← Back to Skills Marketplace

Web Shells

Name: Web Shells
Author: pandaai-1337

by PandaAI-1337 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

124

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install web-shells

Description

Provides diverse web shell samples in PHP, ASP, ASPX, JSP, Python, and Perl for detection, malware analysis, and security testing under authorized conditions.

Usage Guidance

This skill is coherent for security research: it bundles many real web‑shell samples intended for detection and testing. That also means the files are inherently malicious if executed. Before installing or using it: (1) only use in authorized, legal contexts; (2) open and inspect files before running anything; (3) perform analysis in an isolated environment (air‑gapped VM, container, or sandbox) that you can destroy afterward; (4) never run samples on production or connected networks; (5) if uncertain about provenance, prefer to obtain the original SecLists repository directly from GitHub; and (6) ensure you have written authorization for any testing against third‑party systems.

Capability Analysis

Type: OpenClaw Skill Name: web-shells Version: 1.0.0 This skill bundle contains a large collection of functional web shells, backdoors, and exploit samples (e.g., PHP, ASPX, JSP, and ColdFusion shells) sourced from the SecLists repository for security research and detection testing. Key files include 'shell.cfm.html', which contains logic to extract and decrypt database credentials, and 'cmd.sh', a functional CGI-based command execution shell. While the stated purpose is research and the SKILL.md does not contain prompt injection or instructions to harm the host, the presence of ready-to-deploy malware and a 'vulnerable' Vtiger extension (references/Web-Shells/Vtiger/) represents a high-risk 'dual-use' capability that could be easily repurposed for malicious activity.

Capability Assessment

✓ Purpose & Capability

Name/description match the packaged content: the skill contains many web‑shell samples (PHP, ASP/ASPX, JSP, Python, Perl, shell scripts) and the SKILL.md states the SecLists/Web‑Shells source. The registry metadata lists 'Source: unknown' while the SKILL.md points to the SecLists repo (minor metadata inconsistency), but the requested resources and files are proportionate to the stated purpose.

✓ Instruction Scope

The SKILL.md instructs the agent to read/list files from the skill path and includes an example that reads files locally. It explicitly warns about authorized use. The instructions do not direct the agent to execute the shells, collect unrelated system data, or transmit content to external endpoints — they stay within the stated analysis/detection scope.

ℹ Install Mechanism

No install spec (instruction‑only) — lowest installer risk. Note: the skill includes executable sample scripts (sh, war, JSP, etc.). Although there is no automatic install, those files, if executed by a user or agent, perform command execution, file upload, or filesystem access — so the shipped artifacts are dangerous when run.

✓ Credentials

The skill does not request environment variables, credentials, or config paths. That is proportionate. However several included samples reference system paths (/tmp, C:\, etc.) and contain command execution primitives (cfexecute, eval, dd, shell execution). Those are expected in web‑shell samples but are hazardous if executed on a host.

✓ Persistence & Privilege

No elevated persistence requested. always: false and default autonomous invocation are set (normal). The skill does not attempt to modify other skills or system agent configuration.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install web-shells
After installation, invoke the skill by name or use /web-shells
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- Initial release of the SecLists Web-Shells skill. - Provides sample web shells in PHP, ASP, ASPX, JSP, Python, and Perl for detection and analysis. - Intended for security research, detection system testing, malware analysis, and educational purposes. - Includes guidelines for responsible and authorized use only.

Metadata

Slug web-shells

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Web Shells?

Provides diverse web shell samples in PHP, ASP, ASPX, JSP, Python, and Perl for detection, malware analysis, and security testing under authorized conditions. It is an AI Agent Skill for Claude Code / OpenClaw, with 124 downloads so far.

How do I install Web Shells?

Run "/install web-shells" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Web Shells free?

Yes, Web Shells is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Web Shells support?

Web Shells is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Web Shells?

It is built and maintained by PandaAI-1337 (@pandaai-1337); the current version is v1.0.0.

More Skills