Rate Limit Validator
Tests whether an HTTP endpoint actually enforces rate limiting.
Most rate-limit skills help you add rate limiting. This one helps you check if it's working — or if it's missing entirely.
What it checks
- Whether the server returns HTTP 429 under burst load
- Presence of
Retry-Afterheader - Presence of
X-RateLimit-LimitandX-RateLimit-Remainingheaders - Response time degradation under sustained requests
When to use it
- Before deploying an API or gateway to production
- After adding rate-limit middleware, to confirm it works
- When auditing a third-party service you depend on
- Validating threat model mitigations (e.g. T-IMPACT-002)
Example prompts
- "Test if my gateway has rate limiting"
- "Validate rate limiting on http://localhost:18789"
- "Check if my API throttles requests"
Test script
#!/bin/bash
TARGET="${1:-http://localhost:18789/}"
COUNT="${2:-50}"
TMP="/tmp/ratelimit-test-$$.txt"
echo "Target: $TARGET"
echo "Requests: $COUNT"
echo ""
for i in $(seq 1 $COUNT); do
curl -s -o /dev/null -w "%{http_code}" "$TARGET" >> "$TMP"
echo "" >> "$TMP"
done
TOTAL_200=$(grep -c '200' "$TMP" || echo 0)
TOTAL_429=$(grep -c '429' "$TMP" || echo 0)
echo "Allowed (200): $TOTAL_200"
echo "Throttled (429): $TOTAL_429"
echo ""
HEADERS=$(curl -sI "$TARGET")
echo "$HEADERS" | grep -qi "retry-after" && echo "Retry-After: present" || echo "Retry-After: missing"
echo "$HEADERS" | grep -qi "x-ratelimit" && echo "X-RateLimit: present" || echo "X-RateLimit: missing"
echo ""
if [ "$TOTAL_429" -gt 0 ]; then
echo "Result: rate limiting is active ($TOTAL_429/$COUNT throttled)"
else
echo "Result: no rate limiting detected ($TOTAL_200/$COUNT allowed through)"
fi
rm -f "$TMP"
Notes
- Only sends GET requests, no payloads
- Meant for testing your own deployments, not for attacking others
- In OpenClaw's trust model, rate limiting is a hardening measure, not a security boundary (authenticated callers are trusted operators)