If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/GhostPack/Seatbelt shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Stale — last commit 1y ago

• 15 active contributors
• Distributed ownership (top contributor 34% of recent commits)
• Other licensed
• ⚠ Stale — last commit 1y ago
• ⚠ Non-standard license (Other) — review terms
• ⚠ No CI workflows detected
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live GhostPack/Seatbelt repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/GhostPack/Seatbelt.

What it runs against: a local clone of GhostPack/Seatbelt — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in GhostPack/Seatbelt | Confirms the artifact applies here, not a fork | | 2 | License is still Other | Catches relicense before you depend on it | | 3 | Default branch master exists | Catches branch renames | | 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 514 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of GhostPack/Seatbelt. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/GhostPack/Seatbelt.git
#   cd Seatbelt
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of GhostPack/Seatbelt and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "GhostPack/Seatbelt(\\.git)?\\b" \\
  && ok "origin remote is GhostPack/Seatbelt" \\
  || miss "origin remote is not GhostPack/Seatbelt (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Other)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Other\"" package.json 2>/dev/null) \\
  && ok "license is Other" \\
  || miss "license drift — was Other at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "Seatbelt/Commands/CommandBase.cs" \\
  && ok "Seatbelt/Commands/CommandBase.cs" \\
  || miss "missing critical file: Seatbelt/Commands/CommandBase.cs"
test -f "Seatbelt/Commands/CommandGroup.cs" \\
  && ok "Seatbelt/Commands/CommandGroup.cs" \\
  || miss "missing critical file: Seatbelt/Commands/CommandGroup.cs"
test -f "Seatbelt/Commands/CommandDTOBase.cs" \\
  && ok "Seatbelt/Commands/CommandDTOBase.cs" \\
  || miss "missing critical file: Seatbelt/Commands/CommandDTOBase.cs"
test -f "Seatbelt/Commands/CommandOutputTypeAttribute.cs" \\
  && ok "Seatbelt/Commands/CommandOutputTypeAttribute.cs" \\
  || miss "missing critical file: Seatbelt/Commands/CommandOutputTypeAttribute.cs"
test -f "Seatbelt/Commands/HostDTO.cs" \\
  && ok "Seatbelt/Commands/HostDTO.cs" \\
  || miss "missing critical file: Seatbelt/Commands/HostDTO.cs"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 514 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~484d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/GhostPack/Seatbelt"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Seatbelt is a C# offensive/defensive security auditing tool that performs host-survey 'safety checks' by enumerating system configuration, installed products, browser artifacts, cloud credentials, and Windows security settings. It collects security-relevant artifacts from a single machine and outputs structured reports, enabling both red teamers to assess attack surface and blue teamers to identify configuration weaknesses. Monolithic C# solution (Seatbelt.sln) with Commands/ folder organizing checks into subdirectories: Browser/ (6 commands for Chrome, Firefox, IE), Products/ (20+ commands for installed apps like PuTTY, KeePass, LAPS, Slack), Misc/ (file enumeration, cloud creds), Windows/ (AMSI, system checks). Each command inherits CommandBase.cs and outputs a CommandDTOBase DTO, enforcing uniform CLI and JSON serialization.

Offensive security professionals (red teamers) and defensive security engineers (blue teamers) who need to quickly audit a Windows host's security posture, credential exposure, and misconfigurations. System administrators validating secure baselines. Incident responders collecting forensic artifacts.

Actively developed and production-ready. The repo shows regular maintenance (CHANGELOG.md, v1.2.1 tag visible in README banner) with a mature command structure supporting 40+ discrete safety checks organized into command groups (system, user, misc, products, browser, windows). BSD 3-Clause licensed with clear documentation and GitHub issue templates suggest established project governance.

Standard open source risks apply.

No visible active PR or commit data in provided file list, but the mature versioning (v1.2.1) and structured CHANGELOG.md suggest regular updates. The breadth of commands (40+) indicates ongoing addition of new artifact collectors. Hidden: check GitHub's Releases page and Issues for pending work.

git clone https://github.com/GhostPack/Seatbelt.git
cd Seatbelt
dotnet build Seatbelt.sln
dotnet run --project Seatbelt -- --help

Daily commands: Compile with dotnet build Seatbelt.sln, then run as Seatbelt.exe [CommandName] [arguments] or dotnet run --project Seatbelt -- [CommandName]. Requires administrative privileges. Use --help for command listing.

