ZLQA-GMT-API-Test
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent GM API test runner, but using it means trusting an external ZLQA project repo and allowing the skill to run and edit local test scripts that may use API secrets.
Install only if you trust the ZLQA repository and the local run_tests.py files it contains. Use test credentials and a non-production server where possible, review local changes after execution, and reset the saved project binding if you switch projects.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Changes in the external repository could change what test code is run on the user's machine.
The skill depends on a remote project repository that is not included in the reviewed package and is not pinned to a commit or version.
git clone https://codeup.aliyun.com/6364d32c1d6d547e3e84d9fc/ZLQA.git
Use this only with a trusted ZLQA repository, review the cloned run_tests.py files, and prefer a pinned commit or internal trusted checkout.
A test script can perform whatever file, network, or API actions its Python code implements.
The runner executes Python test scripts from the initialized project directory. This is central to the testing purpose, but it is still local code execution from outside the skill package.
result = subprocess.run(
['python', 'run_tests.py'],
cwd=interface_dir,
Run only trusted test projects, prefer non-production environments, and inspect test scripts before execution.
The project test file may be changed during normal use, which can affect version control or later test runs.
The skill modifies the project's run_tests.py file in place to set the selected test cases. This is purpose-aligned but can create local source changes.
"""Modify the EXECUTE_CASES configuration in run_tests.py"""
Use a working copy, check diffs after running, and reset or commit changes intentionally.
If production secrets or privileged GM credentials are used, the test scripts could affect real game data or expose sensitive access.
The workflow requires API signing secrets and test account data. This is expected for GM API testing, and the provided runner does not show credential exfiltration.
Fill in the test data in `{接口名}_config.md`:
- Server address (url)
- Signing key (appsecret)
- Test accounts, roles, and other test data
Use least-privilege test app secrets and test accounts, and avoid production servers unless the test scripts are fully reviewed.
A stale or incorrect saved project mapping could cause future commands to run tests from the wrong local directory.
The skill stores configuration under its own directory and later reuses the saved project path and interface map.
CONFIG_FILE = os.path.join(SKILL_DIR, 'skill_config.json')
Reinitialize when switching projects and delete skill_config.json if you need to reset the saved binding.
