Burp Suite — Utility
v1.0.1 Integration. Manage data, records, and automate workflows. Use when the user wants to interact with Burp Suite data.
Security Scan
OpenClaw
Safe
medium confidence
The skill's instructions are coherent with a Burp Suite integration that uses the Membrane CLI, but there are a few practical inconsistencies and third‑party trust decisions the user should review before installing.
Assessment Recommendations
Before installing: 1) Understand that this skill delegates auth and data access to the Membrane service — confirm where Burp project data and HTTP traffic will be stored, retention policies, and who can access it. 2) The SKILL.md omits that npm/node are required; installing the CLI requires running `npm install -g` which executes third‑party code — prefer installing in an isolated environment or using a vetted package version, and verify the package author on npm and the referenced GitHub repo. ...
ℹ Purpose and Capabilities
The skill claims to integrate Burp Suite and all runtime steps use the Membrane CLI (connect, action list/run), which is consistent with the stated purpose. However, the SKILL metadata lists no required binaries while the runtime instructions require npm/node to install the Membrane CLI — this is an omission that should be corrected.
✓ Instruction Scope
Instructions are limited to installing the Membrane CLI, authenticating via Membrane, creating/using a connector for Burp Suite, discovering/creating actions, and running actions. They do not ask the agent to read arbitrary local files or environment variables beyond authentication flows. The guidance to use browser-based login and to exchange one-time codes in headless environments is expected for this workflow.
ℹ Install Mechanism
Install is instruction-only but directs the user to run `npm install -g @membranehq/cli@latest`. Installing a global npm package is a moderate-risk operation (it executes third‑party code on the host). The package is from the public npm registry and the SKILL references a GitHub repository and a homepage, which reduces concern, but the skill should have declared that npm/node are required.
✓ Credential Requirements
No environment variables or additional credentials are requested by the skill; authentication is performed by Membrane via an interactive/browser flow. That is proportionate to the purpose. Note: relying on a third-party service (Membrane) means Burp data and auth are delegated to that service — users should verify its access controls and data retention policies.
✓ Persistence and Privileges
The skill does not request always:true, does not modify other skills or system-wide settings, and is user-invocable. Autonomous invocation is allowed by default (disable-model-invocation=false), which is normal. Nothing in the instructions implies persistent or hidden elevation of privileges.
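Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Install Command
Official: `npx clawhub@latest install burp-suite`
Mirror (accelerated): `npx clawhub@latest install burp-suite --registry https://cn.longxiaskill.com` (mirror available)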