Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Freeapi

Connect directly to any API using its OpenAPI spec with local API key storage, ensuring private, middleware-free requests from your machine.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 315 · 0 current installs · 0 all-time installs
by splicer scorn @numbpill3d
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (direct OpenAPI client with local key storage) align with the included code (index.js) and SKILL.md: it loads specs, builds requests, and uses env vars for auth. There are no unrelated required binaries or external services declared. However, the skill lists many common services and implicitly encourages collecting many keys; while consistent, this breadth is larger than minimal.
!
Instruction Scope
SKILL.md explicitly instructs the agent to ask the user for API keys and to use a write/edit tool to append them to a local .env file. That is within the claimed feature set, but it expands the agent's runtime actions to collecting and permanently storing arbitrary credentials in plaintext. The instructions also give the agent discretion to prompt for missing keys automatically — which could lead to unnecessary key collection if not tightly constrained.
Install Mechanism
No install spec; this is an instruction + code skill. package.json and dependencies are typical (commander, dotenv, inquirer, yaml). Nothing in the install surface downloads code from untrusted URLs or writes unexpected binaries.
!
Credentials
The skill declares no required env vars but the code will read process.env (after dotenv.config()) and uses a heuristic to map OpenAPI security scheme names to environment variable names. It also ships a long SERVICES list and will prompt to store many different service keys in .env. Collecting multiple unrelated credentials and storing them in plaintext is disproportionate and increases exposure. The skill does not declare a primary credential or justify why all listed services might be needed.
Persistence & Privilege
always is false and the skill does not request persistent platform-level privileges or modify other skills. It will write to a local .env file (its expected operation) but does not attempt to change global agent configuration.
What to consider before installing
This skill does what it claims — it runs locally, fetches OpenAPI specs, and will use API keys from your environment or save keys you provide into a .env file — but that same behavior can be risky. Before installing or using it: (1) avoid pasting highly privileged or long-lived master credentials; prefer scoped/least-privilege tokens. (2) Be aware keys are stored in plaintext .env in the working directory — consider using an encrypted secrets manager instead. (3) Only point the tool at OpenAPI specs you trust: the skill will make requests to servers listed in the spec and could contact attacker-controlled endpoints. (4) If you must try it, run in an isolated environment (throwaway workspace or container) and inspect the created .env file. If you want lower risk, request a version that uses a secure secret store or that prompts the user to set env vars manually rather than auto-appending to .env.
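A pre-flight check for point (3), added here as an example and not part of the skill or the scan report: it lists every server an OpenAPI 3 spec can direct requests to and flags any that are not HTTPS or not on an allowlist. `ALLOWED_HOSTS`, `SAMPLE_SPEC` and the function names are constructed for illustration; Swagger 2.0 `host`/`schemes` fields are not handled.

```javascript
// Added example. ALLOWED_HOSTS, SAMPLE_SPEC and all function names are constructed.
const ALLOWED_HOSTS = new Set(["api.example.com"]);
const METHODS = ["get", "put", "post", "delete", "options", "head", "patch", "trace"];
const SAMPLE_SPEC = {
  openapi: "3.0.3",
  servers: [{ url: "/v1" }], // relative: resolves against the spec's own URL
  paths: {
    "/upload": { servers: [{ url: "http://api.example.com" }], get: {} },
    "/payments": { post: { servers: [{
      url: "https://{env}.collector.example.net",
      variables: { env: { default: "prod" } } }] } },
  },
};

// servers[] may appear at root, path-item and operation level; lower levels
// override the root list, so a root-only check misses them.
function collectServers(spec) {
  const found = [];
  const add = (where, list) => (list || []).forEach((server) => found.push({ where, server }));
  add("root", spec.servers);
  for (const [path, item] of Object.entries(spec.paths || {})) {
    add(`paths.${path}`, item.servers);
    for (const m of METHODS) if (item[m]) add(`paths.${path}.${m}`, item[m].servers);
  }
  return found;
}

// Fill {variables} with their declared defaults, then resolve against specUrl.
function resolveServerUrl(server, specUrl) {
  const vars = server.variables || {};
  const filled = String(server.url).replace(/\{([^}]+)\}/g, (_, name) => {
    if (!vars[name] || vars[name].default === undefined) throw new Error("no default: " + name);
    return String(vars[name].default);
  });
  return new URL(filled, specUrl);
}

function auditSpecServers(spec, specUrl) {
  const findings = [];
  for (const { where, server } of collectServers(spec)) {
    let url;
    try { url = resolveServerUrl(server, specUrl); }
    catch (err) { findings.push({ where, url: server.url, reason: "unresolvable" }); continue; }
    if (url.protocol !== "https:") findings.push({ where, url: url.href, reason: "not https" });
    else if (!ALLOWED_HOSTS.has(url.hostname)) findings.push({ where, url: url.href, reason: "host not allowlisted" });
  }
  return findings;
}
```

An empty result means only that the declared servers pass the allowlist; the default value of a server variable is what gets checked, so other `enum` values still need a manual look.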

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk97b1c7vmnhj95kfgr4snjgthx81yzsh


SKILL.md

freeAPI: The Sovereign Client

freeAPI is a direct execution engine for OpenClaw. It bypasses middleware, gateways, and data harvesters. With freeAPI, your agent connects directly from localhost to any API using its official OpenAPI/Swagger specification.

Philosophy

  • Sovereign: You own the connection. No third-party server mediates your requests.
  • Private: API keys stay in your local .env file. They are never sent to a gateway.
  • Spec-Driven: Just provide an OpenAPI spec URL or file. freeAPI figures out the rest.

Agent Usage (Natural Language)

Agents should integrate freeAPI seamlessly into the conversation.

1. Onboarding (The "Integral" Method)

Do not ask users to run raw CLI commands unless they prefer it. Instead, guide them conversationally:

  1. Ask: "Which service do you want to connect? (e.g., GitHub, Stripe, OpenAI)"
  2. Prompt: "Please provide your API key for [Service]. I will save it securely to your local .env file."
  3. Action: Use the write or edit tool to append the key to .env.
    • Format: SERVICE_NAME_KEY=value (e.g., GITHUB_TOKEN=ghp_...)
  4. Confirm: "Key saved. You can now use freeAPI with [Service]."

2. Execution

When a user asks to perform an action (e.g., "Check my GitHub issues"):

  1. Locate Spec: Find the OpenAPI spec URL (e.g., https://api.github.com/openapi/v3).
  2. Check Keys: Verify the key exists in .env. If not, trigger the Onboarding flow above.
  3. Run: Use node skills/freeAPI/index.js run with the spec and parameters.

Example Agent Thought Process:

User wants to list Stripe payments. I need the Stripe OpenAPI spec. I'll check .env for STRIPE_SECRET_KEY. It's missing. I will ask the user for it now, then save it, then run the listPayments operation.

User Guide (CLI Fallback)

For power users who prefer the terminal, the CLI is available.

  • Setup: node skills/freeAPI/index.js setup (Interactive checklist)
  • Run: node skills/freeAPI/index.js run ...

Why Not Middleware?

Middleware services introduce latency, dependency, and privacy risks. freeAPI eliminates these by running entirely on your machine.

Files

4 total