Cocodedk / Pentest Tool

ClawPwn

AI-assisted offensive security with a focus on signal, speed, and operator control.

Interface: Natural language + CLI
Focus: Recon → Scan → Report
Storage: SQLite + Postgres
AI: Claude · GPT · OpenRouter

Core Capabilities

Recon Grid

Target mapping, service fingerprinting, raw content fetching, CVE research, and anomaly spotting with structured output.

Scanner Orchestration

Modular plugin system: nmap, nuclei, sqlmap, nikto, feroxbuster, wpscan, testssl, and more.

AI Agent

LLM-driven tool-use agent plans attacks, executes tiered scans, revises strategy on findings.

Autopilot Mode

Autonomous multi-cycle recon. The agent loops: plan → scan → analyze → decide → repeat.

Interactive Console

Natural language or CLI input with auto-routing. Prefix ! for CLI, ? for NLI.

Shell Command Execution

Run CLI tools (aws, curl, openssl) directly via the agent with approval gates and audit logging.

Report Forge

Generate findings reports in HTML, PDF, JSON, or Markdown with evidence and remediation steps.

Doctor

Pre-flight health check: Python version, external tools, privileges, wordlists, API keys, and project status.

Autopilot Mode

Unattended, multi-cycle reconnaissance and vulnerability detection driven by the LLM agent. No exploitation or credential brute-forcing — recon only.

# Basic usage (uses active target)
clawpwn autopilot

# Specify target, limit to 3 cycles and 1 hour
clawpwn autopilot http://10.0.0.5 --cycles 3 --duration 1.0

# Verbose output with progress details
clawpwn autopilot http://10.0.0.5 -c 5 -d 4.0 --verbose

How It Works

  • Each cycle generates a recon plan ordered fastest-first
  • Executes tiered tools: fingerprint, research, web scan, network scan
  • Summarizes results and evaluates new attack surfaces
  • Lightweight LLM call evaluates results and decides next steps
  • Stops when coverage is thorough or when the cycle or time limit is reached

Options

Option          Description
--cycles, -c    Max recon cycles (default: 5)
--duration, -d  Max hours (default: 4.0)
--verbose, -v   Show per-step progress

Excluded tools: credential_test, run_custom_script, run_command

Command Reference

Command     Purpose                        Example
init        Initialize project             clawpwn init
target      Set active target              clawpwn target http://10.0.0.5
status      Show target, phase, findings   clawpwn status
scan        Network + web scanning         clawpwn scan --depth deep
discover    Discover live hosts            clawpwn discover --range 192.168.1.0/24
autopilot   Autonomous recon loop          clawpwn autopilot --cycles 3
recon       Subdomain enumeration (Amass)  clawpwn recon example.com --mode passive
experience  Manage global experience DB    clawpwn experience --domain example.com
killchain   AI-guided end-to-end phases    clawpwn killchain --auto
report      Generate report                clawpwn report --format html
logs        Show project logs              clawpwn logs --limit 100
config      Show/edit config               clawpwn config show
objective   Set/show/clear objective       clawpwn objective set "..."
memory      Show/clear project memory      clawpwn memory show
doctor      Pre-flight health check        clawpwn doctor
console     Interactive console            clawpwn console

Quick Start

# Install
./install.sh

# Check setup
clawpwn doctor

# Create project
mkdir -p ~/pentest/target && cd ~/pentest/target
clawpwn init

# Set target and scan
clawpwn target https://example.com
clawpwn scan --depth normal

# Or run autonomous recon
clawpwn autopilot https://example.com --cycles 3

# Open interactive console
clawpwn console

Architecture

Signal Stack

  • CLI: Typer + Rich terminal UI
  • AI Core: LLM orchestrator with tool-use agent
  • Autopilot: Supervisor loop over plan executor
  • Modules: Scanner plugins, network, credential test
  • Storage: SQLite per project + Postgres experience DB

AI Execution Paths

  • Plan Executor: Code-driven, 3 LLM calls, tiered parallel
  • Agent Loop: Conversational, up to 16 tool-use rounds
  • Autopilot: Multi-cycle supervisor with follow-up decisions
  • Routing: Intent classification selects the right path

Scanner Support

Network

nmap · masscan · rustscan · naabu

Recon

amass (subdomain enumeration)

Web

builtin · nuclei · nikto · sqlmap · feroxbuster · ffuf · wpscan · testssl · zap

Credentials

Built-in form tester · hydra backend

Agent Tools

fetch_url (raw content extraction) · run_command (shell: aws, curl, etc.)

Configuration

cp .env.example .env

Environment Variables

CLAWPWN_LLM_PROVIDER       anthropic, openai, openrouter
CLAWPWN_LLM_API_KEY        API key for selected provider
CLAWPWN_LLM_MODEL          Model override
CLAWPWN_EXPERIENCE_DB_URL  Postgres connection string
CLAWPWN_CRED_WORDLIST      Path to credential wordlist

Precedence

  1. Process environment variables
  2. Project .clawpwn/.env
  3. Global ~/.clawpwn/config.yml
  4. Code defaults
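To make the precedence concrete, here is an added example resolver (not ClawPwn's own code) that walks the four layers for a CLAWPWN_* setting and redacts secret values before they are displayed. It assumes the project .env is plain KEY=VALUE lines, that config.yml has already been parsed into a dict keyed by the same variable names, and that an empty value counts as unset.

```python
from typing import Mapping, Optional, Tuple

# Constructed defaults for this example; the real defaults live in the code.
DEFAULTS = {"CLAWPWN_LLM_PROVIDER": "anthropic", "CLAWPWN_LLM_MODEL": None}

# Settings whose values must never be echoed in diagnostics such as doctor.
SECRETS = {"CLAWPWN_LLM_API_KEY", "CLAWPWN_EXPERIENCE_DB_URL"}

# Layer names in precedence order, highest first.
LAYERS = ("process environment", "project .clawpwn/.env",
          "global ~/.clawpwn/config.yml", "code defaults")


def parse_dotenv(text: str) -> dict:
    """Parse KEY=VALUE lines from a project .env file. Blank lines, comments
    and lines without '=' are skipped; one layer of matching quotes is removed."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key] = value
    return result


def resolve(name: str, process_env: Mapping, project_env: Mapping,
            global_config: Mapping, defaults: Mapping = DEFAULTS
            ) -> Tuple[Optional[str], str]:
    """Return (value, source) for one setting; the first non-empty layer wins.
    Assumption: an empty string is unset, so 'KEY=' does not mask a lower layer."""
    for source, layer in zip(LAYERS, (process_env, project_env, global_config, defaults)):
        value = layer.get(name)
        if value not in (None, ""):
            return str(value), source
    return None, "unset"


def display(name: str, value: Optional[str]) -> Optional[str]:
    """Redact secret settings before printing, keeping a short suffix so an
    operator can still tell which key or connection string is loaded."""
    if value is None or name not in SECRETS:
        return value
    return "****" + value[-4:] if len(value) > 4 else "****"
```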

Operational Notes

ClawPwn is intended for authorized security testing only. Always obtain written permission and follow local laws. MIT License.