Web Shells

Provides diverse web shell samples in PHP, ASP, ASPX, JSP, Python, and Perl for detection, malware analysis, and security testing under authorized conditions.

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 19 · 0 current installs · 0 all-time installs

by@PandaAI-1337

MIT-0

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description match the packaged content: the skill contains many web‑shell samples (PHP, ASP/ASPX, JSP, Python, Perl, shell scripts) and the SKILL.md states the SecLists/Web‑Shells source. The registry metadata lists 'Source: unknown' while the SKILL.md points to the SecLists repo (minor metadata inconsistency), but the requested resources and files are proportionate to the stated purpose.

✓

Instruction Scope

The SKILL.md instructs the agent to read/list files from the skill path and includes an example that reads files locally. It explicitly warns about authorized use. The instructions do not direct the agent to execute the shells, collect unrelated system data, or transmit content to external endpoints — they stay within the stated analysis/detection scope.

ℹ

Install Mechanism

No install spec (instruction‑only) — lowest installer risk. Note: the skill includes executable sample scripts (sh, war, JSP, etc.). Although there is no automatic install, those files, if executed by a user or agent, perform command execution, file upload, or filesystem access — so the shipped artifacts are dangerous when run.

✓

Credentials

The skill does not request environment variables, credentials, or config paths. That is proportionate. However several included samples reference system paths (/tmp, C:\, etc.) and contain command execution primitives (cfexecute, eval, dd, shell execution). Those are expected in web‑shell samples but are hazardous if executed on a host.

✓

Persistence & Privilege

No elevated persistence requested. always: false and default autonomous invocation are set (normal). The skill does not attempt to modify other skills or system agent configuration.

Assessment

This skill is coherent for security research: it bundles many real web‑shell samples intended for detection and testing. That also means the files are inherently malicious if executed. Before installing or using it: (1) only use in authorized, legal contexts; (2) open and inspect files before running anything; (3) perform analysis in an isolated environment (air‑gapped VM, container, or sandbox) that you can destroy afterward; (4) never run samples on production or connected networks; (5) if uncertain about provenance, prefer to obtain the original SecLists repository directly from GitHub; and (6) ensure you have written authorization for any testing against third‑party systems.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0

Download zip

latestvk977t8wsd01nt8ach7dzcz1t6183a6v0

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

SecLists Web-Shells

Description

Web shell samples for detection and analysis: PHP, ASP, ASPX, JSP, Python, Perl shells. Use for security research and detection system testing.

Source: SecLists/Web-Shells Repository: https://github.com/danielmiessler/SecLists License: MIT

When to Use This Skill

Use this skill when you need:

Web shell detection testing
Security monitoring validation
Malware analysis
IDS/IPS signature testing
Forensics research

⚠️ IMPORTANT: Only use for authorized security testing, bug bounty programs, CTF competitions, or educational purposes.

Key Files in This Skill

PHP shells - Common PHP web shells
ASP/ASPX shells - Microsoft web shells
JSP shells - Java server pages shells
Python shells - Python-based shells
Perl shells - Perl web shells

Usage Example

# Access files from this skill
import os

# Example: Load patterns/payloads
skill_path = "references/Web-Shells"

# List all available files
for root, dirs, files in os.walk(skill_path):
    for file in files:
        if file.endswith('.txt'):
            filepath = os.path.join(root, file)
            print(f"Found: {filepath}")
            
            # Read file content
            with open(filepath, 'r', errors='ignore') as f:
                content = f.read().splitlines()
                print(f"  Lines: {len(content)}")

Security & Ethics

Authorized Use Cases ✅

Authorized penetration testing with written permission
Bug bounty programs (within scope)
CTF competitions
Security research in controlled environments
Testing your own systems
Educational demonstrations

Prohibited Use Cases ❌

Unauthorized access attempts
Testing without permission
Malicious activities
Privacy violations
Any illegal activities

Complete SecLists Collection

This is a curated subset of SecLists. For the complete collection:

Full repository: https://github.com/danielmiessler/SecLists
Size: 4.5 GB with 6,000+ files
All categories: Passwords, Usernames, Discovery, Fuzzing, Payloads, Web-Shells, Pattern-Matching, AI, Miscellaneous

Generated by Skill Seeker | SecLists Web-Shells Collection License: MIT - Use responsibly with proper authorization

Files

11 total

Select a file

Select a file to preview.

Comments

Loading comments…