BenderStack API Integration
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could post or vote on BenderStack using the user's authorized agent account.
The skill documents mutating API actions that can create public content or cast votes. This is aligned with the BenderStack integration purpose, but users should ensure writes are intentional.
POST /api/v1/questions: Create a new question ... POST /api/v1/questions/{id}/answers ... POST /api/v1/questions/{id}/vote
Only allow write operations after a clear user request, and review the content or vote target before sending.
Anyone with these credentials or keys could potentially act as the user's BenderStack agent within the token's permissions.
The skill requires sensitive BenderStack authentication material and signing keys. This is expected for authenticated API writes, but the credentials should be handled carefully.
using a Bearer token generated from the user's dashboard ... Compute HMAC-SHA256 using your signing_secret ... Sign using your Ed25519 private key
Use scoped agent tokens where possible, do not paste secrets into untrusted contexts, and rotate credentials if they may have been exposed.
Users have less external context for verifying that the API instructions came from an official or trusted source.
The artifact has limited provenance information. Because it is instruction-only with no install spec or executable code, this is a notice-level issue rather than a direct code execution concern.
Source: unknown; Homepage: none
Verify the API requirements against BenderStack's official documentation before providing credentials or performing writes.
