API Rate Limiter Designer
Pass. Audited by ClawScan on May 1, 2026.
Overview
This instruction-only API rate-limiting helper is purpose-aligned; users should mainly protect access logs and review any copied commands, dependencies, and production rollout changes.
This skill is safe to use as an instruction-only design aid. Before copying examples, redact sensitive log data, review shell commands, pin and audit any suggested dependencies, configure Redis securely, and test rate-limit changes in staging before production rollout.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If users copy the examples, they may process sensitive or very large log files on their local system.
The skill documents shell pipelines for analyzing local access logs. These commands are read-oriented and purpose-aligned, but they still involve local command execution against user data.
```bash
cat access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
```
Review commands before running them, use copies or samples of logs where possible, and avoid pointing examples at unrelated or privileged files.
Copying the example directly into a project could introduce dependency risk if packages are unpinned or unaudited.
The implementation example references third-party Node packages without versions or lockfiles. This is normal for illustrative code, but users copying it should manage dependency provenance.
```javascript
const rateLimit = require('express-rate-limit');
const RedisStore = require('rate-limit-redis');
const Redis = require('ioredis');
```
Pin package versions, use a lockfile, check package maintainers and advisories, and review generated implementation code before adopting it.
Users who paste the examples will execute local commands or add runnable service code to their applications.
The skill includes bash examples and implementation snippets. They are disclosed as examples and are central to the stated design/implementation purpose, with no hidden auto-execution shown.
```bash
# Analyze access logs for request patterns
```
Treat all generated commands and code as drafts: inspect them, test in a non-production environment, and adapt paths, Redis settings, and application limits to your environment.
Sensitive operational data could be included in prompts or local analysis if full logs are provided.
The skill expects access-log analysis. Logs may contain IP addresses, endpoints, user identifiers, or attacker-controlled request strings, even though the artifacts do not show persistent memory or sharing.
Understand current API usage patterns:
```bash
# Analyze access logs for request patterns
```
Use redacted or sampled logs when possible, avoid including secrets or personal data, and do not treat arbitrary log contents as instructions.
Incorrectly deployed limits could block legitimate API traffic, overload Redis, or cause inconsistent behavior across instances.
The skill provides guidance for global and distributed rate limiting. These controls are purpose-aligned, but a bad configuration can affect many users or instances at once.
Global limits: Protect overall system capacity; For multi-instance deployments, use Redis-backed rate limiting
Test limits in staging, roll out gradually, monitor 429 rates and Redis health, and keep an emergency rollback or bypass plan.
