Api Endpoint Discovery
Pass
Audited by ClawScan on May 10, 2026.
Overview
The visible artifacts match a disclosed API endpoint scanner, but it can actively probe websites and has licensing/provenance details users should verify.
Only run this scanner on APIs you own or are authorized to test. Before installing, review the full endpoint_discovery.py source, confirm the install path, and verify EdgeIQ pricing/licensing terms if you plan to use paid features.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running it against a site you do not own or have permission to test could violate terms of service or laws, and active probing may generate noticeable traffic.
The skill is designed to send discovery and brute-force probes to a user-supplied target. This is disclosed and purpose-aligned, but it can create legal or operational risk if used on unauthorized systems.
active techniques (path brute-forcing, parameter enumeration)... Only audit domains you own or have explicit written authorization to scan.
Use it only for domains where you have explicit authorization, and keep thread counts and wordlists appropriate for the target.
The skill may read local licensing information or an email address if you set those values, even though the registry metadata does not declare them.
The registry metadata says there are no required credentials or environment variables, but the code reads a local license key file and EDGEIQ email/license environment variables for paid-feature checks.
LICENSE_FILE = Path.home() / ".edgeiq" / "license.key"... env_key = os.environ.get("EDGEIQ_LICENSE_KEY", "").strip()... email = os.environ.get("EDGEIQ_EMAIL", "").strip().lower()
Review what you place in ~/.edgeiq/license.key and EDGEIQ_* environment variables; do not store unrelated secrets there.
Installation may fail or may copy whatever happens to exist at that local path if a user adapts it without checking.
The install instruction copies from a hard-coded local developer-style path rather than a reproducible package source. This is not malicious by itself, but users should verify what directory they are installing from.
cp -r /home/guy/.openclaw/workspace/apps/api-endpoint-discovery ~/.openclaw/skills/api-endpoint-discovery
Install only from a trusted, reviewed copy of the skill and confirm the source directory before copying files into ~/.openclaw/skills.
The visible portions look aligned with the stated purpose, but unshown code could not be reviewed here.
The largest implementation file is not fully visible in the supplied artifact, so this review cannot fully verify all runtime behavior from the provided source text.
"truncated": true
Review the complete endpoint_discovery.py file before installing or running the skill.
A user may be confused about which payment link or price applies before upgrading.
The in-code upgrade message shows different pricing from the SKILL.md description, which advertises Lifetime $39 and Optional Monthly $7. The purchase flow is manual, but pricing terms are inconsistent.
Pro ($9/mo): https://buy.stripe.com/28EbJ3gKv7hb3jS2cg7wA03... Bundle ($39/mo): https://buy.stripe.com/aFabJ3am79pjg6E18c7wA02
Verify pricing and licensing terms with the publisher before paying for Pro, Bundle, or Lifetime access.
