Community plugin registry for prowlrview.
Every plugin lives in its own directory under `categories/` with a `plugin.toml` manifest and a `main.lua` entry point. CI validates Lua syntax and manifest schema on every PR.
```bash
# one-shot
curl -fsSL https://raw.githubusercontent.com/ProwlrBot/prowlrview-plugins/main/categories/passive-scan/secret-sniffer/main.lua \
  -o ~/.config/prowlrview/plugins/secret-sniffer.lua

# or: clone and symlink
git clone https://github.com/ProwlrBot/prowlrview-plugins ~/src/prowlrview-plugins
ln -s ~/src/prowlrview-plugins/categories/passive-scan/secret-sniffer/main.lua \
  ~/.config/prowlrview/plugins/secret-sniffer.lua
```

Restart prowlrview or press `r` in the TUI to reload.

| Category | What goes here |
|---|---|
| `recon/` | Subdomain, tech, WAF, takeover detection |
| `passive-scan/` | Read-only response/body analysis (secrets, JWT, CORS, …) |
| `active-scan/` | Sends crafted requests (IDOR, SSRF, SQLi heuristics, …) |
| `graph/` | Graph decorators, chain detectors, scope guards, exporters |
| `themes/` | `.toml` color schemes |

```
categories/<category>/<plugin-name>/
├── plugin.toml   # manifest (required)
├── main.lua      # entry point (required)
├── README.md     # docs (recommended)
└── test/         # fixtures, optional
```

```toml
[plugin]
name = "idor-hunter"
version = "0.1.0"
author = "kdairatchi"
license = "MIT"
summary = "Flags numeric-ID API paths as IDOR candidates."
category = "active-scan"
events = ["on_request", "on_response"]
severity_range = ["low", "high"]
tags = ["idor", "authz", "api"]

[runtime]
engine = "lua" # lua | wasm
entry = "main.lua"
min_prowlrview = "0.2.0"
```

Read the API reference, or use the Claude skill:
```
claude /prowlrview-plugin-author
```

- Fork, add your plugin under the right category dir.
- Fill out `plugin.toml`, write `main.lua`.
- `make validate` (or let CI do it).
- PR with a screenshot/GIF if it affects the graph visually.

Report suspected vulnerabilities privately — see SECURITY.md.
Each plugin declares its own license in plugin.toml. The registry itself is MIT.