Skill v1.0.0
ClawScan security
Web Application Penetration Testing Methodology · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 12:45 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only hub methodology for authorized web-application penetration tests, and its requirements and instructions are coherent with that purpose; however, it enables active testing and orchestration of other domain skills, so operational controls and authorization checks matter.
- Guidance
- This skill is internally coherent for conducting authorized web-application penetration tests. Before installing or invoking it: (1) ensure you have explicit written authorization for any target and verify scope/allowed techniques; (2) require human oversight (operate browser/proxy) when executing active tests; (3) vet every domain-specific skill the hub calls for their own requirements and do not supply unrelated credentials; (4) prohibit autonomous/unattended runs against live targets in production without formal approvals and logging; and (5) run testing in a controlled environment (test/staging or with backups) to avoid accidental disruption.
Review Dimensions
- Purpose & Capability
- ok: The name and description match the contents: this is a coordinating hub for a full web application pentest that sequences 13 testing areas and delegates to domain skills. Requested tools (Read, Grep, Write; optional Bash/WebFetch) and the 'project directory with engagement artifacts' environment are proportionate for this purpose.
- Instruction Scope
- note: SKILL.md is an operational methodology that instructs active testing (reconnaissance, proxy-based injection, exploitation) and delegating to other domain skills. It repeatedly states testing must be authorized, and expects a human to operate the browser/proxy, which limits autonomous destructive actions — however the instructions do enable active attack steps, so ensure explicit, documented authorization and human oversight before use.
- Install Mechanism
- ok: No install spec and no code files, the lowest-risk model surface. The skill is instruction-only, so nothing is written to disk or downloaded by the skill itself.
- Credentials
- ok: The skill requests no environment variables, no credentials, and no config paths. This is appropriate for a methodology/hub skill; note that domain-specific skills it invokes may require their own credentials, so vet them before providing secrets.
- Persistence & Privilege
- ok: always:false and no special persistence requested. The skill can be invoked autonomously per platform default, which is expected for skills, but because the skill orchestrates active testing, operators should control autonomous execution and require human-in-the-loop approvals.
