OpenAPI to CLI
v1.0.0
Generate CLI tools from OpenAPI specs. Built for AI agents who hate writing curl commands.
by Aaron Levin (@awlevin)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name and SKILL.md describe generating CLIs from OpenAPI specs and show using a 'uvx openapi2cli generate' command — that aligns with requiring a 'uvx' binary. However the install metadata asks to install a pip package named 'uv', while the SKILL.md links to a PyPI/GitHub project called 'openapi2cli'. The package name mismatch is unexpected and unexplained.
Instruction Scope
Instructions are focused on running 'uvx openapi2cli generate' against local files or remote OpenAPI URLs and using generated CLIs with env/flag-based auth. The SKILL.md does not instruct reading unrelated system files or secrets beyond user-provided API keys. It does require network fetches of specs (expected for this purpose).
Install Mechanism
Install uses pip to install a package named 'uv' which will create a 'uvx' binary. This is moderate-risk (pip packages run arbitrary code at install time). More importantly, the 'uv' package name does not match the referenced project ('openapi2cli') or the GitHub/PyPI links in SKILL.md, which suggests either a typo, a misconfiguration, or a potential typosquat/supply-chain vector. No direct download URLs are used, which is better than arbitrary archives, but the package name ambiguity is problematic.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md shows how a generated CLI could accept API keys via env vars or flags, which is reasonable and not a mismatch. The skill does not request unrelated credentials or paths.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide settings. Normal autonomous invocation is allowed (default). No additional persistence or elevated privileges are requested.
What to consider before installing
This skill's behavior (using 'uvx' to generate CLIs from OpenAPI specs) is coherent with its description, but the install spec is inconsistent: it asks to pip-install a package named 'uv' while the README/links reference 'openapi2cli' on PyPI/GitHub. Before installing, verify the correct package name and origin: search PyPI for 'openapi2cli' and for 'uv' and inspect the package owner/release files. If you cannot confirm that the 'uv' package is the official provider of the 'uvx' tool linked in the repo, treat this as a potential typo-squatting or supply-chain risk. Prefer to: (1) install only from the confirmed project (e.g., pip install openapi2cli if that's the project), (2) review the package source code or repository and release artifacts, (3) run installation in an isolated environment (container/VM) to limit impact, or (4) decline installation until the publisher clarifies the package mapping.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔧 Clawdis
Bins: uvx
