Api Test Automation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent API testing skill, with expected network testing and mock-server behavior, but users should run it only against authorized test systems and avoid sending real secrets through captured mock requests.

Install this only in a development or test environment, pin and audit dependencies before CI use, run load or contract tests only against systems you own or are authorized to test, and avoid sending real credentials or sensitive payloads through the mock server unless you are comfortable with them being captured in its in-memory request log.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium (92% confidence)

The example text says it uses a mock GraphQL client, but the code constructs a real client configured for an external HTTPS endpoint. This mismatch can mislead users into believing the example is offline/safe while actually encouraging outbound connectivity, which is risky in security-sensitive, air-gapped, or policy-restricted environments.

Missing User Warnings

Medium (95% confidence)

This skill is specifically for API, contract, mock, and performance testing, all of which can generate real traffic against target services and potentially stress them. Omitting warnings about outbound requests, concurrency, and possible impact on third-party or production systems increases the risk of accidental scanning, service degradation, or policy violations.

Missing User Warnings

Medium (92% confidence)

The server records every request's headers, body, path, and query parameters into `request_log` without redaction or limits. In an API testing context, those fields commonly contain credentials, tokens, cookies, API keys, personal data, or proprietary payloads, so the mock server can become a sink for sensitive data that is later exposed through logs, test artifacts, memory inspection, or unintended reuse.

Missing User Warnings

Medium (86% confidence)

This module provides built-in load, stress, and spike testing that can generate large volumes of HTTP traffic, but it contains no user-facing warning, target restrictions, or safety guardrails before exercising external endpoints. In an API test automation skill, that capability is expected, but without explicit safeguards it can be misused against third-party services or production systems, causing denial-of-service-like impact or violating acceptable-use policies.

VirusTotal

65/65 vendors flagged this skill as clean.
