Secure API Starter

v1.0.0

A secure API starter tool.

0 · 249 · 1 current · 1 cumulative
by @sunshine-del-ux (Sunshine-del-ux)·MIT-0
License
MIT-0
Last updated
2026/3/5
Security scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
The skill's description promises a full 'production-ready' API template, but the runtime instructions refer to local scripts and OAuth flows without providing any code, install steps, or credentials — the pieces don't add up and require further vetting before use.
Assessment recommendations
Do not run any shell scripts referenced by this SKILL.md unless you can inspect them first. The skill promises many features but includes no code, no repo link, and no credential guidance (OAuth requires client IDs/secrets). Before installing or using: (1) ask the publisher for the source repository or a packaged archive; (2) review any create-api.sh and other scripts for arbitrary commands; (3) verify how secrets (JWT keys, OAuth client secrets) are handled — they should never be requested by a...
Detailed analysis
Purpose and capability
The skill claims a production-ready API with JWT, API keys, OAuth2, RBAC, rate limiting, etc., but there are no code files, no repository/homepage, and no install spec. The SKILL.md expects ./create-api.sh and Node.js/TypeScript to be present, yet those scripts and project contents are not included — this is inconsistent with the stated purpose.
Instruction scope
Instructions tell the agent (or user) to run ./create-api.sh with various flags. Because the script is not bundled or linked, the instructions are vague and leave room for arbitrary shell execution if a similarly named script exists locally. The SKILL.md also references OAuth2 providers (Google, GitHub) which normally require client IDs/secrets, but no guidance is given for obtaining or supplying those credentials.
Install mechanism
There is no install specification (instruction-only), which minimizes automatic disk writes. That said, an instruction-only skill that tells the user or agent to run a local shell script without providing it is suspicious: it either expects local assets that don't exist or assumes the agent will create/obtain them — both are risky in practice.
Credential requirements
The skill declares no required environment variables or credentials, yet its stated features (OAuth2, API keys, JWT secrets) normally require secrets/config. The absence of any declared env vars or guidance for credential handling is disproportionate to the claimed functionality and suggests missing or incomplete implementation details.
Persistence and privileges
The skill does not request persistent privileges (always: false) and does not declare any system-level config paths. It does allow normal autonomous invocation (default), which is expected; this alone is not flagged.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify, and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/3/5

Initial release of Secure API Starter.
- Production-ready template for secure API development
- Supports JWT, API keys, OAuth2, and session-based authentication
- Includes role-based access control and per-user/IP rate limiting
- Features input/schema validation, comprehensive logging, and structured error handling
- Quick-start scripts and clear Node.js 18+ & TypeScript requirements

● Benign

Install command

Official: npx clawhub@latest install secure-api-starter
Mirror: npx clawhub@latest install secure-api-starter --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库