Customization
Before executing, check for user customizations at:
~/.claude/PAI/USER/SKILLCUSTOMIZATIONS/WebAssessment/
If this directory exists, load and apply any PREFERENCES.md, configurations, or resources found there. These override default behavior. If the directory does not exist, proceed with skill defaults.
🚨 MANDATORY: Voice Notification (REQUIRED BEFORE ANY ACTION)
You MUST send this notification BEFORE doing anything else when this skill is invoked.
- •
Send voice notification:
bashcurl -s -X POST http://localhost:8888/notify \ -H "Content-Type: application/json" \ -d '{"message": "Running the WORKFLOWNAME workflow in the WebAssessment skill to ACTION"}' \ > /dev/null 2>&1 & - •
Output text notification:
codeRunning the **WorkflowName** workflow in the **WebAssessment** skill to ACTION...
This is not optional. Execute this curl command immediately upon skill invocation.
WebAssessment Skill
Security assessment infrastructure integrating reconnaissance, threat modeling, and vulnerability testing.
Workflow Routing
| Trigger | Workflow |
|---|---|
| "understand application", "what does this app do", "map the application" | UnderstandApplication |
| "threat model", "attack scenarios", "how would I attack" | CreateThreatModel |
| "pentest", "security assessment", "test for vulnerabilities" | Pentest/MasterMethodology |
| "fuzz with ffuf", "directory fuzzing", "content discovery" | ffuf/FfufGuide |
| "OSINT", "reconnaissance", "open source intelligence" | osint/MasterGuide |
| "test web app", "Playwright", "browser automation" | webapp/TestingGuide |
| "bug bounty", "bounty programs" | bug-bounty/Programs |
| "vulnerability analysis with AI", "Gemini analysis" | VulnerabilityAnalysisGemini3 |
Skill Integration
WebAssessment coordinates with specialized skills:
| Phase | Skill | Purpose |
|---|---|---|
| Scope Definition | Recon | Corporate structure, domain enumeration |
| Target Discovery | Recon | Subdomains, endpoints, ports |
| Understanding | WebAssessment | App narrative, user flows, sensitive data |
| Threat Modeling | WebAssessment | Attack scenarios, test prioritization |
| Injection Testing | PromptInjection | LLM-specific attacks |
| Intelligence | OSINT | People, companies, social media |
Assessment Workflow
1. Corporate Structure (Recon) → Define scope and targets 2. Subdomain Enumeration (Recon) → Find all domains 3. Endpoint Discovery (Recon) → Extract JS endpoints 4. Understand Application → Build app narrative 5. Create Threat Model → Prioritize attack scenarios 6. Execute Testing → Test against identified threats 7. Report Findings → Document with PoCs
Recon Skill Tools
WebAssessment uses tools from the Recon skill:
# Corporate structure for scope bun ~/.claude/skills/Security/Recon/Tools/CorporateStructure.ts target.com # Subdomain enumeration bun ~/.claude/skills/Security/Recon/Tools/SubdomainEnum.ts target.com # Endpoint discovery from JavaScript bun ~/.claude/skills/Security/Recon/Tools/EndpointDiscovery.ts https://target.com # Port scanning bun ~/.claude/skills/Security/Recon/Tools/PortScan.ts target.com # Path discovery bun ~/.claude/skills/Security/Recon/Tools/PathDiscovery.ts https://target.com
UnderstandApplication Output
Produces structured narrative including:
- •Summary: Purpose, industry, user base, critical functions
- •User Roles: Access levels and capabilities
- •User Flows: Step-by-step processes with sensitive data
- •Technology Stack: Frontend, backend, auth, third-party
- •Attack Surface: Entry points, inputs, file uploads, websockets
CreateThreatModel Output
Generates prioritized attack plan:
- •Threats: OWASP/CWE mapped with risk scores
- •Attack Paths: Multi-step attack scenarios
- •Test Plan: Prioritized with tool suggestions
- •Effort Estimates: Quick/medium/extensive per threat
Threat Categories
| Category | Triggers On |
|---|---|
| Authentication | Auth mechanisms detected |
| Access Control | Multiple user roles |
| Injection | All web apps |
| Data Exposure | Sensitive data identified |
| File Upload | Upload functionality |
| API Security | API endpoints |
| WebSocket | WebSocket detected |
| Business Logic | All web apps |
| Payment Security | Payment flows |
6-Phase Pentest Methodology
Phase 0: Scoping & Preparation Phase 1: Reconnaissance (Recon skill) Phase 2: Mapping (content discovery) Phase 3: Vulnerability Analysis Phase 4: Exploitation Phase 5: Reporting
Key Principles
- •Authorization first - Never test without explicit permission
- •Understand before testing - Build app narrative first
- •Threat model guides testing - Don't test blindly
- •Breadth then depth - Wide recon, focused exploitation
- •Document everything - Notes, screenshots, commands
Workflow Index
Core Assessment:
- •
Workflows/UnderstandApplication.md- Application reconnaissance - •
Workflows/CreateThreatModel.md- Attack scenario generation
Penetration Testing:
- •
Workflows/pentest/MasterMethodology.md- 6-phase methodology - •
Workflows/pentest/ToolInventory.md- Security tools reference - •
Workflows/pentest/Reconnaissance.md- Asset discovery - •
Workflows/pentest/Exploitation.md- Vulnerability testing
Web Fuzzing:
- •
Workflows/ffuf/FfufGuide.md- FFUF fuzzing guide - •
Workflows/ffuf/FfufHelper.md- Automated fuzzing helper
Bug Bounty:
- •
Workflows/bug-bounty/Programs.md- Program tracking - •
Workflows/bug-bounty/AutomationTool.md- Bounty automation
Web App Testing:
- •
Workflows/webapp/TestingGuide.md- Playwright testing - •
Workflows/webapp/Examples.md- Testing patterns
OSINT:
- •
Workflows/osint/MasterGuide.md- OSINT methodology - •
Workflows/osint/Reconnaissance.md- Domain recon - •
Workflows/osint/SocialMediaIntel.md- SOCMINT - •
Workflows/osint/Automation.md- SpiderFoot/Maltego - •
Workflows/osint/MetadataAnalysis.md- ExifTool analysis
AI-Powered:
- •
Workflows/VulnerabilityAnalysisGemini3.md- Gemini deep analysis
Examples
Example 1: Full assessment workflow
User: "Security assessment on app.example.com" → Run UnderstandApplication to build narrative → Run CreateThreatModel to prioritize testing → Follow MasterMethodology with threat model guidance → Report findings with OWASP/CWE references
Example 2: Quick threat model
User: "How would I attack this app?" → Run CreateThreatModel on target → Get prioritized attack paths → Get test plan with tool suggestions
Example 3: Integrate with Recon
User: "Assessment on target.com including all subdomains" → CorporateStructure (Recon) → Find parent/child companies → SubdomainEnum (Recon) → Find all subdomains → EndpointDiscovery (Recon) → Extract JS endpoints → UnderstandApplication → Build app narrative → CreateThreatModel → Generate attack plan