
@intentsolutionsio/penetration-tester

v2.0.0

Published

Security testing toolkit with HTTP header analysis, dependency auditing, and static code scanning

Downloads

141

Readme

Penetration Tester Plugin

Security testing toolkit for web applications, dependencies, and source code. Three real scanners that wrap established tools (requests, bandit, pip-audit, npm audit) with unified reporting.

What It Does

| Scanner | Target | What It Checks |
|---------|--------|----------------|
| security_scanner.py | Live URLs | Security headers, SSL/TLS, exposed endpoints, HTTP methods, CORS |
| dependency_auditor.py | Project dirs | npm and pip vulnerabilities, CVEs, outdated packages |
| code_security_scanner.py | Codebases | Hardcoded secrets, SQL injection, command injection, insecure deserialization |

Installation

/plugin install penetration-tester@claude-code-plugins-plus

Setup

Install Python dependencies:

bash scripts/setup_pentest_env.sh

Or with a virtual environment:

bash scripts/setup_pentest_env.sh --venv

Requires Python 3.9+. The setup script installs requests, bandit, and pip-audit, then verifies each tool works.

Quick Start

Check security headers on a URL:

> Check the security headers on https://example.com

Audit project dependencies:

> Audit the dependencies in this project for vulnerabilities

Scan code for security issues:

> Scan this codebase for hardcoded secrets and security issues

Full security audit:

> Run a full security audit on this project

Scanners

security_scanner.py

HTTP security analysis for live web applications.

python3 scripts/security_scanner.py https://example.com
python3 scripts/security_scanner.py https://example.com --checks headers,ssl
python3 scripts/security_scanner.py https://example.com --output report.json

Checks:

  • Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
  • SSL/TLS certificate validity and expiry
  • Exposed endpoints (.git, .env, admin panels, server-status)
  • Dangerous HTTP methods (PUT, DELETE, TRACE)
  • CORS misconfigurations (wildcard, reflected origin)
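A minimal version of the header and CORS checks listed above, as an added example that is not the plugin's own security_scanner.py: it evaluates an already-fetched response-header map (so it runs offline on a constructed sample), flags missing headers and the wildcard and reflected-origin CORS cases, and applies the exit-code convention described under Output. The severity assigned to each header is my assumption.

```python
"""Header and CORS checks over an already-fetched response (constructed example, offline)."""
from typing import Dict, List

# Headers from the Checks list above; the severity assigned to each is an assumption.
REQUIRED_HEADERS = {
    "strict-transport-security": "high",
    "content-security-policy": "high",
    "x-frame-options": "medium",
    "x-content-type-options": "medium",
    "referrer-policy": "low",
    "permissions-policy": "low",
}

def analyze_headers(headers: Dict[str, str], request_origin: str) -> List[dict]:
    """Return findings ({'severity', 'issue'}); header names compare case-insensitively.
    request_origin is the Origin value sent with the probe request, so a reflected
    Access-Control-Allow-Origin can be told apart from a fixed allow-list entry
    (send a random origin, not one the site legitimately allows)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, severity in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append({"severity": severity, "issue": f"missing {name}"})
    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append({"severity": "medium", "issue": "CORS wildcard origin"})
    elif acao and acao == request_origin:
        # Reflecting whatever Origin arrives is worse when credentials are also allowed.
        findings.append({"severity": "high" if credentials else "medium",
                         "issue": "CORS reflects arbitrary request origin"})
    return findings

def exit_code(findings: List[dict]) -> int:
    """README convention: 0 when no critical/high findings, otherwise 1."""
    return 1 if any(f["severity"] in ("critical", "high") for f in findings) else 0

# Constructed sample response headers, not captured from a real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "https://other.example",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    result = analyze_headers(SAMPLE_HEADERS, "https://other.example")
    for f in result:
        print(f"[{f['severity']}] {f['issue']}")
    raise SystemExit(exit_code(result))
```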

dependency_auditor.py

Unified dependency vulnerability scanner.

python3 scripts/dependency_auditor.py /path/to/project
python3 scripts/dependency_auditor.py . --min-severity high
python3 scripts/dependency_auditor.py . --scanners npm,pip --output findings.json

Supports:

  • npm projects (via npm audit)
  • Python projects (via pip-audit)
  • Auto-detects project type from manifest files
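An added example, not the plugin's dependency_auditor.py, of how the two tool reports can be unified and filtered by a --min-severity threshold: manifest-based project detection, normalization of the JSON shapes that npm audit --json (npm 7+) and pip-audit --format json emit, and the severity filter. The sample reports are constructed, the manifest file names are assumptions, and because pip-audit reports no severity the default of "high" for pip findings is also an assumption.

```python
"""Unify npm audit / pip-audit JSON into one finding list and filter by minimum severity."""
import json
import os
from typing import List

# npm audit uses "moderate"; "medium" is accepted so --min-severity medium works for both.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "medium": 2, "high": 3, "critical": 4}

def detect_project_types(project_dir: str) -> List[str]:
    """Auto-detect from manifest files (which files count is an assumption here)."""
    types = []
    if os.path.exists(os.path.join(project_dir, "package.json")):
        types.append("npm")
    if any(os.path.exists(os.path.join(project_dir, m)) for m in ("requirements.txt", "pyproject.toml")):
        types.append("pip")
    return types

def normalize_npm(report: dict) -> List[dict]:
    """npm audit --json (npm 7+) keys 'vulnerabilities' by package name; 'via' mixes
    advisory dicts and plain dependency-name strings, so only dicts carry a URL."""
    return [{"scanner": "npm", "package": name, "severity": v["severity"],
             "advisory": next((x.get("url", "") for x in v.get("via", []) if isinstance(x, dict)), "")}
            for name, v in report.get("vulnerabilities", {}).items()]

def normalize_pip(report: dict) -> List[dict]:
    """pip-audit --format json lists 'dependencies', each with a 'vulns' list and no
    severity field; 'high' is an assumed default so these are never filtered out silently."""
    return [{"scanner": "pip", "package": d["name"], "severity": "high", "advisory": v["id"]}
            for d in report.get("dependencies", []) for v in d.get("vulns", [])]

def filter_min_severity(findings: List[dict], min_severity: str) -> List[dict]:
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]

# Constructed sample reports in the two tools' output shapes (not real tool output).
NPM_REPORT = json.loads('{"vulnerabilities": {"sample-a": {"severity": "moderate", '
                        '"via": [{"url": "https://advisory.example/1"}]}, '
                        '"sample-b": {"severity": "critical", "via": ["sample-a"]}}}')
PIP_REPORT = json.loads('{"dependencies": [{"name": "samplepkg", "version": "1.0.0", '
                        '"vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"]}]}, '
                        '{"name": "clean", "version": "2.0", "vulns": []}]}')

def audit(min_severity: str = "low") -> List[dict]:
    """Combined, filtered findings for the constructed reports."""
    return filter_min_severity(normalize_npm(NPM_REPORT) + normalize_pip(PIP_REPORT), min_severity)
```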

code_security_scanner.py

Static analysis for security vulnerabilities.

python3 scripts/code_security_scanner.py /path/to/code
python3 scripts/code_security_scanner.py . --tools bandit,regex --severity high
python3 scripts/code_security_scanner.py . --exclude "test_*,*_test.py"

Detects:

  • Hardcoded secrets (API keys, AWS keys, passwords, tokens)
  • SQL injection (string concatenation in queries)
  • Command injection (os.system, subprocess with shell=True)
  • Eval/exec usage
  • Insecure deserialization (pickle, unsafe YAML loading)
  • Weak cryptography (MD5, SHA1)
  • Disabled SSL verification
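An added example of the regex layer such a scanner can run per source line (not the plugin's code_security_scanner.py; the patterns, rule names and severities are my assumptions). It scans a constructed Python snippet that contains one instance of most items in the Detects list, and deliberately does not flag the safe yaml.load(..., Loader=yaml.SafeLoader) call.

```python
"""Line-oriented regex checks for the classes of issue listed above (constructed example)."""
import re
from typing import List, Tuple

# (rule name, severity, pattern). Illustrative assumptions, not the plugin's rule set.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("hardcoded-aws-key", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-secret", "high",
     re.compile(r"(?i)\b(password|api_key|secret|token)\s*=\s*['\"][^'\"]{8,}['\"]")),
    ("command-injection", "high",
     re.compile(r"\b(os\.system\(|subprocess\.\w+\([^)]*shell\s*=\s*True)")),
    ("sql-injection", "high",
     re.compile(r"\.execute\(\s*(f['\"]|['\"][^'\"]*['\"]\s*(\+|%))")),
    ("eval-exec", "medium", re.compile(r"\b(eval|exec)\(")),
    ("insecure-deserialization", "high",
     re.compile(r"\b(pickle\.loads?\(|yaml\.load\((?![^)]*SafeLoader))")),
    ("weak-crypto", "medium", re.compile(r"\bhashlib\.(md5|sha1)\(")),
    ("ssl-verify-disabled", "medium", re.compile(r"\bverify\s*=\s*False\b")),
]

def scan_source(source: str) -> List[dict]:
    """Return one finding per (line, rule) match; line numbers are 1-based."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment lines are skipped to cut false positives
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": name, "severity": severity,
                                 "code": line.strip()})
    return findings

# Constructed sample target code; the key value is fake.
SAMPLE_SOURCE = '''\
import hashlib, os, pickle, subprocess, yaml
API_KEY = "sk_live_abcdef1234567890"
def run(cmd):
    subprocess.run(cmd, shell=True)
def find(cur, uid):
    cur.execute("SELECT * FROM users WHERE id=" + uid)
def load(blob):
    return pickle.loads(blob)
def cfg(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
h = hashlib.md5(b"x")
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f['line']}: [{f['severity']}] {f['rule']}: {f['code']}")
```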

Output

All scanners produce:

  • Markdown-formatted reports for terminal display
  • JSON reports via --output for programmatic use
  • Risk scoring with severity levels (critical, high, medium, low, info)
  • Remediation guidance for each finding

Exit code 0 means no critical or high findings. Exit code 1 means at least one critical or high finding was reported.

Reference Documentation

The references/ directory contains detailed guides:

  • OWASP_TOP_10.md -- Each OWASP Top 10 risk with scanner mapping and fix templates
  • SECURITY_HEADERS.md -- HTTP header implementation for Express, Django, Nginx, Apache
  • REMEDIATION_PLAYBOOK.md -- Copy-paste fix templates for common vulnerabilities

Authorization Warning

Only test systems you are authorized to test.

  • Never scan URLs you do not own or have written permission to test
  • Local code scanning and dependency auditing of your own projects is always safe
  • The scanners will ask for authorization confirmation before external scans
  • Unauthorized security testing may violate laws in your jurisdiction

Commands

  • /pentest -- Full security testing workflow with authorization checks
  • /scan-headers -- Quick security header check for a single URL

Requirements

  • Python 3.9+
  • requests >= 2.31.0
  • bandit >= 1.7.5 (optional, for code scanning)
  • pip-audit >= 2.6.0 (optional, for Python dependency auditing)
  • npm (optional, for JavaScript dependency auditing)

Contributors

  • @duskfallcrew -- Reported AV false positive from PHP payloads in docs (#300), prompting the v2.0.0 rebuild

License

MIT License - See LICENSE file for details.