Kali Linux 2026.2 just made AI assisted pentesting the default, and almost nobody is asking the right questions about privacy and exposure yet…
Nine new tools shipped this week, and two of them point to the same privacy and sovereignty problem from different angles. shell-gpt turns natural language prompts into shell commands, code, and documentation inside the terminal. tookie-osint scans social media platforms to surface every account tied to a username. Both now ship by default in the world's most widely used pentesting distribution, and both quietly export exposure to places the tester doesn't control.
shell-gpt sends prompts to OpenAI's API by default. Target hostnames, internal paths, log snippets, and engagement details leave the tester's environment the moment someone types a question. Local models through Ollama exist, but they're not the default, and most testers will never switch. Engagement data ends up handed to a public LLM as a side effect of working faster.
That same tool lowers the skill floor for generating working commands, which means the population of vibe pentesters and vibe red teamers, people prompting an AI for the next step rather than understanding the technique, is about to grow fast. A default Kali install puts that capability in front of every tester, whether or not they have the judgment to know when a generated command is dangerous or leaking data it shouldn't.