Submit Audit

Submit a new behavioral security audit for a skill.

POST https://audit-engine.oathe.ai/api/submit

Submit a skill repository for behavioral security scanning.

Request Body

skill_url string required
GitHub or ClawHub URL. Accepts https://github.com/{user}/{repo}, https://clawhub.ai/{user}/{skill}, or https://github.com/{user}/{repo}/tree/{branch}/{path} for monorepo subdirectories.
notification_email string optional
Email address to notify when the audit completes or fails.
force_rescan boolean optional
Set to true to bypass deduplication and force a fresh scan.
If the same skill_url was submitted before, the existing audit_id is returned with deduplicated: true. Pass force_rescan: true to override.

Idempotency

Pass an Idempotency-Key header to enable safe retries. If a request with the same key and body is sent again within 24 hours, the original response is returned from cache.

Idempotency-Key request header optional
Unique string (max 256 characters) identifying this logical submission. Use a UUID or deterministic hash of the submission context.

If the same key is reused with a different request body, the server returns 422. If the original request is still processing, the server returns 409.

Recommended for CI/CD pipelines where network retries may duplicate requests. Generate one key per pipeline run to guarantee exactly-once submission.

Example

curl -X POST https://audit-engine.oathe.ai/api/submit \
  -H "Content-Type: application/json" \
  -d '{
    "skill_url": "https://github.com/user/repo",
    "notification_email": "[email protected]"
  }'

Subdirectory Example

To audit a single skill inside a monorepo, use a /tree/ URL pointing to the subdirectory:

curl -X POST https://audit-engine.oathe.ai/api/submit \
  -H "Content-Type: application/json" \
  -d '{
    "skill_url": "https://github.com/user/monorepo/tree/main/skills/my-skill"
  }'

Response 201

{
  "audit_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "queue_position": 1,
  "notification_email": "[email protected]"
}

Deduplicated Response 200

{
  "audit_id": "existing-audit-id",
  "deduplicated": true
}