Share
## https://sploitus.com/exploit?id=CBFD105B-401D-5E28-BE4B-7CEA5C8FCD7A
# Red Hound Arsenal

Agent-consumable security skill library for authorized offensive and defensive operations.

---

## What It Is

Red Hound Arsenal is a structured library of security skills โ€” each skill is a self-describing YAML file that defines a security tool invocation, its inputs, expected outputs, prerequisites, MITRE ATT&CK mappings, and safety constraints.

Skills are designed to be consumed directly by AI agents, security automation pipelines, and human operators through a consistent CLI and Python API. Every skill produces structured JSON output, supports dry-run mode, and carries explicit authorization requirements.

## Who It Is For

- **AI agents** orchestrating multi-step security assessments
- **Security engineers** who want reproducible, documented tool invocations
- **Red teams** mapping operations to MITRE ATT&CK
- **Blue teams and purple teams** building detection-validation workflows
- **Security automation platforms** that need a standardized skill catalog

## Authorized Use Only

This library is for use against systems you own or have explicit written permission to test. See [RESPONSIBLE-USE.md](RESPONSIBLE-USE.md) for the full policy. Unauthorized use is illegal and violates the terms of this project.

---

## Architecture

```
redhound-arsenal/
โ”‚
โ”œโ”€โ”€ arsenal.py                  # CLI entry point (arsenal list / info / check / run / search / validate)
โ”‚
โ”œโ”€โ”€ core/
โ”‚   โ”œโ”€โ”€ models.py               # Pydantic skill schema (SkillDefinition, SkillResult, ...)
โ”‚   โ”œโ”€โ”€ loader.py               # Skill discovery, YAML loading, caching
โ”‚   โ”œโ”€โ”€ validator.py            # Input validation, prerequisite checks, platform check, auth gate
โ”‚   โ”œโ”€โ”€ executor.py             # Command rendering, subprocess execution, evidence saving
โ”‚   โ”œโ”€โ”€ reporter.py             # Result formatting (JSON / text / markdown), evidence packaging
โ”‚   โ””โ”€โ”€ logging.py             # Logging configuration
โ”‚
โ”œโ”€โ”€ skills/                     # Skill YAML files, organized by category
โ”‚   โ”œโ”€โ”€ recon/
โ”‚   โ”‚   โ””โ”€โ”€ nmap-service-scan.yaml
โ”‚   โ”œโ”€โ”€ dns/
โ”‚   โ”‚   โ”œโ”€โ”€ dns-records.yaml
โ”‚   โ”‚   โ””โ”€โ”€ subfinder-enum.yaml
โ”‚   โ”œโ”€โ”€ web/
โ”‚   โ”‚   โ”œโ”€โ”€ httpx-probe.yaml
โ”‚   โ”‚   โ””โ”€โ”€ nuclei-scan.yaml
โ”‚   โ”œโ”€โ”€ tls/
โ”‚   โ”‚   โ””โ”€โ”€ testssl-check.yaml
โ”‚   โ”œโ”€โ”€ hardening/
โ”‚   โ”‚   โ””โ”€โ”€ lynis-audit.yaml
โ”‚   โ””โ”€โ”€ secrets/
โ”‚       โ””โ”€โ”€ gitleaks-scan.yaml
โ”‚
โ”œโ”€โ”€ adapters/                   # Tool output parsers (one per tool)
โ”‚   โ”œโ”€โ”€ base.py                 # BaseAdapter abstract class
โ”‚   โ”œโ”€โ”€ nmap.py                 # Parses nmap XML (-oX -)
โ”‚   โ”œโ”€โ”€ subfinder.py            # Parses subfinder JSON-lines
โ”‚   โ”œโ”€โ”€ httpx.py                # Parses httpx JSON-lines
โ”‚   โ”œโ”€โ”€ nuclei.py               # Parses nuclei JSON-lines
โ”‚   โ”œโ”€โ”€ testssl.py              # Parses testssl.sh JSON output
โ”‚   โ”œโ”€โ”€ lynis.py                # Parses lynis report data files
โ”‚   โ”œโ”€โ”€ gitleaks.py             # Parses gitleaks JSON report
โ”‚   โ””โ”€โ”€ dns.py                  # Parses dig answer output
โ”‚
โ”œโ”€โ”€ schemas/                    # JSON Schema files (for external validation)
โ”‚   โ”œโ”€โ”€ skill-schema.json
โ”‚   โ””โ”€โ”€ result-schema.json
โ”‚
โ”œโ”€โ”€ templates/                  # Starter templates
โ”‚   โ”œโ”€โ”€ skill-template.yaml
โ”‚   โ””โ”€โ”€ adapter-template.py
โ”‚
โ”œโ”€โ”€ examples/                   # Runnable example scripts
โ”œโ”€โ”€ docs/                       # Extended documentation
โ””โ”€โ”€ reports/                    # Sample output files
```

**Execution flow:**

```
arsenal run  --input key=value --acknowledge-auth
      โ”‚
      โ”œโ”€ loader.py      โ†’ find and validate YAML โ†’ SkillDefinition
      โ”œโ”€ validator.py   โ†’ check auth, platform, inputs, prerequisites
      โ”œโ”€ executor.py    โ†’ render command template โ†’ subprocess โ†’ raw output
      โ”œโ”€ adapter        โ†’ parse raw output โ†’ structured dict
      โ””โ”€ reporter.py    โ†’ format as JSON / text / markdown โ†’ stdout
```

---

## Quick Start

### Install

```bash
git clone https://github.com/redhoundinfosec/redhound-arsenal.git
cd redhound-arsenal
pip install -e .
```

Or install with dev dependencies:

```bash
pip install -e ".[dev]"
```

### List all skills

```bash
arsenal list
```

```
 ID                    CATEGORY    VERSION    DESCRIPTION
 dns-records           dns         0.1.0      Enumerate DNS records for a domain using dig
 gitleaks-scan         secrets     0.1.0      Scan a git repository for hardcoded secrets
 httpx-probe           web         0.1.0      Probe URLs/hosts for HTTP status and tech fingerprints
 lynis-audit           hardening   0.1.0      System hardening assessment using lynis
 nmap-service-scan     recon       0.1.0      Discover open ports and detect running services
 nuclei-scan           web         0.1.0      Template-based vulnerability detection using nuclei
 subfinder-enum        dns         0.1.0      Passive subdomain enumeration using subfinder
 testssl-check         tls         0.1.0      Audit TLS/SSL configuration using testssl.sh
```

### Inspect a skill

```bash
arsenal info nmap-service-scan
arsenal info nmap-service-scan --format json
```

### Check prerequisites

```bash
arsenal check nmap-service-scan
```

### Dry-run a skill

```bash
arsenal run nmap-service-scan \
  --input target=192.168.1.1 \
  --input ports=22,80,443 \
  --acknowledge-auth \
  --dry-run
```

Output:
```
[DRY RUN] Would execute: nmap -sV -p 22,80,443 -T3 -oX - 192.168.1.1
```

### Execute a skill

```bash
arsenal run nmap-service-scan \
  --input target=192.168.1.1 \
  --input ports=22,80,443 \
  --acknowledge-auth \
  --format json \
  --output-dir ./evidence
```

### Search skills

```bash
arsenal search recon
arsenal search subdomain
arsenal search "T1046"
```

### Validate all skill YAML files

```bash
arsenal validate
```

---

## Skill Categories

| Category    | Description                                                                 |
|-------------|-----------------------------------------------------------------------------|
| `recon`     | Network-level reconnaissance โ€” port scanning, service/version detection     |
| `dns`       | DNS enumeration โ€” record queries, passive subdomain discovery               |
| `web`       | Web application testing โ€” HTTP probing, tech fingerprinting, vuln scanning  |
| `tls`       | TLS/SSL auditing โ€” cipher suites, protocol versions, certificate analysis   |
| `secrets`   | Secret detection โ€” hardcoded credentials, tokens, keys in source code       |
| `hardening` | System hardening assessment โ€” configuration review, compliance checks       |
| `vuln`      | Vulnerability assessment โ€” CVE detection, misconfiguration identification   |
| `cloud`     | Cloud infrastructure assessment โ€” misconfigured buckets, IAM issues         |

---

## Available Skills

| ID                 | Tool        | Category    | MITRE Technique                              |
|--------------------|-------------|-------------|----------------------------------------------|
| `nmap-service-scan`| nmap        | recon       | T1046 โ€” Network Service Discovery            |
| `dns-records`      | dig         | dns         | T1590.002 โ€” DNS                              |
| `subfinder-enum`   | subfinder   | dns         | T1596.002 โ€” Search Open Technical Databases  |
| `httpx-probe`      | httpx       | web         | T1595.002 โ€” Active Scanning                  |
| `nuclei-scan`      | nuclei      | web         | T1595.002 โ€” Active Scanning                  |
| `testssl-check`    | testssl.sh  | tls         | T1590.001 โ€” Domain Properties                |
| `lynis-audit`      | lynis       | hardening   | T1082 โ€” System Information Discovery         |
| `gitleaks-scan`    | gitleaks    | secrets     | T1552.001 โ€” Credentials In Files             |

---

## CLI Reference

### `arsenal list`

List all available skills in a formatted table.

```bash
arsenal list
```

### `arsenal info `

Show full skill details: description, purpose, limitations, inputs, prerequisites, safety constraints, and MITRE mappings.

```bash
arsenal info subfinder-enum
arsenal info subfinder-enum --format json
```

**Flags:**
- `--format text|json` โ€” Output format (default: `text`)

### `arsenal check `

Run prerequisite checks for a skill. Exits non-zero if any required prerequisite is missing.

```bash
arsenal check nuclei-scan
```

### `arsenal run `

Execute a skill with the given inputs.

```bash
arsenal run dns-records \
  --input domain=example.com \
  --input record_type=MX \
  --format json

arsenal run nmap-service-scan \
  --input target=10.0.0.0/24 \
  --input ports=22,80,443,3389 \
  --input timing=T4 \
  --acknowledge-auth \
  --format json \
  --output-dir ./evidence/2026-04-03
```

**Flags:**
- `--input KEY=VALUE` โ€” Input parameter (repeatable)
- `--dry-run` โ€” Print commands without executing
- `--format json|text|markdown` โ€” Output format (default: `text`)
- `--output-dir PATH` โ€” Save raw output and result JSON to this directory
- `--acknowledge-auth` โ€” Required for skills with `requires_authorization: true`

### `arsenal search `

Search skills by keyword. Matches against ID, name, category, description, purpose, and tags.

```bash
arsenal search recon
arsenal search "passive"
arsenal search T1046
```

### `arsenal validate`

Validate all skill YAML files against the schema. Useful in CI.

```bash
arsenal validate
```

**Global flags:**
- `-v, --verbose` โ€” Enable debug logging
- `-q, --quiet` โ€” Suppress non-error output

---

## Agent Integration

AI agents can consume this library through the CLI or Python API. See [docs/agent-integration.md](docs/agent-integration.md) for the complete guide. The short version:

**1. Discover available skills:**
```bash
arsenal list --format json   # Not yet implemented; use arsenal info  --format json
```

```python
from core.loader import list_skills
skills = list_skills()  # Returns list of summary dicts
```

**2. Select a skill by task:**
```python
from core.loader import search_skills
results = search_skills("subdomain")
```

**3. Check prerequisites:**
```bash
arsenal check subfinder-enum
```

**4. Validate inputs before running:**
```python
from core.loader import load_skill
from core.validator import validate_inputs

skill = load_skill("nmap-service-scan")
inputs = {"target": "192.168.1.1", "ports": "22,80,443"}
result = validate_inputs(skill, inputs)
if not result.passed:
    raise ValueError(result.errors)
```

**5. Execute and parse:**
```bash
arsenal run nmap-service-scan \
  --input target=192.168.1.1 \
  --acknowledge-auth \
  --format json
```

The JSON output (`SkillResult`) has a stable schema:
```json
{
  "skill_id": "nmap-service-scan",
  "success": true,
  "started_at": "2026-04-03T18:30:00+00:00",
  "completed_at": "2026-04-03T18:30:45+00:00",
  "duration_seconds": 45.2,
  "dry_run": false,
  "inputs_used": {"target": "192.168.1.1", "ports": "22,80,443", "timing": "T3"},
  "outputs": {"hosts": [...], "summary": {...}},
  "raw_output": "...",
  "errors": [],
  "warnings": [],
  "evidence_path": null
}
```

**6. Chain skills:**
Feed `outputs` from one skill as `inputs` to the next. See [examples/chain-recon.py](examples/chain-recon.py).

---

## Output Formats

| Format     | Use case                                      |
|------------|-----------------------------------------------|
| `json`     | Agent consumption, structured parsing, CI/CD  |
| `text`     | Human review in a terminal                    |
| `markdown` | Embedding in reports, Notion, GitHub issues   |

---

## Safety Controls

Arsenal enforces several layers of safety:

1. **Authorization gate** โ€” Skills with `requires_authorization: true` will not execute unless `--acknowledge-auth` is passed. Agents must explicitly set this flag.

2. **Input validation** โ€” All inputs are validated against type rules and regex patterns before execution. Invalid inputs abort with a clear error.

3. **Platform check** โ€” Skills declare supported platforms. Execution fails if the current OS is not in the list.

4. **Prerequisite check** โ€” Required tools are verified via their `check_command` before the skill runs.

5. **Dry-run mode** โ€” All skills with `dry_run_supported: true` support `--dry-run`, which renders commands without executing them.

6. **Safety constraints** โ€” Each skill carries `safety_constraints` rules. Mandatory rules are enforced programmatically; recommended and informational rules are surfaced as warnings.

7. **Evidence trail** โ€” Use `--output-dir` to capture raw output, timing, and result JSON for every skill run. Evidence directories are named `//`.

---

## Contributing

See [CONTRIBUTING.md](CONTRIBUTING.md) for code standards, skill submission requirements, and the review process.

---

## Security

To report a vulnerability in this project, see [SECURITY.md](SECURITY.md).

---

## License

MIT โ€” see [LICENSE](LICENSE).

Copyright 2026 Red Hound Information Security LLC.