Is pentest safe?
https://clawhub.ai/Veeramanikandanr48/pentest
This skill is a comprehensive offensive security toolkit packaged as a 'security reviewer'. While it contains no executable code or install-time malice, its reference files embed ready-to-use exploit payloads, credential harvesting commands, privilege escalation techniques, and cloud infrastructure enumeration scripts. The skill requests Bash tool access, and the combination of offensive content with shell execution capability creates significant risk that an LLM agent could be guided into running attacks against unauthorized targets. The 'authorized only' disclaimers provide no technical enforcement.
Findings (9)
HIGH (-30): Offensive exploit payloads embedded in reference files
The penetration-testing.md file contains ready-to-use SQL injection payloads, XSS payloads, XXE payloads, command injection strings, and privilege escalation commands. When loaded into an agent's context as 'reference material', these become actionable instructions the agent may execute.
HIGH (-25): Bash tool access enables arbitrary command execution
The skill declares 'allowed-tools: Read, Grep, Glob, Bash' and contains extensive shell commands across all reference files. The Bash tool combined with the penetration testing content creates a pathway for the agent to execute offensive security tools (nmap, sqlmap, hashcat, metasploit) on the host system.
HIGH (-25): Credential harvesting commands in reference material
The penetration testing reference contains explicit commands for harvesting credentials from the local filesystem and bash history. If the agent follows these instructions during a 'security review', it would access sensitive user data.
MEDIUM (-15): Secret extraction patterns optimized for sensitive data
The secret-scanning.md reference contains regex patterns specifically designed to extract API keys, AWS credentials, GitHub tokens, Slack tokens, Stripe keys, JWT tokens, and private keys. While framed as 'detection', these patterns enable systematic extraction of credentials.
MEDIUM (-10): Cloud infrastructure enumeration commands
Infrastructure security reference contains commands to enumerate AWS S3 buckets, IAM policies, Azure resources, GCP services, and Kubernetes secrets. These could expose cloud infrastructure to unauthorized access.
MEDIUM (-45): Sensitive files accessed during installation
Filesystem monitoring shows that during skill installation, the OpenClaw agent process read .env, .aws/credentials, SSH host keys, and multiple configuration files. While this appears to be the OpenClaw framework behavior rather than the skill itself, it indicates the installation environment accesses sensitive data.
LOW (-15): No executable code but runtime execution expected
The skill itself contains no executable code (all markdown), no install hooks, no git hooks, and no symlinks. However, the extensive shell commands in reference files are clearly intended to be executed at runtime via the Bash tool, making this a 'deferred execution' pattern.
MEDIUM (-70): Dual-use offensive security toolkit with weak authorization guardrails
While the skill includes 'authorized only' disclaimers and 'rules of engagement', these are soft constraints that an LLM agent may not reliably enforce. The skill provides a complete offensive toolkit (recon, exploitation, privilege escalation, lateral movement, credential harvesting) that could be directed at any target the agent has network access to. The distinction between 'security review' and 'attack' depends entirely on the user's intent and the agent's judgment.
INFO (0): Canary files intact despite sensitive file reads
All canary/honeypot files remained unmodified. The .env and .aws/credentials reads appear to be from the OpenClaw framework initialization, not from the skill content itself.