pentest-outbound-interaction-oob-detection

Security assessment skill for outbound interaction and out-of-band (OOB) validation. Use when prompts include SSRF callback confirmation, blind XSS beacons, webhook abuse, XXE/OOB behavior, DNS/HTTP callback correlation, or asynchronous server-side interaction proof. Do not use when vulnerabilities are fully in-band and require no external callback correlation.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "pentest-outbound-interaction-oob-detection" with this command: npx skills add crtvrffnrt/skills/crtvrffnrt-skills-pentest-outbound-interaction-oob-detection

Outbound Interaction & OOB Detection

Activation Triggers (Positive)

  • ssrf callback
  • blind xss
  • webhook abuse
  • oob
  • dns interaction
  • asynchronous callback
  • xxe out of band

Exclusion Triggers (Negative)

  • fully in-band exploit
  • static code review only
  • report drafting only

Output Schema

  • Callback correlation table: token, payload path, timestamp, source context
  • Validation verdict: confirmed, not confirmed, inconclusive
  • Follow-on exploitation opportunities from confirmed outbound behavior

Instructions

  1. Generate unique per-test correlation identifiers before sending payloads.
  2. Ensure callback listener scope and retention are sufficient for delayed events.
  3. Correlate callbacks by token, path, and time window before confirmation.
  4. Differentiate noisy background traffic from test-linked interactions.
  5. Use control payloads to reduce false positives.
  6. Pass confirmed primitives to exploit or logic skills with full correlation evidence.
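
Steps 1 and 3 to 5 as an added example (not part of the upstream SKILL.md or its repository scripts): a correlator that turns issued tokens and listener records into the callback correlation table with a verdict per test. The record field names, the 24-hour window, the "control hit"/"control clean" labels and the rule that a negative-control hit downgrades every match to inconclusive are assumptions made for illustration.

```python
import secrets
from datetime import datetime, timedelta, timezone

def new_token():
    """Step 1: unique, unguessable per-test correlation identifier."""
    return secrets.token_hex(8)

def correlate(tests, callbacks, window=timedelta(hours=24)):
    """Steps 3-5: map each test name to a correlation-table row with a verdict."""
    by_token = {}
    for cb in callbacks:  # records whose token was never issued stay unmatched (noise)
        by_token.setdefault(cb["token"], []).append(cb)
    # Assumed rule: a hit on a negative control means token matches alone
    # cannot be trusted in this run, so nothing is reported as confirmed.
    control_hit = any(t["control"] and t["token"] in by_token for t in tests)
    table = {}
    for t in tests:
        hits = by_token.get(t["token"], [])
        strict = [cb for cb in hits if cb["path"] == t["path"]
                  and t["sent_at"] <= cb["ts"] <= t["sent_at"] + window]
        if t["control"]:
            verdict = "control hit" if hits else "control clean"
        elif strict and not control_hit:
            verdict = "confirmed"
        elif hits:
            verdict = "inconclusive"  # token seen; path, time or control check failed
        else:
            verdict = "not confirmed"
        ev = (strict or hits or [{}])[0]
        table[t["name"]] = {"token": t["token"], "payload_path": t["path"],
                            "timestamp": ev.get("ts"), "source_context": ev.get("source"),
                            "verdict": verdict}
    return table

def demo():
    """Constructed data: three tests, one negative control, three listener records."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    def test(name, control=False):
        tok = new_token()
        return {"name": name, "token": tok, "path": "/cb/" + tok, "sent_at": t0, "control": control}
    tests = [test("A"), test("B"), test("C"), test("ctl", control=True)]
    a, b = tests[0], tests[1]
    callbacks = [  # A: exact match; B: right token, wrong path, late; last: noise
        {"token": a["token"], "path": a["path"], "ts": t0 + timedelta(minutes=3), "source": "http 198.51.100.7"},
        {"token": b["token"], "path": "/robots.txt", "ts": t0 + timedelta(days=3), "source": "http 203.0.113.9"},
        {"token": "unrelated", "path": "/", "ts": t0, "source": "dns 192.0.2.1"},
    ]
    return correlate(tests, callbacks)
```

Calling `demo()` returns one row per test name; rows for tests with no matching record carry `None` for timestamp and source context.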

Should Do

  • Treat OOB validation as evidence discipline, not only payload dispatch.
  • Preserve immutable callback logs for auditability.
  • Include both positive and negative control outcomes.

Should Not Do

  • Do not claim confirmation without deterministic correlation.
  • Do not reuse tokens across unrelated tests.
  • Do not expose real secrets in callback payloads.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
