Getting Started
pwnkit is a general-purpose autonomous pentesting framework. It scans LLM endpoints, web applications, npm packages, and source code using an agentic pipeline that discovers, attacks, verifies, and reports — with blind verification to kill false positives. It ships as an npm package. You can run it directly with npx or install it globally.
Installation
Section titled “Installation”# Run directly (no install)npx pwnkit-cli scan --target https://your-app.com/api/chat
# Or install globallynpm i -g pwnkit-cliRequirements: Node.js 20+ and pnpm 8+ (for development).
Set up an API key
Section titled “Set up an API key”pwnkit needs an LLM provider to power its agentic pipeline. Set one of these environment variables:
# Recommended — one key, many modelsexport OPENROUTER_API_KEY="sk-or-..."
# Or use a direct providerexport ANTHROPIC_API_KEY="sk-ant-..."export OPENAI_API_KEY="sk-..."pwnkit checks for keys in this order: OpenRouter > Anthropic > Azure OpenAI > OpenAI. If none are set, the api runtime will not work, but you can still use --runtime claude, --runtime codex, or --runtime gemini if those CLIs are installed and authenticated.
See API Keys for full details on supported providers.
Your first scan
Section titled “Your first scan”Scan an LLM endpoint
Section titled “Scan an LLM endpoint”npx pwnkit-cli scan --target https://your-app.com/api/chatThis discovers the attack surface, launches targeted attacks (prompt injection, jailbreaks, data exfiltration), verifies every finding, and generates a report — typically in under 5 minutes.
Scan a web application
Section titled “Scan a web application”npx pwnkit-cli scan --target https://your-app.com --mode webRuns autonomous pentesting against a web application — probing for CORS misconfigurations, exposed files, SSRF, XSS, and other traditional web vulnerabilities.
Audit an npm package
Section titled “Audit an npm package”npx pwnkit-cli audit lodashInstalls the package in a sandbox, runs static analysis (semgrep), and performs an AI-powered code review.
Review a codebase
Section titled “Review a codebase”# Local directorynpx pwnkit-cli review ./my-app
# GitHub URL (clones automatically)npx pwnkit-cli review https://github.com/user/repoAuto-detect
Section titled “Auto-detect”You can skip the subcommand entirely. pwnkit figures out what to do:
pwnkit-cli express # audits npm packagepwnkit-cli ./my-repo # reviews source codepwnkit-cli https://github.com/user/repo # clones and reviewspwnkit-cli https://example.com/api/chat # scans LLM endpointpwnkit-cli https://example.com --mode web # pentests web appScan depth
Section titled “Scan depth”Control how thorough the scan is:
| Depth | Test Cases | Time |
|---|---|---|
quick | ~15 | ~1 min |
default | ~50 | ~3 min |
deep | ~150 | ~10 min |
# Quick scan for CInpx pwnkit-cli scan --target https://api.example.com/chat --depth quick
# Deep audit before launchnpx pwnkit-cli scan --target https://api.example.com/chat --depth deepNext steps
Section titled “Next steps”- Commands — full reference for every CLI command
- Configuration — runtime modes, depth settings, and options
- Architecture — how the 4-stage pipeline works