Skill v1.0.0
ClawScan security
Api Design · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 27, 2026, 2:51 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only API design guidance skill whose requested footprint (no installs, no credentials, no code) matches its stated purpose.
- Guidance: This skill is a static, instruction-only guideline for REST API design and is internally consistent with its description. Because it has no install step and asks for no credentials, it presents minimal platform risk. Before using in production: (1) review the recommendations to ensure they match your architecture and security policies, (2) remember these are guidelines—adapt pagination, pagination types, and error formats to your data volume and client needs, and (3) validate any generated API contract/code against your org's compliance and auth requirements. If you plan to let an autonomous agent use this skill, note that autonomous invocation is allowed by default on the platform, but this particular skill does not request extra privileges or secrets.
Review Dimensions
- Purpose & Capability: ok. The name and description (REST API design patterns) align with the SKILL.md content, which contains guidelines for resource naming, status codes, pagination, filtering, error responses, versioning, and rate limiting. The skill does not request unrelated binaries, credentials, or config paths.
- Instruction Scope: ok. The SKILL.md is a static guideline document for API design. It does not instruct the agent to read files, access environment variables, call external endpoints, or perform system-level actions. Activation guidance is limited to design/review scenarios and does not grant broad discretionary data collection.
- Install Mechanism: ok. There is no install specification and no code files. Nothing is written to disk or downloaded by the skill at install time, which minimizes risk.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. There is no disproportionate credential access relative to its stated purpose.
- Persistence & Privilege: ok. The skill is not forced-always and is user-invocable; autonomous invocation is allowed by default but there are no elevated privileges requested. The skill does not request modifying other skills or system-wide settings.
