rapidapi
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your RapidAPI key could be disclosed to an unintended HTTPS host or used against APIs you did not mean to authorize.
The request destination is derived from input.host, and the RapidAPI key is attached to that request. With the skill's default non-RapidAPI host allowance, a mistaken or manipulated direct call can send the key outside the intended provider boundary.
const url = new URL(`https://${input.host}${input.path}`);
...
"X-RapidAPI-Key": rapidApiKey,
"X-RapidAPI-Host": input.host
Default to an explicit host allowlist or set allowNonRapidApiHosts=false where possible, and require user approval before calling any new host.
An agent could make POST, PUT, DELETE, or other mutation-capable requests to third-party APIs using your RapidAPI key if prompted or misled.
The engine executes caller-selected HTTP methods and bodies through fetch. This broad escape-hatch bypasses the safer template action flow and can perform state-changing API calls.
const method = (input.method || "GET").toUpperCase();
...
response = await fetch(url.toString(), { method, headers, body, signal: controller.signal });
Restrict the direct entrypoint, implement a method allowlist, prefer reviewed templates, and require explicit confirmation for non-GET or non-template calls.
Users may believe stronger safety controls are enforced than the supplied code actually provides.
The README presents these as security defaults, but the provided engine accepts the caller's method and does not show a body-size check; only the timeout limit is clearly implemented.
- Method allow-list
- Body size and timeout limits
Either implement the documented method and body-size limits or update the documentation to accurately describe the real safeguards and defaults.
