---
title: "Run autonomous white-box pentests against web apps and APIs with Shannon"
description: "Analyze a web app's source code, execute real exploit attempts against the running target, and return proof-backed findings before release."
verification: "security_reviewed"
source: "https://github.com/KeygraphHQ/shannon"
author: "KeygraphHQ"
publisher_type: "open_source_project"
category:
  - "Security & Verification"
framework:
  - "Custom Agents"
tool_ecosystem:
  github_repo: "KeygraphHQ/shannon"
  github_stars: 39843
  npm_package: "@keygraph/shannon"
  npm_weekly_downloads: 3964
---

# Run autonomous white-box pentests against web apps and APIs with Shannon

Analyze a web app's source code, execute real exploit attempts against the running target, and return proof-backed findings before release.

## Prerequisites

Node.js 18+, Docker, target web app URL, local source repository, model/API credentials supported by Shannon

## Installation

Choose whichever fits your setup:

1. Copy this skill folder into your local skills directory.
2. Clone the repo and symlink or copy the skill into your agent workspace.
3. Add the repo as a git submodule if you manage shared skills centrally.
4. Install it through your internal provisioning or packaging workflow.
5. Download the folder directly from GitHub and place it in your skills collection.

Install command or upstream instructions:

Run the setup command, then start a scan against the target URL and your local repository:

```
npx @keygraph/shannon setup
npx @keygraph/shannon start -u https://your-app.com -r /path/to/your-repo
```

Docker is required because the npx workflow pulls and runs the Shannon worker image.

## Documentation

- https://keygraph.io/

## Source

- [Agent Skill Exchange](https://agentskillexchange.com/skills/run-autonomous-white-box-pentests-against-web-apps-and-apis-with-shannon/)