• Seatbelt/Commands/CommandBase.cs — Abstract base class defining the command execution framework; all 80+ commands inherit from this interface.
• Seatbelt/Commands/CommandGroup.cs — Orchestrates command grouping and enumeration logic; required to understand how commands are organized and executed.
• Seatbelt/Commands/CommandDTOBase.cs — Base class for all Data Transfer Objects; establishes serialization and output formatting conventions across all commands.
• Seatbelt/Commands/CommandOutputTypeAttribute.cs — Metadata attribute system for command output configuration; critical for understanding how commands register their output types.
• Seatbelt/Commands/HostDTO.cs — Primary aggregate DTO containing all host survey results; represents the main output model of the entire application.
• Seatbelt/Seatbelt.sln — Solution file defining project structure and build configuration; entry point for building and understanding project organization.

Add a new Windows security check command

1. Create new class inheriting from CommandBase in Seatbelt/Commands/Windows/ directory (Seatbelt/Commands/Windows/YourNewCommand.cs)
2. Define a DTO class inheriting from CommandDTOBase to model the output (Seatbelt/Commands/Windows/YourNewCommand.cs (nested class or separate file))
3. Implement Execute() method with CommandBase<T> generic type parameter matching your DTO (Seatbelt/Commands/Windows/YourNewCommand.cs)
4. Add [CommandOutputType(CommandOutputType.json)] or other format attributes to your DTO (Seatbelt/Commands/Windows/YourNewCommand.cs)
5. Register command in CommandGroup enumeration logic or auto-discovery mechanism (Seatbelt/Commands/CommandGroup.cs)

Add browser or application artifact extraction

1. Create command class in appropriate subdirectory (Browser/, Products/) inheriting CommandBase (Seatbelt/Commands/Browser/YourBrowserCommand.cs or Seatbelt/Commands/Products/YourProductCommand.cs)
2. Define data extraction logic targeting application-specific registry keys, SQLite databases, or config files (Seatbelt/Commands/Browser/YourBrowserCommand.cs)
3. Create DTO to serialize extracted artifacts with proper attribute decorators (Seatbelt/Commands/Browser/YourBrowserCommand.cs)
4. Implement error handling for missing applications or inaccessible data (Seatbelt/Commands/Browser/YourBrowserCommand.cs)

Add event log analysis or forensic command

1. Create command in Seatbelt/Commands/Windows/EventLogs/ inheriting CommandBase (Seatbelt/Commands/Windows/EventLogs/YourEventCommand.cs)
2. Query Windows Event Log using System.Diagnostics.Eventing.Reader APIs for target event IDs (Seatbelt/Commands/Windows/EventLogs/YourEventCommand.cs)
3. Create DTOs for parsed event properties and optional custom TextFormatter for display (Seatbelt/Commands/Windows/EventLogs/YourEventCommandDTO.cs and YourEventCommandTextFormatter.cs)
4. Add filtering and date-range logic following pattern from ExplicitLogonEventsCommand (Seatbelt/Commands/Windows/EventLogs/ExplicitLogonEvents/ExplicitLogonEventsCommand.cs)

Add custom output formatting

1. Create TextFormatter class inheriting from framework formatter base (examine existing formatters) (Seatbelt/Commands/Windows/EventLogs/ExplicitLogonEvents/ExplicitLogonEventsTextFormatter.cs)
2. Implement formatting logic specific to your DTO structure for human-readable console output (YourCommandTextFormatter.cs)
3. Reference formatter in command's output configuration or CommandGroup registration (Seatbelt/Commands/CommandGroup.cs or your command file)

• C# / .NET Framework — Enables deep integration with Windows APIs (WMI, Registry, Event Logs, DPAPI) and works in restricted environments where PowerShell may be blocked; provides compiled binary execution without interpreter dependencies.
• Windows Event Log Reader API (System.Diagnostics.Eventing.Reader) — Native access to Windows Security and Application event logs for forensic analysis without PowerShell or external tools.
• Registry API & WMI — Direct querying of Windows Registry and system management interfaces for configuration enumeration without spawning processes.
• SQLite/Database libraries — Parsing browser history, Slack workspace data, and application SQLite databases for artifact extraction.
• DTO + Serialization (JSON/XML) — Allows consistent output formatting and programmatic parsing; supports remote enumeration and integration with security tooling.

• Single-threaded command execution with sequential batch processing

  • Why: Simplifies state management and error reporting; avoids race conditions on shared system resources.
  • Consequence: Slower enumeration on systems with many commands; no parallel execution of independent checks.

• No built-in credential storage or decryption (DPAPI command only enumerates keys)

  • Why: Avoids introducing credential theft vectors; keeps tool focused on detection/audit rather than offensive credential capture.
  • Consequence: Users must manually decrypt DPAPI data or use separate tools; limited to what tool explicitly extracts.

• No remote enumeration mechanism built into core commands

  • Why: Keeps implementation simple and focused on local host enumeration; reduces surface area for accidental privilege escalation.
  • Consequence: Remote scanning requires manual credential passing or wrapping; not suitable for agentless remote assessments.

