Web Security Penetration Test

Automates web security penetration testing by performing reconnaissance, vulnerability scanning, exploitation, and generating detailed compliance reports.

This package is coherent with a penetration-testing toolkit, but it includes explicit attack payloads (reverse shells, exfiltration examples, cloud metadata access) that can be destructive or leak data. Only run this skill against systems you are authorized to test. Before installing or running: review and edit config.yaml scope/exclusions; remove or blank any webhook/Jira/SMTP/GitHub tokens if you don't intend to integrate; enable safe defaults (e.g., verify_ssl: true, lower concurrency); do not run scans from your production host or as root—use an isolated VM/container; inspect start.sh and scripts that invoke system commands or open network connections; and obtain written authorization for any external testing. If you want lower risk, use the repo for offline analysis and tests against intentionally vulnerable lab systems (e.g., local VMs or known test targets).

Type: OpenClaw Skill Name: web-security-pentest-skill-complete Version: 1.0.0 The skill bundle provides a comprehensive suite for web penetration testing but contains critical vulnerabilities and high-risk capabilities. Specifically, 'scripts/utils/nmap_wrapper.py' is vulnerable to shell injection because it constructs nmap commands using unsanitized input and executes them via 'subprocess.Popen' with 'shell=True'. While the bundle's intent appears to be legitimate security auditing, it grants the AI agent broad power to execute system commands and perform network attacks, which could be exploited if the agent is subverted.