Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

waf-validator-skills

v1.0.0

WAF Rule Validator - Tool for testing and validating WAF security rules

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability

The name/description describe a WAF testing tool and the SKILL.md contains build/run instructions, options, test-case formats and examples for GoTestWAF and the wallarm/gotestwaf Docker image — these are coherent with a WAF rule validator.

Instruction Scope

Instructions explicitly direct building and running a scanner that generates malicious requests against targets (via ./gotestwaf or Docker). The SKILL.md does not instruct reading unrelated system files or environment variables, but it does enable network scanning and request generation — ensure you have authorization to test any target.

Install Mechanism

This is an instruction-only skill with no install spec or code files. No downloads or install scripts are included in the package itself, which reduces installation risk. The README references building locally or pulling an existing Docker image.

Credentials

The skill declares no required environment variables or credentials. It mentions runtime dependencies (Go 1.24+, Chrome) but does not request unrelated secrets or system config paths — requirements are proportionate to the stated functionality.

Persistence & Privilege

The always flag is false and the skill is user-invocable; model invocation is allowed (the platform default). Note: because the skill can initiate scans, granting autonomous invocation could allow the agent to run network tests without further consent — consider limiting autonomous use if undesired.

Assessment

This skill is essentially documentation/instructions for GoTestWAF and a Docker image (wallarm/gotestwaf). Before using it:

  1. Confirm you have explicit legal authorization to run security tests against any target (unauthorized scanning is illegal).
  2. Verify the upstream project/image (wallarm/gotestwaf) and, if possible, inspect source code or the Docker image provenance before executing.
  3. Ensure Go 1.24, Docker, and optional Chrome are installed in an isolated/test environment to avoid accidental impact.
  4. Because the skill can trigger network scans, avoid enabling autonomous invocation unless you trust the skill and its operator.
  5. No secrets are requested by the skill, but do not supply unrelated credentials when following its examples.


51 downloads · 1 star · 1 version · Updated 1w ago · v1.0.0 · MIT-0

WAF Rule Validator Skill

Purpose

WAF Rule Validator is a tool for evaluating web application security solutions (WAF, API gateway, IPS). It tests the effectiveness of protection rules by generating malicious requests, and supports multiple API protocols including REST, GraphQL, gRPC, SOAP and XMLRPC.

When to Activate

  • When user needs to test WAF rule effectiveness
  • When running security validation against web application firewalls
  • When evaluating API gateway security protections
  • When performing penetration testing on WAF deployments
  • When benchmarking WAF block rate performance

Features

  • Multi-protocol support: REST, GraphQL, gRPC, SOAP, XMLRPC
  • Multiple encoding methods: Base64, URL, JSUnicode, Plain, XML Entity
  • Multiple injection points: URL path, URL params, headers, body, JSON, HTML form
  • OpenAPI integration: Generate request templates from OpenAPI specs
  • Automatic WAF detection: Identifies Akamai, F5, Imperva, ModSecurity and more
  • Multiple report formats: PDF, HTML, JSON, DOCX assessment reports

Workflow

Build

  1. Build the Go binary:
     make gotestwaf_bin
     # or
     go build -o gotestwaf ./cmd/gotestwaf

Basic Scanning

  1. Run a basic scan against target:
     ./gotestwaf --url=http://target-url --noEmailReport

Advanced Usage

  1. For specific protocols or configurations:
    • gRPC testing: --grpcPort 9000
    • OpenAPI: --openapiFile api.yaml
    • Custom test cases: --testCasesPath ./custom-testcases

Analyze Results

  1. Review the generated report in reports/ directory

Test Case Format

Test cases are defined in YAML:

payload:
  - "malicious string 1"
  - "malicious string 2"
encoder:
  - Base64Flat
  - URL
placeholder:
  - URLPath
  - JSONRequest
type: SQL Injection

Each file generates len(payload) × len(encoder) × len(placeholder) test requests.

Supported Encoders

Encoder      Description
Base64       Base64 encoding
Base64Flat   Base64 without padding
URL          URL encoding
JSUnicode    JavaScript Unicode encoding
Plain        No encoding
XML Entity   XML entity encoding

Supported Placeholders

Placeholder         Description
URLPath             URL path
URLParam            URL parameter
Header              HTTP header
UserAgent           User-Agent header
RequestBody         Request body
JSONBody            JSON request body
JSONRequest         JSON request
HTMLForm            HTML form
HTMLMultipartForm   Multipart form
SOAPBody            SOAP message body
XMLBody             XML request body
gRPC                gRPC request
GraphQL             GraphQL request
RawRequest          Raw HTTP request
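To make the Test Case Format section and the two tables concrete, here is an added example (not GoTestWAF's own code) that parses a test case in the YAML shape shown above and expands it into the payload × encoder × placeholder set of requests. The encoder transforms and the (method, path, body) layout of each placeholder are this example's reading of the table names, not the project's implementations, and the sample test case is constructed.

```python
import base64, itertools, json, urllib.parse
# Constructed sample in the SKILL.md test-case shape; not a file from the GoTestWAF repository.
SAMPLE_TESTCASE = """\
payload:
  - "malicious string 1"
  - "malicious string 2"
encoder:
  - Base64Flat
  - URL
placeholder:
  - URLPath
  - JSONRequest
type: SQL Injection
"""

def parse_testcase(text):
    """Minimal parser for this flat YAML shape (scalar keys plus block lists of strings)."""
    case, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("- "):                       # list item under the current key
            case.setdefault(key, []).append(line[2:].strip().strip('"'))
        elif line:                                      # "key:" or "key: scalar"
            key, _, value = (part.strip() for part in line.partition(":"))
            if value:
                case[key] = value
    return case

# Names from the Supported Encoders table; the transforms are this example's reading of them.
ENCODERS = {
    "Plain": lambda s: s,
    "Base64Flat": lambda s: base64.b64encode(s.encode()).decode().rstrip("="),
    "URL": lambda s: urllib.parse.quote(s, safe=""),
    "JSUnicode": lambda s: "".join(f"\\u{ord(c):04x}" for c in s),
}

# Names from the Supported Placeholders table; the (method, path, body) layouts are assumed.
PLACEHOLDERS = {
    "URLPath": lambda v: ("GET", "/" + v, None),
    "JSONRequest": lambda v: ("POST", "/", json.dumps({"test": v})),
}

def expand(case):
    """Every payload x encoder x placeholder combination, the count the SKILL.md states."""
    requests = []
    for payload, enc, ph in itertools.product(case["payload"], case["encoder"], case["placeholder"]):
        method, path, body = PLACEHOLDERS[ph](ENCODERS[enc](payload))
        requests.append({"type": case["type"], "encoder": enc, "placeholder": ph,
                         "method": method, "path": path, "body": body})
    return requests
```

Running expand(parse_testcase(SAMPLE_TESTCASE)) yields 2 × 2 × 2 = 8 requests, which is the arithmetic the section describes.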

Configuration Options

--url string              Target URL (required)
--grpcPort uint16         gRPC port
--graphqlURL string       GraphQL URL
--openapiFile string      OpenAPI spec file path
--testCasesPath string    Test cases directory (default: "testcases")
--testCase string         Run only specified test case
--testSet string          Run only specified test set
--httpClient string       HTTP client type: chrome, gohttp (default: "gohttp")
--workers int             Concurrent workers (default: 5)
--blockStatusCodes ints   HTTP status codes for blocked requests (default: [403])
--passStatusCodes ints    HTTP status codes for passed requests (default: [200,404])
--blockRegex string       Regex to identify blocked responses
--passRegex string        Regex to identify passed responses
--reportFormat strings    Report format: none, json, html, pdf, docx (default: [pdf])
--reportPath string       Report output directory (default: "reports")
--reportName string       Report filename
--noEmailReport           Save report locally instead of sending email
--wafName string          WAF product name (default: "generic")
--skipWAFIdentification   Skip WAF detection
--version                 Show version information

Examples

Basic scan

./gotestwaf --url=http://localhost:8080 --noEmailReport

gRPC testing

./gotestwaf --url=http://localhost --grpcPort 9000 --noEmailReport

OpenAPI driven testing

./gotestwaf --url=http://api.example.com --openapiFile ./api.yaml --noEmailReport

Docker usage

docker pull wallarm/gotestwaf
docker run --rm --network="host" -v ${PWD}/reports:/app/reports \
    wallarm/gotestwaf --url=http://target-url --noEmailReport

Requirements

  • Go 1.24+
  • Chrome browser (optional, for PDF report generation)

Project Structure

.
├── cmd/gotestwaf/          # Main entry point
├── internal/
│   ├── config/             # Configuration management
│   ├── db/                 # Test case database
│   ├── payload/            # Payload encoding
│   │   ├── encoder/        # Encoder implementations
│   │   └── placeholder/    # Placeholder implementations
│   ├── scanner/            # Scanning logic and clients
│   ├── openapi/            # OpenAPI parser
│   └── report/             # Report generation
├── pkg/                    # Exported packages
├── testcases/              # Default test cases
└── tests/integration/      # Integration tests

Notes

  • This project is based on GoTestWAF from Wallarm
  • Test cases in testcases/owasp/ are true-positive (should be blocked)
  • Test cases in testcases/false-pos/ are true-negative (should pass)
  • Reports are saved to reports/ directory by default
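The --blockStatusCodes, --passStatusCodes, --blockRegex and --passRegex options decide how each response is scored, and the notes above state that owasp cases should be blocked while false-pos cases should pass. This added example (not GoTestWAF code) applies those defaults to a constructed result set and derives a true-positive block rate, a false-positive rate and a bypass count; checking the regexes before the status codes is this example's own assumption about precedence, not a statement of how GoTestWAF orders them.

```python
import re
from dataclasses import dataclass

@dataclass
class ScoringConfig:
    """The SKILL.md options that decide whether a response counts as blocked or passed."""
    block_status_codes: tuple = (403,)        # --blockStatusCodes default
    pass_status_codes: tuple = (200, 404)     # --passStatusCodes default
    block_regex: str = ""                     # --blockRegex (empty = unset)
    pass_regex: str = ""                      # --passRegex (empty = unset)

def classify(status, body, cfg):
    """Return 'blocked', 'passed' or 'unresolved'. Regexes are checked before status codes here
    (an assumption for this example) so a block page served with HTTP 200 still counts as blocked."""
    if cfg.block_regex and re.search(cfg.block_regex, body):
        return "blocked"
    if cfg.pass_regex and re.search(cfg.pass_regex, body):
        return "passed"
    if status in cfg.block_status_codes:
        return "blocked"
    if status in cfg.pass_status_codes:
        return "passed"
    return "unresolved"

# Constructed results as (test set, status, body); owasp should be blocked, false-pos should pass.
SAMPLE_RESULTS = [
    ("owasp", 403, "<h1>Forbidden</h1>"),
    ("owasp", 200, "ok"),                         # bypass: attack-style request reached the app
    ("owasp", 200, "Request blocked by WAF"),     # custom block page that answers with HTTP 200
    ("owasp", 503, ""),                           # in neither status list: unresolved
    ("false-pos", 200, "ok"),
    ("false-pos", 403, "<h1>Forbidden</h1>"),     # false positive: legitimate request blocked
]

def summarize(results, cfg):
    """Per-set counts plus the two rates a WAF benchmark cares about."""
    counts = {s: {"blocked": 0, "passed": 0, "unresolved": 0} for s in ("owasp", "false-pos")}
    for test_set, status, body in results:
        counts[test_set][classify(status, body, cfg)] += 1
    tp, fp = counts["owasp"], counts["false-pos"]
    resolved_tp = tp["blocked"] + tp["passed"]
    resolved_fp = fp["blocked"] + fp["passed"]
    return {
        "counts": counts,
        "true_positive_block_rate": tp["blocked"] / resolved_tp if resolved_tp else 0.0,
        "false_positive_rate": fp["blocked"] / resolved_fp if resolved_fp else 0.0,
        "bypasses": tp["passed"],
    }
```

With only the default status lists, the HTTP 200 block page is scored as a bypass; setting --blockRegex to match the block page text is what makes such a WAF's real block rate visible.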

License

MIT License - based on the original GoTestWAF project.
