31 playbooks · 8 references · 0 plugins · 0 brokers · 100% Hermes built-in tools
Violin is a pluginless Hermes Agent profile for supervised, authorised penetration tests — from reconnaissance through safe exploit validation to reporting. It uses only Hermes' built-in toolsets, skill-based playbooks, and lightweight guard scripts.
hermes profile install https://github.com/StrategicAutomation/violin
hermes -p violin
| 🔬 31 Methodology Playbooks | 7 phase playbooks (scoping → recon → exploitation → reporting) + 24 per-vulnerability-class playbooks covering OWASP Top 10, OWASP API Top 10, LLM Top 10, and beyond. |
| 🛡️ Multi-Layer Safety | Interactive scoping (8 questions) → scope validation → guard check → approval gates — every target-touching command validated before execution. |
| 🧠 Pentesting Task Tree | Structured artifact tracking every task via `[x]/[ ]/[~]` markers across phases, with command history and hypothesis linking. |
| 🌐 Browser + Web Research | Browser toolset for website enumeration. Web toolset for CVE lookup, exploit search, and OSINT. |
| 📋 Evidence-Driven Reporting | Reproducible evidence with screenshots, tool output, request/response pairs. CVSS 3.1 scoring + auto-patch remediation. |
| 🔗 Hermes-Native | Inherits your existing Hermes provider/model. No extra API keys, no per-profile credentials, no lock-in. |
# 1. Install the profile
hermes profile install https://github.com/StrategicAutomation/violin
# 2. Start a session
hermes -p violin
# 3. Let Violin ask scoping questions, then run your test
> Run a pentest against example.comPrerequisites
- Hermes Agent >= 0.18.0 — installed and on your PATH
- Hermes provider configured — Violin inherits your normal Hermes provider/model
- Kali Linux or Parrot OS recommended — Docker Kali, WSL, macOS, Windows, and remote jump boxes also work
Set as default profile
hermes profile use violinflowchart LR
A["1. Scoping"] --> B["2. Recon"]
B --> C["3. Vuln Research"]
C --> D["4. Exploitation"]
D --> E["5. Reporting"]
E --> F["6. Retrospective"]
A -.->|"clarify"| G("Approval Gate")
B -.->|"guard check"| G
C -.->|"guard check"| G
D -.->|"clarify + guard"| G
style A fill:#1a1a2e,stroke:#e94560,stroke-width:2px
style B fill:#16213e,stroke:#0f3460,stroke-width:2px
style C fill:#1a1a2e,stroke:#e94560,stroke-width:2px
style D fill:#16213e,stroke:#0f3460,stroke-width:2px
style E fill:#1a1a2e,stroke:#e94560,stroke-width:2px
style F fill:#16213e,stroke:#0f3460,stroke-width:2px
style G fill:#2d2d2d,stroke:#ffd700,stroke-width:2px
| Phase | Action | Safety Gate |
|---|---|---|
| 1. Scoping | 8 questions via clarify |
User approval |
| 2. Reconnaissance | Passive OSINT → tech detection → active scanning | Guard + approval |
| 3. Vuln Research | CVE lookup, exploit search, attack surface analysis | Guard check |
| 4. Exploitation | Safe PoC validation per vulnerability class | Guard + user approval |
| 5. Reporting | Evidence compilation, CVSS scoring, remediation | — |
| 6. Retrospective | Gap analysis, playbook coverage update | Mandatory |
graph TB
subgraph "Your Machine"
HE["Hermes Agent"]
VI["Violin Profile"]
GUARD["violin_guard.py"]
end
subgraph "Violin Skills"
SK["SKILL.md"]
PB["31 Playbooks"]
REF["8 References"]
TEMP["5 Templates"]
end
subgraph "Hermes Built-in Tools"
T["terminal"]
W["web"]
B["browser"]
F["file"]
CE["code_execution"]
S["skills"]
CL["clarify"]
D["delegation"]
V["vision"]
TD["todo"]
P["process"]
end
LLM["Your LLM Provider"]
HE -->|"hermes -p violin"| VI
VI -->|"loads"| SK
SK -->|"routes to"| PB
HE -->|"calls"| T & W & B & F & CE & S & CL & D & V & TD & P
HE -->|"inherits"| LLM
style HE fill:#2d2d2d,stroke:#ffd700,stroke-width:2px
style VI fill:#1a1a2e,stroke:#e94560,stroke-width:2px
style GUARD fill:#16213e,stroke:#0f3460,stroke-width:2px
10 toolsets configured in config.yaml: terminal, web, browser, file, code_execution, skills, todo, clarify, delegation, vision.
memory.memory_enabled: false— no global memory recall/writememory.user_profile_enabled: false— no global user profile accesssession_searchavailable for cross-referencing past engagements on the same target- Engagement continuity lives in project files (scope docs, evidence, reports)
- Start a fresh Hermes conversation per engagement to keep boundaries clean
flowchart LR
subgraph "Layer 1"
A["8 Scoping Questions"]
B["Written Authorisation"]
end
subgraph "Layer 2"
C["violin_guard.py validate-scope"]
end
subgraph "Layer 3"
D["violin_guard.py check-command"]
end
subgraph "Layer 4"
E["clarify approval gate"]
end
subgraph "Layer 5"
F["Standards & Blocked Actions"]
end
A --> B --> C --> D --> E --> F
- Authorised testing only — no probing before scoping is complete
- Approval gates — scope, active recon, and exploitation each require explicit user approval
- Guard check — every target-touching terminal command validated by
violin_guard.py(exit 0=allowed, 1=blocked, 2=review) - Non-destructive by default — exploitation limited to safe, reproducible PoC
- Evidence-first — every finding backed by reproducible tool output, screenshots, request/response pairs
- Exploit-first validation — no hypothesis advances to Validated without a verification command
- Fresh context per objective — structured state summaries on phase transitions to prevent context bloat
Full safety policy: skills/pentest/references/standards.md. Forbidden actions: .hermes.md §Forbidden Behaviour.
violin/
├── .hermes.md # Project-level agent context
├── SOUL.md # Agent identity — senior pentester persona
├── config.yaml # Profile config (toolsets, safety, memory)
├── distribution.yaml # Hermes distribution manifest
├── scripts/ # Guard & smoke tests
│ ├── violin_guard.py # Scope, command & release validation
│ ├── smoke-test.sh # Linux/macOS release smoke
│ ├── smoke-test.ps1 # Windows supplemental smoke
│ └── kali.sh # Docker Kali helper
└── skills/pentest/ # Pentest methodology
├── SKILL.md # Orchestrator skill (playbook index, workflow)
├── playbooks/ # 31 playbooks (7 phase + 24 vuln-class)
├── references/ # 8 reference documents
└── templates/ # 3 templates (PTT, scope, report)
python scripts/violin_guard.py check-releaseValidates: YAML structure, 31 playbooks present, required sections in vuln playbooks, no stale evidence paths, all markdown references resolve.
One-time setup for a full Kali toolchain on any OS
See scripts/kali.sh for the container exec helper.
docker pull kalilinux/kali-rolling
docker create -it --name kali-pentest \
-v /path/to/violin/engagements:/engagements \
kalilinux/kali-rolling bash
docker start kali-pentest
docker exec kali-pentest apt update
docker exec kali-pentest apt install -y kali-linux-headlessEnhance Violin with community MCP servers
| MCP Server | Install | Purpose |
|---|---|---|
onlinecybertools-mcp-server |
npx -y onlinecybertools-mcp-server |
280+ OSINT/recon tools — whois, SSL check, JWT decode, network diag, hashes |
runyourempire/4DA |
npx -y @runyourempire/4DA |
Live CVE scanning, dependency health, upgrade planning |
Add to config.yaml under mcp_servers: after install. See Hermes MCP docs.
See CONTRIBUTING.md for development setup, PR process, and code style.
See SECURITY.md for reporting vulnerabilities.
MIT — see LICENSE.
