by Null-Square
Open-source AI pentest and compliance-readiness CLI by NullSquare.
# Add to your Claude Code skills
git clone https://github.com/Null-Square/Null-CLiLast scanned: 7/15/2026
{
"issues": [
{
"file": "README.md",
"line": 44,
"type": "remote-install",
"message": "Install command (remote install script piped to a shell — review the source before running): \"curl -fsSL https://raw.githubusercontent.com/Null-Square/Null-CLi/main/scripts/i\"",
"severity": "low"
}
],
"status": "PASSED",
"scannedAt": "2026-07-15T06:13:18.313Z",
"npmAuditRan": true,
"pipAuditRan": true,
"promptInjectionRan": true
}Null-CLi is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by Null-Square. Open-source AI pentest and compliance-readiness CLI by NullSquare. It has 121 GitHub stars.
Yes. Null-CLi passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/Null-Square/Null-CLi" and add it to your Claude Code skills directory (see the Installation section above).
Null-CLi is primarily written in TypeScript. It is open-source under Null-Square on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh Null-CLi against similar tools.
No comments yet. Be the first to share your thoughts!

Open-source AI pentest and compliance-readiness CLI by NullSquare.
Docs | Website | CLI | Compliance
A scoped terminal agent for authorized testing: safe reconnaissance, scanner orchestration, evidence-backed findings, Markdown/SARIF reports, and lightweight compliance-readiness mapping.
Coverage: OWASP Top 10 | PCI DSS lite | ISO 27001 lite | NIST CSF lite
Modern teams need security feedback that is faster than a traditional pentest and more useful than raw scanner output. Null AI CLI is the open-source layer: a reproducible command-line framework for local assessments, scanner normalization, evidence capture, reports, and readiness mapping.
It is intentionally separate from the NullSquare managed platform. The public repo is useful on its own while keeping managed-platform internals out of scope. For hosted sandboxes, team workflows, dashboards, continuous testing, and enterprise reporting, see nullsquare.net.
# Run instantly with npx (no install)
npx @nullsquare/null-cli --help
# Or install globally
npm install -g @nullsquare/null-cli
null-ai --help
# Or one-line installer (checks Node >= 20, installs globally)
curl -fsSL https://raw.githubusercontent.com/Null-Square/Null-CLi/main/scripts/install.sh | bash
git clone https://github.com/Null-Square/Null-CLi.git
cd Null-CLi
npm install
npm run build
node dist/cli/index.js --help
Binaries after install: null-ai, null-cli, null, nullsquare (all identical).
# Open the guided home screen
null-ai
# Or run the demo flow against a lab you are authorized to test
null-ai demo --target http://localhost:3000 --authorize --out .null/demo
The demo flow is designed for your own OWASP Juice Shop, WebGoat, or equivalent training lab. It refuses live target contact unless you pass --authorize, writes a full local report, and keeps the public agent shallow and evidence-first.
null-ai run show .null/demo
null-ai run open .null/demo
Scale the same workflow with hosted infrastructure, dashboards, team evidence review, and enterprise reporting at nullsquare.net.
First launch creates a reusable model profile. Later launches open Home, where pentest, compliance readiness, lab demo, saved assessment, results, model settings, and advanced commands are separate choices. The API key is encrypted in a local user vault and is never written to the assessment session.
For automation or offline planning:
null-ai agent run --target https://example.com --dry-run --out .null/example
Only test systems you own or are explicitly authorized to test. Scanner and shell execution are off by default; enable them with
--allow-shellonly for in-scope assets.
Run null-ai with no arguments to open the primary guided, persistent
assessment.
On the first launch only, Null AI creates a model profile:
null-ai
First-time model setup
? Provider OpenAI / DeepSeek / Anthropic / GLM / Moonshot / Qwen
? Profile name default
? Use custom API endpoint? No
? API key ********
42 models discovered
? Model family OpenAI
? Model gpt-5-mini
The API key prompt remains visible while input is masked. The key is encrypted
in the local credential vault. Available models are discovered from the
provider; family and searchable model selectors replace manual model typing. Supported profile providers are OpenAI, DeepSeek, Anthropic, GLM, Moonshot, and Qwen. Change profiles later with /profile.
