← Back to Skills Marketplace
davida-ps

picoclaw-self-pen-testing

by davida-ps · GitHub ↗ · v0.0.3 · MIT-0
cross-platform ✓ Security Clean
30
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install clawsec-picoclaw-self-pen-testing
Description
Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance.
README (SKILL.md)

Picoclaw Posture Review (separate package)

Purpose: keep Picoclaw posture-review checks isolated from the broader guardian package so moderation-sensitive checks can be versioned/published independently.

Vercel Skills Installation

Install with the Vercel Skills CLI for this harness:

npx skills add prompt-security/clawsec --skill picoclaw-self-pen-testing -a openclaw -y

Release Artifact Verification

For standalone installs, verify the signed release manifest before trusting SKILL.md, skill.json, or the archive. The skill.json file is the package metadata/SBOM source, and the release pipeline signs checksums.json with the ClawSec release key.

set -euo pipefail

SKILL_NAME="picoclaw-self-pen-testing"
VERSION="0.0.3"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
ZIP_NAME="${SKILL_NAME}-v${VERSION}.zip"
TMP_DIR="$(mktemp -d)"
trap 'rm -rf "$TMP_DIR"' EXIT

RELEASE_PUBKEY_SHA256="711424e4535f84093fefb024cd1ca4ec87439e53907b305b79a631d5befba9c8"

curl -fsSL "$BASE/checksums.json" -o "$TMP_DIR/checksums.json"
curl -fsSL "$BASE/checksums.sig" -o "$TMP_DIR/checksums.sig"
curl -fsSL "$BASE/signing-public.pem" -o "$TMP_DIR/signing-public.pem"
curl -fsSL "$BASE/$ZIP_NAME" -o "$TMP_DIR/$ZIP_NAME"
curl -fsSL "$BASE/SKILL.md" -o "$TMP_DIR/SKILL.md"
curl -fsSL "$BASE/skill.json" -o "$TMP_DIR/skill.json"

ACTUAL_PUBKEY_SHA256="$(openssl pkey -pubin -in "$TMP_DIR/signing-public.pem" -outform DER | shasum -a 256 | awk '{print $1}')"
if [ "$ACTUAL_PUBKEY_SHA256" != "$RELEASE_PUBKEY_SHA256" ]; then
  echo "ERROR: signing-public.pem fingerprint mismatch" >&2
  exit 1
fi

openssl base64 -d -A -in "$TMP_DIR/checksums.sig" -out "$TMP_DIR/checksums.sig.bin"
openssl pkeyutl -verify -rawin -pubin \
  -inkey "$TMP_DIR/signing-public.pem" \
  -sigfile "$TMP_DIR/checksums.sig.bin" \
  -in "$TMP_DIR/checksums.json" >/dev/null

hash_file() {
  if command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    sha256sum "$1" | awk '{print $1}'
  fi
}

verify_manifest_file() {
  asset="$1"
  path="$2"
  expected="$(jq -r --arg asset "$asset" '.files[$asset].sha256 // empty' "$TMP_DIR/checksums.json")"
  if [ -z "$expected" ]; then
    echo "ERROR: checksums.json missing $asset" >&2
    exit 1
  fi
  actual="$(hash_file "$path")"
  if [ "$actual" != "$expected" ]; then
    echo "ERROR: checksum mismatch for $asset" >&2
    exit 1
  fi
}

expected_archive="$(jq -r '.archive.sha256 // empty' "$TMP_DIR/checksums.json")"
if [ -z "$expected_archive" ]; then
  echo "ERROR: checksums.json missing archive.sha256" >&2
  exit 1
fi
actual_archive="$(hash_file "$TMP_DIR/$ZIP_NAME")"
if [ "$actual_archive" != "$expected_archive" ]; then
  echo "ERROR: archive checksum mismatch" >&2
  exit 1
fi

verify_manifest_file "SKILL.md" "$TMP_DIR/SKILL.md"
verify_manifest_file "skill.json" "$TMP_DIR/skill.json"

echo "Signed release manifest, archive, SKILL.md, and skill.json verified."

Only install or extract the archive after this verification succeeds.

Scope

This skill only performs local, read-only posture-review analysis against an existing Picoclaw posture profile.

It flags:

  • public Web UI exposure
  • disabled UI auth
  • unrestricted workspace/tooling
  • unsigned verification mode
  • MCP trust-boundary review needs
  • scheduler persistence review
  • plaintext secret markers
  • multi-channel auth review

Usage

node scripts/self_pen_test.mjs --profile ~/.picoclaw/security/clawsec/current-profile.json

Validation

python utils/validate_skill.py skills/picoclaw-self-pen-testing
node skills/picoclaw-self-pen-testing/test/self_pen_test.test.mjs
Usage Guidance
Install only if you expect ClawHub/Convex maintainer workflows. Review the moderation and autoreview skills before use because they can guide agents toward admin actions or full-access review tooling, but the artifacts disclose those capabilities and include user-control safeguards.
Capability Assessment
Purpose & Capability
The visible skill files describe Convex setup, migration, performance, ClawHub moderation, PR maintenance, and review workflows, and the commands they recommend fit those purposes.
Instruction Scope
Several skills instruct agents to use powerful local or administrative tools, but the instructions include scoping, confirmation, dry-run, verification, and explicit-user-request requirements for sensitive actions.
Install Mechanism
No hidden installer, obfuscated setup, unexpected package installation hook, or persistence mechanism was found in the inspected skill artifacts.
Credentials
The autoreview helper can run nested review tooling with full-access sandbox bypass by default and may run CI/static checks, which is broad but disclosed and aligned with its review-gate purpose.
Persistence & Privilege
The artifacts do not show background persistence, credential harvesting, exfiltration, or privilege escalation; admin/moderation operations are framed as authenticated, audited, and user-confirmed workflows.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawsec-picoclaw-self-pen-testing
  3. After installation, invoke the skill by name or use /clawsec-picoclaw-self-pen-testing
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.3
Release 0.0.3 via CI
Metadata
Slug clawsec-picoclaw-self-pen-testing
Version 0.0.3
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is picoclaw-self-pen-testing?

Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance. It is an AI Agent Skill for Claude Code / OpenClaw, with 30 downloads so far.

How do I install picoclaw-self-pen-testing?

Run "/install clawsec-picoclaw-self-pen-testing" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is picoclaw-self-pen-testing free?

Yes, picoclaw-self-pen-testing is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does picoclaw-self-pen-testing support?

picoclaw-self-pen-testing is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created picoclaw-self-pen-testing?

It is built and maintained by davida-ps (@davida-ps); the current version is v0.0.3.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments