json

Verified·Scanned 2/18/2026

This skill provides guidance for working with JSON data structures, schema validation, serialization, and API response patterns. No security-relevant behaviors detected.

from clawhub.ai·v016667b·2.9 KB·0 installs
Scanned from 1.0.0 at 016667b · Transparency log ↗
$ vett add clawhub.ai/ivangdavila/json

Schema & Validation

  • Always validate against JSON Schema before processing untrusted input—don't assume structure
  • Define schemas for API responses—catches contract violations early
  • Use additionalProperties: false to reject unknown fields in strict contexts

Naming & Consistency

  • Pick one convention and stick to it—camelCase for JS ecosystems, snake_case for Python/Ruby
  • Avoid mixed conventions in same payload—userId alongside user_name confuses consumers
  • Use plural for collections: "users": [] not "user": []

Null Handling

  • Distinguish "field is null" from "field is absent"—they mean different things
  • Omit optional fields entirely rather than sending null—reduces payload, clearer intent
  • Document which fields are nullable in schema—don't surprise consumers

Dates & Times

  • Always use ISO 8601: "2024-01-15T14:30:00Z"—no ambiguous formats like "01/15/24"
  • Include timezone or use UTC with Z suffix—local times without zone are useless
  • Timestamps as strings, not epoch integers—human-readable, no precision loss

Numbers & IDs

  • Large IDs as strings: "id": "9007199254740993"—JavaScript loses precision above 2^53
  • Money as string or integer cents—never float: "price": "19.99" or "price_cents": 1999
  • Avoid floats for anything requiring exactness—currency, coordinates with precision

Structure Best Practices

  • Keep nesting shallow—3 levels max; flatten or split into related endpoints
  • Consistent envelope for APIs: {"data": ..., "meta": ..., "errors": ...}
  • Paginate large arrays—never return unbounded lists; include next/prev links or cursor

API Response Patterns

  • Errors as structured objects: {"code": "INVALID_EMAIL", "message": "...", "field": "email"}
  • Include request ID in responses for debugging: "request_id": "abc-123"
  • Return created/updated resource in response—saves client a follow-up GET

Serialization

  • toJSON() method silently overrides output—Date becomes string, custom classes may surprise
  • Map, Set, BigInt don't serialize (Map and Set become {}, BigInt throws a TypeError)—need custom replacer function
  • Circular references throw—detect cycles before stringify or use libraries like flatted
  • Strip sensitive data before serializing—don't rely on client to ignore extra fields

Parsing Safety

  • A __proto__ key in parsed input can pollute prototypes once the object is merged or copied—sanitize input or use Object.create(null)
  • Parse in try/catch—malformed JSON from external sources is common
  • Reviver function for type reconstruction: dates, BigInt, custom types
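
The three points above combined, as an added example that is not part of the skill's own content: a reviver that drops `__proto__` keys and rebuilds dates and string IDs, a non-throwing parse wrapper, and a copy into prototype-less objects. Function names, the `id` key convention and the sample payload are assumptions constructed for illustration.

```javascript
// Added example: function names and the sample payload are constructed.
const ISO_UTC = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$/;

// JSON.parse calls the reviver bottom-up for every key;
// returning undefined removes that key from the result.
function reviver(key, value) {
  if (key === "__proto__") return undefined;
  if (typeof value === "string") {
    if (ISO_UTC.test(value)) {
      const date = new Date(value);
      if (!Number.isNaN(date.getTime())) return date; // keep the string if not a real date
    }
    if (key === "id" && /^\d+$/.test(value)) return BigInt(value);
  }
  return value;
}

// Parse untrusted text without throwing; callers branch on `ok`.
function safeParse(text) {
  try {
    return { ok: true, value: JSON.parse(text, reviver) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Copy plain objects into prototype-less ones, so a lookup such as
// dict["constructor"] only ever finds keys that were in the input.
function toDict(value) {
  if (Array.isArray(value)) return value.map(toDict);
  if (value === null || typeof value !== "object" || value instanceof Date) return value;
  const dict = Object.create(null);
  for (const key of Object.keys(value)) dict[key] = toDict(value[key]);
  return dict;
}

// Constructed input: a large string ID, an ISO 8601 timestamp, and two "__proto__" keys.
const sample = '{"id":"9007199254740993","created":"2024-01-15T14:30:00Z",' +
  '"__proto__":{"isAdmin":true},"profile":{"name":"a","__proto__":{"x":1}}}';

const parsed = safeParse(sample);
const dict = toDict(parsed.value);
console.log(parsed.ok, Object.keys(parsed.value), typeof parsed.value.id);
console.log(Object.getPrototypeOf(dict), safeParse('{"id": 1,').ok);
```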

Unicode

  • Emoji need surrogate pairs in escapes: 😀 = \uD83D\uDE00—single \u1F600 invalid (it is read as \u1F60 followed by the character 0)
  • Control chars U+0000–U+001F must be escaped—pasted text may contain invisible ones
  • BOM at file start breaks parsing—strip \uFEFF from file input