aiskillstore/onvifscan
skills/brownfinesecurity/onvifscan/SKILL.md
ONVIF device security scanner for testing authentication and brute-forcing credentials. Use when you need to assess security of IP cameras or ONVIF-enabled devices.
$ install --global
skillsauthnpx skillsauth add aiskillstore/marketplace onvifscanInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 31, 2026, 1:22 PM78.4s2 files scanned
SKILL.md
- name:
- onvifscan
- description:
- ONVIF device security scanner for testing authentication and brute-forcing credentials. Use when you need to assess security of IP cameras or ONVIF-enabled devices.
Onvifscan - ONVIF Security Scanner
You are helping the user scan ONVIF devices for security issues including authentication bypasses and weak credentials using the onvifscan tool.
Tool Overview
Onvifscan is an ONVIF device security scanner that can:
- Test for unauthenticated access to ONVIF endpoints
- Perform credential brute-forcing attacks
Instructions
When the user asks to scan ONVIF devices, test IP cameras, or assess IoT device security:
-
Determine scan type:
auth: Authentication and access control testing (recommended to start)brute: Credential brute-forcing on password-protected endpoints
-
Get target information:
- Ask for the device URL/IP
- Determine which scan type to run
- Check if they have custom wordlists
-
Execute the scan:
- Use the onvifscan command from the iothackbot bin directory
- Format:
onvifscan <subcommand> <url> [options]
Subcommands
Auth Scan
Tests ONVIF endpoints for authentication requirements:
onvifscan auth http://192.168.1.100
Options:
-v, --verbose: Show full XML responses-a, --all: Test ALL endpoints including potentially destructive ones--format text|json|quiet: Output format
Brute Force
Attempts credential brute-forcing on protected endpoints:
onvifscan brute http://192.168.1.100
Options:
--usernames <file>: Custom usernames wordlist (default: built-in onvif-usernames.txt)--passwords <file>: Custom passwords wordlist (default: built-in onvif-passwords.txt)--format text|json|quiet: Output format
Examples
Quick auth check on a device:
onvifscan auth 192.168.1.100
Auth check with verbose output:
onvifscan auth http://192.168.1.100:8080 -v
Brute force with custom wordlists:
onvifscan brute 192.168.1.100 --usernames custom-users.txt --passwords custom-pass.txt
Important Notes
- URLs can omit
http://- it will be added automatically - Auth scan is non-destructive and safe to run
- Use
-aflag with caution - may test destructive endpoints - Brute force is rate-limited to prevent device overload (max 20 attempts by default)
- Built-in wordlists located in
wordlists/directory
Related Skills
aiskillstore/hig-components-content
development
VerifiedTrustedCommunity
Apple Human Interface Guidelines for content display components. Use this skill when the user asks about charts component, collection view, image view, web view, color well, image well, activity view, lockup, data visualization, content display, displaying images, rendering web content, color pickers, or presenting collections of items in Apple apps. Also use when the user says how should I display charts, what's the best way to show images, should I use a web view, how do I build a grid of items, what component shows media, or how do I present a share sheet. Cross-references: hig-foundations for color/typography/accessibility, hig-patterns for data visualization patterns, hig-components-layout for structural containers, hig-platforms for platform-specific component behavior.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/helpdesk-automation
tools
VerifiedTrustedCommunity
Automate HelpDesk tasks via Rube MCP (Composio): list tickets, manage views, use canned responses, and configure custom fields. Always search tools first for current schemas.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/haskell-pro
testing
VerifiedTrustedCommunity
Expert Haskell engineer specializing in advanced type systems, pure functional design, and high-reliability software. Use PROACTIVELY for type-level programming, concurrency, and architecture guidance.
244SKILL.mdUpdated Apr 10, 2026
aiskillstore/graphql
tools
VerifiedTrustedCommunity
GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.
244SKILL.mdUpdated Apr 10, 2026