Pentest Api Attacker

v0.1.0

Test APIs against OWASP API Security Top 10 including discovery, auth abuse, and protocol-specific checks.

by Muhammad Mazhar Saeed (@0x-professor)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

  • VirusTotal: Benign
  • OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name and description claim active testing against the OWASP API Top 10 (discovery, auth abuse, protocol checks). The repo contains a single script that enforces scope/authorization checks and writes placeholder artifacts, but does not implement the scanning/fuzzing logic or invoke the external tools referenced in references/tools.md. That discrepancy (promised active testing vs implemented placeholder behavior) is incoherent and should be explained by the author.
Instruction Scope
SKILL.md instructs a safe workflow (validate scope, require explicit --i-have-authorization, honor dry-run) and uses deterministic outputs. The execution example matches the provided script. However, the script imports shared functions from skills/autonomous-pentester/shared/pentest_common.py (via a sys.path insertion). The shared module is out-of-bundle here and could contain additional behavior; inspect it to confirm the runtime scope is limited to authorized testing and that no unrelated file reads/exfiltration occur.
Install Mechanism
No install spec is provided (instruction-only with one bundled script). Nothing is downloaded or written during an install step — this is the lowest-risk pattern for install mechanism.
Credentials
The skill does not request any environment variables, credentials, or config paths. The script requires only command-line arguments (scope, target, input/output). This is proportionate to the stated purpose.
Persistence & Privilege
The always attribute is false, and the skill does not request permanent presence or attempt to modify other skills' configuration. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk attributes.
What to consider before installing
This package appears to be a scaffold that enforces scope and authorization and then writes placeholder artifacts rather than actually running the pentesting tools it advertises. Before installing or running it:

  1. Verify the origin/author, since the source is unknown.
  2. Inspect the shared module referenced at skills/autonomous-pentester/shared/pentest_common.py (not included here); it may contain the real network/testing logic or sensitive operations.
  3. Confirm you understand whether real attack tooling is intentionally omitted (is this a dry-run-only helper?) and, if you plan to run live tests, only do so with written authorization and in an isolated/test environment.
  4. If you expect active scanning (kiterunner, restler, jwt_tool, etc.), request evidence from the author showing how and where those tools are invoked; rely on signed releases or an authoritative source before granting execution privileges.


Version: latest · vk975p44y6aajww5632px5eyzb5821xjh


SKILL.md

Pentest API Attacker

Stage

  • PTES: 5
  • MITRE: T1190

Objective

Enumerate and test API endpoints and business logic attack vectors.

Required Workflow

  1. Validate scope before any active action and reject out-of-scope targets.
  2. Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
  3. Write findings in canonical finding_schema format with reproducible PoC notes.
  4. Honor dry-run mode and require explicit --i-have-authorization for live execution.
  5. Export deterministic artifacts for downstream skill consumption.

Execution

python skills/pentest-api-attacker/scripts/api_attacker.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run

Outputs

  • api-endpoints.json
  • api-findings.json
  • api-attack-report.json
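
The workflow, execution command and output list above describe a gate (scope validation, an explicit authorization flag, dry-run handling) followed by deterministic artifact export. The following Python is an added example of that gate, not the skill's own api_attacker.py and not the shared pentest_common.py module. It assumes a scope.json layout with in_scope and out_of_scope host lists (the real scope_schema.json is not on the page), a finding schema with an id field, and the same command-line flags as the Execution line. It implements no active checks; both modes emit the three artifact files so a downstream consumer sees a stable layout.

```python
"""Scope/authorization gate and deterministic artifact writer.

Added example, not the skill's own script. The scope.json layout
(in_scope / out_of_scope host lists) and the finding "id" field are
assumptions; the real scope_schema.json and finding_schema.json are not
on the page.
"""
import argparse
import hashlib
import json
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample scope for the demo (assumed layout, see above).
SAMPLE_SCOPE = {
    "in_scope": ["api.example.test", "*.staging.example.test"],
    "out_of_scope": ["admin.staging.example.test"],
}


def _host_matches(pattern, host):
    """Exact host match, or a '*.' pattern matching any subdomain (not the apex)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # leading dot blocks 'evilstaging...'
    return host == pattern


def target_host(target):
    """Accept a bare host, host:port or full URL; return the hostname only."""
    if "://" not in target:
        target = "//" + target  # lets urlparse treat the first token as netloc
    host = urlparse(target).hostname
    if not host:
        raise ValueError(f"cannot extract host from target: {target!r}")
    return host


def target_in_scope(scope, target):
    """Explicit exclusions win, so a wildcard cannot re-admit an excluded host."""
    host = target_host(target)
    if any(_host_matches(p, host) for p in scope.get("out_of_scope", [])):
        return False
    return any(_host_matches(p, host) for p in scope.get("in_scope", []))


def execution_mode(dry_run, authorized):
    """Live execution requires the explicit flag; dry-run never needs it."""
    if dry_run:
        return "dry-run"
    if authorized:
        return "live"
    raise PermissionError("live execution requires --i-have-authorization")


def deterministic_dump(obj):
    """Sorted keys, fixed indent, trailing newline: byte-identical reruns."""
    return json.dumps(obj, sort_keys=True, indent=2) + "\n"


def write_artifacts(output_dir, target, mode, endpoints, findings):
    """Write the three artifacts; the report carries a SHA-256 of each file."""
    out = Path(output_dir)
    out.mkdir(parents=True, exist_ok=True)
    artifacts = {
        "api-endpoints.json": {"target": target, "endpoints": sorted(endpoints)},
        "api-findings.json": {"target": target,
                              "findings": sorted(findings, key=lambda f: f["id"])},
    }
    report = {"target": target, "mode": mode, "artifacts": {}}
    for name, payload in artifacts.items():
        text = deterministic_dump(payload)
        (out / name).write_text(text)
        report["artifacts"][name] = hashlib.sha256(text.encode()).hexdigest()
    (out / "api-attack-report.json").write_text(deterministic_dump(report))
    return report


def run(argv=None):
    """Parse the flags from the Execution line, gate, then export artifacts."""
    p = argparse.ArgumentParser(description="scope/authorization gate (added example)")
    p.add_argument("--scope", required=True)
    p.add_argument("--target", required=True)
    p.add_argument("--input", default=None)
    p.add_argument("--output", required=True)
    p.add_argument("--format", default="json", choices=["json"])
    p.add_argument("--dry-run", action="store_true")
    p.add_argument("--i-have-authorization", action="store_true", dest="authorized")
    args = p.parse_args(argv)
    scope = json.loads(Path(args.scope).read_text())
    if not target_in_scope(scope, args.target):
        raise SystemExit(f"refusing out-of-scope target: {args.target}")
    mode = execution_mode(args.dry_run, args.authorized)
    # No checks are implemented here: endpoints and findings stay empty.
    return write_artifacts(args.output, args.target, mode, [], [])


def demo():
    """Exercise the gate end to end in a temporary directory."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as d:
        scope_file = Path(d) / "scope.json"
        scope_file.write_text(json.dumps(SAMPLE_SCOPE))
        base = ["--scope", str(scope_file), "--output", d]
        results["dry_run_mode"] = run(base + ["--target", "api.example.test", "--dry-run"])["mode"]
        try:
            run(base + ["--target", "api.example.test"])
            results["unauthorized_live"] = "allowed"
        except PermissionError:
            results["unauthorized_live"] = "refused"
        try:
            run(base + ["--target", "admin.staging.example.test", "--dry-run"])
            results["out_of_scope"] = "allowed"
        except SystemExit:
            results["out_of_scope"] = "refused"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order of the two gates matters: the scope check runs before the authorization check, so an out-of-scope target is refused even when the caller supplied --i-have-authorization. Exclusions are evaluated before inclusions for the same reason. The report file's per-artifact hashes give a reviewer a quick way to confirm that two runs over the same input produced identical artifacts, which is what "deterministic artifacts" in the workflow requires.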

References

  • references/tools.md
  • skills/autonomous-pentester/shared/scope_schema.json
  • skills/autonomous-pentester/shared/finding_schema.json

Legal and Ethical Notice

WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.

Files: 4 total
