Security scan
OpenClaw Security
High confidence: The skill's code, instructions, and requirements are consistent with a scope-checked pentesting helper that warns about authorization and defaults to dry-run; nothing requests unrelated credentials or installs arbitrary code.
Assessment recommendations
This skill appears coherent for authorized pentesting, but before running it: (1) verify you have written authorization and use --dry-run first; (2) inspect the shared module (autonomous-pentester/shared/pentest_common) to see what external tools or network actions it performs during non-dry-run runs; (3) run tests in an isolated environment and point outputs to a safe folder; (4) confirm scope.json accurately represents authorized targets. If you cannot review the shared helpers, avoid running ...
✓ Purpose and capabilities
Name, description, SKILL.md and the script all align: the skill scaffolds auth/session testing, references common pentest tools, and does not request unrelated credentials or system access.
ℹ Instruction scope
The SKILL.md and script enforce scope validation, require --i-have-authorization for live runs, and provide a dry-run mode, which limits accidental active testing. Note: the script imports shared helpers (pentest_common) from an external 'autonomous-pentester/shared' location; those helper functions could invoke external tools or network activity during a non-dry-run run, so review that shared module before executing live tests.
✓ Installation mechanism
No install spec (instruction-only plus a small script) — nothing is downloaded or written during install, reducing risk.
✓ Credential requirements
No environment variables, credentials, or config paths are requested. The script reads scope and input payload files (declared on the CLI), which is proportional to its purpose.
✓ Persistence and permissions
always is false and the skill does not request permanent presence or modify other skills. It only writes artifacts to the specified output path when run.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v0.1.0 2026/3/1
Initial release of pentest-auth-bypass skill.
- Tests authentication and session management for bypass and account takeover scenarios.
- Validates brute-force resistance, session integrity, and MFA enforcement.
- Supports dry-run mode and requires explicit authorization flag for live tests.
- Outputs findings and artifacts in standard formats for integration.
- Aligns to PTES, OWASP WSTG, NIST, and MITRE ATT&CK standards.
- Includes legal notice: authorized use only.
● Harmless
Install command
Official: npx clawhub@latest install pentest-auth-bypass
Mirror (accelerated): npx clawhub@latest install pentest-auth-bypass --registry https://cn.clawhub-mirror.com
Skill documentation
Stage
- PTES: 5
- MITRE: T1110, T1550
Objective
Validate brute-force resistance, session integrity, and MFA enforcement.
Required Workflow
- Validate scope before any active action and reject out-of-scope targets.
- Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
- Write findings in the canonical finding_schema format with reproducible PoC notes.
- Honor dry-run mode and require explicit --i-have-authorization for live execution.
- Export deterministic artifacts for downstream skill consumption.
Execution
python skills/pentest-auth-bypass/scripts/auth_bypass.py --scope scope.json --target --input --output --format json --dry-run
Outputs
- auth-findings.json
- valid-sessions.json
- auth-attack-report.json
References
- references/tools.md
- skills/autonomous-pentester/shared/scope_schema.json
- skills/autonomous-pentester/shared/finding_schema.json
Legal and Ethical Notice
WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.
Source: ClawHub · Chinese localization: 龙虾技能库