Api Tmp
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: api-tmp
Version: 1.0.0
The 'api-tmp' skill bundle is a comprehensive, documentation-only reference for 147 REST APIs across various categories like AI, payments, and CRM. It provides authentication patterns, endpoint examples (primarily using curl), and detailed guides on common integration pitfalls (e.g., 'auth.md', 'webhooks.md', and 'resilience.md'). The instructions in 'SKILL.md' explicitly state that the skill is for documentation purposes only and that users are responsible for managing their own credentials and executing commands. No malicious code, data exfiltration patterns, or harmful prompt injections were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Copying examples without review could send messages, emails, create records, update accounts, or incur provider charges.
The skill documents curl commands that would perform real external actions if run with valid credentials. This is purpose-aligned API reference material, and SKILL.md frames it as documentation, but users should not run mutating examples casually.
curl -X POST "https://api.twilio.com/2010-04-01/Accounts/$TWILIO_SID/Messages.json" ... -d "To=+15559876543" ... -d "Body=Hello from Twilio!"
Use sandbox/test credentials where possible, review every POST/PUT/PATCH/DELETE request, and require explicit user approval before running any command that changes an account or contacts other people.
If real secrets are inserted, commands authenticate to the user's third-party accounts and may have whatever privileges those keys grant.
The documentation shows how to use service credentials and secrets. This is expected for an API reference and the examples use environment-variable placeholders rather than hardcoded keys.
-H "Authorization: Bearer $CLERK_SECRET_KEY"
Use least-privilege API keys, prefer test environments, avoid pasting secrets into shared contexts, and rotate any credential accidentally exposed.
Users may have less certainty that the package identity, version, and publisher match what they intended to install.
The included SKILL.md identifies a different slug/version than the evaluated registry entry, which lists `api-tmp` version `1.0.0`, and the source is unknown. Because this is instruction-only with no code or install script, this is a provenance note rather than evidence of malicious behavior.
slug: api
version: 1.3.4
homepage: https://clawic.com/skills/api
Verify the publisher, homepage, slug, and version before relying on the skill, especially before using examples with production credentials.
