ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

QA API Tester

v1.0.0

API interface testing and automation. Send HTTP requests, validate responses, chain API calls, generate test scripts (Python requests/pytest, curl, Postman c...

0· 30·0 current·0 all-time
by@zhanghengyi1986-afk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (API testing, generating pytest/requests scripts, curl/Postman) aligns with the instructions. However the declared required binaries list only curl and python3 while the instructions also use jq and invoke pytest (python3 -m pytest) and the requests library — these runtime dependencies are not declared in the metadata, making the registry metadata incomplete and incoherent.
!
Instruction Scope
SKILL.md instructs the agent to run curl commands referencing $TOKEN and to save/run tests in ~/.openclaw/workspace. It suggests using an environment variable TOKEN (and storing tests locally) but requires.env is empty. The doc also pipes curl output to jq (jq usage not declared). The instructions do not ask to read unrelated host files, nor do they exfiltrate to unknown endpoints, but they do assume/require local tooling and environment values that are not declared in the skill manifest.
Install Mechanism
Instruction-only skill with no install spec — low install risk. Nothing will be downloaded or written by an installer, but the skill expects the environment to already have certain tools (see concerns above).
Credentials
The skill does not request credentials in the manifest (requires.env is empty), but the examples and generated scripts rely on API tokens (e.g., $TOKEN) and user-supplied credentials for auth flows. Requesting tokens for the service under test is proportionate, but the manifest should explicitly list expected env vars (e.g., TOKEN, BASE_URL) and any sensitive data practices.
Persistence & Privilege
No elevated privileges or always:true. The skill suggests writing test files to ~/.openclaw/workspace which is the skill's working area; it does not request system-wide changes or modify other skills' configs.
What to consider before installing
This skill appears to genuinely provide API testing helpers, but the metadata is incomplete. Before installing or running it: (1) ensure required tools are present — curl, python3, jq, pytest (or the Python packages requests and pytest) — or be prepared to install them; (2) don't run tests against production systems or provide real credentials until you verify endpoints and test payloads; (3) avoid putting long-lived secrets directly in files under ~/.openclaw/workspace — use ephemeral tokens or CI/service accounts; (4) ask the publisher to update the manifest to list expected env vars (e.g., TOKEN, BASE_URL) and dependencies so you know what the skill truly needs; (5) run the generated scripts in an isolated environment (container or throwaway VM) the first time to confirm behavior. These mismatches look like sloppy metadata rather than malicious intent, but verify dependencies and endpoints before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk972bjqqdyvekpy64ppw7etrad84w5nz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧪 Clawdis
Binscurl, python3

Comments