seclens-enterprise-web
Professional web application and API security testing workflows using OWASP Top 10 methodologies.
| name | seclens-enterprise-web |
| description | Professional web application and API security testing workflows using OWASP Top 10 methodologies. |
Perform comprehensive vulnerability assessments on web applications and APIs (REST/GraphQL) to identify security flaws, logic errors, and compliance issues.
| Profile | Use Case | Characteristics |
|---|---|---|
| Quiet | Production systems, WAF-protected targets | Low request rate, header rotation, timing jitter |
| Standard | Staging environments, time-limited tests | Balanced speed/stealth |
| Aggressive | Internal networks, comprehensive coverage | Maximum parallelism, full payloads |
- network_mode: host for complete network access.
- /reports:/data
- httpx and whatweb.
- dirsearch, ffuf, and katana.
- nuclei and nikto.
- pip-audit, trivy.
- burpsuite or zap.
- sqlmap or custom scripts.
- references/report-template.md.

| Category | Workflow | Primary Tools | Status |
|---|---|---|---|
| A01 Broken Access Control | business_logic_testing | browser_agent, http_repeater, IDOR enumeration | ✅ |
| A02 Cryptographic Failures | vulnerability_assessment | nuclei (crypto tags), manual TLS review | ✅ |
| A03 Injection | vulnerability_assessment | sqlmap, dalfox, nuclei (injection templates) | ✅ |
| A04 Insecure Design | business_logic_testing | manual testing, race condition scripts | ✅ |
| A05 Security Misconfiguration | web_reconnaissance | nuclei (misconfig tags), nikto, httpx | ✅ |
| A06 Vulnerable Components | dependency_scanning | pip-audit, npm-audit, trivy | ✅ |
| A07 Auth Failures | authentication_testing | jwt_analyzer, http_intruder, browser_agent | ✅ |
| A08 Software/Data Integrity | dependency_scanning | trivy (image scan), gitleaks | ✅ |
| A09 Logging Failures | vulnerability_assessment | manual review, log injection testing | ⚠️ Partial |
| A10 SSRF | vulnerability_assessment | nuclei (ssrf tags), interactsh (OOB) | ✅ |

| Category | Tools | Purpose |
|---|---|---|
| Reconnaissance | httpx, katana, gau, waybackurls | Asset discovery, technology fingerprinting |
| Content Discovery | dirsearch, ffuf, gobuster, feroxbuster | Hidden endpoints, directories |
| Vulnerability Scanning | nuclei, nikto, jaeles | Automated CVE/misconfiguration detection |
| Injection Testing | sqlmap, dalfox, xsser | SQL, XSS, command injection |
| API Security | arjun, graphql_scanner, jwt_analyzer | API-specific vulnerabilities |
| Auth Testing | http_intruder, browser_agent | Credential stuffing, session attacks |
| Dependency Scanning | pip-audit, npm-audit, trivy | Third-party component CVEs |
| OOB Detection | interactsh | Blind SSRF, RCE, XXE verification |
| Interactive | burpsuite, zaproxy, browser_agent | Manual testing, complex flows |
| Reporting | pandoc, wkhtmltopdf | PDF/HTML report generation |

- references/tools.md - Tool function signatures and parameters
- references/workflows.md - Attack pattern definitions
- references/report-template.md - Vulnerability report template