Pentest Auth Bypass

Audited by ClawScan on May 10, 2026.

Overview

This pentest skill has authorization checks, but its script appears to produce canned high-severity auth-bypass findings instead of evidence-backed tests.

Install only if you understand this is a dual-use pentest workflow. Before using it, review the missing shared helper, run only with written authorization and a verified scope file, and treat generated findings and session artifacts as untrusted until they are backed by real test evidence.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or downstream workflow could trust a false High-severity vulnerability report and take unnecessary or disruptive remediation actions.

Why it was flagged

The script's build_finding function returns a fixed High-severity weakness with only a dry-run command as PoC; the supplied code does not show actual auth/session/MFA testing to support that report.

Skill content

'title':'Pentest Auth Bypass identified a security weakness', ... 'severity':'High', ... 'proof_of_concept':'python scripts/auth_bypass.py --dry-run'

Recommendation

Do not rely on the generated findings unless the skill is updated to perform real checks and include evidence-backed PoC details; clearly label placeholder output as such.

What this means

If used outside written authorization, auth testing can affect real accounts or services.

Why it was flagged

The skill is explicitly dual-use security testing against authentication controls, although it does state its authorization and scope requirements.

Skill content

Validate brute-force resistance, session integrity, and MFA enforcement. ... WARNING AUTHORIZED USE ONLY

Recommendation

Use only on in-scope systems with written permission, run dry-run first, and confirm the target scope file before any live execution.

What this means

The reviewed artifacts do not fully show how critical safety checks and file handling behave at runtime.

Why it was flagged

Important behavior such as scope validation, payload loading, and output path resolution is delegated to a shared helper outside the provided skill files.

Skill content

SHARED_DIR=Path(__file__).resolve().parents[2]/"autonomous-pentester"/"shared" ... from pentest_common import ... validate_scope

Recommendation

Review and trust the referenced pentest_common helper before installation, or require the skill to package and declare that dependency.

What this means

Sensitive test inputs, credentials, or session-related data could be retained in local artifacts and reused by later workflows.

Why it was flagged

The script loads a user-supplied input path, defaulting to the current directory, and writes the loaded payload into generated artifacts.

Skill content

p.add_argument('--input',default='.') ... 'input_payload':payload,'findings':[finding]

Recommendation

Use a sanitized, narrow input file or directory, write outputs to a protected location, and remove artifacts containing session or credential material after use.