Api Tester

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: api-tester
Version: 1.0.0

The OpenClaw AgentSkills bundle 'api-tester' is designed to perform structured HTTP/HTTPS requests, functioning as a basic API client. The `index.js` file implements this functionality using Node.js's built-in `http` and `https` modules, allowing configurable methods, endpoints, headers, and bodies. The `SKILL.md` documentation accurately describes its purpose and usage without any prompt injection attempts or instructions for malicious behavior. There is no evidence of intentional harmful actions such as data exfiltration, unauthorized execution, persistence mechanisms, or obfuscation. While the capability to make arbitrary network requests could be misused by a malicious user of the agent, the skill itself merely provides the stated functionality without inherent malicious intent or exploitable vulnerabilities in its implementation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could send data or make changes to APIs you specify, including POST, PUT, or DELETE requests.

Why it was flagged

The skill intentionally exposes broad HTTP methods, headers, and request bodies to user-specified endpoints. This is purpose-aligned for API testing, but non-GET methods can change remote systems if used with live APIs.

Skill content

Perform structured HTTP/HTTPS requests (GET, POST, PUT, DELETE) with custom headers and JSON body support.

Recommendation

Use explicit endpoints, methods, headers, and bodies; review credentialed or non-GET requests before allowing them to run.

What this means

If you provide an API token, the skill can use that token against the destination endpoint you choose.

Why it was flagged

The documented example supports forwarding user-provided authorization tokens in HTTP headers. The code does not hardcode or store tokens, but any provided token grants the request whatever permissions that API token has.

Skill content

const headers = { 'Authorization': 'Bearer <token>' };

Recommendation

Only send tokens to trusted HTTPS endpoints, use least-privilege test credentials where possible, and avoid sharing production secrets unless necessary.