snipercat69

Xss Scanner

by snipercat69 · GitHub ↗ · v1.4.0 · MIT-0
cross-platform ✓ Security Clean
133
Downloads
0
Stars
0
Active Installs
5
Versions
Install in OpenClaw
/install edgeiq-xss-scanner
Description
Scans web apps for reflected and DOM-based XSS using 24+ payloads across 6 contexts, with crawl and concurrency support for authorized security audits.
README (SKILL.md)

EdgeIQ XSS Scanner

Version: 1.2.0
Skill Name: xss-scanner
Category: Security / Offensive / Auditing
Author: EdgeIQ Labs
License: Defensive Use Only
OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Windows + macOS


What It Does

Professional-grade XSS vulnerability scanner for authorized security auditing. Scans web applications for reflected XSS, DOM-based XSS, stored/persistent XSS (via blind callback), and WAF-bypass variants. Designed for penetration testers, bug bounty researchers, and security teams with explicit written authorization.

⚠️ Legal Notice: Only scan targets you own or have explicit written permission to audit. Unauthorized scanning is illegal and strictly prohibited. This tool is for defensive security professionals.


Pricing

Both purchase options, Lifetime ($39) and Optional Monthly ($7/mo), cover the same feature set:

  • All scanner features
  • Blind XSS detection
  • Screenshot evidence capture
  • HTML report export
  • Reflected params deep analysis
  • Scheduled recurring scans
  • Alert delivery (Discord/Telegram/Email)
  • Priority support
  • Core reflected XSS scan (40+ payloads)
  • Crawl mode + BFS depth
  • JSON report export
  • HTTP security header analysis
  • WAF detection + auto-bypass
  • Custom headers, cookies, auth
  • Proxy support
  • Rate limiting control
  • --quiet mode + exit codes

Lifetime License: $39 — your tool forever, all Pro features included permanently.

Optional Monthly: $7/mo — for those who prefer recurring billing (cancel anytime).

👉 Buy Lifetime — $39   👉 Subscribe Monthly — $7/mo


Feature Tiers at a Glance

Free and Lifetime ($39):

  • Core reflected XSS scan (40+ payloads)
  • Crawl mode + BFS depth
  • JSON report export
  • HTTP security header analysis
  • WAF detection + auto-bypass
  • Custom headers, cookies, auth
  • Proxy support
  • Rate limiting control
  • --quiet mode + exit codes

Lifetime ($39) only:

  • Blind XSS detection (--blind-callback)
  • Screenshot evidence capture (--screenshot-dir)
  • HTML report export (--format html)
  • Reflected params deep analysis
  • Scheduled recurring scans
  • Alert delivery (Discord/Telegram/Email)
  • Priority support

All Pro features are now included in the Lifetime License. The Lifetime purchase gives you permanent access to everything previously locked behind Pro/Bundle tiers.


What's New in v2

Features in v2 (Free / Lifetime $39 availability as in the Feature Tiers table above):

  • Core reflected XSS scan
  • 40+ payloads (incl. WAF bypass)
  • 7 injection context modes
  • Crawl mode with BFS depth
  • JSON + HTML report export
  • HTTP security header analysis (CSP, XFO, HSTS…)
  • WAF detection + auto-bypass payload switching
  • Custom headers, cookies, auth
  • Proxy support (stealth scanning)
  • Rate limiting control
  • Blind XSS detection (callback mode)
  • Reflected params analysis
  • Screenshot evidence capture
  • --quiet mode + exit codes (CI/CD)
  • Scheduled recurring scans
  • Alert delivery (Discord / Telegram / Email)
  • Priority support

Installation

# Standalone usage
python3 /home/guy/.openclaw/workspace/apps/xss-scanner/scanner.py <target>

# As OpenClaw command (in any channel):
!xss https://example.com
!xss https://example.com --depth 3 --workers 20

Quick Start

Basic Scan

python3 scanner.py https://example.com

Verbose / Full Crawl

python3 scanner.py https://example.com --depth 2 --max-urls 30

With Proxy (Burp Suite / OWASP ZAP)

python3 scanner.py https://example.com --proxy http://127.0.0.1:8080 --quiet

Authenticated Scan

python3 scanner.py https://example.com --auth admin:secret --cookies "session=abc123"

Blind XSS (stored/persistent XSS detection)

python3 scanner.py https://example.com --blind-callback https://your-callback.com/log

Security Headers Audit

python3 scanner.py https://example.com --analyze-headers --format json --out report.json

Export HTML Report

python3 scanner.py https://example.com --format html --out xss-report.html

Automation / CI-CD (exit codes + quiet mode)

python3 scanner.py https://example.com --quiet --format json -o result.json
echo "Exit code: $?"   # 0=safe, 1=vulns found, 2=error, 3=interrupted

Command Reference

Positional Arguments

Argument Description
url Target URL (auto-adds https:// if missing)

Core Options

Flag Type Default Description
--depth int 2 Crawl depth (BFS link discovery)
--max-urls int 20 Maximum URLs to scan before stopping
--workers int 15 Concurrent threads for payload testing
--format choice discord Output format: discord, json, html, simple
--follow-external flag False Follow links to external domains
--quiet, -q flag False Suppress progress output
--out, -o path Write output to file

Network Options

Flag Type Description
--proxy URL HTTP/S proxy (e.g. http://127.0.0.1:8080 for Burp/ZAP)
--user-agent string Custom User-Agent string
--auth user:pass Basic HTTP authentication
--cookies string Cookie string (name=value; name2=value2)
--custom-header HDR Add custom header (Name: value) — repeatable
--timeout float Request timeout in seconds (default: 15)
--rate-limit float Minimum seconds between requests (stays under the target's rate limit and avoids triggering blocks)

Advanced Options

Flag Type Description
--blind-callback URL Blind XSS callback URL for stored XSS detection
--analyze-headers flag Analyze HTTP security headers (CSP, X-Frame-Options, HSTS…)
--reflected-only flag Map reflected params without sending payloads
--screenshot-dir path Directory for evidence HTML files (default: /tmp/xss-screenshots)

Exit Codes

Code Meaning
0 Scan complete — no vulnerabilities found
1 Scan complete — vulnerabilities detected
2 Scan error — target unreachable or connection failed
3 Interrupted — SIGINT/SIGTERM received

Payload Context Detection

The scanner automatically detects the injection context of each reflection and assigns severity accordingly:

Context Triggered When Severity Example
js_string Payload inside <script> or JS string Critical <script>alert(1)</script>
event_handler Payload inside on* attribute Critical onerror=alert(1)
html_attr Payload inside HTML attribute High " onmouseover=alert(1) x="
dom DOM mutation / innerHTML injection High DOM clobbering vectors
html_body Plain text reflection in HTML Medium <script>alert(1)</script>
comment Inside HTML comment <!-- --> Medium --><script>alert(1)</script>
css Inside <style> tag Medium Style-based injection
url_param URL-encoded param in URL Low ?q=<script>alert(1)</script>
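Reflection mapping and context detection, as an added worked example for this page rather than code from the EdgeIQ scanner: a random alphanumeric marker is sent with the canary `"<>` appended, every reflection in the response is located, the markup in front of it decides the context, and the characters after it show whether the canary came back raw, entity-encoded, percent-encoded or backslash-escaped. Only raw reflections (plus percent-encoded ones inside URL attributes, the url_param row) count toward the rating. The sample page, marker format, helper names and severity mapping are assumptions made for this example; the dom context is left out because it needs a browser to observe.

```python
import re
import secrets

# Severity per injection context, following the table above (dom omitted: it needs a browser).
SEVERITY = {
    "js_string": "critical", "event_handler": "critical",
    "html_attr": "high", "html_body": "medium",
    "comment": "medium", "css": "medium", "url_param": "low",
}
CANARY = '"<>'  # appended to the marker so we can see which meta-characters survive

def make_probe():
    """Random alphanumeric marker (benign, nothing for a WAF to block) plus the value to send."""
    marker = "xm" + secrets.token_hex(4)
    return marker, marker + CANARY

def inside_block(before, open_tok, close_tok):
    # True when the most recent open_tok comes after the most recent close_tok.
    low = before.lower()
    return low.rfind(open_tok) > low.rfind(close_tok)

def open_attr(tag_text):
    """Name of the attribute whose value is still open at the end of tag_text, else ''."""
    for m in re.finditer(r'([A-Za-z-]+)\s*=\s*(["\']?)', tag_text):
        rest, quote = tag_text[m.end():], m.group(2)
        if quote:
            if quote not in rest:            # quoted value never closed: we are inside it
                return m.group(1).lower()
        elif not re.search(r"\s", rest):     # unquoted value runs to the end of tag_text
            return m.group(1).lower()
    return ""

def classify_reflection(body, marker):
    """For each reflection of `marker` in `body`, return (context, encoding).

    encoding: 'raw' if CANARY came back untouched, 'html' if entity-encoded,
    'url' if percent-encoded, 'escaped' for anything else (e.g. JS backslash escapes).
    """
    results = []
    for m in re.finditer(re.escape(marker), body):
        before, after = body[:m.start()], body[m.end():m.end() + 24]
        if after.startswith(CANARY):
            enc = "raw"
        elif after.startswith("&quot;&lt;&gt;"):
            enc = "html"
        elif after.upper().startswith("%22%3C%3E"):
            enc = "url"
        else:
            enc = "escaped"
        if inside_block(before, "<script", "</script"):
            ctx = "js_string"
        elif inside_block(before, "<style", "</style"):
            ctx = "css"
        elif inside_block(before, "<!--", "-->"):
            ctx = "comment"
        elif before.rfind("<") > before.rfind(">"):      # still inside a tag
            name = open_attr(before[before.rfind("<"):])
            if name.startswith("on"):
                ctx = "event_handler"
            elif enc == "url" and name in ("href", "src", "action"):
                ctx = "url_param"
            else:
                ctx = "html_attr"
        else:
            ctx = "html_body"
        results.append((ctx, enc))
    return results

def rate(results):
    """Highest severity among exploitable reflections, or None if every reflection was neutralised."""
    order = ["critical", "high", "medium", "low"]
    found = [SEVERITY[c] for c, e in results if e == "raw" or c == "url_param"]
    return min(found, key=order.index) if found else None

def sample_page(marker):
    """Constructed response (not a real target) reflecting the probe six different ways."""
    raw = marker + CANARY
    return "\n".join([
        "<html><body>",
        f'<script>var q = "{marker}\\"\\x3c\\x3e";</script>',   # js_string, backslash-escaped
        f"<p>Results for {marker}&quot;&lt;&gt;</p>",            # html_body, entity-encoded
        f'<input value="{raw}">',                                # html_attr, raw
        f"<img src=x onerror=\"log('{raw}')\">",                 # event_handler, raw
        f'<a href="/search?q={marker}%22%3C%3E">again</a>',      # url_param, percent-encoded
        f"<!-- debug: {raw} -->",                                # comment, raw
        "</body></html>",
    ])

if __name__ == "__main__":
    marker, _probe = make_probe()
    found = classify_reflection(sample_page(marker), marker)
    for ctx, enc in found:
        print(f"{ctx:14} {enc:8} {SEVERITY[ctx]}")
    print("overall:", rate(found))
```

The marker itself carries no special characters, so the first request is indistinguishable from normal traffic; only the three canary characters reveal whether the application encodes output, and where it does, no payload needs to be sent at all.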

WAF Detection & Bypass

Automatically detects these WAFs and switches to bypass payloads:

  • Cloudflare, AWS CloudFront, Akamai, Imperva
  • Fortinet, Sucuri, F5 BIG-IP ASM, Barracuda
  • DenyAll, Cisco ACE, dotDefender, Google Cloud Armor

Bypass payloads activated automatically when WAF block patterns are detected:

  • Case mutation: <ScRipT>, <IMG SRC=x ONERROR=...>
  • Unicode escape: <script>\u0061lert(1)</script>
  • Protocol-less: //evil.com/x.js
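Detection-then-switch, as an added example (not the scanner's own signature list or payload library): each response is matched against a small set of illustrative header and body fingerprints, and once a WAF or a block status is seen, the base payloads are replaced by the three variant families listed above. The fingerprints, block statuses and the constructed responses are assumptions for this example; a real deployment needs the vendor's actual headers and block pages.

```python
import re

# Illustrative fingerprints assumed for this example (not the scanner's own signature list):
# (vendor, regex over "name: value" header lines, regex over the response body).
WAF_SIGNATURES = [
    ("Cloudflare",     r"^(server: cloudflare|cf-ray:)",                   r"attention required! \| cloudflare"),
    ("AWS CloudFront", r"^(server: cloudfront|x-amz-cf-id:)",              r"generated by cloudfront"),
    ("Akamai",         r"^server: akamaighost",                            r"reference #\d+\.[0-9a-f]+"),
    ("Imperva",        r"^(x-iinfo:|set-cookie: (incap_ses|visid_incap))", r"incapsula incident id"),
    ("Sucuri",         r"^(server: sucuri|x-sucuri-id:)",                  r"sucuri website firewall"),
    ("F5 BIG-IP ASM",  r"^set-cookie: ts[0-9a-f]{6,}=",                    r"the requested url was rejected"),
]
BLOCK_STATUSES = {403, 406, 429, 503}

def detect_waf(status, headers, body):
    """Classify one response: returns (vendor or None, blocked?)."""
    lines = "\n".join(f"{k.lower()}: {v}" for k, v in headers.items())
    blocked = status in BLOCK_STATUSES
    for vendor, header_re, body_re in WAF_SIGNATURES:
        if re.search(header_re, lines, re.M | re.I) or re.search(body_re, body, re.I):
            return vendor, blocked
    return None, blocked

def bypass_variants(payload):
    """Bypass variants of one payload in the three families listed above."""
    alt = lambda w: "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(w))
    variants = []
    # 1. Case mutation of tag and on* names: HTML is case-insensitive, naive signatures often are not.
    v = re.sub(r"<(/?)([A-Za-z]+)", lambda m: "<" + m.group(1) + alt(m.group(2)), payload)
    v = re.sub(r"\b(on[A-Za-z]+)(?==)", lambda m: alt(m.group(1)), v)
    variants.append(v)
    # 2. JS \uXXXX escapes in the sink identifier: JS resolves them in identifiers,
    #    a filter matching the literal 'alert(' does not.
    v = re.sub(r"\b(alert|prompt|confirm)\b",
               lambda m: "".join(f"\\u{ord(c):04x}" for c in m.group(1)), payload)
    if v != payload:
        variants.append(v)
    # 3. Scheme-relative external script source (filters keyed on 'http' miss it).
    if "://" in payload:
        variants.append(re.sub(r"https?://", "//", payload))
    return variants

def plan_payloads(base_payloads, first_response):
    """Choose the payload set from the first probe response: base set, or bypass variants once a WAF shows up."""
    vendor, blocked = detect_waf(*first_response)
    if vendor is None and not blocked:
        return base_payloads, vendor
    return [v for p in base_payloads for v in bypass_variants(p)], vendor

# Constructed responses for the demo (not captured from any real host).
BLOCKED_RESPONSE = (403, {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f-FRA"},
                    "<title>Attention Required! | Cloudflare</title>")
CLEAN_RESPONSE = (200, {"Server": "nginx"}, "<html>ok</html>")
BASE = ["<script>alert(1)</script>", "<img src=x onerror=alert(1)>"]

if __name__ == "__main__":
    for resp in (CLEAN_RESPONSE, BLOCKED_RESPONSE):
        payloads, vendor = plan_payloads(BASE, resp)
        print(f"status={resp[0]} waf={vendor} sending {len(payloads)} payload(s):")
        for p in payloads:
            print("  ", p)
```

Body fingerprints such as "attention required" are weaker evidence than headers (a page may simply mention the vendor), so in practice a header hit should outrank a body hit when the two disagree.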

Security Header Analysis

When --analyze-headers is used, reports on:

Header What It Checks
Content-Security-Policy unsafe-inline / unsafe-eval present?
X-Frame-Options Clickjacking protection (DENY / SAMEORIGIN)
X-Content-Type-Options MIME-sniffing disabled (nosniff)
Strict-Transport-Security HTTPS enforcement
Referrer-Policy Referrer leakage
X-XSS-Protection Legacy XSS filter (often disabled intentionally)
Permissions-Policy Browser feature restrictions
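The checks in the table, as an added example written for this page (not the scanner's --analyze-headers implementation): CSP is parsed into directives with the browser's first-occurrence rule, script-src falls back to default-src, and 'unsafe-inline' is only reported when no nonce or hash is present because browsers ignore it otherwise. X-Frame-Options is not reported when CSP frame-ancestors covers it. Severities, messages and the two constructed header sets are assumptions.

```python
import re

ONE_YEAR = 31536000  # seconds; common minimum for an HSTS max-age

def parse_csp(value):
    """Split a CSP header into {directive: [source tokens]}.

    A repeated directive keeps its first occurrence, which is what browsers do.
    """
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def analyze_headers(headers):
    """Return findings for one response as (header, severity, message) tuples."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    policy = parse_csp(csp or "")
    if csp is None:
        findings.append(("Content-Security-Policy", "medium", "missing; nothing limits injected script"))
    else:
        # script-src falls back to default-src; with neither, script loading is unrestricted.
        script_src = policy.get("script-src", policy.get("default-src"))
        if script_src is None:
            findings.append(("Content-Security-Policy", "medium", "neither script-src nor default-src set"))
        else:
            src = [s.strip("'").lower() for s in script_src]
            # A nonce or hash makes browsers ignore 'unsafe-inline' (CSP Level 2+),
            # so only flag it when none is present.
            keyed = any(s.startswith(("nonce-", "sha256-", "sha384-", "sha512-")) for s in src)
            if "unsafe-inline" in src and not keyed:
                findings.append(("Content-Security-Policy", "high", "script-src allows 'unsafe-inline'"))
            if "unsafe-eval" in src:
                findings.append(("Content-Security-Policy", "medium", "script-src allows 'unsafe-eval'"))
            if "*" in src or "http:" in src or "https:" in src:
                findings.append(("Content-Security-Policy", "high", "script-src allows scripts from any origin"))
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in policy:
        findings.append(("X-Frame-Options", "low", "missing or invalid and no CSP frame-ancestors: clickjacking possible"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "low", "missing nosniff"))
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not hsts:
        findings.append(("Strict-Transport-Security", "medium", "missing"))
    elif int(hsts.group(1)) < ONE_YEAR:
        findings.append(("Strict-Transport-Security", "low", f"max-age {hsts.group(1)} is below one year"))
    if "referrer-policy" not in h:
        findings.append(("Referrer-Policy", "low", "missing; full URLs may leak in Referer"))
    if h.get("x-xss-protection", "").strip().startswith("1"):
        findings.append(("X-XSS-Protection", "info", "legacy filter enabled; current guidance is to send 0 and rely on CSP"))
    if "permissions-policy" not in h:
        findings.append(("Permissions-Policy", "info", "missing"))
    return findings

# Constructed header sets for the demo: a weak configuration and its hardened counterpart.
WEAK = {
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        results = analyze_headers(hdrs)
        print(f"{label}: {len(results)} finding(s)")
        for name, sev, msg in results:
            print(f"  [{sev}] {name}: {msg}")
```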

Output Formats

Discord (default)

Rich embed with severity breakdown, grouped by critical/high/medium/low. Clean formatting for Discord channels.

JSON (machine-readable)

Full structured report for CI/CD pipelines, includes:

  • Scan stats + metadata
  • All vulnerabilities with severity, evidence, timestamp
  • Security header findings
  • WAF detection results
  • Reflected parameter map

HTML (shareable report)

Self-contained styled HTML file — dark theme, sortable vulnerability table, header findings, WAF info. Ready to share with clients or include in pentest deliverables.

Simple (console)

One-line-per-finding format. Good for grep/parsing.


Discord Command Usage

In any OpenClaw Discord channel:

!xss https://example.com
!xss https://example.com --depth 3 --max-urls 50 --workers 20
!xss https://example.com --follow-external --format json -o report.json
!xss https://example.com --proxy http://127.0.0.1:8080 --quiet
!xss https://example.com --blind-callback https://your-domain.com/log
!xss https://example.com --analyze-headers --format html -o report.html

Free vs Pro

Free (v1) — Included

Full-featured scanner for manual authorized auditing. Everything in this SKILL.md except the Pro-only items.

Pro ($19/mo)

  • Blind XSS detection with persistent callback monitoring
  • Scheduled recurring scans (cron-based)
  • Alert delivery to Discord, Telegram, or Email
  • Screenshot evidence capture
  • Reflected params deep analysis
  • Priority onboarding and support

Network Pro ($29/mo) (deprecated)

All features included in Lifetime purchase above.

Bundle ($39/mo) (deprecated)

All features now included in Lifetime purchase above.

Upgrade Links

Tier Link
Lifetime $39
Monthly $7/mo

Contact: [email protected]


Architecture

Component Detail
Language Python 3 (pure stdlib — no external dependencies)
Concurrency concurrent.futures.ThreadPoolExecutor for parallel payload testing
Crawl Strategy BFS with configurable depth, URL dedup, external-link filtering
HTTP Client Custom HTTPClient class with proxy, auth, cookie, custom-header support
WAF Detection Pattern-matching on response body + headers against 15+ WAF signatures
Context Detection Regex + HTML parser across 8 injection contexts
Payload Library 40+ payloads across script injection, event handlers, attribute injection, URL injection, context breakers, mutation/null-byte bypass, Unicode, DOM clobbering
Supported OS Linux/WSL, Windows, macOS
Exit Codes Full automation support (0/1/2/3)
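The crawl strategy row above (BFS, depth limit, URL dedup, external-link filtering, with the --depth, --max-urls and --follow-external knobs), as an added example rather than the scanner's own crawler. It uses the same stdlib HTMLParser approach, takes the fetch function as a parameter so it runs here against a constructed in-memory site, and records URLs at the depth limit without fetching them. The site contents and the fake_fetch helper are assumptions for the demo.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

class LinkExtractor(HTMLParser):
    """Collects href/src/action values from one page using only the stdlib parser."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)

def normalize(url):
    """Canonical form for dedup: lower-case scheme/host, drop the fragment,
    keep the query (it carries the parameters we want to test)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def crawl(start, fetch, depth=2, max_urls=20, follow_external=False):
    """BFS from `start`. `fetch(url)` returns the page body or None. Returns URLs in discovery order.

    A URL at distance `depth` is recorded but not fetched, so `depth` bounds the number of hops.
    """
    start = normalize(start)
    origin = urlsplit(start).netloc
    seen, order = {start}, []
    queue = deque([(start, 0)])
    while queue and len(order) < max_urls:
        url, dist = queue.popleft()
        order.append(url)
        if dist >= depth:
            continue
        body = fetch(url)
        if not body:
            continue
        extractor = LinkExtractor()
        extractor.feed(body)
        for raw in extractor.links:
            link = normalize(urljoin(url, raw))
            parts = urlsplit(link)
            if parts.scheme not in ("http", "https"):
                continue                      # mailto:, javascript:, data: ...
            if not follow_external and parts.netloc != origin:
                continue                      # stay on the authorised host
            if link not in seen:
                seen.add(link)
                queue.append((link, dist + 1))
    return order

# Constructed in-memory site so the crawl runs offline; replace fake_fetch with an
# HTTP client only against a target you are authorised to test.
SITE = {
    "https://app.example/": '<a href="/search?q=1">s</a> <a href="/about#top">a</a> '
                            '<script src="https://cdn.example/x.js"></script> '
                            '<a href="mailto:sec@app.example">m</a>',
    "https://app.example/search?q=1": '<a href="/search?q=2">next</a> <a href="/">home</a>',
    "https://app.example/search?q=2": '<a href="/deep">d</a>',
    "https://app.example/about": "<p>about</p>",
    "https://app.example/deep": "<p>deep</p>",
}

def fake_fetch(url):
    return SITE.get(url)

if __name__ == "__main__":
    for u in crawl("https://app.example", fake_fetch, depth=2, max_urls=20):
        print(u)
```

Keeping the query string in the dedup key means `/search?q=1` and `/search?q=2` are both scanned, which is what a reflected-XSS scanner wants; dropping the fragment avoids crawling the same page once per anchor.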

Legal & Ethical Use

This tool is for:

  • Security researchers auditing authorized bug bounty targets
  • Penetration testers assessing client applications under contract
  • Developers testing their own applications
  • Defensive security teams auditing internal infrastructure
  • Capture The Flag (CTF) participants in authorized labs

This tool must NOT be used:

  • Against targets without explicit written permission
  • On production systems without authorization
  • For any unauthorized access, enumeration, or exploitation
  • In any jurisdiction where automated vulnerability scanning is restricted

Support


🔗 More from EdgeIQ Labs

edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.

  • 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
  • 📸 Screenshot API — URL-to-screenshot API for developers
  • 🔔 uptime.check — URL uptime monitoring with alerts
  • 🛡️ headers.check — HTTP security headers analyzer

👉 Visit edgeiqlabs.com →

Usage Guidance
This package appears coherent for authorized security testing, but it contains intentionally malicious-looking XSS payloads (including ones that fetch/exfiltrate document.cookie to external domains), a blind-callback feature and a proxy loader that perform network requests. Only install/use this on targets you own or have explicit written permission to test. Before using in shared/chat environments:

  1. Review/replace any hardcoded callback domains (e.g., 'evil.com') with your own collector, or remove exfiltration-style payloads.
  2. Be aware the Discord wrapper runs the scanner as a subprocess and may run long scans.
  3. The proxy rotator fetches public proxy lists from third-party raw URLs; verify these sources if you require provenance.
  4. Inspect licensing/upgrade URLs if you do not want external payment links printed.

If you need higher assurance, run the scanner in an isolated environment and audit network traffic during its first runs.
Capability Tags
crypto
can-make-purchases
Capability Assessment
Purpose & Capability
Name, description, SKILL.md and included Python modules (scanner, proxy rotation, licensing, Discord wrapper) are consistent with an XSS scanning tool. The proxy rotator, licensing checks, and Discord command wrapper are plausible components for this purpose.
Instruction Scope
SKILL.md instructs running scanner.py against arbitrary targets (including blind-callback and proxy options) and the discord wrapper runs scanner.py via subprocess. This is expected, but the shipped payload library contains explicit exfiltration payloads (e.g. fetch calls to hardcoded domains like 'evil.com') and the blind-callback option sends data to external callback URLs — both are normal for XSS testing but can leak data if used irresponsibly. The proxy loader fetches third-party proxy lists from raw GitHub URLs.
Install Mechanism
Instruction-only / no install spec. All code is present in the package and no external installers or arbitrary downloads are performed during install. Risk from install mechanism is low.
Credentials
The skill requests no environment variables or credentials. Licensing checks read local license files and respect an EDGEIQ_LICENSE_TIER env var — this is proportionate to the declared pricing/licensing behavior.
Persistence & Privilege
The skill is not always-enabled, does not request elevated or persistent platform privileges, and does not write to other skills' configs. It reads local license files and may print upgrade prompts, which is typical and proportionate.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install edgeiq-xss-scanner
  3. After installation, invoke the skill by name or use /edgeiq-xss-scanner
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.4.0
v1.4.0: URGENT FIX — corrected Stripe Payment Link URLs (no suffixes, correct live URLs)
v1.3.0
v1.3.0: CRITICAL FIX — replaced placeholder Stripe URLs with real working Payment Link checkout URLs
v1.2.0
v1.2.0: Dual pricing — Lifetime as primary purchase option with optional monthly. Updated Stripe checkout URLs.
v1.1.0
Monetization update: added Free vs Pro plans, Stripe upgrade links, bundle option, and updated support/contact details.
v1.0.0
Initial release of XSS Scanner Skill. - Scans web apps for reflected and DOM-based XSS using 24+ payloads across 6 injection contexts. - Features smart filtering to skip API responses, concurrent worker threads, and an auto-crawl mode with configurable depth. - Pure Python 3—no external dependencies; compatible with WSL and Windows. - Supports command-line usage, OpenClaw Discord commands, and offers a Pro upgrade with export, integrations, and scheduled scans. - Strictly for authorized, legal security testing.
Metadata
Slug edgeiq-xss-scanner
Version 1.4.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 5
Frequently Asked Questions

What is Xss Scanner?

Scans web apps for reflected and DOM-based XSS using 24+ payloads across 6 contexts, with crawl and concurrency support for authorized security audits. It is an AI Agent Skill for Claude Code / OpenClaw, with 133 downloads so far.

How do I install Xss Scanner?

Run "/install edgeiq-xss-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Xss Scanner free?

The marketplace lists Xss Scanner under the MIT-0 license and the install itself is free. The README, however, describes a free tier plus paid options (Lifetime $39, or $7/mo) for features such as blind XSS detection, HTML reports, scheduled scans and alert delivery.

Which platforms does Xss Scanner support?

Xss Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Xss Scanner?

It is built and maintained by snipercat69 (@snipercat69); the current version is v1.4.0.
