Backend
Build reliable backend services with proper error handling, security, and observability.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 3 · 2.4k · 11 current installs · 11 all-time installs
by Iván (@ivangdavila)
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
The name/description ('Build reliable backend services...') match the SKILL.md content (error handling, timeouts, retries, observability, security hygiene). There are no unrelated requirements (no binaries, env vars, or config paths) that would be disproportionate to the stated purpose.
Instruction Scope
SKILL.md is a high-level guidelines/checklist for best practices. It does not instruct the agent to read files, exfiltrate data, call external endpoints, or access credentials. References to 'secrets from environment or vault' are prescriptive advice, not runtime instructions to retrieve secrets.
Install Mechanism
No install spec and no code files are present. Because this is instruction-only, nothing is written to disk or installed—this is the lowest-risk install profile.
Credentials
The skill declares no required environment variables or credentials. Although the guidance mentions using environment/vault for secrets (appropriate advice), the skill does not request or depend on any credentials, which is proportionate.
Persistence & Privilege
always is false and the skill does not request persistent system presence or modify other skills/config. The skill is user-invocable and may be invoked autonomously (platform default) but that is not excessive for an instruction-only guideline.
Assessment
This skill is a safe, purely advisory checklist for backend engineering practices — it doesn't access files, install code, or ask for secrets. If you install it, expect the agent to reference these guidelines when advising or generating code; review any generated code or runtime actions the agent proposes before allowing them to execute or providing credentials to external tools.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
Runtime requirements
⚙️ Clawdis
OS: Linux · macOS · Windows
SKILL.md
Error Handling
- Never expose stack traces to clients—log internally, return generic message
- Structured error responses: code, message, request ID—enables debugging without leaking
- Fail fast on bad input—validate at entry point, not deep in business logic
- Unexpected errors: 500 + alert—expected errors: appropriate 4xx
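As an added illustration of this section (example code, not part of the skill itself): a small Python wrapper in which expected errors map to their 4xx status and a structured code/message/request-ID envelope, while anything unexpected is logged with its traceback internally and returned to the client as a generic 500. The `ApiError` hierarchy, `handle`, and the `get_user`/`explode` handlers are hypothetical names constructed for this example.

```python
import logging

log = logging.getLogger("api")

class ApiError(Exception):
    """Expected, client-caused error: carries an HTTP status and a stable error code."""
    def __init__(self, status, code, message):
        super().__init__(message)
        self.status, self.code, self.message = status, code, message

class InvalidInput(ApiError):
    def __init__(self, message):
        super().__init__(400, "invalid_input", message)

class NotFound(ApiError):
    def __init__(self, what):
        super().__init__(404, "not_found", f"{what} not found")

def error_response(status, code, message, request_id):
    # One envelope for every error: code, message, request ID. Never a stack trace.
    return status, {"error": {"code": code, "message": message, "request_id": request_id}}

def handle(request_id, handler, *args):
    """Run a handler: expected errors map to their 4xx, anything else becomes a generic 500."""
    try:
        return 200, handler(*args)
    except ApiError as e:
        log.info("request %s rejected: %s", request_id, e.code)
        return error_response(e.status, e.code, e.message, request_id)
    except Exception:
        # Traceback goes to internal logs (and an alert); the client only gets the
        # request ID to quote to support, so nothing about the failure leaks.
        log.exception("request %s: unexpected error", request_id)
        return error_response(500, "internal_error", "internal server error", request_id)

# Hypothetical business logic used to exercise the wrapper (constructed for this example).
USERS = {"u1": {"id": "u1", "name": "alice"}}

def get_user(user_id):
    if not user_id.startswith("u"):       # validate at the entry point, fail fast
        raise InvalidInput("user id must start with 'u'")
    if user_id not in USERS:
        raise NotFound("user")
    return USERS[user_id]

def explode(_user_id):
    raise RuntimeError("db connection pool exhausted")   # simulated unexpected failure
```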
Input Validation
- Validate everything from outside—query params, headers, body, path params
- Whitelist valid input, don't blacklist bad—reject unknown fields
- Validate early, before any processing—save resources, clearer errors
- Size limits on all inputs—prevent memory exhaustion attacks
Timeouts Everywhere
- Database queries: set timeout, typically 5-30s
- External HTTP calls: connect timeout + read timeout—don't wait forever
- Overall request timeout—gateway or middleware level
- Background jobs: max execution time—prevent zombie processes
Retry Patterns
- Exponential backoff: 1s, 2s, 4s, 8s...—prevents thundering herd
- Add jitter: randomize delay—prevents synchronized retries
- Idempotency keys for non-idempotent operations—safe to retry
- Circuit breaker for failing dependencies—stop hammering, fail fast
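The four points above combined in one added Python example (not code from the skill): capped exponential backoff with full jitter, a consecutive-failure circuit breaker that fails fast while open, and a retry loop that only repeats an operation carrying an idempotency key. `CircuitBreaker`, `call_with_retry` and the `FlakyPayments` stand-in are hypothetical names constructed for this example; `sleep`, `rng` and `clock` are injectable so the behaviour can be checked without real waiting.

```python
import random
import time

class CircuitOpen(Exception):
    """Raised without calling the dependency while the breaker is open (fail fast)."""
class CircuitBreaker:
    """Opens after `threshold` consecutive failures; allows one trial call after `reset_after` s."""
    def __init__(self, threshold=3, reset_after=30.0, clock=time.monotonic):
        self.threshold, self.reset_after, self.clock = threshold, reset_after, clock
        self.failures, self.opened_at = 0, None
    def allow(self):
        return self.opened_at is None or self.clock() - self.opened_at >= self.reset_after
    def record(self, ok):
        if ok:
            self.failures, self.opened_at = 0, None
        else:
            self.failures += 1
            if self.failures >= self.threshold:
                self.opened_at = self.clock()

def backoff_delay(attempt, base=1.0, cap=30.0, rng=random.random):
    """Exponential backoff (1s, 2s, 4s, 8s...) with full jitter and a cap."""
    return rng() * min(cap, base * 2 ** attempt)

def call_with_retry(op, breaker, retries=4, sleep=time.sleep, rng=random.random):
    """Retry `op` on any exception; `op` must be safe to repeat (idempotency key, see below)."""
    for attempt in range(retries + 1):
        if not breaker.allow():
            raise CircuitOpen("dependency circuit is open")
        try:
            result = op()
        except Exception:
            breaker.record(ok=False)
            if attempt == retries or not breaker.allow():
                raise                      # out of attempts, or breaker just opened: fail fast
            sleep(backoff_delay(attempt, rng=rng))
            continue
        breaker.record(ok=True)
        return result

class FlakyPayments:
    """Constructed stand-in: fails `fail_first` times, then succeeds; remembers keys so a retry charges once."""
    def __init__(self, fail_first):
        self.fail_first, self.calls, self.charged = fail_first, 0, {}
    def charge(self, idempotency_key, amount):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ConnectionError("upstream timeout")
        self.charged.setdefault(idempotency_key, amount)   # duplicate key: no second charge
        return {"key": idempotency_key, "amount": self.charged[idempotency_key]}
```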
Database Practices
- Connection pooling: reuse connections—creating is expensive
- Transactions scoped minimal—hold locks briefly
- Read replicas for read-heavy workloads—separate read/write traffic
- Prepared statements always—SQL injection prevention, query plan cache
Caching Strategy
- Cache invalidation strategy decided upfront—TTL, event-based, or both
- Cache at right layer: query result, computed value, HTTP response
- Cache stampede prevention—lock or probabilistic early expiration
- Monitor hit rate—low hit rate = wasted resources
Rate Limiting
- Per-user/IP limits on expensive operations—login, signup, search
- Different limits for different operations—read vs write
- Return Retry-After header—tell clients when to retry
- Rate limit early in request pipeline—save resources
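An added Python example for this section (not the skill's own code): a per-key token bucket that computes the `Retry-After` value from its refill rate, a `gate` that runs the check before the handler so rejected requests do no real work, and separate buckets per operation. `TokenBucket`, `gate` and `make_limits` are hypothetical names, and the limit values are illustrative; `clock` is injectable for testing.

```python
import math
import time

class TokenBucket:
    """Per-key token bucket: bursts up to `capacity`, refills at `rate` tokens per second."""
    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets = {}          # key -> (tokens, last_refill_time)

    def allow(self, key, cost=1):
        """Return (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        now = self.clock()
        tokens, last = self.buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= cost:
            self.buckets[key] = (tokens - cost, now)
            return True, 0
        self.buckets[key] = (tokens, now)
        # Whole seconds until `cost` tokens have accumulated: this is the Retry-After value.
        return False, math.ceil((cost - tokens) / self.rate)

def gate(bucket, client_key, handler):
    """Rate-limit check placed before the handler, so rejected requests do no real work."""
    allowed, retry_after = bucket.allow(client_key)
    if not allowed:
        body = {"error": {"code": "rate_limited", "message": "too many requests"}}
        return 429, {"Retry-After": str(retry_after)}, body
    return 200, {}, handler()

# Different limits for different operations (values are illustrative): login is
# expensive and abuse-prone, reads are cheap.
def make_limits(clock=time.monotonic):
    return {
        "login": TokenBucket(capacity=5, rate=0.1, clock=clock),   # 5 burst, then 6/min
        "read": TokenBucket(capacity=100, rate=50.0, clock=clock),
    }
```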
Health Checks
- Liveness: is process running—restart if fails
- Readiness: can handle traffic—remove from load balancer if fails
- Startup probe for slow-starting services—don't kill during init
- Health checks fast and cheap—don't hit database on every probe
Graceful Shutdown
- Stop accepting new requests first—drain load balancer
- Wait for in-flight requests to complete—with timeout
- Close database connections cleanly—prevent connection leaks
- SIGTERM handling: graceful; SIGKILL after timeout
Logging
- Structured logs (JSON)—parseable by log aggregators
- Request ID in every log—trace request across services
- Log level appropriate: debug for dev, info/error for prod
- Sensitive data never logged—passwords, tokens, PII
API Design
- Versioning strategy from day one—path (/v1/) or header
- Pagination for list endpoints—cursor or offset; include total count
- Consistent response format—same envelope everywhere
- Meaningful status codes—201 for create, 204 for delete, 404 for not found
Security Hygiene
- Secrets from environment or vault—never in code or config files
- Dependencies updated regularly—automated with Dependabot/Renovate
- Principle of least privilege—service accounts with minimal permissions
- Authentication and authorization separated—who you are vs what you can do
Observability
- Metrics: request count, latency percentiles, error rate—the RED method
- Distributed tracing for microservices—follow request across services
- Alerting on symptoms, not causes—high error rate, not CPU usage
- Dashboards for operational visibility—know normal to spot abnormal
