Show HN: Spectator – A programming language for cybersecurity and hacking
Hey HN,
I've been building Spectator for the past year, a purpose-built scripting language for pentesters, red teamers, and security researchers.
Why another language?
Most security work is a mix of Bash, Python, and random tools glued together. Spectator unifies that: one language with built-in security modules, a native GUI framework, and a package manager, all compiled into a single binary.
What makes it different:
- High-level syntax: Python-like, f-strings, closures, goroutines (spawn). Recon scripts in 5 lines.
- Built-in hacking modules: PortScan, SubdomainEnum, SQLiTest, PayloadGen, CORS/SSRF, HTTP fuzzing, crypto, encoding. No pip installs.
- Native GUI framework (#Import Spec.GUI): desktop tools without Electron. Inputs, tables, tabs, output. Windows (WebView2), Linux (WebKitGTK), macOS (WKWebView).
- Space package manager: libraries like coffee (recon) and ghost (OSINT) are SHA-256 verified. Blocks supply-chain attacks.
- Mission engine: pentest workflow with HTML report generation.
- Cross-compilation: spectator build script.str to app.exe for Windows = standalone binaries.
Example, a GUI port scanner (complete tool):
```plaintext
#Import Spec.GUI
open.window({"title": "Port Scanner", "bg": "#070b14", "accent": "#00d4aa"})
GUI.input("target", "Enter target...")
GUI.button("Scan", "run_scan")
GUI.progress("bar")
GUI.output("out", {"height": 380})
GUI.on("run_scan", func() {
    target = GUI.get("target")
    GUI.print("out", "Scanning " + target)
    ports = [21, 22, 23, 80, 443, 3306, 8080]
    each p : ports {
        if hasPort(target, p) {
            GUI.print("out", "OPEN " + str(p))
        }
    }
})
end()
```
Current state:
- v2.0.0: stable CLI/TUI across Windows, Linux, macOS
- GUI fully functional on Windows; Linux/macOS GUI works (WebKit vs WebView2 differences)
- ~177 built-in functions, written in Go
- Space registry live, anyone can publish
What I'd love feedback on:
- Does the syntax feel intuitive? (string concat --> is unusual but I like it)
- GUI approach: native desktop vs web-based?
- Package manager security: is SHA-256 verification enough?
- What modules would make you actually use this?
I know the security tooling space is crowded, but there's room for a language built for this domain rather than adapted.
GitHub: [https://github.com/CzaxStudio/Spectator](https://github.com/CzaxStudio/Spectator)
Docs: [https://github.com/CzaxStudio/SpectatorDocs/](https://github.com/CzaxStudio/SpectatorDocs/)
Appreciate any thoughts, criticism, or wild ideas.
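On the question of whether SHA-256 verification is enough for the Space package manager: a digest pin only proves that the bytes you downloaded are the bytes someone told you to expect. If that expected digest arrives over the same channel as the archive (for example, served by the registry itself), a compromised registry or tampered download path can ship a malicious archive together with a digest that matches it, and the check passes. The usual fix is to have the digest live inside a manifest that is signed by a key the client already trusts, so the client verifies the signature first and only then trusts the digest. The following Go program is an added illustration written for this post; it is not Spectator's or Space's own code, and the `Manifest` struct, the canonical manifest byte layout and the "coffee 1.0.0" archive bytes are all constructed assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical lockfile/registry entry (not Space's real format):
// package name, version, and the SHA-256 digest the client expects.
type Manifest struct {
	Name    string
	Version string
	Sha256  string // lowercase hex
}

// manifestBytes is the canonical byte form that the maintainer signs.
func manifestBytes(m Manifest) []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + m.Sha256 + "\n")
}

// VerifyDigest checks a downloaded archive against a pinned SHA-256 digest.
func VerifyDigest(archive []byte, pinnedHex string) error {
	want, err := hex.DecodeString(pinnedHex)
	if err != nil || len(want) != sha256.Size {
		return errors.New("pinned digest is not a valid SHA-256 hex string")
	}
	got := sha256.Sum256(archive)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("digest mismatch: got %x", got)
	}
	return nil
}

// VerifySignedManifest checks that the manifest was signed by a trusted
// maintainer key before the digest inside it is trusted at all.
func VerifySignedManifest(m Manifest, sig []byte, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, manifestBytes(m), sig) {
		return errors.New("manifest signature invalid")
	}
	return nil
}

// InstallCheck is the full gate: signature over the manifest first, then the
// archive digest. Both must pass before anything is installed.
func InstallCheck(m Manifest, sig []byte, pub ed25519.PublicKey, archive []byte) error {
	if err := VerifySignedManifest(m, sig, pub); err != nil {
		return err
	}
	return VerifyDigest(archive, m.Sha256)
}

// Demo runs a constructed scenario: a maintainer signs a manifest for a genuine
// archive; then a tampered archive is offered with a freshly computed digest.
// It reports whether the genuine install passes, whether the tampered one is
// rejected by the signed gate, and whether a digest-only check would be fooled.
func Demo() (genuineOK, tamperedRejected, digestOnlyFooled bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	genuine := []byte("constructed genuine archive bytes for coffee 1.0.0")
	sum := sha256.Sum256(genuine)
	m := Manifest{Name: "coffee", Version: "1.0.0", Sha256: hex.EncodeToString(sum[:])}
	sig := ed25519.Sign(priv, manifestBytes(m))

	genuineOK = InstallCheck(m, sig, pub, genuine) == nil

	// A tampered archive served with a digest that matches it (as a compromised
	// registry could do), but without a valid signature over the altered manifest.
	tampered := []byte("constructed tampered archive bytes")
	tsum := sha256.Sum256(tampered)
	tm := m
	tm.Sha256 = hex.EncodeToString(tsum[:])
	tamperedRejected = InstallCheck(tm, sig, pub, tampered) != nil

	// A digest-only check has nothing to anchor the digest to and accepts it.
	digestOnlyFooled = VerifyDigest(tampered, tm.Sha256) == nil
	return
}

func main() {
	g, t, d, err := Demo()
	fmt.Println("genuine ok:", g, "tampered rejected:", t, "digest-only fooled:", d, "err:", err)
}
```

The design point is where the digest comes from, not the hash function: SHA-256 itself is fine, but a digest that the client learns from the untrusted side of the connection only detects accidental corruption. Pinning digests in a lockfile the user controls, or signing the manifest with a maintainer key distributed out of band, is what turns the check into a supply-chain control.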