Modules: Agent Builder Hunter
AvishaiEZen edited this page Dec 10, 2025 · 1 revision
Discovers and analyzes OpenAI Agent Builder deployments in the wild. This module uses FFUF to scan for externally-hosted AI agent chatbots and can enumerate their tools and integrations.
Agent Builder is OpenAI's platform for creating custom AI agents with tool access and integrations. This module helps identify publicly accessible deployments that may expose sensitive functionality.
| Tool | Purpose | Installation |
|---|---|---|
| FFUF | Web fuzzing for discovery | FFUF GitHub |
| Node.js & npm | Required for tools-recon | Node.js |
| Puppeteer | Browser automation | Puppeteer GitHub |
| Submodule | Description |
|---|---|
| scan | Discover Agent Builder deployments using FFUF |
| tools-recon | Enumerate tools and integrations from discovered agents |
```bash
# Basic scan with default wordlist
powerpwn agent-builder-hunter scan
# Scan with custom wordlist and output file
powerpwn agent-builder-hunter scan -w custom_wordlist.txt -o results.txt
# Scan with custom rate limiting and threads
powerpwn agent-builder-hunter scan -r 50 -t 20
# Scan with custom timing
powerpwn agent-builder-hunter scan --run-duration 30 --pause-duration 20
# Reset progress and start fresh
powerpwn agent-builder-hunter scan --reset
```

```bash
# Scan a single agent URL
powerpwn agent-builder-hunter tools-recon -u https://openai-chatkit-example123.vercel.app
# Scan multiple agents from file
powerpwn agent-builder-hunter tools-recon -f agent_urls.txt
```

| Parameter | Description | Default |
|---|---|---|
| `-w, --wordlist` | Path to custom wordlist file | Bundled default |
| `-o, --output` | Output file for found URLs | `found_agent_builder_deployments_<timestamp>.txt` |
| `-r, --rate` | Rate limit (requests per second) | 40 |
| `-t, --threads` | Number of concurrent threads | 10 |
| `--run-duration` | How long to run FFUF before pausing (seconds) | 20 |
| `--pause-duration` | How long to pause between FFUF runs (seconds) | 15 |
| `--filter-codes` | HTTP status codes to filter out (comma-separated) | 404,403 |
| `--timeout` | Timeout in seconds | — |
| `--timeout-per-endpoint` | Apply timeout per endpoint instead of entire scan | — |
| `--reset` | Reset progress and start fresh | — |
| Parameter | Description |
|---|---|
| `-u, --url` | Single Agent Builder chatbot URL to scan |
| `-f, --file` | File containing list of chatbot URLs (one per line) |
- `scan`: Found URLs saved to output file (default: `found_agent_builder_deployments_<timestamp>.txt`)
- `tools-recon`: Results saved to `src/powerpwn/agent_builder/results/agent_tools_output.xlsx`

Tip: Use discovered URLs from `scan` as input for `tools-recon` to enumerate exposed capabilities.