api-test
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is presented as an API documentation helper, but its included code is an arbitrary GET/POST API-calling tool, which is broader and less clearly disclosed than the stated purpose.
Review this carefully before installing. It appears to be marketed as an API documentation assistant, but the code can make arbitrary external API requests. Use it only if that behavior is intended, and prefer a version that clearly asks for confirmation and limits where requests can be sent.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked unexpectedly, the agent could send data to arbitrary web endpoints or make API calls beyond what a user would expect from a documentation helper.
The code allows arbitrary user-supplied URLs, headers, query parameters, and POST bodies. That is a broad network/API-calling tool, but the skill is described as an API documentation assistant rather than an API execution tool.
url = params.get("url")
...
headers = params.get("headers", {})
...
data = params.get("data", {})
...
requests.get(url, headers=headers, params=url_params, timeout=timeout)
...
requests.post(url, headers=headers, params=url_params, json=data, timeout=timeout)

Only use this if you want an API-calling/testing tool. Add explicit user confirmation, restrict allowed hosts and methods, and update the description to disclose network API calls.
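The recommended hardening (confirmation, host and method allowlists) as an added example; this is not the skill's own code. It assumes the same `params` dict shape the reviewed snippet reads, a caller-supplied `allowed_hosts` list, a `confirm` callback for the user prompt, and a `send` callable standing in for `requests.request` so the gate can be exercised offline.

```python
"""Policy gate that should sit in front of the skill's requests.get/post calls."""
import ipaddress
from urllib.parse import urlsplit


class RequestBlocked(Exception):
    """Raised when a requested call falls outside the configured policy."""


def _is_literal_ip(host):
    # Literal IPs sidestep hostname allowlisting and commonly target internal services.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_request(params, allowed_hosts, allowed_methods=("GET",)):
    """Return (method, url) if the request is permitted, otherwise raise RequestBlocked."""
    method = str(params.get("method", "GET")).upper()
    if method not in allowed_methods:
        raise RequestBlocked(f"method {method} not allowed")
    url = params.get("url")
    if not isinstance(url, str):
        raise RequestBlocked("url missing or not a string")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise RequestBlocked(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise RequestBlocked("credentials embedded in URL not allowed")
    host = (parts.hostname or "").lower()
    if _is_literal_ip(host):
        raise RequestBlocked("literal IP addresses not allowed")
    if host not in {h.lower() for h in allowed_hosts}:
        raise RequestBlocked(f"host {host!r} not in allowlist")
    return method, url


def guarded_call(params, allowed_hosts, send, confirm, allowed_methods=("GET",)):
    """Apply the policy, require explicit user confirmation, then delegate to `send`.

    `send` takes the same (method, url, **kwargs) shape as requests.request (assumption).
    """
    method, url = check_request(params, allowed_hosts, allowed_methods)
    if not confirm(f"Allow outbound {method} {url}?"):
        raise RequestBlocked("user declined the request")
    body = params.get("data") if method == "POST" else None
    return send(method, url, headers=params.get("headers", {}),
                params=params.get("params", {}), json=body,
                timeout=params.get("timeout", 10))
```

Wiring `send=requests.request` and a real prompt for `confirm` turns this into the confirmed, allowlisted call the review asks for, with the description updated to say the skill makes network requests.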
Users may install or invoke the skill expecting only writing assistance, not arbitrary outbound API requests.
The user-facing description says the skill writes REST API documentation and interface specifications, but the included Python file implements external API fetching. This mismatch can cause users to trust it as documentation-only while it has network action capability.
description: API接口文档助手。用于编写REST API文档、定义接口规范、生成接口说明。当需要编写API文档、接口规范时触发。
Align the public description and SKILL.md with the actual behavior, or remove the network-calling code if the skill is intended to be documentation-only.
