web-recon

Website vulnerability scanner and security audit toolkit. Scan any website for security issues: open ports (nmap), exposed secrets, subdomain enumeration, directory bruteforce, security header scoring, CORS misconfigurations, SSL/TLS analysis, WordPress vulnerabilities, and more. One command, full report. Pentesting and OSINT reconnaissance for web applications.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "web-recon" with this command: npx skills add p0lish/web-recon

Web Recon

All-in-one web security scanner for pentesting, bug bounty, and security audits.

Scan any target with a single command and get a structured report with findings prioritized by severity. Modular — run the full suite or pick individual steps.

Why Use This

  • One command → full security assessment with prioritized findings
  • 12 scan modules — DNS, ports, fingerprinting, subdomains, directories, secrets, vulnerabilities, headers, CORS, SSL, WordPress, Nuclei templates
  • Security header scoring — instant letter-grade for any site's HTTP security posture
  • Secrets detection — 459 rules covering AWS, GCP, GitHub, Slack, databases, and more
  • Skips missing tools gracefully — works with whatever you have installed
  • Resume mode — pick up where a crashed scan left off
  • JSON + Markdown reports — machine-readable and human-readable output

Quick Start

# Quick scan (recon, fingerprint, secrets, header scoring, report)
scripts/webscan.sh example.com --quick

# Full scan (all 12 steps)
scripts/webscan.sh example.com

# Full scan with JSON output and screenshot
scripts/webscan.sh example.com --json --screenshot

# Resume a crashed scan (skips completed steps)
scripts/webscan.sh example.com --resume

# Single step
scripts/webscan.sh example.com recon
scripts/webscan.sh example.com vulns

# Secrets scan only
scripts/titus-web.sh https://example.com

Output: ~/.openclaw/workspace/recon/<domain>/

Options

| Flag | Description |
|------|-------------|
| --quick | Light scan: recon, fingerprint, secrets, vulns, report |
| --full | All steps (default) |
| --json | Generate results.json alongside markdown report |
| --screenshot | Capture homepage screenshot |
| --resume | Skip steps that already have output files |

Environment Variables

| Variable | Purpose |
|----------|---------|
| SHODAN_API_KEY | Shodan API key for infrastructure intel (falls back to CLI) |
| OUTDIR | Override output directory |

Scan Modules

| Step | What it does | Tools |
|------|--------------|-------|
| recon | DNS records, IP geolocation, port scan, Shodan, Wayback URLs | nmap, dig, Shodan |
| fingerprint | HTTP headers, tech stack, WAF detection, CMS check | WhatWeb, wafw00f |
| subdomains | Subdomain enumeration + live probing | Subfinder, Amass, httpx |
| dirs | Directory and file bruteforce | Gobuster, ffuf |
| secrets | Secrets scan + sensitive file checks (30+ paths) | Titus (459 rules) |
| vulns | Security header scoring, CORS check, SSL analysis, vulnerability scan | Nikto, custom |
| wpscan | WordPress-specific vulnerabilities (auto-skips if not WP) | WPScan |
| nuclei | Template-based CVE scanning | Nuclei |
| ssl | Full SSL/TLS analysis | testssl |
| screenshot | Homepage capture | cutycapt/chromium |
| report | Markdown + JSON report generation | |

Security Header Scoring

Scores 10 security headers by severity:

| Severity | Points | Headers |
|----------|--------|---------|
| Critical | 30 | Strict-Transport-Security, Content-Security-Policy |
| High | 20 | X-Frame-Options |
| Medium | 10 | X-Content-Type-Options, Referrer-Policy, Permissions-Policy |
| Low | 5 | X-XSS-Protection, COOP, CORP, COEP |

Rating: 🟢 ≥80% · 🟡 ≥50% · 🟠 ≥25% · 🔴 <25%
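
The scoring scheme above, worked through as an added example (this is not the skill's own script; `score_headers`, `sample_headers` and `WEIGHTS` are hypothetical names). It assumes each header present earns its tier's points, for a maximum of 130, and it checks presence only, not whether the header's value is a strong one.

```sh
#!/bin/sh
# Added example: weights copied from the scoring table; COOP/CORP/COEP spelled out.
# Assumption: each header present earns its tier's points, so the maximum is 130.
WEIGHTS='strict-transport-security:30 content-security-policy:30
x-frame-options:20
x-content-type-options:10 referrer-policy:10 permissions-policy:10
x-xss-protection:5 cross-origin-opener-policy:5
cross-origin-resource-policy:5 cross-origin-embedder-policy:5'

# Constructed sample response (not real scan output), CRLF-terminated as on the wire.
sample_headers() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' \
        'Content-Type: text/html; charset=utf-8' \
        'strict-transport-security: max-age=31536000; includeSubDomains' \
        'X-Frame-Options: DENY' \
        'X-Content-Type-Options: nosniff' \
        'Referrer-Policy: no-referrer'
}

# Reads raw response headers on stdin.
# Line 1 of output: "<earned>/<max> <percent>% <rating>"; line 2: missing headers.
score_headers() {
    # Header names are case-insensitive: strip CR, lowercase, keep the name only.
    present=$(tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
    earned=0; max=0; missing=''
    for entry in $WEIGHTS; do
        name=${entry%%:*}; pts=${entry##*:}
        max=$((max + pts))
        if printf '%s\n' "$present" | grep -qxF -- "$name"; then
            earned=$((earned + pts))
        else
            missing="$missing $name($pts)"
        fi
    done
    pct=$((earned * 100 / max))
    # Thresholds from the Rating line: >=80 green, >=50 yellow, >=25 orange, else red.
    if   [ "$pct" -ge 80 ]; then rating=green
    elif [ "$pct" -ge 50 ]; then rating=yellow
    elif [ "$pct" -ge 25 ]; then rating=orange
    else rating=red
    fi
    printf '%s/%s %s%% %s\nmissing:%s\n' "$earned" "$max" "$pct" "$rating" "$missing"
}

sample_headers | score_headers
```

To score a live response instead of the sample, pipe `curl -sI https://example.com` into `score_headers`.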

Output Structure

~/.openclaw/workspace/recon/<domain>/
├── results.md              # Markdown report with executive summary
├── results.json            # Machine-readable report (--json)
├── screenshot.png          # Homepage capture (--screenshot)
├── dns.txt / geo.json      # DNS records, IP geolocation
├── ports.txt               # nmap port scan results
├── shodan.json             # Shodan infrastructure data
├── header-score.txt        # Security header score card
├── cors.txt                # CORS misconfiguration check
├── whatweb.txt / waf.txt   # Tech fingerprint, WAF detection
├── subdomains-live.txt     # Discovered live subdomains
├── dirs.txt                # Discovered directories/files
├── sensitive-files.txt     # Exposed config/backup files
├── titus.txt               # Leaked secrets/API keys
├── nikto.txt / nuclei.txt  # Vulnerability findings
├── ssl.txt                 # SSL/TLS analysis
└── wpscan.txt              # WordPress scan (if applicable)

Review Priority

  1. header-score.txt — overall security posture at a glance
  2. sensitive-files.txt — any "FOUND" = critical exposure
  3. cors.txt — misconfigured CORS = data theft risk
  4. titus.txt — exposed secrets/API keys
  5. ports.txt — unexpected open ports
  6. nuclei.txt — known CVEs
  7. subdomains-live.txt — forgotten/dev subdomains

Tool Requirements

See references/tools.md for install instructions. Scripts skip missing tools gracefully — you don't need everything installed to get useful results.

Wordlists

See references/wordlists.md. Auto-selects medium wordlists, falls back to smaller if unavailable.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
