Migrate Metasploit MCP to Claude Code skills architecture#74
Merged
Conversation
…ted code Phase 1 — Skills & Configuration: - Convert all 10 pentest templates into native Claude Code skills in .claude/skills/ — each becomes a /slash-command (e.g., /full-pentest, /quick-scan, /bug-bounty) with $ARGUMENTS for target input - Multi-placeholder templates (bug-bounty, full-attack-chain, api-security, web-app-assessment) now collect scope/auth/rules interactively instead of requiring manual placeholder editing — better UX - Add 4 subdirectory CLAUDE.md files (mcp/, models/, backends/, reporting/) with directory-scoped development rules loaded on-demand - Mount .claude/skills/ and CLAUDE.md into claude-code Docker container via docker-compose volumes + baked-in Dockerfile COPY as fallback - Update entrypoint dashboard to show /skill-name usage pattern Phase 2 — Cleanup (safe removals, zero functional dependencies): - Remove deprecated metasploit-mcp/ directory (MSF integrated in kali-mcp) - Remove docker/metasploit-mcp.Dockerfile - Remove empty mcp_servers/ stub directory - Remove duplicate blhackbox/prompts/templates/README.md - Remove dead load_agent_prompt() function and its test - Clean metasploit-mcp reference from README.md directory tree All 187 tests pass. MCP template path preserved for non-Claude-Code clients. https://claude.ai/code/session_01KBrjHu875M7qs84jAXpB63
README.md: - Add Skills / Slash Commands section with all 10 skills, usage examples, and comparison table (skills vs MCP templates) - Add Advanced Usage & FAQ section with 10 practical tutorials: full pentest workflow, bug bounty with scope, API with auth, chaining recon into pentest, web app with creds, quick triage, natural language usage, creating custom skills, subdirectory CLAUDE.md explained, lab/CTF authorization setup - Update Tutorial 1 (Docker) to show skill-based usage (/quick-scan, /full-pentest) instead of free-form prompts - Update Tutorial 2 (Web) to mention skills availability - Update Project Structure tree with .claude/skills/, subdirectory CLAUDE.md files, and reorganized module listing - Remove duplicate lab testing example (now in FAQ) - Update Table of Contents with Skills and Advanced sections DOCKER.md: - Add Skills in Docker section with quick start, mount explanation, and available skills table - Update Claude Code image details to include skills info - Add skills and CLAUDE.md to host bind mounts table https://claude.ai/code/session_01KBrjHu875M7qs84jAXpB63
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR migrates the blhackbox pentesting framework from a standalone Metasploit MCP server to a Claude Code-native skills architecture. The Metasploit MCP server (
metasploit-mcp/) is removed entirely, and autonomous pentesting workflows are now implemented as Claude Code slash commands (.claude/skills/) that orchestrate existing MCP servers (Kali, WireMCP, Screenshot).Key Changes
Removed Components
metasploit-mcp/server.py,entrypoint.sh,requirements.txt) — 1,077 lines of msgpack-based RPC client codedocker/metasploit-mcp.Dockerfile) — no longer needed; Metasploit tools are accessed via Kali MCPblhackbox/prompts/templates/README.md, agent prompt loading) — replaced by skillsAdded Components
10 autonomous pentesting skills (
.claude/skills/*/SKILL.md):/full-pentest— end-to-end penetration testing/full-attack-chain— maximum-impact testing with attack chain reporting/quick-scan— fast triage with on-the-spot exploitation/recon-deep— comprehensive attack surface mapping/web-app-assessment— focused web application testing/network-infrastructure— network-level assessment with credential testing/osint-gathering— passive-only intelligence collection/vuln-assessment— systematic vulnerability identification and exploitation/api-security— REST/GraphQL API testing (OWASP API Top 10)/bug-bounty— bug bounty hunting with exploitation-driven PoC reportsDevelopment guidelines (
blhackbox/mcp/CLAUDE.md,blhackbox/backends/CLAUDE.md,blhackbox/models/CLAUDE.md,blhackbox/reporting/CLAUDE.md) — document contracts and constraints for future developmentModified Components
.claude/and.instructions/directories into Claude Code container for skill discoveryload_agent_prompttestImplementation Details
Architecture Shift
Skills Design
Each skill:
$ARGUMENTS(e.g.,/full-pentest example.com)Backward Compatibility
get_templatetool) remain available for Claude Desktop and ChatGPT via the blhackbox MCP serverTesting
test_load_agent_promptfromtests/test_prompts.py(agent prompts nohttps://claude.ai/code/session_01KBrjHu875M7qs84jAXpB63