Open
Labels: enhancement, help wanted
Description
Expand the agent's toolset from 9 tools to ~15+ by adding the highest-ROI capabilities identified in the GAP analysis. The #1 gap between RedAmon and competing frameworks is tools, not architecture — more tools in the existing ReAct agent yields immediate capability gains with zero architectural changes.
Why new tools (not just better prompts)
The agent's ceiling is defined by what it can DO, not what it can THINK. Today, when the agent needs to:
- Find exposed assets on the internet → it has web_search (generic results) but no Shodan (structured service/banner/CVE data per IP). A pentester's first move is `shodan host <target>` — the agent can't do this.
- Discover exposed admin panels, backup files, or sensitive endpoints → it can't Google dork. `site:target.com filetype:sql`, `inurl:admin intitle:login` — these are OSINT fundamentals the agent is blind to.
- Craft a custom exploit or parse complex output → it can't write and run code. When sqlmap output needs parsing, or a custom protocol handler needs implementing, the agent is stuck trying to do string manipulation in natural language.
- Remember what worked last session → it starts fresh every time. "SSH brute force with admin:admin worked on this target last week" is lost knowledge. The agent repeats failed strategies and forgets successful ones.
Each of these is a hard blocker that no amount of prompt engineering can fix — the agent literally lacks the capability.
Proposed tools (prioritized by ROI)
Tier 1 — Maximum impact, minimum effort
| Tool | Category | Why | Effort |
|---|---|---|---|
| Shodan search + host info | OSINT | Structured intelligence on any IP: open ports, banners, CVEs, SSL certs, geolocation, ISP. Replaces hours of manual nmap scanning for internet-facing targets. One API call = what 10 nmap scans would reveal. | Small — direct API integration, SHODAN_API_KEY env var |
| Google Custom Search / dorking | OSINT | Find exposed admin panels (inurl:admin), database dumps (filetype:sql), backup files (filetype:bak), login pages (intitle:login). Google dorking is the #1 passive recon technique pentesters use. | Small — Google Custom Search API |
| Sandboxed Python execution | Code Exec | Write and run Python in the Kali container — payload crafting, data parsing, encoding/decoding, custom exploit logic, hash manipulation, protocol implementation. Covers 50% of what a human pentester does in a terminal. | Medium — new MCP server with restricted imports, timeout, memory limits |
Tier 2 — High value depth additions
| Tool | Category | Why | Effort |
|---|---|---|---|
| Agent memory system | Learning | Cross-session episodic + semantic memory. Remember: "target X uses fail2ban on SSH" (don't brute force), "Nuclei template Y always false-positives on Cloudflare" (skip it), "admin:admin worked on port 8080" (try first). Compounds value over time. | Medium — vector DB (Qdrant) or PostgreSQL + embedding store |
| JS surface mapper | Web Recon | Extract API endpoints, GraphQL operations, WebSocket URLs, source maps, and high-value strings from JavaScript assets. Discovers hidden attack surface invisible to crawlers. | Medium — new MCP server |
| SSH command execution | Post-Expl | Execute commands on remote hosts via SSH using discovered credentials. Essential after brute force succeeds — currently the agent finds creds but struggles to use them programmatically. | Small — sshpass/Paramiko integration |
What already exists
- 9 agent tools: query_graph, web_search, execute_curl, execute_naabu, execute_nmap, execute_nuclei, kali_shell, execute_code, metasploit_console
- MCP server architecture for tool registration
- Tool registry in `agentic/prompts/tool_registry.py`
- Project settings system for API keys
What needs to be built
- Shodan MCP server or direct API integration (`shodan_search`, `shodan_host_info`)
- Google Custom Search integration (`google_dork_search`)
- Sandboxed Python execution MCP server (`exec_python`) with safety limits
- Agent memory system (episodic: what happened; semantic: what was learned)
- JS surface mapper for hidden API/endpoint discovery
- SSH command execution tool for post-exploitation
- Tool registration and prompt updates for each new tool
- New env vars: `SHODAN_API_KEY`, `GOOGLE_SEARCH_API_KEY`, `GOOGLE_SEARCH_CX`
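A sketch of the safety limits the proposed `exec_python` tool calls for (restricted imports, timeout, memory limits), added here as an illustration and not taken from the RedAmon code base. The import allowlist, the default limits, the returned dict shape and the helper names `disallowed_imports`, `child_env` and `limits` are assumptions; only the tool name `exec_python` comes from the issue.

```python
import ast
import os
import resource  # POSIX only (the issue targets the Linux Kali container)
import subprocess
import sys

# Assumed allowlist for parsing/encoding work; not taken from the issue.
ALLOWED_IMPORTS = {"base64", "binascii", "hashlib", "json", "re", "struct"}

def disallowed_imports(source):
    """Top-level modules imported by `source` that are not allowlisted.
    A static guardrail only: the container and rlimits are the real boundary."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            found.add((node.module or "").split(".")[0])  # relative import -> ""
    return sorted(found - ALLOWED_IMPORTS)

def child_env(environ=None):
    """Pass only non-secret variables, so API keys never reach executed code."""
    environ = os.environ if environ is None else environ
    return {k: v for k, v in environ.items() if k in ("PATH", "LANG", "LD_LIBRARY_PATH")}

def limits(mem_bytes, cpu_seconds):
    def apply():  # runs in the child process just before exec
        for res, want in ((resource.RLIMIT_AS, mem_bytes), (resource.RLIMIT_CPU, cpu_seconds)):
            hard = resource.getrlimit(res)[1]
            cap = want if hard == resource.RLIM_INFINITY else min(want, hard)
            resource.setrlimit(res, (cap, cap))  # lower soft and hard limits together
    return apply

def exec_python(source, timeout=5, mem_bytes=512 * 1024 * 1024):
    try:
        blocked = disallowed_imports(source)
    except SyntaxError as exc:
        return {"status": "rejected", "detail": f"syntax error: {exc.msg}"}
    if blocked:
        return {"status": "rejected", "detail": f"imports not allowed: {blocked}"}
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],  # -I: isolated mode, ignores PYTHON* vars
            capture_output=True, text=True, timeout=timeout,
            env=child_env(), preexec_fn=limits(mem_bytes, timeout + 1))
    except subprocess.TimeoutExpired:  # wall-clock limit; RLIMIT_CPU is the backstop
        return {"status": "timeout", "detail": f"killed after {timeout}s"}
    status = "ok" if proc.returncode == 0 else "error"
    return {"status": status, "stdout": proc.stdout, "stderr": proc.stderr[-2000:]}
```

The import check can be sidestepped by dynamic imports, so it only catches accidental use; isolation still has to come from the container, the resource limits and the stripped environment.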
Status: Up for grabs