Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
REST API Tester
v1.0.0 · Test REST APIs with customizable headers, authentication, and request bodies. Use when debugging API endpoints, testing authentication flows, validating resp...
⭐ 1 · 444 · 3 current · 3 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the SKILL.md contents: example code shows GET/POST/PUT/DELETE, auth headers, performance checks, webhook listener, and an API test suite. The declared requirements (none) are appropriate for an instruction-only recipe.
Instruction Scope
Instructions tell the agent/user how to perform network calls to arbitrary endpoints, create a local Flask webhook listener, and suggest using ngrok to expose it. This is expected for an API tester, but these actions can transmit or receive sensitive data depending on what URLs or credentials the user provides — the skill itself does not access extra system files or environment variables.
Install Mechanism
There is no install spec; the SKILL.md suggests installing Python packages via pip (requests, flask). That is proportional to the examples shown and is a common, low-risk suggestion for a code snippet.
Credentials
The skill declares no environment variables, credentials, or config paths. Example code accepts tokens/credentials as parameters (which is appropriate). There are no unexplained requests for secrets or unrelated service keys.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system privileges or modify other skills or agent settings. Autonomous invocation is allowed by platform default but is not flagged here because it is not combined with other red flags.
Assessment
This skill is essentially a set of code examples for testing APIs — it's coherent and doesn't ask for secrets itself, but be careful when using it: do not paste real production credentials into examples you run; run tests and the Flask listener in an isolated or disposable environment; be cautious when exposing local services with ngrok (it can expose local resources to the public); pin and review any pip packages you install (use a virtualenv and consider specifying versions); and review any URLs the skill will contact to avoid sending sensitive data to unintended endpoints.
Like a lobster shell, security has layers — review code before you run it.
latest · vk974cqrpxehax6bzfhanf73xy982773f
