p0lish

web-recon

Author: p0lish · GitHub · v0.1.0
cross-platform · ⚠ suspicious
541 total downloads
1 favorite
2 current installs
5 versions
Install in OpenClaw
/install web-recon
Description
Website vulnerability scanner and security audit toolkit. Scan any website for security issues: open ports (nmap), exposed secrets, subdomain enumeration, di...
Safe usage advice
This package appears to do what it says (an integrated web reconnaissance tool), but it comes from an unknown owner and will perform intrusive network actions (port scans, directory brute force, secrets discovery) and call public APIs (ip-api, Shodan if configured). Before installing or running:
  1. Only scan targets you are explicitly authorized to test (unauthorized scanning may be illegal).
  2. Review the two scripts yourself (they're included) and run them in a sandbox or isolated environment.
  3. Be cautious about providing SHODAN_API_KEY.
  4. If you don't want password-spray or brute-force behavior, avoid installing or supplying wordlists that enable credential attacks.
If you want higher assurance, request provenance (homepage or repo) or verify the upstream projects referenced (titus, nuclei, subfinder, etc.) before use.
Functional analysis
Type: OpenClaw Skill
Name: web-recon
Version: 0.1.0
The bundle is a comprehensive web reconnaissance and vulnerability scanning toolkit that orchestrates multiple security tools such as nmap, gobuster, and nuclei. It includes scripts for automated technology fingerprinting, subdomain enumeration, and secrets detection (scripts/titus-web.sh). While the functionality is aligned with its stated purpose for security auditing, it is classified as suspicious due to its high-risk capabilities, including active network scanning, directory brute-forcing, and the automated fetching of remote content for analysis. It also communicates with external services like ip-api.com and shodan.io for geolocation and infrastructure intelligence.
Capability assessment
Purpose & Capability
The name and description (web recon / vuln scanning) match the included scripts and references: nmap, whatweb, subfinder/amass, gobuster/ffuf, nikto, nuclei, WPScan and a 'titus' secrets scanner are all used. The included wordlists and references align with directory/subdomain discovery and secrets reconnaissance.
Instruction Scope
SKILL.md and scripts are explicit about network scanning, downloading site content, running port scans, querying public APIs (ip-api.com, Shodan if API key provided) and producing reports in ~/.openclaw/workspace/recon/<domain>/. They do not attempt to read unrelated system files, but they do look for wordlists at system paths (/usr/share/seclists, /usr/share/dirb) and may use password lists (references mention password spraying wordlists). This is expected for pentesting but increases potential for misuse.
Install Mechanism
There is no install spec; the skill is instruction+script based and expects the user to have or install third-party CLI tools. The scripts skip missing tools gracefully. No archive downloads or obscure install URLs are performed by the included scripts themselves (references mention GitHub releases for third-party tools).
Credentials
The skill does not require secrets. SKILL.md documents an optional SHODAN_API_KEY and OUTDIR. Registry metadata lists no required env vars; the Shodan API key mentioned in the documentation is reasonable to include and should be treated as optional. The references to password lists and password-spraying wordlists are relevant to pentesting but also facilitate offensive actions; this increases sensitivity but is coherent with the stated purpose.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configs. It writes scan outputs to a workspace directory under the user's home; that is a normal, limited footprint.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install web-recon
  3. After installation, call the Skill by name directly or trigger it with /web-recon.
  4. Provide the required inputs according to the Skill's parameter description to get structured output.
Version history
v0.1.0
Initial release — website vulnerability scanner and security audit toolkit
v1.2.0
Improved skill description for search discoverability. Restructured SKILL.md with clearer 'Why Use This' section, tool columns in scan modules table, and better organization. No functional changes.
v1.1.0
Security header scoring (10 headers, severity-weighted, color-rated). CORS misconfiguration detection. Port scanning (nmap top 1000). Shodan via SHODAN_API_KEY env var. Screenshot capture (cutycapt/chromium). JSON report output (--json). Resume mode (--resume). Merged webrecon.sh into webscan.sh --quick. Expanded sensitive file checks (30+ paths). Consolidated into single script.
v1.0.1
Fix: removed hardcoded host paths. Scripts now use relative paths (SCRIPT_DIR) and PATH lookups for optional tools.
v1.0.0
Initial release: webscan.sh (10-step security scan), webrecon.sh (light recon), titus-web.sh (secrets scanner)
Metadata
Slug: web-recon
Version: 0.1.0
License:
Total installs: 2
Current installs: 2
Versions: 5
FAQ

What is web-recon?

Website vulnerability scanner and security audit toolkit. Scan any website for security issues: open ports (nmap), exposed secrets, subdomain enumeration, di... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 541 cumulative downloads to date.

How do I install web-recon?

Run the command /install web-recon in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is web-recon free?

Yes, web-recon is completely free (open source); you can download, install and use it freely.

Which platforms does web-recon support?

web-recon is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed web-recon?

Developed and maintained by p0lish (@p0lish); current version v0.1.0.
