Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
Name/description (FastAPI framework) match the files and instructions: installation, quickstart, advanced usage, examples and tests are all consistent with a FastAPI how-to/assistant skill.
Instruction Scope
Instructions tell the AI to run standard local commands (python --version, create venv, pip install, run uvicorn) and to generate/modify project files — this is expected. Notable deviations: recommending a non-standard 'uv' tool (uv venv / uv pip install) and suggesting 'pip config set global.index-url' which modifies global pip configuration; both are beyond minimal scope and could have unintended system-wide effects. The guides also include runnable example code (including auth and JWT) which the AI may generate/execute for the user.
Install Mechanism
No install spec is provided (instruction-only). The skill does not download or install code itself; it instructs the agent to use pip/venv/uvicorn already on the system. This is the lowest-risk install model for a skill.
Credentials
The skill does not request environment variables or external credentials, which matches its purpose. However, the included example security code hard-codes a JWT SECRET_KEY and uses placeholder tokens/credentials (e.g., fake-super-secret-token, hashed password created from literal 'secret'). These are insecure if copied to production; they are not requested as secrets but are embedded in the code samples.
Persistence & Privilege
Skill is not always-enabled and does not request persistent system privileges. It does, however, instruct the agent to run commands that can create files and change pip's global config if the user follows the troubleshooting steps; that is an expected behavior for a project-setup guide but worth noting.
What to consider before installing
This appears to be a genuine FastAPI tutorial/assistant and is generally coherent with its stated purpose. Before installing or executing the example commands:
1) Prefer creating and activating a virtual environment rather than running global pip changes; avoid 'pip config set global.index-url' unless you understand the global effects.
2) Be cautious about the guide's recommendation to install/run a tool named 'uv' — verify that tool's origin before running it.
3) Do not reuse the example SECRET_KEY, fake tokens, or hard-coded passwords in any real environment — move secrets into environment variables or a secrets manager.
4) Review any generated code (especially auth, SECRET_KEY, and DB connection strings) before running it or deploying to production.
If you want, I can point out every line that contains potentially insecure practice and suggest safer alternatives (env vars, .env usage, or secrets management).
Runtime requirements
⚡ Clawdis
