A community-driven registry for Claude, Cursor, Windsurf, Cline & more. Not affiliated with Anthropic.
Are you the author? Sign in to claim
An AI red-team agent for authorized labs and web app pentesting workflows. Turns Claude Code / OpenCode / Codex into a s
Autonomous AI-Powered Red Team Simulation Agent
Install · Quick Start · Architecture · 中文
An autonomous red team simulation agent that works with Claude Code, OpenCode, and Codex. It transforms any workspace into a full penetration testing environment for CTF/lab targets — featuring 8 AI agents, containerized Kali tools, a streaming case collection pipeline, and 79 security reference files.
Key Features:
intel.md accumulates tech stack, people, domains, credentials from recon through exploitation; OSINT agent enriches with CVE, breach, DNS history, and social dataexternal_directory approval prompts from blocking /autoengage runs), finding deduplication, surface coverage enforcement, and automatic report synthesis when report artifacts are missing or incompletenpm install -g opencode-ai)curl, jq, sqlite3 (not required for the Docker all-in-one runtime)./install.sh -h
Install
bash <(curl -fsSL https://raw.githubusercontent.com/NeoTheCapt/RedteamAgent/v0.1.1/install.sh) docker
# or:
./install.sh docker ~/redteam-docker
./install.sh --force docker ~/redteam-docker
Start
cd ~/redteam-docker
./run.sh
Run
/engage http://your-ctf-target:8080
/autoengage http://your-ctf-target:8080
Notes
run.sh starts from the image-baked clean template, persists engagement files in workspace/, and persists the OpenCode XDG dirs across restarts: opencode-home/ (auth tokens), opencode-config/ (model selection), opencode-state/ (TUI state)../run.sh --ephemeral-opencode if you do not want to persist any OpenCode state outside the container (you'll have to reconfigure the model each run)../run.sh --rebuild to force a clean image rebuild after install.Install
bash <(curl -fsSL https://raw.githubusercontent.com/NeoTheCapt/RedteamAgent/v0.1.1/install.sh) opencode
# or:
./install.sh opencode
./install.sh opencode ~/my-project
./install.sh --dry-run opencode
Start
cd ~/redteam-agent
opencode
Run
/engage http://your-ctf-target:8080
/autoengage http://your-ctf-target:8080
Notes
.opencode/opencode.json.Exploit when a finding clearly maps to a known module family, service, product/version, or CVE.Install
bash <(curl -fsSL https://raw.githubusercontent.com/NeoTheCapt/RedteamAgent/v0.1.1/install.sh) claude
# or:
./install.sh claude
./install.sh claude ~/my-project
Start
cd ~/redteam-agent
claude
Run
/engage http://your-ctf-target:8080
/autoengage http://your-ctf-target:8080
Install
bash <(curl -fsSL https://raw.githubusercontent.com/NeoTheCapt/RedteamAgent/v0.1.1/install.sh) codex
# or:
./install.sh codex
./install.sh codex ~/my-project
Start
cd ~/redteam-agent
codex
Run
engage http://your-ctf-target:8080
autoengage http://your-ctf-target:8080
Notes
Use the local web UI when you want to manage multiple workspaces or inspect live runs outside the CLI.
Start
./orchestrator/run.sh
# or rebuild the all-in-one image first:
./orchestrator/run.sh --rebuild
Stop
./orchestrator/stop.sh
Notes
http://127.0.0.1:18000./orchestrator/run.sh bootstraps the backend virtualenv, installs frontend dependencies if needed, and builds the frontend before starting.Every runtime writes engagement artifacts to:
engagements/<timestamp-target>/
Common outputs:
findings.md — vulnerability findings and supporting evidencereport.md — final engagement reportlog.md — execution log and operator timelineintel.md — summary intelligence safe for routine reviewintel-secrets.json — full captured secrets and tokensauth.json — active auth material and session statecases.db — SQLite queue, classification, and work statesurfaces.jsonl — high-risk surface coverage trackingSensitive outputs:
intel-secrets.json, auth.json, or any engagement directory that still contains live credentials, tokens, or session state.report.md, selected excerpts from findings.md, and a reviewed/redacted subset of supporting files./engage | /autoengage | |
|---|---|---|
| Auth setup | Asks you to choose (proxy/cookie/skip) | Auto-skip, auto-register if endpoint found, auto-use discovered creds |
| Phase approval | Auto-confirm by default, first phase needs approval | Never asks. Every phase auto-proceeds. |
| Decisions | Parallel by default, can choose sequential | Always parallel. No options. |
| Errors | May stop on unexpected issues | Logs error, continues next task |
| When to use | First time on a target, want oversight | Repeat runs, overnight scans, maximum coverage |
The agent runs through 5 phases:
Phase 1: RECON ─── recon-specialist + source-analyzer (parallel)
│
Phase 2: COLLECT ─ Import endpoints → SQLite queue, start Katana crawler
│
Phase 3: TEST ──── Stage-based case pipeline (replaces strict phase gates):
│ cases carry a `stage` column independent of `status`.
│ Routing by stage+type:
│ ingested + {api,form,graphql,upload,websocket} → vuln-analyst
│ ingested + {javascript,page,stylesheet,data,unknown,api-spec} → source-analyzer
│ vuln_confirmed → exploit-developer
│ fuzz_pending → fuzzer (deep wordlists, >500 entries)
│ Consume-test dispatch is SERIALIZED: one fetch + one task() per turn.
Phase 4: EXPLOIT ── osint-analyst + exploit-developer (parallel)
│ osint-analyst: CVE/breach/DNS/social intel from intel.md
│ exploit-developer: chain analysis, impact assessment
│ osint-respawn: operator runs `intel_changed_check.sh` per
│ loop tick; flag triggers a fresh osint correlation pass.
Phase 5: REPORT ── report-writer with coverage statistics + intelligence summary
| Command | Description |
|---|---|
/engage <url> | Start a new engagement (semi-autonomous) |
/autoengage <url> | Fully autonomous — zero interaction, max coverage |
/resume | Continue an interrupted engagement |
/status | Show progress dashboard with queue stats |
/proxy start/stop | Manage mitmproxy interception proxy |
/auth cookie/header | Configure authentication credentials |
/queue | Show case queue statistics |
/report | Generate final report |
/stop | Stop all background containers |
/confirm auto/manual | Toggle auto/manual approval mode |
/config [key] [value] | View or set runtime configuration |
/subdomain <domain> | Enumerate subdomains for a domain |
/vuln-analyze | Analyze scan results for vulnerabilities |
/osint | Run OSINT intelligence gathering on current engagement |
/recon /scan /enumerate /exploit /pivot | Manual phase overrides |
1 — Proxy login (recommended): /proxy start → login in browser
2 — Manual cookie: /auth cookie "session=abc123"
3 — Manual header: /auth header "Authorization: Bearer ..."
4 — Skip: test unauthenticated surface, configure auth later
┌─────────────────────────┐
│ OPERATOR │
│ (primary — drives all) │
└──┬──┬──┬──┬──┬──┬──┬────┘
│ │ │ │ │ │ │
┌────────────────────┘ │ │ │ │ │ └──────────────────┐
▼ ▼ │ ▼ │ │ ▼
recon- source- │ vuln- │ │ report-
specialist analyzer │ analyst│ │ writer
(network) (code) │ (test) │ │ (report)
│ │ ▼ ▼ ▼
│ │ fuzzer exploit- osint-
│ │ (fuzz) developer analyst
│ │ (exploit) (OSINT)
│ │ ▲ │
│ intel.md ◄─┘ │ │
└──► intel.md └────────┘
operator feeds
OSINT intel → exploit
Producers Queue (SQLite) Consumers
┌──────────┐
│ mitmproxy │─┐ ┌──────────┐ ┌────────┐ ┌─ vuln-analyst (api/form)
│ Katana │─┼──→│ cases.db │─→│dispatch│──┼─ source-analyzer (js/css)
│ recon │─┤ └──────────┘ │ (.sh) │ ├─ fuzzer (deep params)
│ spec │─┘ dedup+state └────────┘ └─ exploit-dev (confirmed)
└──────────┘ 15 types 0 tokens ▲
▲ │
└──────────── new endpoints ──────────────┘
RedteamOpencode/ ← dev workspace (git root)
├── install.sh ← installs agent/ to ~/redteam-agent
├── README.md ← project docs
│
├── agent/ ← ALL agent runtime files (what gets installed)
│ ├── CLAUDE.md ← operator prompt (Claude Code)
│ ├── AGENTS.md ← operator prompt (Codex)
│ ├── .opencode/ ← OpenCode config + single source of truth
│ │ ├── opencode.json ← agent metadata, skills, commands, plugins
│ │ ├── prompts/agents/ ← 8 agent prompts (.txt) — SINGLE SOURCE
│ │ ├── commands/ ← 19 slash commands (.md) — SINGLE SOURCE
│ │ └── plugins/ ← engagement hooks (TypeScript)
│ ├── .claude/ ← Claude Code config (agents + commands generated)
│ │ └── settings.json ← hooks (scope check + auto-logging)
│ ├── .codex/ ← Codex config (agents generated)
│ ├── scripts/
│ │ ├── install-time generators ← install.sh builds .claude/agents + .codex/agents + .claude/commands
│ │ ├── dispatcher.sh ← case queue management
│ │ └── ... ← ingest, hooks, shared libraries
│ ├── skills/ ← 31 attack methodology skills
│ ├── references/ ← 79 reference files (OWASP, tools, tactics, AD)
│ ├── docker/ ← Dockerfiles + docker-compose.yml
│ └── engagements/ ← per-engagement output (created at runtime)
│
└── orchestrator/ ← optional web UI (FastAPI backend + React frontend)
├── backend/ ← Python API; reads from agent/ via agent_source_dir
└── frontend/ ← React shell (Documents / Events / Progress / Cases tabs)
| Feature | Claude Code | OpenCode | Codex |
|---|---|---|---|
| Operator prompt | CLAUDE.md | .opencode/prompts/agents/operator.txt | AGENTS.md |
| Subagents (8) | Generated .claude/agents/*.md | .opencode/prompts/agents/*.txt (source) | Generated .codex/agents/*.toml |
| Slash commands (19) | Generated .claude/commands/*.md | .opencode/commands/*.md (source) | Not supported — use natural language instead |
| Skills (31) | skills/*/SKILL.md (read on demand) | Loaded via instructions array | skills/*/SKILL.md (read on demand) |
| Build | install.sh claude generates agents + commands at install time | N/A (source files) | install.sh codex generates agents at install time |
| Auto-logging | .claude/settings.json hooks | .opencode/plugins/engagement-hooks.ts | N/A |
| Scope enforcement | Hook blocks out-of-scope | Hook warns out-of-scope | N/A |
| Agent attribution | agent_type in hook JSON | chat.message event tracking | N/A |
Development-only wrappers
agent/.claude/agents/operator.md and agent/.codex/agents/operator.toml exist only for working inside the source repo.CLAUDE.md or AGENTS.md as the operator entrypoint and install only generated subagents.mkdir agent/skills/my-skill
# Write agent/skills/my-skill/SKILL.md with frontmatter + methodology
# Add "skills/my-skill/SKILL.md" to instructions array in agent/.opencode/opencode.json
Add files to agent/references/<category>/ and update agent/references/INDEX.md.
Edit model in agent/.opencode/opencode.json. Supports Anthropic, OpenAI, Google, Ollama.
Each project stores its own config, inherited by every run launched under it. Configure via the Edit project button in the Sidebar or NewRunForm, which opens the Project Edit modal with 6 tabs:
| Tab | Fields | Env vars injected into run container |
|---|---|---|
| Model | provider_id, model_id, small_model_id, api_key, base_url | REDTEAM_OPENCODE_MODEL, REDTEAM_OPENCODE_SMALL_MODEL, OPENAI_API_KEY, OPENAI_BASE_URL (or ANTHROPIC_*) |
| Auth | JSON blob for cookies / headers / tokens | Written to auth.json in seed dir |
| Env | Free-form JSON {"VAR": "value"} | Merged into container env |
| Crawler | Katana crawl parameters | KATANA_CRAWL_DEPTH, KATANA_CRAWL_DURATION, KATANA_TIMEOUT_SECONDS, KATANA_CONCURRENCY, KATANA_PARALLELISM, KATANA_RATE_LIMIT, KATANA_STRATEGY, KATANA_ENABLE_HYBRID, KATANA_ENABLE_XHR, KATANA_ENABLE_HEADLESS, KATANA_ENABLE_JSLUICE, KATANA_ENABLE_PATH_CLIMB |
| Parallel | Concurrency ceiling | REDTEAM_MAX_PARALLEL_BATCHES |
| Agents | Enable/disable per subagent | REDTEAM_DISABLED_AGENTS (comma-separated list of disabled agent IDs when any are off) |
Defaults: Empty JSON {} for every config category. When a key is absent, the runtime falls back to the value baked into .env or the agent defaults. Fields only override when explicitly set.
