ClawHub

testSkillX

v1.0.0

Simple test skill that calls a GET endpoint to fetch a daily post. No authentication required.

1· 1.9k·0 current·0 all-time
byNatX@natx223

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for natx223/testskillx.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "testSkillX" (natx223/testskillx) from ClawHub.
Skill page: https://clawhub.ai/natx223/testskillx
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install testskillx

ClawHub CLI

Package manager switcher

npx clawhub@latest install testskillx
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description say it will fetch a daily post and the SKILL.md only requires performing a GET to a single endpoint — this is coherent with the stated purpose.
!
Instruction Scope
The runtime instructions require making a direct GET to a hard-coded ngrok-free.app URL (https://b024a53917d6.ngrok-free.app/agent/dailyPost). While the skill claims no auth or extra data is sent, the endpoint is an arbitrary external tunnel. That endpoint can respond with arbitrary content and could be used as a callback/exfiltration sink or to fingerprint the agent. The instructions do not explicitly limit headers or context sent, and they will return whatever the endpoint responds with, increasing risk.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing is written to disk or pulled from external archives.
Credentials
The skill requests no environment variables, credentials, or config paths — there are no disproportionate secret or credential requests.
Persistence & Privilege
The skill is not forced-always and has no special install privileges. However the SKILL.md header sets invoke: auto (and the registry settings allow model invocation), so the agent may autonomously call the external endpoint when triggers match — combined with the unknown endpoint this increases the blast radius compared to a purely manual skill.
What to consider before installing
This skill does exactly what it claims (performs a GET and returns the response) but it calls a hard-coded ngrok URL you don't control. Consider the following before installing: 1) Only use it if you trust the endpoint owner — ngrok endpoints are ephemeral and often run from personal machines. 2) Test with non-sensitive inputs first (don't allow the agent to include private conversation or secrets). 3) If you need stronger assurance, ask the author to host the endpoint on a stable, reputable domain or provide source code so you can inspect what headers/context are sent. 4) If you prefer minimal risk, disable autonomous invocation or block outbound network access for the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b1286bwfyqh6c7zmp39qw1n80fbsatestvk97b1286bwfyqh6c7zmp39qw1n80fbsa
1.9kdownloads
1stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
NatX@natx223
latesttest
Download

DailyPost Test

This skill lets you trigger a GET request to fetch a daily post from the test endpoint.

🚀 How to use it

Just say one of these (or similar):

  • "Show me the daily post"
  • "Get today's post"
  • "Fetch daily post"
  • "Run dailypost"

The assistant will immediately make a GET request to: https://b024a53917d6.ngrok-free.app/agent/dailyPost

🛠️ What happens

  1. Recognition: I recognize your request via the defined triggers.
  2. Execution: I perform the following HTTP call: 
    curl [https://b024a53917d6.ngrok-free.app/agent/dailyPost](https://b024a53917d6.ngrok-free.app/agent/dailyPost)
  3. Response: I return whatever the endpoint sends back (text, JSON, etc.) directly to the chat.

🔒 Safety Notes

  • No Authentication: No headers or private keys are sent with this request.
  • Public Access: This is a standard public GET request.
  • Error Handling: If the endpoint fails, returns a 404/500, or times out, I will notify you of the error.

Comments

Loading comments...