Api Gateway Starter
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill claims to be a production-ready API gateway, but the included script only prints messages and does not implement the advertised security features.
Review this carefully before installing. The artifacts look like a placeholder rather than a real API gateway, so do not use it to protect services or configure production authentication until the missing implementation and setup details are provided.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could incorrectly believe a real security gateway is running and protecting services when no such protection is implemented.
These are security-critical production claims, but the only included implementation, gateway.sh, merely echoes status text and does not implement a gateway, authentication, rate limiting, caching, monitoring, load balancing, or TLS.
Production-ready API Gateway with everything you need. ... **Authentication** - JWT, OAuth2, API keys ... **Rate Limiting** ... **SSL/TLS** - Automatic cert management
Do not rely on this as a production gateway. Require real implementation files, tests, configuration, and deployment documentation before use.
Installation or runtime behavior may not match what the registry metadata suggests.
The prose requirements are not reflected in the registry requirement declarations or an install spec, so setup expectations are unclear even though no unsafe install behavior is shown.
## Requirements - Node.js 18+ - Redis (optional)
Treat the package as incomplete until requirements and installation steps are declared and supported by actual implementation artifacts.
If a real secret is used in the example command, it may be exposed locally outside the skill.
The documented auth setup passes a JWT secret on the command line. That is purpose-aligned for configuring authentication, but real secrets passed this way can appear in shell history or process listings.
./gateway.sh auth jwt --secret your-secret
Use safer secret handling, such as environment variables, protected config files, or a secrets manager, if this skill is ever made functional.
