Architecture Patterns

Security checks across malware telemetry and agentic risk

Overview

This looks like a coherent architecture-guidance skill. The only review notes concern optional install commands, copyable payment-adapter example code, and secret-like literals flagged in reference docs.

This appears safe to use as architecture guidance. Before installing, verify the remote source if you use the README install command, inspect any omitted or unreviewed scripts, and treat payment/credential snippets as examples only—not production-ready code.

VirusTotal

65/65 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

If a user follows the README command, they may install whatever is currently at that remote path rather than a pinned, reviewed version.

Why it was flagged

The README documents a user-run install from an unpinned GitHub path; this is not automatic execution, but users should verify the source and revision before installing.

Skill content
npx add https://github.com/wpank/ai/tree/main/skills/backend/architecture-patterns
Recommendation

Install from a trusted source, inspect the files first, and prefer a pinned commit or registry-managed install when available.

ASI02: Tool Misuse and Exploitation
Low
What this means

A developer who copies this template into a live project could trigger real payment operations if they wire it to production credentials.

Why it was flagged

The template contains copyable code that would create and refund Stripe payments if used with a real API key. It is purpose-aligned as a hexagonal-architecture adapter example and is not shown as automatically executed by the skill.

Skill content
await this.stripe.paymentIntents.create({ ... }); ... await this.stripe.refunds.create({ ... });
Recommendation

Treat the Stripe adapter as illustrative sample code; add explicit approvals, test-mode defaults, idempotency, logging controls, and environment separation before using it in production.

ASI03: Identity and Privilege Abuse
Low
What this means

Users might copy example credential values into code, or a real secret could be exposed if the redacted value was not a placeholder.

Why it was flagged

The static scan flagged a secret-like literal in a reference guide. The provided context suggests documentation/example material, but credential-like strings in published docs should be confirmed as placeholders.

Skill content
const authToken = [REDACTED]; // HTTP concept
Recommendation

Verify flagged values in the reference docs are fake placeholders, replace realistic secrets with clearly invalid examples, and avoid publishing reusable tokens or passwords.