Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ctf Web
v1.0.0
Provides web exploitation techniques for CTF challenges. Use when solving web security challenges involving XSS, SQLi, SSTI, SSRF, CSRF, XXE, file upload byp...
by @gandli
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (web CTF exploitation) aligns with the provided files: many vulnerability classes, payloads, and tooling hints are present. It does not request environment variables or automated installers, which is reasonable for a reference-only skill. Note: SKILL.md claims compatibility requiring a filesystem-based agent, bash/Python3 and internet access — this is consistent with running the supplied examples but gives the skill capability to run local commands and install tools if an agent follows instructions.
Instruction Scope
SKILL.md and included documents contain many direct exploit examples that perform network callbacks or exfiltrate data to external URLs (e.g., webhook.site, attacker.com), and describe hosting attacker JWKS endpoints, posting data to external servers, and running tooling that interacts with targets. Those instructions go beyond passive guidance and, if executed by an agent with network access, could leak data or interact with third parties. Additionally, a prompt-injection pattern ('ignore-previous-instructions') was detected inside SKILL.md which could indicate an attempt to manipulate agent behavior.
Install Mechanism
There is no automated install spec (instruction-only), so nothing will be written or executed on disk by default. However the README contains manual install commands (pip, apt, brew, go install, ysoserial) which instruct the operator or an agent to download and run third-party tools from the internet. Because installs are manual in the docs, risk is lower than an automated download/install, but an agent that follows instructions could install networked tools.
Credentials
The skill does not request credentials, environment variables, or config paths. That is proportionate for a reference/cheat-sheet style skill. Caveat: the content explicitly instructs attackers to obtain and misuse credentials and identity tokens in many examples — the skill itself does not request them, but its instructions target such secrets.
Persistence & Privilege
No 'always: true' or other persistent installation is requested. The skill is instruction-only and does not claim to modify other skills or system-wide settings. Autonomous invocation is allowed by platform defaults, which combined with the instruction content could increase risk — consider restricting autonomous invocation for this skill.
Scan Findings in Context
[ignore-previous-instructions] unexpected: A prompt-injection pattern was found in SKILL.md metadata. This phrase is not expected in a benign cheat-sheet and could be an attempt to manipulate the agent's instruction processing. Review the SKILL.md header and any hidden metadata before allowing automated execution.
What to consider before installing
This skill appears to be a detailed CTF web-exploitation reference (XSS, SQLi, SSRF, JWT attacks, etc.) and is internally consistent with that purpose. However: (1) it contains many runnable examples that exfiltrate data or instruct hosting attacker endpoints — do not allow an agent with network access and command execution to run those examples on your behalf; (2) the SKILL.md contains a detected prompt-injection string — treat that as suspicious and inspect the file before use; (3) the docs instruct installing many third-party tools from the internet — perform installs only in an isolated lab or sandbox; (4) avoid enabling autonomous invocation for this skill unless you trust the author and have constrained the agent's network/command permissions. If you want to proceed, request the author's provenance, review the SKILL.md for any hidden or contradictory metadata (e.g., 'user-invocable' mismatch), run the skill offline or in a VM, and disable network access for the agent unless explicitly needed for a controlled test.
auth-and-access.md:423
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
