ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

form2api

Automatically intercept and analyze login-required form submissions to generate reusable API docs and call code for automation and bulk operations.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 85 · 0 current installs · 0 all-time installs
by@longway-code
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (form → API reverse engineering) matches the provided artifacts: a JS injector to hook fetch/XHR, a request analyzer, and a cookie extraction script. No unrelated environment variables, binaries, or external services are requested.
Instruction Scope
Runtime instructions are explicit: inject the provided JS into the open page, ask the user to submit once, read window.__capturedRequests, analyze and save results, and extract cookies via CDP. This is functionally consistent with the goal, but the interceptor captures full request/response bodies and headers (including auth tokens) and the SKILL.md does not strongly warn about the sensitivity of that data or restrict capture to same-origin requests.
Install Mechanism
This is instruction-only (no installer), so nothing is written to disk by an installer. Note: the Python cookie extractor requires an external package (websocket-client) but there is no install spec or automated dependency declaration — the script prints an error suggesting pip install if missing.
!
Credentials
Although no environment variables or external credentials are requested, the skill actively extracts session cookies from the browser (via Chrome CDP) and captures headers/bodies that can include sensitive auth tokens. Those credentials are cached in /tmp/form_api_cookies for 1 hour; caching session cookies to a world-accessible tmp location increases risk if run on a multi-user system.
!
Persistence & Privilege
The skill does not set always:true and does not alter global agent config, which is good. However it writes artifacts to /tmp (captured JSON and cookie cache) and leaves an in-page interceptor active until page refresh. The cookie cache persists for up to an hour by design; this is persistent data containing session tokens and should be considered sensitive.
Assessment
This skill appears to do what it claims, but it collects very sensitive data (request bodies, response bodies, headers and session cookies) in order to recreate API calls. Before installing/using: 1) Only run against sites you control or where you have explicit permission; do not use on third-party accounts. 2) Review the three included scripts yourself; they will inject JS into pages and extract cookies via Chrome DevTools Protocol. 3) Be aware cookies are cached under /tmp/form_api_cookies for 1 hour — clear or secure that directory if needed. 4) extract_cookies.py requires Chrome running with --remote-debugging-port=9222 and the websocket-client Python package; the skill does not auto-install that dependency. 5) Prefer running this in an isolated environment (dedicated VM/container) to avoid leaking session tokens to other users/processes. If you need stronger guarantees, request changes: explicit dependency declaration, an option to avoid caching cookies to disk, and a clear warning about what data is captured and where it is stored.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk974dcrhes72ak6ea7ayhr4smn8358wg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Form2API

All you need to do: send me the form URL, then submit the form once manually. I'll handle the rest.

What it does:

  • Injects a network interceptor into the page to capture real API requests on form submission
  • Analyzes the request structure, annotating which fields are user input vs fixed values vs auto-generated
  • Generates complete API documentation with curl and Python examples
  • Enables batch/automated operations without manual form filling

Typical use cases:

  • Internal system forms are tedious — you want to create data in bulk via script
  • You need to automate a workflow but there's no official API documentation
  • You want to understand what APIs a form is actually calling under the hood

How to trigger: Send me the form page URL and say something like "reverse this form" / "find the API for this form" / "I want to automate this form".

Workflow (Agent execution steps)

Step 1: Inject interceptor

After opening the target page, inject the interceptor script via the browser tool's evaluate action:

Read script content from:
<skill_dir>/scripts/inject_interceptor.js

Then execute it via browser(action=act) evaluate to inject into the page.

On success returns { status: 'injected' }. Returns already_active if already injected.

Step 2: Prompt user to submit the form

Tell the user:

"Interceptor is ready. Please fill out and submit the form normally in the browser, then let me know when done."

Step 3: Read captured results

After user submits, run evaluate to read captured requests:

JSON.stringify(window.__capturedRequests)

Save the result to /tmp/form_api_raw.json.

Step 4: Analyze requests

python3 <skill_dir>/scripts/analyze_requests.py /tmp/form_api_raw.json

Outputs a ranked list of candidate API requests. Structured result saved to /tmp/form_api_analysis.json.

Step 5: Extract cookies

COOKIE=$(python3 <skill_dir>/scripts/extract_cookies.py <target_url>)
echo $COOKIE

Cookies are auto-cached in /tmp/form_api_cookies/ for 1 hour. Repeated calls reuse the cache.

Step 6: Generate API documentation

Based on the analysis, using references/output_template.md as reference, generate complete API docs including:

  • Endpoint info (URL, method, content-type)
  • Request parameter table (user input / fixed value / system-generated)
  • Cookie extraction command
  • curl and Python call examples

Scripts

ScriptPurpose
scripts/inject_interceptor.jsInjected into page to hook fetch/XHR
scripts/extract_cookies.pyStandardized cookie extraction with caching
scripts/analyze_requests.pyFilter and annotate captured requests

Notes

  • Browser requirement: The target page must already be open and logged in within the current browser session
  • Interceptor lifecycle: Interceptor is cleared on page refresh — re-inject if needed
  • Multiple submissions: window.__capturedRequests accumulates across submissions; analysis picks the most relevant batch
  • Cookie expiry: If API returns 401/403, re-extract with --force flag
  • Output format reference: references/output_template.md

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…