Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
web-recon
v0.1.0
Website vulnerability scanner and security audit toolkit. Scan any website for security issues: open ports (nmap), exposed secrets, subdomain enumeration, di...
⭐ 1 · 408 · 2 current · 2 all-time
by @p0lish
MIT-0
License MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (web recon / vuln scanning) match the included scripts and references: nmap, whatweb, subfinder/amass, gobuster/ffuf, nikto, nuclei, WPScan and a 'titus' secrets scanner are all used. The included wordlists and references align with directory/subdomain discovery and secrets reconnaissance.
Instruction Scope
SKILL.md and scripts are explicit about network scanning, downloading site content, running port scans, querying public APIs (ip-api.com, Shodan if API key provided) and producing reports in ~/.openclaw/workspace/recon/<domain>/. They do not attempt to read unrelated system files, but they do look for wordlists at system paths (/usr/share/seclists, /usr/share/dirb) and may use password lists (references mention password spraying wordlists). This is expected for pentesting but increases potential for misuse.
Install Mechanism
There is no install spec; the skill is instruction+script based and expects the user to have or install third‑party CLI tools. The scripts skip missing tools gracefully. No archive downloads or obscure install URLs are performed by the included scripts themselves (references mention GitHub releases for third‑party tools).
Credentials
The skill does not require secrets. SKILL.md documents an optional SHODAN_API_KEY and OUTDIR. Registry metadata lists no required env vars; the presence of an optional SHODAN API key in documentation is reasonable but should be considered optional. The references to password lists and password-spraying wordlists are relevant to pentesting but also facilitate offensive actions—this increases sensitivity but is coherent with purpose.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configs. It writes scan outputs to a workspace directory under the user's home; that is a normal, limited footprint.
Assessment
This package appears to do what it says (an integrated web reconnaissance tool), but it comes from an unknown owner and will perform intrusive network actions (port scans, directory brute force, secrets discovery) and call public APIs (ip‑api, Shodan if configured). Before installing or running: 1) only scan targets you are explicitly authorized to test (unauthorized scanning may be illegal); 2) review the two scripts yourself (they're included) and run them in a sandbox or isolated environment; 3) be cautious about providing SHODAN_API_KEY; 4) if you don't want password‑spray or brute‑force behavior, avoid installing or supplying wordlists that enable credential attacks. If you want higher assurance, request provenance (homepage or repo) or verify the upstream projects referenced (titus, nuclei, subfinder, etc.) before use.
Version: latest
Tags: osint, pentest, recon, security
