← Back to Skills Marketplace
Skill Tester
by
Alireza Rezvani
· GitHub ↗
· v2.1.1
· MIT-0
755
Downloads
0
Stars
10
Active Installs
3
Versions
Install in OpenClaw
/install skill-tester
Description
Skill Tester
Usage Guidance
This skill is a plausible QA/meta-skill and includes the right files, but it asks the agent to execute Python scripts (and to run validation across repositories). Before installing or running it:
- Review the full contents of scripts/script_tester.py, scripts/skill_validator.py and scripts/quality_scorer.py to confirm they do only static analysis or safely sandbox execution. Look for uses of subprocess, os.system, socket/network libraries, eval/exec, or code that reads files outside the supplied skill directories.
- If you must run it, do so in an isolated environment (dedicated CI runner or container) with no network access and minimal file permissions so that executing arbitrary skill code cannot reach secrets or other repositories.
- Prefer a mode that performs static checks (AST/import analysis) over actually executing untrusted target scripts; if runtime execution is necessary, require explicit sandboxing (e.g., container, restricted user, seccomp) and timeouts.
- If you control the repo, limit the set of directories passed to the tool and avoid running it with elevated privileges.
Additional information that would reduce concern: code-level evidence that runtime testing uses a robust sandbox (process isolation, network disabled, chroot/container, strict time/resource limits) or that the tool can operate entirely in a static-analysis/dry-run mode without executing target scripts. Conversely, finding direct subprocess/network/file‑exfiltration code in the tester scripts would increase my severity to high.
Capability Analysis
Type: OpenClaw Skill
Name: skill-tester
Version: 2.1.1
The 'skill-tester' bundle is a meta-utility designed for quality assurance and scoring of other OpenClaw skills. While the code is well-documented and aligned with its stated purpose, 'scripts/script_tester.py' implements high-risk functionality by using 'subprocess.run' to execute Python scripts found in target directories to verify their runtime behavior. This capability provides a primitive for local code execution that could be exploited if the AI agent is directed to test a malicious skill bundle. No evidence of intentional malice, data exfiltration, or hardcoded IOCs was found.
Capability Assessment
Purpose & Capability
Name/description (Skill Tester) matches the included artifacts: validator, tester, and scorer scripts plus documentation and sample assets. Files and runtime expectations (reading skill directories, running Python scripts, producing JSON/text reports) are consistent with a QA/meta-skill.
Instruction Scope
The SKILL.md and README explicitly instruct running script_tester.py, skill_validator.py, and quality_scorer.py against arbitrary skill directories and in batch/CI scenarios. That implies executing third‑party Python code (the target skills' scripts) in the agent environment. Execution of untrusted scripts can read any files the agent can access, open network connections, or run subprocesses — SKILL.md mentions timeout protection and 'controlled execution' but does not demonstrate a secure sandbox. This broad runtime scope is the main risk.
Install Mechanism
No install spec (instruction-only) — minimal disk footprint from the platform perspective. The skill bundle includes Python scripts but does not download or extract external archives or run third‑party installers; this is lower install risk.
Credentials
The skill does not request environment variables or credentials (proportional). However, it requires filesystem read access and permission to execute Python in order to perform its function. Those capabilities could be leveraged to access secrets on disk or environment if the skill or the target skills being executed are malicious.
Persistence & Privilege
always=false and there is no indication the skill modifies other skills or global agent configuration. Autonomous invocation is allowed (platform default) but not, by itself, a new risk here — the real concern is what the skill does when invoked (see instruction_scope).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skill-tester - After installation, invoke the skill by name or use
/skill-tester - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.1
v2.1.1: optimization, reference splits
v1.0.1
- Minor update to scripts/skill_validator.py.
- No user-facing documentation or feature changes.
- SKILL.md remains identical; no changes to usage or functionality described.
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Skill Tester?
Skill Tester. It is an AI Agent Skill for Claude Code / OpenClaw, with 755 downloads so far.
How do I install Skill Tester?
Run "/install skill-tester" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Tester free?
Yes, Skill Tester is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Skill Tester support?
Skill Tester is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Skill Tester?
It is built and maintained by Alireza Rezvani (@alirezarezvani); the current version is v2.1.1.
More Skills