api-load-tester

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: In Step 4, the skill constructs and executes shell commands (using tools like hey, ab, and curl) by directly interpolating user-provided inputs such as URLs, HTTP methods, headers, and request bodies.
  • [DATA_EXFILTRATION]: The skill requests sensitive information including API keys and Bearer tokens to perform authenticated tests. These secrets are sent to user-specified URLs, which could lead to credential theft if the target URL is attacker-controlled.
  • [REMOTE_CODE_EXECUTION]: The skill generates Lua scripts for the wrk benchmarking tool based on user-supplied parameters. This dynamic code generation could allow for execution of arbitrary code within the tool's context.
  • [EXTERNAL_DOWNLOADS]: The skill is configured to fetch and install the hey load testing utility from its official GitHub repository if the tool is not already available on the local system.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 10, 2026, 05:26 PM