ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Perftest

v3.0.0

Run HTTP performance tests with latency and throughput measurement. Use when benchmarking web services. Requires curl.

0· 240·0 current·0 all-time
by@bytesagain1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (HTTP performance tests) match what is present: SKILL.md documents curl-based commands and the included script implements http, latency, throughput, stress, report, compare. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions and the script only operate on user-supplied URLs/filenames and store data under ~/.local/share/perftest. report/compare will read files provided by the user (e.g., 'report <logfile>' and 'compare <f1 f2') — this is expected but means sensitive local files should not be passed. There is no logic that collects environment variables or contacts fixed external endpoints beyond the user-supplied URLs.
Install Mechanism
No install spec (instruction-only plus a script) — lowest-risk model. The script relies on common Unix tools (curl, awk, head, seq) but does not download or execute remote code.
Credentials
No environment variables or credentials are requested. The script uses $HOME to create ~/.local/share/perftest for data storage, which is proportional to its stated purpose.
Persistence & Privilege
always:false and no special privileges requested. The skill does not modify other skills or system-wide settings; it only writes its own data under the user's home directory.
Assessment
This skill appears to be a straightforward curl-based benchmarking helper. Before installing or running: ensure curl (and common utilities like awk, head, seq) are available; only supply URLs you trust for testing; do not pass sensitive local filenames to report/compare (they will be read). The script writes data to ~/.local/share/perftest. Note there are minor functional bugs (some echo strings use single quotes so variables won't expand) but no signs of hidden endpoints, credential exfiltration, or unexpected network calls. If you need stronger isolation, run the script in a sandbox or container.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f026rgjras4haj24adf6sgd837bar

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments