Guide to implement secure API practices including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabi...
Security Analysis
medium confidenceThe skill's instructions are coherent with an API security guide, but the runtime instructions reference secrets (e.g., process.env.JWT_SECRET / JWT_REFRESH_SECRET) while the skill metadata declares no required environment variables — a mismatch worth noting before installation.
The name and description match the content: guidance and code examples for API security (auth, validation, rate limiting, data protection). No unrelated binaries, installs, or services are requested.
SKILL.md contains concrete implementation guidance and code samples that stay on-topic. It references environment secrets (process.env values) and database operations, but does not instruct the agent to read arbitrary host files, call external endpoints outside standard APIs, or exfiltrate data. The instructions are sufficiently prescriptive to be useful; exercise caution when copy-pasting into production.
This is an instruction-only skill with no install spec and no code files executed by the platform. That minimizes install-time risk.
The documentation and code samples reference runtime secrets (JWT_SECRET, JWT_REFRESH_SECRET) and database interactions, but the skill's metadata declares no required environment variables or primary credential. This mismatch could lead to confusion about what secrets must be supplied and how they're protected. Requiring those env vars in metadata (or being explicit that the skill will refer to project environment variables) would be more proportionate.
The skill does not request always:true and is user-invocable only. It does not ask to modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
Guidance
This appears to be a legitimate API security guide with useful code examples, but note the mismatch: the examples reference JWT secrets (process.env.JWT_SECRET, JWT_REFRESH_SECRET) even though the skill metadata doesn't declare required environment variables. Before using or copying code: (1) keep all secrets out of chat—store them in your environment or a secrets manager; (2) verify and adapt examples to your stack (e.g., secure refresh token storage, HttpOnly cookies, CSRF protections); (3) test in staging and rotate secrets after deployment; (4) confirm the agent will not be given raw secret values in conversation or logs if you enable autonomous invocation. If you want stronger assurance, ask the skill author to declare required env vars and to clarify any external endpoints or persistence expected during runtime.
Latest Release
v1.0.0
Initial release: JWT, OAuth2, rate limiting, input validation, OWASP API Top 10
More by @brandonwise
Published by @brandonwise on ClawHub
