Security Tester
v1.0.0Security testing for web applications and APIs based on OWASP standards. Identify common vulnerabilities (injection, auth bypass, XSS, CSRF, IDOR), generate...
⭐ 0· 40·0 current·0 all-time
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name, description, and included test matrices (OWASP Top 10, API Security) match the instructions and reference documents. The actions described (IDOR, XSS, SQLi, CSRF, SSRF, auth testing) are appropriate for a security-testing skill.
Instruction Scope
SKILL.md tells the agent to run many live tests (curl loops, brute-force attempts, payload injection including a 'DROP TABLE' payload, SSRF checks targeting metadata IPs). It also invokes tools and commands (python3, base64, nmap, openssl, jwt decoding, curl, shell loops) and references environment variables ($URL, $USER_A_TOKEN, $NORMAL_USER_TOKEN, $JWT) that are not declared. These instructions can be destructive or invasive if run against production or without authorization and grant broad operational discretion to the user/agent.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer. This reduces some risk compared to an arbitrary download/install, but runtime commands may still execute local binaries.
Credentials
The SKILL.md expects multiple runtime inputs and secrets (URL, various bearer tokens, JWTs) but requires.env lists none and the registry metadata declares no primary credential. This mismatch is important: the skill relies on user-provided credentials and target URLs but does not declare or document them as required variables. Additionally, the instructions include tests that may attempt to reach internal services (169.254.169.254) — access to cloud metadata is sensitive and must be intentionally authorized.
Persistence & Privilege
The skill is not always-included and does not request special persistence or system-wide configuration changes. Autonomous model invocation is enabled (platform default); combine this with the above concerns when deciding whether to allow autonomous runs.
What to consider before installing
This skill appears to be a legitimate OWASP-based security-testing guide, but take these precautions before installing or running it:
- Only run tests against targets you own or have explicit authorization to test. Many included checks are intrusive (SQLi payloads that include 'DROP TABLE', brute-force login attempts, DoS-style loops, SSRF tests targeting cloud metadata) and can cause data loss, account lockout, or legal issues.
- The SKILL.md expects runtime inputs (URL, bearer tokens, JWTs, API tokens) and uses tools (python3, base64, nmap, openssl) but the registry metadata does not declare these environment variables or binary requirements — the skill will implicitly depend on them. Ask the publisher to explicitly list required env vars and binaries.
- Consider running tests in a safe staging environment or with rate limits and non-destructive payloads first. Remove obviously destructive payloads (e.g., DROP TABLE) from automated runs.
- If you allow autonomous invocation, restrict its scope or disable autonomous execution until you confirm what inputs it will use. Autonomous operation combined with undisclosed credentials/targets increases risk.
- Verify legal/organizational approval and have backups/incident contacts ready before running active tests. If you need higher confidence, request the publisher to add a clear requires.env section, explicit warnings about destructive tests, and non-destructive default test mode.Like a lobster shell, security has layers — review code before you run it.
latest
Security Tester
Test web application and API security based on OWASP standards.
OWASP Top 10 (2021) Test Matrix
Reference: https://owasp.org/Top10/
| # | Category | CWE | Key Tests |
|---|---|---|---|
| A01 | Broken Access Control | CWE-284 | IDOR, privilege escalation, force browse, CORS |
| A02 | Cryptographic Failures | CWE-310 | TLS config, password storage, sensitive data exposure |
| A03 | Injection | CWE-74 | SQLi, XSS, command injection, LDAP injection |
| A04 | Insecure Design | CWE-501 | Business logic flaws, missing rate limits |
| A05 | Security Misconfiguration | CWE-16 | Default creds, verbose errors, unnecessary features |
