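After a curated evaluation by AI Skill Hub, the xalgorix Agent workflow is rated "Highly Recommended". This AI tool performs well in feature completeness, community activity, and ease of use, has an AI score of 8.2, and suits users with some technical background.
The xalgorix Agent workflow is an open-source tool written in Go, focused on core functions such as AI security testing, penetration testing, and open-source tooling. As a GitHub open-source project, it has active community support and ongoing release iteration; its code is fully transparent and auditable, and it supports local deployment to protect data privacy. Whether for personal use or integration into enterprise workflows, it provides a stable and reliable solution.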
```bash
# Option 1: go install (recommended)
go install github.com/xalgord/xalgorix@latest

# Option 2: build from source
git clone https://github.com/xalgord/xalgorix
cd xalgorix
go build -o xalgorix .

# Option 3: download a prebuilt binary
# Download the binary for your platform from the Releases page
# https://github.com/xalgord/xalgorix/releases
```

```bash
# Show help
xalgorix --help

# Basic run
xalgorix [options] <input>

# For detailed usage, see the documentation
# https://github.com/xalgord/xalgorix
```

```bash
# xalgorix configuration notes
# Show configuration options
xalgorix --config-example > config.yml

# Common configuration keys
# output_dir: ./output
# log_level: info
# workers: 4

# Environment variable (overrides the config file)
export XALGORIX_CONFIG="/path/to/config.yml"
```
Self-hosted AI security testing with a local Web UI, live agent telemetry, verified findings, and branded PDF reports.
---
Xalgorix is a self-hosted AI security testing platform for authorized penetration testing and bug bounty workflows. It combines an LLM-driven agent, browser automation, terminal tooling, a 22-phase testing methodology, live WebSocket events, finding management, report generation, and integrations for AgentMail and Discord.
The default experience is the Web UI. From one local dashboard you can start scans, monitor active runs, inspect findings, configure model/provider settings, manage environment variables, generate branded PDF reports, and delete or resume historical scans.
| Area | Capabilities |
|---|---|
| Dashboard | Local Web UI on 127.0.0.1:9137 by default, scan management, live status, bulk scan actions, and historical scan recovery. |
| Scanning | Single target, DAST, wildcard, and multi-target flows with selectable methodology phases. |
| Live telemetry | Tool calls, agent messages, findings, errors, HTTP activity, and LLM activity over WebSockets. |
| Findings | Scan detail pages, severity filters, CVSS details, finding index, and verified finding workflows. |
| Reporting | Branded PDF reports with target/company name, uploaded logo, report list, open/download/delete actions. |
| Integrations | AgentMail test inboxes, verification emails, OTP flows, email triage events, Discord and Telegram notifications. |
| Configuration | Dashboard settings for LLM, AgentMail, Discord, Telegram, proxy, runtime, browser, auth, rate limits, and resources. |
| Runtime safety | Resource-aware instance limits and loopback-only binding unless external access is explicitly configured with auth. |

| Requirement | Notes |
|---|---|
| Linux | Primary supported platform. |
| Go | 1.24.2 or newer. |
| Node.js + npm | Required when building the bundled React Web UI from source. |
| Security tools | Installed on demand only when auto-install is enabled. |
Check your Go version:
```bash
go version
```
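```bash
git clone https://github.com/xalgord/xalgorix.git
cd xalgorix
make build
sudo install -m 755 build/xalgorix /usr/local/bin/xalgorix
```

`make build` builds the React Web UI into `internal/web/static`, then builds the Go binary.

```bash
GOPROXY=direct GOSUMDB=off go install github.com/xalgord/xalgorix/v4/cmd/xalgorix@latest
```

`GOSUMDB=off` turns off checksum-database verification for this install and `GOPROXY=direct` fetches the module straight from its repository, so the downloaded code is not checked against the Go checksum database.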
```bash
git clone https://github.com/xalgord/xalgorix.git
cd xalgorix
make build
sudo install -m 755 build/xalgorix /usr/local/bin/xalgorix
```
Create `~/.xalgorix.env`:

```env
XALGORIX_LLM=minimax/MiniMax-M2.7
XALGORIX_API_KEY=your_provider_api_key
```
Start the dashboard:
```bash
xalgorix --web
```
Open http://127.0.0.1:9137.
[!IMPORTANT] Use Xalgorix only on systems you own or have explicit permission to test.
[!TIP] Prefer not to self-host? A fully managed version is available at www.xalgorix.com — click-to-scan, no install or API keys required.
OpenAI:

```env
XALGORIX_LLM=openai/gpt-5.4
XALGORIX_API_KEY=sk-...
```

Custom OpenAI-compatible provider:

```env
XALGORIX_LLM=custom/security-model
XALGORIX_API_BASE=https://your-provider.example/v1
XALGORIX_API_KEY=your_provider_api_key
```
[Screenshots: Overview dashboard, Scan detail, Findings]
Xalgorix loads configuration in this order. Later sources override earlier ones.
| Order | Source |
|---|---|
| 1 | /etc/xalgorix.env |
| 2 | /home/<sudo-user>/.xalgorix.env when launched through sudo |
| 3 | ~/.xalgorix.env |
| 4 | Environment variables already present in the process |
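
The load order above, as an added example (not Xalgorix's own loader): it resolves constructed KEY=VALUE layers in the documented order and reports secret-looking keys whose overridden copy still sits in an earlier source, which is what is left behind when an API key is rotated in only one file. `Layer`, `Effective`, `Resolve`, `StaleSecrets`, the suffix heuristic, and the simplified line parsing are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Layer is one configuration source; Body holds its KEY=VALUE lines.
type Layer struct{ Name, Body string }

// Effective is a key's winning value, its source, and the source it overrode.
type Effective struct{ Value, Source, Overrode string }

// Sample holds constructed layers in the documented load order.
var Sample = []Layer{
	{"/etc/xalgorix.env", "XALGORIX_LLM=openai/gpt-5.4\nXALGORIX_API_KEY=constructed-old"},
	{"~/.xalgorix.env", "# constructed sample\nXALGORIX_API_KEY=constructed-new"},
	{"process environment", "XALGORIX_LLM=custom/security-model"},
}

// Resolve applies layers in order, so a later layer overrides an earlier one.
// Assumption: plain KEY=VALUE lines; blank lines and # comments are skipped.
func Resolve(layers []Layer) map[string]Effective {
	out := map[string]Effective{}
	for _, l := range layers {
		for _, line := range strings.Split(l.Body, "\n") {
			k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
			if k = strings.TrimSpace(k); !ok || k == "" || k[0] == '#' {
				continue
			}
			out[k] = Effective{strings.TrimSpace(v), l.Name, out[k].Source}
		}
	}
	return out
}

// StaleSecrets lists secret-looking keys that an overridden source still stores.
func StaleSecrets(cfg map[string]Effective) (keys []string) {
	for k, e := range cfg {
		secret := strings.HasSuffix(k, "_KEY") || strings.HasSuffix(k, "_TOKEN") || strings.HasSuffix(k, "_WEBHOOK")
		if secret && e.Overrode != "" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

func main() { fmt.Println(StaleSecrets(Resolve(Sample))) }
```
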
Create the local environment file:
```bash
nano ~/.xalgorix.env
```

```env
XALGORIX_LLM=minimax/MiniMax-M2.7
XALGORIX_API_KEY=your_provider_api_key
GEMINI_API_KEY=AIza...
AGENTMAIL_POD=am_us_pod_47
AGENTMAIL_API_KEY=ak_...
XALGORIX_DISCORD_WEBHOOK=https://discord.com/api/webhooks/...
XALGORIX_DISCORD_MIN_SEVERITY=high
```

| Variable | Default | Description |
|---|---|---|
| `XALGORIX_LLM_MAX_INFLIGHT` | 4 × EffectiveMaxInstances | Caps simultaneous outbound LLM calls across all running scans. Minimum 1. Cancelled waiters do not consume a slot. |
Most operational settings can be changed from the Web UI under Settings.
| Area | Examples |
|---|---|
| Engagement | Dashboard request rate limits |
| LLM | Model, API key, API base, reasoning effort, retries, max iterations |
| AgentMail | Pod and API key |
| Notifications | Discord webhook and minimum severity, Telegram bot token, chat ID, and minimum severity |
| Proxy | Proxy URL, proxy file, rotation, TLS verification |
| Runtime | Workspace, browser path, auto-install controls |
| Security | Dashboard username, password, password hash, bind address |
| Resources | CPU/RAM/disk thresholds and scan concurrency budget |
Some settings require a restart because they affect process startup or server binding. The UI marks those fields.
GET /api/status now exposes:
| Field | Meaning |
|---|---|
| `panics_recovered` | Goroutine, HTTP handler, and tool panics that were recovered without crashing. |
| `path_rejections` | Filesystem writes refused by Path_Policy (outside `data_dir` / `~/.xalgorix/` / `/tmp`). |
| `watchdog_kills` | Subprocesses terminated by the per-tool hard-timeout watchdog. |
| `admission_refusals` | Scan admission requests denied due to the concurrency ceiling. |
| `llm_inflight_cap` | Effective `XALGORIX_LLM_MAX_INFLIGHT` value for this process. |
| `data_dir` | Resolved Data_Dir in use. |
| `allow_list` | Filesystem roots accepted by Path_Policy. |

```bash
xalgorix --target https://example.com
```

With custom instructions:

```bash
xalgorix --target https://app.example.com --instruction "Focus on SQL injection, IDOR, and auth bypass. Avoid destructive tests."
```

| Flag | Alias | Description |
|---|---|---|
| `--web` | `-w` | Start the Web UI. |
| `--port <port>` | `-p` | Web UI port. Default: 9137. |
| `--bind <addr>` | none | Bind address. Default: 127.0.0.1. |
| `--target <target>` | `-t` | Target URL, host, IP, or path. Repeatable. |
| `--instruction <text>` | `-i` | Custom scan instructions. |
| `--model <model>` | `-m` | Override `XALGORIX_LLM` for this run. |
| `--update` | `-up` | Update to the latest release. |
| `--version` | `-v` | Print version. |
| `--start` | none | Install and start the system service. |
| `--stop` | none | Stop the system service. |
| `--restart` | none | Restart the system service. |
| `--uninstall` | none | Remove the system service. |
| `--help` | `-h` | Show help. |

| Method | Endpoint | Purpose |
|---|---|---|
| POST | `/api/scan` | Start or save a scan. |
| POST | `/api/stop` | Stop all running scans. |
| GET | `/api/status` | Current global status. |
| GET | `/api/scans` | List scans. |
| GET | `/api/scans/:id` | Get scan detail. |
| DELETE | `/api/scans/:id` | Delete a scan and its report data. |
| GET | `/api/findings` | List all findings (deduplicated across scans). |
| GET | `/api/findings/summary` | Severity tally across all scans. |
| GET | `/api/report/:id` | Download a PDF report. |
| GET | `/api/instances` | List live and historical instances. |
| GET | `/api/instances/:id/events` | Get buffered event history. |
| POST | `/api/instances/:id/stop` | Stop a specific instance. |
| POST | `/api/instances/:id/start` | Start a saved or completed scan as a new run. |
| POST | `/api/instances/:id/restart` | Restart with the same configuration. |
| POST | `/api/instances/:id/pause` | Pause a running scan. |
| POST | `/api/instances/:id/resume` | Resume a paused scan. |
| POST | `/api/upload-logo` | Upload a report logo. |
| POST | `/api/upload-targets` | Upload a target list. |
| GET | `/api/settings/environment` | List editable environment settings. |
| POST | `/api/settings/environment` | Save environment settings. |
| GET | `/api/settings/llm` | Get LLM settings. |
| POST | `/api/settings/llm` | Save LLM settings. |
| GET | `/api/settings/agentmail` | Get AgentMail settings. |
| POST | `/api/settings/agentmail` | Save AgentMail settings. |
| GET | `/ws` | WebSocket live event stream. |

http://127.0.0.1:9137.

/api/findings always include every vulnerability the agent discovered.

| Variable | Default | Description |
|---|---|---|
| `AGENTMAIL_POD` | none | AgentMail pod identifier. |
| `AGENTMAIL_API_KEY` | none | AgentMail API key. |
| `XALGORIX_DISCORD_WEBHOOK` | none | Global Discord webhook. |
| `XALGORIX_DISCORD_MIN_SEVERITY` | none | Minimum severity sent to Discord. |
| `XALGORIX_TELEGRAM_BOT_TOKEN` | none | Telegram bot token from @BotFather. |
| `XALGORIX_TELEGRAM_CHAT_ID` | none | Telegram chat/channel ID (numeric or @username). |
| `XALGORIX_TELEGRAM_MIN_SEVERITY` | none | Minimum severity sent to Telegram. |
| `CAIDO_PORT` | 0 | Caido proxy port. 0 means auto-detect. |
| `CAIDO_API_TOKEN` | none | Caido API token. |

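Xalgorix is a self-hosted AI security testing platform designed for authorized penetration testing and bug bounty workflows. It integrates an LLM-driven agent, browser automation, a terminal toolset, and a professional 22-phase testing methodology. The platform supports real-time event streaming over WebSocket and provides vulnerability management, report generation, and deep integration with AgentMail and Discord. Users manage everything from an intuitive local Web UI dashboard for efficient automated security scanning.

Xalgorix provides comprehensive security testing capabilities. Its dashboard runs locally on `127.0.0.1:9137` and offers scan management, live status monitoring, bulk scan actions, and historical scan recovery. The scan engine supports single-target, DAST, wildcard, and multi-target flows and lets users choose testing methodology phases as needed, so that testing both meets professional standards and stays highly flexible.

Before deploying Xalgorix, make sure your environment meets the following requirements: Linux is the primary supported platform; the development environment needs Go `1.24.2` or newer; and if you build the React-based Web UI from source, Node.js and npm must be installed. Set up these dependencies before proceeding with installation and compilation.

You can choose an installation method to suit your needs: 1. Build from source: fetch the code with `git clone`, run `make build` to compile the React Web UI and the Go binary, then use `sudo install` to install it to `/usr/local/bin/xalgorix`; 2. Install with Go: run `go install github.com/xalgord/xalgorix/v4/cmd/xalgorix@latest` directly for a quick deployment.

Quick start: first clone the project with Git and build and install it. Next, create `~/.xalgorix.env` in your home directory and set the `XALGORIX_LLM` model name and `XALGORIX_API_KEY`. Start the service with `xalgorix --web`, then open `http://127.0.0.1:9137` in a browser to reach the Web UI. The platform also supports scanning targets in CLI mode and accepts custom test instructions through the `--instruction` flag.

Xalgorix configuration follows a specific precedence order in which later sources override earlier ones. The load order is: `/etc/xalgorix.env`, the `sudo` user's environment file, `~/.xalgorix.env` in the user's home directory, and system environment variables. Beyond the basic LLM model and API key settings, you can use environment variables to integrate Gemini, AgentMail, and a Discord webhook for automated notifications and finding delivery.

Xalgorix provides a full CLI and RESTful API. In CLI mode, `--target` specifies the target, and flags control the Web UI port and bind address. At the API level, `/api/scan` starts or saves a scan, `/api/stop` stops all running scans, and `/api/status` and `/api/scans` return global status and scan history, which makes secondary development and integration straightforward.

In the Web UI workflow, users first open the settings page from the dashboard and confirm the LLM provider, API key, rate limits, and third-party integration settings. They then create a scan with 'New Scan' and select a specific scan mode or methodology phases as needed. You can also set severity filters to narrow the test scope so that scan results focus on the security risks you care about.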
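
An innovative product combining AI and security engineering, with strong automated penetration testing capabilities and relatively high community interest. Code quality is assured, making it suitable for integration by professional security teams.

AI Skill Hub is a third-party content aggregation platform. The information on this page is compiled from public data and does not constitute any legal endorsement of the tool's functionality or quality.

We recommend validating thoroughly in a sandbox or test environment before deploying to production, and carrying out the necessary security assessment.

✅ MIT License: one of the most permissive open-source licenses; free for commercial use, modification, and distribution, requiring only that the copyright notice be retained.

AI Skill Hub review: the core functionality of the xalgorix Agent workflow is complete and of excellent quality. For AI enthusiasts, it is a choice worth adding to a personal toolkit. We recommend trying it in a non-production environment first and then rolling it out gradually.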
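
| Original name | xalgorix |
| Original description | Open-source AI workflow: Xalgorix - The Most Powerful Open-Source AI Pentesting Agent. ⭐219 · Go |
| Topics | AI security testing, penetration testing, open-source tools, workflow automation, vulnerability discovery |
| GitHub | https://github.com/xalgord/xalgorix |
| License | MIT |
| Language | Go |

Listed: 2026-05-16 · Updated: 2026-05-19 · License: MIT · AI Skill Hub does not legally endorse the accuracy of third-party content.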