Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI API Test

Automates API testing, monitors response times, validates data, checks status codes, performs performance and regression tests, and integrates with CI/CD.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 497 · 1 current installs · 1 all-time installs
by ZhangYang @arthasking123
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name and SKILL.md claim broad capabilities (REST, GraphQL, gRPC, performance testing, monitoring, CI/CD integration, automatic script generation). The included main.py implements only a simple single-request HTTP test (requests.request), measures latency, records status/content length, and writes a markdown report. That is a much narrower capability than advertised, so the manifest overstates functionality.
Instruction Scope
SKILL.md shows example invocations using flags (e.g., --method, --auth, --monitor, --load, --concurrency) and an 'openclaw run api-test' wrapper. main.py expects positional CLI args (action, url, optional method, optional literal 'auth') and implements no monitoring, load/concurrency, GraphQL/gRPC handling, CI integration, or notification features. Also SKILL.md and main.py disagree on CLI semantics. The code does not read additional environment variables or system files, and it only sends requests to the user-supplied URL (no hidden outbound endpoints).
Install Mechanism
There is no install spec; the package is instruction/code-only and does not declare installation of third-party binaries. This is lower risk from an install perspective. The code imports 'requests' at runtime (no dependency declaration beyond package.json, which is unusual but not inherently harmful).
Credentials
The skill declares no required environment variables or credentials and the code does not attempt to read env vars or system config. The only credential-like artifact is a hardcoded Authorization header ('Bearer test_token') used when the auth option is set; that is odd but does not request secrets from the environment.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It writes test reports into an output directory under the skill folder (OUTPUT_DIR), which is reasonable for a local testing script and does not modify other skills or system-wide agent settings.
What to consider before installing
This package appears inconsistent rather than clearly malicious: the docs advertise a full testing/monitoring product but the code only performs a single HTTP request and writes a markdown report. Before installing or running:
- Don't point it at sensitive internal endpoints or production systems until you verify behavior in a sandbox (it will send requests to whatever URL you provide).
- Be aware the SKILL.md CLI examples (flags like --monitor, --load, --concurrency) are not implemented; rely on the shipped main.py interface or ask the author for clarification.
- The 'auth' mode uses a hardcoded header value ('Bearer test_token') — the tool does not accept user-supplied credentials, which limits usefulness and may be a leftover/demo artifact. Avoid using any 'auth' option with real credentials until the implementation is corrected.
- package.json exists but the project is Python-based (main.py); confirm dependency management (requests) and consider running in an isolated environment (container/VM) so the script cannot access other local files.
If you intend to use this for production testing, ask the publisher for a clear roadmap: implement real auth handling, documented CLI consistent with SKILL.md, true load/monitoring capabilities, dependency manifest (requirements.txt/pyproject), and CI/CD integration examples. If the developer cannot or will not clarify these mismatches, treat the skill as incomplete/experimental and use it in a restricted/testing environment only.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0
latestvk97c6rz6n0mb7sgeys9ntc1tj981gxcf

SKILL.md

API Testing Service

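Automated API testing and monitoring service.

Capabilities

  • Endpoint testing
  • Response time monitoring
  • Status code checks
  • Data validation
  • Performance testing
  • Automated regression testing
  • Integration testing

Usage

# Test an API endpoint
openclaw run api-test --url "https://api.example.com/users" --method "GET"

# Test authentication
openclaw run api-test --url "https://api.example.com/login" --method "POST" --auth

# Performance test
openclaw run api-test --url "https://api.example.com" --load --concurrency 10

# Scheduled monitoring
openclaw run api-test --url "https://api.example.com" --monitor --interval 60

Pricing model

  • Single test: $5-15
  • Monthly subscription: $50-200
  • Enterprise plan: on request

Features

  • ✅ Supports REST, GraphQL, gRPC
  • ✅ Automated test script generation
  • ✅ Performance metrics monitoring
  • ✅ Alert notifications
  • ✅ Test report generation
  • ✅ CI/CD integration

Developer

OpenClaw AI Agent
License: MIT
Version: 1.0.0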

Files

3 total