Later launches open a task-focused home screen instead of forcing a wizard:
? Home
❯ New pentest
Compliance readiness
Resume saved assessment
Authorized lab demo
Results and reports
Model settings
Advanced commands
Pentest asks only for pentest inputs. A safe scope is generated automatically; detailed exclusions remain optional:
New pentest
? Target(s) https://app.example
? Assessment goal Test the authorized staging application
Scope & authorization
default scope Authorized testing for app.example; destructive testing excluded
? Customize scope? No
Run policy
? Assessment depth Standard
? Enable local scanners? No
? Confirm authorization Yes
? Start assessment now? Yes
Compliance readiness follows a different path: target, readiness objective, framework, evidence-review depth, optional scanner evidence, and authorization. Pentest does not ask for a compliance framework or generate compliance mapping. Advanced scope details can capture exclusions, authorization reference, test window, and rate limits when needed.
During a live run, the terminal shows planning, discovery, scanning, analysis, and reporting phases plus structured agent narration (agent ...),
tool calls, and artifact paths as they happen. The same trail is saved in the
report's Agent Activity section. After setup or a run, the searchable command
launcher supports / filtering, arrow-key navigation, descriptions, and Enter
selection. The CLI also checks npm periodically and displays a one-line upgrade
command when a newer version exists.
| Command | Purpose |
|---|---|
/wizard |
Run the guided setup-to-assessment flow |
/profile setup|list|use|delete |
Manage saved model profiles |
/workflow pentest|compliance |
Choose assessment workflow |
/depth quick|standard|deep |
Choose scan depth |
/target <t> / /targets [clear] |
Manage scope (repeatable) |
/scope <text> / /authorize |
Set a scope summary and confirm authorization |
/framework / /shell on|off / /stream on|off |
Configure the run |
/env model|key|base <v> |
Temporary per-process model overrides |
/run / /findings / /report / /compliance / /open report |
Run and review |
/status / /help / /exit |
Session control (config is saved between sessions) |
A live/scanner run is gated behind authorization. Profile metadata and
encrypted credentials are stored under ~/.null-ai (or %USERPROFILE%\.null-ai
on Windows); session.json never stores the API key.
null-ai demo turns an authorized lab target into a traceable run and Markdown/SARIF report.--scan-mode quick | standard | deep trade speed for coverage.--target to assess several assets in one command.nuclei, semgrep, and trivy JSON/JSONL into unified findings.owasp-top10, pci-dss-lite, iso27001-lite, nist-csf-lite.| Tool | Purpose |
|---|---|
http_request |
Safe HTTP capture and endpoint checks |
browser_action |
Browser-like page capture for surface mapping |
scanner_run |
Orchestrate scanners (gated behind --allow-shell) |
attach_evidence |
Attach raw artifacts to the assessment |
report_finding |
Draft evidence-backed findings with severity, CWE, OWASP, CVSS |
map_compliance |
Map findings to a readiness framework (compliance workflow only) |
file_read |
Read local target sources within scope |
| Category | Examples |
|---|---|
| Access Control | IDOR, missing authorization, auth bypass |
| Misconfiguration | Missing security headers, verbose banners, exposed services |
| Client-Side | Reflected / stored XSS |
| Transport & Session | Missing HSTS, insecure cookies |
| Disclosure | Sensitive data / error leakage |
Deep validation, exploit-chaining, and advanced heuristics live only in the managed NullSquare platform. This OSS layer focuses on safe, evidence-backed discovery.
| Mode | Model guidance | Use when |
|---|---|---|
quick |
Focused, conservative coverage | Fast scoped review of a single target |
standard |
Balanced repeatable coverage | Default open-source assessment |