Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

api-test-reporter

v1.0.0

Automates API testing from interface docs by generating detailed HTML reports with test cases, parameters, responses, and validation results for JSON POST/GE...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the actual code: the repo provides a test runner (run_api_test.py) and an HTML report generator (generate_report.py) that parse configs, run HTTP requests, apply DB fixtures and produce reports. The ability to query a database and inject values is coherent with the stated goal of creating realistic test cases.
Instruction Scope
SKILL.md explicitly instructs the agent to parse docs, optionally connect to a MySQL DB (db_fixture), run the provided Python test runner, and generate HTML output. Those steps are within the stated purpose. However the instructions also hardcode example command-lines and refer to another skill's script path (~/.workbuddy/skills/isp-api-tester/...), which requires the agent to execute local scripts and may cause cross-skill dependencies or unexpected file access if those paths are assumed to exist.
Install Mechanism
There is no install spec or remote download; the skill is instruction + shipped scripts. No archive downloads or external installers were found. Runtime may require pip-installing pymysql/requests which is typical for Python tooling.
Credentials
The skill declares no required env vars, which is reasonable, but multiple example configs embedded in SKILL.md and references/test_config.example.json contain cleartext credentials, IP addresses and DB connection details (e.g., 10.115.96.247 / user jxindependent / password Xj2zCkLJXTkEJ5j and other host examples). Including plausible-looking secrets in shipped examples is a red flag (they may be accidental leaks), and the tool will, if configured, connect to arbitrary internal/external endpoints and databases supplied in config — a powerful capability that must be constrained and justified by the user. The number of credential-like strings in examples is disproportionate for a code sample and should be vetted.
Persistence & Privilege
The skill does not request 'always:true' and does not modify other skills or global agent settings. It runs as an invoked script with standard runtime behavior; autonomous invocation is allowed by platform default but is not specially privileged here.
What to consider before installing
This skill appears to implement a legitimate API testing/reporting workflow, but exercise caution before running it:
1) Inspect and sanitize any test_config.json you use — do not paste production DB credentials or real user passwords into configs.
2) The shipped SKILL.md and example files contain cleartext DB credentials and IP addresses that look like internal infrastructure — treat them as potential leaked secrets, and verify whether they are valid or stale.
3) The runner will open network connections (HTTP requests to base_url and optional MySQL queries) — run it in an isolated/sandbox environment or on a non-production network to avoid unintended access.
4) If you only need report generation, review generate_report.py separately; if you enable db_fixture, ensure the DB credentials you supply have read-only, minimal access.
5) Confirm the referenced cross-skill path (~/.workbuddy/skills/isp-api-tester/...) before invoking to avoid executing unexpected scripts.
If you want, provide sanitized example configs (no secrets) and I can point to the exact lines that contain potential secret leaks and explain how to neutralize them.
Static analysis finding — references/test_config.example.json:6: Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
