Skill v1.0.0
ClawScan security
api-test-suite-builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:17 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions are coherent with an API test-suite generator: it reads project source files, generates test scaffolding, and does not request unrelated credentials or install code from external sources.
- Guidance: This skill is internally consistent with its stated purpose, but before installing or running it: 1) only run scans and generated tests against development or isolated environments — generated tests include adversarial inputs and may create/delete test data or hit rate limits; 2) review generated test files before executing them, especially any tests that call external services or manipulate data; 3) avoid running the skill on repositories containing production secrets or with credentials loaded into the environment; and 4) on Windows or non-POSIX shells the provided shell commands (find/grep/sed) may not work as written — adapt them or run in a Linux-like environment.
Review Dimensions
- Purpose & Capability
- ok: Name/description (API Test Suite Builder) align with the SKILL.md: it scans repo source files for routes and generates tests. No unrelated environment variables, binaries, or install steps are requested.
- Instruction Scope
- note: The instructions explicitly tell the agent to scan and read route handler source files (find/grep/etc.) and generate adversarial tests (injection/XSS/rate-limit). This is expected for a test generator, but it does mean the skill will read project files broadly and produce tests that perform potentially intrusive requests — review generated tests before running them against production systems.
- Install Mechanism
- ok: Instruction-only skill with no install spec or code to download. Lowest-risk installation footprint; nothing will be written to disk by an installer step.
- Credentials
- ok: The skill declares no environment variables, credentials, or config paths. The instructions do not request secrets or external tokens. This is proportionate for a static-code-scanning + test-generation tool.
- Persistence & Privilege
- ok: always:false and normal model-invocation settings. The skill does not request permanent agent-wide presence or to modify other skills; no elevated persistence privileges are requested.
