From 71dc6e79a43ab26d3ab5015cef9c6eadc15e520e Mon Sep 17 00:00:00 2001 From: Gandalf the Greybeard Date: Thu, 23 Apr 2026 14:01:08 +0000 Subject: [PATCH] chore: remove hightower skill (moved to farhoodlabs/hightower) The hightower skill is now maintained in the Hightower project repo at farhoodlabs/hightower so the API-owning team controls its agent docs. Co-Authored-By: Paperclip --- CLAUDE.md | 1 - hightower/SKILL.md | 127 --------------------------------------------- 2 files changed, 128 deletions(-) delete mode 100644 hightower/SKILL.md diff --git a/CLAUDE.md b/CLAUDE.md index a06d496..df36f7b 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -17,7 +17,6 @@ Each skill follows this convention: ## Current Skills - **`github-app-token`** — Generates a short-lived GitHub App installation access token, writes it to `.gh-token` under `$GH_CONFIG_DIR` (preferred) or `$AGENT_HOME` (fallback), and authenticates the `gh` CLI. Requires `GITHUB_APP_ID`, `GITHUB_APP_INSTALLATION_ID`, and one of `GITHUB_APP_PEM` (inline PEM) or `GITHUB_APP_PEM_FILE` (path). Depends on `openssl`, `curl`, `jq`, `gh`. -- **`hightower`** — Interacts with the Hightower AI pentest API: start scans, poll status, retrieve markdown reports. Requires `HIGHTOWER_API_URL` and `HIGHTOWER_API_TOKEN`. Documentation only — no scripts. - **`kubernetes-reflector`** — Documents Kubernetes Reflector annotations for mirroring secrets and configmaps across namespaces. Documentation only — no scripts. - **`minimax-image-generation`** — Generates images from MiniMax's `image-01` model via `/v1/image_generation`. Requires `MINIMAX_API_KEY`; `MINIMAX_API_BASE_URL` is optional. Depends on `curl`, `jq`, `base64`. diff --git a/hightower/SKILL.md b/hightower/SKILL.md deleted file mode 100644 index c440e88..0000000 --- a/hightower/SKILL.md +++ /dev/null @@ -1,127 +0,0 @@ ---- -name: hightower -version: "1.0.0" -description: "Interact with the Hightower pentest API — start scans, check status, retrieve reports. Hightower is a K8s-deployed penetration testing platform. Use when you need to run a security scan, check scan progress, or retrieve findings." -allowed-tools: Bash, Read ---- - -# Hightower: Penetration Testing API - -Hightower is an AI-powered penetration testing platform forked from [KeygraphHQ/shannon](https://github.com/KeygraphHQ/shannon). It runs multi-agent security assessments against a target URL and git repository, coordinating up to 13 specialized AI agents (recon, auth testing, injection, etc.) to produce a structured findings report. - -**Architecture:** -- **`hightower-api`** — Hono REST API. Accepts scan requests, creates Kubernetes Jobs for each scan, queries Temporal for job progress, and serves reports from the workspace PVC. -- **Worker** — Shannon fork running inside K8s Jobs. Each scan gets its own Job; the worker executes the full AI agent pipeline against the target. -- **Temporal** — Workflow orchestration engine. Tracks scan state, retries, and completion. -- **Workspace PVC** — Persistent volume where completed scan reports are stored and served by the API. - -Scans are triggered via REST API and run asynchronously. Typical scan duration is ~36 minutes for the full 13-agent pipeline. - -## Configuration - -All settings come from environment variables: - -| Variable | Description | -|----------|-------------| -| `HIGHTOWER_API_URL` | Hightower REST API base URL (e.g., `http://hightower-api:3000`) | -| `HIGHTOWER_API_TOKEN` | Bearer auth token for the Hightower API | - ---- - -## Common Operations - -### List all scans - -```bash -curl -s -H "Authorization: Bearer $HIGHTOWER_API_TOKEN" \ - "$HIGHTOWER_API_URL/api/scans" -``` - -### Start a new scan - -```bash -curl -s -X POST "$HIGHTOWER_API_URL/api/scans" \ - -H "Authorization: Bearer $HIGHTOWER_API_TOKEN" \ - -H "Content-Type: application/json" \ - -d '{ - "targetUrl": "https://example.com", - "gitUrl": "https://github.com/user/repo", - "workspace": "my-workspace" - }' -``` - -Response: `{ "id": "hightower-worker-abc123", "workspace": "my-workspace", "status": "running" }` - -### Get scan status by workspace name - -```bash -curl -s -H "Authorization: Bearer $HIGHTOWER_API_TOKEN" \ - "$HIGHTOWER_API_URL/api/scans?workspace=my-workspace" -``` - -The `workspace` filter returns all jobs for that workspace. Look for `status: "completed"` or `status: "running"`. - -### Get scan report - -```bash -curl -s -H "Authorization: Bearer $HIGHTOWER_API_TOKEN" \ - "$HIGHTOWER_API_URL/api/scans/{workspace}/report" -``` - -Returns the full markdown report. Use `workspace` name, not job ID. - -### Cancel a running scan - -```bash -curl -s -X POST "$HIGHTOWER_API_URL/api/scans/{id}/cancel" \ - -H "Authorization: Bearer $HIGHTOWER_API_TOKEN" -``` - ---- - -## Report Format - -The report is a markdown file with the following structure: - -``` -# Comprehensive Security Assessment Report - -## Executive Summary -- Assessment Date: YYYY-MM-DD -- Target: https://example.com -- Model: MiniMax-M2.7 - -## Findings - -### [CRITICAL|HIGH|MEDIUM|LOW] Title -- **Location:** URL or code reference -- **Description:** ... -- **PoC:** ... -- **Remediation:** ... -``` - -## Parsing Findings - -Extract findings by looking for `### [SEVERITY]` headers: - -```bash -# Extract all finding titles and severities -grep -E "^### \[(CRITICAL|HIGH|MEDIUM|LOW)\]" report.md - -# Extract CRITICAL and HIGH findings only -grep -A 10 "^### \[CRITICAL\]" report.md -grep -A 10 "^### \[HIGH\]" report.md -``` - -## Scan Lifecycle - -1. **running** — Job is active, worker processing -2. **completed** — Job succeeded, report available at `{workspace}/report` -3. **failed** — Job failed (check pod logs) - ---- - -## Notes - -- Reports are private to the cluster (PVC); fetch via the API -- For Paperclip issues from findings, parse the report and create issues via the Paperclip API \ No newline at end of file