← 返回 Skills 市场

Pentest Api Attacker

Name: Pentest Api Attacker
Author: 0x-professor

作者 Muhammad Mazhar Saeed · GitHub ↗ · v0.1.0

cross-platform ⚠ suspicious

1206

总下载

当前安装

版本数

在 OpenClaw 中安装

/install pentest-api-attacker

功能描述

Test APIs against OWASP API Security Top 10 including discovery, auth abuse, and protocol-specific checks.

使用说明 (SKILL.md)

Pentest API Attacker

Stage

PTES: 5
MITRE: T1190

Objective

Enumerate and test API endpoints and business logic attack vectors.

Required Workflow

Validate scope before any active action and reject out-of-scope targets.
Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
Write findings in canonical finding_schema format with reproducible PoC notes.
Honor dry-run mode and require explicit --i-have-authorization for live execution.
Export deterministic artifacts for downstream skill consumption.

Execution

python skills/pentest-api-attacker/scripts/api_attacker.py --scope scope.json --target \x3Ctarget> --input \x3Cpath> --output \x3Cpath> --format json --dry-run

Outputs

api-endpoints.json
api-findings.json
api-attack-report.json

References

references/tools.md
skills/autonomous-pentester/shared/scope_schema.json
skills/autonomous-pentester/shared/finding_schema.json

Legal and Ethical Notice

WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.

安全使用建议

This package appears to be a scaffold that enforces scope and authorization and then writes placeholder artifacts rather than actually running the pentesting tools it advertises. Before installing or running it: 1) Verify the origin/author since the source is unknown. 2) Inspect the shared module referenced at skills/autonomous-pentester/shared/pentest_common.py (not included here) — it may contain the real network/testing logic or sensitive operations. 3) Confirm you understand whether real attack tooling is intentionally omitted (is this a dry-run-only helper?) and, if you plan to run live tests, only do so with written authorization and in an isolated/test environment. 4) If you expect active scanning (kiterunner, restler, jwt_tool, etc.), request evidence from the author showing how and where those tools are invoked; rely on signed releases or an authoritative source before granting execution privileges.

功能分析

Type: OpenClaw Skill Name: pentest-api-attacker Version: 0.1.0 The skill bundle is classified as benign. It is designed for authorized API penetration testing, with strong safeguards including explicit `--i-have-authorization` for live execution, a `--dry-run` mode, and scope validation. The `SKILL.md` and `agents/openai.yaml` instructions reinforce ethical use and security best practices for the AI agent. The `api_attacker.py` script, even when authorized, currently only generates placeholder findings, indicating it acts as an orchestrator or wrapper, not the direct attack tool itself, and contains no evidence of malicious intent like data exfiltration or unauthorized command execution.

能力评估

⚠ Purpose & Capability

The name and description claim active testing against the OWASP API Top 10 (discovery, auth abuse, protocol checks). The repo contains a single script that enforces scope/authorization checks and writes placeholder artifacts, but does not implement the scanning/fuzzing logic or invoke the external tools referenced in references/tools.md. That discrepancy (promised active testing vs implemented placeholder behavior) is incoherent and should be explained by the author.

ℹ Instruction Scope

SKILL.md instructs a safe workflow (validate scope, require explicit --i-have-authorization, honor dry-run) and uses deterministic outputs. The execution example matches the provided script. However, the script imports shared functions from skills/autonomous-pentester/shared/pentest_common.py (via a sys.path insertion). The shared module is out-of-bundle here and could contain additional behavior; inspect it to confirm the runtime scope is limited to authorized testing and that no unrelated file reads/exfiltration occur.

✓ Install Mechanism

No install spec is provided (instruction-only with one bundled script). Nothing is downloaded or written during an install step — this is the lowest-risk pattern for install mechanism.

✓ Credentials

The skill does not request any environment variables, credentials, or config paths. The script requires only command-line arguments (scope, target, input/output). This is proportionate to the stated purpose.

✓ Persistence & Privilege

always is false and the skill does not request permanent presence or attempt to modify other skills' configuration. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk attributes.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install pentest-api-attacker
安装完成后，直接呼叫该 Skill 的名称或使用 /pentest-api-attacker 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.0

pentest-api-attacker v0.1.0 - Initial release with support for testing APIs against OWASP API Security Top 10. - Includes mechanisms for API endpoint discovery, authentication abuse, and protocol-specific checks. - Enforces scope validation and authorization before active testing. - Outputs findings and artifacts in standard formats for reporting and downstream use. - Integrates with PTES, MITRE ATT&CK, OWASP WSTG, and NIST SP 800-115 methodologies.

元数据

Slug pentest-api-attacker

版本 0.1.0

许可证 —

累计安装 8

当前安装数 6

历史版本数 1

常见问题