← 返回 Skills 市场
132
总下载
1
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install pentest-workbench
功能描述
Comprehensive offensive security workflow for bug bounty, vulnerability assessment, penetration testing, and exploitation. Use when performing security testi...
安全使用建议
This skill is an offensive-security reference and includes scripts that will actively scan and fuzz network targets and detailed exploit/privesc recipes. That is coherent with its stated purpose but high-risk if used on systems you do not own or without authorization. Before installing or invoking: 1) Confirm legal authorization and a defined scope for testing. 2) Review/limit agent/network permissions — running the skill will call tools like nmap and may contact remote hosts. 3) Ensure required tools (nmap, msfvenom, sqlmap, python) are installed on the host — the manifest does not declare them. 4) Consider running scripts manually in a controlled lab, and avoid allowing autonomous agent invocation against production networks. 5) Note the package source is unknown (no homepage); if provenance matters, obtain a vetted copy from a known repository or author.
功能分析
Type: OpenClaw Skill
Name: pentest-workbench
Version: 1.0.0
The 'pentest-workbench' skill provides a comprehensive suite of offensive security tools and documentation for reconnaissance, fuzzing, and exploitation. While the behavior is aligned with its stated purpose, it includes high-risk capabilities such as automated network scanning (scripts/pentest-recon.sh) and protocol fuzzing (scripts/vulnserver-fuzz.py). The reconnaissance script is vulnerable to shell injection because it fails to sanitize the target input before passing it to nmap. Additionally, the documentation in the references/ directory provides actionable instructions for buffer overflows and privilege escalation (GTFOBins/LOLBAS), which are high-risk activities.
能力评估
Purpose & Capability
The name/description match the provided content: recon, vuln analysis, exploit dev, and privesc guidance. However the skill's metadata lists no required binaries while the SKILL.md and scripts clearly assume many external tools are present (nmap, msfvenom, sqlmap, netcat, etc.). Also the package has no homepage or known source — provenance is unknown and should be considered.
Instruction Scope
SKILL.md explicitly instructs active network scanning, fuzzing, exploitation, privilege escalation, and persistence techniques. Those actions are coherent for a pentest skill, but they are inherently destructive and broad: the top guidance relies on user-supplied scope yet the skill also lists many trigger phrases (e.g., 'exploit this', 'run a pentest') that could encourage use outside authorized scope. The included scripts (nmap scans writing to /tmp, a fuzzing socket tool) will perform network activity if run. There are no instructions that read unrelated local secrets, but there are explicit instructions for extracting credentials (Mimikatz/LaZagne) and modifying target systems — expected for the purpose but high-risk if misapplied.
Install Mechanism
No install spec is present (instruction-only + two small scripts). No network download/install steps are embedded. The absence of an install phase reduces supply‑chain risk, but bundled scripts will run local binaries when executed.
Credentials
The skill declares no required environment variables or credentials, which aligns with the provided artifacts. The content references attacker-controlled LHOST/LPORT values and credentials/tools that pentesters commonly use, but those are not requested from the host environment by the skill itself. No unrelated secrets or system config paths are requested by the skill manifest.
Persistence & Privilege
always:false and no special privileges or modifications of other skills/system settings are requested. The SKILL.md discusses persistence techniques for targets (scheduled tasks, SSH keys), which is appropriate for a pentest reference but unrelated to the skill's own installation or privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pentest-workbench - 安装完成后,直接呼叫该 Skill 的名称或使用
/pentest-workbench触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: buffer overflow, privesc, recon, tools catalog
元数据
常见问题
Pentest Workbench 是什么?
Comprehensive offensive security workflow for bug bounty, vulnerability assessment, penetration testing, and exploitation. Use when performing security testi... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 132 次。
如何安装 Pentest Workbench?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pentest-workbench」即可一键安装,无需额外配置。
Pentest Workbench 是免费的吗?
是的,Pentest Workbench 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Pentest Workbench 支持哪些平台?
Pentest Workbench 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Pentest Workbench?
由 mamuaminu(@mamuaminu)开发并维护,当前版本 v1.0.0。
推荐 Skills