# Penetration Testing Report Generation Skill

## Authorization Declaration

This skill is used only to generate reports for authorized penetration testing. Before using it, ensure that:
- The testing has obtained explicit written authorization from the owner of the target system
- All vulnerability discoveries come from legally authorized testing activities
- The report is only sent to authorized personnel
- Comply with local laws, regulations, and data protection requirements
Unauthorized penetration testing is illegal.
## Skill Usage

Use this skill in the following situations:
- Users request to generate penetration testing reports
- Users request to output security testing results
- Users need to summarize vulnerability discoveries
- Users explicitly mention "generate report according to format" or "follow template"
## Report Format Requirements

### Mandatory Sections

All reports must include the following sections, in this order:

1. **Title and Project Information Sheet**
   - Format:

     ```markdown
     # Penetration Testing Report: [Target System Name/Project Name]
     ```

   - Contains a 4-field table: Testing Target, Testing Time, Testers, Report Date

2. **Vulnerability Summary**
   - In table format, with columns: ID, Vulnerability Title, Risk Level, Status
   - ID format: VL-001, VL-002, VL-003...
   - Risk level icons: 🔴Critical, 🟠High, 🟡Medium, 🔵Low, ⚪Info

3. **Detailed Findings**
   - Each vulnerability has its own section
   - Section title:

     ```markdown
     ### [VL-XXX] Vulnerability Title
     ```

   - Must include 4 sub-sections:

     ```markdown
     #### 2.1 Vulnerability Description
     #### 2.2 Proof of Concept (Reproduction Steps)
     #### 2.3 Evidence Screenshots
     #### 2.4 Remediation Suggestions
     ```

4. **Appendix**
   - `### 3.1 Risk Level Definition`: risk level table
   - `### 3.2 CVSS Scoring Explanation`: CVSS v3.1 description
   - `### 3.3 Leaked Credentials List` (if applicable)
   - `### 3.4 Testing Tools Reference`: tools table
   - `### 3.6 Reference Documents`

5. **Report Sign-off**
   - Tester information
   - Disclaimer
### Detailed Vulnerability Section Format

Each vulnerability section must start with an attribute table:

```markdown
| Attribute | Value |
| :--- | :--- |
| **Risk Level** | 🔴 **Critical** / 🟠 **High** / 🟡 **Medium** / 🔵 **Low** / ⚪ **Info** |
| **CVSS Score** | 0.0 - 10.0 |
| **Vulnerability Type** | [Vulnerability Type] |
| **Affected URL** | `[Full URL]` |
| **Parameter** | `[Parameter Name]` (if applicable) |
```
### Code Block Format

- HTTP requests use the `http` language identifier (include the `Host` header and the blank line that separates headers from the body, so the request is valid HTTP/1.1):

  ```http
  POST /api/login HTTP/1.1
  Host: target.com
  Content-Type: application/json

  {"username":"admin","password":"123456"}
  ```

- Bash commands use the `bash` language identifier:

  ```bash
  sqlmap -u "http://target.com" --dbs
  ```

- PHP code uses the `php` language identifier:

  ```php
  // Bound parameter: user input never becomes part of the SQL string
  $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
  $stmt->execute([$id]);
  ```
## Workflow

Follow these steps when generating a penetration testing report:

### Step 1: Collect Information

Obtain the following information from the user:
- Testing target (URL or system name)
- Testing date range
- Tester information
- List of discovered vulnerabilities
- Detailed information for each vulnerability (type, impact, evidence, PoC)
### Step 2: Assign Vulnerability IDs

Assign an ID to each vulnerability:
- First vulnerability: VL-001
- Second vulnerability: VL-002
- And so on
### Step 3: Assess Risk Level

Determine the risk level from the CVSS v3.1 base score:

| CVSS Range | Risk Level | Icon |
|---|---|---|
| 9.0 - 10.0 | Critical | 🔴 |
| 7.0 - 8.9 | High | 🟠 |
| 4.0 - 6.9 | Medium | 🟡 |
| 0.1 - 3.9 | Low | 🔵 |
| 0.0 | Info | ⚪ |
### Step 4: Generate Report Body

Generate the sections in the following order:

1. **Project Information Sheet**: fill in the 4 mandatory fields
2. **Vulnerability Summary**: a table summarizing all vulnerabilities
3. **Detailed Findings**: an independent section for each vulnerability:
   - Attribute table (risk level, CVSS, type, URL, parameter)
   - 2.1 Vulnerability Description (2-3 paragraphs explaining the root cause, impact, and potential harm)
   - 2.2 Reproduction Steps (detailed steps including HTTP requests and commands)
   - 2.3 Evidence Screenshots (placeholder or description)
   - 2.4 Remediation Suggestions (including incorrect and correct code examples)
4. **Appendix**: include all mandatory sub-sections as per the template
### Step 5: Verify Format

After generating the report, check it against the Mandatory Format Rules and the Avoid Common Mistakes list under Important Notes below.

### Step 6: Output Report

Save the generated report to the user's reports directory:

```text
/Users/huimingliao/Documents/code/pentest-skills/reports/
```

File naming format:

```text
pentest_report_[Target System]_[Date].md
```
## Important Notes

### Mandatory Format Rules

- **Table Format**: All tables must include a header separator line
- **Risk Level Icons**: Must use the specified emoji icons
- **Section Numbering**: Strictly follow the sub-section numbering 2.1, 2.2, 2.3, 2.4
- **Code Language**: All code blocks must specify a language identifier
- **ID Format**: Vulnerability IDs must be in VL-XXX format with 3-digit numbers

### Avoid Common Mistakes
❌ Do not omit appendix sections
❌ Do not mix different risk level representations
❌ Do not miss mandatory fields in attribute tables
❌ Do not omit HTTP request examples in reproduction steps
❌ Do not provide only text descriptions in remediation suggestions (must include code examples)
✅ Each vulnerability must include all 4 complete sub-sections
✅ Remediation suggestions must include code comparisons (incorrect vs correct)
✅ All tables must have correct Markdown format
✅ Must include disclaimer
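A checker for the Step 5 verification and the rules above, added here as an example; it is not part of the skill or its template. It lints a report string for the rules the skill states (title line, header separator on every table, language identifier on every code fence, sequential VL-XXX IDs, sub-sections 2.1 to 2.4 and an icon in the Risk Level row of every finding, an `http` block in the reproduction steps, the mandatory appendix headings, and a disclaimer) and returns the violations it finds. `SAMPLE_REPORT` is a constructed minimal report; the `## 1.` / `## 2.` / `## 3.` top-level numbering it uses is an assumption inferred from the 2.x and 3.x sub-section numbers, not something the skill specifies.

```python
"""Lint a generated report against the skill's mandatory format rules (Step 5)."""
import re

ID_RE = re.compile(r"^### \[(VL-\d{3})\] \S")
SEPARATOR_RE = re.compile(r"^\s*\|(\s*:?-+:?\s*\|)+\s*$")
SUBSECTIONS = ("#### 2.1 ", "#### 2.2 ", "#### 2.3 ", "#### 2.4 ")
APPENDIX = ("### 3.1 ", "### 3.2 ", "### 3.4 ", "### 3.6 ")  # 3.3 is only "if applicable"
ICONS = ("🔴", "🟠", "🟡", "🔵", "⚪")


def check_report(text: str) -> list[str]:
    """Return the list of rule violations; an empty list means the report passes."""
    lines = text.splitlines()
    problems: list[str] = []

    if not lines or not lines[0].startswith("# Penetration Testing Report: "):
        problems.append("missing title line '# Penetration Testing Report: ...'")

    # Rule: every run of '|' lines is a table and needs a separator as its second row.
    i = 0
    while i < len(lines):
        if lines[i].lstrip().startswith("|"):
            j = i
            while j < len(lines) and lines[j].lstrip().startswith("|"):
                j += 1
            if j - i < 2 or not SEPARATOR_RE.match(lines[i + 1]):
                problems.append(f"table at line {i + 1} has no header separator line")
            i = j
        else:
            i += 1

    # Rule: every opening code fence carries a language identifier.
    in_fence = False
    for n, line in enumerate(lines, start=1):
        if line.startswith("```"):
            if not in_fence and line.strip() == "```":
                problems.append(f"code block at line {n} has no language identifier")
            in_fence = not in_fence
    if in_fence:
        problems.append("unterminated code block")

    # Rule: findings have sequential VL-XXX IDs, sub-sections 2.1-2.4, an icon in the
    # Risk Level row and an HTTP request block. A finding ends at the next ##/### heading.
    headings = [n for n, line in enumerate(lines) if line.startswith(("## ", "### "))]
    expected = 1
    for n in headings:
        m = ID_RE.match(lines[n])
        if not m:
            continue
        vid = m.group(1)
        if vid != f"VL-{expected:03d}":
            problems.append(f"{vid}: expected VL-{expected:03d} (IDs must be sequential)")
        expected += 1
        end = next((h for h in headings if h > n), len(lines))
        body = lines[n:end]
        for sub in SUBSECTIONS:
            if not any(l.startswith(sub) for l in body):
                problems.append(f"{vid}: missing '{sub.strip()}' sub-section")
        risk_rows = [l for l in body if l.startswith("| **Risk Level**")]
        if not risk_rows or not any(icon in risk_rows[0] for icon in ICONS):
            problems.append(f"{vid}: Risk Level row missing or without an icon")
        if not any(l.startswith("```http") for l in body):
            problems.append(f"{vid}: reproduction steps contain no HTTP request block")

    for sec in APPENDIX:
        if not any(l.startswith(sec) for l in lines):
            problems.append(f"missing appendix section '{sec.strip()}'")
    if "Disclaimer" not in text:
        problems.append("missing disclaimer")
    return problems


FENCE = "`" * 3  # built at runtime so the sample can embed a code fence

# Constructed minimal report that satisfies every rule; not from a real engagement.
SAMPLE_REPORT = f"""# Penetration Testing Report: Example App

| Testing Target | Testing Time | Testers | Report Date |
|---|---|---|---|
| https://app.example | 2024-01-01 to 2024-01-02 | Tester | 2024-01-03 |

## 1. Vulnerability Summary

| ID | Vulnerability Title | Risk Level | Status |
|---|---|---|---|
| VL-001 | SQL injection in login | 🔴Critical | Open |

## 2. Detailed Findings

### [VL-001] SQL injection in login

| Attribute | Value |
| :--- | :--- |
| **Risk Level** | 🔴 **Critical** |
| **CVSS Score** | 9.8 |

#### 2.1 Vulnerability Description
#### 2.2 Proof of Concept (Reproduction Steps)
{FENCE}http
POST /api/login HTTP/1.1
Host: app.example

username=admin'+OR+1=1--&password=x
{FENCE}
#### 2.3 Evidence Screenshots
#### 2.4 Remediation Suggestions

## 3. Appendix
### 3.1 Risk Level Definition
### 3.2 CVSS Scoring Explanation
### 3.4 Testing Tools Reference
### 3.6 Reference Documents

Disclaimer: constructed sample, not a real engagement.
"""
```

`check_report(SAMPLE_REPORT)` returns an empty list; dropping the language identifier from the fence, renaming `#### 2.4`, or removing a table's separator row each produces a named violation. The checker is deliberately line-based so it can run on the saved `.md` file before it is sent to anyone.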
### Template Resource Locations

- Report Template: `/Users/huimingliao/Documents/code/pentest-skills/templates/pentest_report_template.md`
- Reference Report: `/Users/huimingliao/Documents/code/pentest-skills/reports/pentest_report_localhost_9999_v2.md`
- Report Directory: `/Users/huimingliao/Documents/code/pentest-skills/reports/`