📦 PoC Validator — Vulnerability Verification
v0.1.0: automatically reproduces a vulnerability and replays the probe, sending HTTP requests dynamically and deciding precisely whether the vulnerability exists from the status code and error output (for example, SQL injection error messages), returning a verification verdict within seconds.
Last updated: 2026/3/23
Security scan
OpenClaw
Security
Medium confidence
Assessment recommendations
This skill behaves as advertised (it replays HTTP requests and extracts error traces), but take these precautions before installing or using it:
- Ensure you have explicit authorization to test any target. The skill will send arbitrary payloads and has no built-in permission checks; misuse can be illegal.
- The package does not declare runtime dependencies: you need python3 and the Python 'requests' library available where the agent runs.
- The script disables TLS verification (verify=False) and...
✓ Purpose and capabilities
The name/description (PoC Validator) aligns with the included script and SKILL.md: both replay HTTP requests and extract error snippets (SQLSTATE, syntax errors, etc.). Nothing requested (no env vars or unrelated binaries) appears out-of-scope. Minor omission: the SKILL.md examples invoke `python3` and the script uses the `requests` library, but the registry metadata lists no required binaries or dependencies — this is an implementation detail mismatch that should be declared.
ℹ Instruction scope
SKILL.md instructions are narrowly focused on accepting a user-provided URL, method, headers (including Cookie and User-Agent), and payload, running scripts/replay.py, and analyzing the response. It does not instruct the agent to read unrelated files or environment variables. However, it explicitly permits replaying 'malicious payloads' against arbitrary targets and contains no built-in authorization checks or rate limits — this means the skill can be used for unauthorized testing if the agent or user supplies unapproved targets/payloads. The SKILL.md warns against mass scanning/DDoS/unauthorized exploitation but does not enforce safeguards.
ℹ Installation mechanism
There is no install spec (instruction-only plus a script), which is low-risk. The script requires Python 3 and the third-party 'requests' package, but these requirements are not declared in the registry metadata. No downloads from external URLs or archives are present.
✓ Credential requirements
The skill requests no environment variables or credentials, which is proportionate. Still, the runtime behavior can transmit or capture sensitive data (cookies, auth headers, and full response bodies) from the target. The skill will print response headers/body snippets to stdout (JSON), so secrets obtained from target responses could be exposed in agent logs — this is expected for this class of tool but worth noting.
✓ Persistence and permissions
The skill does not request persistent presence (always:false) and does not modify other skills or system configurations. Model-invocation is enabled by default but not excessive here; autonomous invocation combined with lack of authorization checks could increase misuse risk, but that is an operational concern rather than an incoherence in the skill itself.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.1.0 (2026/3/22)
● Suspicious
Install command
Official: npx clawhub@latest install openclaw-poc-validator
Mirror (accelerated): npx clawhub@latest install openclaw-poc-validator --registry https://cn.longxiaskill.com