Awesome Pentest
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill claims to browse penetration-testing resources, but the included scripts do not implement that and instead persistently log arbitrary user inputs locally.
Review this skill carefully before installing. It does not appear to provide the advertised curated pentest resource browsing, and it may save anything you type into its commands under ~/.local/share/awesome-pentest. Do not enter secrets, credentials, client data, or sensitive audit details unless the implementation is fixed and its storage behavior is clearly documented.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could trust the skill for security research or audit planning even though the included implementation does not provide the advertised capability.
The skill advertises browsing curated penetration-testing resources and exploit databases, but the primary run command is not implemented.
    run)
        echo "TODO: Implement main functionality"
Do not rely on this skill for pentest research unless the maintainer provides a working, reviewable implementation that matches the description.
If a user enters passwords, tokens, targets, vulnerability notes, or other sensitive audit information, it may be saved in plaintext logs and later exposed through search, recent, or export commands.
The script creates persistent local storage and records arbitrary user input, including through commands named store, retrieve, check-strength, hash, and rotate, without the SKILL.md clearly disclosing this data retention.
    DATA_DIR="${HOME}/.local/share/awesome-pentest"
    mkdir -p "$DATA_DIR"
    ...
    echo "$ts|$input" >> "$DATA_DIR/store.log"
    ...
    _log "store" "$input"
Avoid entering secrets or sensitive assessment data. The skill should clearly disclose what it stores, avoid plaintext secret logging, and provide cleanup or retention controls.
The skill may not run as described, and users have less assurance about which included script is actually intended to be invoked.
The declared runtime is python3, but the provided implementation files are bash scripts and the registry also says there is no install spec. This creates packaging/provenance ambiguity, although no remote installer or hidden download is shown.
    runtime: python3
Ask the publisher to align metadata, install instructions, and executable files, and to document exactly how the skill is run.
An agent or user invoking these extra commands could unintentionally create, search, or export a local history of sensitive security-related inputs.
The larger script exposes data-management functions over the persistent logs, but those functions are not part of the stated pentest-resource browsing purpose and could surface stored sensitive inputs.
    export <fmt>    Export (json|csv|txt)
    search <term>   Search entries
    recent          Recent activity
Treat the extra commands as untrusted until documented; the skill should narrow commands to the advertised purpose or add explicit user controls and disclosure.
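The logging pattern quoted under the data-retention finding and the search/export commands listed here come down to one question: what does the skill leave on disk, and who can read it. The shell script below is an added example, not code from the Awesome Pentest skill or its publisher. It reproduces the flagged pattern (raw input appended to a per-command plaintext log), shows a hardened variant, and adds an audit step a user can run against the data directory before trusting the skill. It assumes that the skill's _log helper appends "<timestamp>|<input>" to "$DATA_DIR/<command>.log", that the command names cited in the review (store, retrieve, check-strength, hash, rotate) are the ones that receive secrets, and it picks the file name activity.log for the hardened log; all sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the Awesome Pentest skill. It reproduces the
# persistence pattern quoted in the review, shows a hardened variant, and adds
# an audit step to run before trusting the skill. Assumptions: the skill's
# _log helper appends "<timestamp>|<input>" to "$DATA_DIR/<command>.log", and
# the command names listed in the review are the ones that receive secrets.
set -u

DATA_DIR="${DATA_DIR:-${HOME}/.local/share/awesome-pentest}"
# Commands whose arguments are likely passwords, tokens or assessment targets
# (names taken from the review; treat the list as a starting point).
SENSITIVE_CMDS="store retrieve check-strength hash rotate"

is_sensitive() {               # is_sensitive <cmd>: 0 if cmd is in the list
    case " $SENSITIVE_CMDS " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# The pattern the review flags: raw input appended to a plaintext log created
# with the caller's umask, so a default 022 leaves it world-readable.
unsafe_log() {                 # unsafe_log <cmd> <input>
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    mkdir -p "$DATA_DIR"
    printf '%s|%s\n' "$ts" "$2" >> "$DATA_DIR/$1.log"
}

# Hardened variant: create the directory and file with mode 700/600, and for
# sensitive commands persist only the command name and argument length.
# The single activity.log file name is this example's choice.
safe_log() {                   # safe_log <cmd> <input>
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    (
        umask 077
        mkdir -p "$DATA_DIR"
        if is_sensitive "$1"; then
            printf '%s|%s|len=%s|<redacted>\n' "$ts" "$1" "${#2}" \
                >> "$DATA_DIR/activity.log"
        else
            printf '%s|%s|%s\n' "$ts" "$1" "$2" >> "$DATA_DIR/activity.log"
        fi
    )
}

# Audit what the skill left behind: flag any log that stores raw arguments of
# a sensitive command, and any log readable by group or other. Prints the
# number of flagged files on stdout, details on stderr; returns 1 if any.
audit_data_dir() {
    flagged=0
    [ -d "$DATA_DIR" ] || { echo 0; return 0; }
    for f in "$DATA_DIR"/*.log; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .log)
        entries=$(wc -l < "$f" | tr -d ' ')
        reason=""
        if is_sensitive "$name" && grep -qv '<redacted>' "$f"; then
            reason="raw $name arguments on disk"
        fi
        case "$(ls -ld "$f" | cut -c5-10)" in
            ------) ;;
            *) reason="${reason:+$reason; }readable by group/other" ;;
        esac
        if [ -n "$reason" ]; then
            flagged=$((flagged + 1))
            echo "FLAG $f ($entries entries): $reason" >&2
        fi
    done
    echo "$flagged"
    [ "$flagged" -eq 0 ]
}

# Demonstration in a throwaway directory (never run this against real $HOME
# data; the inputs below are constructed).
demo() {
    DATA_DIR=$(mktemp -d)
    unsafe_log check-strength 'client-vpn-Summer2024!'
    unsafe_log store 'jira token for acme-audit'
    unsafe_log search 'privesc'
    echo "== unsafe pattern: $(audit_data_dir || true) file(s) flagged"
    rm -rf "$DATA_DIR"

    DATA_DIR=$(mktemp -d)
    safe_log check-strength 'client-vpn-Summer2024!'
    safe_log search 'privesc'
    echo "== hardened pattern: $(audit_data_dir || true) file(s) flagged"
    cat "$DATA_DIR/activity.log"
    rm -rf "$DATA_DIR"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh audit.sh demo` to see the two patterns side by side, or source it and call `audit_data_dir` with DATA_DIR pointed at the skill's real directory to check what an installed copy has already recorded. The audit only knows the command names the review lists; if the skill adds commands, extend SENSITIVE_CMDS rather than assuming the rest are harmless.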
