magic-api-generate
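magic-api is a Chinese-developed framework for rapid API development. Scripts written in a Web UI are automatically mapped to HTTP endpoints, with no Controller/Service/Dao required. This skill is triggered when the user mentions magic-api, rapid API development, low-code APIs, dynamic API generation, or magic-script. Suitable for Spring Boot integration, database operations, ...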
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 1 · 174 · 2 current installs · 2 all-time installs
by Andy @webx32
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description describe a low-code/dynamic HTTP interface generator for Java/Spring; the SKILL.md and reference files provide examples, configuration, and scripts that match that purpose. Nothing in the package asks for unrelated credentials, binaries, or system paths that don't belong to such a framework.
Instruction Scope
The instructions and examples legitimately include database access, file upload/save to disk, HTTP outbound calls, cache usage, and importing Java classes (e.g., java.security.MessageDigest, cn.hutool.http.HttpUtil). These are expected for a script-driven framework but mean scripts can perform arbitrary local I/O, DB modifications, and network calls. The SKILL.md does not instruct the agent to read unrelated system files or exfiltrate secrets, but the framework's script APIs provide the ability to do so if misused—recommend reviewing any scripts before enabling and restricting the Web UI.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute during install. This minimizes installer risk; nothing is downloaded or written by an install step.
Credentials
The skill declares no required environment variables, credentials, or config paths. Example content references typical application configuration (spring.datasource in application.yml) which is expected for a framework that interacts with databases; no unrelated secrets are being requested by the skill itself.
Persistence & Privilege
always is false and the skill is user-invocable/autonomously callable by default (normal). The skill does not request persistent installation or modification of other skills or global agent settings.
Assessment
This skill is documentation/instructions for the magic-api framework and appears coherent with that purpose. Before using it in a real project: (1) Restrict or disable the framework's Web UI in production (the docs even advise this). (2) Review and audit any scripts you store or accept from others — the scripting API can run Java code, access files, databases, and outbound HTTP which could be abused to leak data or modify your system. (3) Use secure practices the docs mention but sometimes show insecure defaults—do not use MD5 for passwords (use bcrypt/Argon2), validate and sanitize file uploads and inputs, and use parameterized queries. (4) Protect database credentials and cache/backing stores used by magic-api. If you plan to allow others to author scripts, run them in a restricted/sandboxed environment and perform code review before enabling endpoints.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
SKILL.md
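magic-api Skill
magic-api is a Java-based framework for rapid API development. Scripts written in its Web UI are automatically exposed as HTTP endpoints, with no need to define Java objects such as Controller, Service, Dao, Mapper, XML, or VO.
Quick Start
Maven dependency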
```xml
<dependency>
    <groupId>org.ssssssss</groupId>
    <artifactId>magic-api-spring-boot-starter</artifactId>
    <version>2.2.2</version>
</dependency>
```
application.yml configuration
```yaml
server:
  port: 9999
magic-api:
  web: /magic/web # Web UI entry point
  resource:
    location: /data/magic-api # script storage location (can be changed to classpath: for read-only mode)
```
Accessing the Web UI
http://localhost:9999/magic/web
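Core Concepts
Built-in objects
| Object | Description | Example |
|---|---|---|
| request | HTTP request parameters | request.name |
| path | URL path parameters | path.id |
| body | Request body JSON | body.name |
| db | Database operations | db.select() |
| log | Log output | log.info() |
| cache | Cache operations | cache.set() |
| response | HTTP response | response.setHeader() |
Script syntax
magic-api uses the magic-script scripting language, whose syntax resembles JavaScript: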
```
// Variable definitions
var name = request.name;
var id = path.id;
// Conditionals
if (name) {
    log.info("用户名: " + name); // logs "username: <name>"
}
// Return a result
return {code: 200, data: list};
```
Database Operations
Queries
```
// Query a list
var list = db.select("select * from user");
// Query with parameters
var list = db.select("select * from user where status = ?", 1);
// Query a single row
var user = db.selectOne("select * from user where id = ?", id);
// Query a single value
var count = db.selectValue("select count(*) from user");
// Paged query
var page = db.page("select * from user", 1, 10);
// Returns: {list: [...], total: 100, pageSize: 10, pageNumber: 1}
```
Insert, update, delete
```
// Insert (returns the number of affected rows)
var affected = db.insert("user", {name: "张三", age: 25});
// Insert and return the auto-increment ID
var id = db.insert("user", {name: "张三"}, true);
// Update
var affected = db.update("user", {name: "李四"}, "id = ?", 1);
// Delete
var affected = db.delete("user", "id = ?", 1);
```
Transactions
```
// order, stock and productId are assumed to be defined earlier in the script
db.transaction(() => {
    var orderId = db.insert("orders", order, true);
    db.update("product", {stock: stock - 1}, "id = ?", productId);
});
```
HTTP Endpoint Configuration
Request method mapping
| Method | Purpose | Example path |
|---|---|---|
| GET | Query | /api/user/:id |
| POST | Create | /api/user |
| PUT | Update | /api/user/:id |
| DELETE | Delete | /api/user/:id |
Reading parameters
```
// URL path parameter: /api/user/:id
var id = path.id;
// Query parameter: /api/user?name=xxx
var name = request.name;
// Request body JSON
var body = request.body;
var username = body.username;
// Request header
var token = request.header("Authorization");
```
Common Patterns
RESTful CRUD
```
// GET /api/user/:id - fetch one
var user = db.selectOne("select * from user where id = ?", path.id);
return user ? {code: 200, data: user} : {code: 404, msg: "用户不存在"}; // msg: "user does not exist"

// GET /api/user - fetch list
return {code: 200, data: db.select("select * from user")};

// POST /api/user - create
var id = db.insert("user", body, true);
return {code: 200, data: {id: id}, msg: "创建成功"}; // msg: "created"

// PUT /api/user/:id - update
db.update("user", body, "id = ?", path.id);
return {code: 200, msg: "更新成功"}; // msg: "updated"

// DELETE /api/user/:id - delete
db.delete("user", "id = ?", path.id);
return {code: 200, msg: "删除成功"}; // msg: "deleted"
```
Conditional queries
```
// Build the WHERE clause dynamically; user input only ever goes into params, never into the SQL text
var sql = "select * from user where 1=1";
var params = [];
if (request.name) {
    sql += " and name like ?";
    params.push("%" + request.name + "%");
}
if (request.status) {
    sql += " and status = ?";
    params.push(request.status);
}
return db.select(sql, ...params);
```
Login and authentication
```
// Login
var user = db.selectOne("select * from user where username = ?", body.username);
if (!user || user.password != body.password) {
    return {code: 401, msg: "用户名或密码错误"}; // msg: "wrong username or password"
}
var token = "token_" + user.id + "_" + Date.now();
cache.set("token:" + token, user.id, 86400);
return {code: 200, data: {token: token, user: user}};

// Authentication check (place at the top of endpoints that require login)
var token = request.header("Authorization");
var userId = cache.get("token:" + token);
if (!userId) return {code: 401, msg: "请先登录"}; // msg: "please log in first"
```
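Advanced Features
See the reference documentation:
Notes
- Security - disable the Web UI in production, or restrict access to it by IP
- Version control - keeping the script directory under Git is recommended
- Password hashing - use MD5/BCrypt; do not store passwords in plaintext
- SQL injection - use parameterized queries with `?` placeholders
- Performance - split complex logic across multiple endpoints and avoid overly long single scripts
Official Resources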
