Poc Validator
Author: whatyourname12345 (GitHub) · v0.1.0 · MIT-0
Total downloads: 103 · Favorites: 1 · Current installs: 0 · Versions: 1
Install in OpenClaw:
/install openclaw-poc-validator
Description
Automated Vulnerability Verification and Payload Replay Probe. Dynamically executes HTTP requests and analyzes HTTP status codes/error traces (e.g., SQL Inje...
Safe usage recommendations
This skill behaves as advertised (it replays HTTP requests and extracts error traces), but take these precautions before installing or using it:
- Ensure you have explicit authorization to test any target. The skill will send arbitrary payloads and has no built-in permission checks; misuse can be illegal.
- The package does not declare runtime dependencies: you need python3 and the Python 'requests' library available where the agent runs.
- The script disables TLS verification (verify=False) and will accept self-signed certs; consider modifying this if you need strict TLS validation.
- Requests may include Cookie or Authorization headers and the skill prints response headers/body snippets to stdout — avoid sending sensitive credentials as part of tests or ensure logs are protected.
- If you plan to run this autonomously, add operational safeguards (rate limits, allowlist of target hosts, explicit confirmation prompts) to avoid accidental scanning/exfiltration.
If those conditions are acceptable and you only intend to test authorized targets, the skill is coherent with its stated purpose.
Functional analysis
Type: OpenClaw Skill
Name: openclaw-poc-validator
Version: 0.1.0
The skill bundle provides a tool for replaying HTTP requests and analyzing responses for vulnerabilities like SQL injection. While the logic in 'scripts/replay.py' is functional for its stated purpose, it introduces high-risk capabilities including arbitrary network access, SSL verification bypass, and proxy support. Additionally, the command construction pattern in 'SKILL.md' (e.g., python3 scripts/replay.py --url "{URL}") presents a potential command injection vulnerability if the agent's execution environment does not strictly sanitize input parameters. No evidence of intentional malicious behavior such as data exfiltration or persistence was found.
Capability assessment
Purpose & Capability
The name/description (PoC Validator) aligns with the included script and SKILL.md: both replay HTTP requests and extract error snippets (SQLSTATE, syntax errors, etc.). Nothing requested (no env vars or unrelated binaries) appears out-of-scope. Minor omission: the SKILL.md examples invoke `python3` and the script uses the `requests` library, but the registry metadata lists no required binaries or dependencies; this is an implementation-detail mismatch that should be declared.
Instruction Scope
SKILL.md instructions are narrowly focused on accepting a user-provided URL, method, headers (including Cookie and User-Agent), and payload, running scripts/replay.py, and analyzing the response. It does not instruct the agent to read unrelated files or environment variables. However, it explicitly permits replaying 'malicious payloads' against arbitrary targets and contains no built-in authorization checks or rate limits — this means the skill can be used for unauthorized testing if the agent or user supplies unapproved targets/payloads. The SKILL.md warns against mass scanning/DDoS/unauthorized exploitation but does not enforce safeguards.
Install Mechanism
There is no install spec (instruction-only plus a script), which is low-risk. The script requires Python 3 and the third-party 'requests' package, but these requirements are not declared in the registry metadata. No downloads from external URLs or archives are present.
Credentials
The skill requests no environment variables or credentials, which is proportionate. Still, the runtime behavior can transmit or capture sensitive data (cookies, auth headers, and full response bodies) from the target. The skill will print response headers/body snippets to stdout (JSON), so secrets obtained from target responses could be exposed in agent logs — this is expected for this class of tool but worth noting.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify other skills or system configurations. Model-invocation is enabled by default but not excessive here; autonomous invocation combined with lack of authorization checks could increase misuse risk, but that is an operational concern rather than an incoherence in the skill itself.
How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box:
/install openclaw-poc-validator
- After installation, call the Skill by name directly, or trigger it with /openclaw-poc-validator.
- Provide the required inputs as described in the Skill's parameter documentation to receive structured output.
Version history
v0.1.0
**Initial public release of poc-validator.**
- Automates vulnerability verification and payload replay for supplied raw HTTP requests or payloads.
- Runs test requests via scripts/replay.py and analyzes HTTP responses for errors and stack traces.
- Detects and reports signs of SQL injection and server exceptions by scanning response status and error keywords.
- Produces clear, standardized validation reports including request details, outcome, and relevant evidence.
- Not designed for mass scanning, DDoS, or unauthorized exploitation activities.
FAQ
What is Poc Validator?
Automated Vulnerability Verification and Payload Replay Probe. Dynamically executes HTTP requests and analyzes HTTP status codes/error traces (e.g., SQL Inje... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 103 downloads to date.
How do I install Poc Validator?
Run the command "/install openclaw-poc-validator" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Poc Validator free?
Yes, Poc Validator is completely free. It is released under the MIT-0 license and may be freely downloaded, installed and used.
Which platforms does Poc Validator support?
Poc Validator is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed Poc Validator?
Developed and maintained by whatyourname12345 (@whatyourname12345); current version v0.1.0.