rate-limiting
Deep rate limiting workflow—identifying actors and resources, choosing algorithms, distributed vs local limits, client UX (headers, retries), and abuse detection. Use when protecting APIs, gateways, or multi-tenant SaaS workloads.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/codekungfu/rate-limiting
What This Skill Does
The rate-limiting skill provides a structured, deep-dive workflow for designing and implementing traffic management systems. It moves beyond simple configuration to address the architectural challenges of balancing system availability, fairness, and abuse prevention. The skill guides you through six critical stages: defining your threat model, selecting appropriate keys for throttling (e.g., user ID vs. IP), choosing the right algorithms (Token Bucket, Leaky Bucket, Sliding Window), managing distributed enforcement across regions, refining client UX, and setting up observability. It acts as an architectural consultant, ensuring that your API, gateway, or multi-tenant SaaS application is robust against both accidental traffic spikes and malicious actors.
Installation
To install this skill, run the following command in your terminal: clawhub install openclaw/skills/skills/codekungfu/rate-limiting
Use Cases
This skill is essential when you need to protect public-facing API endpoints from brute-force attacks or scraping. It is also ideal for multi-tenant SaaS platforms that need to implement 'noisy neighbor' isolation, ensuring that one tenant's heavy batch job does not degrade the experience for others. Furthermore, it is perfect for developers working on systems experiencing 'retry storms' after outages, where client-side exponential backoff and server-side jitter are required to stabilize the infrastructure.
Example Prompts
- 'I am designing a new public API and need to ensure it's protected from abuse. Walk me through the threat and fairness model stage to help me define our rate tiers.'
- 'Our GraphQL API is getting overwhelmed by deep, nested queries. How can I adapt the rate-limiting workflow to implement cost-based limiting instead of just simple request counting?'
- 'We have a microservices architecture distributed across three regions. How should I approach the distributed enforcement stage to maintain consistent rate limits while accounting for clock skew and network latency?'
Tips & Limitations
Always coordinate rate-limiting with your authentication layer, as anonymous IP-based limits are inherently coarse and prone to blocking legitimate traffic from shared-NAT environments. Remember to explicitly exempt health checks and monitoring endpoints from your rate-limiting rules to avoid triggering false alarms. For WebSocket connections, be aware that you need to manage two distinct limits: the connection establishment rate and the subsequent message throughput rate. Finally, remember that edge-level (CDN) rate limiting and origin-level enforcement often behave differently; ensure your documentation and metrics reflect both layers of defense for accurate observability.
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-codekungfu-rate-limiting": {
      "enabled": true,
      "auto_update": true
    }
  }
}