ReaperBot is an experimental agentic AI system designed specifically to orchestrate the Reaper project via its APIs to solve the Ghostbank challenge and showcase the emergent behavior of this type of system applied to the AppSec testing space. It uses multiple specialized agents built on the Pydantic-AI framework and powered by OpenAI models for tasks such as discovering live hosts, scanning domains, identifying potential security vulnerabilities (e.g., BOLA/IDOR), and reporting on the findings.
1. Clone the repository:

   ```bash
   git clone https://github.com/ghostsecurity/reaper.git
   cd reaper/reaperbot
   ```

2. Ensure you have Python 3.13+ and uv installed:

   ```bash
   python3 --version
   uv -V
   ```

3. Install the dependencies:

   ```bash
   uv sync
   ```

4. Obtain API keys:
   - OpenAI API Key
   - Reaper Token: navigate to the Reaper UI and fetch the token by clicking the key icon in the lower left of the navbar.

5. Set up environment variables: create a `.env` file based on the `sample.env` and fill in the required keys:

   ```dotenv
   OPENAI_API_KEY="sk_your_openai_api_key"
   X_REAPER_TOKEN="your_reaper_api_key"
   REAPER_BASE_URL="http://localhost:8000"
   ```

6. Run the application: start the FastAPI app with Uvicorn:

   ```bash
   make run
   ```

7. Access the chat interface:

   ```bash
   make ui
   ```

   or browse to http://localhost:11000
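As an added pre-flight check (not part of the reaper repository): the script below parses the `.env` file from the setup steps above, confirms that the three required keys are present and no longer hold the sample placeholder values, and checks that `REAPER_BASE_URL` is a well-formed http(s) URL. Problems are reported by key name only, so the OpenAI key and Reaper token are never echoed; the placeholder strings are the ones from the sample snippet, and the script name and CLI argument are assumptions.

```python
"""Pre-flight check for ReaperBot's .env (added example, not from the reaper
repository). Problems are reported by key name only; values are never printed."""
import sys
from pathlib import Path
from urllib.parse import urlparse

# Keys the README requires, and the placeholder values from its sample snippet.
REQUIRED_KEYS = ("OPENAI_API_KEY", "X_REAPER_TOKEN", "REAPER_BASE_URL")
PLACEHOLDERS = {"sk_your_openai_api_key", "your_reaper_api_key"}


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=value lines; blanks and '#' comments are skipped, quotes stripped."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop matching surrounding quotes
        env[key] = value
    return env


def check_env(env: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the config looks usable."""
    problems = []
    for key in REQUIRED_KEYS:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif value in PLACEHOLDERS:
            problems.append(f"{key} still holds the sample placeholder value")
    base = env.get("REAPER_BASE_URL", "")
    if base:
        url = urlparse(base)
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append("REAPER_BASE_URL must be an http(s) URL, e.g. http://localhost:8000")
        elif url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1"):
            problems.append("REAPER_BASE_URL sends X_REAPER_TOKEN over plain http to a remote host")
    return problems


if __name__ == "__main__":
    path = Path(sys.argv[1] if len(sys.argv) > 1 else ".env")  # path is an assumption
    issues = check_env(parse_env(path.read_text()))
    print("\n".join(issues) or "env looks usable")
    sys.exit(1 if issues else 0)
```

Run it from `reaper/reaperbot` before `make run`; a non-zero exit code means at least one key still needs attention.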
Once the application is running, you can interact with ReaperBot through the WebSocket interface. Type in a command or request related to web application security, and ReaperBot will guide you through the steps to scan domains, find live hosts and endpoints, and test for vulnerabilities.
- "Scan the (domain_name) domain"
- "What are the live hosts for (domain_name)?"
- "What endpoints in (domain_name) are vulnerable to BOLA?"
- "Which endpoints in the (domain_name) application are vulnerable to BOLA? Write a technical report on the findings."
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.