lmeterx-web-loadtest

What to consider before installing: - The code does what the skill says: it sends your provided target URL and test parameters to an LMeterX backend which performs analysis, pre-checks, and creates load-test tasks. The heavy work happens on the remote LMeterX service, not locally. - SKILL.md contains coercive instructions that try to force the agent to always use this skill when 'website' is mentioned and forbids alternate methods; that looks like a prompt-injection attempt and is not required for normal operation. - The script uses two environment values (LMETERX_AUTH_TOKEN and LMETERX_BASE_URL) but the skill metadata declared none. The script will send an X-Authorization header (default token 'lmeterx') to the LMeterX backend; ensure you trust the LMeterX host before sending data or overriding the token. - Legal/ethical risk: the skill creates load tests against the target URL. Running load tests against third-party sites without permission can be disruptive and illegal. Confirm you have authorization to test the target. Recommendations: - Do not install blindly. Inspect or run the script in a sandbox and verify network calls (ensure LMETERX_BASE_URL is expected). - Remove or ignore the SKILL.md’s 'must-only' invocation text if you control the agent — treat it as untrusted instruction text. - If you proceed, set LMETERX_BASE_URL and LMETERX_AUTH_TOKEN explicitly to trusted values (or remove token) and monitor outbound traffic to verify only the three whitelisted LMeterX endpoints are called. - If you cannot verify the remote LMeterX service or want to avoid remote execution, do not install or modify the skill to run analysis locally instead.