| A06 | Vulnerable Components | CWE-1035 | Outdated libs, known CVEs |
| A07 | Auth Failures | CWE-287 | Brute force, weak passwords, session fixation |
| A08 | Data Integrity Failures | CWE-502 | Insecure deserialization, unsigned updates |
| A09 | Logging Failures | CWE-778 | Missing audit logs, log injection |
| A10 | SSRF | CWE-918 | Server-side request forgery |
Security Test Case Generation
For each API endpoint or page, apply this checklist:
A01: Access Control Testing (OWASP-AT)
# IDOR: Access another user's resource
curl -H "Authorization: Bearer $USER_A_TOKEN" \
"$URL/api/users/USER_B_ID/profile"
# Expected: 403 Forbidden
# Horizontal privilege escalation
curl -H "Authorization: Bearer $NORMAL_USER_TOKEN" \
"$URL/api/admin/users"
# Expected: 403 Forbidden
# Force browsing (unauthenticated)
curl "$URL/api/internal/config"
# Expected: 401 Unauthorized
# CORS misconfiguration
curl -H "Origin: https://evil.com" -I "$URL/api/data"
# Check: Access-Control-Allow-Origin should NOT be * or evil.com
# HTTP method tampering
curl -X DELETE -H "Authorization: Bearer $READONLY_TOKEN" \
"$URL/api/items/1"
# Expected: 403 if user lacks delete permission
A03: Injection Testing
# SQL Injection (OWASP-DV-005)
# Reference: CWE-89
PAYLOADS=(
"' OR '1'='1"
"' OR '1'='1' --"
"'; DROP TABLE users; --"
"' UNION SELECT null,null,null --"
"1' AND SLEEP(5) --"
)
for p in "${PAYLOADS[@]}"; do
echo "Testing: $p"
curl -s -o /dev/null -w "%{http_code} %{time_total}s" \
"$URL/api/search?q=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$p'))")"
echo
done
# XSS (OWASP-DV-001)
# Reference: CWE-79
XSS_PAYLOADS=(
'<script>alert(1)</script>'
'<img src=x onerror=alert(1)>'
'"><svg onload=alert(1)>'
"javascript:alert(1)"
'<body onload=alert(1)>'
)
# Command Injection (CWE-78)
CMD_PAYLOADS=(
'; ls -la'
'| cat /etc/passwd'
'$(whoami)'
'`id`'
)
A07: Authentication Testing
# Brute force protection (OWASP-AT-004)
for i in $(seq 1 20); do
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-X POST "$URL/api/login" \
-H "Content-Type: application/json" \
-d "{\"username\":\"admin\",\"password\":\"wrong$i\"}")
echo "Attempt $i: $STATUS"
# After 5-10 attempts, should see 429 or account lockout
done
# Session fixation
# 1. Get session before login
# 2. Login
# 3. Verify session ID changed after login
# JWT vulnerabilities
# Check: alg=none bypass, weak secret, missing expiry
echo "$JWT" | cut -d. -f2 | base64 -d 2>/dev/null | python3 -m json.tool
Vulnerability Report Template
## 🛡️ Security Finding
**Title**: [CWE-XXX] Brief description
**Severity**: 🔴 Critical / 🟠 High / 🟡 Medium / 🟢 Low / ℹ️ Info
**CVSS 3.1**: X.X ({vector_string})
**CWE**: CWE-XXX ({cwe_name})
**OWASP**: A0X:2021 ({category})
**Affected**: {endpoint / component}
### Description
What the vulnerability is and why it matters.
### Proof of Concept
Step-by-step reproduction with exact commands/requests.
### Impact
- Confidentiality: {High/Medium/Low/None}
- Integrity: {High/Medium/Low/None}
- Availability: {High/Medium/Low/None}
### Remediation
Specific fix recommendations with code examples.
### References
- OWASP: {link}
- CWE: {link}
CVSS 3.1 Quick Scoring (Reference: https://www.first.org/cvss/)
| Severity | Score | Example |
|---|---|---|
| 🔴 Critical | 9.0-10.0 | Unauthenticated RCE, mass data breach |
| 🟠 High | 7.0-8.9 | SQLi with data access, auth bypass |
| 🟡 Medium | 4.0-6.9 | Stored XSS, IDOR with limited data |
| 🟢 Low | 0.1-3.9 | Reflected XSS requiring interaction |
| ℹ️ Info | 0.0 | Version disclosure, missing headers |
Security Headers Check
# Check response headers
curl -sI "$URL" | grep -iE "strict-transport|content-security|x-frame|x-content-type|x-xss|referrer-policy|permissions-policy"
# Expected headers:
# Strict-Transport-Security: max-age=31536000; includeSubDomains
# Content-Security-Policy: default-src 'self'
# X-Frame-Options: DENY or SAMEORIGIN
# X-Content-Type-Options: nosniff
# Referrer-Policy: strict-origin-when-cross-origin
# Permissions-Policy: camera=(), microphone=()
References
For detailed testing procedures per category:
- OWASP Top 10 detailed tests: See
references/owasp-top10-tests.md - API-specific security: See
references/api-security.md
Comments
Loading comments...