KiloClawPowered by OpenClaw
Back to Cookbook
OpenClaw recipe

Python Tool Install Fix for PEP 668

aka “Python Pentest Tool Installs Under PEP 668 (Kali/Debian)

Avoid "externally-managed-environment" with pipx and venv

Modern Kali and Debian mark system Python as externally managed (PEP 668), breaking bare `pip install` workflows. This recipe standardizes pipx for CLI tools and venv for libraries so tool installs stay isolated and the distro stays intact.

House RecipeWork7 min
Try in KiloClawFree 7-day trial

PROMPT

Create a skill called "PEP 668 Python Tool Installer". Inputs I will provide: - OS/distro (Kali/Debian/Ubuntu) - The tool name and whether it is a CLI application or a Python library - The exact pip error output (if any) Task: 1) Choose the correct install method: apt package, pipx, or venv. 2) Output the exact commands to install, verify, and record the installed version. 3) Provide a troubleshooting checklist for PATH issues and venv activation mistakes.

What this fixes

Common symptom:

  • `error: externally-managed-environment`
  • Tool install notes say `pip install ...` but the distro blocks it

Prerequisites

  • Python 3 installed
  • `pipx` installed OR permission to install it via apt
  • A writable HOME directory (for venvs/pipx)

Steps and commands

  1. Install pipx (recommended on Kali):

`sudo apt update && sudo apt install -y pipx`

`pipx ensurepath`

  1. Install a Python CLI tool cleanly:

`pipx install `

Example:

`pipx install semgrep`

  1. If you need a library (not a CLI application), use a venv:

`python3 -m venv .venv`

`source .venv/bin/activate`

`python3 -m pip install -U pip`

`python3 -m pip install `

  1. If you must run a repo-based tool:

`git clone `

`cd `

`python3 -m venv .venv && source .venv/bin/activate`

`python3 -m pip install -r requirements.txt`

  1. Record the installation method:
  • pipx package + version
  • venv requirements.txt hash/lock if applicable

Expected outputs

  • The tool runs from your PATH (pipx) without breaking system packages
  • `pip install` works inside the venv without triggering PEP 668 errors

Common errors and troubleshooting

  • pipx installed but command not found
  • Run `pipx ensurepath` and start a new shell.
  • Confirm `~/.local/bin` is in PATH.
  • Still seeing externally-managed-environment inside a venv
  • You are not using the venv's python/pip. Run `which python3` and `which pip` to verify.
  • Temptation to use `--break-system-packages`
  • This can break distro-managed tooling. Prefer pipx/venv.
  • pipx inject for plugins/extras
  • If a pipx-installed tool needs an optional dependency: `pipx inject `.

References

  • https://www.kali.org/blog/python-externally-managed/
  • https://www.kali.org/docs/general-use/python3-external-packages/
  • https://peps.python.org/pep-0668/
  • https://github.com/RedSiege/EyeWitness/issues/636

Example inputs

  • Tool: eyewitness / semgrep / custom python CLI
  • Install style: pipx (CLI) vs venv (library)
Tags:#pentesting#automation#python#kali#debian#tooling#troubleshooting

Related Recipes

Nuclei Template Doctor

Fix "no templates provided", template drift, and signing surprises

Nuclei scans fail not because the engine is broken but because templates are missing, outdated, filtered out, or failing validation. This recipe diagnoses template path and version problems, performs safe updates, validates templates, and explains a secure workflow for code-template signing.

Work6 min

Rootless (or Almost) Network Scans in Containers

Fix raw-socket "Operation not permitted" without --privileged

Least-privilege setup for running Nmap, MASSCAN, or ZMap inside Docker/Podman/Kubernetes. Solves "requires root privileges" and "Operation not permitted" failures without reaching for --privileged. Includes fallbacks when raw sockets are unavailable.

Work10 min

Bulk Change Airbnb Rates

Update pricing across all your Airbnb listings without clicking through each one

Automate bulk rate changes across multiple Airbnb listings using your Claw. Useful for seasonal pricing updates, last-minute discounts, or syncing rates after a change in your hosting strategy.

Home5 min

Inbox Zero Bot

Email and calendar without leaving your terminal

Full Gmail control via the gog CLI. Read, send, search, organize emails. Create events, set reminders, RSVP to invitations. All from natural language or CLI commands.

Personal5 min setup