Zyla API Hub Skill

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill mostly matches its API-hub purpose, but it gives the agent broad paid API-calling power and can expose the Zyla API key in chat.

Install only if you are comfortable letting the agent make Zyla API calls that may be billed per use. Use a dedicated Zyla key, monitor quota and billing, keep the default Zyla hub URL unless you intentionally change it, avoid sending sensitive personal data unless needed, and require explicit confirmation for paid or non-GET API calls.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Zyla API key could end up in chat history, logs, or transcripts, where it may be easier to expose or misuse for billed API calls.

Why it was flagged

After the localhost connect flow captures the API token, the handler returns a chat message containing a config snippet with the raw token.

Skill content

    apiKey: token,
    env: { ZYLA_API_KEY: token }

Recommendation

Prefer a flow that stores the key only in OpenClaw's sensitive config store and never prints it in chat; rotate the key if it has already been displayed.

What this means

If the agent invokes the tool too freely, it could make unexpected paid calls or use APIs with side effects beyond what the user intended.

Why it was flagged

The agent tool exposes a broad, raw API caller that accepts arbitrary parameters and mutating HTTP methods, and the reviewed artifacts show no approval or allow-list controls.

Skill content

    description: "Call any API from the Zyla API Hub marketplace" ... enum: ["GET", "POST", "PUT", "DELETE", "PATCH"] ... additionalProperties: true

Recommendation

Require explicit user confirmation for paid calls and non-GET methods, set quotas/budgets, and consider restricting the tool to approved API IDs or categories.

What this means

Information you ask the agent to validate or look up may be transmitted to the API provider.

Why it was flagged

User-provided API parameters are sent to Zyla API Hub or its upstream APIs, which is expected for this integration but may include emails, locations, or other sensitive inputs.

Skill content

    url += `?${qs}` ... fetchOptions.body = JSON.stringify(args.params) ... const res = await fetch(url, fetchOptions)

Recommendation

Only send data you are comfortable sharing with Zyla and the selected API provider; avoid secrets or unnecessary personal data in API parameters.