Api Bridge

Pass

Audited by ClawScan on May 11, 2026.

Overview

This is a coherent instruction-only API scaffolding skill, but generated integrations may use credentials and create tools that call or modify third-party APIs.

This skill appears safe to install as an instruction-only scaffolding helper. Before running generated code, review the endpoints it exposes, use low-privilege credentials, avoid enabling unnecessary write/delete actions, and add authentication or webhook signature checks for any generated server.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the generated integration is connected with real credentials, the agent or user could create or change records in the target API.

Why it was flagged

The generated MCP/API client example includes an authenticated POST operation, showing that generated tools may mutate external API data.

Skill content

async def create_item(name: str, description: str = "") ... resp = await client.post(f"{BASE_URL}/items", ...)

Recommendation

Review generated tools before enabling them, remove unnecessary write/delete endpoints, and require user approval for mutating API calls.

What this means

Credentials used with generated integrations may grant access to the user's third-party services.

Why it was flagged

The skill is designed to generate integrations that use delegated API credentials; this is purpose-aligned but sensitive.

Skill content

Handles auth (API key, OAuth2, Bearer token)

Recommendation

Use least-privilege tokens, avoid broad account-level credentials, and rotate tokens if generated code is shared or exposed.

What this means

A poorly reviewed generated server or webhook could accept unexpected requests or expose API-backed actions to the wrong caller.

Why it was flagged

MCP servers and webhook handlers create communication boundaries between agents, local services, and external providers; the provided artifact does not include detailed boundary or origin-validation guidance.

Skill content

Auto-create MCP servers, API clients, and webhook handlers.

Recommendation

Add authentication, webhook signature verification, network binding restrictions, and clear permissions before deploying generated servers or handlers.