npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@opensploit/core

v0.2.0

Published

Autonomous penetration testing plugin for OpenCode

Downloads

199

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

opensploitopensploit

Keywords

opensploitpentestpenetration-testingsecuritymcpopencodepluginai-agent

Readme

OpenSploit

The autonomous penetration testing plugin for OpenCode.

OpenSploit turns OpenCode into a penetration testing platform. It provides pentest-specific agents, MCP security tool orchestration, engagement state tracking, and attack methodology — all as a plugin that runs on stock OpenCode.

What it provides

11 pentest agents — Master orchestrator + 10 specialized sub-agents (recon, enum, exploit, post-exploitation, reporting, research, build, captcha, validator, tool-runner). Each follows the TVAR reasoning framework and delegates work through a hierarchical agent system.

13 custom tools — security tool invocation (mcp_tool, cli_in_container, plus a detach trio for held processes), tool registry search (RAG), engagement state read/write, hosts management, browser VNC mode, and the validated-engagement memory surface (save_solve, solve_search, save_validation_failure).

7 hooks — Live engagement state injection, session path rewriting, ultrasploit auto-approve, compaction context preservation, trajectory recording, chat-message filtering, and chat-messages transformation.

TUI features — OpenSploit logo, rainbow "ultrasploit" text, sidebar indicator, terminal title override, slash commands.

Validated-engagement memory (Doc 36)

After a successful engagement, OpenSploit auto-spawns a hidden pentest/validator sub-agent that re-runs the procedure against the target to verify each reported step actually reproduces the objective, then saves a concise canonical solve-doc into a LanceDB store. Future engagements call solve_search to retrieve relevant prior solves and adapt them. Failed re-validations are recorded separately in a queryable audit table — useful both as a reliability flag on the original report and as a negative-label training signal.

Install

Add the plugin to your OpenCode configuration:

// .opencode/opencode.jsonc
{
  "plugin": ["@opensploit/core"]
}
// .opencode/tui.json
{
  "plugin": ["@opensploit/core"]
}

Or use the full OpenSploit desktop app which comes preconfigured.

How it works

  1. OpenSploit registers pentest agents via the config hook — the default agent becomes pentest
  2. The master agent orchestrates the engagement, spawning sub-agents for each phase
  3. Sub-agents discover and invoke security tools via the MCP tool registry
  4. Tools run in Docker containers (nmap, sqlmap, ffuf, hydra, etc.) managed by the container manager
  5. Engagement state (ports, credentials, vulnerabilities) is shared across all agents
  6. The system.transform hook injects live state into every agent's system prompt

MCP Security Tools

The security tools run as MCP servers in Docker containers, maintained in a separate repository:

silicon-works/mcp-tools — 70+ tools including nmap, sqlmap, ffuf, hydra, metasploit, impacket, netexec, nuclei, nikto, and more.

Contributing

Add an agent — Write a markdown file with YAML frontmatter describing the agent's role, permissions, and prompt. Submit a PR.

Add a tool — Write a TypeScript file using the tool() API from @opencode-ai/plugin. The tool receives a ToolContext with session info and returns a string result.

Add an MCP server — Fork mcp-tools, create a Python MCP server extending BaseMCPServer, wrap it in Docker.

Improve a prompt — Agent prompts are in src/agents/prompts/. Better methodology, more techniques, clearer instructions — all welcome.

Development

git clone https://github.com/silicon-works/opensploit-plugin
cd opensploit-plugin
bun install
bun test

To test with OpenCode:

# In your opencode project
echo '{ "plugin": ["file:///path/to/opensploit-plugin"] }' > .opencode/opencode.jsonc
bun dev

Architecture

src/
  index.ts          — Server plugin entry (agents, tools, hooks)
  tui.tsx           — TUI plugin entry (logo, ultrasploit, rainbow)
  agents/           — Agent definitions + prompt files
  tools/            — Custom tools (mcp_tool, registry search, etc.)
  hooks/            — Hook implementations (state injection, path rewriting, etc.)
  memory/           — LanceDB: tool registry + validated solve-doc store (Doc 36)
  pattern/          — Anonymization utility (anonymizeText, containsSensitiveData)
  container/        — Docker container lifecycle management
  session/          — Session hierarchy and directory management
  training/         — Trajectory recording
  util/             — Target validation, phase gating, output normalizers

License

MIT

Built on OpenCode by Silicon Works Ltd.