isp-api-tester
Security checks across malware telemetry and agentic risk
Overview
This looks like a legitimate ISP API testing skill, but it embeds real-looking service credentials and can run unbounded database/API actions, so it needs review before use.
Install only if you trust the publisher and can use isolated test credentials. Before running it, replace or rotate any embedded secrets, verify the endpoint is a test environment, use a read-only database account, review all SQL and API methods in the config, and treat generated reports as sensitive business data.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who installs or copies the skill shares the same embedded credentials, inherits whatever authority that test account holds, and sends those credentials and the tokens derived from them in clear text, because the configured endpoint is plain HTTP.
The skill documents real-looking ISP account/app credentials and a plain-HTTP endpoint instead of only requiring user-scoped secrets. These credentials are used for token generation and signed API access.
"base_url": "http://opapi.test.51baiwang.com/router/rest" ... "appKey": "1000139" ... "password": "Aa123456." ... "appSecret": "1bccbe47-917e-4374-8fe9-85b44fecab84"
Replace embedded credentials with user-provided, scoped test credentials; rotate any real exposed secrets; prefer HTTPS endpoints if available; and declare required credentials in metadata.
A mistaken or malicious config could read more data than intended or modify/delete database records if the database account has those privileges.
Database SQL is taken directly from the test configuration and executed with the configured database account; the visible code does not restrict it to SELECT queries or require review.
sql = q.get("sql", "") ... cur.execute(sql)
Use a read-only database account, require explicit user review of every SQL query, and enforce SELECT-only or allowlisted queries in the runner.
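The following is an added example of the two controls recommended above, not code from the skill or from ClawScan: a conservative SELECT-only screen applied to each config query before it reaches cursor.execute, plus a read-only connection as a second layer in case the screen is bypassed. SQLite stands in for the skill's MySQL/pymysql database, and the table, rows and config queries are constructed for the example.

```python
import os
import re
import sqlite3
import tempfile

# Constructed test-config entries in the shape the finding describes (q.get("sql")).
# Only the first is a legitimate read; the rest are what a mistaken or malicious config could carry.
SAMPLE_QUERIES = [
    {"name": "lookup_invoice", "sql": "SELECT invoice_no, amount FROM invoices WHERE id = 1"},
    {"name": "delete_all",     "sql": "DELETE FROM invoices"},
    {"name": "stacked",        "sql": "SELECT 1; DROP TABLE invoices"},
    {"name": "cte_update",     "sql": "WITH x AS (SELECT 1) UPDATE invoices SET amount = 0"},
    {"name": "exfil_file",     "sql": "SELECT * FROM invoices INTO OUTFILE '/tmp/dump.txt' -- mysql"},
]

# Keywords that must never appear in a read-only test query (MySQL-oriented, since the skill uses pymysql).
FORBIDDEN = re.compile(
    r"\b(insert|update|delete|replace|drop|alter|truncate|create|grant|revoke|"
    r"load_file|into\s+outfile|into\s+dumpfile)\b",
    re.IGNORECASE,
)


def is_allowed_select(sql: str) -> tuple:
    """Return (allowed, reason). Conservative: one statement, starts with SELECT/WITH, no write keywords."""
    stripped = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)   # drop /* */ comments
    stripped = re.sub(r"(--|#)[^\n]*", " ", stripped)             # drop -- and # comments
    stripped = stripped.strip().rstrip(";").strip()
    if ";" in stripped:                                           # stacked statements (also rejects ';' in literals)
        return False, "multiple statements"
    if not re.match(r"^(select|with)\b", stripped, re.IGNORECASE):
        return False, "not a SELECT"
    if FORBIDDEN.search(stripped):
        return False, "forbidden keyword"
    return True, "ok"


def make_sample_db(path: str) -> None:
    """Create a small SQLite stand-in for the test database."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, invoice_no TEXT, amount REAL)")
    con.executemany("INSERT INTO invoices (invoice_no, amount) VALUES (?, ?)",
                    [("INV-001", 100.0), ("INV-002", 250.5)])
    con.commit()
    con.close()


def run_queries(path: str, queries: list) -> dict:
    """Screen each config query, then run the survivors over a read-only connection."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # second layer: this connection cannot write
    results = {}
    for q in queries:
        sql = q.get("sql", "")
        ok, reason = is_allowed_select(sql)
        if not ok:
            results[q["name"]] = {"status": "rejected", "reason": reason}
            continue
        cur = con.execute(sql)
        results[q["name"]] = {"status": "ok", "rows": cur.fetchall()}
    con.close()
    return results


def read_only_connection_blocks_writes(path: str) -> bool:
    """Even if the screen were bypassed, the read-only connection refuses writes."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        con.execute("DELETE FROM invoices")
        con.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def demo() -> dict:
    """Build the sample database, run the constructed config through both layers, return the outcomes."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "isp_test.db")
    make_sample_db(path)
    results = run_queries(path, SAMPLE_QUERIES)
    results["_read_only_enforced"] = read_only_connection_blocks_writes(path)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The keyword screen is deliberately conservative (a semicolon inside a string literal is rejected too); with MySQL the equivalent of the second layer is a dedicated account granted only SELECT on the test schema, so that a query the screen misses still cannot modify or delete records.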
The skill can perform whatever signed ISP API calls are placed in the test config, including potentially state-changing calls if configured that way.
The runner builds and sends signed requests to the configured API endpoint and method. This is central to an API testing skill, but it is powerful if pointed at production or non-idempotent methods.
base_url = meta["base_url"].rstrip("/") ... parts.append("method=" + meta["method"]) ... requests.post(url, json=body, headers=headers, timeout=timeout)
Keep configs limited to approved test endpoints and non-destructive test cases, and review method names and request bodies before execution.
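As an added example serving both the embedded-credential finding and this one, the pre-flight check below is what a reviewer would put in front of the runner before any signed request is built. It is not the skill's code; the approved host and method lists, the env: reference convention for secrets, and both sample configs are hypothetical (the placeholder values are not the ones quoted from the skill). It refuses plain-HTTP or unapproved endpoints, methods outside a reviewed non-destructive allowlist, and any secret written into the config instead of referenced from the user's environment.

```python
from urllib.parse import urlparse

# Hypothetical review policy: the only hosts and methods this runner may be pointed at.
APPROVED_TEST_HOSTS = {"opapi.test.example.com"}
APPROVED_METHODS = {"invoice.query", "taxcode.query"}
SECRET_FIELDS = ("appKey", "appSecret", "password")

# Constructed configs; values are placeholders, not the ones quoted in the finding.
UNSAFE_CONFIG = {
    "base_url": "http://opapi.test.example.com/router/rest",
    "method": "invoice.delete",
    "appKey": "1000000",
    "appSecret": "00000000-0000-0000-0000-000000000000",
    "password": "Password1.",
}
SAFE_CONFIG = {
    "base_url": "https://opapi.test.example.com/router/rest",
    "method": "invoice.query",
    "appKey": "env:ISP_APP_KEY",
    "appSecret": "env:ISP_APP_SECRET",
    "password": "env:ISP_PASSWORD",
}
SAMPLE_ENV = {"ISP_APP_KEY": "k", "ISP_APP_SECRET": "s", "ISP_PASSWORD": "p"}


def validate_config(meta: dict, env: dict) -> list:
    """Return the reasons a config must not be executed; an empty list means it passes."""
    problems = []
    url = urlparse(meta.get("base_url", ""))
    if url.scheme != "https":
        problems.append("base_url is not https: credentials and tokens would travel in clear text")
    if url.hostname not in APPROVED_TEST_HOSTS:
        problems.append(f"host {url.hostname!r} is not an approved test endpoint")
    method = meta.get("method", "")
    if method not in APPROVED_METHODS:
        problems.append(f"method {method!r} is not on the reviewed non-destructive allowlist")
    for field in SECRET_FIELDS:
        value = meta.get(field)
        if value is None:
            problems.append(f"{field} is missing")
        elif not value.startswith("env:"):
            problems.append(f"{field} is embedded in the config; reference an environment variable instead")
        elif value[4:] not in env:
            problems.append(f"{field} points at unset environment variable {value[4:]}")
    return problems


def resolve_secrets(meta: dict, env: dict) -> dict:
    """Replace env: references with values from the user's environment; everything else is kept."""
    resolved = dict(meta)
    for field in SECRET_FIELDS:
        resolved[field] = env[meta[field][4:]]
    return resolved


def prepare_request(meta: dict, env: dict) -> tuple:
    """Gate the runner: validate, resolve secrets, and return the URL (with method) plus resolved config."""
    problems = validate_config(meta, env)
    if problems:
        raise ValueError("refusing to run test config:\n  " + "\n  ".join(problems))
    resolved = resolve_secrets(meta, env)
    base_url = resolved["base_url"].rstrip("/")
    # Mirrors the runner's base_url/method handling only; request signing is left to the skill's own code.
    return f"{base_url}?method={resolved['method']}", resolved


def refuses(meta: dict, env: dict) -> bool:
    """True when prepare_request rejects the config."""
    try:
        prepare_request(meta, env)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for problem in validate_config(UNSAFE_CONFIG, {}):
        print("-", problem)
    print(prepare_request(SAFE_CONFIG, SAMPLE_ENV)[0])
```

Declaring the three secret fields in the skill's metadata as required user-supplied values, rather than shipping them in the config, is what makes the env: convention enforceable.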
Behavior may depend on local versions of other skills or packages that were not reviewed in this artifact set.
The documentation references other skill scripts and unpinned pip packages, while the provided install metadata has no dependency declarations.
`~/.workbuddy/skills/isp-login-skill/scripts/isp_auth.py` ... `~/.workbuddy/skills/queryDB-skill/scripts/db_query.py` ... `~/.workbuddy/skills/api-test-reporter/scripts/generate_report.py` ... `pip install requests pymysql`
Verify and pin required package versions, and review any referenced cross-skill scripts before using them with credentials or test data.
Generated report files may contain invoice, tax, account, or other business data and could be shared or retained unintentionally.
The skill intentionally stores raw test results and report data, and its test data may come from real database records.
`test_results_<method>_<timestamp>.json`: raw results ... `__REPORT_DATA__.js`: report data file ... input parameters for positive test cases must come from real database data
Store reports in a controlled location, avoid committing them to source control, and sanitize or delete outputs after testing.
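An added example of the sanitization step, not part of the skill: a redactor that walks a raw result file of the shape described above, replaces the values of account, credential and business-record fields, and then verifies that none of the original sensitive values survive in the output. The sample result and the list of sensitive keys are constructed for the example and would be tuned to the real ISP API's field names.

```python
import json

# Constructed sample of a test_results_<method>_<timestamp>.json record; not an actual skill output.
SAMPLE_RESULT = {
    "method": "invoice.query",
    "request": {"appKey": "1000000", "token": "tok_abcdef123456", "invoiceNo": "INV-001"},
    "response": {
        "code": 0,
        "data": [{"invoiceNo": "INV-001", "taxNo": "91310000MA1FL0000X", "amount": 100.0}],
    },
}

# Keys whose values identify accounts, credentials or business records (hypothetical list).
SENSITIVE_KEYS = {"appKey", "appSecret", "password", "token", "taxNo", "invoiceNo"}


def redact(obj, sensitive=SENSITIVE_KEYS):
    """Return a deep copy with sensitive values replaced; structure and other fields are kept."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k in sensitive else redact(v, sensitive)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, sensitive) for v in obj]
    return obj


def sensitive_values(obj, sensitive=SENSITIVE_KEYS) -> list:
    """Collect the original sensitive values so the output can be checked for leaks."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k in sensitive:
                found.append(str(v))
            else:
                found.extend(sensitive_values(v, sensitive))
    elif isinstance(obj, list):
        for v in obj:
            found.extend(sensitive_values(v, sensitive))
    return found


def sanitize_report(raw: dict) -> str:
    """Serialize the redacted record; refuse to emit it if any original sensitive value leaked through."""
    text = json.dumps(redact(raw), ensure_ascii=False, indent=2)
    leaked = [v for v in sensitive_values(raw) if v in text]
    if leaked:
        raise ValueError(f"sanitization failed, values still present: {leaked}")
    return text


def sanitized_dict(raw: dict) -> dict:
    """Convenience wrapper returning the sanitized record as a dict."""
    return json.loads(sanitize_report(raw))


if __name__ == "__main__":
    print(sanitize_report(SAMPLE_RESULT))
```

Run this over every test_results_*.json and the __REPORT_DATA__.js payload before a report leaves the test machine; the leak check at the end is what catches a field name that was missed in the key list.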
