Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
API Doc Generator
v1.0.0
Automatically generate OpenAPI/Swagger API documentation by analyzing function signatures and extracting parameter and return types from Python, JavaScript,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (generate OpenAPI/Swagger from code) matches the skill's name and instructions, and the skill requests no unrelated credentials or system access. However the embedded implementation is highly simplistic (a single regex) and does not substantiate the claimed multi-language, type-aware support; helper functions (e.g., extractParams) are referenced but not provided. The capability is therefore overclaimed compared to what is shown.
Instruction Scope
SKILL.md is narrowly scoped to generating OpenAPI output and does not instruct the agent to read unrelated files, access environment variables, or transmit data externally. But the runtime guidance is minimal and vague about how code is supplied, how complex types or DTOs are handled, and how return types are inferred — giving the skill wide interpretive latitude that could produce incorrect results.
Install Mechanism
There is no install spec and no code files to be written to disk; this is an instruction-only skill, which reduces installation risk.
Credentials
The skill declares no required environment variables, credentials, or config paths — proportional for a documentation generator. Nothing asks for unrelated secrets or system credentials.
Persistence & Privilege
The skill is not marked always:true and does not request persistent/system-wide changes. It is user-invocable and can be invoked autonomously (platform default), which is expected for skills.
What to consider before installing
This skill is plausible but under-specified. The embedded implementation is a tiny JavaScript snippet that uses a crude regex and references undefined helpers (so it cannot actually handle the multi-language, type-aware extraction the description promises). Before installing or using it: (1) don't assume accuracy — test the skill on non-sensitive sample code and manually review generated OpenAPI output; (2) ask the publisher for the full implementation or source code and for details on how it handles complex types, annotations, and language-specific idioms; (3) avoid submitting confidential code to the skill until you confirm where parsing/execution happens (locally vs. external); and (4) prefer a skill that documents its parsing strategy, limitations, and test coverage. If you want a ready-to-use tool, consider well-known, open-source generators with visible implementations rather than this minimal, overpromising instruction-only skill.
Like a lobster shell, security has layers — review code before you run it.
