KiloClawPowered by OpenClaw
Back to Cookbook

Python Pentest Tool Installs Under PEP 668 (Kali/Debian)

Avoid "externally-managed-environment" with pipx and venv

Modern Kali and Debian mark system Python as externally managed (PEP 668), breaking bare `pip install` workflows. This recipe standardizes pipx for CLI tools and venv for libraries so tool installs stay isolated and the distro stays intact.

House RecipeWork7 min

PROMPT

Create a skill called "PEP 668 Python Tool Installer". Inputs I will provide: - OS/distro (Kali/Debian/Ubuntu) - The tool name and whether it is a CLI application or a Python library - The exact pip error output (if any) Task: 1) Choose the correct install method: apt package, pipx, or venv. 2) Output the exact commands to install, verify, and record the installed version. 3) Provide a troubleshooting checklist for PATH issues and venv activation mistakes.

What this fixes

Common symptom:

  • `error: externally-managed-environment`
  • Tool install notes say `pip install ...` but the distro blocks it

Prerequisites

  • Python 3 installed
  • `pipx` installed OR permission to install it via apt
  • A writable HOME directory (for venvs/pipx)

Steps and commands

  1. Install pipx (recommended on Kali):

`sudo apt update && sudo apt install -y pipx`

`pipx ensurepath`

  1. Install a Python CLI tool cleanly:

`pipx install `

Example:

`pipx install semgrep`

  1. If you need a library (not a CLI application), use a venv:

`python3 -m venv .venv`

`source .venv/bin/activate`

`python3 -m pip install -U pip`

`python3 -m pip install `

  1. If you must run a repo-based tool:

`git clone `

`cd `

`python3 -m venv .venv && source .venv/bin/activate`

`python3 -m pip install -r requirements.txt`

  1. Record the installation method:
  • pipx package + version
  • venv requirements.txt hash/lock if applicable

Expected outputs

  • The tool runs from your PATH (pipx) without breaking system packages
  • `pip install` works inside the venv without triggering PEP 668 errors

Common errors and troubleshooting

  • pipx installed but command not found
  • Run `pipx ensurepath` and start a new shell.
  • Confirm `~/.local/bin` is in PATH.
  • Still seeing externally-managed-environment inside a venv
  • You are not using the venv's python/pip. Run `which python3` and `which pip` to verify.
  • Temptation to use `--break-system-packages`
  • This can break distro-managed tooling. Prefer pipx/venv.
  • pipx inject for plugins/extras
  • If a pipx-installed tool needs an optional dependency: `pipx inject `.

References

  • https://www.kali.org/blog/python-externally-managed/
  • https://www.kali.org/docs/general-use/python3-external-packages/
  • https://peps.python.org/pep-0668/
  • https://github.com/RedSiege/EyeWitness/issues/636

Example inputs

  • Tool: eyewitness / semgrep / custom python CLI
  • Install style: pipx (CLI) vs venv (library)
Tags:#pentesting#automation#python#kali#debian#tooling#troubleshooting

Related Recipes

Nuclei Template Doctor

Fix "no templates provided", template drift, and signing surprises

Nuclei scans fail not because the engine is broken but because templates are missing, outdated, filtered out, or failing validation. This recipe diagnoses template path and version problems, performs safe updates, validates templates, and explains a secure workflow for code-template signing.

Work6 min

Rootless (or Almost) Network Scans in Containers

Fix raw-socket "Operation not permitted" without --privileged

Least-privilege setup for running Nmap, MASSCAN, or ZMap inside Docker/Podman/Kubernetes. Solves "requires root privileges" and "Operation not permitted" failures without reaching for --privileged. Includes fallbacks when raw sockets are unavailable.

Work10 min

Anti-AI Slop Filter

Keep your content off the AI slop list

Have your Claw periodically check the AI Slop Wiki and build a living filter of patterns to avoid. Every piece of content your Claw creates runs through this filter first, so you never publish anything that reads like generic AI-generated filler.

Creative2 min

Render Hang Triage

A playbook for "stops at the same frame" and "freeze mid-render" failures

Renders freeze at a consistent percentage or frame — often caused by a bad clip, a heavy effect, a Fusion comp issue, or "stop render on error" settings. This recipe classifies the failure pattern and gives you a structured triage plan instead of blind re-exports.

Creative3 min