ClawHub

APITester Agent-Driven API Testing

v1.0.0

Test API endpoints and document responses. Define tests in plain English, run them, get formatted results. Agent-driven Postman alternative.

0· 770·10 current·10 all-time
byShadow Rose@theshadowrose
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (agent-driven API testing) align with the included JavaScript implementation and SKILL.md examples. The skill does not request unrelated credentials, binaries, or config paths; the code implements HTTP(S) requests, result collection, variable chaining, and report formatting which matches the stated feature set.
Instruction Scope
SKILL.md limits behavior to running tests defined in YAML and generating reports. It does not instruct the agent to read unrelated files or env vars. However, tests are user-provided and may cause the agent to make arbitrary outbound HTTP requests (including to internal endpoints) and submit arbitrary request bodies, so test definitions themselves are a potential vector for accidental data leakage if they include secrets or target attacker-controlled endpoints.
Install Mechanism
No install spec or remote downloads; this is effectively instruction-only with a bundled JS file. Nothing is fetched from external URLs during install, which minimizes supply-chain risk. The single included source file is small and readable.
Credentials
The skill declares no required environment variables or credentials (proportional). Still, test definitions may legitimately contain sensitive tokens/credentials for the APIs being tested; users should avoid embedding long-lived secrets in shared test YAMLs and ensure sensitive values are stored/managed appropriately outside of public test definitions.
Persistence & Privilege
always is false and the skill does not request permanent platform-level privileges or modify other skills. The code does not persist data to disk (fs is imported but not used), so it does not create long-lived on-disk credentials or change agent configuration.
Assessment
This skill appears to be a straightforward API tester and is internally coherent. Before installing: (1) review any YAML test files you run — they can make arbitrary HTTP requests and may send sensitive data; do not include secrets in public/shared tests, use environment-specific secret management where possible; (2) run tests in a controlled environment or sandbox if you need to avoid contacting internal services or leaking data; (3) if you plan to run this in CI or with real credentials, audit the included src/api-tester.js (it is small and readable) and ensure network egress rules meet your policies. Minor note: the source requires 'fs' but doesn't use it; harmless but worth auditing if you modify the code.

Like a lobster shell, security has layers — review code before you run it.

apivk973z60sy50vqcmskrhxpw1crs82q2f3api-testervk973z60sy50vqcmskrhxpw1crs82q2f3debuggingvk973z60sy50vqcmskrhxpw1crs82q2f3httpvk973z60sy50vqcmskrhxpw1crs82q2f3latestvk973z60sy50vqcmskrhxpw1crs82q2f3testingvk973z60sy50vqcmskrhxpw1crs82q2f3validationvk973z60sy50vqcmskrhxpw1crs82q2f3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments