Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
LLM Tester
v1.0.0LLM 模型对比测试工具。支持多模型批量对比测试,自动记录耗时、Token 消耗、成功率,生成 JSON 格式对比报告。当需要评估不同 LLM 模型在特定任务上的表现时使用。
⭐ 0· 30·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (LLM model comparison/benchmarking) matches the included script: it loads samples and prompts, calls an LLM HTTP API, records timing/tokens, and writes a JSON report. Default model names (qwen...) and the behaviour are consistent with the stated purpose. Note: the registry metadata claims no required environment variables, but both SKILL.md and the script require DASHSCOPE_API_KEY and optionally LLM_API_BASE — this metadata omission is an incoherence.
Instruction Scope
SKILL.md instructs running scripts/llm_benchmark.py with sample and prompt directories and to set DASHSCOPE_API_KEY; the script performs only the expected actions (reads .txt files, formats prompts, posts to API_BASE, aggregates results, and writes a report). It does not access other system files or extra env vars. Note: it will transmit sample contents (up to 2000 characters per sample) to an external HTTP API — expected for a benchmarking tool but important for privacy.
Install Mechanism
No install spec is provided (instruction-only install), and dependencies are minimal (requests). The skill includes scripts/requirements.txt and instructs pip install -r, which is reasonable. No downloads from arbitrary URLs or extraction behavior present.
Credentials
The script requires DASHSCOPE_API_KEY and supports overriding LLM_API_BASE; both are proportional to an HTTP-based LLM client. However, registry metadata incorrectly lists 'Required env vars: none' while both SKILL.md and scripts use DASHSCOPE_API_KEY — this mismatch is a practical risk (user may not realize a secret is needed). Also, providing the API key and sample data will send potentially sensitive content to the external service, so confirm trustworthiness of the key/endpoint before use.
Persistence & Privilege
The skill does not request permanent/always-on presence, does not modify other skills or system configurations, and does not add privileged behaviour. It only runs when invoked.
What to consider before installing
This tool appears to do what it says: it reads .txt samples and prompts, posts formatted prompts to an HTTP LLM API, collects timing/token info, and writes a JSON report. Before installing or running: 1) Be aware you must set DASHSCOPE_API_KEY (the registry metadata incorrectly omitted this); without it the script will fail. 2) The default API endpoint (LLM_API_BASE) is https://coding.dashscope.aliyuncs.com; confirm you trust that service — your sample texts (up to 2000 chars each) and prompts are sent to it. Avoid sending sensitive data unless you control or trust the endpoint. 3) Install the dependency (requests) in a controlled environment (pip install -r scripts/requirements.txt). 4) If you prefer not to use the default endpoint, set LLM_API_BASE to a trusted API or proxy that you control. 5) If you need higher assurance, review the API provider's privacy/security terms or run benchmarking against local/self-hosted models.Like a lobster shell, security has layers — review code before you run it.
latestvk971w6vga6j2w3hpqfs7t30za584teyc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.