← Back to Skills Marketplace
93
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-security-testing-agent
Description
安全测试Agent。漏洞扫描、渗透测试、代码审计、安全加固。触发词:安全、渗透、漏洞、xss、sql注入、csrf、扫描、审计。
Usage Guidance
This skill appears coherent for its stated purpose, but it performs active scans and includes potentially destructive payloads. Before installing or using it: 1) Only run scans against systems you explicitly have permission to test; unauthorized scanning may be illegal. 2) Review the full SKILL.md and any referenced repository (skill.json points to a GitHub URL) to confirm the author and intent—the registry metadata shows an unknown source. 3) Run the skill in an isolated/test environment (or sandbox) first to avoid accidental damage to production systems. 4) The SKILL.md references many external tools but won't install them for you—install and vet those tools yourself. 5) Do not provide credentials or tokens to the skill unless you understand and trust where they will be used; prefer ephemeral/test credentials. If you want higher assurance, request the complete SKILL.md and verify there are no instructions that read or exfiltrate local files or environment variables before running.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-security-testing-agent
Version: 1.0.0
The skill bundle provides a security testing suite in SKILL.md that includes active vulnerability scanning, secret detection, and dependency auditing. It utilizes high-risk capabilities such as executing shell commands via subprocess.run and scanning the local filesystem for sensitive credentials like AWS, GitHub, and OpenAI tokens. While these actions are consistent with the stated purpose of a security agent, the presence of destructive SQL injection payloads (e.g., DROP TABLE) and the broad access to local secrets without built-in safeguards make the bundle inherently risky, though no clear evidence of intentional data exfiltration or malicious intent was found.
Capability Tags
Capability Assessment
Purpose & Capability
The name/description (security testing, scanning, pentest, code audit) align with the SKILL.md content: SAST/DAST/SCA/static secret scanning/container scanning and example scanner code. The required environment, binaries, and config paths are minimal and consistent with an instruction-only pentesting helper. The SKILL.md references common tools (SonarQube, Semgrep, ZAP, Burp, Snyk, Trivy) which are expected for this domain.
Instruction Scope
The provided instructions include runnable scanner code that issues HTTP requests with offensive payloads (SQL injection strings, XSS payloads, time-based tests, etc.). This is consistent with a pentest tool but means the skill performs active probing and can be destructive (e.g., payloads like "'; DROP TABLE users--"). The SKILL.md also mentions static-secret scanning and other tools which imply reading project files or repositories; the skill does not declare explicit limits or require an authorization token, so you must ensure explicit permission before use. The SKILL.md lists many external tools but provides no install steps — the agent may assume those tools are available or try to run equivalent Python code, which could fail or behave unexpectedly.
Install Mechanism
No install spec and no code files beyond SKILL.md means nothing will be downloaded or written by an installer. That lowers supply-chain risk. However, because the document references many third-party tools without providing installers, users should be aware they need to install and trust those tools themselves.
Credentials
The skill declares no required environment variables or credentials. The example scanner accepts an optional api_key parameter but the skill does not demand or request access to unrelated secrets. There is no evidence the skill tries to read unrelated environment variables or system config.
Persistence & Privilege
always is false and there are no install hooks or persistent components. The skill does not request to modify other skills or global agent settings; it is instruction-only and only runs when invoked.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-security-testing-agent - After installation, invoke the skill by name or use
/openclaw-security-testing-agent - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
openclaw-security-testing-agent 1.0.0
- Initial release of the AI-driven security testing agent
- Supports vulnerability scanning, penetration testing, code auditing, and security hardening
- Covers SAST (static analysis), DAST (dynamic analysis), SCA (dependency scanning), secret/key leakage, and container image scanning
- Integrates with tools such as SonarQube, Semgrep, CodeQL, OWASP ZAP, BurpSuite, Snyk, Trivy, and others
- Provides Python-based frameworks for detecting common web vulnerabilities including SQL injection, XSS, and CSRF
Metadata
Frequently Asked Questions
What is Security Testing Agent?
安全测试Agent。漏洞扫描、渗透测试、代码审计、安全加固。触发词:安全、渗透、漏洞、xss、sql注入、csrf、扫描、审计。 It is an AI Agent Skill for Claude Code / OpenClaw, with 93 downloads so far.
How do I install Security Testing Agent?
Run "/install openclaw-security-testing-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Security Testing Agent free?
Yes, Security Testing Agent is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Security Testing Agent support?
Security Testing Agent is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Security Testing Agent?
It is built and maintained by SKY-lv (@sky-lv); the current version is v1.0.0.
More Skills