Skillv1.0.1

ClawScan security

api2cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 14, 2026, 4:02 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (generate/discover CLIs for REST APIs) matches its instructions, but the runtime guidance asks the agent to run networked installers, clone and build arbitrary repos, manipulate token files, and auto-link into other agents — behaviors that are plausible for this tool but carry non-trivial risk and surprising scope.
Guidance: This skill appears to do what it says (create, install, link, and publish CLIs), but its runtime instructions run high-impact shell commands, download and execute remote installers (bun.sh), clone and build third-party repos, manage token files, and symlink into other agent directories. Before using it: 1) Do not let any agent run the suggested curl | bash installer without first reviewing the script (prefer manual install from a verified source). 2) Require explicit human consent for cloning/building unknown GitHub repos and for any 'npm publish' or 'gh repo create' steps. 3) Inspect ~/.config/tokens/* and ~/.cli/* before and after running commands; back up any secrets. 4) If you want to limit blast radius, run the workflow in a disposable environment or container and avoid automatic 'tokens --show' or auto-detection features. 5) When publishing, follow interactive flows yourself (the docs say the agent should stop and wait for auth); never give the agent unattended access to your GitHub/npm/ClawHub credentials. If you want broader assurance, ask the author for a signed release or a repository you can inspect locally before building.
Findings: [NO_SCAN_FINDINGS] expected: The package is instruction-only; the regex-based scanner had no code files to analyze. This absence of findings is expected but does not imply safety — the SKILL.md itself contains runtime commands that perform network, shell, and filesystem actions.

Review Dimensions

Purpose & Capability: noteThe name/description (api2cli) aligns with what the SKILL.md instructs: scaffold a CLI from an API, bundle/link it, and publish it. The declared capabilities (search, create, bundle, link, publish) are coherent with the files and references provided.
Instruction Scope: concernThe instructions tell the agent to run networked installers (curl -fsSL https://bun.sh/install | bash), clone arbitrary GitHub repos, build/link code, read and write package.json and token files, and symlink SKILL.md into other agent directories (~/.openclaw, ~/.claude, ~/.cursor). They also reference 'API key auto-detection' and commands that list and reveal tokens (tokens --show). These actions go beyond simple 'generate a scaffold' and involve filesystem scanning, credential handling, and executing third-party code — all of which are plausible for the tool but are high-impact operations that an end user should explicitly approve and review step-by-step.
Install Mechanism: concernThere is no formal install spec included (instruction-only), but the README explicitly recommends running a remote install script (bun.sh) via curl|bash. That pattern (downloading and piping a shell script to bash) is a common convenience but high risk because it executes remote code. The skill also advises running npm install/publish and running build steps that execute code from cloned repositories.
Credentials: noteThe skill declares no required env vars or credentials, which matches the registry metadata. However, the instructions assume and instruct the agent to interact with credentialed tooling (gh, npm, clawhub, sundial-hub) and to manage token files at ~/.config/tokens/<app>-cli.txt. That behavior is reasonable for a CLI publisher, but token discovery and the ability to reveal tokens via commands (tokens --show) are sensitive and should be handled explicitly by the user.
Persistence & Privilege: concernalways:false (good). Nonetheless, the workflow instructs creating persistent artifacts and symlinks into other agents' skill directories (e.g., ~/.openclaw/workspace/skills/), and performing git repo creation/push and npm publish flows. Writing into other agent directories and symlinking is coherent for integration, but it modifies other agents' state and could be surprising if done without explicit, local user approval.