Web Security Client-Side Scanner 1773654191

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent, instruction-only front-end security testing workflow. It calls for normal caution because it can run web scans and handle test credentials or tokens.

Install/use this skill only for websites you own or are explicitly authorized to test. Define target and scope up front, use dedicated test credentials, keep scan volume moderate, verify any local/custom tools before running them, and redact secrets from the final report.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Scans may touch many pages, appear in server logs, or trigger defensive monitoring if run too broadly.

Why it was flagged

The skill directs the agent toward active web enumeration and scanning tools. This is expected for a front-end security assessment, but it can generate traffic and should remain scoped and authorized.

Skill content

**Tools to use:** `curl`, `wget`, browser DevTools, `gau`, `waybackurls`, `hakrawler`, `katana`, `subfinder`, `httpx`, `nuclei`, custom scripts in `TOOLS_DIR`

Recommendation

Use only on authorized targets, define the exact scope, start with passive checks, and approve any noisy scanner templates before use.

What this means

The agent may see or use test credentials, cookies, JWTs, or other session data while assessing the application.

Why it was flagged

The skill may use login credentials and inspect browser/session storage during authenticated testing. That is purpose-aligned, but it involves sensitive account/session material.

Skill content

`LOGIN` | Login URL or credentials (if authenticated testing is in scope) ... Check storage usage: `localStorage`, `sessionStorage`, `IndexedDB`, cookies

Recommendation

Use dedicated low-privilege test accounts, avoid pasting production passwords when possible, and redact secrets or tokens from reports.

What this means

Results and safety depend partly on whatever local tools or scripts the user provides.

Why it was flagged

The skill can rely on local custom scripts that are not included or version-pinned in the artifact. This is not suspicious by itself, but users should trust and review those tools separately.

Skill content

custom scripts in `TOOLS_DIR`

Recommendation

Use known, maintained scanner installations and review any custom scripts before allowing the agent to run them.

What this means

A user could mistakenly run testing against a site they are not allowed to assess.

Why it was flagged

The skill states authorization as a premise. This is a useful safety constraint, but the user should ensure it is actually true for the chosen target.

Skill content

- This assessment is authorized by the asset owner

Recommendation

Explicitly confirm ownership or written authorization before running the assessment.