api-test-runner

The skill mostly does what it says (API testing + TestRail reporting) but its metadata omits required credentials and the runtime sends full request/response data (headers/bodies) to an external TestRail endpoint and will execute requests found in provided OpenAPI specs — both create notable privacy/SSRF/exfiltration risks.

This skill appears to implement API testing and TestRail reporting, but take these precautions before installing: - Expect to provide TESTRAIL_URL, TESTRAIL_USER, and TESTRAIL_API_KEY (the package metadata does not declare these — that's an inconsistency). Only use TestRail credentials for an account with minimal permissions for testing. - The tool uploads full request/response headers and bodies to TestRail. If your API responses or request headers contain secrets (Authorization: Bearer ..., cookies, API keys, PII), those will be sent to the TestRail instance. Consider not using real credentials in tests, or modify the code to redact/mask sensitive headers/bodies before reporting. - Running this against OpenAPI specs that point to internal services can cause requests to internal endpoints (SSRF/internal network access). Run it in a controlled environment (network-restricted sandbox) or review/override the 'servers' URLs in the spec before running. - Review the included scripts/run.py source yourself or with a security engineer. If you proceed, run with a test/dedicated TestRail project and monitor outgoing requests. Also request that the publisher update the registry metadata to declare required env vars and document what fields are transmitted. Given these gaps and the exfiltration potential, treat the skill as suspicious until the above issues are addressed.