← 返回 Skills 市场
Xss Scanner
作者
snipercat69
· GitHub ↗
· v1.4.0
· MIT-0
133
总下载
0
收藏
0
当前安装
5
版本数
在 OpenClaw 中安装
/install edgeiq-xss-scanner
功能描述
Scans web apps for reflected and DOM-based XSS using 24+ payloads across 6 contexts, with crawl and concurrency support for authorized security audits.
使用说明 (SKILL.md)
EdgeIQ XSS Scanner
Version: 1.2.0
Skill Name: xss-scanner
Category: Security / Offensive / Auditing
Author: EdgeIQ Labs
License: Defensive Use Only
OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Windows + macOS
What It Does
Professional-grade XSS vulnerability scanner for authorized security auditing. Scans web applications for reflected XSS, DOM-based XSS, stored/persistent XSS (via blind callback), and WAF-bypass variants. Designed for penetration testers, bug bounty researchers, and security teams with explicit written authorization.
⚠️ Legal Notice: Only scan targets you own or have explicit written permission to audit. Unauthorized scanning is illegal and strictly prohibited. This tool is for defensive security professionals.
Pricing
| Feature | Lifetime ($39) | Optional Monthly ($7/mo) |
|---|---|---|
| All scanner features | ✅ | ✅ |
| Blind XSS detection | ✅ | ✅ |
| Screenshot evidence capture | ✅ | ✅ |
| HTML report export | ✅ | ✅ |
| Reflected params deep analysis | ✅ | ✅ |
| Scheduled recurring scans | ✅ | ✅ |
| Alert delivery (Discord/Telegram/Email) | ✅ | ✅ |
| Priority support | ✅ | ✅ |
| Core reflected XSS scan (40+ payloads) | ✅ | ✅ |
| Crawl mode + BFS depth | ✅ | ✅ |
| JSON report export | ✅ | ✅ |
| HTTP security header analysis | ✅ | ✅ |
| WAF detection + auto-bypass | ✅ | ✅ |
| Custom headers, cookies, auth | ✅ | ✅ |
| Proxy support | ✅ | ✅ |
| Rate limiting control | ✅ | ✅ |
--quiet mode + exit codes |
✅ | ✅ |
Lifetime License: $39 — your tool forever, all Pro features included permanently.
Optional Monthly: $7/mo — for those who prefer recurring billing (cancel anytime).
👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo 👉 Subscribe Monthly — $7/mo
Feature Tiers at a Glance
| Feature | Free | Lifetime ($39) |
|---|---|---|
| Core reflected XSS scan (40+ payloads) | ✅ | ✅ |
| Crawl mode + BFS depth | ✅ | ✅ |
| JSON report export | ✅ | ✅ |
| HTTP security header analysis | ✅ | ✅ |
| WAF detection + auto-bypass | ✅ | ✅ |
| Custom headers, cookies, auth | ✅ | ✅ |
| Proxy support | ✅ | ✅ |
| Rate limiting control | ✅ | ✅ |
--quiet mode + exit codes |
✅ | ✅ |
Blind XSS detection (--blind-callback) |
❌ | ✅ |
Screenshot evidence capture (--screenshot-dir) |
❌ | ✅ |
HTML report export (--format html) |
❌ | ✅ |
| Reflected params deep analysis | ❌ | ✅ |
| Scheduled recurring scans | ❌ | ✅ |
| Alert delivery (Discord/Telegram/Email) | ❌ | ✅ |
| Priority support | ❌ | ✅ |
All Pro features are now included in the Lifetime License. The Lifetime purchase gives you permanent access to everything previously locked behind Pro/Bundle tiers.
What's New in v2
| Feature | Free | Lifetime ($39) |
|---|---|---|
| Core reflected XSS scan | ✅ | ✅ |
| 40+ payloads (incl. WAF bypass) | ✅ | ✅ |
| 7 injection context modes | ✅ | ✅ |
| Crawl mode with BFS depth | ✅ | ✅ |
| JSON + HTML report export | ✅ | ✅ |
| HTTP security header analysis (CSP, XFO, HSTS…) | ✅ | ✅ |
| WAF detection + auto-bypass payload switching | ✅ | ✅ |
| Custom headers, cookies, auth | ✅ | ✅ |
| Proxy support (stealth scanning) | ✅ | ✅ |
| Rate limiting control | ✅ | ✅ |
| Blind XSS detection (callback mode) | ❌ | ✅ |
| Reflected params analysis | ❌ | ✅ |
| Screenshot evidence capture | ❌ | ✅ |
--quiet mode + exit codes (CI/CD) |
✅ | ✅ |
| Scheduled recurring scans | ❌ | ✅ |
| Alert delivery (Discord / Telegram / Email) | ❌ | ✅ |
| Priority support | ❌ | ✅ |
Installation
# Standalone usage
python3 /home/guy/.openclaw/workspace/apps/xss-scanner/scanner.py \x3Ctarget>
# As OpenClaw command (in any channel):
!xss https://example.com
!xss https://example.com --depth 3 --workers 20
Quick Start
Basic Scan
python3 scanner.py https://example.com
Verbose / Full Crawl
python3 scanner.py https://example.com --depth 2 --max-urls 30
With Proxy (Burp Suite / OWASP ZAP)
python3 scanner.py https://example.com --proxy http://127.0.0.1:8080 --quiet
Authenticated Scan
python3 scanner.py https://example.com --auth admin:secret --cookies "session=abc123"
Blind XSS (stored/persistent XSS detection)
python3 scanner.py https://example.com --blind-callback https://your-callback.com/log
Security Headers Audit
python3 scanner.py https://example.com --analyze-headers --format json --out report.json
Export HTML Report
python3 scanner.py https://example.com --format html --out xss-report.html
Automation / CI-CD (exit codes + quiet mode)
python3 scanner.py https://example.com --quiet --format json -o result.json
echo "Exit code: $?" # 0=safe, 1=vulns found, 2=error, 3=interrupted
Command Reference
Positional Arguments
| Argument | Description |
|---|---|
url |
Target URL (auto-adds https:// if missing) |
Core Options
| Flag | Type | Default | Description |
|---|---|---|---|
--depth |
int | 2 | Crawl depth (BFS link discovery) |
--max-urls |
int | 20 | Maximum URLs to scan before stopping |
--workers |
int | 15 | Concurrent threads for payload testing |
--format |
choice | discord | Output format: discord, json, html, simple |
--follow-external |
flag | False | Follow links to external domains |
--quiet, -q |
flag | False | Suppress progress output |
--out, -o |
path | — | Write output to file |
Network Options
| Flag | Type | Description |
|---|---|---|
--proxy |
URL | HTTP/S proxy (e.g. http://127.0.0.1:8080 for Burp/ZAP) |
--user-agent |
string | Custom User-Agent string |
--auth |
user:pass | Basic HTTP authentication |
--cookies |
string | Cookie string (name=value; name2=value2) |
--custom-header |
HDR | Add custom header (Name: value) — repeatable |
--timeout |
float | Request timeout in seconds (default: 15) |
--rate-limit |
float | Minimum seconds between requests (anti-rate-limit) |
Advanced Options
| Flag | Type | Description |
|---|---|---|
--blind-callback |
URL | Blind XSS callback URL for stored XSS detection |
--analyze-headers |
flag | Analyze HTTP security headers (CSP, X-Frame-Options, HSTS…) |
--reflected-only |
flag | Map reflected params without sending payloads |
--screenshot-dir |
path | Directory for evidence HTML files (default: /tmp/xss-screenshots) |
Exit Codes
| Code | Meaning |
|---|---|
0 |
Scan complete — no vulnerabilities found |
1 |
Scan complete — vulnerabilities detected |
2 |
Scan error — target unreachable or connection failed |
3 |
Interrupted — SIGINT/SIGTERM received |
Payload Context Detection
The scanner automatically detects the injection context of each reflection and assigns severity accordingly:
| Context | Triggered When | Severity | Example |
|---|---|---|---|
js_string |
Payload inside \x3Cscript> or JS string |
Critical | \x3Cscript>alert(1)\x3C/script> |
event_handler |
Payload inside on* attribute |
Critical | onerror=alert(1) |
html_attr |
Payload inside HTML attribute | High | " onmouseover=alert(1) x=" |
dom |
DOM mutation / innerHTML injection | High | DOM clobbering vectors |
html_body |
Plain text reflection in HTML | Medium | \x3Cscript>alert(1)\x3C/script> |
comment |
Inside HTML comment \x3C!-- --> |
Medium | -->\x3Cscript>alert(1)\x3C/script> |
css |
Inside \x3Cstyle> tag |
Medium | Style-based injection |
url_param |
URL-encoded param in URL | Low | ?q=\x3Cscript>alert(1)\x3C/script> |
WAF Detection & Bypass
Automatically detects these WAFs and switches to bypass payloads:
- Cloudflare, AWS CloudFront, Akamai, Imperva
- Fortinet, Sucuri, F5 BIG-IP ASM, Barracuda
- DenyAll, Cisco ACE, dotDefender, Google Armr
Bypass payloads activated automatically when WAF block patterns are detected:
- Case mutation:
\x3CScRipT>,\x3CIMG SRC=x ONERROR=...> - Unicode escape:
\x3Cscript>\u0061lert(1)\x3C/script> - Protocol-less:
//evil.com/x.js
Security Header Analysis
When --analyze-headers is used, reports on:
| Header | What It Checks |
|---|---|
Content-Security-Policy |
unsafe-inline / unsafe-eval present? |
X-Frame-Options |
Clickjacking protection (DENY / SAMEORIGIN) |
X-Content-Type-Options |
MIME-sniffing disabled (nosniff) |
Strict-Transport-Security |
HTTPS enforcement |
Referrer-Policy |
Referrer leakage |
X-XSS-Protection |
Legacy XSS filter (often disabled intentionally) |
Permissions-Policy |
Browser feature restrictions |
Output Formats
Discord (default)
Rich embed with severity breakdown, grouped by critical/high/medium/low. Clean formatting for Discord channels.
JSON (machine-readable)
Full structured report for CI/CD pipelines, includes:
- Scan stats + metadata
- All vulnerabilities with severity, evidence, timestamp
- Security header findings
- WAF detection results
- Reflected parameter map
HTML (shareable report)
Self-contained styled HTML file — dark theme, sortable vulnerability table, header findings, WAF info. Ready to share with clients or include in pentest deliverables.
Simple (console)
One-line-per-finding format. Good for grep/parsing.
Discord Command Usage
In any OpenClaw Discord channel:
!xss https://example.com
!xss https://example.com --depth 3 --max-urls 50 --workers 20
!xss https://example.com --follow-external --format json -o report.json
!xss https://example.com --proxy http://127.0.0.1:8080 --quiet
!xss https://example.com --blind-callback https://your-domain.com/log
!xss https://example.com --analyze-headers --format html -o report.html
Free vs Pro
Free (v1) — Included
Full-featured scanner for manual authorized auditing. Everything in this SKILL.md except the Pro-only items.
Pro ($19/mo)
- Blind XSS detection with persistent callback monitoring
- Scheduled recurring scans (cron-based)
- Alert delivery to Discord, Telegram, or Email
- Screenshot evidence capture
- Reflected params deep analysis
- Priority onboarding and support
Network Pro ($29/mo) (deprecated)
All features included in Lifetime purchase above.
Bundle ($39/mo) (deprecated)
All features now included in Lifetime purchase above.
Upgrade Links
| Tier | Link |
|---|---|
| $39 | $39 |
| Monthly ($7/mo) | $7/mo |
| $7/mo | $7/mo |
Contact: [email protected]
Architecture
| Component | Detail |
|---|---|
| Language | Python 3 (pure stdlib — no external dependencies) |
| Concurrency | concurrent.futures.ThreadPoolExecutor for parallel payload testing |
| Crawl Strategy | BFS with configurable depth, URL dedup, external-link filtering |
| HTTP Client | Custom HTTPClient class with proxy, auth, cookie, custom-header support |
| WAF Detection | Pattern-matching on response body + headers against 15+ WAF signatures |
| Context Detection | Regex + HTML parser across 8 injection contexts |
| Payload Library | 40+ payloads across script injection, event handlers, attribute injection, URL injection, context breakers, mution/mull-byte bypass, Unicode, DOM clobbering |
| Supported OS | Linux/WSL, Windows, macOS |
| Exit Codes | Full automation support (0/1/2/3) |
Legal & Ethical Use
This tool is for:
- Security researchers auditing authorized bug bounty targets
- Penetration testers assessing client applications under contract
- Developers testing their own applications
- Defensive security teams auditing internal infrastructure
- Capture The Flag (CTF) participants in authorized labs
This tool must NOT be used:
- Against targets without explicit written permission
- On production systems without authorization
- For any unauthorized access, enumeration, or exploitation
- In any jurisdiction where automated vulnerability scanning is restricted
Support
- Email: [email protected]
- Discord: https://discord.gg/aPhSnrU9
- Site: https://edgeiqlabs.com
🔗 More from EdgeIQ Labs
edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.
- 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
- 📸 Screenshot API — URL-to-screenshot API for developers
- 🔔 uptime.check — URL uptime monitoring with alerts
- 🛡️ headers.check — HTTP security headers analyzer
安全使用建议
This package appears coherent for authorized security testing, but it contains intentionally malicious-looking XSS payloads (including ones that fetch/exfiltrate document.cookie to external domains) and a blind-callback feature and proxy loader that perform network requests. Only install/use this on targets you own or have explicit written permission to test. Before using in shared/chat environments: (1) review/replace any hardcoded callback domains (e.g., 'evil.com') with your own collector or remove exfiltration-style payloads; (2) be aware the Discord wrapper runs the scanner as a subprocess and may run long scans; (3) the proxy rotator fetches public proxy lists from third-party raw URLs — verify these sources if you require provenance; (4) inspect licensing/upgrade URLs if you do not want external payment links printed. If you need higher assurance, run the scanner in an isolated environment and audit network traffic during its first runs.
能力标签
能力评估
Purpose & Capability
Name, description, SKILL.md and included Python modules (scanner, proxy rotation, licensing, Discord wrapper) are consistent with an XSS scanning tool. The proxy rotator, licensing checks, and Discord command wrapper are plausible components for this purpose.
Instruction Scope
SKILL.md instructs running scanner.py against arbitrary targets (including blind-callback and proxy options) and the discord wrapper runs scanner.py via subprocess. This is expected, but the shipped payload library contains explicit exfiltration payloads (e.g. fetch calls to hardcoded domains like 'evil.com') and the blind-callback option sends data to external callback URLs — both are normal for XSS testing but can leak data if used irresponsibly. The proxy loader fetches third-party proxy lists from raw GitHub URLs.
Install Mechanism
Instruction-only / no install spec. All code is present in the package and no external installers or arbitrary downloads are performed during install. Risk from install mechanism is low.
Credentials
The skill requests no environment variables or credentials. Licensing checks read local license files and respect an EDGEIQ_LICENSE_TIER env var — this is proportionate to the declared pricing/licensing behavior.
Persistence & Privilege
The skill is not always-enabled, does not request elevated or persistent platform privileges, and does not write to other skills' configs. It reads local license files and may print upgrade prompts, which is typical and proportionate.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install edgeiq-xss-scanner - 安装完成后,直接呼叫该 Skill 的名称或使用
/edgeiq-xss-scanner触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.4.0
v1.4.0: URGENT FIX — corrected Stripe Payment Link URLs (no suffixes, correct live URLs)
v1.3.0
v1.3.0: CRITICAL FIX — replaced placeholder Stripe URLs with real working Payment Link checkout URLs
v1.2.0
v1.2.0: Dual pricing — Lifetime as primary purchase option with optional monthly. Updated Stripe checkout URLs.
v1.1.0
Monetization update: added Free vs Pro plans, Stripe upgrade links, bundle option, and updated support/contact details.
v1.0.0
Initial release of XSS Scanner Skill.
- Scans web apps for reflected and DOM-based XSS using 24+ payloads across 6 injection contexts.
- Features smart filtering to skip API responses, concurrent worker threads, and an auto-crawl mode with configurable depth.
- Pure Python 3—no external dependencies; compatible with WSL and Windows.
- Supports command-line usage, OpenClaw Discord commands, and offers a Pro upgrade with export, integrations, and scheduled scans.
- Strictly for authorized, legal security testing.
元数据
常见问题
Xss Scanner 是什么?
Scans web apps for reflected and DOM-based XSS using 24+ payloads across 6 contexts, with crawl and concurrency support for authorized security audits. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 133 次。
如何安装 Xss Scanner?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install edgeiq-xss-scanner」即可一键安装,无需额外配置。
Xss Scanner 是免费的吗?
是的,Xss Scanner 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Xss Scanner 支持哪些平台?
Xss Scanner 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Xss Scanner?
由 snipercat69(@snipercat69)开发并维护,当前版本 v1.4.0。
推荐 Skills