Zyla API Hub Skill
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: zyla-api-hub-skill
Version: 1.0.7
The skill is designed to integrate OpenClaw with Zyla API Hub, allowing the AI agent to make API calls. It legitimately reads the `ZYLA_API_KEY` from environment variables or plugin configuration and uses it to authenticate requests to `zylalabs.com`. The `/zyla connect` command initiates a standard OAuth flow by opening a browser to `zylalabs.com` and capturing the API key via a temporary `localhost` callback server, which is a common and secure practice for desktop applications. All network requests are directed to the stated `zylalabs.com` domain, and there is no evidence of unauthorized data exfiltration, malicious execution, persistence mechanisms, or harmful prompt injection attempts in SKILL.md. The dependencies (`tsx`, `open`) are appropriate for the stated functionality.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Zyla API key could end up in chat history, logs, or transcripts, where it may be easier to expose or misuse for billed API calls.
After the localhost connect flow captures the API token, the handler returns a chat message containing a config snippet with the raw token.
apiKey: token,
env: { ZYLA_API_KEY: token }
Prefer a flow that stores the key only in OpenClaw's sensitive config store and never prints it in chat; rotate the key if it has already been displayed.
If the agent invokes the tool too freely, it could make unexpected paid calls or use APIs with side effects beyond what the user intended.
The agent tool exposes a broad, raw API caller with arbitrary parameters and mutating HTTP methods, without artifact-shown approval or allow-list controls.
description: "Call any API from the Zyla API Hub marketplace" ... enum: ["GET", "POST", "PUT", "DELETE", "PATCH"] ... additionalProperties: true
Require explicit user confirmation for paid calls and non-GET methods, set quotas/budgets, and consider restricting the tool to approved API IDs or categories.
Information you ask the agent to validate or look up may be transmitted to the API provider.
User-provided API parameters are sent to Zyla API Hub or its upstream APIs, which is expected for this integration but may include emails, locations, or other sensitive inputs.
url += `?${qs}` ... fetchOptions.body = JSON.stringify(args.params) ... const res = await fetch(url, fetchOptions)
Only send data you are comfortable sharing with Zyla and the selected API provider; avoid secrets or unnecessary personal data in API parameters.
