Hermes 继续自进化，宝藏接一连三出现！ Kali 渗透测试技能，Dashboard 深色主题包、像素世界桥接、AIOps 运维军团、原生视频创作管线……全网程序员把 Hermes 玩成了下一代 Agent 红队黑客 + 丝滑仪表盘 + 元宇宙居民 + 生产值班官 + 视频工厂： kali-pentest（https://github.com/x-glacier/kali-pentest…） 200+ Kali 工具 + 15 场景 playbooks，自主攻击路径 + 人类审批门。 “Agent 终于敢干渗透”实锤了！ Hermes-Dashboard-Themes（https://github.com/yakuzadevopps/Hermes-Dashboard-Themes…） 4 套深色干净主题 + 大字体优化面板。 官方主题“亮瞎眼”时代结束了 hermes-miniverse（https://github.com/teknium1/hermes-miniverse…） 像素世界桥接：Agent 住进 Miniverse，像素小人实时展示思考状态 + 跨 Agent 聊天。 太 meta 了，Agent 也有第二人生！ RunbookHermes（https://github.com/Tommy-yw/RunbookHermes…） Hermes-native AIOps：证据收集 + 审批 + runbook 自学习。 生产事故 24/7 值班军团就位！ Noustiny（https://github.com/UfukNode/Noustiny…） 一句话种子 → 树形故事 → 克隆配音 → 完整 MP4 视频管线。 Hackathon 神作，故事直接变视频了！ // 为什么这些新进化体这么炸？ 全吃 Hermes 底层循环当 DNA，社区再疯狂补渗透测试、主题美化、像素元宇宙、AIOps 军团、视频工厂……生态卷速肉眼可见

x-glacier/kali-pentest

Source: https://github.com/x-glacier/kali-pentest

English | 简体中文

kali-pentest

A penetration testing skill built on Kali Linux for AI agents such as Claude Code, OpenClaw, and Hermes Agent. Currently includes 200+ CLI tools across 14 categories. Built-in coverage matrices, zero-findings fallbacks, and objective stopping conditions for each scenario ensure testing depth.

Unlike traditional automated penetration testing tools, the AI agent connects to a Kali environment via SSH or Docker, then autonomously plans the attack path based on the target, selects tools, integrates and analyzes results across phases to adapt the penetration strategy, and produces a structured report — with mandatory authorization checks and human approval gates for high-risk actions.

Workflow

Overall Workflow

flowchart LR
    A[Receive Task] --> B[Step 1: Environment]
    B --> C[Step 2: Plan]
    C --> D[Step 3: Execute]
    D --> E[Step 4: Analyze & Iterate]
    E -->|Adapt strategy| D
    E --> F[Step 5: Report]

    C --- C1[Confirm authorization & scope]
    C --- C2[Plan attack path & select depth]
    C --- C3[Select playbook from decision tree]
    E --- E1[Integrate results across phases]

Execution Detail (Step 3)

flowchart TD
    PB[Select Playbook] --> CAT[Read category README]
    CAT --> TOOL[Select tool & run]
    TOOL --> OUT[Collect output]
    OUT --> EVAL{Findings?}
    EVAL -->|Yes| NEXT{New target type?}
    EVAL -->|No| DEEPER[Escalate: deeper scan or alternate tool]
    NEXT -->|AD| AD[active-directory.md]
    NEXT -->|Web app| WEB[web-application.md]
    NEXT -->|Credentials| PWD[password-audit.md]
    NEXT -->|Initial access| POST[post-exploitation.md]
    NEXT -->|No| ITER[Next iteration]
    AD --> ITER
    WEB --> ITER
    PWD --> ITER
    POST --> ITER
    DEEPER --> ITER
    ITER --> TOOL

Getting Started

1. Install the skill

Copy the skill directory into your AI agent’s skills folder:

cp -r kali-pentest /path/to/your/agent/skills/kali-pentest

2. Provide Kali access

The agent needs a Kali Linux environment. Two options:

• Server mode (recommended): full Kali over SSH — avoids Docker networking, raw-socket, wireless, and GPU limitations.
  Documentation: Kali installation guide, Server mode guide.

• Docker mode: pre-build a persistent container with tools installed. Best for CLI information gathering, vulnerability scanning, web/API and cloud-native testing, and reporting.
  Documentation: Kali Docker guide, Docker mode guide.

Tell the agent how to connect (SSH key is recommended; username/password is supported but not recommended):

My Kali server is at 192.168.1.100, SSH user root, key at ~/.ssh/kali_key.

Or use Docker locally:

I have Docker installed locally. Use Docker to run Kali tools.

For OpenClaw and similar AI assistants, you can also configure Kali connection details in TOOLS.md so the agent reads them automatically without asking each time.

3. Invoke

Use natural language to assign a penetration testing task. The agent confirms scope and proceeds autonomously.

Slash command:

For Claude Code and compatible agents.

/kali-pentest

Conversational:

For OpenClaw, Hermes Agent, and other AI assistants.

