metasploit-framework-skill
Author: Herbert He · v1.0.0 · MIT-0
Total downloads: 100
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install metasploit-framework-skill
Description
Guides AI agents to perform penetration testing with Metasploit Framework via bash; includes scanning, exploit selection, payload delivery, session and post-...
Safe usage recommendations
This skill is a full Metasploit playbook — internally consistent for authorized penetration testing but dangerous if run on production or without permission. Before installing or invoking it:
1) Confirm you have explicit authorization to test the target(s).
2) Run in an isolated lab/VM (not your workstation or production host).
3) Inspect any remote install commands (the SKILL.md recommends curl from GitHub raw and running the script); prefer distro packages or vetted installers where possible.
4) Avoid running docker with --network host or mounting sensitive host paths; prefer running the container in an isolated network/VM.
5) Disable autonomous execution or require human confirmation before executing any install, msfconsole, msfvenom, handler, or persistence commands.
6) Be aware the skill instructs clearing logs and creating persistence — these are intrusive actions; review and approve each command before execution.
Given the skill has no provenance (no homepage/source), treat it with additional caution and review the exact commands you or the agent will run.
Functional analysis
Type: OpenClaw Skill
Name: metasploit-framework-skill
Version: 1.0.0
This skill bundle provides a comprehensive toolkit and detailed instructions for an AI agent to perform offensive cyber operations using the Metasploit Framework. It includes explicit guidance for reconnaissance, exploitation, credential theft (e.g., `hashdump`), data exfiltration, and establishing persistence (e.g., adding a 'hacker' user or registry backdoors) across files like SKILL.md, pentest-workflows.md, and post-exploitation.md. While these activities are aligned with the stated purpose of penetration testing, the automation of high-risk behaviors—including stealth techniques like log clearing (clearev) and the use of curl|bash for installation from the official Rapid7 repository—poses a significant risk of unauthorized use or automated abuse.
Capability assessment
Purpose & Capability
The name/description (Metasploit-based pentesting) matches the content: SKILL.md and supplemental files provide step-by-step, non-interactive Metasploit workflows (nmap, msfconsole, msfvenom, handlers, post-exploitation). The instructions expect msfconsole, msfvenom, nmap, docker, etc., which are appropriate for the stated purpose even though the registry metadata did not declare those binaries.
Instruction Scope
The instructions go beyond passive guidance and specify concrete system-altering actions: installing software, pulling images, running containers with --network host and mounted volumes, generating payloads, starting background handlers, creating user accounts, modifying cron/registry for persistence, and clearing logs. These actions are consistent with an offensive pentest guide but are high-impact and could cause harm if executed unintentionally or without authorization.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md tells agents to run installation commands that download and execute remote scripts (curl raw.githubusercontent.com → /tmp/msfinstall && exec) and to docker pull/run images. Download-and-execute from the network and running containers with host networking are high-risk operations and should be reviewed before use. The sources (GitHub raw, Docker Hub metasploit image) are common release hosts, but executing remote scripts remains a risk.
Credentials
The skill declares no required environment variables or credentials, which aligns with the registry metadata. At runtime it auto-detects local network addresses (LHOST) and reads local network/config state (ip route, ifconfig) and writes files under /tmp or mounted volumes. Those accesses are proportional to launching reverse handlers and payloads for pentesting, but they expose/require system network context and filesystem write access.
Persistence & Privilege
The guide explicitly instructs creating persistent backdoors (cron entries, registry persistence, new users, service modifications), running long-lived background handlers, and clearing logs. While normal for a pentest workflow, these are elevated, persistent changes to the host. The skill is not marked always:true, but because the agent may autonomously run commands, allow-listing/approval and constrained runtime privileges are recommended before allowing it to run.
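How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install metasploit-framework-skill
- After installation completes, call the Skill by name or use /metasploit-framework-skill to trigger it
- Provide the necessary inputs according to the Skill's parameter description to get structured output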
Version history
v1.0.0
Init
FAQ
What is metasploit-framework-skill?
Guides AI agents to perform penetration testing with Metasploit Framework via bash; includes scanning, exploit selection, payload delivery, session and post-... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 100 cumulative downloads so far.
How do I install metasploit-framework-skill?
Run the command "/install metasploit-framework-skill" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is metasploit-framework-skill free?
Yes, metasploit-framework-skill is completely free and is released under the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does metasploit-framework-skill support?
metasploit-framework-skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed metasploit-framework-skill?
It is developed and maintained by Herbert He (@herberthe); the current version is v1.0.0.