web3-ai-tools (listed)

Install: `claude install-skill Olaradiallysymmetrical491/web3-bug-bounty-hunting-ai-skills`
# AI TOOLS ARSENAL
> AI-powered automation for every phase of Web3 bug hunting.
> Replaces: 28-cai-framework, 29-claude-skills-security, 30-shannon-ai-pentester,
> 31-luan1ao-agent, 32-ai-generated-code-hunting, 33-smartguard-agent
---
## TOOL SELECTION GUIDE
| Tool | Target Type | Best For | Cost |
|------|------------|----------|------|
| **Shannon** | Web apps + API (white-box) | IDOR, SQLi, SSRF, auth bypass | ~$50/run |
| **LuaN1ao** | Any web target | Autonomous OWASP Top 10 | $0.09/exploit |
| **CAI** | Web/network/IoT | Bug bounty recon + validation | API cost only |
| **SmartGuard** | Solidity files | Auto PoC generation for SC bugs | API cost |
| **AI Code Hunt** | AI-written contracts | Bugs Slither/Forge miss | Manual (patterns) |

**For DeFi smart contracts:** SmartGuard + AI Code Hunt patterns

**For DeFi web frontends:** Shannon (web layer) + skills 01-07 (contract layer)

**For CTF/web targets:** LuaN1ao or CAI

---
## TOOL 1: SHANNON — AUTONOMOUS WEB PENTESTER
**Source:** github.com/KeygraphHQ/shannon

**Score:** 96.15% on XBOW source-aware benchmark (100/104 exploits)

**Model:** Claude Agent SDK (Anthropic)

**Cost:** ~$50/run | ~1-1.5 hours
### What Shannon Finds
```
✅ IDOR — changes IDs across accounts, tests all API routes
✅ SQLi — error-based and time-based blind
✅ Command injection — OS separators in all inputs
✅ XSS — reflected + stored (confirmed in real browser)
✅ SSRF — webhook/fetch URL inputs, OOB callbacks
✅ JWT attacks — alg:none, RS