Web Security Client-Side Scanner 1773654191
Verdict: Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: web-front-scanner-1773654191
Version: 1.0.0

The skill bundle (SKILL.md) provides a comprehensive framework for conducting client-side security assessments, including reconnaissance, static analysis, and vulnerability validation. It instructs the agent to utilize several high-risk network and security tools such as `nuclei`, `subfinder`, `katana`, and `gau`. While the instructions emphasize non-destructive testing and require user authorization, the inclusion of these broad network and execution capabilities, even when plausibly needed for the stated purpose of a security audit, meets the specific criteria for a suspicious classification. No evidence of intentional malicious behavior, such as data exfiltration or backdoors, was identified.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Scans may touch many pages, appear in server logs, or trigger defensive monitoring if run too broadly.
The skill directs the agent toward active web enumeration and scanning tools. This is expected for a front-end security assessment, but it can generate traffic and should remain scoped and authorized.
**Tools to use:** `curl`, `wget`, browser DevTools, `gau`, `waybackurls`, `hakrawler`, `katana`, `subfinder`, `httpx`, `nuclei`, custom scripts in `TOOLS_DIR`
Use only on authorized targets, define the exact scope, start with passive checks, and approve any noisy scanner templates before use.
The agent may see or use test credentials, cookies, JWTs, or other session data while assessing the application.
The skill may use login credentials and inspect browser/session storage during authenticated testing. That is purpose-aligned, but it involves sensitive account/session material.
`LOGIN` | Login URL or credentials (if authenticated testing is in scope) ... Check storage usage: `localStorage`, `sessionStorage`, `IndexedDB`, cookies
Use dedicated low-privilege test accounts, avoid pasting production passwords when possible, and redact secrets or tokens from reports.
Results and safety depend partly on whatever local tools or scripts the user provides.
The skill can rely on local custom scripts that are not included or version-pinned in the artifact. This is not suspicious by itself, but users should trust and review those tools separately.
custom scripts in `TOOLS_DIR`
Use known, maintained scanner installations and review any custom scripts before allowing the agent to run them.
A user could mistakenly run testing against a site they are not allowed to assess.
The skill states authorization as a premise. This is a useful safety constraint, but the user should ensure it is actually true for the chosen target.
- This assessment is authorized by the asset owner
Explicitly confirm ownership or written authorization before running the assessment.
