Api Contract Auditor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a read-only API document review tool; the main caution is that it can read local files you point it at and save a report.
This skill is reasonable for read-only API contract reviews. Before using it, choose a narrow input path, avoid folders containing secrets or unrelated private files, and review the generated report before making any API or production changes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run a local script that reads the selected API material and writes a report file.
The skill may ask the agent to run a local Python helper and write a report. This is disclosed and purpose-aligned, but users should ensure the input and output paths are intentional.
Evidence quoted from the skill: "If the runtime environment allows shell / exec, the following can be used: `python3 "{baseDir}/scripts/run.py" --input <输入文件> --output <输出文件>`"
Run it only on intended documentation or examples, and choose the output path carefully; use stdout or dry-run behavior when handling sensitive material.
If pointed at a broad or private directory, the generated report may include names or headings from sensitive files.
When given a directory, the helper recursively samples local text/code-like files and uses filenames/headings in the report. This fits an API contract audit, but the selected directory may contain sensitive internal material.
Evidence from the helper script: `for path in root.rglob("*") ... if path.suffix.lower() in {".md",".txt",".json",".yaml",".yml",".py",".js",".ts",".csv",".tsv",".sh"}:`
Point the tool at a narrow API-docs directory, redact secrets before use, and avoid using repository roots or personal folders unless that content is intended for review.
