ClawHub

Zyla API Hub Skill

v1.0.7

Zyla API Hub Skill — Turn your OpenClaw AI agent into a real-world operator. Power it with 10,000+ production-ready APIs from Zyla API Hub — instant access to weather, finance, translation, email validation, geolocation, and more.

1· 1.9k·0 current·0 all-time
byzyla-labs@alebrega
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, plugin behavior, CLI scripts, and the primary credential (ZYLA_API_KEY) all consistently relate to calling Zyla API Hub endpoints and browsing the Zyla catalog.
Instruction Scope
SKILL.md and the plugin instruct the agent/user to use local CLI scripts and a browser-based connect flow. The connect flow runs a temporary localhost HTTP server to capture a token (expected for OAuth-style flows). Minor inconsistency: README/SKILL.md claim the key is 'captured automatically and saved to your config', but the plugin writes the token to the process environment (process.env) and returns instructions for the user to add it to ~/.openclaw/openclaw.json — it does not itself persist the key to that file.
Install Mechanism
No external download URLs or archive extraction are used. This is an instruction-only skill with included source files (plugin + scripts) and standard npm dev dependencies (tsx, open). No high-risk install mechanism (no arbitrary remote binary downloads) is present in the provided files.
Credentials
Only ZYLA_API_KEY (primaryEnv) and an optional hub URL (ZYLA_HUB_URL / hubUrl config) are used. These are appropriate and necessary for authenticating to the advertised third‑party API hub; no unrelated secrets or system credentials are requested.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It starts a short-lived localhost server for OAuth-style callback (bounded by a 5-minute timeout). It does not modify other skills' configs or system-wide settings; it writes the token only into process.env at runtime and asks the user to add it to ~/.openclaw/openclaw.json for persistence.
Assessment
This skill appears to do what it claims: call Zyla API Hub using a ZYLA_API_KEY. Before installing: (1) Verify you trust zylalabs.com (requests will be sent there and calls are billed per use). (2) Be aware the agent/tool can make arbitrary Zyla API calls using your key — those calls can incur charges; consider least-privilege keys or usage limits if available. (3) The connect flow opens your browser and runs a temporary localhost server to receive a callback token — this is typical for OAuth but ensure you’re comfortable with a local callback. (4) The plugin sets the key in process.env (ephemeral); follow the SKILL.md instructions to persist the key to ~/.openclaw/openclaw.json if you want long-term use. (5) If you’re security-conscious, review the plugin/scripts yourself (they’re included) and only install from a trusted distribution source; check for updates and verify the hub URL before entering or enabling credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97372ptg9wcay7esxet08jh1580tjbc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Primary envZYLA_API_KEY

Comments