Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
security-test-suite
v1.0.2Performs automated security assessments including vulnerability scans, OWASP Top 10 checks, CVE detection, pen-testing, SSL audits, and API security testing...
⭐ 0· 49·0 current·0 all-time
by@guo5404
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The registry metadata and skill name advertise a 'security-test-suite' with vulnerability scans, OWASP checks, CVE detection, and pentesting. The SKILL.md, however, documents a 'Web Health & Quality Assurance Suite' focused on availability, SSL monitoring, and QA. That mismatch is material: a pentesting/security scanner would reasonably require different tooling, code, and credentials. Additionally, the SKILL.md references many scripts (scripts/*.py) that are not present in the package, which makes the claimed capabilities unsupported by the provided files.
Instruction Scope
Runtime instructions tell the agent to execute local scripts (availability_check.py, web_health_check.py, input_validator.py, endpoint_verifier.py, etc.) with options that include --auth, --cookie, --proxy, --methods (including PUT/DELETE), and --payloads. These options allow potentially intrusive or state-changing requests. The SKILL.md doesn't instruct reading arbitrary system files or environment variables, but it does instruct running non-bundled scripts and using payload files and auth tokens supplied to the commands — which could be used for pen-testing. The instructions are also internally inconsistent (referencing scripts that are not bundled), granting broad operational discretion without the actual implementation.
Install Mechanism
There is no install spec and no code files in the package (instruction-only). That minimizes on-disk install risk, but it also means the skill is incomplete: it instructs running scripts that aren't included. Lack of an install mechanism is appropriate for a pure-instructions skill but here highlights incompleteness rather than safety.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md accepts auth tokens, cookies, proxies, and payload files as CLI arguments, which is reasonable for a monitoring/testing toolkit. However, given the skill's advertised scope (CVE detection / pentesting) one might expect additional credentials or tooling; the absence of declared credentials combined with the advertising mismatch is suspicious but not definitive on its own.
Persistence & Privilege
The skill does not request 'always' presence and uses the platform defaults for invocation. It does not attempt to modify other skills or system-wide configuration in the provided materials.
What to consider before installing
Do not install or run this skill without more information. The skill's name/description claim active security testing and pentesting capabilities, but the included SKILL.md documents a web-health/QA toolkit and references Python scripts that are not included in the package — this mismatch could be sloppy packaging or intentional. Before proceeding: (1) ask the publisher for the missing scripts/source code and a verifiable author/source/homepage; (2) verify the actual code to ensure no hidden exfiltration, backdoors, or destructive tests; (3) if you plan to run any tests, obtain explicit written authorization from target owners and run first in an isolated, non-production environment; (4) be cautious with options that accept auth tokens, cookies, proxies, payloads, and HTTP methods like PUT/DELETE—these can change target state; (5) prefer skills with a clear, verifiable source (GitHub/org releases) and included code that matches the documentation. If you cannot get the source or the author, treat the skill as incomplete/untrusted and avoid use.Like a lobster shell, security has layers — review code before you run it.
latestvk979est33jvpeppfxpkz0e17b183rmwe
License
MIT-0
Free to use, modify, and redistribute. No attribution required.