remediation leads for Ship hardening
Journey fit
Security validation belongs in Ship, immediately before or alongside release hardening; it complements idea-stage threat modeling rather than replacing it. The Security subphase covers OWASP-style assessments, authn/authz testing, and vulnerabilities proven by executed exploits.
How it compares
Autonomous exploit-proving pentest orchestration—not a passive dependency audit skill or a WAF configuration generator.
Common Questions / FAQ
Who is shannon for?
Indie and solo developers shipping web apps or APIs who want agent-driven pentesting with source-aware attack paths and live exploit validation on systems they control.
When should I use shannon?
Use it in Ship security before production launch, after large auth or API changes, or when you say shannon, pentest, security audit, or vuln scan against an authorized URL and repo.
Is shannon safe to install?
It runs active attacks via Docker and shell tools, so use it only on targets you own or have written permission to test. Review the Security Audits panel on this page and the AGPL licence obligations before installing, and never point it at third-party production systems without consent.
SKILL.md - Shannon
# Shannon: Autonomous AI Pentester for Web Apps & APIs

> **Permissions overview:** This skill orchestrates Shannon, a Docker-based pentesting tool that actively executes attacks against a target application. It clones/updates the Shannon repo locally, runs Docker containers, and reads pentest reports. **Shannon performs real exploits — only run against apps you own or have explicit written authorization to test.** Never run against production systems.

Shannon analyzes your source code, identifies attack vectors, and executes real exploits to prove vulnerabilities before they reach production. 96.15% exploit success rate on the XBOW security benchmark. Covers OWASP Top 10: Injection, XSS, SSRF, Broken Auth, Broken AuthZ, and more.

---

## CRITICAL: Safety Checks (ALWAYS run first)

Before doing ANYTHING, you MUST confirm:

1. **Authorization**: Ask the user — "Do you have explicit authorization to pentest this target?" If they say no or are unsure, STOP and explain they need written permission from the system owner.
2. **Environment**: Confirm the target is a local, staging, or sandboxed environment — NEVER production.
3. **Scope**: Clarify what they want tested (full pentest vs specific category).

```
⚠️ Shannon executes REAL ATTACKS with mutative effects.
├─ Only run on systems you OWN or have WRITTEN AUTHORIZATION to test
├─ Never target production environments
├─ Results require human review — LLM output may contain hallucinations
└─ You are responsible for complying with all applicable laws
```

Display this warning BEFORE every pentest run. If the user has already confirmed authorization in this session, a brief reminder suffices.

---

## Parse User Intent

Extract from the user's input:

1. **TARGET_URL**: The URL to pentest (e.g., `http://localhost:3000`, `http://staging.example.com`)
2. **REPO_NAME**: The source code folder name (placed in `./repos/` inside Shannon)
3. **SCOPE**: Full pentest (default) or specific categories (injection, xss, ssrf, auth, authz)
4. **WORKSPACE**: Named workspace for resume capability (optional)
5. **CONFIG**: Custom YAML config path (optional, for auth flows, focus/avoid rules)

Common invocation patterns:

- `/shannon http://localhost:3000 myapp` → Full pentest of local app
- `/shannon --workspace=audit1 http://staging.example.com backend-api` → Named workspace for resuming
- `/shannon --scope=xss,injection http://localhost:8080 frontend` → Targeted categories
- `/shannon status` → Check running pentests
- `/shannon results` → Show latest report
- `/shannon stop` → Stop running pentest

Display parsed intent:

```
🔐 Shannon Pentest
├─ Target: {TARGET_URL}
├─ Source: repos/{REPO_NAME}
├─ Scope: {SCOPE
```
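The two sections above describe a procedure an agent is expected to follow by reading prose: confirm the target is not production, then pull TARGET_URL, REPO_NAME, SCOPE and WORKSPACE out of a `/shannon ...` line. The following is an added example that turns both steps into code so the gate cannot be skipped by a distracted model; it is not code from the Shannon project or from skills.sh. The command grammar is the one listed above. Everything else is an assumption: the host policy (loopback, private and link-local IPs, `localhost`-style names, plus an operator-supplied `allowed_hosts` allowlist count as non-production; anything else is refused), the rule that REPO_NAME and WORKSPACE must be a plain directory name because they are interpolated into `./repos/{REPO_NAME}`, and the function names `parse_intent`, `host_is_non_production` and `is_refused`.

```python
"""Intent parsing and pre-flight target gate for a /shannon invocation.

Added example; not code from the Shannon project or from skills.sh. The
command grammar follows the SKILL.md above. The host policy (allow loopback,
private and *.localhost/*.local/*.test names, plus an operator-supplied
allowlist) and the plain-directory-name rule for REPO_NAME are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

VALID_SCOPES = {"injection", "xss", "ssrf", "auth", "authz"}
SUBCOMMANDS = {"status", "results", "stop"}

# REPO_NAME and WORKSPACE are interpolated into paths (./repos/{REPO_NAME}),
# so accept a single plain directory name only: no slashes, no leading dot.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class IntentError(ValueError):
    """Malformed request, or a target that fails the non-production gate."""


@dataclass
class Intent:
    command: str                      # "pentest", "status", "results" or "stop"
    target_url: Optional[str] = None
    repo_name: Optional[str] = None
    scope: List[str] = field(default_factory=lambda: ["full"])
    workspace: Optional[str] = None


def host_is_non_production(host: str, allowed_hosts: Iterable[str] = ()) -> bool:
    """True for loopback/private/link-local IPs, localhost-style names, and
    hosts the operator has explicitly allowlisted (exact name, or a suffix
    written with a leading dot such as ".staging.example.com")."""
    host = host.lower().rstrip(".")
    if host == "localhost" or host.endswith((".localhost", ".local", ".test")):
        return True
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_loopback or ip.is_private or ip.is_link_local
    except ValueError:
        pass  # not an IP literal; fall through to the allowlist
    for allowed in allowed_hosts:
        allowed = allowed.lower()
        if host == allowed or (allowed.startswith(".") and host.endswith(allowed)):
            return True
    return False


def parse_intent(line: str, allowed_hosts: Iterable[str] = ()) -> Intent:
    """Parse `/shannon [--workspace=NAME] [--scope=a,b] TARGET_URL REPO_NAME`
    or `/shannon status|results|stop`, refusing anything that fails the gate."""
    tokens = line.strip().split()
    if not tokens or tokens[0] != "/shannon":
        raise IntentError("not a /shannon invocation")
    args = tokens[1:]
    if len(args) == 1 and args[0] in SUBCOMMANDS:
        return Intent(command=args[0])

    intent = Intent(command="pentest")
    positional: List[str] = []
    for tok in args:
        if tok.startswith("--workspace="):
            intent.workspace = tok.split("=", 1)[1]
            if not SAFE_NAME_RE.match(intent.workspace):
                raise IntentError(f"WORKSPACE {intent.workspace!r} must be a plain name")
        elif tok.startswith("--scope="):
            cats = [c.strip().lower() for c in tok.split("=", 1)[1].split(",") if c.strip()]
            unknown = sorted(set(cats) - VALID_SCOPES)
            if not cats or unknown:
                raise IntentError(f"unknown scope categories: {unknown}")
            intent.scope = cats
        elif tok.startswith("--"):
            raise IntentError(f"unknown flag {tok}")
        else:
            positional.append(tok)

    if len(positional) != 2:
        raise IntentError("expected exactly TARGET_URL and REPO_NAME")
    url, repo = positional
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise IntentError(f"TARGET_URL must be an http(s) URL, got {url!r}")
    # The environment check from the safety section, made mechanical: a host
    # that is not recognisably local/staging is refused rather than attacked.
    if not host_is_non_production(parts.hostname, allowed_hosts):
        raise IntentError(f"refusing {parts.hostname}: not a recognised local or "
                          "staging host; allowlist it only with written authorization")
    if not SAFE_NAME_RE.match(repo):
        raise IntentError(f"REPO_NAME {repo!r} must be a plain directory name")
    intent.target_url, intent.repo_name = url, repo
    return intent


def is_refused(line: str, allowed_hosts: Iterable[str] = ()) -> bool:
    """Convenience wrapper: does the gate reject this invocation?"""
    try:
        parse_intent(line, allowed_hosts)
    except IntentError:
        return True
    return False
```

Call `parse_intent` before the warning banner is displayed and before any Docker container is started, and populate `allowed_hosts` only from a file the human operator controls, never from the chat turn that requested the pentest. A staging hostname such as `staging.example.com` is therefore refused by default and only accepted once it has been allowlisted, which is the point at which the written-authorization question has to be answered.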