Api Gateway Starter

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: api-gateway-starter
Version: 1.0.0

The skill bundle appears to be a non-functional placeholder or template for an API gateway. The shell script `gateway.sh` only contains echo statements for demonstration purposes, and while the `SKILL.md` documentation describes advanced features like JWT and Redis integration, no actual implementation or malicious logic exists in the provided files.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or agent could incorrectly believe a real security gateway is running and protecting services when no such protection is implemented.

Why it was flagged

These are security-critical production claims, but the only included implementation, gateway.sh, merely echoes status text and does not implement a gateway, authentication, rate limiting, caching, monitoring, load balancing, or TLS.

Skill content

Production-ready API Gateway with everything you need. ... **Authentication** - JWT, OAuth2, API keys ... **Rate Limiting** ... **SSL/TLS** - Automatic cert management

Recommendation

Do not rely on this as a production gateway. Require real implementation files, tests, configuration, and deployment documentation before use.

What this means

Installation or runtime behavior may not match what the registry metadata suggests.

Why it was flagged

The prose requirements are not reflected in the registry requirement declarations or an install spec, so setup expectations are unclear even though no unsafe install behavior is shown.

Skill content

## Requirements

- Node.js 18+
- Redis (optional)

Recommendation

Treat the package as incomplete until requirements and installation steps are declared and supported by actual implementation artifacts.

What this means

If a real secret is used in the example command, it may be exposed locally outside the skill.

Why it was flagged

The documented auth setup passes a JWT secret on the command line. That is purpose-aligned for configuring authentication, but real secrets passed this way can appear in shell history or process listings.

Skill content

./gateway.sh auth jwt --secret your-secret

Recommendation

Use safer secret handling, such as environment variables, protected config files, or a secrets manager, if this skill is ever made functional.