hermes-agent-features/optional-skills/security/web-pentest/templates/pentest-report.md
Teknium 263e008d6b
feat(skills): add web-pentest optional skill (#32265)
Adds optional-skills/security/web-pentest/ — an authorized web app
penetration testing skill adapted from Shannon's methodology (concepts
only; AGPL-clean fresh implementation).

Phased: recon (read-only) → vuln analysis (delegate_task per OWASP
class) → proof-based exploitation → report.

Guardrails baked in:
- Authorization gate before first active scan (templates/authorization.md)
- Scope allowlist (scope.txt) consulted by recon-scan.sh and
  documented as the rule for every active request
- Aux-client leakage warning (compression + title gen replay history;
  payloads/creds must not enter chat verbatim)
- Bypass-exhaustion discipline before false-positive classification
- L3/L4 (proof-required) for reportable findings; L1/L2 listed as
  candidates only

Closes #400. Supersedes #21845 (plugin-shaped proposal; skill-shaped is
cheaper and matches the existing optional-skills/security/ pattern).
2026-05-25 14:51:41 -07:00


Penetration Test Report

Target: <name + URL>
Engagement ID:
Engagement window:
Operator:
Tester: Hermes Agent + operator
Report generated: <ISO 8601 timestamp>


Executive Summary

<2-4 paragraph plain-language summary. Focus on:

  • What was tested
  • What was found (count by severity)
  • Most critical finding in one sentence
  • High-level remediation recommendation>
| Severity | Count |
|----------|-------|
| Critical | 0     |
| High     | 0     |
| Medium   | 0     |
| Low      | 0     |
| Info     | 0     |

Engagement Scope

In-scope targets (from engagement/scope.txt):

Out of scope: see engagement/authorization.md.

Authorization basis: see engagement/authorization.md.

Methodology

The approach was based on the Hermes web-pentest skill (a Hermes Agent adaptation of the OWASP Testing Guide with elements of Shannon's proof-based methodology). Phases performed:

  • Pre-recon (source code review)
  • Recon (live, read-only)
  • Vulnerability analysis (one queue per OWASP class)
  • Exploitation (proof-based)
  • Reporting

Tools used: <nmap, whatweb, curl, Hermes browser tool, ...>.

Findings (L3/L4 — Verified Exploitable)

Every finding in this section has a reproducible proof-of-concept. L1/L2 candidates that were not promoted to confirmed exploitation are listed in the "Not Exploited" section.
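As an added example (not part of the web-pentest skill or this template), the following Python applies the promotion rule above when assembling the report: only L3/L4 findings with a recorded proof-of-concept reach this section, L1/L2 entries are routed to "Not Exploited", and the executive-summary severity counts are derived from verified findings only. The `Finding` fields, section headings and evidence paths are assumptions; the sample findings are constructed.

```python
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")

@dataclass
class Finding:
    fid: str        # finding id, e.g. "F-001"
    title: str
    level: int      # confidence level 1-4 (L1/L2 candidate, L3/L4 proven)
    severity: str
    poc: str = ""   # reproduction steps; empty means no proof was captured

def split_findings(findings):
    """Template rule: only L3/L4 findings are reported as verified, and an
    L3/L4 entry with no proof-of-concept is rejected, not silently listed."""
    verified, candidates = [], []
    for f in findings:
        if f.severity not in SEVERITIES:
            raise ValueError(f"{f.fid}: unknown severity {f.severity!r}")
        if f.level >= 3:
            if not f.poc.strip():
                raise ValueError(f"{f.fid}: L{f.level} finding has no proof-of-concept")
            verified.append(f)
        else:
            candidates.append(f)
    return verified, candidates

def severity_counts(verified):
    """Executive-summary counts, derived from verified findings only."""
    counted = Counter(f.severity for f in verified)
    return {s: counted.get(s, 0) for s in SEVERITIES}

def render_sections(findings):
    """Render the summary table and both findings sections as markdown."""
    verified, candidates = split_findings(findings)
    out = ["| Severity | Count |", "|---|---|"]
    out += [f"| {s} | {n} |" for s, n in severity_counts(verified).items()]
    out.append("\n## Findings (L3/L4 Verified Exploitable)")
    out += [f"### {f.fid}: {f.title} ({f.severity}, L{f.level})\n{f.poc}" for f in verified]
    out.append("\n## Not Exploited (L1/L2 candidates)")
    out += [f"- {f.fid}: {f.title} (L{f.level})" for f in candidates]
    return "\n".join(out)

# Constructed sample input (not real findings); evidence paths are placeholders.
SAMPLE = [
    Finding("F-001", "Stored XSS in profile bio", 4, "High", "See engagement/evidence/F-001.md"),
    Finding("F-002", "Verbose error page", 2, "Medium"),
    Finding("F-003", "Missing HSTS header", 3, "Low", "See engagement/evidence/F-003.md"),
]
```

Calling `render_sections(SAMPLE)` yields the summary table with High 1 and Low 1, F-001 and F-003 under Findings, and F-002 under Not Exploited; an L3/L4 entry without a PoC raises instead of being reported.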

F-001: