← 返回 Skills 市场
93
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install openclaw-security-testing-agent
功能描述
安全测试Agent。漏洞扫描、渗透测试、代码审计、安全加固。触发词:安全、渗透、漏洞、xss、sql注入、csrf、扫描、审计。
安全使用建议
This skill appears coherent for its stated purpose, but it performs active scans and includes potentially destructive payloads. Before installing or using it: 1) Only run scans against systems you explicitly have permission to test; unauthorized scanning may be illegal. 2) Review the full SKILL.md and any referenced repository (skill.json points to a GitHub URL) to confirm the author and intent—the registry metadata shows an unknown source. 3) Run the skill in an isolated/test environment (or sandbox) first to avoid accidental damage to production systems. 4) The SKILL.md references many external tools but won't install them for you—install and vet those tools yourself. 5) Do not provide credentials or tokens to the skill unless you understand and trust where they will be used; prefer ephemeral/test credentials. If you want higher assurance, request the complete SKILL.md and verify there are no instructions that read or exfiltrate local files or environment variables before running.
功能分析
Type: OpenClaw Skill
Name: openclaw-security-testing-agent
Version: 1.0.0
The skill bundle provides a security testing suite in SKILL.md that includes active vulnerability scanning, secret detection, and dependency auditing. It utilizes high-risk capabilities such as executing shell commands via subprocess.run and scanning the local filesystem for sensitive credentials like AWS, GitHub, and OpenAI tokens. While these actions are consistent with the stated purpose of a security agent, the presence of destructive SQL injection payloads (e.g., DROP TABLE) and the broad access to local secrets without built-in safeguards make the bundle inherently risky, though no clear evidence of intentional data exfiltration or malicious intent was found.
能力标签
能力评估
Purpose & Capability
The name/description (security testing, scanning, pentest, code audit) align with the SKILL.md content: SAST/DAST/SCA/static secret scanning/container scanning and example scanner code. The required environment, binaries, and config paths are minimal and consistent with an instruction-only pentesting helper. The SKILL.md references common tools (SonarQube, Semgrep, ZAP, Burp, Snyk, Trivy) which are expected for this domain.
Instruction Scope
The provided instructions include runnable scanner code that issues HTTP requests with offensive payloads (SQL injection strings, XSS payloads, time-based tests, etc.). This is consistent with a pentest tool but means the skill performs active probing and can be destructive (e.g., payloads like "'; DROP TABLE users--"). The SKILL.md also mentions static-secret scanning and other tools which imply reading project files or repositories; the skill does not declare explicit limits or require an authorization token, so you must ensure explicit permission before use. The SKILL.md lists many external tools but provides no install steps — the agent may assume those tools are available or try to run equivalent Python code, which could fail or behave unexpectedly.
Install Mechanism
No install spec and no code files beyond SKILL.md means nothing will be downloaded or written by an installer. That lowers supply-chain risk. However, because the document references many third-party tools without providing installers, users should be aware they need to install and trust those tools themselves.
Credentials
The skill declares no required environment variables or credentials. The example scanner accepts an optional api_key parameter but the skill does not demand or request access to unrelated secrets. There is no evidence the skill tries to read unrelated environment variables or system config.
Persistence & Privilege
always is false and there are no install hooks or persistent components. The skill does not request to modify other skills or global agent settings; it is instruction-only and only runs when invoked.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-security-testing-agent - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-security-testing-agent触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
openclaw-security-testing-agent 1.0.0
- Initial release of the AI-driven security testing agent
- Supports vulnerability scanning, penetration testing, code auditing, and security hardening
- Covers SAST (static analysis), DAST (dynamic analysis), SCA (dependency scanning), secret/key leakage, and container image scanning
- Integrates with tools such as SonarQube, Semgrep, CodeQL, OWASP ZAP, BurpSuite, Snyk, Trivy, and others
- Provides Python-based frameworks for detecting common web vulnerabilities including SQL injection, XSS, and CSRF
元数据
常见问题
Security Testing Agent 是什么?
安全测试Agent。漏洞扫描、渗透测试、代码审计、安全加固。触发词:安全、渗透、漏洞、xss、sql注入、csrf、扫描、审计。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 93 次。
如何安装 Security Testing Agent?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-security-testing-agent」即可一键安装,无需额外配置。
Security Testing Agent 是免费的吗?
是的,Security Testing Agent 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Security Testing Agent 支持哪些平台?
Security Testing Agent 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Security Testing Agent?
由 SKY-lv(@sky-lv)开发并维护,当前版本 v1.0.0。
推荐 Skills