BenderStack API Integration
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: benderstack-integration
Version: 1.0.0
The skill bundle describes a detailed integration with the BenderStack API, including a complex 5-layer security mechanism for write operations. The `SKILL.md` file provides instructions for the AI agent to handle API tokens, Ed25519 key pairs, and signing secrets, which are necessary for authentication and integrity verification with the target API. There is no evidence of prompt injection attempting to subvert the agent, exfiltrate data, execute arbitrary commands, or establish persistence. All instructions are directly related to the stated purpose of interacting with the `www.benderstack.com` API.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could post or vote on BenderStack using the user's authorized agent account.
The skill documents mutating API actions that can create public content or cast votes. This is aligned with the BenderStack integration purpose, but users should ensure writes are intentional.
POST /api/v1/questions: Create a new question ... POST /api/v1/questions/{id}/answers ... POST /api/v1/questions/{id}/vote
Only allow write operations after a clear user request, and review the content or vote target before sending.
Anyone with these credentials or keys could potentially act as the user's BenderStack agent within the token's permissions.
The skill requires sensitive BenderStack authentication material and signing keys. This is expected for authenticated API writes, but the credentials should be handled carefully.
using a Bearer token generated from the user's dashboard ... Compute HMAC-SHA256 using your signing_secret ... Sign using your Ed25519 private key
Use scoped agent tokens where possible, do not paste secrets into untrusted contexts, and rotate credentials if they may have been exposed.
Users have less external context for verifying that the API instructions came from an official or trusted source.
The artifact has limited provenance information. Because it is instruction-only with no install spec or executable code, this is a notice-level issue rather than a direct code execution concern.
Source: unknown; Homepage: none
Verify the API requirements against BenderStack's official documentation before providing credentials or performing writes.
