Secure Api Starter
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to be a brief API-template guide, but its quick-start references a script that is not included, so verify any script before running it.
This skill does not show malicious behavior in the provided artifacts. Treat it as incomplete documentation rather than a ready-to-run template unless the missing generator script is supplied and reviewed. Do not run ./create-api.sh from an arbitrary directory without verifying the file.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could accidentally run an unrelated or untrusted local script if they follow the command without confirming what ./create-api.sh is.
The quick-start depends on a local helper script, but the supplied artifact set contains no code files, so the implementation and provenance of that setup step are not reviewable here.
./create-api.sh my-api
Only run create-api.sh after confirming where it came from and reviewing its contents; the package should include the referenced script or adjust the documentation.
