📦 Web Security Penetration Test
v1.0.0
Automates web security penetration testing by performing reconnaissance, vulnerability scanning, exploitation, and generating detailed compliance reports.
0 · 33 · 0 current · 0 total
Security Scan
OpenClaw
Security
Medium confidence: The skill's files, instructions, and payloads are consistent with a web penetration-testing toolkit; it requests no unrelated credentials or install-time downloads, but it contains destructive/exfiltrative payloads and examples that require careful, authorized use.
Assessment recommendations
This package is coherent with a penetration-testing toolkit, but it includes explicit attack payloads (reverse shells, exfiltration examples, cloud metadata access) that can be destructive or leak data. Only run this skill against systems you are authorized to test. Before installing or running: review and edit config.yaml scope/exclusions; remove or blank any webhook/Jira/SMTP/GitHub tokens if you don't intend to integrate; enable safe defaults (e.g., verify_ssl: true, lower concurrency); do no...
✓ Purpose and capabilities
Name/description match the contents: scripts for reconnaissance, vulnerability scanning, exploitation, and reporting are present along with payload corpuses and configuration files. Required system tools listed (nmap, sqlmap, nikto, gobuster, etc.) are appropriate for the stated purpose and there are no unrelated environment variables or external cloud credentials declared.
ℹ Instruction scope
SKILL.md instructs the agent to run scanning and exploitation scripts (e.g., run full_pentest, sql_injection_test, generate reports). That scope is appropriate for a pentest skill, but the instructions and bundled payload files include explicit destructive payloads (reverse shells, curl/wget to attacker hosts, payloads that exfiltrate cookies or cloud metadata). These behaviors are expected for a pentesting tool but are high-risk if run against unauthorized targets or on the host running the agent.
✓ Install mechanism
No remote install spec is included (instruction-only install/copy into skills directory). There are no downloads from arbitrary URLs or archive extraction steps in an installer. The code bundle is present in the repository, so installation is a local copy and dependency installation via pip/apt/brew as documented; that is proportionate and transparent.
✓ Credential requirements
The registry metadata declares no required env vars or primary credential. The repo/config contain optional integration fields (Slack webhook, SMTP, Jira/GitHub tokens) but these are empty by default and not required. No unrelated cloud or system credentials are demanded at install-time.
✓ Persistence and permissions
always: false, and the skill does not request elevated platform privileges. Model invocation is allowed (the default), which is normal; because the skill can run powerful scans and exploitation scripts, users should be careful about autonomous invocation in production agents, but autonomy alone is not an incoherence here.
⚠ config/config.yaml:309
Install source points to URL shortener or raw IP.
Security is a matter of degree; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/17
security, pentest, web, owasp, vulnerability
● Suspicious
Install command
Official: npx clawhub@latest install web-security-pentest-skill-complete
Mirror (accelerated): npx clawhub@latest install web-security-pentest-skill-complete --registry https://cn.longxiaskill.com