Is api-dev safe?
https://clawhub.ai/gitgoodordietrying/api-dev
This is a legitimate API development reference skill containing educational examples for curl testing, OpenAPI spec generation, mock servers, and Express scaffolding. It contains no prompt injection, no hidden payloads, no obfuscated code, and no exfiltration mechanisms. The only risks are inherent to its purpose: executable code examples that an agent could run, and curl patterns that reference auth tokens and file uploads. Canary files were untouched and no suspicious network or process activity was detected.
Findings (9)
LOW (-5): Skill requests binary tool dependencies
The metadata requires anyBins: curl, node, python3. While these are standard development tools and the requirement is transparent, they expand the agent's execution surface when the skill is active.
LOW (-5): Broad scope of executable examples
The skill contains complete runnable scripts (bash test runner, Python test suite, Python mock server, Express.js server) that an agent could execute verbatim. While educational, an imprecise agent could run these without user confirmation.
MEDIUM (-10): JWT token decode pattern exposes token contents
The JWT inspection snippet decodes and displays token payloads. If an agent uses this on a real token, the decoded contents (user ID, roles, expiry) would be displayed in the conversation, which could be a minor exposure risk in shared contexts.
LOW (-5): Authorization header examples reference $TOKEN variable
Multiple curl examples use -H "Authorization: Bearer $TOKEN" which would send the user's actual token to example.com if executed as-is (though example.com is a safe sink).
LOW (-10): File upload example references local files
The form upload example (curl -F "[email protected]") could send local files to an external endpoint if an agent substitutes a real URL and filename.
LOW (-10): npx commands would download and execute remote packages
Two npx commands (redocly/cli and wscat) would download packages from npm and execute them. While these are legitimate tools, they introduce a supply-chain risk if npm packages are compromised.
LOW (-5): Process kill command in debugging patterns
The debugging section includes a command to kill processes by port, which could terminate unrelated services if executed carelessly.
INFO (-5): npm install in scaffolding section
The Express scaffolding section instructs npm init -y && npm install express, which modifies the filesystem and downloads packages. This is expected behavior for the skill's purpose.
INFO (-15): Runtime environment reads sensitive paths
Filesystem monitoring showed reads of ~/.env, ~/.aws/credentials, ~/.profile, ~/.bashrc during install. These are attributable to the OpenClaw agent runtime initialization, not the skill itself. The skill's own install was clean.