Node.js API Client Gold Standard (Node.js API 客户端黄金标准)

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you configure real API keys, requests may be made under those keys against the selected API services.

Why it was flagged

The documented configuration passes API keys into the client. This is expected for an API client, but it means the skill may use delegated service credentials supplied by the user.

Skill content
apiKeys: ['key1', 'key2', 'key3'],
  keyStrategy: 'round-robin'
Recommendation

Use least-privileged keys, load them from a secret store or environment variable rather than hard-coding production secrets in shared files, and rotate any key that may have been exposed.
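As an added example (not the skill's own code, nor ClawScan's), the key handling this recommendation asks for, in Node.js: keys are read from an environment variable instead of a shared file, handed out round-robin as the skill's keyStrategy does, redacted before they reach a log line, and removable from the pool when one has to be rotated. KeyPool, keysFromEnv, redactKey, buildAuthHeaders, the API_KEYS variable name and the sample key values are assumptions made for this illustration.

```javascript
// Added example, not the skill's code. KeyPool / keysFromEnv / redactKey /
// buildAuthHeaders and the API_KEYS variable name are assumptions for illustration.

class KeyPool {
  // keys: non-empty array of strings; strategy: only 'round-robin' is implemented here
  constructor(keys, strategy = 'round-robin') {
    if (!Array.isArray(keys) || keys.length === 0) {
      throw new Error('KeyPool requires at least one API key');
    }
    if (strategy !== 'round-robin') {
      throw new Error(`unsupported keyStrategy: ${strategy}`);
    }
    this.keys = keys.slice();
    this.index = 0;
  }

  // Return the next key in rotation, wrapping around at the end of the list.
  next() {
    const key = this.keys[this.index];
    this.index = (this.index + 1) % this.keys.length;
    return key;
  }

  // Stop using a key that may have been exposed (revoke it upstream as well).
  // Returns the number of keys removed.
  revoke(key) {
    const before = this.keys.length;
    this.keys = this.keys.filter(k => k !== key);
    if (this.keys.length === 0) throw new Error('all keys revoked; pool is empty');
    if (this.index >= this.keys.length) this.index = 0;
    return before - this.keys.length;
  }

  size() {
    return this.keys.length;
  }
}

// Parse a comma-separated variable such as API_KEYS="sk-a,sk-b" into a key array.
// Refuses to run with no keys rather than silently falling back to defaults.
function keysFromEnv(env, name = 'API_KEYS') {
  const raw = env[name];
  if (!raw) throw new Error(`${name} is not set; refusing to fall back to hard-coded keys`);
  return raw.split(',').map(s => s.trim()).filter(Boolean);
}

// Keep only the last 4 characters so a key can be correlated in logs without leaking it.
function redactKey(key) {
  if (key.length <= 4) return '****';
  return '*'.repeat(key.length - 4) + key.slice(-4);
}

// The key travels in a header, never in the URL, where it would land in access logs.
function buildAuthHeaders(pool) {
  return { Authorization: `Bearer ${pool.next()}` };
}

// Constructed sample environment; these are not real credentials.
const sampleEnv = { API_KEYS: 'sk-test-aaaa1111, sk-test-bbbb2222 ,sk-test-cccc3333' };

// Usage: build the pool once at startup and pass it to the client.
const pool = new KeyPool(keysFromEnv(sampleEnv), 'round-robin');
console.log('loaded keys:', pool.size(), 'first key:', redactKey(pool.next()));
```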

What this means

Data you pass to the client can be sent to the API servers you configure.

Why it was flagged

The skill is designed to send GET/POST requests to user-configured endpoints. This is central to the stated purpose, but endpoint selection determines where request data goes.

Skill content
endpoints: [
    { url: 'https://api.example.com', priority: 10 },
    { url: 'https://backup.example.com', priority: 5 }
  ]
...
const data = await client.get('/users');
const result = await client.post('/orders', { item: 'test' });
Recommendation

Only configure endpoints you trust, use HTTPS base URLs, and review payloads, base URLs, and backup endpoints before using the client with sensitive data: failover to a backup endpoint sends the same request data there.

Note (High Confidence)
ASI10: Rogue Agents
What this means

A Node.js process using the client may stay alive after its own work is done, because an active setInterval keeps the event loop running until the timer is cleared or unref'd.

Why it was flagged

Creating the endpoint manager starts a recurring timer by default. The visible timer only maintains endpoint health state, and the manager exposes a stopHealthCheck method, so this is a notice rather than a concern.

Skill content
if (this.healthCheck) this.startHealthCheck();
...
this.healthCheckTimer = setInterval(() => {
  this.endpoints.forEach(e => this.isHealthy(e.url));
}, this.healthCheckInterval);
Recommendation

Call stopHealthCheck() when the client is no longer needed, or set healthCheck: false at construction when you do not want a background timer at all. Node.js timers also support unref(), which lets the process exit with the timer still scheduled, but the visible code does not call it.
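An added example (not the skill's own reliable-api-client.js) covering both the endpoint note above and this timer note: an endpoint manager that rejects any endpoint not on an explicit HTTPS allowlist before it can receive data, picks the highest-priority healthy endpoint so failover is visible, and runs its health-check timer unref'd so it never keeps the process alive on its own, with a stopHealthCheck() that clears it. EndpointManager, validateEndpoint, allowedHosts and the injected probe function are assumptions for this illustration, as are the sample endpoints and the fake probe that stands in for a real HTTP health request.

```javascript
// Added example, not the skill's code. EndpointManager, validateEndpoint,
// allowedHosts and probe are assumptions for illustration.

// Validate one endpoint before it is ever used: HTTPS only, host on the allowlist.
// Returns a normalised record; throws so a bad config fails at startup, not at send time.
function validateEndpoint(endpoint, allowedHosts) {
  const url = new URL(endpoint.url); // throws on malformed input
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS endpoint: ${endpoint.url}`);
  }
  if (!allowedHosts.includes(url.hostname)) {
    throw new Error(`endpoint host not on allowlist: ${url.hostname}`);
  }
  if (!Number.isInteger(endpoint.priority)) {
    throw new Error(`endpoint ${endpoint.url} needs an integer priority`);
  }
  return { url: url.origin, priority: endpoint.priority, healthy: true };
}

class EndpointManager {
  // probe(url) -> Promise<boolean> is injected so the example runs offline.
  constructor(endpoints, { allowedHosts, probe, healthCheck = true, healthCheckInterval = 30000 }) {
    this.endpoints = endpoints
      .map(e => validateEndpoint(e, allowedHosts))
      .sort((a, b) => b.priority - a.priority); // highest priority first
    this.probe = probe;
    this.healthCheckInterval = healthCheckInterval;
    this.healthCheckTimer = null;
    if (healthCheck) this.startHealthCheck();
  }

  // Highest-priority endpoint currently marked healthy, or null if none is.
  current() {
    return this.endpoints.find(e => e.healthy) || null;
  }

  // Probe every endpoint once; a probe that throws marks the endpoint unhealthy.
  async refreshHealth() {
    await Promise.all(this.endpoints.map(async e => {
      try { e.healthy = await this.probe(e.url); } catch { e.healthy = false; }
    }));
    return this.endpoints.map(e => ({ url: e.url, healthy: e.healthy }));
  }

  startHealthCheck() {
    if (this.healthCheckTimer) return; // idempotent: never stack timers
    this.healthCheckTimer = setInterval(() => { this.refreshHealth(); }, this.healthCheckInterval);
    // unref(): a pending health check alone must not keep the Node.js process running.
    this.healthCheckTimer.unref();
  }

  stopHealthCheck() {
    if (this.healthCheckTimer) {
      clearInterval(this.healthCheckTimer);
      this.healthCheckTimer = null;
    }
  }

  isHealthCheckRunning() {
    return this.healthCheckTimer !== null;
  }
}

// Constructed configuration: the two hosts from the skill's example, and a fake
// probe that pretends the primary is down so failover to the backup is observable.
const allowedHosts = ['api.example.com', 'backup.example.com'];
const downEndpoints = new Set(['https://api.example.com']);
const fakeProbe = async url => !downEndpoints.has(url);

function buildManager() {
  return new EndpointManager(
    [
      { url: 'https://backup.example.com', priority: 5 },
      { url: 'https://api.example.com', priority: 10 },
    ],
    { allowedHosts, probe: fakeProbe, healthCheckInterval: 1000 }
  );
}

// Usage: the timer is unref'd, so this script exits on its own once the refresh resolves.
const manager = buildManager();
manager.refreshHealth().then(states => {
  console.log('health:', states, 'using:', manager.current().url);
  manager.stopHealthCheck();
});
```

Because every request goes to manager.current().url, the allowlist check in validateEndpoint is the single place that decides where data can be sent; a later change to the endpoints array cannot bypass it.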

What this means

For sensitive or production use, you may want to verify that the included file matches the intended upstream project.

Why it was flagged

The artifact includes a runnable JavaScript helper while the registry source is not identified. There is no remote install step, so this is a provenance note rather than a concern.

Skill content
Source: unknown
...
No install spec — this is an instruction-only skill.
...
1 code file(s): reliable-api-client.js
Recommendation

Review the included JavaScript, and obtain or pin it (by version and checksum) from a trusted source before incorporating it into important systems.