@Dinosn: uphiago/recon-skills: 144 offensive security skills for recon and pentest. Field-validated techniques from 600+ targets…
Summary
A GitHub repository providing 144 offensive security skills for reconnaissance and penetration testing, field-validated across 600+ targets in 45+ sectors, covering web enumeration, email security, Google dorks, cloud IAM, and more.
uphiago/recon-skills
Source: https://github.com/uphiago/recon-skills
🛡️ Recon & Pentest Skill Pack
144 skills for autonomous offensive reconnaissance at scale. Built from 600+ company targets, 11 rounds of field recon, and a pentest playbook validated across government, healthtech, fintech, e-commerce, ISP, and SMB sectors.
📖 Blog & research: hiago.sh — Pentest Playbook, field notes, and tooling.
📦 What’s Inside (144 skills)
```
recon-skills/
├── SOUL.md — Philosophy & agent operating instructions
├── AGENTS.md — Complete catalog + HARDLINE skill standards
├── recon/ (24) — WordPress/CORS/XMLRPC recon, source leaks, JS secrets, web enum, email sec, staging hunt, port scans
├── redteam/ (104) — 51 hunt-* (xss, sqli, ssrf, rce, ato, idor, cors, firebase, supabase, k8s, etc.) + 24 sector recon + 29 methodology/ops
├── meta/ (6) — Recon playbook, sector methodology, attack patterns, wave delta, google dorks, pentest playbook
├── chains/ (2) — Cross-attack chaining, WordPress full compromise
├── auth/ (1) — SAML SSO attacks
├── infra/ (1) — Docker privilege escalation
├── attacks/ (2) — Flask Werkzeug debugger RCE
├── agentiko-hermes/ — Hermes agent operating spec
└── agentiko-worker/ — Worker runtime spec + references
```
🔥 Key Skills
| Category | Skill | What It Does |
|---|---|---|
| meta | recon-playbook | 4-phase pipeline: target gen → quick filter → WP deep check → deep invade |
| recon | cors-credential-wordpress | 8 CORS variants (V1-V8) with real confirmed targets |
| recon | xmlrpc-exploitation | System.multicall, pingback SSRF, IMDS role guessing, wp.uploadFile |
| recon | web-enumeration | 200+ sensitive file paths, .env extraction, path traversal, vhost enum |
| recon | js-secrets-extraction | 12 regex patterns for API keys, JWTs, Firebase, Supabase in JS bundles |
| recon | email-security | DMARC/SPF/DKIM checks, SMTP spoofing, header analysis |
| chains | cross-attack-chains | Attack chain methodology — CORS+XMLRPC→RCE, SSRF→IMDS, etc |
| chains | wordpress-full-compromise | Kill chains for full WordPress takeover |
| meta | attack-patterns-reference | 25 patterns (P-01 to P-25), 18 WP abuse patterns, 8 CORS variants |
| meta | cross-wave-delta-analysis | Compare waves → NEW / REGRESSION / PERSISTENT / CHANGE |
| meta | sector-recon-methodology | Tier-based sector selection + per-sector vulnerability baselines |
| meta | google-dorks-catalog | 100+ dork patterns by service type + GitHub code search |
| redteam | hunt-* (51 skills) | One per vuln class: xss, sqli, ssrf, rce, ato, idor, cors, firebase, supabase, k8s, llm-ai, etc |
| redteam | parallel-recon-triad | 3 parallel subagents every 20min: Deep Invade + Expand + Skill Evolution |
| redteam | ops-proxyns | Kernel-level proxy via network namespaces — Tor for all traffic |
| redteam | cloud-iam-deep | AWS/GCP/Azure IAM enumeration, SA key abuse, Cloud Run, Artifact Registry |
📊 Field Results
| Metric | Value |
|---|---|
| Unique domains tested | 600+ |
| Vulnerable companies found | 80+ |
| Sectors tested | 45+ |
| CORS variants cataloged | 8 (V1-V8) |
| Attack patterns cataloged | 25 (P-01 to P-25) |
| WP abuse patterns | 18 (WP-01 to WP-18) |
| Attack chains confirmed | 10 |
| Recon rounds completed | 11 |
| Executable scripts | 48 (40 .py, 7 .sh, 1 .js) |
| Hunt skills expanded (2025-2026) | 7 (smuggling, mfa, saml, ato, api, llm, race) |
Finding Distribution
| Severity | Count | Common Patterns |
|---|---|---|
| Critical | 8 | MySQL exposed, PHPInfo + open reg, CORS + XMLRPC + upload → RCE |
| High | 24 | CORS credential reflection, XMLRPC multicall, staging takeover |
| Medium | 18 | WP user enum, WooCommerce API, plugin version disclosure |
Top Patterns by Sector
| Sector | Vuln Rate | Top Finding |
|---|---|---|
| Law Firms | ~25% | WP REST API user enumeration |
| Landscaping | ~20% | CORS credential reflection |
| Pool Services | ~20% | CORS + XMLRPC open |
| Pest Control | ~20% | CORS credential reflection |
| HVAC/Plumbing | ~14% | CORS + WP user enumeration |
| Locksmiths | ~33% | WP REST API + XMLRPC |
| Window Cleaning | ~25% | CORS + XMLRPC |
| Bakeries | ~18% | Source leaks + CORS wildcard |
| Septic Services | ~25% | Source leaks + CORS |
🚀 Getting Started
```bash
git clone git@github.com:uphiago/recon-skills.git
cd recon-skills
cat SOUL.md    # Read the philosophy
cat AGENTS.md  # Read the standards & catalog
ls recon/      # Browse recon skills
ls redteam/    # Browse hunt skills
```
Each skill directory has a SKILL.md with:
- When to Use
- Prerequisites
- How to Run (copy-paste commands)
- Procedure (numbered steps with exact commands)
- Pitfalls
- Verification
🧠 Design Principles
- Terminal-native — every command runs via curl, nmap, python3. No browser automation.
- Self-contained — each SKILL.md is a complete operational package.
- Field-validated — techniques confirmed on real targets before shipping.
- Chain everything — one finding is Medium. Two chained is Critical.
- Cross-reference, don’t duplicate — hosting tables belong in one place.
📄 License
MIT — Use freely, contribute back.