seclens-enterprise-web
Professional web application and API security testing workflows using OWASP Top 10 methodologies.

| Field | Value |
|---|---|
| name | seclens-enterprise-web |
| description | Professional web application and API security testing workflows using OWASP Top 10 methodologies. |

Perform comprehensive vulnerability assessments on web applications and APIs (REST/GraphQL) to identify security flaws, logic errors, and compliance issues.

| Profile | Use Case | Characteristics |
|---|---|---|
| Quiet | Production systems, WAF-protected targets | Low request rate, header rotation, timing jitter |
| Standard | Staging environments, time-limited tests | Balanced speed/stealth |
| Aggressive | Internal networks, comprehensive coverage | Maximum parallelism, full payloads |

- `network_mode: host` for complete network access
- `./reports:/data`
- httpx and whatweb.
- dirsearch, ffuf, and katana.
- nuclei and nikto.
- pip-audit, trivy.
- burpsuite or zap.
- sqlmap or custom scripts.
- references/report-template.md.

| Category | Workflow | Primary Tools | Status |
|---|---|---|---|
| A01 Broken Access Control | business_logic_testing | browser_agent, http_repeater, IDOR enumeration | ✅ |
| A02 Cryptographic Failures | vulnerability_assessment | nuclei (crypto tags), manual TLS review | ✅ |
| A03 Injection | vulnerability_assessment | sqlmap, dalfox, nuclei (injection templates) | ✅ |
| A04 Insecure Design | business_logic_testing | manual testing, race condition scripts | ✅ |
| A05 Security Misconfiguration | web_reconnaissance | nuclei (misconfig tags), nikto, httpx | ✅ |
| A06 Vulnerable Components | dependency_scanning | pip-audit, npm-audit, trivy | ✅ |
| A07 Auth Failures | authentication_testing | jwt_analyzer, http_intruder, browser_agent | ✅ |
| A08 Software/Data Integrity | dependency_scanning | trivy (image scan), gitleaks | ✅ |
| A09 Logging Failures | vulnerability_assessment | manual review, log injection testing | ⚠️ Partial |
| A10 SSRF | vulnerability_assessment | nuclei (ssrf tags), interactsh (OOB) | ✅ |

| Category | Tools | Purpose |
|---|---|---|
| Reconnaissance | httpx, katana, gau, waybackurls | Asset discovery, technology fingerprinting |
| Content Discovery | dirsearch, ffuf, gobuster, feroxbuster | Hidden endpoints, directories |
| Vulnerability Scanning | nuclei, nikto, jaeles | Automated CVE/misconfiguration detection |
| Injection Testing | sqlmap, dalfox, xsser | SQL, XSS, command injection |
| API Security | arjun, graphql_scanner, jwt_analyzer | API-specific vulnerabilities |
| Auth Testing | http_intruder, browser_agent | Credential stuffing, session attacks |
| Dependency Scanning | pip-audit, npm-audit, trivy | Third-party component CVEs |
| OOB Detection | interactsh | Blind SSRF, RCE, XXE verification |
| Interactive | burpsuite, zaproxy, browser_agent | Manual testing, complex flows |
| Reporting | pandoc, wkhtmltopdf | PDF/HTML report generation |

- references/tools.md - Tool function signatures and parameters
- references/workflows.md - Attack pattern definitions
- references/report-template.md - Vulnerability report template