Skill v1.0.0
ClawScan security
Neckr0ik Api Wrapper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 6, 2026, 9:59 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (generate OpenClaw API wrapper skills from OpenAPI specs); minor inconsistencies in documentation vs. included files merit review but there is no clear indication of malicious behavior.
- Guidance: This tool looks coherent for its purpose, but review a few things before using:
  1) SKILL.md refers to a CLI name (neckr0ik-api-wrapper) while the bundle contains generator.py — you may need to run the script with Python rather than a preinstalled CLI.
  2) Generated skills will require you to supply API credentials (API keys, bearer tokens, OAuth) — never paste sensitive credentials without reviewing the generated code and intended endpoints first.
  3) The generator will fetch whatever OpenAPI URL you provide and may make test calls to the target API — only point it at trusted endpoints.
  4) Inspect the generated SKILL.md and scripts (especially any generated client code) before running them to ensure they don’t overwrite local files you care about.

  If you want higher confidence, provide the rest of generator.py (it was truncated) so it can be fully reviewed for hidden network calls or unexpected behavior.
Review Dimensions
- Purpose & Capability (ok): The name/description (generate OpenClaw skills from OpenAPI) align with the included generator.py and SKILL.md. The code reads OpenAPI specs (local or remote), parses auth info and endpoints, and writes SKILL.md, claw.json, and scripts — exactly the stated capability.
- Instruction Scope (note): SKILL.md instructs CLI usage (neckr0ik-api-wrapper generate/validate/test). The repository includes a generator.py script (no explicit CLI installer); this is a minor mismatch (docs imply a packaged CLI). The runtime instructions focus on fetching/parsing OpenAPI specs and generating files and do not instruct reading unrelated system files or exfiltrating secrets. Generated skills will rely on user-supplied API credentials to test/call endpoints — expected for the purpose.
- Install Mechanism (ok): No install spec; this is an instruction-only skill with an included Python script. Nothing is downloaded or extracted at install time. Generator fetches user-specified OpenAPI URLs at runtime (expected). No external install URLs or archive extraction are present.
- Credentials (ok): The skill declares no required environment variables or credentials. The generator inspects API security schemes and generates guidance to configure API keys / bearer tokens for the generated skill — appropriate for a wrapper generator. It does not request unrelated service credentials.
- Persistence & Privilege (ok): always:false (default) and autonomous invocation not disabled — normal for user-invocable skills. The generator writes files into the chosen output directory (expected behavior) and does not claim system-wide or other-skills configuration privileges.
