← Back to Skills Marketplace
38
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install picoclaw-self-pen-testing
Description
Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance.
README (SKILL.md)
Picoclaw Posture Review (separate package)
Purpose: keep Picoclaw posture-review checks isolated from the broader guardian package so moderation-sensitive checks can be versioned/published independently.
Scope
This skill only performs local, read-only posture-review analysis against an existing Picoclaw posture profile.
It flags:
- public Web UI exposure
- disabled UI auth
- unrestricted workspace/tooling
- unsigned verification mode
- MCP trust-boundary review needs
- scheduler persistence review
- plaintext secret markers
- multi-channel auth review
Usage
node scripts/self_pen_test.mjs --profile ~/.picoclaw/security/clawsec/current-profile.json
Validation
python utils/validate_skill.py skills/picoclaw-self-pen-testing
node skills/picoclaw-self-pen-testing/test/self_pen_test.test.mjs
Usage Guidance
This package appears coherent and read-only: it only parses the JSON profile file you explicitly pass and prints findings. Before installing, verify the package source (homepage/owner) and license (AGPL implications for redistribution). Run the included unit test locally (node test/self_pen_test.test.mjs) to confirm behavior. Note the README references a python validation script that isn't packaged—ignore or supply your own validator. Most importantly, only point --profile at files you intend to inspect (do not feed it arbitrary sensitive files), and review the small JS files yourself if you want to be certain they only read and summarize the profile. If you need stronger guarantees, run the CLI in a sandboxed environment or with a copy of the profile that has secrets redacted.
Capability Analysis
Type: OpenClaw Skill
Name: picoclaw-self-pen-testing
Version: 0.0.1
The skill is a local security auditing tool designed to perform read-only posture reviews of Picoclaw configuration profiles. The code in lib/self_pen_test.mjs and scripts/self_pen_test.mjs purely analyzes JSON input for security weaknesses (e.g., disabled authentication or exposed interfaces) and outputs a report. There is no evidence of network egress, data exfiltration, or malicious execution; the behavior is entirely consistent with the documentation provided in SKILL.md and skill.json.
Capability Assessment
Purpose & Capability
Name/description say 'local posture-review' and the package contains a small Node-based engine and CLI that reads a profile JSON and emits findings. Declared requirement of node and optional PICOCLAW_HOME are appropriate and proportional. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions require an explicit --profile path and the CLI only reads that file, runs in-memory checks, and prints JSON. This matches the stated read-only scope. Minor note: SKILL.md/README mention a python utils/validate_skill.py validation command that is not included in the package—this is a documentation/test mismatch but not a runtime risk. Also: because the tool reads whatever profile path you supply, do not point it at files containing secrets unless you intend local inspection.
Install Mechanism
No install spec is provided (instruction-only skill) and the package includes only small JS modules and a script; nothing is downloaded or executed from remote URLs. This is low-risk for installation.
Credentials
The skill requires no credentials or sensitive environment variables. The manifest declares an optional PICOCLAW_HOME only. There are no unexpected required env vars or keys.
Persistence & Privilege
always is false, the package states 'Read-only/on-demand; no scheduler is installed', and the code does not write to system paths or modify other skills. It runs on-demand with no autonomous persistence requested.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install picoclaw-self-pen-testing - After installation, invoke the skill by name or use
/picoclaw-self-pen-testing - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.0.1
Release 0.0.1 via CI
Metadata
Frequently Asked Questions
What is picoclaw-self-pen-testing?
Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance. It is an AI Agent Skill for Claude Code / OpenClaw, with 38 downloads so far.
How do I install picoclaw-self-pen-testing?
Run "/install picoclaw-self-pen-testing" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is picoclaw-self-pen-testing free?
Yes, picoclaw-self-pen-testing is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does picoclaw-self-pen-testing support?
picoclaw-self-pen-testing is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created picoclaw-self-pen-testing?
It is built and maintained by davida-ps (@davida-ps); the current version is v0.0.1.
More Skills