## https://sploitus.com/exploit?id=CBFD105B-401D-5E28-BE4B-7CEA5C8FCD7A
# Red Hound Arsenal
Agent-consumable security skill library for authorized offensive and defensive operations.
---
## What It Is
Red Hound Arsenal is a structured library of security skills โ each skill is a self-describing YAML file that defines a security tool invocation, its inputs, expected outputs, prerequisites, MITRE ATT&CK mappings, and safety constraints.
Skills are designed to be consumed directly by AI agents, security automation pipelines, and human operators through a consistent CLI and Python API. Every skill produces structured JSON output, supports dry-run mode, and carries explicit authorization requirements.
## Who It Is For
- **AI agents** orchestrating multi-step security assessments
- **Security engineers** who want reproducible, documented tool invocations
- **Red teams** mapping operations to MITRE ATT&CK
- **Blue teams and purple teams** building detection-validation workflows
- **Security automation platforms** that need a standardized skill catalog
## Authorized Use Only
This library is for use against systems you own or have explicit written permission to test. See [RESPONSIBLE-USE.md](RESPONSIBLE-USE.md) for the full policy. Unauthorized use is illegal and violates the terms of this project.
---
## Architecture
```
redhound-arsenal/
โ
โโโ arsenal.py # CLI entry point (arsenal list / info / check / run / search / validate)
โ
โโโ core/
โ โโโ models.py # Pydantic skill schema (SkillDefinition, SkillResult, ...)
โ โโโ loader.py # Skill discovery, YAML loading, caching
โ โโโ validator.py # Input validation, prerequisite checks, platform check, auth gate
โ โโโ executor.py # Command rendering, subprocess execution, evidence saving
โ โโโ reporter.py # Result formatting (JSON / text / markdown), evidence packaging
โ โโโ logging.py # Logging configuration
โ
โโโ skills/ # Skill YAML files, organized by category
โ โโโ recon/
โ โ โโโ nmap-service-scan.yaml
โ โโโ dns/
โ โ โโโ dns-records.yaml
โ โ โโโ subfinder-enum.yaml
โ โโโ web/
โ โ โโโ httpx-probe.yaml
โ โ โโโ nuclei-scan.yaml
โ โโโ tls/
โ โ โโโ testssl-check.yaml
โ โโโ hardening/
โ โ โโโ lynis-audit.yaml
โ โโโ secrets/
โ โโโ gitleaks-scan.yaml
โ
โโโ adapters/ # Tool output parsers (one per tool)
โ โโโ base.py # BaseAdapter abstract class
โ โโโ nmap.py # Parses nmap XML (-oX -)
โ โโโ subfinder.py # Parses subfinder JSON-lines
โ โโโ httpx.py # Parses httpx JSON-lines
โ โโโ nuclei.py # Parses nuclei JSON-lines
โ โโโ testssl.py # Parses testssl.sh JSON output
โ โโโ lynis.py # Parses lynis report data files
โ โโโ gitleaks.py # Parses gitleaks JSON report
โ โโโ dns.py # Parses dig answer output
โ
โโโ schemas/ # JSON Schema files (for external validation)
โ โโโ skill-schema.json
โ โโโ result-schema.json
โ
โโโ templates/ # Starter templates
โ โโโ skill-template.yaml
โ โโโ adapter-template.py
โ
โโโ examples/ # Runnable example scripts
โโโ docs/ # Extended documentation
โโโ reports/ # Sample output files
```
**Execution flow:**
```
arsenal run --input key=value --acknowledge-auth
โ
โโ loader.py โ find and validate YAML โ SkillDefinition
โโ validator.py โ check auth, platform, inputs, prerequisites
โโ executor.py โ render command template โ subprocess โ raw output
โโ adapter โ parse raw output โ structured dict
โโ reporter.py โ format as JSON / text / markdown โ stdout
```
---
## Quick Start
### Install
```bash
git clone https://github.com/redhoundinfosec/redhound-arsenal.git
cd redhound-arsenal
pip install -e .