Precedence: crawler_json / parallel_json / agents_json win over free-form env_json. To clear a field, set it to "" (empty string), not null.
This repo has a strict three-layer split — do not cross the lines:
| Layer | Purpose | Examples |
|---|---|---|
| Repo root | Meta only — install script, docs, CI | install.sh, README*.md, .gitignore, docs/ |
agent/ | ALL agent runtime (canonical) | .opencode/, scripts/, skills/, references/, docker/, prompts, operator core |
orchestrator/ | Optional web UI (reads agent/, never copies from root) | backend/ (FastAPI), frontend/ (React) |
Rule: agent/ is the single source of truth for the agent runtime. The orchestrator backend hardcodes agent_source_dir = REPO_ROOT / "agent" (orchestrator/backend/app/config.py:17) and syncs from there into each engagement's workspace. install.sh also installs from agent/ into the target dir.
DO NOT create root-level /.opencode/, /scripts/, /skills/, /references/, or /docker/. Edit the agent/-scoped copy instead.
Two guards are in place:
.gitignore blocks those paths at git add time.
Pre-commit hook at agent/scripts/hooks/block-root-dup-dirs.sh refuses the commit if the paths slip through. Install once per clone:
cp agent/scripts/hooks/block-root-dup-dirs.sh .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
RedteamOpencode/): dev workspace. Run CLI here for repo-level tooling (tests, docs work, orchestrator dev).agent/: runtime home. Run CLI inside agent/ (or the installed target ~/redteam-agent/) to drive engagements.Agent prompts and commands are maintained only in OpenCode format (.opencode/). Claude Code and Codex versions are generated at install time by install.sh:
# install.sh handles building for the target product:
./install.sh claude ~/my-project # generates .claude/agents/*.md + commands at install time
./install.sh codex ~/my-project # generates .codex/agents/*.toml at install time
./install.sh opencode ~/my-project # copies .opencode/ directly (no build needed)
To modify an agent: edit agent/.opencode/prompts/agents/<name>.txt, then re-run install.sh for your product.
To add a new agent: create the .txt file, add agent entry to opencode.json, re-run install.sh.
Operator prompts use a mixed model:
agent/.opencode/prompts/agents/operator.txt stays as the OpenCode source promptagent/operator-core.md is the shared Claude/Codex methodology bodyagent/scripts/render-operator-prompts.sh renders CLAUDE.md, AGENTS.md, and the thin local operator wrappersbash tests/agent-contracts/check-operator-prompts.sh verifies the generated files are still in sync| Problem | Solution |
|---|---|
| Docker images fail to build | docker system prune -af && cd agent/docker && docker compose build --no-cache |
| Docker build fails while fetching Kali packages | Re-run the build. The Dockerfiles configure apt retry/timeout and pin Kali to the official mirror, but transient network failures can still require another attempt. |
| Katana doesn't start | Check: docker logs redteam-katana |
| Agent refuses to test target | Adjust auth in agent/CLAUDE.md or agent/.opencode/instructions/INSTRUCTIONS.md |
| Queue shows 0 cases | Run /status — check Collect phase was executed |
| ProviderModelNotFoundError | Set model in agent/.opencode/opencode.json |
For authorized security testing only. Only use against targets you have explicit permission to test.
Pocket Flow: Codebase to Tutorial
A Comprehensive Benchmark to Evaluate LLMs as Agents (ICLR'24)
💻 A curated list of papers and resources for multi-modal Graphical User Interface (GUI) agents.
npx CLI installing 100+ agents, commands, hooks, and integrations in one command