Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Easy run test
v0.0.1 · Use when user needs to run api test, performance test, load test, stress test, http test etc. Trigger words: 接口测试、API测试、性能测试、负载测...
⭐ 0 · 85 · 0 current · 0 all-time
by 金氧 @lamb
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is described as an API/performance testing helper and requires the basjoofan binary — that aligns. However, the SKILL.md contains an 'install' stanza that runs a Node one-liner to query GitHub and then downloads a release binary, yet the registry metadata indicated 'No install spec'. Also the install relies on Node being available but 'node' is not listed in required binaries — an inconsistency.
Instruction Scope
The instructions focus on invoking 'basjoofan test' and include example test scripts. They do not instruct reading unrelated files, harvesting credentials, or exfiltrating data. Example scripts reference files for upload (path/to/file), which is expected for load tests but implies that the tool will access user-specified file paths when tests include them.
Install Mechanism
SKILL.md contains an install workflow that (a) runs an inline Node command to query the GitHub Releases API for the latest version and (b) downloads a platform/arch-specific binary from a GitHub releases URL. Downloading a binary from GitHub releases is common, but there is no checksum or signature verification, the Node dependency is implicit, and the registry metadata earlier claimed there was no install spec — these are inconsistencies and increase risk.
Credentials
The skill does not request any environment variables or credentials (good). The install metadata sets VERSION/ARCH/OS for templating the download, but these are internal to installation. No secrets or unrelated credentials are requested.
Persistence & Privilege
The skill is not marked 'always' and is user-invocable only. There is no indication it modifies other skills or global agent config. Autonomous invocation is allowed (platform default) and not an additional red flag here.
What to consider before installing
This skill appears to do what it says (run API/performance tests) and requires the 'basjoofan' binary. Before installing:
(1) verify the upstream project (https://github.com/basjoofan/core) and its releases are trustworthy,
(2) be aware the SKILL.md installer uses an inline Node script to fetch the latest release and then downloads a binary — ensure you have Node if you plan to run that installer and preferably verify checksums/signatures of the downloaded binary,
(3) note the registry metadata and the embedded install steps are inconsistent (the registry claimed no install spec), which suggests the package metadata may be incomplete or out of sync,
(4) avoid running tests that target internal or sensitive endpoints without reviewing the test scripts (load tests can send arbitrary network traffic and may include file uploads), and
(5) consider running the downloaded binary in a sandbox or reviewing the binary on disk before execution.
If you need higher assurance, request a signed release or a reproducible build / checksums from the skill author.
Like a lobster shell, security has layers — review code before you run it.
latestvk97339ehnb34ch3c3q0jrkztyn83qj7f
Runtime requirements
🍀 Clawdis
Bins: basjoofan
