OpenSkillIndex← back to search
claude-code

Awesome-omni-skill pentest-outbound-interaction-oob-detection

Security assessment skill for outbound interaction and out-of-band (OOB) validation. Use when prompts include SSRF callback confirmation, blind XSS beacons, webhook abuse, XXE/OOB behavior, DNS/HTTP callback correlation, or asynchronous server-side interaction proof. Do not use when vulnerabilities are fully in-band and require no external callback correlation.

install
source · Clone the upstream repo
git clone https://github.com/diegosouzapw/awesome-omni-skill
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/diegosouzapw/awesome-omni-skill "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/testing-security/pentest-outbound-interaction-oob-detection" ~/.claude/skills/diegosouzapw-awesome-omni-skill-pentest-outbound-interaction-oob-detection && rm -rf "$T"
manifest: skills/testing-security/pentest-outbound-interaction-oob-detection/SKILL.md
source content

Outbound Interaction & OOB Detection

Activation Triggers (Positive)

  • ssrf callback
  • blind xss
  • webhook abuse
  • oob
  • dns interaction
  • asynchronous callback
  • xxe out of band

Exclusion Triggers (Negative)

  • fully in-band exploit
  • static code review only
  • report drafting only

Output Schema

  • Callback correlation table: 
    token
    , 
    payload path
    , 
    timestamp
    , 
    source context
  • Validation verdict: 
    confirmed
    , 
    not confirmed
    , 
    inconclusive
  • Follow-on exploitation opportunities from confirmed outbound behavior

Instructions

  1. Generate unique per-test correlation identifiers before sending payloads.
  2. Ensure callback listener scope and retention are sufficient for delayed events.
  3. Correlate callbacks by token, path, and time window before confirmation.
  4. Differentiate noisy background traffic from test-linked interactions.
  5. Use control payloads to reduce false positives.
  6. Pass confirmed primitives to exploit or logic skills with full correlation evidence.

Should Do

  • Treat OOB validation as evidence discipline, not only payload dispatch.
  • Preserve immutable callback logs for auditability.
  • Include both positive and negative control outcomes.

Should Not Do

  • Do not claim confirmation without deterministic correlation.
  • Do not reuse tokens across unrelated tests.
  • Do not expose real secrets in callback payloads.