40Medium
The skill promotes insecure CORS configuration
Behavior Analysis
Mismatch detected — The skill's stated purpose implies it 'creates' or provides 'templates' for FastAPI projects, suggesting a project generation or scaffolding capability. However, the actual content consists entirely of code snippets and architectural descriptions, requiring manual implementation rather than automated project creation.
Claims to do
FastAPI Project Templates: Production-ready FastAPI project structures with async patterns, dependency injection, middleware, and best practices for building high-performance APIs.
Actually does
This skill provides extensive Python code examples and architectural patterns for building a FastAPI application. It demonstrates project structure, async database operations with SQLAlchemy, dependency injection, CRUD repositories, a service layer, API endpoints, and JWT-based authentication/authorization. It also includes pytest examples for testing. The skill does not execute any commands, access external data, or contact external URLs; it solely presents code for manual implementation.
Skill Info
Namewshobson/agents/fastapi-templates
Registrygithub
Version03d0b4b9eb4d
PURLpkg:github/wshobson/agents@03d0b4b9eb4d?skill=fastapi-templates
Stars33,659
Installs13,500
Source
SHA-2564ae819c65b5c...
SHA-1dde2940ef3bf...
MD565fa45a89c4d...
TLSH2f62c811d123...
ssdeep192:R1K4C0Gm...
Size15,177 bytes
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
Skills.shDocs
npx skills add https://github.com/wshobson/agents --skill fastapi-templatesAssessments (2)
AI Agent Traps ↗Overly permissive CORS configurationmediumdata exfiltration
The `CORSMiddleware` is configured with `allow_origins=["*"]`, which permits cross-origin requests from any domain. This is a significant security risk in production environments, potentially enabling data exfiltration or other client-side attacks if not properly restricted.
100% confidenceline 99
allow_origins=["*"]
Misleading 'production-ready' claimlowdescription mismatch
The skill claims to provide 'production-ready' templates, but includes an `allow_origins=["*"]` CORS configuration which is highly insecure for production and contradicts the 'production-ready' assertion. This could mislead users into deploying insecure configurations.
90% confidenceline 3
description: Create production-ready FastAPI projects...
Description Mismatchmediumdescription mismatch
The skill's stated purpose implies it 'creates' or provides 'templates' for FastAPI projects, suggesting a project generation or scaffolding capability. However, the actual content consists entirely of code snippets and architectural descriptions, requiring manual implementation rather than automated project creation.
85% confidence
The skill content is solely Python code and descriptive text, lacking any executable commands or tools that would 'create' or 'generate' a project structure.
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/wshobson/agents/fastapi-templates)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/wshobson/agents/fastapi-templates"><img src="https://mondoo.com/ai-agent-security/api/badge/github/wshobson/agents/fastapi-templates.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/wshobson/agents/fastapi-templates.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow