Ap6pack
User
Autonomous agentic recon pipeline for Claude Code. 90 OSINT capabilities for authorized red-team and bug-bounty. One-click install, 11 skills, optional MCP server.
Indexed Skills (11)
analysis-and-reporting
Endpoint interest scoring (0–100), mobile app ownership confidence, attack-path hint patterns (35 templates), severity decision matrix (92 examples), sector severity overrides, and sidecar coordination.
cloud-and-infra
Cloud-native service fingerprints, Kubernetes/container exposure, CI/CD platform exposure, TLS deep audit, and favicon hash pivot for authorized infrastructure recon.
identity-fabric
Concrete endpoints, probes, and enumeration techniques for identity provider fingerprinting and auth surface mapping. Covers Microsoft Entra (Azure AD), Okta, ADFS, Google Workspace, generic OIDC (Keycloak/Auth0/Ping/OneLogin/Duo), SAML metadata, AWS account-ID extraction, Microsoft 365 deep enumeration (Teams/SharePoint/OneDrive/OAuth/Power Platform), GraphQL field-suggestion enumeration when introspection is disabled, and LinkedIn employee enumeration with role prioritization. Use when mapping an org's auth architecture, enumerating SSO/IdP surfaces, or building a target employee list.
offensive-osint
Router for the Offensive OSINT arsenal. Dispatches to focused sub-skills by task type. Covers the full external red-team surface: asset discovery, web enumeration, identity/SSO, secrets/dorks, post-credential workflows, cloud/infra, people/breach intel, and analysis/reporting. Companion to osint-methodology. Use for any authorized external recon, bug bounty, or ASM engagement.
osint-methodology
Comprehensive OSINT methodology for external red-team operations and authorized attack-surface assessments. Covers the 5-stage recon pipeline, asset-graph discipline, severity rubric, confidence upgrade workflows, time budgeting, identity-fabric mapping, breach×identity correlation, detectability tagging, detection-aware probing, WAF/CDN bypass, vulnerability prioritization, phishing infrastructure planning, bug bounty submission, and client deliverable templates. Use when planning or executing reconnaissance against authorized targets, mapping an organization's external attack surface, investigating a person/entity, or producing client deliverables.
people-breach-intel
Breach data lookup, HudsonRock infostealer intel, email-pattern inference, email harvest, Slack/Discord discovery, package registry leaks, and vulnerability prioritization endpoints.
post-discovery
Post-credential enumeration workflows for validated live keys — AWS IAM enum, GitHub PAT scope/repo enum, Slack workspace enum, JWT triage, Postman PMAK workspace enum, Anthropic/OpenAI usage enum. Requires validator confirmation first.
recon-asset-discovery
Subdomain enumeration, CT logs, DNS record catalog, WHOIS/RDAP, and passive reconnaissance for authorized external recon.
report-template
Autonomous report generation from collected findings. Produces bug bounty submissions, client deliverables, and vulnerability reports using the standard finding schema.
secrets-and-dorks
48-pattern secret regex catalog, 70 dork corpus across 9 categories, GitHub code-search dorks, and 9 read-only credential validators for authorized secret discovery and verification.
web-surface
Probe paths, endpoint scoring, email security analysis, vendor fingerprints, documentation leak hunting, and API endpoint references for authorized web-surface enumeration.
Bio shown is the top-scored skill's repo description as a fallback — real GitHub bios land in a future update.