Fixture
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: fixture Version: 1.0.0 The 'fixture' skill bundle is a legitimate utility for generating and managing test data fixtures. It stores data locally in the user's home directory (~/.fixture/) and provides standard CLI operations like creating, seeding, and exporting datasets. The implementation in scripts/script.sh uses safe practices, such as passing arguments via environment variables to embedded Python scripts to avoid shell injection. While the SQL export functionality in the export command lacks sanitization (making the resulting SQL file potentially unsafe if executed blindly), this is a common functional limitation rather than a sign of malice. No evidence of data exfiltration, unauthorized network access, or persistence mechanisms was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs local script code that can create, modify, or delete local fixture data.
The skill explicitly runs a bundled shell script with embedded Python. This is central to the CLI fixture purpose and is not hidden, but it is still local code execution.
Run commands via: `bash scripts/script.sh <command> [arguments...]`
Use it only from the trusted skill source and review destructive commands before allowing the agent to run them.
A mistaken command could overwrite an output file or clear stored fixture records.
The CLI exposes file import/export and deletion-style fixture reset operations. These are disclosed and fit the tool’s purpose, but they should remain user-directed.
`load --file`, `dump --output`, `export --output`, and `reset --confirm`
Confirm file paths and avoid using `reset --confirm` unless you intentionally want to clear the fixture store.
The skill may fail or behave differently if the expected local bash/Python environment is unavailable or unusual.
The metadata does not declare runtime binaries even though SKILL.md lists Python 3.8+ and bash as prerequisites. This is an under-declared setup requirement, not evidence of hidden behavior.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
Ensure bash and Python 3.8+ are available before use.
Fixture data remains on disk and can later be listed, dumped, or exported.
The skill maintains persistent local fixture and template data that can be reused by later commands. This is disclosed and expected, but users should avoid storing sensitive real data unintentionally.
All fixtures are stored in JSONL format at `~/.fixture/data.jsonl`. Templates are stored at `~/.fixture/templates.json`.
Use mock or non-sensitive data where possible, and reset or delete ~/.fixture/ when you no longer need the stored fixtures.