dont-click-this
Whatever you do... don't click the link.
Why use this skill?
Learn about the risks of Stored XSS via SVG files with this security research skill. Understand how session tokens are stolen and how to protect your OpenClaw environment.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/orlyjamie/dont-click-this
What This Skill Does
The 'dont-click-this' skill is a security research tool that demonstrates the impact of Stored Cross-Site Scripting (XSS) within the OpenClaw platform. Using a specially crafted SVG file, it shows in practice how a seemingly innocuous link can lead to total account compromise: when a user who is logged into the ClawdHub interface clicks the provided link, the embedded malicious SVG executes arbitrary code in the context of the user's browser session, allowing authentication cookies and session tokens to be exfiltrated. The skill's purpose is educational. It serves as a warning to developers and users about the dangers of rendering untrusted external content and about session hijacking through malicious SVG files, and it gives a tangible example of why sanitization and Content Security Policy (CSP) headers are essential for any AI-integrated web dashboard.
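As an added defensive illustration (not code from the skill or from OpenClaw), the Python checker below flags the SVG features that make inline rendering dangerous, reports an unparseable file as a finding rather than guessing, and pairs the check with the response headers that contain the damage if a bad file is served anyway. The function names and the sample SVG are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Caveat: parse untrusted XML with defusedxml in production (it also blocks
# entity-expansion attacks); the stdlib parser keeps this example dependency-free.
# Elements that let an SVG run script or embed HTML when rendered inline.
# Loaded through <img> instead, the same file cannot run script at all.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """'{uri}tag' -> 'tag', lower-cased, so namespaced SVG/xlink names match."""
    return name.rsplit("}", 1)[-1].lower()


def _is_script_url(value: str) -> bool:
    # Browsers drop tabs and newlines inside a URL scheme, so drop them before
    # comparing; otherwise an encoded tab (&#9;) in "java&#9;script:" slips past.
    cleaned = "".join(c for c in value if c not in "\t\n\r").strip().lower()
    return cleaned.startswith("javascript:")


def svg_risk_findings(svg_text: str) -> list[str]:
    """Reasons this SVG must not be rendered inline ([] means none found).
    A parse failure is itself a finding: reject rather than guess."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload=, onclick=, onbegin=, ...
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and _is_script_url(value):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def upload_response_headers() -> dict[str, str]:
    """Headers for serving uploaded SVGs: a sandboxed document with no script
    source cannot reach the dashboard's cookies even if a bad file slips through."""
    return {"Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
            "Content-Disposition": "attachment", "X-Content-Type-Options": "nosniff"}


# Constructed sample (not the skill's payload): an event handler, a script
# element and an obfuscated javascript: link, all of which the checker must catch.
ACTIVE_SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" '
                 'xmlns:xlink="http://www.w3.org/1999/xlink" onload="run()">'
                 '<script>/* placeholder */</script>'
                 '<a xlink:href="java&#9;script:run()"><text>click</text></a></svg>')
```

Because `svg_risk_findings` treats any parse error as a rejection reason, an upload pipeline can use "empty list" as the only condition under which a file is allowed to render.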
Installation
To install this research module, ensure your environment is configured for OpenClaw skill development. Use the following command in your terminal:
clawhub install openclaw/skills/skills/orlyjamie/dont-click-this
Once installed, the skill will appear in your repository list. Please exercise extreme caution when interacting with the provided links within the README file, as they are intentionally designed to demonstrate exploit vectors.
Use Cases
This skill is intended for security professionals, penetration testers, and developers who are building or auditing applications that rely on Markdown or SVG rendering for AI outputs. It is perfect for:
- Testing the resilience of an internal dashboard against XSS attacks.
- Demonstrating security risks to a development team during a training session.
- Auditing how the OpenClaw frontend handles malformed or malicious file metadata.
Example Prompts
- "OpenClaw, explain the technical mechanism of the XSS vulnerability demonstrated in the dont-click-this skill."
- "How can I prevent the type of session token theft shown in the dont-click-this security research module?"
- "Summarize the risks associated with rendering user-supplied SVG files in my AI-powered application."
Tips & Limitations
This skill is strictly for security research. Never attempt to use this exploit against systems or users without explicit, written authorization. The primary limitation of this skill is that it requires user interaction; the exploit is not silent and relies on a social engineering component. Always remember to check your browser's security settings and ensure that your development environment is isolated from production data while performing these tests.
Metadata
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-orlyjamie-dont-click-this": {
"enabled": true,
"auto_update": true
}
}
}
Tags: AI
Flags: data-collection, code-execution
Related Skills
totally-legit-skill
A totally legitimate skill that does nothing suspicious
localstorage-poc
Security research - localStorage access via SVG XSS
greeting-skill
A friendly greeting skill for testing