public-api-finder

PassAudited by ClawScan on May 14, 2026.

Overview

This is a straightforward public-API search helper; the main cautions are trusting the npm package and only using the optional Vaultline upload if you want persistent shared storage.

This skill appears safe for public API discovery. Before installing, make sure you trust the npm package source, verify any recommended APIs' pricing, terms, and rate limits, and use the Vaultline upload example only if you want the research output saved and potentially reused across agents.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

If the npm package source changed or was compromised, the executed CLI could differ from the reviewed behavior.

Why it was flagged

The documented workflow downloads and runs a Node package from npm. This is central to the skill and disclosed, but users still depend on the package source being trustworthy.

Skill content

npx --yes --package=@builtbyecho/public-api-finder -- public-api-finder "weather forecast" --no-auth --https

Recommendation

Install or run the package only from a trusted npm source, and consider pinning versions in higher-assurance environments.

Low

#ASI03: Identity and Privilege Abuse

What this means

Using this optional workflow gives the agent access to upload content to the configured Vaultline account.

Why it was flagged

The optional Vaultline example uses an API key from the environment to upload output. This is disclosed in SKILL.md and not used by the core CLI.

Skill content

const vault = new Vaultline({ apiKey: process.env.VAULTLINE_API_KEY });
vault.files.upload({

Recommendation

Only set VAULTLINE_API_KEY and use the Vaultline example if you intend to save the API research output there.

Low

#ASI06: Memory and Context Poisoning

What this means

Saved API research may persist beyond the current chat and be visible or reusable in other agent workflows, depending on the Vaultline account configuration.

Why it was flagged

The skill suggests persistent storage of research output that can be shared and revisited across agents.

Skill content

store it in Vaultline as a durable artifact rather than leaving it in transient chat history

Recommendation

Avoid storing secrets, private project details, or sensitive internal requirements in the optional Vaultline artifact unless that is intended.