FastAPI Production Engineering

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only FastAPI engineering guide with some broad prompts and copy-paste caveats, but no evidence of hidden execution, data theft, persistence, or destructive behavior.

Safe to install as a documentation and code-pattern skill. Before applying generated changes, review diffs carefully, especially authentication, CORS, TrustedHostMiddleware, file uploads, secrets, Docker, CI, and database migration settings; replace placeholder or wildcard values with project-specific secure configuration.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium
Confidence: 83%
Finding
The Quick Start includes short, generic trigger phrases like 'add authentication' and 'prepare for production' that are broad enough to match normal user requests unintentionally. In agent ecosystems where skills are auto-invoked by phrase matching, this can cause the skill to activate when the user did not explicitly intend to use it, leading to incorrect context injection or unexpected actions.

Vague Triggers

Medium
Confidence: 92%
Finding
The skill exposes very broad natural-language triggers such as 'set up a new FastAPI project' and 'review my API security' without clear scoping, confirmation, or safety boundaries. In an agentic environment, this can cause over-broad invocation and unintended actions on the wrong project, environment, or sensitive codebase, especially when combined with commands that imply code generation or security review.

VirusTotal

56/56 vendors flagged this skill as clean.
