ClawHub

picoclaw-self-pen-testing

v0.0.1

Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance.

0· 21·0 current·0 all-time
by@davida-ps

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for davida-ps/picoclaw-self-pen-testing.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "picoclaw-self-pen-testing" (davida-ps/picoclaw-self-pen-testing) from ClawHub.
Skill page: https://clawhub.ai/davida-ps/picoclaw-self-pen-testing
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install davida-ps/picoclaw-self-pen-testing

ClawHub CLI

Package manager switcher

npx clawhub@latest install picoclaw-self-pen-testing
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description say 'local posture-review' and the package contains a small Node-based engine and CLI that reads a profile JSON and emits findings. Declared requirement of node and optional PICOCLAW_HOME are appropriate and proportional. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions require an explicit --profile path and the CLI only reads that file, runs in-memory checks, and prints JSON. This matches the stated read-only scope. Minor note: SKILL.md/README mention a python utils/validate_skill.py validation command that is not included in the package—this is a documentation/test mismatch but not a runtime risk. Also: because the tool reads whatever profile path you supply, do not point it at files containing secrets unless you intend local inspection.
Install Mechanism
No install spec is provided (instruction-only skill) and the package includes only small JS modules and a script; nothing is downloaded or executed from remote URLs. This is low-risk for installation.
Credentials
The skill requires no credentials or sensitive environment variables. The manifest declares an optional PICOCLAW_HOME only. There are no unexpected required env vars or keys.
Persistence & Privilege
always is false, the package states 'Read-only/on-demand; no scheduler is installed', and the code does not write to system paths or modify other skills. It runs on-demand with no autonomous persistence requested.
Assessment
This package appears coherent and read-only: it only parses the JSON profile file you explicitly pass and prints findings. Before installing, verify the package source (homepage/owner) and license (AGPL implications for redistribution). Run the included unit test locally (node test/self_pen_test.test.mjs) to confirm behavior. Note the README references a python validation script that isn't packaged—ignore or supply your own validator. Most importantly, only point --profile at files you intend to inspect (do not feed it arbitrary sensitive files), and review the small JS files yourself if you want to be certain they only read and summarize the profile. If you need stronger guarantees, run the CLI in a sandboxed environment or with a copy of the profile that has secrets redacted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f5fmgdv2mda5apw57yn4ys985k67d
21downloads
0stars
1versions
Updated 4h ago
v0.0.1
MIT-0
@davida-ps
latest
Download

Picoclaw Posture Review (separate package)

Purpose: keep Picoclaw posture-review checks isolated from the broader guardian package so moderation-sensitive checks can be versioned/published independently.

Scope

This skill only performs local, read-only posture-review analysis against an existing Picoclaw posture profile.

It flags:

  • public Web UI exposure
  • disabled UI auth
  • unrestricted workspace/tooling
  • unsigned verification mode
  • MCP trust-boundary review needs
  • scheduler persistence review
  • plaintext secret markers
  • multi-channel auth review

Usage

node scripts/self_pen_test.mjs --profile ~/.picoclaw/security/clawsec/current-profile.json

Validation

python utils/validate_skill.py skills/picoclaw-self-pen-testing
node skills/picoclaw-self-pen-testing/test/self_pen_test.test.mjs

Comments

Loading comments...