WebAssessment
Customization
Before executing, check for user customizations at:
~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/WebAssessment/
If this directory exists, load and apply any PREFERENCES.md, configurations, or resources found there. These override default behavior. If the directory does not exist, proceed with skill defaults.
🚨 MANDATORY: Voice Notification (REQUIRED BEFORE ANY ACTION)
You MUST send this notification BEFORE doing anything else when this skill is invoked.
- Send voice notification:
curl -s -X POST http://localhost:8888/notify \
  -H "Content-Type: application/json" \
  -d '{"message": "Running the WORKFLOWNAME workflow in the WebAssessment skill to ACTION"}' \
  > /dev/null 2>&1 &
- Output text notification:
Running the **WorkflowName** workflow in the **WebAssessment** skill to ACTION...
This is not optional. Execute this curl command immediately upon skill invocation.
WebAssessment Skill
Security assessment infrastructure integrating reconnaissance, threat modeling, and vulnerability testing.
Workflow Routing
| Trigger | Workflow |
|---|---|
| "understand application", "what does this app do", "map the application" | UnderstandApplication |
| "threat model", "attack scenarios", "how would I attack" | CreateThreatModel |
| "pentest", "security assessment", "test for vulnerabilities" | Pentest/MasterMethodology |
| "fuzz with ffuf", "directory fuzzing", "content discovery" | ffuf/FfufGuide |
| "OSINT", "reconnaissance", "open source intelligence" | osint/MasterGuide |
| "test web app", "Playwright", "browser automation" | webapp/TestingGuide |
| "bug bounty", "bounty programs" | bug-bounty/Programs |
| "vulnerability analysis with AI", "Gemini analysis" | VulnerabilityAnalysisGemini3 |
Skill Integration
WebAssessment coordinates with specialized skills:
| Phase | Skill | Purpose |
|---|---|---|
| Scope Definition | Recon | Corporate structure, domain enumeration |
| Target Discovery | Recon | Subdomains, endpoints, ports |
| Understanding | WebAssessment | App narrative, user flows, sensitive data |
| Threat Modeling | WebAssessment | Attack scenarios, test prioritization |
| Injection Testing | PromptInjection | LLM-specific attacks |
| Intelligence | OSINT | People, companies, social media |
Assessment Workflow
1. Corporate Structure (Recon) → Define scope and targets
2. Subdomain Enumeration (Recon) → Find all domains
3. Endpoint Discovery (Recon) → Extract JS endpoints
4. Understand Application → Build app narrative
5. Create Threat Model → Prioritize attack scenarios
6. Execute Testing → Test against identified threats
7. Report Findings → Document with PoCs
Recon Skill Tools
WebAssessment uses tools from the Recon skill:
# Corporate structure for scope
bun ~/.claude/skills/Security/Recon/Tools/CorporateStructure.ts target.com
# Subdomain enumeration
bun ~/.claude/skills/Security/Recon/Tools/SubdomainEnum.ts target.com
# Endpoint discovery from JavaScript
bun ~/.claude/skills/Security/Recon/Tools/EndpointDiscovery.ts https://target.com
# Port scanning
bun ~/.claude/skills/Security/Recon/Tools/PortScan.ts target.com
# Path discovery
bun ~/.claude/skills/Security/Recon/Tools/PathDiscovery.ts https://target.com
UnderstandApplication Output
Produces structured narrative including:
- Summary: Purpose, industry, user base, critical functions
- User Roles: Access levels and capabilities
- User Flows: Step-by-step processes with sensitive data
- Technology Stack: Frontend, backend, auth, third-party
- Attack Surface: Entry points, inputs, file uploads, websockets
CreateThreatModel Output
Generates prioritized attack plan:
- Threats: OWASP/CWE mapped with risk scores
- Attack Paths: Multi-step attack scenarios
- Test Plan: Prioritized with tool suggestions
- Effort Estimates: Quick/medium/extensive per threat
Threat Categories
| Category | Triggers On |
|---|---|
| Authentication | Auth mechanisms detected |
| Access Control | Multiple user roles |
| Injection | All web apps |
| Data Exposure | Sensitive data identified |
| File Upload | Upload functionality |
| API Security | API endpoints |
| WebSocket | WebSocket detected |
| Business Logic | All web apps |
| Payment Security | Payment flows |
6-Phase Pentest Methodology
Phase 0: Scoping & Preparation
Phase 1: Reconnaissance (Recon skill)
Phase 2: Mapping (content discovery)
Phase 3: Vulnerability Analysis
Phase 4: Exploitation
Phase 5: Reporting
Key Principles
- Authorization first - Never test without explicit permission
- Understand before testing - Build app narrative first
- Threat model guides testing - Don't test blindly
- Breadth then depth - Wide recon, focused exploitation
- Document everything - Notes, screenshots, commands
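The "Authorization first" principle can be enforced mechanically by checking every target against the engagement scope before a Recon tool is invoked. The following is an added example, not part of the WebAssessment skill; the `ScopeRule` type, the scope entries and all function names are assumptions made for illustration.

```typescript
// Added example: scope gate to run before any Recon tool (hypothetical helper).
type ScopeRule = { pattern: string; includeSubdomains: boolean };

// Constructed sample scope, as it might be copied from a signed authorization.
const AUTHORIZED_SCOPE: ScopeRule[] = [
  { pattern: "target.com", includeSubdomains: true },
  { pattern: "app.example.com", includeSubdomains: false },
];

// Reduce a tool argument (bare domain or URL) to a normalized hostname.
function extractHost(target: string): string | null {
  const candidate = target.includes("://") ? target : `https://${target}`;
  try {
    const url = new URL(candidate);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    // Credentials in the authority ("https://target.com@other.test") make the
    // visible prefix differ from the real host, so refuse them outright.
    if (url.username !== "" || url.password !== "") return null;
    return url.hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null; // unparseable input is never in scope
  }
}

function isInScope(target: string, scope: ScopeRule[] = AUTHORIZED_SCOPE): boolean {
  const host = extractHost(target);
  if (host === null) return false;
  return scope.some((rule) => {
    const base = rule.pattern.toLowerCase();
    if (host === base) return true;
    // Match on a label boundary so "nottarget.com" does not pass for "target.com".
    return rule.includeSubdomains && host.endsWith(`.${base}`);
  });
}

// Split requested targets into those allowed to proceed and those refused.
function partitionTargets(targets: string[], scope: ScopeRule[] = AUTHORIZED_SCOPE) {
  const allowed: string[] = [];
  const refused: string[] = [];
  for (const t of targets) (isInScope(t, scope) ? allowed : refused).push(t);
  return { allowed, refused };
}
```

Anything in `refused` should stop the workflow and go back to Phase 0 rather than being silently dropped.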
Workflow Index
Core Assessment:
- Workflows/UnderstandApplication.md - Application reconnaissance
- Workflows/CreateThreatModel.md - Attack scenario generation
Penetration Testing:
- Workflows/pentest/MasterMethodology.md - 6-phase methodology
- Workflows/pentest/ToolInventory.md - Security tools reference
- Workflows/pentest/Reconnaissance.md - Asset discovery
- Workflows/pentest/Exploitation.md - Vulnerability testing
Web Fuzzing:
- Workflows/ffuf/FfufGuide.md - FFUF fuzzing guide
- Workflows/ffuf/FfufHelper.md - Automated fuzzing helper
Bug Bounty:
- Workflows/bug-bounty/Programs.md - Program tracking
- Workflows/bug-bounty/AutomationTool.md - Bounty automation
Web App Testing:
- Workflows/webapp/TestingGuide.md - Playwright testing
- Workflows/webapp/Examples.md - Testing patterns
OSINT:
- Workflows/osint/MasterGuide.md - OSINT methodology
- Workflows/osint/Reconnaissance.md - Domain recon
- Workflows/osint/SocialMediaIntel.md - SOCMINT
- Workflows/osint/Automation.md - SpiderFoot/Maltego
- Workflows/osint/MetadataAnalysis.md - ExifTool analysis
AI-Powered:
- Workflows/VulnerabilityAnalysisGemini3.md - Gemini deep analysis
Examples
Example 1: Full assessment workflow
User: "Security assessment on app.example.com"
→ Run UnderstandApplication to build narrative
→ Run CreateThreatModel to prioritize testing
→ Follow MasterMethodology with threat model guidance
→ Report findings with OWASP/CWE references
Example 2: Quick threat model
User: "How would I attack this app?"
→ Run CreateThreatModel on target
→ Get prioritized attack paths
→ Get test plan with tool suggestions
Example 3: Integrate with Recon
User: "Assessment on target.com including all subdomains"
→ CorporateStructure (Recon) → Find parent/child companies
→ SubdomainEnum (Recon) → Find all subdomains
→ EndpointDiscovery (Recon) → Extract JS endpoints
→ UnderstandApplication → Build app narrative
→ CreateThreatModel → Generate attack plan