Skill v1.0.0

ClawScan security

Web Application Fuzzing Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 11:44 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requested inputs and instructions align with its stated purpose (automated web fuzzing with Burp-like tooling); it is coherent but contains inherently dangerous payload examples and workflow steps that require responsible, authorized use.
Guidance
This skill is coherent for authorized penetration testing but contains concrete attack payloads and instructions to bypass defenses; only use it on targets you explicitly have written permission to test. Before installing or running: (1) confirm written authorization and scope from the owning party, (2) run in an isolated test environment if you lack authorization, (3) ensure you have a licensed Burp Suite or equivalent and that any human-solver or external CAPTCHA services you integrate comply with policies, (4) avoid supplying unrelated credentials or secrets to the skill, and (5) maintain logs and human oversight; automated harvesting/bypass techniques are high-risk and can cause legal and ethical issues if used improperly.

Review Dimensions

Purpose & Capability
ok · Name/description (web fuzzing, enumeration, harvesting, Burp Intruder workflows) match the SKILL.md content. No unrelated environment variables, binaries, or config paths are requested. The explicit dependency on Burp Suite features and HTTP request/response inputs is appropriate for the stated purpose.
Instruction Scope
note · SKILL.md provides detailed, operational instructions including attack payloads (SQLi, XSS, command injection, path traversal, RFI), session-handling and CAPTCHA-bypass approaches, and triage guidance. These instructions remain within the described fuzzing and enumeration scope, but they explicitly describe techniques to harvest sensitive data and bypass defenses (CAPTCHA, CSRF, session expiry). That is expected for a penetration-testing skill but increases sensitivity and potential for misuse.
Install Mechanism
ok · Instruction-only skill with no install spec and no code files; lowest risk from install mechanism. It correctly relies on external tooling (Burp Suite) rather than attempting to install arbitrary code.
Credentials
ok · No environment variables, credentials, or config paths are requested. Required inputs (Burp project/HTTP traffic, target URL, authorization confirmation) are proportionate to the described tasks.
Persistence & Privilege
ok · always:false and normal agent invocation settings. The skill does not request persistent presence or to modify other skills' configurations. Autonomous invocation is allowed by default but is not combined with other privilege escalations here.