ClawHub
Back to skill
v1.0.0

graphql-architect

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 12:40 PM.

Analysis

This is a benign instruction-only GraphQL architecture helper, though users should verify any claimed implementation results and be aware it may use project context or coordinate with other agents.

GuidanceThis skill is appropriate for GraphQL architecture guidance. Before installing, consider whether the project context and collaborating agents are trusted, and verify any claimed implementation metrics or delivery results against real evidence.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
SeverityLowConfidenceMediumStatusNote
SKILL.md
Delivery summary:
"GraphQL federation architecture delivered successfully. Implemented 5 subgraphs with Apollo Federation 2.5... Achieved p95 query latency under 50ms."

The artifact includes a specific canned success summary with implementation counts and performance metrics. If repeated without verification, it could overstate what was actually done.

User impactThe agent could sound more certain about delivery status or performance results than the evidence supports.
RecommendationTreat the delivery summary as an example only and require actual measurements or implementation evidence before relying on such claims.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
SKILL.md
1. Query context manager for existing GraphQL schemas and service boundaries

The skill may retrieve stored or shared project context containing internal schemas and service boundaries. This is expected for architecture work, but users should know such context may influence its recommendations.

User impactInternal API schema and service-boundary details could be brought into the session and reused for design guidance.
RecommendationUse it in trusted workspaces and avoid placing secrets or unrelated sensitive data in the context it may query.
Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Integration with other agents:
- Collaborate with backend-developer on resolver implementation
- Work with api-designer on REST-to-GraphQL migration
- Coordinate with microservices-architect on service boundaries

The skill directs collaboration with other agents. That fits the architecture purpose, but it means project details may be shared across agent roles without detailed boundaries in the artifact.

User impactArchitecture, backend, API, and security details may be discussed across multiple agents during a workflow.
RecommendationConfirm which agents are trusted for the project and avoid sharing sensitive design details with agents outside the intended workspace.