Dub.co Links API

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only Dub API skill matches its stated purpose, but it uses a Dub API key and can create, update, or delete workspace short links.

Install only if you want the agent to manage Dub short links. Before using update, delete, or bulk operations, double-check the workspace, link IDs, and payloads, and provide a Dub API key with the narrowest permissions available.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium

What this means

The agent could delete or change live short links in the authenticated Dub workspace when asked to perform those operations.

Why it was flagged

The skill documents authenticated destructive and bulk API operations. This is consistent with its stated link-management purpose, but users should verify targets before allowing delete or bulk changes.

Skill content

`DELETE /links/bulk` - Deletes up to 100 links.

Recommendation

Use this skill only with the intended Dub workspace and confirm link IDs, filters, and bulk lists before any update or delete request.

ASI03: Identity and Privilege Abuse
Low

What this means

Anyone using the configured API key through the agent may be able to view or modify links allowed by that Dub token.

Why it was flagged

The skill requires a Dub API key for authenticated workspace access. This is expected for the integration and no artifact shows token logging or unrelated credential use, but the credential grants account-level authority for link operations.

Skill content

**Auth**: Bearer token required ... `Authorization: Bearer <DUB_API_KEY>`

Recommendation

Use a least-privilege Dub API key if available, keep it out of chat transcripts, and rotate it if it is exposed.