API Documentation Builder
Pass
Audited by ClawScan on Apr 30, 2026.
Overview
This instruction-only API documentation helper appears proportionate, but users should review generated docs and avoid providing real credentials despite credential-related examples.
This skill is reasonable to use for generating API documentation from local code. Point it only at code you intend to document, do not paste real tokens or API keys, and review generated Markdown/OpenAPI output before publishing or feeding it into SDK, testing, or gateway tools.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated documentation may repeat misleading or unwanted wording from source comments.
The skill intentionally uses text from source comments as documentation content. This is purpose-aligned, but comments from untrusted or messy code could influence generated descriptions.
Extracts JSDoc comments: Incorporates developer-written descriptions
Review generated documentation before publishing, especially when documenting code from third parties or legacy repositories.
Users could mistake documentation examples for a need to provide real tokens or API keys.
Credential-related signals are present, likely due to the API authentication examples. The registry requirements and SKILL.md state no primary credential or environment credential is required, so this is a user-awareness note rather than evidence of privilege abuse.
Capability signals: requires-oauth-token; requires-sensitive-credentials
Do not provide real OAuth tokens, API keys, or secrets to this skill unless a separate, clearly justified workflow requires them.
Incorrect generated documentation could mislead developers or downstream tooling if treated as authoritative.
Generated API specifications can feed downstream automation such as SDK generation, contract tests, or gateway configuration. This is purpose-aligned, but inaccurate generated specs could propagate if published or imported without review.
Generated OpenAPI specs enable: Client generation ... API gateways ... API testing
Validate generated OpenAPI specs and examples against the real implementation before publishing, importing into gateways, or using them for SDK generation.
