Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
testcase-generator
v2.0.1
Generates comprehensive test cases from MySQL/Redis data. Invoke when user wants to create test cases for an API endpoint.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name/description (generate test cases from MySQL/Redis data) aligns with the included code and SKILL.md: the skill reads application.yaml, extracts DB/Redis connection info, reads table schema/data and Redis keys, then emits test-case JSON. However the registry metadata declares no required environment variables or credentials even though the skill is explicitly designed to consume DB credentials (from config or ${VAR:default} env substitutions). This mismatch is noteworthy.
Instruction Scope
SKILL.md instructs the agent to read Controller/Service/Entity source code and service configuration and to run scripts that will connect to databases and Redis and read data. The included data_reader.py supports executing arbitrary SQL (execute_query) and scanning Redis keys (SCAN) and will resolve ${VAR:default} environment expressions. Those actions are within the stated purpose but also give the skill ability to access sensitive secrets and arbitrarily query the data store; the instructions do not contain explicit safeguards (e.g., non-production enforcement, read-only mode).
Install Mechanism
There is no install spec (instruction-only skill plus a single Python script). That keeps attack surface lower than remote downloads or package installs. The script does import third-party libs (pymysql, redis) but only warns if they are missing.
Credentials
The skill metadata declares no required env vars or primary credential, yet the runtime expects to find DB/Redis credentials in application YAML or via environment variable substitution. The script will read environment variables referenced in configs (via ${VAR:default}) and will therefore access secrets if present. The mismatch between declared requirements (none) and actual behavior (needs DB/Redis creds) is an incoherence and a privacy risk.
Persistence & Privilege
The always flag is false, and the skill does not request persistent or elevated platform privileges. It does not attempt to modify other skills or global agent settings.
What to consider before installing
This skill will search project config files, resolve environment-variable placeholders, and connect to MySQL and Redis to read schemas and data (and can run arbitrary SQL). That is consistent with generating test cases, but it means the skill can access sensitive credentials and production data. Before installing or running it:
1) Inspect application.yaml and the provided data_reader.py yourself; confirm no unexpected network calls or hardcoded endpoints.
2) Do not point it at production databases — use a sanitized or read-only replica.
3) Ensure you trust the skill source (owner unknown) or run it in an isolated environment/container.
4) Verify that any database connections are read-only and consider removing or disabling execute_query if you only want SELECTs.
5) Ask the publisher to update registry metadata to explicitly declare required credentials and intended safeguards.
If you cannot validate these, treat the skill as potentially risky and avoid running it against sensitive systems.
