Skill v1.0.0

ClawScan security

api-designer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 6:36 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only API design/OpenAPI documentation skill composed of normative guidance files; its assets, requirements, and runtime instructions are internally consistent and proportionate to the stated purpose.
Guidance
This skill is documentation and templates for API design and does not request credentials or install code, so it carries low inherent risk. Before using outputs in production, review generated OpenAPI specs, security recommendations, and example URLs (they use example.com placeholders) to ensure they meet your org's policies. If you later combine this skill with code-generation or deployment skills, avoid supplying secret keys or environment variables to the agent without review. If you want higher assurance, ask the publisher for provenance (homepage or author) or test the skill on non-production projects first.

Review Dimensions

Purpose & Capability
ok: Name/description match the content: all files are API design guidance (REST patterns, pagination, versioning, OpenAPI, error handling). The skill requires no binaries, credentials, or config paths that would be unrelated to designing APIs.
Instruction Scope
ok: SKILL.md confines the agent to produce resource models, endpoint specs, OpenAPI 3.1 output, and related design artifacts. It references only local documentation files included in the bundle and does not instruct reading system files, environment variables, or sending data to external endpoints.
Install Mechanism
ok: No install step or remote downloads — instruction-only skill. Nothing is written to disk or executed by an installer as part of installation.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. There are no disproportionate secret requests relative to its purpose.
Persistence & Privilege
ok: "always" is false and the skill is user-invocable (default). It does not request elevated persistence or modify other skills or system settings.