backend admin develop skill

v1.0.0

Develop and manage backend admin features including RBAC, multi-projects, image upload with S3 integration, dynamic content, system settings, and secure toke...

by zengkang@258468639
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (backend admin development) matches the SKILL.md content: a design/implementation guide for RBAC, projects, image upload, S3 integration, etc. The skill is instruction-only and requests no binaries or credentials in the registry metadata, which is consistent with a documentation/specification artifact.
Instruction Scope
The SKILL.md is purely descriptive and does not instruct an agent to read local files, environment variables, or external endpoints at runtime. However, it recommends implementation choices that are security-relevant (e.g., using SHA256 for password storage and storing auth tokens in localStorage). Those are implementation guidance issues (insecure practices) rather than scope creep, but they should be corrected in any real implementation.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk or executed by installing the skill. This is the lowest-risk install profile and it aligns with the skill being a documentation/spec file.
Credentials
The registry metadata declares no required env vars or credentials, but the SKILL.md documents deployment environment variables (S3_ENDPOINT, S3_ACCESS_KEY, S3_SECRET_KEY, S3_BUCKET, DATABASE_PATH, etc.). That is expected for a deployment guide, but those S3 credentials are sensitive — the skill itself does not request them, so be cautious about any later step or tool that asks you to supply keys.
Persistence & Privilege
always is false, there is no install step, and the skill does not request persistent agent privileges or modify other skills. Autonomous invocation is allowed (the platform default) but does not increase risk here because the skill contains only static documentation.
Assessment
This is a documentation-only skill for building a backend admin system and is internally consistent. It does not request credentials or install code by itself, so installing the skill is low-risk from a supply-chain perspective. Before you use the design or run any code derived from it, review and fix the security recommendations: do NOT store passwords with raw SHA256 (use bcrypt/argon2 with salt), avoid storing long-lived tokens in localStorage (prefer httpOnly secure cookies or short-lived tokens with refresh), enforce server-side validation and anti-virus scanning for uploads, scope and rotate S3 credentials (use least-privilege IAM roles where possible), enable HTTPS/CORS/rate-limiting, and validate/limit file types/sizes. Also confirm that no tool or script you run later will ask you to paste S3_ACCESS_KEY / S3_SECRET_KEY or other secrets into an untrusted UI. If you want more assurance, request the actual implementation code for a security review before deploying to production.
