Secure Api Starter
Provides a production-ready API template with JWT, API key, OAuth2 authentication, role-based access control, rate limiting, input validation, logging, and e...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 158 · 1 current installs · 1 all-time installs
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims a production-ready API with JWT, API keys, OAuth2, RBAC, rate limiting, etc., but there are no code files, no repository/homepage, and no install spec. The SKILL.md expects ./create-api.sh and Node.js/TypeScript to be present, yet those scripts and project contents are not included — this is inconsistent with the stated purpose.
Instruction Scope
Instructions tell the agent (or user) to run ./create-api.sh with various flags. Because the script is not bundled or linked, the instructions are vague and leave room for arbitrary shell execution if a similarly named script exists locally. The SKILL.md also references OAuth2 providers (Google, GitHub) which normally require client IDs/secrets, but no guidance is given for obtaining or supplying those credentials.
Install Mechanism
There is no install specification (instruction-only), which minimizes automatic disk writes. That said, an instruction-only skill that tells the user or agent to run a local shell script without providing it is suspicious: it either expects local assets that don't exist or assumes the agent will create/obtain them — both are risky in practice.
Credentials
The skill declares no required environment variables or credentials, yet its stated features (OAuth2, API keys, JWT secrets) normally require secrets/config. The absence of any declared env vars or guidance for credential handling is disproportionate to the claimed functionality and suggests missing or incomplete implementation details.
Persistence & Privilege
The skill does not request persistent privileges (always: false) and does not declare any system-level config paths. It does allow normal autonomous invocation (default), which is expected; this alone is not flagged.
What to consider before installing
Do not run any shell scripts referenced by this SKILL.md unless you can inspect them first. The skill promises many features but includes no code, no repo link, and no credential guidance (OAuth requires client IDs/secrets). Before installing or using: (1) ask the publisher for the source repository or a packaged archive; (2) review any create-api.sh and other scripts for arbitrary commands; (3) verify how secrets (JWT keys, OAuth client secrets) are handled — they should never be requested by an unrelated agent; (4) prefer skills that include source or link to a trusted release (e.g., GitHub repo or npm package) and provide explicit install steps. Because of the missing files and vague instructions, treat this skill as incomplete/untrusted until you can review its code.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
SKILL.md
Secure API Starter
Production-ready secure API template.
Features
- Authentication - JWT, API keys, OAuth2
- Authorization - Role-based access control
- Rate Limiting - Per-user, per-IP
- Input Validation - Schema validation
- Logging - Request/response logs
- Error Handling - Structured errors
Quick Start
# Create API
./create-api.sh my-api
# Add authentication
./create-api.sh my-api --auth jwt
# Add rate limiting
./create-api.sh my-api --rate-limit 100
Auth Methods
- JWT tokens
- API keys
- OAuth2 (Google, GitHub)
- Session-based
Requirements
- Node.js 18+
- TypeScript
Author
Sunshine-del-ux
Files
2 total
