Skill v0.1.0
ClawScan security
FastAPI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious, Apr 14, 2026, 4:35 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is a coherent FastAPI tutorial and code-generator, but it contains a few surprising or unsafe recommendations (a third-party 'uv' tool suggestion, a permanent global pip config change) and an embedded hard-coded JWT SECRET_KEY that make it worth extra caution before use.
- Guidance
- This appears to be a genuine FastAPI tutorial/assistant and is generally coherent with its stated purpose. Before installing or executing the example commands: 1) Prefer creating and activating a virtual environment rather than running global pip changes; avoid 'pip config set global.index-url' unless you understand the global effects. 2) Be cautious about the guide's recommendation to install/run a tool named 'uv' — verify that tool's origin before running it. 3) Do not reuse the example SECRET_KEY, fake tokens, or hard-coded passwords in any real environment — move secrets into environment variables or a secrets manager. 4) Review any generated code (especially auth, SECRET_KEY, and DB connection strings) before running it or deploying to production. If you want, I can point out every line that contains potentially insecure practice and suggest safer alternatives (env vars, .env usage, or secrets management).
Review Dimensions
- Purpose & Capability
- ok: Name/description (FastAPI framework) match the files and instructions: installation, quickstart, advanced usage, examples and tests are all consistent with a FastAPI how-to/assistant skill.
- Instruction Scope
- note: Instructions tell the AI to run standard local commands (python --version, create venv, pip install, run uvicorn) and to generate/modify project files — this is expected. Notable deviations: recommending a non-standard 'uv' tool (uv venv / uv pip install) and suggesting 'pip config set global.index-url', which modifies global pip configuration; both are beyond minimal scope and could have unintended system-wide effects. The guides also include runnable example code (including auth and JWT) which the AI may generate/execute for the user.
- Install Mechanism
- ok: No install spec is provided (instruction-only). The skill does not download or install code itself; it instructs the agent to use pip/venv/uvicorn already on the system. This is the lowest-risk install model for a skill.
- Credentials
- note: The skill does not request environment variables or external credentials, which matches its purpose. However, the included example security code hard-codes a JWT SECRET_KEY and uses placeholder tokens/credentials (e.g., fake-super-secret-token, hashed password created from literal 'secret'). These are insecure if copied to production; they are not requested as secrets but are embedded in the code samples.
- Persistence & Privilege
- ok: Skill is not always-enabled and does not request persistent system privileges. It does, however, instruct the agent to run commands that can create files and change pip's global config if the user follows the troubleshooting steps; that is an expected behavior for a project-setup guide but worth noting.
