Use undici for HTTP requests, fetch, connection pooling, proxies, Mock testing, interceptors, caching.

Pass. Audited by ClawScan on May 16, 2026.

Overview

This is a benign documentation skill for the undici HTTP library, with normal cautions around package installation, proxy credentials, and app-wide HTTP settings.

This skill appears safe as a reference-only undici guide. Before copying examples, make sure you intend any global HTTP configuration, keep proxy credentials out of source code, and install dependencies from trusted, pinned sources where possible.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the package adds third-party code to the user's project.

Why it was flagged

The skill instructs users to install an external npm package. This is purpose-aligned for an undici reference skill, but package installation is still a supply-chain step users should perform from a trusted source.

Skill content

npm i undici

Recommendation

Install undici from the official npm registry, consider pinning a version, and follow normal dependency-audit practices.

What this means

If copied into an application, these snippets may change how all fetch or dispatcher-based requests behave in that Node.js process.

Why it was flagged

The documentation shows examples that replace or configure process-wide HTTP-related behavior. This is legitimate undici usage, but it can affect more code than a local request call.

Skill content

install(); // After this, global fetch/FormData/WebSocket/EventSource are from undici

Recommendation

Prefer local dispatchers where practical, and only use global installation or setGlobalDispatcher() when the app-wide effect is intended.

What this means

Proxy credentials could be exposed if placed directly in source code or logs.

Why it was flagged

The skill includes proxy authentication examples. This is expected for ProxyAgent documentation, but it involves credentials and should not be copied with real secrets hardcoded.

Skill content

token: `Basic ${Buffer.from('user:pass').toString('base64')}`

Recommendation

Use environment variables or a secrets manager for real proxy tokens, and avoid committing credentials to code.