REST API Tester

Advisory

Audited by Static analysis on May 10, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken target, method, spec, or iteration count could modify an API, delete data, or generate unwanted traffic.

Why it was flagged

The documented interface can issue mutating HTTP methods, read a request body from a file, run repeated requests, and test all endpoints from a spec. This is aligned with API testing but can change data or create load if used on live systems.

Skill content

`--method GET|POST|PUT|DELETE|PATCH`, `--body-file path.json`, `--benchmark`, `--spec openapi.json --test-all`

Recommendation

Use staging or test accounts when possible, confirm non-GET methods and `--test-all` runs, and keep benchmark iteration counts reasonable.

What this means

If a real token is used with a production API or an unintended URL, the request may act with that token's privileges.

Why it was flagged

The skill supports sending bearer or other authorization headers to the chosen endpoint. That is expected for API testing, but it means user-provided credentials can authorize real account actions.

Skill content

`--headers '{"Authorization":"Bearer token123"}'`

Recommendation

Use least-privilege test tokens, verify the destination URL before sending credentials, and avoid using production credentials unless necessary.

What this means

Generated reports or verbose outputs may retain sensitive API response content and could expose it if shared.

Why it was flagged

The script captures response bodies and prepares response previews for HTML reporting. API responses can include private data, tokens, or business records.

Skill content

`"body": response_body` ... `body_preview = json.dumps(r["body_json"], indent=2)[:2000]`

Recommendation

Review reports before sharing, avoid report generation for sensitive responses, and store/delete report files according to your data handling needs.

What this means

A user could misread the requirements section and fail to realize that the tool will make outbound network calls to the requested API endpoints.

Why it was flagged

The documentation clearly describes making user-directed API requests, so the 'No external API calls' line is ambiguous and appears to mean no hidden third-party calls rather than no network requests at all.

Skill content

`Send requests, validate responses...` ... `No external API calls`

Recommendation

Treat the skill as a network-capable API client and verify each target URL before use.