技能详情(站内镜像,无评论)
作者:Muhammad Mazhar Saeed @0x-professor
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v0.1.0
统计:⭐ 1 · 458 · 3 current installs · 3 all-time installs
⭐ 1
安装量(当前) 3
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:0x-professor/pentest-active-directory
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill's stated purpose (AD pentest orchestration) matches its contents, but it relies on an undeclared shared module and omits expected runtime dependencies—review the shared code and run only in dry-run/isolated environments before giving it authorization to execute live tests.
目的
Name/description align with files and references (BloodHound, SharpHound, Impacket, mimikatz, etc.). The included script is an orchestrator that produces canonical artifacts and enforces scope/authorization. Minor mismatch: metadata lists no required binaries while the skill clearly needs a Python runtime and (for real testing) external pentest tools; this is plausible but should be declared.
说明范围
SKILL.md and the script enforce scope validation, dry-run behavior, and explicit --i-have-authorization for live runs, which is good. However the runtime script imports pentest_common from a shared path (skills/autonomous-pentester/shared) that is not included in the package metadata shown; load_payload, validate_scope and other helpers are opaque here and could perform additional file/network/credential access. You should inspect that shared …
安装机制
No install spec (instruction-only with a Python script) — lowest installer risk. Nothing is downloaded or written by an installer step in the registry manifest.
证书
No environment variables, credentials, or config paths are requested in metadata or SKILL.md. This is conservative, but real AD pentesting would normally require credentials and external tools; this skill instead expects input payloads and a shared helper. Confirm where credentials or tool invocations would actually occur before granting access.
持久
always:false and no indications the skill modifies other skills or system-wide settings. The skill writes output artifacts when run (unless dry-run) but does not request permanent presence or elevated platform privileges.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Pentest Active Directory」。简介:Assess Active Directory identity attack paths including roasting, relay, and de…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/0x-professor/pentest-active-directory/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
---
name: pentest-active-directory
description: Assess Active Directory identity attack paths including roasting, relay, and delegation abuse.
---
# Pentest Active Directory
## Stage
- PTES: 6
- MITRE: TA0006, TA0008
## Objective
Map and validate AD privilege escalation and movement paths.
## Required Workflow
1. Validate scope before any active action and reject out-of-scope targets.
2. Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
3. Write findings in canonical finding_schema format with reproducible PoC notes.
4. Honor dry-run mode and require explicit --i-have-authorization for live execution.
5. Export deterministic artifacts for downstream skill consumption.
## Execution
```bash
python skills/pentest-active-directory/scripts/active_directory.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run
```
## Outputs
- `ad-findings.json`
- `ad-attack-paths.json`
- `ad-report.json`
## References
- `references/tools.md`
- `skills/autonomous-pentester/shared/scope_schema.json`
- `skills/autonomous-pentester/shared/finding_schema.json`
## Legal and Ethical Notice
```text
WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.
```