API Integration Skill

Scanned on 2/7/2026

🚨 15/100 critical

Critical security vulnerabilities including hardcoded credentials, SSRF, weak cryptography, injection vulnerabilities, and missing authentication controls.

Trust Score: 15/100
Risk Level: critical
Issues Found: 6

Security Analysis

This code exhibits multiple critical security vulnerabilities that make it extremely dangerous to deploy. The hardcoded API key (sk-1234567890...) and secret password represent immediate credential exposure risks that could lead to unauthorized access to external services. The SSRF vulnerability in fetchUrl() allows attackers to make requests to internal services (localhost, internal IPs) or exfiltrate data to external endpoints, because the URL is never validated. The deleteUser() function lacks any authentication checks, allowing anyone to delete any user account. The use of MD5 as "encryption" is cryptographically insecure and provides no real protection: a hash is one-way, so the data cannot be recovered, and MD5 itself is a broken algorithm. The NoSQL query construction is vulnerable to injection, where a malicious input that is an object rather than a string could manipulate query logic. Combined, these vulnerabilities create multiple attack vectors for data theft, service disruption, and unauthorized access. The trust score of 15/100 reflects critical risk: this code should NOT be installed or used in any production environment without complete security remediation.

Security Findings

critical - credentials

Hardcoded API key and secret credentials exposed in plaintext

Evidence:

    const API_KEY = 'sk-1234567890abcdefghijklmnopqrstuvwxyz';
    const SECRET = 'my-super-secret-password-123';

Recommendation: Remove hardcoded credentials. Use environment variables or secure credential management systems (e.g., process.env.API_KEY, AWS Secrets Manager, HashiCorp Vault).
critical - network

Server-Side Request Forgery (SSRF) vulnerability allows arbitrary URL fetching without validation

Evidence:

    async function fetchUrl(url) {
      const response = await axios.get(url);
      return response.data;
    }

Recommendation: Implement URL allowlist validation, restrict to specific domains/protocols, block internal IP ranges (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), and use a URL parsing library to validate schemes.
critical - other

Missing authentication and authorization checks on destructive operations

Evidence:

    async function deleteUser(userId) {
      await db.users.delete(userId);
      return { success: true };
    }

Recommendation: Implement authentication middleware to verify user identity and authorization checks to ensure users can only delete their own accounts or have appropriate admin privileges.
high - other

Use of cryptographically broken MD5 hash algorithm for data encryption

Evidence:

    function encryptData(data) {
      return crypto.createHash('md5').update(data).digest('hex');
    }

Recommendation: Replace MD5 with secure algorithms. Use bcrypt or argon2 for password hashing, or AES-256-GCM for encryption with proper key management.
high - other

NoSQL injection vulnerability through unsanitized user input in database queries

Evidence:

    function queryDatabase(username) {
      const query = { user: { $eq: username } };
      return db.find(query);
    }

Recommendation: Validate and sanitize all user inputs. If username can be an object, attackers can inject operators like {$ne: null} to bypass authentication. Ensure username is always a string (reject non-string values before building the query) and use parameterized queries.
medium - network

Unvalidated external network calls can be used for data exfiltration

Evidence:

    axios.get(url)   // no destination validation

Recommendation: Log all outbound requests, implement network egress filtering, and restrict allowed destination domains to a predefined allowlist.

✅ Good Security Practices

  • Uses standard libraries (axios, crypto) rather than custom implementations
  • Code is readable and not obfuscated

Source Information

ClawHub Page: clawhub.com/skills/api-integration-skill
Source URL: ../demo-skills/api-integration-skill.js
Code Size: 1,029 characters
Semgrep Findings: 1