Oban Designer

Pass
Audited by ClawScan on May 1, 2026.

Overview

This is an instruction-only Oban helper whose guidance is aligned with background job development, but applying its examples can add persistent jobs and change application/database behavior.

This appears safe as an instruction-only skill. Before applying generated code, review the Oban dependency and migrations, test in a non-production environment, check cron schedules, validate webhook destinations and payloads, and carefully review any worker that deletes or bulk-modifies data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the recommended dependency changes the application supply chain.

Why it was flagged

The skill tells users to add the external Oban package. This is central to the stated purpose, but it still introduces a dependency that should be reviewed and locked by the user's project.

Skill content

{:oban, "~> 2.18"}

Recommendation

Review the resolved package version and lockfile, use trusted package sources, and test the Oban migration in development or staging first.

What this means

A generated or copied cleanup worker could delete application records automatically if deployed.

Why it was flagged

The cleanup worker example performs database deletion. This is purpose-aligned for a background cleanup pattern and scoped to old records, but copied code would mutate production data.

Skill content

from(t in MyApp.Accounts.UserToken, where: t.inserted_at < ^cutoff) |> Repo.delete_all()

Recommendation

Review deletion criteria, retention periods, backups, and dry-run behavior before scheduling cleanup jobs in production.

What this means

If used without validation, webhook jobs could send data to unintended or untrusted endpoints.

Why it was flagged

The webhook worker example sends a job-provided payload to a job-provided URL. Webhook delivery is an expected background job use case, but destination and payload handling need validation in real applications.

Skill content

case Req.post(url, json: payload, headers: headers, receive_timeout: 25_000) do

Recommendation

Validate or allowlist webhook destinations, minimize payload contents, and avoid placing sensitive secrets directly in job arguments unless protected appropriately.

Note: High Confidence
ASI10: Rogue Agents

What this means

Scheduled workers can repeatedly perform actions such as cleanup, metrics collection, or notifications.

Why it was flagged

The skill documents recurring background jobs. This persistence is expected for Oban cron scheduling, but recurring jobs continue running after deployment until disabled.

Skill content

{Oban.Plugins.Cron, crontab: [{"0 2 * * *", MyApp.Workers.DailyCleanup}, {"*/5 * * * *", MyApp.Workers.MetricsCollector}]}

Recommendation

Confirm cron schedules, job idempotency, and disable/rollback procedures before enabling recurring jobs in production.