Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Neckr0ik Api Wrapper

v1.0.0

Convert any REST API into an OpenClaw skill automatically. Generates SKILL.md, scripts, and claw.json from OpenAPI spec or URL. Use when you want to quickly...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (generate OpenClaw skills from OpenAPI) align with the included generator.py and SKILL.md. The code reads OpenAPI specs (local or remote), parses auth info and endpoints, and writes SKILL.md, claw.json, and scripts — exactly the stated capability.
Instruction Scope
SKILL.md instructs CLI usage (neckr0ik-api-wrapper generate/validate/test). The repository includes a generator.py script (no explicit CLI installer); this is a minor mismatch (docs imply a packaged CLI). The runtime instructions focus on fetching/parsing OpenAPI specs and generating files and do not instruct reading unrelated system files or exfiltrating secrets. Generated skills will rely on user-supplied API credentials to test/call endpoints — expected for the purpose.
Install Mechanism
No install spec; this is an instruction-only skill with an included Python script. Nothing is downloaded or extracted at install time. Generator fetches user-specified OpenAPI URLs at runtime (expected). No external install URLs or archive extraction are present.
Credentials
The skill declares no required environment variables or credentials. The generator inspects API security schemes and generates guidance to configure API keys / bearer tokens for the generated skill — appropriate for a wrapper generator. It does not request unrelated service credentials.
Persistence & Privilege
always:false (default) and autonomous invocation not disabled — normal for user-invocable skills. The generator writes files into the chosen output directory (expected behavior) and does not claim system-wide or other-skills configuration privileges.
Assessment
This tool looks coherent for its purpose, but review a few things before using:
1) SKILL.md refers to a CLI name (neckr0ik-api-wrapper) while the bundle contains generator.py, so you may need to run the script with Python rather than a preinstalled CLI.
2) Generated skills will require you to supply API credentials (API keys, bearer tokens, OAuth). Never paste sensitive credentials without reviewing the generated code and intended endpoints first.
3) The generator will fetch whatever OpenAPI URL you provide and may make test calls to the target API, so only point it at trusted endpoints.
4) Inspect the generated SKILL.md and scripts (especially any generated client code) before running them to ensure they don’t overwrite local files you care about.
If you want higher confidence, provide the rest of generator.py (it was truncated) so it can be fully reviewed for hidden network calls or unexpected behavior.

Like a lobster shell, security has layers — review code before you run it.
