Mephit
← All documentation
DOCS · CHAT

Chat & slash commands

The interactive console — composer affordances, mentions, and every slash command in the catalogue.

01

How a turn is processed

Every message you send goes through the same pipeline:

  • Slash-command parsing. If your message starts with or contains /<cmd>, the matching skill is activated immediately — no router guess.
  • Router pass. Otherwise the router scores all skills against your prompt and picks the top few that get their tools wired in for this turn.
  • Tool execution. Activated tools run in parallel — passive DNS, breach lookups, sandbox queries, mindmap renderers, etc. Each one is a real network call.
  • Synthesis. Findings are streamed back as short prose, structured cards, and code blocks where useful.

Conversations are auto-titled after the second turn and stored against your account so you can resume them.

02

Composer affordances

Slash picker

Type / to open the picker. Filter by typing, confirm with . The picker shows the label, description, and an example for every command.

Server mentions

Type @ to open the registered-server picker. Selecting one inserts @<name>as an unambiguous target — the model will not ask “which server?” when a mention is present.

Multiple commands in one message

You can chain commands. /scan /checkleak acme.com runs both on the same target. The model interprets each one and merges the answer.

Recall
Press in an empty composer to recall and edit your last message. Press Esc to cancel a streaming response.
03

Slash command catalogue

Single source of truth for what each command does and what argument it expects. Generated directly from SLASH_COMMANDS in packages/ai/src/slash-commands.ts.

Flows· 6
  • /flow-perimeterFlow · Perimeter auditskill: flows

    Full external attack surface — domain → subdomains → IPs → ports → services → certs → fingerprints.

    expects: domain /flow-perimeter acme.com
  • /flow-leaksFlow · Leak auditskill: flows

    Sweep breach indices, paste sites, and code hosts for credentials and tokens tied to a domain or brand.

    expects: domain /flow-leaks acme.com
  • /flow-squatFlow · Typosquat watchskill: flows

    Generate lookalike-domain set, resolve each, score for live phishing infrastructure, draft takedown packets.

    expects: domain /flow-squat acme.com
  • /flow-vulnsFlow · Vuln sweepskill: flows

    Match recent CVEs against the detected stack on the target. Sorted by exploitability × severity.

    expects: domain (or stack tags) /flow-vulns acme.com
  • /flow-kickoffFlow · Engagement kickoffskill: flows

    First-hour brief — perimeter + leak audit + light typosquat + draft threat model. Run it after creating a project.

    expects: domain /flow-kickoff acme.com
  • /flow-iocFlow · IOC triageskill: flows

    Indicator → impact in one pass: reputation, sandbox, passive-DNS pivot, ASN/cert correlation, incident packet.

    expects: IP, hash, URL, or domain /flow-ioc 1.1.1.1
Recon· 1
  • /scanRecon scanskill: recon

    Map a target — IPs, ports, services, subdomains, technology fingerprint.

    expects: domain or IP /scan acme.com
Intel· 4
  • /checkleakBreach / leak checkskill: intel-breach

    Search dark-web breaches and HIBP for an email or domain.

    expects: email or domain /checkleak [email protected]
  • /cveCVE lookupskill: intel-vuln

    Resolve a CVE ID — CVSS, vendor advisories, exploits.

    expects: CVE-YYYY-NNNNN /cve CVE-2024-3094
  • /threatThreat intelskill: intel-threats

    Reputation lookup — VirusTotal, AbuseIPDB, GreyNoise, urlscan.

    expects: IP, hash, URL, or domain /threat 1.2.3.4
  • /brandBrand OSINTskill: brand-osint

    Extract a site's logos, color palette, and brand identity.

    expects: URL /brand https://stripe.com
Offensive· 5
  • /payloadGenerate payloadskill: offensive

    Reverse / bind shells, msfvenom, web shells.

    expects: type + LHOST/LPORT (optional) /payload reverse_shell lhost=1.2.3.5 lport=4444
  • /ctfCTF web triageskill: ctf-web

    Approach a CTF web challenge — recon, vuln triage, exploit.

    expects: URL /ctf http://1.2.3.6/login
  • /postPost-exploit guidanceskill: post-exploit

    Privesc, lateral movement, persistence, AD attacks.

    expects: context (Linux/Windows/AD details) /post i have a shell as www-data on debian
  • /revReverse engineeringskill: reverse-eng

    Static / dynamic binary analysis — Ghidra, GDB, radare2.

    expects: paste disassembly or describe the binary /rev pasted Ghidra decompilation here
  • /runRun on serverskill: remote-exec

    Propose a command for one of your registered SSH servers. Combine with @<server>.

    expects: @server + command /run @kali-docker df -h
Defensive· 2
  • /sigmaSigma / detection ruleskill: blue-team

    Generate a Sigma / KQL / SPL detection rule for a TTP or pasted log.

    expects: technique or pasted log /sigma LSASS access via WinAPI
  • /huntThreat hunt queryskill: blue-team

    Hunt query for credential dumping, lateral movement, C2.

    expects: TTP description /hunt unusual outbound DNS volume per host
Crypto· 1
  • /decodeHash / cipher IDskill: crypto

    Identify a hash (md5/sha*/bcrypt) or decode common encodings.

    expects: hash, base64, or hex blob /decode 5f4dcc3b5aa765d61d8327deb882cf99
Meta & reporting· 5
  • /mindmapMindmapskill: threat-model

    Generate a Mermaid mindmap (center node + radial branches) for a topic.

    expects: topic to map /mindmap web app pentest checklist
  • /diagramDiagramskill: threat-model

    Render a Mermaid diagram — flowchart, sequence, kill chain, DFD.

    expects: what to diagram /diagram OAuth2 PKCE flow
  • /cvssCVSS scoreskill: reporting

    Compute a CVSS v3.1 vector + score from a description.

    expects: vulnerability description /cvss SQL injection in /api/login
  • /reportPentest findingskill: reporting

    Draft a vulnerability finding — title, impact, repro, remediation.

    expects: finding details /report XSS reflected in search param
  • /threatmodelThreat modelskill: threat-model

    STRIDE / PASTA / attack-tree analysis of a system.

    expects: system description /threatmodel SaaS app with public API + mobile clients
04

Output blocks you'll see

  • Prose — short, dense paragraphs. No disclaimers, no padding.
  • Findings cards — labelled key/value rows for recon, intel, breach hits, etc., with severity dots.
  • Code blocks — payloads, queries, Sigma / KQL / SPL rules, JSON samples. Always copy-paste-ready.
  • Command cards — when the remote-exec skill is involved, the model emits a card you click to run on a registered server.
  • Mermaid diagrams — mindmaps, flowcharts, kill chains, DFDs from /mindmap and /diagram.
05

A worked example

Sample turn: combining recon and breach intel on one message.

prompt
copy
/scan /checkleak acme.com

Two skills activate. Recon enumerates subdomains, ports, and stack fingerprint; intel-breach checks paste indices and known breach sources. The reply weaves both into a single answer with separate findings cards and a closing recommendation.