claude-red is an offensive security tooling library. Its content describes attack methodologies for use by authorized red team operators, penetration testers, and security researchers.
These skills are intended for:
- Authorized penetration testing engagements with documented scope and rules of engagement
- Bug bounty programs with explicit written permission for the techniques described
- CTF competitions and security training environments
- Independent vulnerability research with responsible disclosure
These skills are not intended for unauthorized access to systems you do not own or do not have explicit, written permission to test. Misuse may violate computer-misuse laws in your jurisdiction (CFAA in the US, Computer Misuse Act in the UK, equivalent statutes elsewhere).
If you discover a security issue in this repository — for example a malicious payload accidentally committed, a credential leaked in an example, a typosquat-prone install path, or an unsafe shell command in install.sh — please report it privately rather than opening a public issue.
Contact: security@snailsploit.com
Please include:
- Affected file(s) and commit hash
- A description of the issue and its impact
- Reproduction steps if applicable
- Any suggested remediation
We aim to acknowledge reports within 72 hours and resolve confirmed issues within 14 days.
If you discover a vulnerability in a third-party product or service while using claude-red's methodologies, follow that vendor's responsible disclosure process. The offensive-reporting skill includes guidance on responsible disclosure, evidence handling, and report writing.
If the vendor has no published security contact:
- Try
security@<vendor-domain>, then their PSIRT page, thenreportmailing addresses - For ICS/OT vendors, escalate via CISA ICS-CERT
- For broad-impact bugs, request a CVE via MITRE CNAs
- Allow at least 90 days before public disclosure unless the vulnerability is being actively exploited
This repository is signed by SnailSploit. Verify commit signatures with:
git log --show-signatureIf you receive a claude-red archive from a third party (mirror, pastebin, package manager), verify it against the upstream repository before using.
| In scope | Out of scope |
|---|---|
| Issues in repository content (skills, scripts, install logic) | Vulnerabilities in third-party tools mentioned in skills |
| Malicious payloads in examples | The Claude platform itself (report to Anthropic) |
| Unsafe installation defaults | Bugs in tools you find using this library |
| Leaked credentials in example traffic | Bugs in your own implementation of techniques described |
We credit researchers who report security issues responsibly in the project CHANGELOG. Let us know if you'd prefer to remain anonymous.