An autonomous AI assistant for penetration testing, security research, and general-purpose tasks.
Real-time tool execution β’ Unlimited autonomous operations β’ Self-improving AI β’ Beautiful dark UI
| Feature | Description |
|---|---|
| π€ Any LLM Backend | OpenAI, OpenRouter, Ollama, LM Studio, DeepSeek, Claude β any OpenAI-compatible API |
| β‘ Real-Time Streaming | Live tool execution output, typing animations, and AI thinking display |
| π Unlimited Operations | No tool call limits β PHANTOM runs autonomously until the task is done |
| π§ Self-Improving | Creates its own tools, saves execution traces, learns from past runs |
| π Secure Sudo | One-time sudo password with system validation β persisted securely |
| π Workspace System | Configurable workspace directory for scripts, reports, and file operations |
| 𧩠MCP Integration | Model Context Protocol server management for extended capabilities |
| π¦ Skills System | Import, manage, and create reusable skill packages (.zip import supported) |
| π Web Research | Built-in web search and webpage scraping for real-time information |
| π·οΈ Scrapling Integration | Anti-bot bypass, Cloudflare solving, JS rendering via Scrapling |
| πΎ Persistent Memory | Remembers targets, credentials, findings across sessions |
| π Emergency Stop | Instant abort button to halt any running operation |
| π¨ Premium Dark UI | Glassmorphism, matrix background, smooth animations |
- Node.js 18+ (install)
- Python 3.10+ (for Scrapling integration)
- npm (comes with Node.js)
- Any OpenAI-compatible API key
# Clone the repository
git clone https://github.com/OmYarewar/PHANTOM.git
cd PHANTOM
# Install dependencies
npm install
# Configure your API
cp .env.example .env
nano .env # Add your API key and modelEdit .env with your API provider:
# OpenAI
API_BASE_URL=https://api.openai.com/v1
API_KEY=sk-your-key-here
MODEL_ID=gpt-4o
# OpenRouter (access to 100+ models)
API_BASE_URL=https://openrouter.ai/api/v1
API_KEY=sk-or-your-key-here
MODEL_ID=deepseek/deepseek-chat
# Ollama (local, free)
API_BASE_URL=http://localhost:11434/v1
API_KEY=ollama
MODEL_ID=llama3
# LM Studio (local)
API_BASE_URL=http://localhost:1234/v1
API_KEY=lm-studio
MODEL_ID=your-model-namenpm run devOpen http://localhost:5173 in your browser. That's it! π
PHANTOM/
βββ server/ # Backend (Express + WebSocket)
β βββ ai/
β β βββ llm-client.js # LLM communication & streaming
β β βββ system-prompt.js # Dynamic system prompt builder
β βββ tools/
β β βββ executor.js # Tool execution engine (14 tools)
β β βββ registry.js # Tool definitions for function calling
β βββ memory/
β β βββ store.js # SQLite persistence layer
β βββ routes/
β β βββ api.js # REST API endpoints
β βββ config.js # Configuration management
β βββ index.js # Server entry point
βββ frontend/ # Frontend (Vanilla JS + Vite)
β βββ css/styles.css # Dark theme design system
β βββ js/
β β βββ app.js # Main controller & WebSocket
β β βββ chat.js # Chat rendering & animations
β β βββ settings.js # Settings panel
β β βββ management.js # MCP & Skills management
β β βββ markdown.js # Markdown renderer
β βββ index.html # Main page
βββ workspace/ # AI workspace (scripts, reports, skills)
βββ .env.example # Configuration template
βββ vite.config.js # Vite dev server config
βββ package.json
PHANTOM has 15 built-in tools that the AI uses autonomously:
| Tool | Purpose |
|---|---|
execute_command |
Run shell commands with auto sudo injection |
read_file |
Read file contents |
write_file |
Write/create files |
list_directory |
List directory contents |
install_tool |
Auto-install packages (apt/pacman/pip/npm/go/cargo) |
web_request |
HTTP requests for recon & API testing |
search_web |
Web search via DuckDuckGo |
scrape_webpage |
Fetch & parse webpage content |
scrapling_fetch |
β Advanced scraping β anti-bot bypass, Cloudflare, JS rendering (Scrapling) |
python_execute |
Execute Python code directly |
save_memory |
Store findings to persistent memory |
recall_memory |
Search persistent memory |
edit_source_code |
Self-modify PHANTOM's own code |
save_trace |
Log execution traces for self-optimization |
- Sudo passwords are stored in a local SQLite database on your machine only
- API keys are stored locally and never transmitted except to your configured API endpoint
- The
.envfile andphantom.dbare excluded from git - PHANTOM runs locally only β no external telemetry or data collection
- The
edit_source_codetool only works within the project directory and creates backups
Click to expand
The dark-themed command center with matrix background, real-time streaming, and AI thinking display.
Configure API provider, model, temperature, workspace, and sudo access.
Manage MCP servers and skills with tabbed interface and .zip import.
All settings can be configured from the web UI and persist across restarts:
- API Configuration β Base URL, API key, model, temperature, max tokens
- Workspace β Default directory for all AI file operations
- Sudo Password β System-validated and securely stored
- MCP Servers β Add/remove Model Context Protocol servers
- Skills β Import .zip skill packages or let AI create them
- You ask β Type a request in the chat
- AI thinks β Reasoning displayed in real-time (for supported models)
- AI acts β Executes tools autonomously with live output streaming
- AI reports β Clean, formatted results with typing animation
- AI learns β Saves traces and memories for future optimization
PHANTOM implements ideas from Meta-Harness for automated harness optimization β the AI can review its own execution traces and improve its approach over time.
| Endpoint | Method | Description |
|---|---|---|
/api/settings |
GET/PUT | Configuration management |
/api/conversations |
GET/POST | Conversation CRUD |
/api/conversations/:id |
GET/DELETE | Single conversation |
/api/tools |
GET | List available tools |
/api/memory |
GET | Query persistent memory |
/api/mcp/servers |
GET/POST/DELETE | MCP server management |
/api/skills |
GET | List installed skills |
/api/skills/upload |
POST | Import skill (.zip) |
/api/sudo/validate |
POST | Validate sudo password |
/api/system/info |
GET | System information |
/ws |
WebSocket | Real-time chat & streaming |
- Fork the repository
- Create your feature branch (
git checkout -b feature/awesome) - Commit your changes (
git commit -m 'Add awesome feature') - Push to the branch (
git push origin feature/awesome) - Open a Pull Request
This project is licensed under the MIT License β see the LICENSE file for details.
PHANTOM is designed for authorized security testing only. Always obtain proper authorization before testing any systems. The developers are not responsible for misuse of this tool.
Built with π€ for the security community