Api Quick Tester
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward API testing/mock-data skill, but users should be careful because it can send authenticated and potentially mutating HTTP requests to user-supplied URLs.
This skill looks safe for its stated purpose, but treat it like any API client: use test credentials when possible, double-check URLs and methods before making requests, and be especially careful with production APIs or DELETE/POST/PUT/PATCH operations.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a real API, the tool could create, update, or delete data depending on the endpoint and method chosen.
The skill documents support for HTTP methods that can modify or delete data on real APIs. This is expected for an API tester, but users should avoid running these against production services without intent.
- POST - PUT - PATCH - DELETE
Use safe test environments or confirm the endpoint and method before sending POST, PUT, PATCH, or DELETE requests.
Supplying real credentials lets the tool act with the permissions of those credentials against the chosen API.
The tool can attach Bearer, Basic, or API-key credentials to requests. This is purpose-aligned for API testing and there is no evidence of credential logging or exfiltration, but it is still sensitive authority.
headers['Authorization'] = `Bearer ${parts[0]}`; ... headers['Authorization'] = `Basic ${credentials}`; ... headers[parts[0]] = parts[1];Use short-lived or test credentials where possible, and only send credentials to endpoints you trust.
Some documented commands may fail or require files that were not included in the reviewed package.
The documentation references batch-test.js and graphql.js, but the provided manifest only includes SKILL.md, mock.js, and test.js. This suggests advertised features are incomplete in the reviewed artifacts.
node ~/.openclaw/skills/api-quick-tester/batch-test.js --file api-tests.json ... node ~/.openclaw/skills/api-quick-tester/graphql.js --url
Verify which files are actually installed before relying on batch or GraphQL functionality.