Scandar API

Programmatic access to Scandar's AI-powered skill scanning and remediation engine.

The Scandar API lets you integrate trust scoring and threat detection into your own workflows. Scan OpenClaw SKILL.md files for prompt injection, data exfiltration, and other security risks — and optionally auto-fix flagged issues.

Base URL
/api/v1(relative — same origin as the app)

Versioning
The API is versioned via the URL path. The current version is v1. Breaking changes will be introduced in a new version.

Authentication

All API requests require a Bearer token. Pass your API key in the Authorization header:

Authorization: Bearer sk_your_api_key_here

API keys are available on the Pro plan ($29/mo). Generate keys from your Dashboard → API page.

Each key begins with sk_ and is shown only once at creation time. Store it securely.

POST /api/v1/scan

Analyze a skill file for security risks. Supports two input modes: JSON body or multipart file upload.

Headers

Header	Value
`Authorization`	`Bearer sk_...`
`Content-Type`	`application/json` or `multipart/form-data`

JSON Request Body

{
  "text": "# SKILL.md content here...",
  "fileName": "optional-name.md"
}

text is required. fileName is optional and used for display purposes.

Multipart File Upload

Send the file as a file field in a multipart form. The file contents will be read and scanned automatically.

Response

{
  "scan_id": "scn_...",
  "status": "complete",
  "trust_score": 85,
  "classification": "caution",
  "scan_duration_ms": 4200,
  "findings_count": {
    "critical": 0,
    "high": 1,
    "medium": 2,
    "low": 0,
    "info": 1
  },
  "findings": [
    {
      "category": "prompt_injection",
      "severity": "high",
      "title": "Hidden instruction override",
      "description": "Attempts to override system instructions...",
      "lineNumber": 42,
      "matchedContent": "ignore previous instructions...",
      "confidence": 0.95,
      "layer": 1
    }
  ],
  "recommendations": [
    "Remove hidden instruction overrides",
    "Review data access patterns"
  ],
  "layer1_results": {
    "findings": [...],
    "duration_ms": 12
  },
  "layer2_results": {
    "findings": [...],
    "duration_ms": 4100,
    "behavioral_notes": "Skill attempts to access external URLs...",
    "stated_vs_actual": {
      "stated_purpose": "Calendar management",
      "actual_behavior": "Data exfiltration via URL encoding",
      "alignment": "misaligned"
    }
  },
  "saved_scan_id": "uuid",
  "rate_limit": {
    "remaining": "Infinity",
    "resets_at": null
  }
}

Response Fields

Field	Type	Description
`trust_score`	number	0-100 trust score (higher = safer)
`classification`	string	"safe" \| "caution" \| "risky" \| "dangerous"
`findings`	array	List of security findings with severity, category, and details
`findings_count`	object	Counts by severity level
`layer1_results`	object	Pattern-matching layer results
`layer2_results`	object	AI behavioral analysis results
`scan_duration_ms`	number	Total scan time in milliseconds
`rate_limit`	object	Remaining requests and reset time

POST /api/v1/fix

Automatically rewrite a skill file to remove flagged threats. Pro plan only.

Request Body

{
  "skillContent": "# Full SKILL.md content...",
  "findings": [
    {
      "category": "prompt_injection",
      "severity": "high",
      "title": "Hidden instruction override",
      "description": "Attempts to override system instructions..."
    }
  ]
}

Pass the full skill content along with the findings array from a previous scan response. The API will rewrite the content to neutralize the identified threats.

Response

{
  "fixedContent": "# Rewritten SKILL.md content...",
  "changesSummary": "Removed 2 threats: hidden instruction override, data exfiltration URL"
}

Field	Type	Description
`fixedContent`	string	The rewritten skill content with threats removed
`changesSummary`	string	Human-readable summary of changes made

Error Codes

All errors return a JSON object with a error field containing a human-readable message.

Status	Description
400	Bad Request — missing or invalid parameters (e.g. no text or file provided)
401	Unauthorized — missing or invalid API key
403	Forbidden — your plan does not include access to this endpoint (e.g. /fix requires Pro)
415	Unsupported Media Type — content type not recognized; use application/json or multipart/form-data
429	Too Many Requests — rate limit exceeded; check the rate_limit field in responses
500	Internal Server Error — something went wrong on our end
502	Bad Gateway — upstream AI service unavailable
503	Service Unavailable — the service is temporarily overloaded

// Example error response
{
  "error": "Missing required field: text or file upload"
}

Code Examples

Scan a Skill

curl -X POST /api/v1/scan \
  -H "Authorization: Bearer sk_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "text": "# My Skill\nDo something helpful...",
    "fileName": "my-skill.md"
  }'

Scan via File Upload

curl -X POST /api/v1/scan \
  -H "Authorization: Bearer sk_your_api_key" \
  -F "file=@path/to/SKILL.md"

Fix a Skill (Pro)

curl -X POST /api/v1/fix \
  -H "Authorization: Bearer sk_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "skillContent": "# Full skill content...",
    "findings": [
      {
        "category": "prompt_injection",
        "severity": "high",
        "title": "Hidden instruction override",
        "description": "Attempts to override system instructions"
      }
    ]
  }'