Hermes continues to self-evolve, with treasures emerging one after another! Kali penetration testing skills, Dashboard dark theme packs, pixel world bridging, AIOps Operations Legion, native video creation pipeline… Programmers across the web are turning Hermes into the next-generation Agent: Red Team Hacker + Silky Dashboard + Metaverse Resident + Production Duty Officer + Video Factory: kali-pentest(https://github.com/x-glacier/kali-pentest…) 200+ Kali tools + 15 scenario playbooks, autonomous attack paths + human approval gates. “Agents finally dare to perform penetration testing” is confirmed! Hermes-Dashboard-Themes(https://github.com/yakuzadevopps/Hermes-Dashboard-Themes…) 4 sets of dark clean themes + large font optimized panels. The era of official themes that “blind your eyes” is over. hermes-miniverse(https://github.com/teknium1/hermes-miniverse…) Pixel world bridging: Agents move into Miniverse, pixel avatars display thinking status in real-time + cross-Agent chat. Too meta, Agents also have a second life! RunbookHermes(https://github.com/Tommy-yw/RunbookHermes…) Hermes-native AIOps: Evidence collection + approval + runbook self-learning. Production incident 24/7 duty legion ready! Noustiny(https://github.com/UfukNode/Noustiny…) One-sentence seed → Tree-structured story → Cloned voiceover → Complete MP4 video pipeline. Hackathon masterpiece, stories turn directly into videos! // Why are these new evolutions so explosive? All consume the Hermes underlying loop as DNA, while the community frantically adds penetration testing, theme beautification, pixel metaverse, AIOps legion, video factory… The ecosystem’s rapid evolution is visible to the naked eye.

x-glacier/kali-pentest

Source: https://github.com/x-glacier/kali-pentest English | Simplified Chinese

kali-pentest

A penetration testing skill built on Kali Linux for AI agents such as Claude Code, OpenClaw, and Hermes Agent. Currently includes 200+ CLI tools across 14 categories. Built-in coverage matrices, zero-findings fallbacks, and objective stopping conditions for each scenario ensure testing depth.

Unlike traditional automated penetration testing tools, the AI agent connects to a Kali environment via SSH or Docker, then autonomously plans the attack path based on the target, selects tools, integrates and analyzes results across phases to adapt the penetration strategy, and produces a structured report — with mandatory authorization checks and human approval gates for high-risk actions.

Workflow

Overall Workflow

flowchart LR
A[Receive Task] --> B[Step 1: Environment]
B --> C[Step 2: Plan]
C --> D[Step 3: Execute]
D --> E[Step 4: Analyze & Iterate]
E -->|Adapt strategy| D
E --> F[Step 5: Report]
C --- C1[Confirm authorization & scope]
C --- C2[Plan attack path & select depth]
C --- C3[Select playbook from decision tree]
E --- E1[Integrate results across phases]

Execution Detail (Step 3)

flowchart TD
PB[Select Playbook] --> CAT[Read category README]
CAT --> TOOL[Select tool & run]
TOOL --> OUT[Collect output]
OUT --> EVAL{Findings?}
EVAL -->|Yes| NEXT{New target type?}
EVAL -->|No| DEEPER[Escalate: deeper scan or alternate tool]
NEXT -->|AD| AD[active-directory.md]
NEXT -->|Web app| WEB[web-application.md]
NEXT -->|Credentials| PWD[password-audit.md]
NEXT -->|Initial access| POST[post-exploitation.md]
NEXT -->|No| ITER[Next iteration]
AD --> ITER
WEB --> ITER
PWD --> ITER
POST --> ITER
DEEPER --> ITER
ITER --> TOOL

Getting Started

1. Install the skill

Copy the skill directory into your AI agent’s skills folder:

cp -r kali-pentest /path/to/your/agent/skills/kali-pentest

2. Provide Kali access

The agent needs a Kali Linux environment. Two options:

• Server mode (recommended): full Kali over SSH — avoids Docker networking, raw-socket, wireless, and GPU limitations. Documentation: Kali installation guide, Server mode guide.
• Docker mode: pre-build a persistent container with tools installed. Best for CLI information gathering, vulnerability scanning, web/API and cloud-native testing, and reporting. Documentation: Kali Docker guide, Docker mode guide.

Tell the agent how to connect (SSH key is recommended; username/password is supported but not recommended):

My Kali server is at 192.168.1.100, SSH user root, key at ~/.ssh/kali_key.

Or use Docker locally:

I have Docker installed locally. Use Docker to run Kali tools.

For OpenClaw and similar AI assistants, you can also configure Kali connection details in TOOLS.md so the agent reads them automatically without asking each time.

3. Invoke

Use natural language to assign a penetration testing task. The agent confirms scope and proceeds autonomously.

Slash command: For Claude Code and compatible agents.

/kali-pentest

Conversational: For OpenClaw, Hermes Agent, and other AI assistants.

