api-test
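API documentation assistant. Used for writing REST API documentation, defining interface specifications, and generating interface descriptions. Triggered when API documentation or interface specifications need to be written.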
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md describes an API documentation assistant. The included Python file (Skill.py), however, implements a generic HTTP client that can call arbitrary URLs with GET/POST and send JSON payloads. Making arbitrary external requests is not necessary for producing static API docs and is not mentioned in the skill description or SKILL.md.
Instruction Scope
Runtime instructions (SKILL.md) only describe documenting APIs and do not instruct the agent to call external endpoints. The actual code will perform network calls when invoked. This is a scope mismatch: the instructions do not disclose the network I/O behavior present in the code.
Install Mechanism
There is no install spec (instruction-only plus a code file). The code imports the 'requests' library but the skill does not declare this dependency. Lack of declared dependencies may cause runtime failures or hide additional requirements, but there is no installer or external download URL—so installation risk is low.
Credentials
No environment variables or credentials are declared, yet the skill can perform arbitrary outbound HTTP requests and send data in requests. That capability could be used to exfiltrate data if the agent passes sensitive content to the skill. The network-capable behavior is not justified by the declared purpose.
Persistence & Privilege
always is false (default) and the skill may be invoked autonomously (platform default). Autonomous invocation combined with undeclared network-capable code raises the blast radius, but autonomy alone is not unusual. Consider restricting autonomous runs or requiring explicit user invocation until the code is verified.
What to consider before installing
This skill's description promises an API documentation assistant, but the bundled Skill.py is a generic HTTP client able to call arbitrary URLs and send JSON. Before installing:
1) Ask the author why the skill needs to perform arbitrary HTTP requests and to document that behavior in SKILL.md.
2) Request that network behavior and required dependencies (requests) be declared.
3) If network calls are necessary (e.g., to fetch live examples), limit them to well-known endpoints and add allow-listing; otherwise remove or disable network capability.
4) If you proceed, run the skill in a sandboxed environment, disable autonomous invocation where possible, and review or audit the code to ensure it won't send sensitive data to external servers.
If you cannot verify the intent and code, treat the skill as untrusted and do not install it in environments with sensitive data.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.3
SKILL.md
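API Documentation
Version: V1.0 Last updated: YYYY-MM-DD Maintainer: XXX
Interface Overview
| Module | Number of interfaces | Owner |
|---|---|---|
| User module | 5 | @xxx |
| Order module | 8 | @xxx |
| Payment module | 4 | @xxx |
General Notes
Authentication Method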
