API Design Principles
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing from an unverified remote path could pull content different from the reviewed artifact if the source changes.
The README documents a remote GitHub-based install path while the registry lists no formal install spec. This appears user-directed, but users should verify the repository and version before installing from it.
npx add https://github.com/wpank/ai/tree/main/skills/backend/api-design-principles
Prefer installing from the registry-reviewed package or a pinned, trusted commit/tag, and review remote contents before running install commands.
If copied into a real service unchanged, the API may allow overly broad cross-origin browser access.
The template is labeled production-ready but defaults to wildcard CORS. The comment does disclose that production configuration is needed, so this is a deployment-hardening note rather than deceptive behavior.
Production-ready REST API template ... allow_origins=["*"], # Configure for production
Before production use, restrict CORS to explicit trusted origins, methods, and headers, and review all template defaults.
