magic-api-generate
Review
Audited by ClawScan on May 10, 2026.
Overview
This documentation-only skill is mostly aligned with magic-api, but its sample login code is unsafe for real accounts and should be reviewed before use.
Use this skill as a magic-api reference, not as production-ready security code. Before installing or relying on generated APIs, replace the login example with strong password hashing and safe session handling, restrict the /magic/web console, and carefully review any generated CRUD, upload, export, or cleanup endpoints.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied into a real API, users could end up with weak sessions or accidentally expose sensitive account fields.
The login pattern compares the submitted password against the stored one in plaintext, creates a predictable token from the user id and a timestamp, and returns the raw user record, which may include password or privilege fields.
if (!user || user.password != body.password) { ... }
var token = "token_" + user.id + "_" + Date.now();
...
return {code: 200, data: {token: token, user: user}};
Do not use this authentication template as-is. Use BCrypt or Argon2 for password storage, session tokens drawn from a CSPRNG (or properly configured JWTs), rate limiting, HTTPS, and return only sanitized user fields.
If the Web UI is exposed or poorly protected, someone with access could create or modify application endpoints.
The framework intentionally allows Web UI-authored scripts to become persisted HTTP endpoints, creating a server-side code execution surface.
Write scripts in the Web UI and have them generated into HTTP endpoints automatically ...
magic-api:
  web: /magic/web
  ...
  resource:
    location: /data/magic-api
Keep the Web UI disabled or tightly restricted in production, require authentication/IP allow-listing, and version-control/review generated scripts.
Generated endpoints may change or delete real database data if deployed without authorization, validation, and review.
The CRUD examples issue direct update and delete operations against database records, and the update passes the request body straight through to the database, which is expected for this API-generation purpose but can be high-impact.
db.update("user", body, "id = ?", path.id);
...
db.delete("user", "id = ?", path.id);
Add authentication, authorization, field allow-lists, validation, audit logging, and backups before exposing generated CRUD endpoints.
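As an added example, not code from the reviewed skill or from magic-api, here is the set of checks this finding asks for placed in front of update and delete operations shaped like the quoted `db.update("user", body, ...)` and `db.delete("user", ...)`. It is plain Node.js; an in-memory Map stands in for the `user` table, the caller is assumed to have already resolved the session to an `actor` object, and the column names, roles and ownership rule are illustrative.

```javascript
// Added example (not the skill's code or magic-api's API): authorization,
// field allow-listing, validation and audit logging around CRUD operations.
// Assumptions: in-memory Map for the user table, `actor` already authenticated,
// illustrative column names and ownership rule.
const ALLOWED_UPDATE_FIELDS = new Set(["display_name", "email"]);

// Constructed rows; a real handler would go through magic-api's db module.
const users = new Map([
  [1, { id: 1, username: "alice", display_name: "Alice", email: "alice@example.com", role: "admin" }],
  [2, { id: 2, username: "bob", display_name: "Bob", email: "bob@example.com", role: "user" }],
]);
const auditLog = [];

// Keep only allow-listed keys and report the rest, so `role: "admin"` in the
// body is refused instead of silently written (mass assignment).
function pickAllowed(body, allowed) {
  const picked = {};
  const rejected = [];
  for (const [key, value] of Object.entries(body ?? {})) {
    if (allowed.has(key)) picked[key] = value;
    else rejected.push(key);
  }
  return { picked, rejected };
}

// Ownership rule: admins may do anything; users may update only their own row and never delete.
function authorize(actor, action, targetId) {
  if (!actor) return false;
  if (actor.role === "admin") return true;
  return action === "update" && actor.id === targetId;
}

// Shape checks on the allow-listed fields before they reach the database.
function validateFields(fields) {
  if ("email" in fields && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(String(fields.email))) return "invalid email";
  if ("display_name" in fields) {
    const n = String(fields.display_name);
    if (n.length === 0 || n.length > 64) return "display_name must be 1-64 characters";
  }
  return null;
}

// Path ids are untrusted strings; accept only positive integers.
function parseId(pathId) {
  const id = Number(pathId);
  return Number.isSafeInteger(id) && id > 0 ? id : null;
}

function sanitizeRow(row) {
  const { id, username, display_name, email } = row;
  return { id, username, display_name, email };
}

function record(actor, action, targetId, fields) {
  auditLog.push({ at: new Date().toISOString(), actor: actor.id, action, target: targetId, fields });
}

function updateUser(actor, pathId, body) {
  const id = parseId(pathId);
  if (id === null) return { code: 400, message: "invalid id" };
  if (!authorize(actor, "update", id)) return { code: 403, message: "forbidden" };
  const { picked, rejected } = pickAllowed(body, ALLOWED_UPDATE_FIELDS);
  if (rejected.length > 0) return { code: 400, message: "unexpected fields: " + rejected.join(", ") };
  if (Object.keys(picked).length === 0) return { code: 400, message: "nothing to update" };
  const problem = validateFields(picked);
  if (problem) return { code: 400, message: problem };
  const row = users.get(id);
  if (!row) return { code: 404, message: "not found" };
  Object.assign(row, picked); // stands in for db.update("user", picked, "id = ?", id)
  record(actor, "update", id, Object.keys(picked));
  return { code: 200, data: sanitizeRow(row) };
}

function deleteUser(actor, pathId) {
  const id = parseId(pathId);
  if (id === null) return { code: 400, message: "invalid id" };
  if (!authorize(actor, "delete", id)) return { code: 403, message: "forbidden" };
  if (!users.delete(id)) return { code: 404, message: "not found" }; // stands in for db.delete("user", "id = ?", id)
  record(actor, "delete", id, []);
  return { code: 200 };
}

// Usage: bob may change his own email, but a body that also names `role` is refused.
console.log(JSON.stringify(updateUser(users.get(2), "2", { email: "bob2@example.com", role: "admin" })));
```

Rejecting unexpected fields with a 400 rather than dropping them quietly is a deliberate choice: it surfaces tampering attempts in logs and keeps client bugs from being masked. The authorization check runs before the body is inspected so a forbidden caller learns nothing about which fields are accepted. Backups are an operational control and are not represented here.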
