Run the full NuClide AI/LLM assessment chain from a single command.
VisorPlus is a Go CLI that drives eight subcommands across the discovery, enumeration, passive-recon, and adversarial-corpus stages of an AI/LLM infrastructure assessment. It invokes JAXEN for Shodan harvesting, VisorSD for severity-ranked stack audits, aimap for active AI/ML service fingerprinting, BARE for exploit-module ranking, VisorCorpus for adversarial prompt corpus generation, and VisorBishop for AI observability platform meta-fingerprinting. Running visorplus full sequences five phases end-to-end; each phase can also be called directly and skipped selectively.
git clone https://github.com/nuclide-research/VisorPlus
cd VisorPlus
go build -o visorplus .
Requires Go 1.22+. Shodan API key in SHODAN_API_KEY or at ~/.config/nuclide/shodan.key.
Install all dependent NuClide tools in one step:
./visorplus install
install clones and builds JAXEN, VisorSD, VisorCorpus, BARE, aimap, and VisorBishop into ~/Tools/ and prompts for a Shodan key if one is not already saved.
visorplus <command> [flags]
COMMANDS:
install Install all NuClide tools
hunt <dork> Shodan hunt via JAXEN; harvest into empire.db
audit [flags] VisorSD severity-ranked scan (four stack tiers)
enum <ip:port> Enumerate Ollama /api/version, /api/tags, /api/ps
assess <ip> Full passive recon on a single IP
corpus [flags] Generate adversarial LLM prompt corpus via VisorCorpus
full [dork] End-to-end chain: audit -> hunt -> enum -> assess -> corpus
bishop [flags] VisorBishop meta-fingerprinter for AI observability platforms
| Flag | Default | Effect |
|---|---|---|
--dork |
http.html:"Ollama is running" -port:443 |
Shodan dork for the hunt phase |
--org |
Scope all phases to an organization | |
--asn |
Scope to ASN (e.g. AS48090) |
|
--net |
Scope to CIDR | |
--out |
./visorplus-run |
Output directory |
--skip |
Comma-separated phases to skip: audit,hunt,enum,assess,corpus |
| Flag | Default | Effect |
|---|---|---|
--tier |
(lists tiers) | Stack tier: beginner, intermediate, advanced, enterprise |
--org / --asn / --net |
Scope filters | |
--limit |
10 | Max results per query |
--dry-run |
false | Print queries without calling Shodan |
--format |
text |
Output format: text, json, csv |
--out |
Write results to file | |
--fail-on |
Exit non-zero if severity >= threshold |
| Flag | Default | Effect |
|---|---|---|
--out |
. |
Output directory |
| Flag | Default | Effect |
|---|---|---|
--tier |
beginner |
Corpus depth: beginner (100 cases), intermediate (100+500), advanced (100+500+5000) |
--out |
./visorplus-corpora |
Output directory |
| Flag | Effect |
|---|---|
-t <url> |
Single-target probe |
-i <file> |
Batch probe, one URL per line |
--ip-shadow |
Add direct-IP port sweep (15 ports) on confirmed platform IPs |
--ip-shadow-all |
IP shadow on every target |
-c |
Concurrent probes (default 16) |
--timeout |
Per-probe timeout (default 8s) |
--json / --csv |
Output file |
-q |
Quiet mode |
Phase 1: visorsd audit (dry-run preview of beginner stack)
Phase 2: Shodan count + JAXEN hunt -> empire.db, recon_dump.json, summary.csv
Phase 3: /api/tags sweep across found hosts, red-flag detection
Phase 4: interactive target selection -> full assess on chosen IP
Phase 5: VisorCorpus beginner corpus generation
assess saves all artifacts to <out>/<ip>/:
whois.txt whois lookup
rdns.txt reverse DNS via dig
nmap_top1000.txt TCP top-1000, -sV, --min-rate 2000
ssh_keys.txt ssh-keyscan rsa/ecdsa/ed25519
greynoise.json GreyNoise community classification
shodan_host.json Shodan host detail (all ports + banners)
passive_dns.txt HackerTarget reverse-IP lookup
dnsbl.txt Spamhaus zen.spamhaus.org check
After the file sweep, assess calls visorplus enum on port 11434 and runs BARE exploit matching against the collected service information.
| Tier | Components |
|---|---|
beginner |
Ollama, Open WebUI, ChromaDB, n8n, Cloudflared |
intermediate |
LangChain/LangGraph, Qdrant/Weaviate, FastAPI, Langfuse |
advanced |
vLLM/TGI, Kubernetes vector DB, MLflow, custom RAG API |
enterprise |
OpenSearch, Airflow, Prometheus/Grafana, multi-tenant auth |
VisorBishop detects: Phoenix (Arize AI), Langfuse, Helicone, LangSmith, OpenLIT, Lunary, Pezzo.
--ip-shadow probes 15 ports per confirmed platform host for co-located unauthenticated services: NFS, MailHog, MailCatcher, Postgres, ClickHouse, Redis, Kibana, Prometheus, AlertManager, node_exporter, Elasticsearch, and others. Read-only; no credential testing or payload fuzzing.
enum calls /api/version, /api/tags, and /api/ps and flags:
| Pattern | Signal |
|---|---|
*-abliterated |
Safety-stripped weights |
*-uncensored |
Uncensored fine-tune |
hexstrike-ai |
Offensive AI orchestrator brand |
*:cloud |
Operator's paid cloud quota exposed unauthenticated |
| embed + chat models coresident | RAG stack, vector DB likely co-located |
visorplus-run/
hunt/
recon_dump.json Shodan banners
summary.csv Compact host list
assess/
<ip>/ One directory per assessed host
corpora/
beginner.json
intermediate.json (if tier >= intermediate)
advanced.json (if tier = advanced)
VisorPlus orchestrates the discovery, enumeration, and adversarial-corpus stages. It does not ingest findings into a ledger (VisorLog), run compliance scoring (VisorScuba), drive agentic recon (VisorRAG), or execute injection benchmarks (VisorAgent, VisorHollow). Those tools run independently and consume VisorPlus output.
MIT. Part of the NuClide toolchain. Contact: nuclide-research.com