java/src/main/resources/targets/claude/skills/conditional/security/x-security-pentest/SKILL.md
Multi-phase penetration test orchestrator: reconnaissance, vulnerability scanning, exploitation validation, and consolidated reporting with environment-based restrictions.
Multi-phase penetration test framework for {{PROJECT_NAME}} that orchestrates all scanning skills and the pentest-engineer agent in a methodical sequence. It ensures pentests are complete, repeatable, and executed with the restrictions appropriate to the target environment.
RULE-011 (Composability): This skill delegates to existing scanning skills as subagents. It NEVER duplicates scanning logic -- it orchestrates.
Include this skill when security.pentest_readiness = true in the project configuration.
Usage examples:

```bash
/x-security-pentest --env local --target http://localhost:8080                              # full pentest in local
/x-security-pentest --env homolog --scope quick --target https://app.staging.example.com   # quick pentest in homolog
/x-security-pentest --env prod --confirm-prod --target https://app.example.com              # production (passive only)
/x-security-pentest --phase 2 --target http://localhost:8080                                # vulnerability scanning phase only
```

| Parameter | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| --env | String | No | local | Environment: local, dev, homolog, prod |
| --phase | String | No | all | Phase: 1, 2, 3, 4, all |
| --scope | String | No | full | Scope: full, quick |
| --target | String | Yes* | -- | Valid URL (* required for Phases 2-3) |
| --confirm-prod | Boolean | No | false | Required when --env=prod |
Before any phase executes, validate:

- If --env=prod and --confirm-prod is NOT provided, halt immediately.
- If --phase includes 2 or 3 (or all), --target must be a valid URL.

Phase 1 (Reconnaissance): launch as parallel subagents via the Agent tool:
Full Scope:
| Subagent | Skill | Purpose |
|----------|-------|---------|
| Codebase Audit | /x-code-audit security | Map attack surface from source code |
| Threat Model | /x-threat-model | Generate STRIDE threat model |
Quick Scope: /x-threat-model only.
Phase 2 (Vulnerability Scanning): launch as parallel subagents via the Agent tool:
Full Scope:
| Subagent | Skill | Env Adjustment |
|----------|-------|----------------|
| SAST | /x-security-sast | None |
| DAST | /x-security-dast | --mode=passive if homolog or prod |
| Container | /x-security-container | None |
| Infra | /x-security-infra | None |
| Secret | /x-security-secrets | None |
Quick Scope: /x-security-sast + /x-security-secrets only.
If a skill fails, mark it in skillsFailed, set phase status to PARTIAL, and continue.
Phase 3 (Exploitation Validation):

- Blocked in production: if --env=prod, set status to SKIPPED.
- Blocked in quick scope: set status to SKIPPED.
- Homolog restriction: no destructive tests.

Invoke the pentest-engineer agent for an exploitability assessment of CRITICAL and HIGH findings. Then invoke the appsec-engineer agent for a design-level security review.
Phase 4 (Reporting): generate the consolidated pentest report at results/security/pentest-report.md.
| Condition | Score Deduction |
|-----------|-----------------|
| Each CRITICAL finding | -15 points |
| Each HIGH finding | -8 points |
| Each MEDIUM finding | -3 points |
| Each LOW finding | -1 point |
| Base score | 100 |
| Score Range | Grade |
|-------------|-------|
| 90-100 | A |
| 80-89 | B |
| 70-79 | C |
| 50-69 | D |
| 0-49 | F |
| Environment | Phase 1 | Phase 2 | Phase 3 | Phase 4 | Restrictions |
|-------------|---------|---------|---------|---------|-------------|
| local | Yes | Yes | Yes | Yes | None |
| dev | Yes | Yes | Yes | Yes | None |
| homolog | Yes | Yes (DAST passive) | Yes (no destructive) | Yes | DAST passive mode, no destructive tests |
| prod | Yes | Yes (DAST passive only) | BLOCKED | Yes | --confirm-prod required, passive scanning only |
Full scope: all 4 phases execute with all available skills.

Quick scope: Phase 1 runs /x-threat-model only (skip /x-code-audit); Phase 2 runs /x-security-sast + /x-security-secrets only.

| Scenario | Action |
|----------|--------|
| --env=prod without --confirm-prod | Error: halt immediately, no phases execute |
| Missing --target for Phases 2-3 | Error: halt before Phase 2 |
| Individual skill failure in Phase 2 | Mark as PARTIAL, continue other skills |
| All skills fail in a phase | Mark phase as FAILED, continue to next phase |
| pentest-engineer agent failure | Mark Phase 3 as FAILED, proceed to Phase 4 |
| No CRITICAL/HIGH findings for Phase 3 | Skip exploitation validation, note in report |
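As an added reference implementation (not code from the skill or the ia-dev-environment project), the pre-flight validation and the per-environment, per-scope phase plan from the tables above, in Python. The option and function names, and the use of a plain scheme/host check for "valid URL", are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

ENVS = ("local", "dev", "homolog", "prod")
PHASES = ("1", "2", "3", "4")

@dataclass
class PentestOptions:          # assumed shape; mirrors the CLI parameters
    env: str = "local"
    phase: str = "all"         # "1".."4" or "all"
    scope: str = "full"        # "full" or "quick"
    target: Optional[str] = None
    confirm_prod: bool = False

def requested_phases(opt: PentestOptions) -> List[str]:
    return list(PHASES) if opt.phase == "all" else [opt.phase]

def validate(opt: PentestOptions) -> None:
    """Pre-flight checks run before any phase executes; raising halts the run."""
    if opt.env not in ENVS or opt.phase not in PHASES + ("all",):
        raise ValueError("unknown --env or --phase")
    if opt.env == "prod" and not opt.confirm_prod:
        raise PermissionError("--env=prod requires --confirm-prod; halting")
    if {"2", "3"} & set(requested_phases(opt)):
        u = urlparse(opt.target or "")   # assumed definition of 'valid URL'
        if u.scheme not in ("http", "https") or not u.netloc:
            raise ValueError("--target must be a valid URL for Phases 2-3")

def phase_plan(opt: PentestOptions) -> Dict[str, List[str]]:
    """Map each requested phase to the subagents it launches, with the
    env/scope restrictions applied; skipped phases are recorded explicitly."""
    validate(opt)
    quick = opt.scope == "quick"
    passive = opt.env in ("homolog", "prod")   # DAST runs in passive mode
    plan: Dict[str, List[str]] = {}
    for p in requested_phases(opt):
        if p == "1":
            plan[p] = ["/x-threat-model"] if quick else [
                "/x-code-audit security", "/x-threat-model"]
        elif p == "2":
            dast = "/x-security-dast" + (" --mode=passive" if passive else "")
            plan[p] = ["/x-security-sast", "/x-security-secrets"] if quick else [
                "/x-security-sast", dast, "/x-security-container",
                "/x-security-infra", "/x-security-secrets"]
        elif p == "3":   # blocked in prod and in quick scope
            plan[p] = ["SKIPPED"] if (opt.env == "prod" or quick) else [
                "pentest-engineer", "appsec-engineer"]
        else:
            plan[p] = ["report -> results/security/pentest-report.md"]
    return plan
```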
| Skill | Relationship | Context |
|-------|--------------|---------|
| x-code-audit | calls | Phase 1 reconnaissance |
| x-threat-model | calls | Phase 1 STRIDE threat model |
| x-security-sast | calls | Phase 2 static analysis |
| x-security-dast | calls | Phase 2 dynamic testing |
| x-security-container | calls | Phase 2 container security |
| x-security-infra | calls | Phase 2 infrastructure security |
| x-security-secrets | calls | Phase 2 secret detection |