Hey HN, I've been building Spectator for the past year — a purpose-built scripting language for pentesters, red teamers, and security researchers.

Why another language?

Most security work is a mix of Bash, Python, and random tools glued together. Spectator unifies that: one language with built-in security modules, a native GUI framework, and a package manager — all compiled into a single binary.

What makes it different:

- High-level syntax — Python-like, f-strings, closures, goroutines (spawn). Recon scripts in 5 lines.
- Built-in hacking modules — PortScan, SubdomainEnum, SQLiTest, PayloadGen, CORS/SSRF, HTTP fuzzing, crypto, encoding. No pip installs.
- Native GUI framework (#Import Spec.GUI) — Desktop tools without Electron. Inputs, tables, tabs, output. Windows (WebView2), Linux (WebKitGTK), macOS (WKWebView).
- Space package manager — Libraries like coffee (recon) and ghost (OSINT) are SHA-256 verified. Blocks supply-chain attacks.
- Mission engine — Pentest workflow with HTML report generation.
- Cross-compilation — spectator build script.str to app.exe for windows = standalone binaries.

Example — GUI port scanner (complete tool):

```spectator
#Import Spec.GUI
open.window({"title": "Port Scanner", "bg": "#070b14", "accent": "#00d4aa"})
GUI.input("target", "Enter target...")
GUI.button("Scan", "run_scan")
GUI.progress("bar")
GUI.output("out", {"height": 380})

GUI.on("run_scan", func() {
    target = GUI.get("target")
    GUI.print("out", "Scanning " + target)
    ports = [21,22,23,80,443,3306,8080]
    each p : ports {
        if hasPort(target, p) {
            GUI.print("out", "OPEN " + str(p))
        }
    }
})
end()
```

Current state:

- v2.0.0 — stable CLI/TUI across Windows, Linux, macOS
- GUI fully functional on Windows; Linux/macOS GUI works (WebKit vs WebView2 differences)
- ~177 built-in functions, written in Go
- Space registry live, anyone can publish

What I'd love feedback on:

- Does the syntax feel intuitive? (string concat --> is unusual but I like it)
- GUI approach — native desktop vs web-based?
- Package manager security — SHA-256 verification enough?
- What modules would make you actually use this?

I know the security tooling space is crowded, but there's room for a language built for this domain rather than adapted.

GitHub: https://github.com/CzaxStudio/Spectator
Docs: https://github.com/CzaxStudio/SpectatorDocs/

Appreciate any thoughts, criticism, or wild ideas.