ClawHub
Back to skill

Security audit

QA API Tester

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward API testing helper, but users should avoid running its write/delete or concurrency examples against production systems without authorization.

Install only if you want help generating or running API tests. Review generated commands before execution, use staging or disposable data for POST/PUT/PATCH/DELETE tests, avoid production tokens, and run concurrent request examples only on systems you own or are authorized to test within agreed rate limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes a full CRUD workflow with create, update, and delete operations against an API but does not explicitly warn users that these examples can modify or permanently remove real data if pointed at non-test environments. In a testing skill, this omission is risky because users may copy the workflow into staging or production systems and cause unintended data loss or integrity issues.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The performance-check section provides repeated and concurrent request examples without an explicit caution about rate limits, service degradation, or the need for authorization from the target owner. Even modest concurrency guidance can be misused against production endpoints or third-party services, creating avoidable availability impact.

Chaining Abuse

High
Category
Tool Misuse
Content
done

# Concurrent requests (requires GNU parallel or xargs)
seq 1 50 | xargs -P 10 -I {} curl -s -o /dev/null -w "{}: %{http_code} %{time_total}s\n" \
  "https://api.example.com/health"
```
Confidence
89% confidence
Finding
| xargs -P 10 -I {} curl

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.