Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Testing & QA Toolkit: Integration, Chaos, and Contract Testing for Multi-Agent Systems

v1.0.0

Comprehensive testing toolkit for agent commerce systems: unit...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill advertises integration testing against 'real GreenHelix APIs', chaos injection, contract validation and CI/CD integration — capabilities that typically require network access, service endpoints, and API credentials. However the skill declares no required environment variables, credentials, binaries, or install steps. That absence is inconsistent with the described purpose and suggests the metadata is incomplete or inaccurate.
Instruction Scope
SKILL.md is an extensive guide with classes and procedures for running integration and chaos tests. The provided excerpt is conceptual and does not show explicit commands that read unrelated files or secrets, but the guide's intent (running chaos tests, integration against real APIs, recording/playback) implies actions that could be destructive or require sensitive credentials. The file does not appear to instruct the agent to exfiltrate unrelated system data, but the full text should be reviewed for any steps that access shell history, private keys, or other system-level secrets.
Install Mechanism
This is an instruction-only skill with no install specification and no code files to write to disk. That is the lowest install risk and is consistent with being a guide rather than executable software.
! Credentials
Given the skill's stated goal of running integration tests against GreenHelix APIs, it would normally require API keys, service endpoints, or other credentials. The skill declares no environment variables or primary credential. This mismatch could be benign (the guide may expect the user to supply credentials ad hoc), but it is a red flag because sensitive secrets are likely needed to follow many chapters — the skill metadata should declare what credentials it expects and why.
Persistence & Privilege
The skill does not request always: true and does not modify system configuration. It is user-invocable and allows model invocation (the platform default); those are expected for a guide-like skill and are not excessive on their own.
What to consider before installing
This skill is an extensive how-to for running integration, chaos, and contract tests, but the package metadata lacks provenance and does not declare the credentials or endpoints you will almost certainly need. Before installing or using it:
1) Inspect the full SKILL.md yourself for any commands that read files, environment variables, or invoke external endpoints;
2) Do not paste production credentials into examples — prefer test accounts, isolated environments, or sandbox GreenHelix endpoints;
3) Confirm the source/author or request a homepage/repo to review code samples and examples;
4) If you plan to run chaos tests, run them in isolated staging environments with clear rollback and monitoring;
5) If the guide asks you to set env vars or secrets, require the author to declare them in the skill metadata so you can reason about needed privileges.
If you want, provide the full SKILL.md text (or sections with code/examples) and I can re-check for specific commands that access secrets, call external endpoints, or perform destructive actions.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai-agent, chaos-testing, ci-cd, contract-testing, greenhelix, guide, latest, openclaw, qa, testing
