ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Webhook Tester

Webhook testing and debugging tool. Send test webhook payloads to any URL, simulate various webhook events (GitHub, Stripe, Slack), inspect responses, and lo...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 37 · 0 current installs · 0 all-time installs
by@bytesagain
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a small webhook tester (commands: send, github, ping, history). The provided script contains a much larger, generic-sounding command surface (check, validate, generate, lint, explain, convert, export, stats, search, etc.). That mismatch suggests the code may be a generic template or repurposed script rather than the narrow webhook tool advertised.
!
Instruction Scope
SKILL.md claims a WEBHOOK_TESTER_DIR env var to configure data directory, but the script shown ignores that and hardcodes DATA_DIR to ${HOME}/.local/share/webhook-tester. The SKILL.md exposes only webhook-related commands, while the script reads/writes many log files and exposes unrelated operations — instructions and implementation are not aligned.
Install Mechanism
No install spec is provided (instruction-only), but a shell script is included in the bundle. This is lower risk than a remote download, but unusual: the presence of executable code with no install instructions means the script could be executed by the agent or user without an explicit vetted install step. Review the full script before running.
Credentials
The skill requests no credentials or privileged env vars (good). However SKILL.md references WEBHOOK_TESTER_DIR while the script uses a hardcoded $HOME path — this inconsistency could cause confusion or unexpected file writes under the user's home directory (~/.local/share/webhook-tester). No other env/credential escalation observed in the provided snippet.
Persistence & Privilege
The script creates and writes logs under ~/.local/share/webhook-tester — persistent but scoped to the user's home. The skill is not marked always:true and does not request system-wide config changes in the visible code. Persistence is expected for a tester that records history.
What to consider before installing
Do not run or install this skill without reviewing the rest of scripts/script.sh in full. Specific checks to perform before using: - Inspect the remainder of scripts/script.sh (the file was truncated) for any network calls (curl, wget, nc, openssl s_client, or similar) and note destinations; confirm they only target user-specified webhook endpoints, not hard-coded external servers. - Verify how the 'send', 'github', and 'ping' commands are implemented and whether they use external endpoints or leak data to bytesagain.com or other hosts. - Confirm whether the script honors an environment variable for the data dir (SKILL.md mentions WEBHOOK_TESTER_DIR but the script hardcodes $HOME/.local/share/webhook-tester); if you want control, update the script to respect WEBHOOK_TESTER_DIR before running. - Run the script in a sandboxed environment (or container) first to observe behavior and ensure it doesn't transmit unexpected data. - Because documentation and implementation disagree, treat this package as untrusted until a full code review confirms it only performs the advertised webhook testing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk9792m11qa2djmzza33kcz1ksh8316tv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Webhook Tester

Test webhooks. Send payloads. Debug integrations. No deployment needed.

Commands

  • send <url> <json_payload> — Send webhook POST
  • github <url> [event] — Simulate GitHub webhook
  • ping <url> — Send test ping
  • history — View recent webhook sends

Usage Examples

webhook-tester send https://myapp.com/webhook '{"event":"test"}'
webhook-tester github https://myapp.com/hooks push
webhook-tester ping https://myapp.com/health

Powered by BytesAgain | bytesagain.com

When to Use

  • as part of a larger automation pipeline
  • when you need quick webhook tester from the command line

Output

Returns logs to stdout. Redirect to a file with webhook-tester run > output.txt.

Configuration

Set WEBHOOK_TESTER_DIR environment variable to change the data directory. Default: ~/.local/share/webhook-tester/

Powered by BytesAgain | bytesagain.com Feedback & Feature Requests: https://bytesagain.com/feedback

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…