Pentest C2 Operator
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill has authorization gates, but its script appears to generate generic high-severity C2 findings without actually running or measuring C2 tests, so its outputs need review before they are trusted.
Install only if you understand this is a dual-use pentest workflow. Verify the shared dependency, run in dry-run mode first, confirm written authorization and scope, and do not treat the generated High-severity finding as validated evidence without independent test results.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users or downstream workflows could treat a placeholder result as a validated security finding, causing false reports or unnecessary remediation work.
The script builds a generic High-severity finding and placeholder PoC/screenshot without any included code that actually runs C2 tooling or measures defensive detection outcomes.
'title':'Pentest C2 Operator identified a security weakness', ... 'severity':'High', 'description':'Automated and manual testing identified a security condition requiring remediation.', 'proof_of_concept':'python scripts/c2_operator.py --dry-run', 'screenshot':'assets/findings/placeholder.png'
Do not trust generated findings as evidence unless actual test execution and supporting observations are added and reviewed.
Running real C2 or adversary-emulation activity against the wrong target could disrupt systems or violate policy.
The skill is explicitly framed for live dual-use security testing, which is purpose-aligned but high impact and should remain tightly authorized and scoped.
WARNING AUTHORIZED USE ONLY This skill executes real security testing tools against live targets. Use only with written authorization.
Use dry-run first, confirm written authorization, and verify the target is in scope before any live activity.
The runtime behavior may depend on unreviewed local code or fail if the expected shared module is absent.
Core behavior, including scope validation and file handling, depends on a sibling shared module that is not included in the provided manifest.
SHARED_DIR=Path(__file__).resolve().parents[2]/"autonomous-pentester"/"shared" ... from pentest_common import load_payload,render_result,resolve_artifact_path,resolve_output_file,validate_scope,write_placeholder_artifact
Inspect and pin the referenced shared module before use, especially because it controls authorization checks and artifact paths.
Sensitive or untrusted input content could be carried into later reports or downstream workflows.
The script persists the user-provided input payload into generated artifacts, which the SKILL.md says are exported for downstream skill consumption.
payload=load_payload(args.input); ... 'input_payload':payload,'findings':[finding]
Use a narrowly scoped input file, avoid including secrets, and review generated artifacts before sharing or feeding them to other skills.