Tested Models

The skill workflow has been optimized and tested with:

• claude-sonnet-4.6
• deepseek-v4-pro
• qwen3.6:27b — local fallback for air-gapped environments (requires context length ≥ 128K)

Usage Examples

Kali server: ssh -i ~/.ssh/kali_key [email protected]
First run a full port scan and service fingerprinting against 192.168.1.50, then plan and execute an in-depth penetration test based on the results — do not overlook any potential weakness. After testing, produce a detailed report.
I have authorization.

Kali server: ssh -i ~/.ssh/kali_key [email protected]
Target: 10.0.0.0/24
Quickly scan the target network for open ports along with their service/protocol names and versions, then produce a report.
I have authorization.

The persistent Docker container `kali-pentest` is initialized with the full toolset.
Use Docker mode to run a web application penetration test against http://192.168.1.50 and produce a detailed HTML report.
I have authorization.

Target domain: corp.example.com, domain controller 10.0.0.5
Perform an Active Directory security assessment covering enumeration, Kerberoasting, ACL abuse, and certificate template checks.

Target API: https://api.example.com, OpenAPI spec at /tmp/openapi.yaml
Perform an API security assessment covering authentication, authorization, and schema-driven testing.

Target: Kubernetes cluster context prod-audit and container registry registry.example.com
Run a read-only cloud-native security assessment and produce a findings report.

Target app: /tmp/app.apk with test account [email protected]
Perform an Android application security assessment, including static analysis, runtime checks, and backend endpoint mapping.

Authorized SSID: CorpWiFi, BSSID: AA:BB:CC:DD:EE:FF, channel 6
Perform a wireless security assessment including passive discovery, handshake capture, WPS detection, and evil twin testing.

Target repository: /tmp/source-repo (including Git history)
Perform a source code and dependency audit including secret scanning, SAST, and CI/CD pipeline security checks.

Target: SIP service 10.10.20.15 and Modbus host 10.10.30.20
Conservative read-only VoIP/ICS protocol assessment. Do not place calls or write PLC/Modbus values.

Architecture

Directory Structure

kali-pentest/
├── SKILL.md                   ← Agent entry point: planning, execution, error handling
└── references/
    ├── playbooks/             ← 15 scenario workflows (AD, web, internal, cloud, wireless, ...)
    ├── environment/           ← Server mode and Docker mode setup
    ├── information-gathering/ ← 39 tools
    ├── vulnerability/         ← 14 tools
    ├── sniffing-spoofing/     ← 6 tools
    ├── web/                   ← 31 tools
    ├── exploitation/          ← 19 tools
    ├── password/              ← 19 tools
    ├── wireless/              ← 26 tools
    ├── cloud-native/          ← 7 tools
    ├── rfid-nfc/              ← 5 tools
    ├── voip-ics/              ← 6 tools
    ├── reverse-engineering/   ← 16 tools
    ├── forensics/             ← 13 tools
    ├── post-exploitation/     ← 19 tools
    └── reporting/             ← 2 tools

The kali-pentest-zh/ directory is the Chinese mirror and stays structurally synchronized with kali-pentest/.

Document Layering

The skill uses a four-layer document hierarchy. Each layer has a distinct responsibility, and the agent reads top-down:

General principles live in SKILL.md (brief, no code blocks). Scenario-specific implementations live in playbooks (concrete commands, test matrices, coverage requirements). The layered structure prevents duplication while ensuring both global coverage and per-scenario depth.

Depth Enforcement

Each playbook includes bold-labeled directives at key workflow decision points to prevent the agent from doing shallow, surface-level work:

• Coverage requirements — test ALL discovered items (endpoints, services, credentials), not just a sample.
• Zero-findings fallback — escalate or manually verify when automated tools report no findings.
• Coverage matrices — build explicit item × test matrices and complete every cell.
• Attack escalation — progress through multiple attack techniques of increasing depth.

Every playbook has objective, verifiable stopping conditions — not “testing is complete” but specific artifacts, matrices, and checklists that must be filled. Every confirmed finding must include the complete reproducible command and its actual output as evidence.

Cross-Reference Logic

Playbooks form a connected graph. When a workflow phase discovers targets that belong to a different scenario (e.g., AD signals during internal network scanning, API endpoints during web testing), the playbook directs the agent to switch. All such handoffs are listed in each playbook’s Cross-References section.

Reusable methodology (e.g., the port scanning and service testing procedures in internal-network.md) can be referenced from other playbooks.

Playbooks

15 scenario workflows with phases, decision trees, risk gates, and stopping conditions:

Tool Selection Criteria

All tools are selected for autonomous agent operation:

• CLI-automatable only — GUI-only tools and interactive debuggers are excluded
• Headless binary analysis included — strings, checksec, radare2 one-shot, Ghidra Headless
• CLI alternatives preferred — e.g., tshark instead of Wireshark

Contributing

Contributions are welcome — issues, pull requests, and new tool documentation.