
Rate Limit Validator — Skill Tool

v1.0.0

[auto-translated] Test whether an HTTP endpoint enforces rate limiting. Sends a burst of requests and checks for 429 responses, Retry-After, and X-RateLimit headers. Us...

by @techris93 (Onyedika Christopher Agada)·MIT-0
License
MIT-0
Last updated
2026/4/11
Security scan
VirusTotal
Suspicious
OpenClaw
Safe
medium confidence
The skill's requirements and instructions match its stated purpose of testing HTTP rate limiting, with only minor inconsistencies and operational caveats to be aware of.
Assessment advice
This skill is coherent and lightweight, but review these practical points before using it:
  • Ensure you have explicit permission to run burst tests against the target (testing third-party services without authorization can be abusive or illegal).
  • The script declares curl as required but also calls bash, seq, grep, and rm; make sure those are available on the host or add them to the declared dependencies.
  • The provided test is sequential (not concurrent); depending on the gateway's throttling...
Detailed analysis
Purpose and capabilities
Name and description match the runtime instructions: the SKILL.md provides a simple curl-based script to send a burst of GETs and check for 429 and rate-limit headers. The requested binary (curl) is appropriate for the stated task.
Instruction scope
The runtime script sends repeated requests to a target and checks headers — this stays within the stated purpose. However the script assumes additional utilities (bash, seq, grep, rm) that are not listed in requires.bins. The SKILL.md explicitly notes this is for testing your own deployments, but the instructions do not enforce or verify authorization — an operator must ensure they have permission to test a remote service to avoid abuse/DoS.
Installation mechanism
Instruction-only skill with no install steps or external downloads. This minimizes supply-chain risk.
Credential requirements
No environment variables, credentials, or config paths are requested. The level of requested access is proportionate to the stated purpose.
Persistence and permissions
The skill does not request permanent presence (always: false) or modify other skills or system configs. It runs ad-hoc tests as expected.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Version

latest · v1.0.0 · 2026/3/3

Initial release of the rate-limit-validator skill.
  • Tests if an HTTP endpoint enforces rate limiting by sending a burst of requests and analyzing responses.
  • Checks for HTTP 429 responses, as well as Retry-After and X-RateLimit headers.
  • Useful for validating API/gateway throttling before production deployment.
  • Designed to confirm rate limit middleware or to audit third-party services.
  • Requires curl to run.


Install command

Official: npx clawhub@latest install rate-limit-validator
Mirror: npx clawhub@latest install rate-limit-validator --registry https://cn.clawhub-mirror.com

Skill documentation

Tests whether an HTTP endpoint actually enforces rate limiting.

Most rate-limit skills help you add rate limiting. This one helps you check if it's working — or if it's missing entirely.

What it checks

  • Whether the server returns HTTP 429 under burst load
  • Presence of Retry-After header
  • Presence of X-RateLimit-Limit and X-RateLimit-Remaining headers
  • Response time degradation under sustained requests

When to use it

  • Before deploying an API or gateway to production
  • After adding rate-limit middleware, to confirm it works
  • When auditing a third-party service you depend on
  • Validating threat model mitigations (e.g. T-IMPACT-002)

Example prompts

  • "Test if my gateway has rate limiting"
  • "Validate rate limiting on http://localhost:18789"
  • "Check if my API throttles requests"

Test script

#!/bin/bash
# Usage: ratelimit-test.sh [TARGET_URL] [REQUEST_COUNT]
TARGET="${1:-http://localhost:18789/}"
COUNT="${2:-50}"
TMP="/tmp/ratelimit-test-$$.txt"

echo "Target: $TARGET"
echo "Requests: $COUNT"
echo ""

# Burst: one HTTP status code per line
: > "$TMP"
for i in $(seq 1 "$COUNT"); do
  curl -s -o /dev/null -w "%{http_code}" "$TARGET" >> "$TMP"
  echo "" >> "$TMP"
done

# Anchored patterns count whole status codes only; grep -c already prints 0
# when nothing matches, so a fallback "echo 0" would produce "0 0" and break
# the integer comparison below
TOTAL_200=$(grep -c '^200$' "$TMP")
TOTAL_429=$(grep -c '^429$' "$TMP")

echo "Allowed (200): $TOTAL_200"
echo "Throttled (429): $TOTAL_429"
echo ""

# Rate-limit headers are sampled from a single HEAD request
HEADERS=$(curl -sI "$TARGET")
echo "$HEADERS" | grep -qi "retry-after" && echo "Retry-After: present" || echo "Retry-After: missing"
echo "$HEADERS" | grep -qi "x-ratelimit" && echo "X-RateLimit: present" || echo "X-RateLimit: missing"

echo ""
if [ "$TOTAL_429" -gt 0 ]; then
  echo "Result: rate limiting is active ($TOTAL_429/$COUNT throttled)"
else
  echo "Result: no rate limiting detected ($TOTAL_200/$COUNT allowed through)"
fi

rm -f "$TMP"
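As an added example that is not the skill's own script, a Python counterpart that reads Retry-After and X-RateLimit headers from every response in the burst itself, rather than from a separate HEAD request as the bash script does, and checks that X-RateLimit-Remaining actually counts down before the first 429. The `run_burst` helper and the `SAMPLE` responses are constructed for this example.

```python
import urllib.request
import urllib.error
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def run_burst(url, count=50, timeout=5):
    """GET `url` count times; keep (status, headers) of every response, 429s included."""
    results = []
    for _ in range(count):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results.append((resp.status, dict(resp.headers)))
        except urllib.error.HTTPError as err:  # 429 raises but still carries headers
            results.append((err.code, dict(err.headers)))
    return results

def parse_retry_after(value, now=None):
    """Retry-After is delay-seconds or an HTTP-date; return whole seconds or None."""
    if not value:
        return None
    if value.isdigit():
        return int(value)
    try:  # HTTP-date: seconds from now, clamped at 0
        when = parsedate_to_datetime(value)
        now = now or datetime.now(timezone.utc)
        return max(0, int((when - now).total_seconds()))
    except (TypeError, ValueError):
        return None

def analyze_burst(results):
    """Where throttling started, the Retry-After delay, and whether Remaining counts down."""
    codes = [c for c, _ in results]
    hdrs = [{k.lower(): v for k, v in h.items()} for _, h in results]
    first_429 = next((i for i, c in enumerate(codes) if c == 429), None)
    before = hdrs[:first_429] if first_429 is not None else hdrs
    remaining = [int(h["x-ratelimit-remaining"]) for h in before
                 if h.get("x-ratelimit-remaining", "").isdigit()]
    return {
        "allowed": codes.count(200),
        "throttled": codes.count(429),
        "first_429_at": first_429,
        "retry_after": None if first_429 is None else parse_retry_after(hdrs[first_429].get("retry-after")),
        "limit_header": any("x-ratelimit-limit" in h for h in hdrs),
        "remaining_counts_down": len(remaining) > 1 and all(a >= b for a, b in zip(remaining, remaining[1:])),
        "verdict": "rate limiting is active" if 429 in codes else "no rate limiting detected",
    }

# Constructed sample: a limit of 3 requests, then two throttled responses with Retry-After.
SAMPLE = [(200, {"X-RateLimit-Limit": "3", "X-RateLimit-Remaining": str(r)}) for r in (2, 1, 0)]
SAMPLE += [(429, {"Retry-After": "30", "X-RateLimit-Limit": "3", "X-RateLimit-Remaining": "0"})] * 2
```

Against a live deployment, `analyze_burst(run_burst("http://localhost:18789/", 50))` gives the same summary for real responses.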

Notes

  • Only sends GET requests, no payloads
  • Meant for testing your own deployments, not for attacking others
  • In OpenClaw's trust model, rate limiting is a hardening measure, not a security boundary (authenticated callers are trusted operators)

References

Data source: ClawHub · Chinese localization: 龙虾技能库