Fabric.co API skill
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a transparent Fabric API helper, but it gives the agent API-key access to read and modify your Fabric workspace.
Install this only if you want the agent to manage your Fabric workspace. Keep the API key scoped and revocable if possible, do not paste it into chat, keep the API base URL trusted, and review any delete, bulk-write, or file-upload actions before they run.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can act on your Fabric account within the permissions of the API key, including reading and creating workspace resources.
The helper authenticates requests with the user's Fabric API key, giving the agent whatever Fabric workspace access that key allows. This is expected for the stated API integration.
const apiKey = process.env.FABRIC_API_KEY; ... headers.set('X-Api-Key', apiKey);Use a scoped or revocable Fabric API key if available, keep it out of prompts/logs, and avoid setting FABRIC_BASE/--base or --with-key to untrusted destinations.
If the agent is instructed incorrectly, it could create duplicate items, modify resources, delete resources, or upload selected file contents through the API.
The helper exposes a general HTTP interface, including mutating methods and arbitrary API paths/URLs. That breadth is useful for a Fabric API skill, but mistaken commands could change or delete workspace data.
parser.add_argument("method", help="HTTP method, e.g. GET/POST/PUT/PATCH/DELETE")
parser.add_argument("target", help="API path (e.g. /v2/notepads) or absolute URL (https://...)")Review or require confirmation for destructive, bulk, upload, or unfamiliar API calls, and keep usage limited to user-requested Fabric resources.