
Security Tester

by zhanghengyi1986-afk · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
81 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install security-tester
Description
Security testing for web applications and APIs based on OWASP standards. Identify common vulnerabilities (injection, auth bypass, XSS, CSRF, IDOR), generate...
Usage Guidance
This skill appears to be a legitimate OWASP-based security-testing guide, but take these precautions before installing or running it:
  - Only run tests against targets you own or have explicit authorization to test. Many included checks are intrusive (SQLi payloads that include 'DROP TABLE', brute-force login attempts, DoS-style loops, SSRF tests targeting cloud metadata) and can cause data loss, account lockout, or legal issues.
  - The SKILL.md expects runtime inputs (URL, bearer tokens, JWTs, API tokens) and uses tools (python3, base64, nmap, openssl), but the registry metadata does not declare these environment variables or binary requirements; the skill will implicitly depend on them. Ask the publisher to explicitly list required env vars and binaries.
  - Consider running tests in a safe staging environment, or with rate limits and non-destructive payloads first. Remove obviously destructive payloads (e.g., DROP TABLE) from automated runs.
  - If you allow autonomous invocation, restrict its scope or disable autonomous execution until you confirm what inputs it will use. Autonomous operation combined with undisclosed credentials/targets increases risk.
  - Verify legal/organizational approval and have backups and incident contacts ready before running active tests.
If you need higher confidence, request that the publisher add a clear requires.env section, explicit warnings about destructive tests, and a non-destructive default test mode.
Capability Assessment
Purpose & Capability
The name, description, and included test matrices (OWASP Top 10, API Security) match the instructions and reference documents. The actions described (IDOR, XSS, SQLi, CSRF, SSRF, auth testing) are appropriate for a security-testing skill.
Instruction Scope
SKILL.md tells the agent to run many live tests (curl loops, brute-force attempts, payload injection including a 'DROP TABLE' payload, SSRF checks targeting metadata IPs). It also invokes tools and commands (python3, base64, nmap, openssl, JWT decoding, curl, shell loops) and references environment variables ($URL, $USER_A_TOKEN, $NORMAL_USER_TOKEN, $JWT) that are not declared. These instructions can be destructive or invasive if run against production or without authorization, and they grant broad operational discretion to the user/agent.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer. This reduces some risk compared to an arbitrary download/install, but runtime commands may still execute local binaries.
Credentials
The SKILL.md expects multiple runtime inputs and secrets (URL, various bearer tokens, JWTs) but requires.env lists none and the registry metadata declares no primary credential. This mismatch is important: the skill relies on user-provided credentials and target URLs but does not declare or document them as required variables. Additionally, the instructions include tests that may attempt to reach internal services (169.254.169.254) — access to cloud metadata is sensitive and must be intentionally authorized.
Persistence & Privilege
The skill is not always-included and does not request special persistence or system-wide configuration changes. Autonomous model invocation is enabled (platform default); combine this with the above concerns when deciding whether to allow autonomous runs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install security-tester
  3. After installation, invoke the skill by name or use /security-tester
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: OWASP Top 10 testing, API security, injection/auth/access control tests, CVSS scoring
Metadata
Slug: security-tester
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Security Tester?

Security testing for web applications and APIs based on OWASP standards. Identify common vulnerabilities (injection, auth bypass, XSS, CSRF, IDOR), generate... It is an AI Agent Skill for Claude Code / OpenClaw, with 81 downloads so far.

How do I install Security Tester?

Run "/install security-tester" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Security Tester free?

Yes, Security Tester is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Security Tester support?

Security Tester is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Security Tester?

It is built and maintained by zhanghengyi1986-afk (@zhanghengyi1986-afk); the current version is v1.0.0.