Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MongoDB Atlas

browse MongoDB Atlas Admin API specifications and execute operations (if credentials provided).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.7k · 1 current installs · 1 all-time installs
by David Wang (@finishy1995)
Security Scan

VirusTotal: Suspicious (View report →)
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the contents: the package includes a full Atlas OpenAPI spec and two Node scripts — one for browsing the spec and one for making API calls. Requiring `node` and Atlas service account credentials (ATLAS_CLIENT_ID, ATLAS_CLIENT_SECRET) is appropriate for this functionality.
Instruction Scope
SKILL.md instructs the agent to run local Node scripts that only read the bundled OpenAPI spec and, when credentials are present, perform live HTTP calls to MongoDB Atlas. The runtime scripts are explicit about when they will modify resources and require interactive approval for POST/PUT/PATCH/DELETE. Note: atlas-call.mjs also reads/writes a local token cache and can use optional env vars (ATLAS_GROUP_ID, ATLAS_API_BASE_URL) not listed as required; these are reasonable but should be noted.
Install Mechanism
No install step or external downloads are used — this is instruction-plus-local-code only. All included files are present in the bundle (large OpenAPI JSON and two scripts). No remote installers, URL downloads, or archives are present.
Credentials
The two required env vars (ATLAS_CLIENT_ID, ATLAS_CLIENT_SECRET) are appropriate for obtaining OAuth tokens via client-credentials flow. The scripts additionally accept optional ATLAS_GROUP_ID and ATLAS_API_BASE_URL (documented in the script) but these were not declared as required — this is low-risk but worth documenting. The skill does not request unrelated credentials.
Persistence & Privilege
The client caches the OAuth access token to disk under ~/.openclaw/.cache/mongodb-atlas/token.json to avoid repeated token requests; it does not persist client secrets. Writing a token cache to the user's home directory is reasonable for an API client but means authentication state persists on disk and should be considered by the user.
Assessment
This skill is coherent with its description: it bundles the Atlas OpenAPI spec and provides Node scripts to browse the spec and (if you provide ATLAS_CLIENT_ID and ATLAS_CLIENT_SECRET) make live API calls. Before installing or using it, consider:

- The tool will perform network calls to your Atlas endpoint and will exchange your service-account credentials for an access token (expected for this purpose). The client secret is used only for the token request and is not stored by the skill.
- A token cache (access_token and expiry) is written to ~/.openclaw/.cache/mongodb-atlas/token.json; if you share the machine, remove that file when finished or run clearCachedToken if needed.
- State-changing HTTP methods (POST/PUT/PATCH/DELETE) require explicit approval in the script, and SKILL.md recommends always using --dry-run first. Do not run with --yes in automation unless you intentionally want destructive actions.

If you trust the source and will only use it as a read-only spec browser, you can omit setting the Atlas credentials. If you plan to run live calls, provide service-account credentials with least privilege (a service account scoped only to the projects/operations you intend to use).
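An added example (not the skill's own code) of the checks a client should make before reusing a cached token like the one the report says is written to ~/.openclaw/.cache/mongodb-atlas/token.json: the record is validated for shape and expiry with a safety margin, a corrupted file is treated as missing, and the file mode is checked so no other local user can read the bearer token. The field names access_token and expires_at (epoch milliseconds) and all helper names are assumptions.

```javascript
// Added example, not the skill's code. Validates a token-cache record before reuse.
// Assumed record shape (hypothetical field names): { access_token: string, expires_at: epoch ms }.
const TOKEN_CACHE_PATH = '~/.openclaw/.cache/mongodb-atlas/token.json'; // path named by the scan report
const EXPIRY_MARGIN_MS = 60 * 1000; // treat tokens as expired a minute early so a request never outlives its token

// Returns 'missing', 'invalid', 'expired' or 'valid'; anything but 'valid' means request a fresh token.
function classifyCachedToken(record, nowMs) {
  if (record === null || typeof record !== 'object') return 'missing';
  if (typeof record.access_token !== 'string' || record.access_token.length === 0) return 'invalid';
  if (!Number.isFinite(record.expires_at)) return 'invalid';
  if (record.expires_at - EXPIRY_MARGIN_MS <= nowMs) return 'expired';
  return 'valid';
}

// Parse the raw file contents defensively: a corrupted cache must be treated like a missing one.
function parseCacheFile(text) {
  try {
    return JSON.parse(text);
  } catch {
    return null;
  }
}

// The cache holds a bearer token, so the file must not be group/world readable (e.g. mode 0600).
function cacheModeIsPrivate(mode) {
  return (mode & 0o077) === 0;
}

// Never log the full token; keep only a short prefix for correlating log lines.
function redactToken(token) {
  return `${token.slice(0, 4)}... (${token.length} chars)`;
}

// Decide what the client should do with what it found at TOKEN_CACHE_PATH:
// 'use' the token, 'refresh' it, or 'clear' the file (clearCachedToken) and re-authenticate.
function cacheDecision(text, mode, nowMs) {
  if (!cacheModeIsPrivate(mode)) return 'clear'; // a readable-by-others cache is already compromised
  const state = classifyCachedToken(parseCacheFile(text), nowMs);
  return state === 'valid' ? 'use' : 'refresh';
}
```

The caller supplies the file text and the mode from fs.statSync(path).mode; keeping those reads outside the pure functions makes the decision logic unit-testable.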


Current version: v1.0.0 (latest: vk97f3gqwzgyhx3p4hgdvywbsmn80z578)


Runtime requirements

Runtime: Clawdis
Bins: node
Env: ATLAS_CLIENT_ID, ATLAS_CLIENT_SECRET

SKILL.md

MongoDB Atlas Admin API

Tool to browse OpenAPI specifications for MongoDB Atlas. Note: If ATLAS_CLIENT_ID and ATLAS_CLIENT_SECRET are configured in the environment, this tool can also execute live API calls. Without credentials, it functions as a read-only documentation browser.

Commands

1. List API Catalog

List all available API categories or filter by keyword.

node {baseDir}/scripts/atlas-api.mjs catalog # list all categories
node {baseDir}/scripts/atlas-api.mjs catalog Clusters

2. Get API Details

Get full endpoint definition (method, path, params) for a specific Operation ID.

node {baseDir}/scripts/atlas-api.mjs detail listClusterDetails

3. Get Schema Definition

Get the data model schema for complex types.

node {baseDir}/scripts/atlas-api.mjs schema "#/components/schemas/ApiError"

4. Execute Live API Calls

Execute real HTTP requests against the Atlas API.

Script: node {baseDir}/scripts/atlas-call.mjs <METHOD> <ENDPOINT> [flags]

⚠️ Mandatory Safety Protocol

For any state-changing operation (POST, PUT, PATCH, DELETE):

  1. STOP & REVIEW: You MUST NOT execute the command immediately.
  2. PREVIEW: Use --dry-run first to verify the payload and endpoint.
  3. CONFIRM: Display the full command and JSON body to the user.
  4. EXECUTE: Only run with --yes after receiving explicit user approval.

Usage Examples

1. Read-Only (Safe)

node {baseDir}/scripts/atlas-call.mjs GET groups/{groupId}/clusters

2. Create/Modify (RISKY - Requires Approval)

node {baseDir}/scripts/atlas-call.mjs POST groups/{groupId}/clusters \
  --data '{"name":"DemoCluster", "providerSettings":{...}}' \
  --dry-run

Options

  • -d, --data <json>: Request body string (ensure proper JSON escaping).
  • -p, --params <json>: Query parameters.
  • --dry-run: Print the request details without executing (Recommended for verification).
  • --yes: Skip interactive confirmation (Use CAREFULLY).
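As an added illustration (not code from the skill itself), the following JavaScript shows how the safety protocol and the flags above can be enforced in code: state-changing methods are classified, --dry-run always yields a preview, POST/PUT/PATCH/DELETE execute only with --yes, path placeholders such as {groupId} are filled from a variable map (standing in for the optional ATLAS_GROUP_ID) and rejected if unresolved, and malformed --data/--params JSON fails before any request is built. Function names are hypothetical.

```javascript
// Added example, not code from the skill. Enforces the SKILL.md safety protocol for
// atlas-call.mjs-style arguments: METHOD ENDPOINT [-d json] [-p json] [--dry-run] [--yes].
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

function parseFlags(argv) {
  const flags = { data: null, params: null, dryRun: false, yes: false };
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (arg === '--dry-run') flags.dryRun = true;
    else if (arg === '--yes') flags.yes = true;
    else if (arg === '-d' || arg === '--data') flags.data = argv[++i];
    else if (arg === '-p' || arg === '--params') flags.params = argv[++i];
    else throw new Error(`unknown flag: ${arg}`);
  }
  return flags;
}

// --data / --params are JSON strings from the shell; a quoting mistake must fail here, not at Atlas.
function parseJsonFlag(name, raw) {
  if (raw === null || raw === undefined) return null;
  try {
    return JSON.parse(raw);
  } catch (e) {
    throw new Error(`${name} is not valid JSON: ${e.message}`);
  }
}

// Fill {groupId}-style placeholders from a map (e.g. groupId from ATLAS_GROUP_ID); never send them literally.
function resolveEndpoint(endpoint, vars) {
  return endpoint.replace(/\{(\w+)\}/g, (_, name) => {
    if (!(name in vars)) throw new Error(`unresolved path parameter {${name}}`);
    return encodeURIComponent(vars[name]);
  });
}

// Returns { action, plan }: 'preview' (dry run), 'execute', or 'needs-approval'
// (state-changing call without --yes: display the plan and ask the user first).
function gateRequest(method, endpoint, argv, vars = {}) {
  const upper = method.toUpperCase();
  const flags = parseFlags(argv);
  const plan = {
    method: upper,
    endpoint: resolveEndpoint(endpoint, vars),
    body: parseJsonFlag('--data', flags.data),
    params: parseJsonFlag('--params', flags.params),
  };
  if (flags.dryRun) return { action: 'preview', plan }; // dry run wins even when --yes is present
  if (!STATE_CHANGING.has(upper) || flags.yes) return { action: 'execute', plan };
  return { action: 'needs-approval', plan };
}
```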

Environment

Requires ATLAS_CLIENT_ID and ATLAS_CLIENT_SECRET to be set.

Core Categories

(Use the catalog command to see the full list of 50+ categories)

  • Clusters / Cloud Backups
  • Projects / Organizations
  • Database Users / Custom Database Roles
  • Alerts / Alert Configurations
  • Monitoring and Logs / Events
  • Network Peering / Private Endpoint Services
  • Serverless Instances
  • Access Tracking / Auditing

Files

4 total