Tested Models

The skill workflow has been optimized and tested with:

• claude-sonnet-4.6
• deepseek-v4-pro
• qwen3.6:27b — local fallback for air-gapped environments (requires context length ≥ 128K)

Usage Examples

Kali server: ssh -i ~/.ssh/kali_key [email protected]
First run a full port scan and service fingerprinting against 192.168.1.50, then plan and execute an in-depth penetration test based on the results — do not overlook any potential weakness. After testing, produce a detailed report. I have authorization.

Kali server: ssh -i ~/.ssh/kali_key [email protected]
Target: 10.0.0.0/24
Quickly scan the target network for open ports along with their service/protocol names and versions, then produce a report. I have authorization.

The persistent Docker container `kali-pentest` is initialized with the full toolset. Use Docker mode to run a web application penetration test against http://192.168.1.50 and produce a detailed HTML report. I have authorization.

More examples (API, cloud, mobile, wireless, source code, VoIP/ICS)

Target domain: corp.example.com, domain controller 10.0.0.5
Perform an Active Directory security assessment covering enumeration, Kerberoasting, ACL abuse, and certificate template checks.

Target API: https://api.example.com, OpenAPI spec at /tmp/openapi.yaml
Perform an API security assessment covering authentication, authorization, and schema-driven testing.

Target: Kubernetes cluster context prod-audit and container registry registry.example.com
Run a read-only cloud-native security assessment and produce a findings report.

Target app: /tmp/app.apk with test account [email protected]
Perform an Android application security assessment, including static analysis, runtime checks, and backend endpoint mapping.

Authorized SSID: CorpWiFi, BSSID: AA:BB:CC:DD:EE:FF, channel 6
Perform a wireless security assessment including passive discovery, handshake capture, WPS detection, and evil twin testing.

Target repository: /tmp/source-repo (including Git history)
Perform a source code and dependency audit including secret scanning, SAST, and CI/CD pipeline security checks.

Target: SIP service 10.10.20.15 and Modbus host 10.10.30.20
Conservative read-only VoIP/ICS protocol assessment. Do not place calls or write PLC/Modbus values.

Architecture

Directory Structure

kali-pentest/
├── SKILL.md ← Agent entry point: planning, execution, error handling
└── references/
    ├── playbooks/ ← 15 scenario workflows (AD, web, internal, cloud, wireless, ...)
    ├── environment/ ← Server mode and Docker mode setup
    ├── information-gathering/ ← 39 tools
    ├── vulnerability/ ← 14 tools
    ├── sniffing-spoofing/ ← 6 tools
    ├── web/ ← 31 tools
    ├── exploitation/ ← 19 tools
    ├── password/ ← 19 tools
    ├── wireless/ ← 26 tools
    ├── cloud-native/ ← 7 tools
    ├── rfid-nfc/ ← 5 tools
    ├── voip-ics/ ← 6 tools
    ├── reverse-engineering/ ← 16 tools
    ├── forensics/ ← 13 tools
    ├── post-exploitation/ ← 19 tools
    └── reporting/ ← 2 tools

The kali-pentest-zh/ directory is the Chinese mirror and stays structurally synchronized with kali-pentest/.

Document Layering

The skill uses a four-layer document hierarchy. Each layer has a distinct responsibility, and the agent reads top-down:

General principles live in SKILL.md (brief, no code blocks). Scenario-specific implementations live in playbooks (concrete commands, test matrices, coverage requirements). The layered structure prevents duplication while ensuring both global coverage and per-scenario depth.

Depth Enforcement

Each playbook includes bold-labeled directives at key workflow decision points to prevent the agent from doing shallow, surface-level work:

• Coverage requirements — test ALL discovered items (endpoints, services, credentials), not just a sample.
• Zero-findings fallback — escalate or manually verify when automated tools report no findings.
• Coverage matrices — build explicit item × test matrices and complete every cell.
• Attack escalation — progress through multiple attack techniques of increasing depth.

Every playbook has objective, verifiable stopping conditions — not “testing is complete” but specific artifacts, matrices, and checklists that must be filled. Every confirmed finding must include the complete reproducible command and its actual output as evidence.

Cross-Reference Logic

Playbooks form a connected graph. When a workflow phase discovers targets that belong to a different scenario (e.g., AD signals during internal network scanning, API endpoints during web testing), the playbook directs the agent to switch. All such handoffs are listed in each playbook’s Cross-References section. Reusable methodology (e.g., the port scanning and service testing procedures in internal-network.md) can be referenced from other playbooks.

Playbooks

15 scenario workflows with phases, decision trees, risk gates, and stopping conditions:

Tool Selection Criteria

All tools are selected for autonomous agent operation:

• CLI-automatable only — GUI-only tools and interactive debuggers are excluded
• Headless binary analysis included — strings, checksec, radare2 one-shot, Ghidra Headless
• CLI alternatives preferred — e.g., tshark instead of Wireshark

Contributing

Contributions are welcome — issues, pull requests, and new tool documentation.