Api Test Automation

Pass
Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: api-test-automation
Version: 1.0.0

The skill bundle provides a comprehensive and well-structured API testing automation suite supporting REST and GraphQL. It includes features for performance testing, OpenAPI contract validation, and a local mock server using Starlette and Uvicorn. The code follows standard practices, uses legitimate libraries (e.g., httpx, schemathesis, jinja2), and contains no evidence of malicious intent, data exfiltration, or unauthorized execution logic. All capabilities, including network access and local server hosting, are directly aligned with the tool's stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Misconfigured load tests could generate unwanted traffic or affect service availability.

Why it was flagged

The performance tester can issue many concurrent requests to the scenario configured by the user. This is central to load testing, but it can stress an API if aimed at production or third-party systems.

Skill content

semaphore = asyncio.Semaphore(self.concurrency)
...
tasks = [_execute() for _ in range(total_requests)]
await asyncio.gather(*tasks, return_exceptions=True)

Recommendation

Run load and stress tests only against systems you own or are authorized to test, and set conservative concurrency and request limits.

What this means

A broad or production API token could allow tests to read or change real account data.

Why it was flagged

The client supports bearer-token authentication, which is expected for API testing but means tests may run with the permissions of the provided token.

Skill content

def set_auth(self, token: str):
    """Set authentication token."""
    self.headers["Authorization"] = f"Bearer {token}"

Recommendation

Use least-privileged, test-scoped credentials and avoid using production tokens unless the test is explicitly approved.

What this means

Dependency behavior may change over time, which can affect reliability or security.

Why it was flagged

Dependencies are declared with minimum versions rather than exact pins or hashes, so future installs may pull newer package versions than the reviewed artifact expected.

Skill content

requests>=2.28.0
httpx>=0.24.0
aiohttp>=3.8.0
...
python-dotenv>=1.0.0

Recommendation

Install in a virtual environment and consider using a lockfile or pinned, reviewed dependency versions.

What this means

Sensitive test data or credentials sent to the mock server may remain accessible through the in-memory request log for as long as the process is running.

Why it was flagged

The mock server records headers and request bodies in an in-memory request log. This is useful for test verification, but those fields can contain tokens, cookies, or personal data.

Skill content

self.request_log.append({
    "method": method,
    "path": path,
    "headers": dict(request.headers),
    "body": body.decode() if body else None,

Recommendation

Avoid sending real secrets to the mock server, use synthetic data where possible, and call clear_log() when logs are no longer needed.

What this means

A local test server may keep listening for the lifetime of the process if it is not stopped.

Why it was flagged

Calling MockServer.start() runs the mock server in a background daemon thread. This is expected for a local mock service, and the code also provides stop().

Skill content

self.thread = threading.Thread(target=self.server.run)
self.thread.daemon = True
self.thread.start()

Recommendation

Bind mock services to localhost unless exposure is intended, and call server.stop() after tests finish.