Api Tmp
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a documentation-only API reference, but its examples cover real account credentials and actions that could spend money or post externally if copied and run.
This looks safe to install as documentation, but treat its curl snippets as examples only. Verify the package source and version, use sandbox or least-privilege credentials, and get explicit approval before running any command that sends messages, posts publicly, changes account data, handles payments, or contacts production APIs.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Copying examples without review could send messages or emails, create records, update accounts, or incur provider charges.
The skill documents curl commands that would perform real external actions if run with valid credentials. This is purpose-aligned API reference material, and SKILL.md frames it as documentation, but users should not run mutating examples casually.
curl -X POST "https://api.twilio.com/2010-04-01/Accounts/$TWILIO_SID/Messages.json" ... -d "To=+15559876543" ... -d "Body=Hello from Twilio!"
Use sandbox/test credentials where possible, review every POST/PUT/PATCH/DELETE request, and require explicit user approval before running any command that changes an account or contacts other people.
If real secrets are inserted, commands authenticate to the user's third-party accounts and may have whatever privileges those keys grant.
The documentation shows how to use service credentials and secrets. This is expected for an API reference and the examples use environment-variable placeholders rather than hardcoded keys.
-H "Authorization: Bearer $CLERK_SECRET_KEY"
Use least-privilege API keys, prefer test environments, avoid pasting secrets into shared contexts, and rotate any credential accidentally exposed.
Users may have less certainty that the package identity, version, and publisher match what they intended to install.
The included SKILL.md identifies a different slug/version than the evaluated registry entry, which lists `api-tmp` version `1.0.0`, and the source is unknown. Because this is instruction-only with no code or install script, this is a provenance note rather than evidence of malicious behavior.
slug: api
version: 1.3.4
homepage: https://clawic.com/skills/api
Verify the publisher, homepage, slug, and version before relying on the skill, especially before using examples with production credentials.