```
Or install with dev dependencies:
```bash
pip install -e ".[dev]"
```
### List all skills
```bash
arsenal list
```
```
ID CATEGORY VERSION DESCRIPTION
dns-records dns 0.1.0 Enumerate DNS records for a domain using dig
gitleaks-scan secrets 0.1.0 Scan a git repository for hardcoded secrets
httpx-probe web 0.1.0 Probe URLs/hosts for HTTP status and tech fingerprints
lynis-audit hardening 0.1.0 System hardening assessment using lynis
nmap-service-scan recon 0.1.0 Discover open ports and detect running services
nuclei-scan web 0.1.0 Template-based vulnerability detection using nuclei
subfinder-enum dns 0.1.0 Passive subdomain enumeration using subfinder
testssl-check tls 0.1.0 Audit TLS/SSL configuration using testssl.sh
```
### Inspect a skill
```bash
arsenal info nmap-service-scan
arsenal info nmap-service-scan --format json
```
### Check prerequisites
```bash
arsenal check nmap-service-scan
```
### Dry-run a skill
```bash
arsenal run nmap-service-scan \
--input target=192.168.1.1 \
--input ports=22,80,443 \
--acknowledge-auth \
--dry-run
```
Output:
```
[DRY RUN] Would execute: nmap -sV -p 22,80,443 -T3 -oX - 192.168.1.1
```
### Execute a skill
```bash
arsenal run nmap-service-scan \
--input target=192.168.1.1 \
--input ports=22,80,443 \
--acknowledge-auth \
--format json \
--output-dir ./evidence
```
### Search skills
```bash
arsenal search recon
arsenal search subdomain
arsenal search "T1046"
```
### Validate all skill YAML files
```bash
arsenal validate
```
---
## Skill Categories
| Category | Description |
|-------------|-----------------------------------------------------------------------------|
| `recon` | Network-level reconnaissance โ port scanning, service/version detection |
| `dns` | DNS enumeration โ record queries, passive subdomain discovery |
| `web` | Web application testing โ HTTP probing, tech fingerprinting, vuln scanning |
| `tls` | TLS/SSL auditing โ cipher suites, protocol versions, certificate analysis |
| `secrets` | Secret detection โ hardcoded credentials, tokens, keys in source code |
| `hardening` | System hardening assessment โ configuration review, compliance checks |
| `vuln` | Vulnerability assessment โ CVE detection, misconfiguration identification |
| `cloud` | Cloud infrastructure assessment โ misconfigured buckets, IAM issues |
---
## Available Skills
| ID | Tool | Category | MITRE Technique |
|--------------------|-------------|-------------|----------------------------------------------|
| `nmap-service-scan`| nmap | recon | T1046 โ Network Service Discovery |
| `dns-records` | dig | dns | T1590.002 โ DNS |
| `subfinder-enum` | subfinder | dns | T1596.002 โ Search Open Technical Databases |
| `httpx-probe` | httpx | web | T1595.002 โ Active Scanning |
| `nuclei-scan` | nuclei | web | T1595.002 โ Active Scanning |
| `testssl-check` | testssl.sh | tls | T1590.001 โ Domain Properties |
| `lynis-audit` | lynis | hardening | T1082 โ System Information Discovery |
| `gitleaks-scan` | gitleaks | secrets | T1552.001 โ Credentials In Files |
---
## CLI Reference
### `arsenal list`
List all available skills in a formatted table.
```bash
arsenal list
```
### `arsenal info `
Show full skill details: description, purpose, limitations, inputs, prerequisites, safety constraints, and MITRE mappings.
```bash
arsenal info subfinder-enum
arsenal info subfinder-enum --format json
```
**Flags:**
- `--format text|json` โ Output format (default: `text`)
### `arsenal check `
Run prerequisite checks for a skill. Exits non-zero if any required prerequisite is missing.
```bash
arsenal check nuclei-scan
```
### `arsenal run `
Execute a skill with the given inputs.
```bash
arsenal run dns-records \
--input domain=example.com \
--input record_type=MX \
--format json
arsenal run nmap-service-scan \
--input target=10.0.0.0/24 \
--input ports=22,80,443,3389 \
--input timing=T4 \
--acknowledge-auth \
--format json \
--output-dir ./evidence/2026-04-03
```
**Flags:**
- `--input KEY=VALUE` โ Input parameter (repeatable)
- `--dry-run` โ Print commands without executing
- `--format json|text|markdown` โ Output format (default: `text`)
- `--output-dir PATH` โ Save raw output and result JSON to this directory
- `--acknowledge-auth` โ Required for skills with `requires_authorization: true`
### `arsenal search `
Search skills by keyword. Matches against ID, name, category, description, purpose, and tags.
```bash
arsenal search recon
arsenal search "passive"
arsenal search T1046
```
### `arsenal validate`
Validate all skill YAML files against the schema. Useful in CI.
```bash
arsenal validate
```
**Global flags:**
- `-v, --verbose` โ Enable debug logging
- `-q, --quiet` โ Suppress non-error output
---
## Agent Integration
AI agents can consume this library through the CLI or Python API. See [docs/agent-integration.md](docs/agent-integration.md) for the complete guide. The short version:
**1. Discover available skills:**
```bash
arsenal list --format json # Not yet implemented; use arsenal info --format json
```
```python
from core.loader import list_skills
skills = list_skills() # Returns list of summary dicts
```
**2. Select a skill by task:**
```python
from core.loader import search_skills
results = search_skills("subdomain")
```
**3. Check prerequisites:**
```bash
arsenal check subfinder-enum
```
**4. Validate inputs before running:**
```python
from core.loader import load_skill
from core.validator import validate_inputs
skill = load_skill("nmap-service-scan")
inputs = {"target": "192.168.1.1", "ports": "22,80,443"}
result = validate_inputs(skill, inputs)
if not result.passed:
raise ValueError(result.errors)
```
**5. Execute and parse:**
```bash
arsenal run nmap-service-scan \
--input target=192.168.1.1 \
--acknowledge-auth \
--format json
```
The JSON output (`SkillResult`) has a stable schema:
```json
{
"skill_id": "nmap-service-scan",
"success": true,
"started_at": "2026-04-03T18:30:00+00:00",
"completed_at": "2026-04-03T18:30:45+00:00",
"duration_seconds": 45.2,
"dry_run": false,
"inputs_used": {"target": "192.168.1.1", "ports": "22,80,443", "timing": "T3"},
"outputs": {"hosts": [...], "summary": {...}},
"raw_output": "...",
"errors": [],
"warnings": [],
"evidence_path": null
}
```
**6. Chain skills:**
Feed `outputs` from one skill as `inputs` to the next. See [examples/chain-recon.py](examples/chain-recon.py).
---
## Output Formats
| Format | Use case |
|------------|-----------------------------------------------|
| `json` | Agent consumption, structured parsing, CI/CD |
| `text` | Human review in a terminal |
| `markdown` | Embedding in reports, Notion, GitHub issues |
---
## Safety Controls
Arsenal enforces several layers of safety:
1. **Authorization gate** โ Skills with `requires_authorization: true` will not execute unless `--acknowledge-auth` is passed. Agents must explicitly set this flag.
2. **Input validation** โ All inputs are validated against type rules and regex patterns before execution. Invalid inputs abort with a clear error.
3. **Platform check** โ Skills declare supported platforms. Execution fails if the current OS is not in the list.
4. **Prerequisite check** โ Required tools are verified via their `check_command` before the skill runs.
5. **Dry-run mode** โ All skills with `dry_run_supported: true` support `--dry-run`, which renders commands without executing them.
6. **Safety constraints** โ Each skill carries `safety_constraints` rules. Mandatory rules are enforced programmatically; recommended and informational rules are surfaced as warnings.
7. **Evidence trail** โ Use `--output-dir` to capture raw output, timing, and result JSON for every skill run. Evidence directories are named `//`.
---
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md) for code standards, skill submission requirements, and the review process.
---
## Security
To report a vulnerability in this project, see [SECURITY.md](SECURITY.md).
---
## License
MIT โ see [LICENSE](LICENSE).
Copyright 2026 Red Hound Information Security LLC.