ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Business API Recorder

v1.0.0

通过Chrome扩展记录目标系统业务流程的完整API调用,生成详细接口文档和实现方案辅助AI重构。

0· 284·2 current·2 all-time
by@sihan2017

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sihan2017/business-api-recorder.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Business API Recorder" (sihan2017/business-api-recorder) from ClawHub.
Skill page: https://clawhub.ai/sihan2017/business-api-recorder
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install business-api-recorder

ClawHub CLI

Package manager switcher

npx clawhub@latest install business-api-recorder
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, README, SKILL.md, and the included scripts all implement a Chrome-injected network monitor that intercepts fetch and XHR and exports logs. Declared OpenClaw capabilities (browser, write, exec) align with the described workflow. Dependencies and files are proportionate to the task.
Instruction Scope
Instructions explicitly direct the agent to control a browser, inject the provided network-monitor.js, run business flows, and export window.__OPENCLAW_NETWORK_LOG__. This stays within the stated purpose, but SKILL.md also mentions 'explore system security boundaries' which implies active probing—this increases ethical/legal risk and should only be done with authorization. The monitoring script records headers and bodies (including Authorization tokens or PII) which is expected for API recording but sensitive.
Install Mechanism
No install spec; the skill is instruction + local scripts bundled with the package. The included get-monitor.sh simply outputs the monitoring script for injection. There are no external download URLs or archive extraction steps.
Credentials
The skill requests no environment variables or external secrets. It will, however, capture HTTP headers and request/response bodies from the browser context (which can include auth tokens, cookies, passwords, or personal data). Capturing that data is functionally necessary for full API recording but is high-sensitivity — the bundle does not anonymize or redact logs.
Persistence & Privilege
always is false and the skill does not request permanent agent-level privileges or modify other skills/system configs. It relies on browser control capabilities; autonomous invocation is allowed by default but not exceptional here.
Assessment
This skill appears to do exactly what it says: inject a monitoring script into Chrome to capture fetch/XHR and produce API logs and documentation. Before installing or running it, consider the following: 1) Legal/ethical: only run against systems you own or where you have explicit permission—the README even suggests 'explore security boundaries', which could be intrusive. 2) Sensitive data: the script records request/response bodies and headers (including Authorization tokens, cookies, form data, PII). Treat generated logs as highly sensitive, avoid sharing them, and redact tokens/passwords before storing or sending them elsewhere. 3) Trust: the source/homepage is not authoritative; you can inspect the included network-monitor.js (it is readable and does not perform external network exfiltration), but if you plan to use it in production, verify the code and consider adding automatic redaction of Authorization/cookie headers. 4) Operational: the workflow requires enabling a browser extension and OpenClaw gateway/token—ensure those tokens are managed securely. If any of the above is a concern, do not run this skill until you obtain explicit authorization, review and modify the script to redact sensitive fields, or run it in an isolated/test environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk979wbhz0mhnfwvr7yph7fkst582rr2w
284downloads
0stars
1versions
Updated 23h ago
v1.0.0
MIT-0
@sihan2017
latest
Download

Business API Recorder

通过Chrome扩展控制浏览器,打开目标系统网址,分析业务场景并完整记录API调用,为AI重构生成完整实现文档。

作者: 周坚
邮箱: zhoujdev@163.com
版本: 1.0.0
许可证: MIT

适用场景

  • 分析内部办公系统的业务流程
  • 记录业务表单的完整API调用链
  • 为AI重构业务功能获取真实接口数据
  • 生成API接口文档和数据字典
  • 探索系统的安全边界和运行机制

效果预览

完成一次业务分析后,将输出:

  1. API调用日志 - 完整的请求/响应记录(JSON格式)
  2. 完整实现文档 - 按模板生成,包含:
    • 业务流程(主流程 + 分支场景)
    • API接口清单(请求/响应参数)
    • 数据字典(枚举值、树形结构)
    • 业务规则(验证约束)
    • 前端实现要点
    • 错误处理
    • 参考示例
    • 抓包日志样本

这些文档可以直接用于AI重构该业务功能。

Comments

Loading comments...