• DTO-based output with multiple formatter implementations

  • Why: Allows
  • Consequence: undefined

1. Admin privileges required: Most commands fail silently without elevation; test under runas /user:Administrator cmd. 2. Registry paths vary by OS: 32-bit vs 64-bit registry views (HKLM vs HKU) differ; commands must account for View.Registry32 and View.Registry64. 3. User context matters: Browser history and product configs live in user profiles; enumerating multiple users requires iterating C:\Users\ or using remote registry access. 4. Output format coupling: CommandOutputTypeAttribute controls JSON vs text serialization; changing DTO structure breaks downstream parsing. 5. No tests in file list: Verify commands with real installations before shipping; unit test harness not visible.

• GhostPack/SharpHound3 — Companion BloodHound ingestor by same author (harmj0y); Seatbelt often precedes SharpHound for local enumeration before domain reconnaissance
• PowerShellMafia/PowerSploit — PowerShell equivalent of Seatbelt checks; shared philosophy of host-survey enumeration for red team assessment
• 411Hall/JAWS — PowerShell-based host enumeration script predating Seatbelt; Seatbelt reimplements similar checks in compiled C# for stealth and speed
• ropnop/aquatone — Companion reconnaissance tool often used after Seatbelt to visualize discovered web services and credentials
• GhostPack/Rubeus — Kerberos exploitation tool by same author; Seatbelt's AMSI and LSA checks often identify Kerberos misconfigurations that Rubeus exploits

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add unit tests for CommandBase.cs and CommandDTOBase.cs

The CommandBase.cs and CommandDTOBase.cs are the foundation for all 50+ command implementations across Browser, Products, Windows, Misc, and EventLogs directories. Currently, there are no test files in the repo structure, making it difficult to ensure refactoring safety and catch regressions. Adding a Tests/ directory with unit tests for these base classes would provide a safety net for maintainers and contributors, especially given the complexity of serialization (CommandOutputTypeAttribute) and error handling (ErrorDTO, VerboseDTO, WarningDTO).

• [ ] Create Seatbelt.Tests/ directory with xUnit or NUnit project
• [ ] Write tests for CommandBase.cs covering Execute(), GetFromWMI(), and command lifecycle
• [ ] Write tests for CommandDTOBase.cs and its serialization logic
• [ ] Add test cases for CommandOutputTypeAttribute behavior
• [ ] Integrate tests into CI/CD pipeline (see separate PR suggestion)

Add GitHub Actions workflow for .NET build, test, and release validation

The repo contains Seatbelt.sln and a complete C# project structure but has no build/test automation visible in the .github directory (only issue templates exist). This means PRs cannot be validated automatically, increasing merge risk. A .NET workflow would catch compilation errors, test failures, and version misalignment before merge.

• [ ] Create .github/workflows/dotnet.yml with build matrix for .NET Framework and .NET Core versions
• [ ] Add steps to restore NuGet dependencies, build Seatbelt.sln, and run tests (once tests exist from PR #1)
• [ ] Add artifact upload for compiled binaries on release tags
• [ ] Document the workflow in CONTRIBUTING.md (or create it if missing)
• [ ] Ensure workflow runs on push to main, PRs, and manual dispatch

Refactor Browser commands into a shared BrowserCredentialParser utility

The Browser/ directory contains 5 commands (ChromiumBookmarks, ChromiumHistory, FirefoxHistory, InternetExplorerFavorites, etc.) that likely share common parsing logic for browser artifacts, SQLite databases, and registry access. Extracting this into a BrowserCredentialParser or BrowserHistoryParser utility would reduce code duplication, improve maintainability, and make it easier to add new browser support. README.md mentions Browser commands but doesn't document their architecture.

• [ ] Create Seatbelt/Commands/Browser/Utilities/BrowserHistoryParser.cs to handle SQLite queries and registry parsing
• [ ] Create Seatbelt/Commands/Browser/Utilities/BrowserCredentialExtractor.cs for decryption/extraction logic
• [ ] Refactor ChromiumBookmarksCommand.cs, ChromiumHistoryCommand.cs, and FirefoxHistoryCommand.cs to use new utilities
• [ ] Add unit tests for parser edge cases (corrupted databases, missing files)
• [ ] Document the Browser utilities in a Browser/README.md with examples for adding new browser support

