Api Tester
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could send data or make changes to APIs you specify, including POST, PUT, or DELETE requests.
The skill intentionally exposes broad HTTP methods, headers, and request bodies to user-specified endpoints. This is purpose-aligned for API testing, but non-GET methods can change remote systems if used with live APIs.
Perform structured HTTP/HTTPS requests (GET, POST, PUT, DELETE) with custom headers and JSON body support.
Use explicit endpoints, methods, headers, and bodies; review credentialed or non-GET requests before allowing them to run.
If you provide an API token, the skill can use that token against the destination endpoint you choose.
The documented example supports forwarding user-provided authorization tokens in HTTP headers. The code does not hardcode or store tokens, but any provided token grants the request whatever permissions that API token has.
const headers = { 'Authorization': 'Bearer <token>' };Only send tokens to trusted HTTPS endpoints, use least-privilege test credentials where possible, and avoid sharing production secrets unless necessary.