Skylv Api Resilience Handler

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill mostly does what it claims, but it stores local error history and may display API-key troubleshooting advice, so users should avoid logging or exposing secrets.

This appears safe for its stated purpose as a local API error helper. Before installing, review the complete JavaScript file if possible, avoid logging secrets or full sensitive error payloads, and do not let an agent display API keys in chat or shared terminal output.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The visible code looks purpose-aligned, but users cannot rely on this excerpt alone to verify the full script contents.

Why it was flagged

The provided code artifact is marked truncated, so the visible review cannot manually inspect the entire executable file, even though the static scan reported clean.

Skill content

"...[truncated]", "truncated": true

Recommendation

Review the complete api_error_handler.js file from the installed package before use, especially if the agent will run it automatically.

What this means

API keys could be accidentally revealed if a user or agent follows the example and shares the output.

Why it was flagged

For auth errors, the tool may print advice that points users or agents toward inspecting an API key. The code does not execute this command itself, but following it could expose a credential in console output or chat context.

Skill content

fix: 'Check API key validity, regenerate if compromised, verify scopes.', example: 'Verify: openclaw config get api.key'

Recommendation

Verify credentials through safe account or secret-management workflows, and do not paste API keys into prompts, logs, or shared terminals.

What this means

Error messages sometimes contain tokens, customer data, URLs, or other sensitive details that could remain on disk and be shown later.

Why it was flagged

The log command persists user-provided error text and context in a local file, keeping the last 100 entries for later statistics and display.

Skill content

const LOG_FILE = '.api-errors.json'; ... error: errorText, context: context || '' ... JSON.stringify(errors.slice(-100), null, 2)

Recommendation

Avoid logging secrets or sensitive payloads, sanitize error text before logging, and delete .api-errors.json if it contains private information.