• Add a new Browser command for Microsoft Edge (Chromium-based): examine Seatbelt/Commands/Browser/ChromiumHistoryCommand.cs and Seatbelt/Commands/Browser/ChromiumPresenceCommand.cs, then implement EdgePresenceCommand.cs and EdgeHistoryCommand.cs by adapting the Chromium paths for Edge's Local/Roaming AppData. Edge stores history in WebCacheV01.dat; research SQLite schema and write a command returning an EdgeHistoryDTO.
• Document the command argument parsing contract in CommandBase.cs: The Execute() signature accepts string[] args but no docstring explains how subclasses should parse them. Add XML comments with examples for how --verbose, --remote, and custom flags should be implemented, then audit 3 existing commands (e.g., CloudCredentialsCommand.cs, InterestingFilesCommand.cs) and add their argument patterns to the docstring.
• Expand InterestingFilesCommand.cs to enumerate credential files in user home directories: Currently it scans hardcoded paths; refactor to recursively search C:\Users[user]\AppData for .pem, .ppk, .key, .kdbx (KeePass), and .aws/credentials files, returning a structured DTO with file paths, sizes, and modification times. Add a --depth parameter to limit recursion.

• High · Sensitive Data Exposure via Browser History and Credentials Commands — Seatbelt/Commands/Browser/* and Seatbelt/Commands/Products/*. Multiple commands in the Browser and Products categories (ChromiumHistoryCommand, FirefoxHistoryCommand, InternetExplorerTypedURLsCommand, PuttySessionsCommand, etc.) extract and display sensitive user data including browsing history, saved credentials, and session information. This data could expose authentication tokens, API keys, or sensitive URLs. Fix: Implement output filtering for sensitive data patterns (URLs, IPs, credentials). Add warnings when sensitive data is collected. Consider implementing data masking or truncation for credentials in output. Document the sensitivity of collected data.
• High · Unrestricted File System Access via DirectoryListCommand and InterestingFilesCommand — Seatbelt/Commands/Misc/DirectoryListCommand.cs, Seatbelt/Commands/Misc/InterestingFilesCommand.cs. DirectoryListCommand and InterestingFilesCommand allow arbitrary file system enumeration and reading. These commands could be exploited to access restricted files, configuration files containing credentials, or other sensitive system data without proper access control validation. Fix: Implement whitelist-based directory access controls. Validate file paths to prevent directory traversal. Add logging of all file access operations. Consider restricting access to system-critical directories. Implement role-based access controls.
• High · Credential Extraction from Multiple Applications — Seatbelt/Commands/Products/KeePass.cs, FileZillaCommand.cs, PuttySessionsCommand.cs, OracleSQLDeveloperCommand.cs, RemoteDesktopConnectionManagerCommand.cs. Multiple product-specific commands (KeePass, FileZilla, PuttySessionsCommand, OracleSQLDeveloperCommand, RemoteDesktopConnectionManagerCommand) extract and display credentials stored by third-party applications. This could expose plaintext or weakly encrypted passwords. Fix: Implement encryption for any extracted credentials in memory and at rest. Add warnings when credentials are extracted. Consider implementing a secure credential storage mechanism. Log all credential extraction attempts. Implement access controls restricting who can run these commands.
• Medium · Registry Access Without Validation — Seatbelt/Commands/Windows/AuditPolicyRegistryCommand.cs, Seatbelt/Commands/Windows/LocalGPOCommand.cs, Seatbelt/Commands/Products/*. Multiple commands access Windows Registry (AuditPolicyRegistryCommand, LocalGPOCommand, and implicit registry access in product commands). Registry access could expose sensitive system configuration, group policies, and stored credentials without proper validation of registry paths. Fix: Implement registry path whitelisting to restrict access to sensitive registry keys. Add access control checks before registry operations. Log all registry access attempts. Handle registry access exceptions gracefully to prevent information disclosure.
• Medium · WMI Query Execution Without Input Validation — Seatbelt/Commands/Windows/EventLogs/*, Seatbelt/Commands/Windows/*Command.cs. Multiple commands execute WMI queries (evident from Windows event log and system commands). WMI query injection could occur if user input is not properly sanitized before being included in WMI queries. Fix: Use parameterized WMI queries instead of string concatenation. Implement strict input validation for any user-supplied parameters. Use WMI connection options that enforce security. Implement timeout mechanisms for WMI queries to prevent DoS.
• Medium · Event Log Access Without Proper Authorization Checks — Seatbelt/Commands/Windows/EventLogs/*Command.cs. EventLog commands (LogonEventsCommand, PowerShellEventsCommand, ProcessCreationEventsCommand, SysmonEventsCommand) access Windows Event Logs without documented authorization checks. Sensitive event logs may be accessible to unprivileged users. Fix: Implement proper privilege level checks before accessing event logs. Document required permissions for each command. Implement audit logging for event log access. Consider implementing role-based access controls per event log type.
• Medium · Potential Information Disclosure via Error Messages — Seatbelt/. The presence of generic exception handling throughout the codebase (implied by CommandBase.cs and multiple command implementations) could result in detailed error messages being displayed to users, potentially disclosing sensitive system information. Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.