Web Security Penetration Test

by liubo2025code · GitHub ↗ · v1.0.0 · MIT-0
Platform: cross-platform · Flag: ⚠ suspicious
Downloads: 122
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install web-security-pentest-skill-complete
Description
Automates web security penetration testing by performing reconnaissance, vulnerability scanning, exploitation, and generating detailed compliance reports.
Usage Guidance
This package is coherent with a penetration-testing toolkit, but it includes explicit attack payloads (reverse shells, exfiltration examples, cloud metadata access) that can be destructive or leak data. Only run this skill against systems you are authorized to test. Before installing or running: review and edit config.yaml scope/exclusions; remove or blank any webhook/Jira/SMTP/GitHub tokens if you don't intend to integrate; enable safe defaults (e.g., verify_ssl: true, lower concurrency); do not run scans from your production host or as root—use an isolated VM/container; inspect start.sh and scripts that invoke system commands or open network connections; and obtain written authorization for any external testing. If you want lower risk, use the repo for offline analysis and tests against intentionally vulnerable lab systems (e.g., local VMs or known test targets).
Capability Analysis
Type: OpenClaw Skill
Name: web-security-pentest-skill-complete
Version: 1.0.0
The skill bundle provides a comprehensive suite for web penetration testing but contains critical vulnerabilities and high-risk capabilities. Specifically, 'scripts/utils/nmap_wrapper.py' is vulnerable to shell injection because it constructs nmap commands using unsanitized input and executes them via 'subprocess.Popen' with 'shell=True'. While the bundle's intent appears to be legitimate security auditing, it grants the AI agent broad power to execute system commands and perform network attacks, which could be exploited if the agent is subverted.
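The shell-injection pattern flagged above, shown beside its hardened form. This is an added illustration written for this listing, not code from the skill or from scripts/utils/nmap_wrapper.py; the function names, the target-validation regex and the "; echo injected" sample target are this example's own assumptions. Nothing here executes nmap: the unsafe variant only builds the string that Popen(shell=True) would hand to a shell, and shell_words shows how a POSIX shell would tokenise it.

```python
"""Added example (not the skill's code): unsafe string-built nmap command vs.
validated argv list. Names and validation policy are assumptions."""
import re
import shlex
import subprocess

# Assumed allow-list for this example: hostnames, IPv4 addresses, optional /prefix.
# The skill itself defines no such rule; this is the check a hardened wrapper needs.
_TARGET_RE = re.compile(r"^[A-Za-z0-9.\-]+(?:/\d{1,2})?$")


def build_nmap_command_unsafe(target: str) -> str:
    """Vulnerable pattern: interpolate user input into one string intended for
    subprocess.Popen(cmd, shell=True). Any metacharacter in `target` is parsed
    by the shell as part of the command line."""
    return f"nmap -sV {target}"


def build_nmap_command_safe(target: str) -> list:
    """Hardened pattern: reject anything outside the allow-list, then return an
    argv list. Passed to Popen without shell=True, the target reaches nmap as a
    single argument and no shell ever parses it."""
    if not _TARGET_RE.fullmatch(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["nmap", "-sV", target]


def shell_words(command: str) -> list:
    """Inspection only: tokenise a command string the way a POSIX shell would,
    treating ';', '|' and '&' as separate tokens. Nothing is executed."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def run_scan(target: str, dry_run: bool = True):
    """Validate, then either return the argv (dry run) or run it without a shell."""
    argv = build_nmap_command_safe(target)
    if dry_run:
        return argv
    # shell=False (the default): argv elements are passed to nmap verbatim.
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    constructed = "10.0.0.1; echo injected"  # constructed sample input
    print("unsafe string :", build_nmap_command_unsafe(constructed))
    print("shell tokens  :", shell_words(build_nmap_command_unsafe(constructed)))
    try:
        build_nmap_command_safe(constructed)
    except ValueError as exc:
        print("safe builder  :", exc)
    print("safe argv     :", run_scan("10.0.0.1"))
```

The defensive point is the combination: an allow-list on the input plus an argv list with shell=False. Validation alone still leaves a shell in the path, and shell=False alone still lets a hostile target become an unexpected nmap argument, so a reviewer of the wrapper would look for both.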
Capability Tags
crypto, can-make-purchases, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
Name/description match the contents: scripts for reconnaissance, vulnerability scanning, exploitation, and reporting are present along with payload corpuses and configuration files. Required system tools listed (nmap, sqlmap, nikto, gobuster, etc.) are appropriate for the stated purpose and there are no unrelated environment variables or external cloud credentials declared.
Instruction Scope
SKILL.md instructs the agent to run scanning and exploitation scripts (e.g., run full_pentest, sql_injection_test, generate reports). That scope is appropriate for a pentest skill, but the instructions and bundled payload files include explicit destructive payloads (reverse shells, curl/wget to attacker hosts, payloads that exfiltrate cookies or cloud metadata). These behaviors are expected for a pentesting tool but are high-risk if run against unauthorized targets or on the host running the agent.
Install Mechanism
No remote install spec is included (instruction-only install/copy into skills directory). There are no downloads from arbitrary URLs or archive extraction steps in an installer. The code bundle is present in the repository, so installation is a local copy and dependency installation via pip/apt/brew as documented; that is proportionate and transparent.
Credentials
The registry metadata declares no required env vars or primary credential. The repo/config contain optional integration fields (Slack webhook, SMTP, Jira/GitHub tokens) but these are empty by default and not required. No unrelated cloud or system credentials are demanded at install-time.
Persistence & Privilege
always: false and the skill does not request elevated platform privileges. Model-invocation is allowed (the default) which is normal; because the skill can run powerful scans and exploitation scripts, users should be careful about autonomous invocation in production agents, but autonomy alone is not an incoherence here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install web-security-pentest-skill-complete
  3. After installation, invoke the skill by name or use /web-security-pentest-skill-complete
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Tags: security, pentest, web, owasp, vulnerability
Metadata
Slug web-security-pentest-skill-complete
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Web Security Penetration Test?

Automates web security penetration testing by performing reconnaissance, vulnerability scanning, exploitation, and generating detailed compliance reports. It is an AI Agent Skill for Claude Code / OpenClaw, with 122 downloads so far.

How do I install Web Security Penetration Test?

Run "/install web-security-pentest-skill-complete" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Web Security Penetration Test free?

Yes, Web Security Penetration Test is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Web Security Penetration Test support?

Web Security Penetration Test is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Web Security Penetration Test?

It is built and maintained by liubo2025code (@liubo2025code); the current version is v1.0.0.
