lmeterx-web-loadtest
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill is a real load-testing integration, but it pushes the agent to run it automatically on broad website mentions, uses a built-in service token, and can create load-test tasks against arbitrary URLs without clear user authorization checks.
Install only if you intend to use LMeterX and will test websites or APIs you own or are authorized to load test. Before running it, replace the default token with your own scoped credential, confirm the target and concurrency settings, and avoid using it on private sites unless you are comfortable sending page/API details to the LMeterX backend.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could run a load-testing workflow when you only intended to discuss, summarize, or inspect a website URL.
This instruction makes broad website mentions trigger this skill exclusively, even when the user may not have asked for a load test.
Whenever a user mentions "website," "webpage," "load testing," or provides a URL that appears to be a website ... you must—and may only—use this specific Skill.
Limit activation to explicit load-testing requests and remove exclusive/highest-priority routing language.
A mistaken or unauthorized URL could lead to traffic against a third-party website or its APIs, potentially causing disruption or policy violations.
The skill encourages immediate creation of load-testing tasks for arbitrary website URLs without requiring confirmation, target ownership, or authorization checks.
When a user provides a **webpage/website URL**, the script executes immediately to perform: Page Analysis + API Pre-checks + Batch Creation of Load Testing Tasks. No health checks are required.
Require explicit confirmation, target ownership/authorization, and clear test limits before creating any load-test task.
Large load tests could generate significant traffic and harm availability of a site or API.
The documented limits permit up to 5,000 concurrent users, which is a high-impact load-testing setting if applied to an unapproved target.
`--concurrent-users` | 10 ... concurrent users (1-5000)
Use conservative defaults, require explicit user approval for high concurrency, and document safe-use constraints.
Load-test tasks may be created under a shared or default agent identity, making permissions, accountability, and revocation unclear.
The script falls back to a built-in LMeterX token instead of requiring a user-provided, declared credential.
LMETERX_AUTH_TOKEN: str = os.getenv("LMETERX_AUTH_TOKEN") or "lmeterx"Declare the required credential in metadata, require a per-user token, and avoid shipping a shared default token.
The target URL and generated API test details may be processed by the LMeterX service.
The script sends analysis and task-creation requests to an external LMeterX backend by default.
LMETERX_BASE_URL: str = os.getenv("LMETERX_BASE_URL", "https://lmeterx.openxlab.org.cn")Only use the skill for URLs and API details you are comfortable sending to the configured LMeterX backend.
If the analyzed page or generated test configuration contains sensitive values, they could be included in requests to the external load-testing service.
Pre-check requests forward generated API headers, cookies, and request bodies to the LMeterX backend. This appears purpose-aligned, but users should notice the data flow.
"headers": cfg.get("headers", []), "cookies": cfg.get("cookies", []), "request_body": cfg.get("request_body", "")Avoid using the skill on private/internal applications unless you have reviewed what data will be sent and trust the LMeterX backend.