Pentest Api Attacker
by Muhammad Mazhar Saeed · GitHub · v0.1.0
1206 Downloads · 1 Stars · 6 Active Installs · 1 Versions
Install in OpenClaw: /install pentest-api-attacker
Description
Test APIs against OWASP API Security Top 10 including discovery, auth abuse, and protocol-specific checks.
README (SKILL.md)
Pentest API Attacker
Stage
- PTES: 5
- MITRE: T1190
Objective
Enumerate and test API endpoints and business logic attack vectors.
Required Workflow
- Validate scope before any active action and reject out-of-scope targets.
- Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
- Write findings in canonical finding_schema format with reproducible PoC notes.
- Honor dry-run mode and require explicit --i-have-authorization for live execution.
- Export deterministic artifacts for downstream skill consumption.
Execution
python skills/pentest-api-attacker/scripts/api_attacker.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run
Outputs
- api-endpoints.json
- api-findings.json
- api-attack-report.json
References
- references/tools.md
- skills/autonomous-pentester/shared/scope_schema.json
- skills/autonomous-pentester/shared/finding_schema.json
Legal and Ethical Notice
WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.
Usage Guidance
This package appears to be a scaffold that enforces scope and authorization and then writes placeholder artifacts rather than actually running the pentesting tools it advertises. Before installing or running it:
1. Verify the origin/author, since the source is unknown.
2. Inspect the shared module referenced at skills/autonomous-pentester/shared/pentest_common.py (not included here); it may contain the real network/testing logic or sensitive operations.
3. Confirm you understand whether real attack tooling is intentionally omitted (is this a dry-run-only helper?) and, if you plan to run live tests, only do so with written authorization and in an isolated/test environment.
4. If you expect active scanning (kiterunner, restler, jwt_tool, etc.), request evidence from the author showing how and where those tools are invoked; rely on signed releases or an authoritative source before granting execution privileges.
Capability Analysis
Type: OpenClaw Skill
Name: pentest-api-attacker
Version: 0.1.0
The skill bundle is classified as benign. It is designed for authorized API penetration testing, with strong safeguards including explicit `--i-have-authorization` for live execution, a `--dry-run` mode, and scope validation. The `SKILL.md` and `agents/openai.yaml` instructions reinforce ethical use and security best practices for the AI agent. The `api_attacker.py` script, even when authorized, currently only generates placeholder findings, indicating it acts as an orchestrator or wrapper, not the direct attack tool itself, and contains no evidence of malicious intent like data exfiltration or unauthorized command execution.
Capability Assessment
Purpose & Capability
The name and description claim active testing against the OWASP API Top 10 (discovery, auth abuse, protocol checks). The repo contains a single script that enforces scope/authorization checks and writes placeholder artifacts, but does not implement the scanning/fuzzing logic or invoke the external tools referenced in references/tools.md. That discrepancy (promised active testing vs implemented placeholder behavior) is incoherent and should be explained by the author.
Instruction Scope
SKILL.md instructs a safe workflow (validate scope, require explicit --i-have-authorization, honor dry-run) and uses deterministic outputs. The execution example matches the provided script. However, the script imports shared functions from skills/autonomous-pentester/shared/pentest_common.py (via a sys.path insertion). The shared module is out-of-bundle here and could contain additional behavior; inspect it to confirm the runtime scope is limited to authorized testing and that no unrelated file reads/exfiltration occur.
Install Mechanism
No install spec is provided (instruction-only with one bundled script). Nothing is downloaded or written during an install step — this is the lowest-risk pattern for install mechanism.
Credentials
The skill does not request any environment variables, credentials, or config paths. The script requires only command-line arguments (scope, target, input/output). This is proportionate to the stated purpose.
Persistence & Privilege
The `always` flag is false, and the skill does not request permanent presence or attempt to modify other skills' configuration. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk attributes.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install pentest-api-attacker
- After installation, invoke the skill by name or use /pentest-api-attacker
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
pentest-api-attacker v0.1.0
- Initial release with support for testing APIs against OWASP API Security Top 10.
- Includes mechanisms for API endpoint discovery, authentication abuse, and protocol-specific checks.
- Enforces scope validation and authorization before active testing.
- Outputs findings and artifacts in standard formats for reporting and downstream use.
- Integrates with PTES, MITRE ATT&CK, OWASP WSTG, and NIST SP 800-115 methodologies.
Frequently Asked Questions
What is Pentest Api Attacker?
Test APIs against OWASP API Security Top 10 including discovery, auth abuse, and protocol-specific checks. It is an AI Agent Skill for Claude Code / OpenClaw, with 1206 downloads so far.
How do I install Pentest Api Attacker?
Run "/install pentest-api-attacker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Pentest Api Attacker free?
Yes, Pentest Api Attacker is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Pentest Api Attacker support?
Pentest Api Attacker is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Pentest Api Attacker?
It is built and maintained by Muhammad Mazhar Saeed (@0x-professor); the current version is v0.1.0.