ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Slingdata.io API Spec

v1.0.0

Build REST API specifications for Sling data extraction. Use when creating API specs, configuring authentication (OAuth, API key, Bearer token, HMAC), settin...

1· 369·0 current·0 all-time
byFritz Larco@flarco
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim to build API specs; the files and examples are entirely about authentication types, pagination, response processing, queues, incremental sync, and dynamic endpoints — all coherent with an API-spec builder. The skill does not request unrelated binaries or credentials in its registry metadata.
Instruction Scope
SKILL.md and the included docs instruct how to author specs and show example runtime actions (parse/test). The docs reference secrets.* and env.* placeholders and include examples that set environment variables (e.g., env.LAST_UPDATE, OVERRIDE_START_DATE). That behavior is expected for a spec authoring tool, but you should understand that specs created from this guidance can read and require credential values and may write to environment/state at runtime — review any spec before executing it.
Install Mechanism
No install spec and no code files to execute — this is instruction-only. No remote downloads or package installs are present in the bundle.
Credentials
The documentation documents many auth types (OAuth2, AWS sigv4, HMAC, API keys, basic, device flow) and uses placeholders like {secrets.*} and {env.*}. The skill package itself does not request credentials, which is appropriate for a generic spec library, but users will need to supply relevant credentials when running generated specs. Be cautious about which secrets you provide to any runtime that executes specs built from these documents.
Persistence & Privilege
The skill is not always-installed and does not declare elevated privileges. It does not modify other skills or system-wide agent configuration. The documentation describes persisting sync state as part of normal replication workflows — expected for this domain.
Assessment
This bundle is documentation and examples for authoring Sling-style REST API extraction YAML specs — it contains no executables. It does, however, show how specs can consume secrets (secrets.*) and environment variables and how processors can write env.* and persisted sync state. Before using or running any spec created from these docs: (1) inspect specs for any endpoints or external URLs you don't trust, (2) avoid embedding real credentials directly in spec files, (3) only provide the minimal credentials required for a given source (don't reuse high-privilege AWS keys), and (4) treat specs from untrusted authors like code — they can cause the runtime to contact arbitrary external APIs and leak data if misconfigured. If you plan to allow an agent to invoke specs autonomously, restrict which specs it can run and which credentials it may access.

Like a lobster shell, security has layers — review code before you run it.

latestvk976nvbwb73qacr3tthn60rfwd81xd8f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments