← Back to Skills Marketplace
132
Downloads
1
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install pentest-workbench
Description
Comprehensive offensive security workflow for bug bounty, vulnerability assessment, penetration testing, and exploitation. Use when performing security testi...
Usage Guidance
This skill is an offensive-security reference and includes scripts that will actively scan and fuzz network targets and detailed exploit/privesc recipes. That is coherent with its stated purpose but high-risk if used on systems you do not own or without authorization. Before installing or invoking: 1) Confirm legal authorization and a defined scope for testing. 2) Review/limit agent/network permissions — running the skill will call tools like nmap and may contact remote hosts. 3) Ensure required tools (nmap, msfvenom, sqlmap, python) are installed on the host — the manifest does not declare them. 4) Consider running scripts manually in a controlled lab, and avoid allowing autonomous agent invocation against production networks. 5) Note the package source is unknown (no homepage); if provenance matters, obtain a vetted copy from a known repository or author.
Capability Analysis
Type: OpenClaw Skill
Name: pentest-workbench
Version: 1.0.0
The 'pentest-workbench' skill provides a comprehensive suite of offensive security tools and documentation for reconnaissance, fuzzing, and exploitation. While the behavior is aligned with its stated purpose, it includes high-risk capabilities such as automated network scanning (scripts/pentest-recon.sh) and protocol fuzzing (scripts/vulnserver-fuzz.py). The reconnaissance script is vulnerable to shell injection because it fails to sanitize the target input before passing it to nmap. Additionally, the documentation in the references/ directory provides actionable instructions for buffer overflows and privilege escalation (GTFOBins/LOLBAS), which are high-risk activities.
Capability Assessment
Purpose & Capability
The name/description match the provided content: recon, vuln analysis, exploit dev, and privesc guidance. However the skill's metadata lists no required binaries while the SKILL.md and scripts clearly assume many external tools are present (nmap, msfvenom, sqlmap, netcat, etc.). Also the package has no homepage or known source — provenance is unknown and should be considered.
Instruction Scope
SKILL.md explicitly instructs active network scanning, fuzzing, exploitation, privilege escalation, and persistence techniques. Those actions are coherent for a pentest skill, but they are inherently destructive and broad: the top guidance relies on user-supplied scope yet the skill also lists many trigger phrases (e.g., 'exploit this', 'run a pentest') that could encourage use outside authorized scope. The included scripts (nmap scans writing to /tmp, a fuzzing socket tool) will perform network activity if run. There are no instructions that read unrelated local secrets, but there are explicit instructions for extracting credentials (Mimikatz/LaZagne) and modifying target systems — expected for the purpose but high-risk if misapplied.
Install Mechanism
No install spec is present (instruction-only + two small scripts). No network download/install steps are embedded. The absence of an install phase reduces supply‑chain risk, but bundled scripts will run local binaries when executed.
Credentials
The skill declares no required environment variables or credentials, which aligns with the provided artifacts. The content references attacker-controlled LHOST/LPORT values and credentials/tools that pentesters commonly use, but those are not requested from the host environment by the skill itself. No unrelated secrets or system config paths are requested by the skill manifest.
Persistence & Privilege
always:false and no special privileges or modifications of other skills/system settings are requested. The SKILL.md discusses persistence techniques for targets (scheduled tasks, SSH keys), which is appropriate for a pentest reference but unrelated to the skill's own installation or privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install pentest-workbench - After installation, invoke the skill by name or use
/pentest-workbench - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: buffer overflow, privesc, recon, tools catalog
Metadata
Frequently Asked Questions
What is Pentest Workbench?
Comprehensive offensive security workflow for bug bounty, vulnerability assessment, penetration testing, and exploitation. Use when performing security testi... It is an AI Agent Skill for Claude Code / OpenClaw, with 132 downloads so far.
How do I install Pentest Workbench?
Run "/install pentest-workbench" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Pentest Workbench free?
Yes, Pentest Workbench is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Pentest Workbench support?
Pentest Workbench is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Pentest Workbench?
It is built and maintained by mamuaminu (@mamuaminu); the current version is v1.0.0.
More Skills