Node.js API 客户端黄金标准
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: reliable-api-client Version: 1.0.0 The skill provides a robust Node.js API client (reliable-api-client.js) designed for OpenAI-compatible services, featuring multi-endpoint rotation, circuit breaking, and rate limiting. The implementation uses standard Node.js modules (https/http) and follows best practices for reliability without any evidence of data exfiltration, malicious execution, or prompt injection attempts.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you configure real API keys, requests may be made under those keys against the selected API services.
The documented configuration passes API keys into the client. This is expected for an API client, but it means the skill may use delegated service credentials supplied by the user.
apiKeys: ['key1', 'key2', 'key3'], keyStrategy: 'round-robin'
Use least-privileged keys, avoid hard-coding production secrets in shared files, and rotate any key that may have been exposed.
Data you pass to the client can be sent to the API servers you configure.
The skill is designed to send GET/POST requests to user-configured endpoints. This is central to the stated purpose, but endpoint selection determines where request data goes.
endpoints: [
{ url: 'https://api.example.com', priority: 10 },
{ url: 'https://backup.example.com', priority: 5 }
] ... const data = await client.get('/users');
const result = await client.post('/orders', { item: 'test' });Only configure trusted endpoints and review payloads, base URLs, and backup endpoints before using the client with sensitive data.
A Node.js process using the client may remain active while the health-check timer is running.
Creating the endpoint manager starts a recurring timer by default. The visible timer is limited to endpoint health-state maintenance and has a stopHealthCheck method, so this is a notice rather than a concern.
if (this.healthCheck) this.startHealthCheck(); ... this.healthCheckTimer = setInterval(() => {
this.endpoints.forEach(e => this.isHealthy(e.url));
}, this.healthCheckInterval);Call stopHealthCheck() or set healthCheck: false when you do not want a background timer.
For sensitive or production use, you may want to verify that the included file matches the intended upstream project.
The artifact includes a runnable JavaScript helper while the registry source is not identified. There is no remote install step, so this is a provenance note rather than a concern.
Source: unknown ... No install spec — this is an instruction-only skill. ... 1 code file(s): reliable-api-client.js
Review the included JavaScript and obtain or pin it from a trusted source before incorporating it into important systems.