api-integration - API Integration
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is an instruction-only API integration guide with expected examples for HTTP calls and credential handling, and it shows no hidden code, persistence, or deceptive behavior.
This skill appears safe as an instruction-only API integration reference. Before installing or using it, remember that real API calls can change external accounts or services, so review any endpoint, HTTP method, payload, and credential scope before allowing the agent to send requests.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used against a real service, the agent could make API calls that create, update, or delete data depending on the endpoint and method chosen.
The skill demonstrates a general-purpose HTTP request wrapper with caller-supplied endpoint, method, data, and headers. This is central to API integration, but such requests can have real effects when used with POST, PUT, or DELETE.
def call_api(endpoint, method='GET', data=None, headers=None): ... requests.request(method=method, url=endpoint, json=data, headers=headers)
Use this skill with clear user approval for write or delete operations, and verify endpoint, method, payload, and target service before sending requests.
API secrets or access tokens could grant account access if pasted into prompts, logs, or shared outputs.
The skill includes an OAuth2 token example that handles a client secret and access token. This is expected for an API authentication skill and uses a placeholder endpoint, but credentials are sensitive.
def get_oauth_token(client_id, client_secret): ... 'client_secret': client_secret ... return response.json()['access_token']
Provide only the minimum necessary credentials, avoid sharing secrets in conversation history when possible, and confirm the requested scopes before authorizing API access.
