Senior Backend
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using a third-party or untrusted OpenAPI file could lead to unsafe generated backend code being added to a project.
OpenAPI schema pattern text is inserted directly into a generated TypeScript regex literal. A malicious or malformed spec could break generated code or inject unexpected TypeScript before the generated backend code is reviewed and run.
    if 'pattern' in s:
        zod += f'.regex(/{s["pattern"]}/)'
Only scaffold from trusted specs, review generated diffs before running or committing them, and update the generator to safely escape regex literals, quote property names, and serialize untrusted strings.
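The generator shape quoted above beside a hardened one, as an added example that is not code from the audited skill. The sample schemas (BENIGN, SLASHED, LITERAL_BREAK, QUOTE_BREAK), the function names and the render_object helper are constructed for illustration; the hardened form emits the property name and the pattern through json.dumps, which produces a valid JavaScript string literal, and passes the pattern to new RegExp() instead of splicing it into a /.../ literal.

```python
import json
import re

# Constructed sample property schemas (not taken from the audited skill).
BENIGN = {"type": "string", "pattern": "^[a-z]+$"}
# A '/' inside the pattern ends a TypeScript regex literal early.
SLASHED = {"type": "string", "pattern": "^v[0-9]+/[a-z]+$"}
# Closes the literal and the .regex() call, then appends arbitrary TypeScript.
LITERAL_BREAK = {"type": "string", "pattern": "a/).min(0); process.exit(1); //"}
# A regex that compiles but tries to break out of a double-quoted JS string.
QUOTE_BREAK = {"type": "string", "pattern": 'x"; process.exit(1); //'}


def unsafe_zod(prop_name: str, s: dict) -> str:
    """Generator shape from the finding: spec text dropped straight into a
    TypeScript regex literal, property name emitted unquoted."""
    zod = f"{prop_name}: z.string()"
    if "pattern" in s:
        zod += f'.regex(/{s["pattern"]}/)'
    return zod


def safe_zod(prop_name: str, s: dict) -> str:
    """Hardened form. Property name and pattern are emitted via json.dumps, which
    yields a valid JS string literal (quotes, backslashes and control characters
    escaped), so spec text can never close the literal or the call. The pattern
    is handed to new RegExp() at runtime rather than spliced into /.../.
    re.compile is only a sanity check that the value is a regex at all; it does
    not guarantee JavaScript-compatible syntax."""
    zod = f"{json.dumps(prop_name)}: z.string()"
    if "pattern" in s:
        pattern = s["pattern"]
        if not isinstance(pattern, str):
            raise TypeError(f"pattern for {prop_name!r} must be a string")
        try:
            re.compile(pattern)
        except re.error as exc:
            raise ValueError(f"invalid pattern for {prop_name!r}: {exc}") from exc
        zod += f".regex(new RegExp({json.dumps(pattern)}))"
    return zod


def render_object(props: dict, renderer=safe_zod) -> str:
    """Render a whole z.object({...}) with the chosen per-property renderer."""
    fields = ", ".join(renderer(name, s) for name, s in props.items())
    return f"z.object({{ {fields} }})"


if __name__ == "__main__":
    for name, schema in [("version", SLASHED), ("email", LITERAL_BREAK)]:
        print("unsafe:", unsafe_zod(name, schema))
    print("safe:  ", safe_zod("version", SLASHED))
    print("safe:  ", safe_zod("id", QUOTE_BREAK))
    print("safe:  ", render_object({"email": BENIGN}))
```

With the unsafe renderer, SLASHED produces a regex literal that ends at the second slash, and LITERAL_BREAK produces `.regex(/a/).min(0); process.exit(1); ///)`, which is syntactically plausible TypeScript with foreign statements appended. The safe renderer keeps the same slash and quote characters harmless inside a string literal and rejects LITERAL_BREAK outright because it is not a valid regex.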
A poorly scoped load test could cause outages, rate-limit violations, or account/API abuse reports.
The load tester continuously sends requests with user-configurable concurrency for the requested duration. This is expected for load testing but can disrupt services if aimed at production or third-party endpoints.
    with ThreadPoolExecutor(max_workers=self.concurrency) as executor:
        ...
        while not self.stop_event.is_set():
            result = client.request(self.url, self.method, self.body)
Run load tests only with permission, start with low concurrency, prefer staging environments, and confirm duration and target URL before execution.
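A scoped version of the loop quoted above, as an added example that is not the skill's own load tester. ALLOWED_HOSTS, MAX_CONCURRENCY, MAX_DURATION_S, the preflight function and the FakeClient stand-in are constructed for the example: the target host must be on an explicit allowlist, concurrency and duration are capped, the checks run before any request is sent, and a timer sets stop_event so the loop is bounded by the requested duration.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlparse

# Engagement scope, constructed for this example. In practice it comes from the
# test plan, never from the request being replayed.
ALLOWED_HOSTS = {"localhost", "staging.example.internal"}
MAX_CONCURRENCY = 8
MAX_DURATION_S = 60.0


class ScopeError(ValueError):
    """Raised before any request is sent when the run is out of scope."""


def preflight(url: str, concurrency: int, duration_s: float) -> str:
    """Validate target, concurrency and duration; returns the hostname."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ScopeError(f"refusing malformed target {url!r}")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ScopeError(f"{parsed.hostname} is not in the approved scope")
    if not 1 <= concurrency <= MAX_CONCURRENCY:
        raise ScopeError(f"concurrency {concurrency} outside 1..{MAX_CONCURRENCY}")
    if not 0 < duration_s <= MAX_DURATION_S:
        raise ScopeError(f"duration {duration_s}s outside (0, {MAX_DURATION_S}]")
    return parsed.hostname


class FakeClient:
    """Offline stand-in for the HTTP client: counts requests instead of sending."""

    def __init__(self) -> None:
        self.calls = 0
        self._lock = threading.Lock()

    def request(self, url: str, method: str, body) -> int:
        with self._lock:
            self.calls += 1
        time.sleep(0.001)  # simulate a fast endpoint
        return 200


class LoadTester:
    def __init__(self, url, method, body, concurrency, duration_s, client):
        preflight(url, concurrency, duration_s)  # fail closed before any traffic
        self.url, self.method, self.body = url, method, body
        self.concurrency, self.duration_s = concurrency, duration_s
        self.client = client
        self.stop_event = threading.Event()

    def _worker(self) -> int:
        sent = 0
        while not self.stop_event.is_set():
            self.client.request(self.url, self.method, self.body)
            sent += 1
        return sent

    def run(self) -> int:
        """Run until the duration timer fires; returns total requests sent."""
        timer = threading.Timer(self.duration_s, self.stop_event.set)
        timer.start()
        try:
            with ThreadPoolExecutor(max_workers=self.concurrency) as executor:
                futures = [executor.submit(self._worker) for _ in range(self.concurrency)]
                return sum(f.result() for f in futures)
        finally:
            timer.cancel()
            self.stop_event.set()


if __name__ == "__main__":
    client = FakeClient()
    tester = LoadTester("http://localhost:8080/health", "GET", None, 2, 0.5, client)
    print("requests sent:", tester.run())
```

Swapping FakeClient for a real HTTP client keeps the guardrails in place; the point is that an out-of-scope host, an oversized worker pool or an unbounded duration is rejected in preflight rather than discovered from an abuse report.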
If pointed at the wrong database or used with overly privileged credentials, the tool could expose schema details or enable risky migration actions.
The workflow uses database connection strings, which may carry privileged access to real application data and schema state. This is purpose-aligned for backend migration analysis but crosses an important permission boundary.
python scripts/database_migration_tool.py --connection $DATABASE_URL --analyze
Use read-only credentials for analysis, use staging databases first, back up data before migrations, and avoid placing production secrets directly in shell history.
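The read-only recommendation above demonstrated end to end, as an added example that is not part of the audited tool. SQLite stands in for the real database so the example runs offline; for a server database the equivalent is a role granted only SELECT and USAGE. The seed data, function names and the ALTER TABLE used as a stand-in migration are constructed for the example: the analysis handle is opened with mode=ro, schema inspection succeeds, and a migration attempted over the same handle is refused by the engine.

```python
import os
import sqlite3
import tempfile


def seed_database(path: str) -> None:
    """Create a small application database with constructed sample data."""
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT NOT NULL);"
        "INSERT INTO users(email) VALUES ('alice@example.test');"
    )
    con.commit()
    con.close()


def open_readonly(path: str) -> sqlite3.Connection:
    """SQLite URI filename with mode=ro: the engine refuses writes on this handle."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def analyze_schema(con: sqlite3.Connection) -> dict:
    """Schema analysis only needs SELECT on the catalog."""
    rows = con.execute(
        "SELECT name, sql FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()
    return {name: sql for name, sql in rows}


def attempt_migration(con: sqlite3.Connection) -> str:
    """A migration reached by mistake on the analysis connection fails closed."""
    try:
        con.execute("ALTER TABLE users ADD COLUMN role TEXT DEFAULT 'user'")
        con.commit()
        return "applied"
    except sqlite3.OperationalError as exc:
        return f"refused: {exc}"


def demo() -> tuple:
    """Seed a temporary database, analyze it read-only, then try to migrate."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "app.db")
        seed_database(path)
        con = open_readonly(path)
        try:
            return analyze_schema(con), attempt_migration(con)
        finally:
            con.close()


if __name__ == "__main__":
    schema, outcome = demo()
    print("tables:", list(schema))
    print("migration:", outcome)
```

Running the analysis through a handle that cannot write means a wrong connection string or a mis-typed flag exposes schema text at worst, rather than altering production state.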
Users may have less ability to verify who maintains the scripts or compare them against an upstream project.
The package provenance is not clearly linked to a public source or homepage. This is not evidence of malicious behavior, but users have less context for trusting the included helper scripts.
Source: unknown
Homepage: none
Inspect the included scripts before use and prefer pinned, auditable sources for production automation.
