Websocket Tester

Pass

Audited by ClawScan on May 2, 2026.

Overview

This is a coherent instruction-only WebSocket testing skill, with the main caution that its load-testing and authenticated examples should only be used on endpoints you are authorized to test.

This skill appears safe to install as an instruction-only WebSocket testing aid, but treat its commands like real network tests. Only target endpoints you are authorized to test, set clear limits for any load test, and use test credentials or narrowly scoped tokens for authenticated WebSocket checks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could unintentionally stress or disrupt a production or third-party WebSocket service.

Why it was flagged

The skill intentionally supports concurrent WebSocket load testing. This is purpose-aligned, but it can generate significant traffic if used with high parameters or against systems the user does not control.

Skill content

description: ... load test concurrent connections ...
async def load_test(url, num_connections, duration_sec, messages_per_sec):

Recommendation

Run load tests only against systems you own or have permission to test, use conservative limits, and confirm the target, connection count, duration, and message rate before running.

What this means

The user's environment may execute an externally sourced CLI package when following the example.

Why it was flagged

The example uses npx, which may download and execute the wscat package if it is not already installed. This is a common, purpose-aligned setup pattern, but the package version is not pinned in the artifact.

Skill content

npx wscat -c "wss://$HOST/ws"

Recommendation

Prefer installing a trusted, pinned version of the WebSocket testing tool, or review the package source before using npx.

What this means

If a broad or sensitive token is used, the test connection may have access to protected account or application data.

Why it was flagged

The skill includes an authenticated WebSocket connection example using a bearer token. This is expected for testing authenticated endpoints, but it involves delegated account access.

Skill content

extra_headers={'Authorization': f'Bearer {TOKEN}'}

Recommendation

Use a test account or narrowly scoped token, avoid pasting secrets into shared chats, and do not log or publish token-bearing requests.