Back to skill
Skillv1.0.0
ClawScan security
Casdoor-api-assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 16, 2026, 5:27 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only helper that bundles Casdoor API reference and example-generation guidance; its requested footprint (no env vars, no installs, no code execution) matches its stated purpose.
- Guidance
- This skill is a documentation-and-example generator for Casdoor APIs and appears coherent and low-risk. Before using: do not paste real credentials or tokens into an assistant prompt; replace placeholders with your deployment's host and tokens only in a secure environment; review any generated code for correctness (especially auth headers and endpoint paths) before executing; if you plan to share example requests that include real data, sanitize sensitive fields first. The skill can be invoked autonomously by an agent (normal default), so avoid granting it secrets or system-level credentials.
Review Dimensions
- Purpose & Capability
- okThe skill name/description (Casdoor API, Swagger/OpenAPI examples, OIDC/auth debugging) matches the included reference files and SKILL.md workflow. The files enumerate endpoints, example patterns, and an auth debug checklist — all coherent with the declared purpose.
- Instruction Scope
- okSKILL.md instructs the agent to consult the shipped reference files and produce curl/JS/Python examples and follow a deterministic debugging checklist. It does not direct the agent to read unrelated system files, access environment variables, or send data to unexpected external endpoints; placeholders are used for hosts and tokens.
- Install Mechanism
- okNo install spec and no code files are present. Because this is instruction-only, nothing is downloaded or written to disk by the skill package itself.
- Credentials
- okThe skill requires no environment variables or credentials. Example patterns correctly use placeholders like <casdoor-host> and <access-token>, which is appropriate — real credentials would only be needed when the user chooses to run generated requests.
- Persistence & Privilege
- okThe skill is not forced-always and uses normal model invocation defaults. It does not request persistent presence, nor does it attempt to modify other skills or system-wide settings.