Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

isp-api-tester

v1.0.0

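ISP open platform API testing agent. Use this Skill when the user needs to run automated tests against the Baiwang open platform's ISP interfaces and generate test reports. It integrates isp-login-skill (authentication), queryDB-skill (data preparation) and api-test-reporter (test reporting).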

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (ISP API tester) align with included script behavior: obtaining tokens, signing requests, loading DB fixtures, executing API calls and producing reports. The skill claims to reuse helper scripts from other skills (isp-login-skill, queryDB-skill, api-test-reporter) by referencing paths under ~/.workbuddy; this is plausible but creates an implicit dependency on other skills' scripts being present.
Instruction Scope
SKILL.md instructs running the provided script which will connect to the specified API endpoint and (optionally) to a database per the config. The README contains concrete test credentials, an internal DB host, and example secrets (appSecret/password/userSalt). Running the script with those configs will transmit those credentials to remote endpoints and connect to the database. The instructions also tell the agent to read config files from the project directory—those configs may contain secrets and will be reused across sessions. This broad network and DB access is within testing scope but elevates risk and privacy concerns.
Install Mechanism
No install spec is provided (instruction-only install), so nothing will be fetched or written automatically by an installer. SKILL.md recommends pip installing 'requests' and 'pymysql' which is proportionate to the Python script's needs. Because there's no install step, the main runtime risk comes from executing the included Python script.
Credentials
The skill declares no required environment variables or primary credential, which is consistent; however the SKILL.md and example config embed real-looking appKey/appSecret/username/password/userSalt and a DB host and DB credentials. These are sensitive and unnecessary for evaluating the skill itself — embedding them in documentation increases risk of accidental reuse or credential leakage. The script also accepts arbitrary DB and API endpoints via config, so it can be pointed at unrelated systems if misconfigured.
Persistence & Privilege
always:false and no install routine; the skill does not request permanent platform-level privileges and does not modify other skills' configurations. It reads configuration files from the project directory and writes output reports to the specified output directory, which is expected behavior for a test tool.
What to consider before installing
This skill appears to do what it claims (API testing), but review and control sensitive configs before running. Specific recommendations:
- Do not run the included script with the example configs as-is — they contain exposed test credentials and a DB host. Replace them with credentials you trust or dummy values when experimenting.
- Run the tool in an isolated environment (virtualenv/container) and inspect test_config_xxx.json before use.
- Audit any real API base_url and DB connection values you provide; avoid pointing the tool at production systems unless you intend to test them.
- If you do not trust the source, do not execute the Python script with live credentials; read the script to understand exactly what it sends and logs (it performs network requests and database queries).
- Install dependencies (requests, pymysql) in an isolated interpreter and consider running through a code review or sandbox before use.
If you want higher confidence about safety, provide provenance information (who published the skill), or ask the publisher to remove embedded credentials from documentation.


latestvk974c8wswkg6cac50p811fq2mh84cg8j
