Run autonomous white-box pentests against web apps and APIs with Shannon

Analyze a web app's source code, execute real exploit attempts against the running target, and return proof-backed findings before release.

Security & Verification | Custom Agents | Security Reviewed
⭐ 39.8k GitHub stars ⬇ 4k/wk npm
INSTALL WITH ANY AGENT
npx skills add agentskillexchange/skills --skill run-autonomous-white-box-pentests-against-web-apps-and-apis-with-shannon
Works best when you want a reusable capability, not another fragile one-off prompt.
At a glance
Tools required: Node.js 18+, Docker, target web app URL, local source repository, model/API credentials supported by Shannon
Install & setup: Run npx @keygraph/shannon setup, then start a scan with npx @keygraph/shannon start -u https://your-app.com -r /path/to/your-repo. Docker is required because the npx workflow pulls and runs the Shannon worker image.
Author: KeygraphHQ
Publisher: Open Source Project
Last updated: Apr 21, 2026
Quick brief

Use Shannon when the job is to run an autonomous white-box pentest against a live web application or API using both the source repo and the running target. The upstream project is explicit about the operator loop: point Shannon at the app URL and repository, let it identify attack paths, execute exploit attempts, and save only proof-backed findings.

How it works

What this skill actually does

Invoke this instead of a normal DAST scanner or generic security dashboard when you need source-aware exploit validation before release, not just passive scanning or a product overview. The scope boundary is tight: Shannon performs authorization-sensitive pre-release pentesting of a specific web app or API. That keeps the entry skill-shaped and prevents it from collapsing into a generic security platform or framework listing.