Node.js API Client Gold Standard

Result: Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a normal user-directed Node.js API client helper, but it will use any API keys and API endpoints you configure.

Before installing or reusing this skill, confirm that the endpoints are trusted and use limited-scope API keys. If you embed it in an application, avoid committing real keys, stop or disable the health-check timer when appropriate, and verify the included JavaScript source for production use.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you configure real API keys, requests may be made under those keys against the selected API services.

Why it was flagged

The documented configuration passes API keys into the client. This is expected for an API client, but it means the skill may use delegated service credentials supplied by the user.

Skill content

apiKeys: ['key1', 'key2', 'key3'],
keyStrategy: 'round-robin'

Recommendation

Use least-privileged keys, avoid hard-coding production secrets in shared files, and rotate any key that may have been exposed.

What this means

Data you pass to the client can be sent to the API servers you configure.

Why it was flagged

The skill is designed to send GET/POST requests to user-configured endpoints. This is central to the stated purpose, but endpoint selection determines where request data goes.

Skill content

endpoints: [
  { url: 'https://api.example.com', priority: 10 },
  { url: 'https://backup.example.com', priority: 5 }
]
...
const data = await client.get('/users');
const result = await client.post('/orders', { item: 'test' });

Recommendation

Only configure trusted endpoints and review payloads, base URLs, and backup endpoints before using the client with sensitive data.

What this means

A Node.js process using the client may remain active while the health-check timer is running.

Why it was flagged

Creating the endpoint manager starts a recurring timer by default. The visible timer is limited to endpoint health-state maintenance and has a stopHealthCheck method, so this is a notice rather than a concern.

Skill content

if (this.healthCheck) this.startHealthCheck();
...
this.healthCheckTimer = setInterval(() => {
  this.endpoints.forEach(e => this.isHealthy(e.url));
}, this.healthCheckInterval);

Recommendation

Call stopHealthCheck() or set healthCheck: false when you do not want a background timer.

What this means

For sensitive or production use, you may want to verify that the included file matches the intended upstream project.

Why it was flagged

The artifact includes a runnable JavaScript helper while the registry source is not identified. There is no remote install step, so this is a provenance note rather than a concern.

Skill content

Source: unknown
...
No install spec — this is an instruction-only skill.
...
1 code file(s): reliable-api-client.js

Recommendation

Review the included JavaScript and obtain or pin it from a trusted source before incorporating it into important systems.