Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Easy run test

v0.0.1

Use when the user needs to run an API test, performance test, load test, stress test, HTTP test, etc. Trigger words: 接口测试 (interface test), API测试 (API test), 性能测试 (performance test), 负载测...

by 金氧 @lamb
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is described as an API/performance testing helper and requires the basjoofan binary — that aligns. However, the SKILL.md contains an 'install' stanza that runs a Node one-liner to query GitHub and then downloads a release binary, yet the registry metadata indicated 'No install spec'. Also the install relies on Node being available but 'node' is not listed in required binaries — an inconsistency.
Instruction Scope
The instructions focus on invoking 'basjoofan test' and include example test scripts. They do not instruct reading unrelated files, harvesting credentials, or exfiltrating data. Example scripts reference files for upload (path/to/file) which is expected for load tests but imply the tool will access user-specified file paths when tests include them.
Install Mechanism
SKILL.md contains an install workflow that (a) runs an inline Node command to query the GitHub Releases API for the latest version and (b) downloads a platform/arch-specific binary from a GitHub releases URL. Downloading a binary from GitHub releases is common, but there is no checksum or signature verification, the Node dependency is implicit, and the registry metadata earlier claimed there was no install spec — these are inconsistencies and increase risk.
Credentials
The skill does not request any environment variables or credentials (good). The install metadata sets VERSION/ARCH/OS for templating the download, but these are internal to installation. No secrets or unrelated credentials are requested.
Persistence & Privilege
The skill is not marked 'always' and is user-invocable only. There is no indication it modifies other skills or global agent config. Autonomous invocation is allowed (platform default) and not an additional red flag here.
What to consider before installing
This skill appears to do what it says (run API/performance tests) and requires the 'basjoofan' binary. Before installing: (1) verify the upstream project (https://github.com/basjoofan/core) and its releases are trustworthy, (2) be aware the SKILL.md installer uses an inline Node script to fetch the latest release and then downloads a binary — ensure you have Node if you plan to run that installer and preferably verify checksums/signatures of the downloaded binary, (3) note the registry metadata and the embedded install steps are inconsistent (the registry claimed no install spec), which suggests the package metadata may be incomplete or out of sync, (4) avoid running tests that target internal or sensitive endpoints without reviewing the test scripts (load tests can send arbitrary network traffic and may include file uploads), and (5) consider running the downloaded binary in a sandbox or reviewing the binary on disk before execution. If you need higher assurance, request a signed release or a reproducible build / checksums from the skill author.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🍀 Clawdis
Bins: basjoofan
latestvk97339ehnb34ch3c3q0jrkztyn83qj7f
96 downloads
0 stars
1 version
Updated 3w ago
v0.0.1
MIT-0

API test

Run test scripts with basjoofan test [OPTIONS] [NAME].

Quick Reference

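| Parameter | Description | Required | Default |
|---|---|---|---|
| --tasks, -t | Number of concurrent tasks | | 1 |
| --duration, -d | Test duration in seconds or minutes (e.g. 60s, 1m) | | - |
| --number, -n | Number of test runs | | 1 |
| --path, -p | Path to the test scripts | | current path |
| --record, -r | Whether to record test results | | - |
| --stat, -s | Whether to print statistics | | false |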

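Command selection decision tree

The user wants to run a test script
├─ API test → basjoofan test name (runs the API test whose test name is name)
├─ Performance test → basjoofan test name -t 100 -d 1m (runs the API test whose test name is name, with 100 concurrent tasks, for 1 minute)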

Usage examples

Let's start with a simple API test whose test name is get; it sends a GET request.

let host = "httpbin.org";

rq get`
  GET https://{host}/get
`[status == 200]

test get {
  let response = get->;
  response.status
}

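Save this script in a file with the .fan extension, for example get.fan.

If the user wants to run the test script
├─ API test → basjoofan test get (runs the API test whose test name is get)
├─ Performance test → basjoofan test get -t 100 -d 1m -s (runs the API test whose test name is get, with 100 concurrent tasks, for 1 minute, and prints statistics)

This is a POST request.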

let host = "httpbin.org";

rq post`
  POST https://{host}/post
`[status == 200]

test post {
  let response = post->;
  response.status
}

This is a POST request with an application/x-www-form-urlencoded body.

let host = "httpbin.org";

rq post`
  POST https://{host}/post
Content-Type: application/x-www-form-urlencoded

key: value
`[status == 200]

test post {
  let response = post->;
  response.status
}

This is a POST request with a multipart/form-data body.

let host = "httpbin.org";

rq post`
  POST https://{host}/post
  Content-Type: multipart/form-data

  key: value
  file: @path/to/file
`[status == 200]

test post {
  let response = post->;
  response.status
}

This is a POST request with an application/json body.

let host = "httpbin.org";

rq post`
  POST https://{host}/post
  Content-Type: application/json

  {
    "name": "Gauss",
    "age": 6,
    "address": {
      "street": "19 Hear Sea Street",
      "city": "DaLian"
    },
    "phones": [
      "+86 13098767890",
      "+86 15876567890"
    ]
  }
`[status == 200]

test post {
  let response = post->;
  response.status
}
