Skill details (on-site mirror, no comments)
Author: Muhammad Mazhar Saeed @0x-professor
License: MIT-0
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Version: v0.1.0
Stats: ⭐ 0 · 527 · 3 current installs · 3 all-time installs
🛡 VirusTotal: benign · OpenClaw: benign
Package: 0x-professor/pentest-auth-bypass
Security scan (ClawHub)
- VirusTotal: benign
- OpenClaw: benign
OpenClaw assessment
The skill's code, instructions, and requirements are consistent with a scope-checked pentesting helper that warns about authorization and defaults to dry-run; nothing requests unrelated credentials or installs arbitrary code.
Purpose
Name, description, SKILL.md and the script all align: the skill scaffolds auth/session testing, references common pentest tools, and does not request unrelated credentials or system access.
Instruction scope
The SKILL.md and script enforce scope validation and require --i-have-authorization for live runs and provide a dry-run mode, which limits accidental active testing. Note: the script imports shared helpers (pentest_common) from an external 'autonomous-pentester/shared' location — those helper functions could invoke external tools or network activity during a non-dry-run run, so review that shared module before executing live tests.
Install mechanism
No install spec (instruction-only plus a small script) — nothing is downloaded or written during install, reducing risk.
Credentials
No environment variables, credentials, or config paths are requested. The script reads scope and input payload files (declared in CLI) which is proportional to its purpose.
Persistence
always is false and the skill does not request permanent presence or modify other skills. It only writes artifacts to the specified output path when run.
Overall conclusion
This skill appears coherent for authorized pentesting, but before running it: (1) verify you have written authorization and use --dry-run first; (2) inspect the shared module (autonomous-pentester/shared/pentest_common) to see what external tools or network actions it performs during non-dry-run runs; (3) run tests in an isolated environment and point outputs to a safe folder; (4) confirm scope.json accurately represents authorized targets. If…
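Install (copy to Lobster AI)
Copy the entire block below into a Lobster Chinese Library conversation, and Lobster will complete the installation according to SKILL.md.
Please hand this paragraph to the Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Pentest Auth Bypass" on this machine. Summary: Test authentication and session management controls for bypass and account take…
Please fetch the following address to read SKILL.md and complete the installation according to the document: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/0x-professor/pentest-auth-bypass/SKILL.md
(Source: yingzhi8.cn skill library)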
SKILL.md
---
name: pentest-auth-bypass
description: Test authentication and session management controls for bypass and account takeover scenarios.
---
# Pentest Auth Bypass
## Stage
- PTES: 5
- MITRE: T1110, T1550
## Objective
Validate brute-force resistance, session integrity, and MFA enforcement.
## Required Workflow
1. Validate scope before any active action and reject out-of-scope targets.
2. Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
3. Write findings in canonical finding_schema format with reproducible PoC notes.
4. Honor dry-run mode and require explicit --i-have-authorization for live execution.
5. Export deterministic artifacts for downstream skill consumption.
## Execution
```bash
python skills/pentest-auth-bypass/scripts/auth_bypass.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run
```
## Outputs
- `auth-findings.json`
- `valid-sessions.json`
- `auth-attack-report.json`
## References
- `references/tools.md`
- `skills/autonomous-pentester/shared/scope_schema.json`
- `skills/autonomous-pentester/shared/finding_schema.json`
## Legal and Ethical Notice
```text
WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.
```