clpzbug/clpzcode

clpzcode is a command-line tool for security testing and penetration testing, built as a fork of Claude Code, the AI coding assistant from Anthropic. It takes the underlying agent framework and adds offensive security capabilities on top: given a target URL, it can run a full sequence of reconnaissance, vulnerability scanning, exploitation, and privilege escalation steps without you having to script each phase manually. When you give it a target, the tool enumerates subdomains, discovers endpoints, fingerprints the technology stack, and tests for vulnerabilities across 29 different categories in parallel. When it confirms a finding, it does not stop at reporting it. It attempts exploitation and, if successful, follows a built-in escalation chain. For example, finding a server-side request forgery vulnerability leads it to probe cloud metadata endpoints, extract credentials, and enumerate storage. Finding a SQL injection leads it toward shell access and further privilege escalation. A separate command handles Active Directory environments: given a domain controller IP and a domain name, it runs the standard steps used in internal network testing from initial enumeration through to extracting the domain's credential database. The tool also supports running multiple agents simultaneously on different tasks, so reconnaissance, exploitation, and Active Directory enumeration can run in parallel on different AI models. Unlike the upstream Claude Code, which is limited to Anthropic's own models, clpzcode supports a range of AI providers including xAI Grok, OpenAI, Google Gemini, GitHub Models, and locally run models through Ollama. You can switch providers mid-session. The project is written in TypeScript, installable via npm, and licensed under MIT.