You are right, this is what I did in my first version, but it failed terribly due to context length issues and the fact that SPA applications work by loading JS code, etc.
Currently, for the backend, tools like Nmap, Dirsearch, ZAP, etc., are employed. When a user asks specific queries like 'Check all open ports in my web app,' 'Check security headers of my app,' or simply 'Find all vulnerabilities in my web app,' it writes commands for the above tools, executes them, and provides the answer. This mix-and-match of tools using simple words allows users to create custom workflows that may run weekly, monthly, or fortnightly.
Currently, for the backend, tools like Nmap, Dirsearch, ZAP, etc., are employed. When a user asks specific queries like 'Check all open ports in my web app,' 'Check security headers of my app,' or simply 'Find all vulnerabilities in my web app,' it writes commands for the above tools, executes them, and provides the answer. This mix-and-match of tools using simple words allows users to create custom workflows that may run weekly, monthly, or fortnightly.