AI writes the code.
pwnkit hacks it.

npx pwnkit-cli
GitHub

Or read the documentation

pwnkit scanning a target and finding vulnerabilities

General-purpose autonomous pentesting.

LLM Endpoints

ChatGPT, Claude, Llama APIs, custom chatbots

npm Packages

Supply chain, malicious code, dependency risk

Source Code

Local repos, GitHub URLs, deep AI audit

Just give it a target.

pwnkit-cli express

Audit an npm package

pwnkit-cli ./my-repo

Review source code

pwnkit-cli https://api.com/chat

Scan an LLM endpoint

Why pwnkit

Zero config

No YAML. No Python. Just npx pwnkit-cli and you're running.

Blind verification

Every finding is independently re-exploited. Can't reproduce it? Killed as a false positive.

Bring your own AI

Your API key, or use Claude Code CLI / Codex CLI with your subscription. Any model, any provider.

How it compares

Scroll to compare →

Feature pwnkit promptfoo (acquired by OpenAI) garak nuclei Semgrep
Autonomous multi-agent Agentic pipeline
Verification (no false positives) Re-exploits
LLM endpoint scanning
npm package audit Rules
Source code review AI-powered Rules
AI attack coverage 30+ agentic Partial Partial
Zero config npx YAML Python Templates Config
Independent Acquired VC-backed
Open source Apache-2.0 OpenAI-owned OSS MIT LGPL

Findings in GitHub's Security tab.

.github/workflows/pwnkit.yml 
name: AI Security Scan
on: [push, pull_request]

jobs:
  pwnkit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run pwnkit
        uses: peaktwilight/pwnkit/action@v1
        with:
          target: $${{ secrets.STAGING_API_URL }}
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: pwnkit-report/report.sarif

Dogfooding

pwnkit reviews its own source code

On every push via GitHub Actions

pwnkit runs pwnkit review . on its own repository. The same agentic pipeline that found 7 CVEs — pointed at itself. If it finds something, you'll see it here.

pwnkit verified View CI runs

Set it up on your repo in 2 minutes:

1. Add to your GitHub Actions workflow:

- run: npx pwnkit-cli review . --format json > pwnkit-report.json

2. Add the badge to your README:

[![pwnkit](https://pwnkit.com/badge/ORG/REPO)](https://pwnkit.com)

Built from real security research

7 CVEs found in packages with 40M+ weekly downloads.

node-forge 32M/week mysql2 5M/week Uptime Kuma 86K stars LiquidJS CVE jsPDF 2 CVEs picomatch CVE
Full CVE writeups

Stop guessing.
Start proving.

pwnkit-cli https://api.example.com/chat
pwnkit-cli express
pwnkit-cli ./my-repo
pwnkit-cli https://github.com/org/repo
Star on GitHub
pwnkit
BlogGitHub