api-security-best-practices
v1.0.0
Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The name/description accurately describe API security guidance for REST/GraphQL/WebSocket APIs. The examples and steps (JWT, OAuth2, RBAC, input validation, rate limiting, testing) are appropriate for the stated purpose. However, the SKILL.md examples assume access to runtime secrets (process.env.JWT_SECRET, JWT_REFRESH_SECRET), a database (db.*), and npm packages (jsonwebtoken, bcrypt) even though the skill's metadata declares no required credentials, config paths, or dependencies — a documentation/expectation mismatch.
Instruction Scope
The instructions include concrete code that reads environment variables (e.g., process.env.JWT_SECRET, JWT_REFRESH_SECRET) and performs DB operations (storing refresh tokens). The skill metadata declares no required env vars or config paths. That means the skill's instructions expect secrets or DB access but do not declare them, creating a gap: follow-up actions may require providing sensitive values or access that the metadata doesn't warn about.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That minimizes immediate risk because nothing will be written or executed by installing the skill itself.
Credentials
Although the registry lists no required environment variables or credentials, the examples explicitly reference secrets (JWT_SECRET, JWT_REFRESH_SECRET), and a database interface (db.*). Requesting or using such secrets would be proportional to implementing authentication, but the lack of declared env requirements is an inconsistency that could lead to accidental secret exposure if users supply credentials without realizing the skill expects them.
Persistence & Privilege
The skill doesn't request persistent/always-on presence (always: false) and does not declare modifications to other skills or system-wide settings. Autonomous invocation is allowed by default, which is normal; this by itself does not raise extra concern.
What to consider before installing
This skill appears to be legitimate API-security guidance, but it contains code examples that assume access to secrets and a database while the skill metadata declares none. Before using it: (1) do not paste real secrets (JWT_SECRET, refresh secrets, DB credentials) into the skill UI or chat — instead test with dummy values; (2) review any generated code locally and ensure dependencies (jsonwebtoken, bcrypt, DB client) are installed from trusted registries; (3) if you plan to run examples against real infrastructure, create least-privilege credentials and rotate them afterward; (4) ask the author or maintainer to update metadata to list required env vars and any configuration assumptions; (5) prefer manual code review or running examples in an isolated environment rather than allowing the agent to access your system environment or secrets automatically.
