ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Public APIs Skill Creator

公共API/免费API SKILL生成器:从 public-apis/public-apis 自动检索免费 API,按功能推荐并给出最小可用调用示例(curl/Python/JS),并可自动生成自定义名称的 API skill。用户提到“公共API”“免费API”“public APIs”“找接口/找API”“生...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 525 · 0 current installs · 0 all-time installs
by@547895019
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (discover public/free APIs from public-apis and generate examples/skill skeletons) matches the included scripts: listing/searching the public-apis README, generating curl/Python/JS examples, and creating a skill skeleton. No unrelated credentials or external tooling are requested.
!
Instruction Scope
The runtime instructions and scripts stay within the declared purpose but include steps that probe arbitrary discovered URLs (solve_task.sh --try uses curl to fetch the chosen URL and prints the first 500 bytes). That network probing can be used to contact internal/metadata endpoints if a URL points there. The scripts also create files (skill skeletons) and cache API lists on disk. The scripts do not restrict target hosts (no localhost/169.254.169.254 filtering) and will print remote responses, which increases the risk of inadvertent data disclosure.
Install Mechanism
There is no external install/download step. The skill is instruction-and-script-only; all files are bundled with the skill. No installers or remote code downloads are performed by the skill itself, which lowers supply-chain risk.
Credentials
The skill declares no required env vars or credentials. The generated skill skeletons may reference an API_TOKEN for authenticated APIs (reasonable). Scripts use HOME for cache (~/.cache/public-apis-helper) and create files under an OUT_DIR default (/root/.openclaw/workspace/skills). No unrelated secrets are requested, but the generated artifacts and the optional probe will interact with external endpoints and may expose returned data.
Persistence & Privilege
always:false and the skill is user-invocable; it does not attempt to enable itself permanently. However, it writes to disk (cache in the user's home, and skill skeletons by default into /root/.openclaw/workspace/skills). Creating files in that workspace is consistent with a skill-generator, but the hardcoded default of /root/.openclaw/workspace/skills may be surprising and could require elevated permissions or write into sensitive locations if run as root.
What to consider before installing
This skill appears to do what it claims (search public-apis, produce examples, and scaffold skills), but pay attention to two practical risks before running it: 1) Network probing risk: the optional --try probe issues a curl GET to the selected URL and prints response bytes. If an API entry (or a maliciously crafted link) points to an internal endpoint (localhost, cloud instance metadata, or other private services), the probe can retrieve and print sensitive data. Avoid using --try unless you trust the target URLs or run in an isolated environment; consider adding hostname filtering. 2) File write risk: the scripts cache data under ~/.cache and by default write generated skills into /root/.openclaw/workspace/skills. Review or override the --out-dir to a safe location you control, and do not run as root. Recommendations: run the scripts in a sandboxed VM or container, disable --try or inspect links before probing, set OUT_DIR to a non-privileged path, review generated call.sh/python_example.sh before executing them (they will call remote URLs and may require tokens), and avoid enabling autonomous agent execution if you do not want the agent making outbound network calls on its own. If you want to be safer, request that the author add host allowlists/denylists and make the OUT_DIR default configurable to the current user's workspace instead of /root.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97e230zm8cne0fsz599g649x1817kr3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

public-apis-skill-creator

能力

  • 按功能关键词搜索 public-apis 仓库里的免费 API
  • 输出 API 的认证要求、HTTPS、CORS、文档链接
  • 自动生成最小可用示例(curl / Python / JavaScript)
  • 自动生成“公共API/免费API”对应的 skill 包(名称可自定义)
  • 查看并打印 public-apis 全量 API 列表(支持 --top / --json)

用法

1) 按功能找 API

bash {baseDir}/scripts/search_api.sh "weather forecast"

2) 自动推荐 + 生成调用模板(一步到位)

bash {baseDir}/scripts/solve_task.sh "weather api"
# 指定用推荐列表第 2 个 API
bash {baseDir}/scripts/solve_task.sh "weather api" --pick 2
# 可选:尝试对选中 API 做一次 GET 探测
bash {baseDir}/scripts/solve_task.sh "weather api" --pick 2 --try

3) 自动生成对应 skill(支持自定义名称)

bash {baseDir}/scripts/solve_task.sh "weather api" \
  --pick 2 \
  --make-skill \
  --skill-name weather-api-skill

会在 skills/<skill-name>/ 下生成可直接使用的 skill 骨架。

4) 手动生成调用模板

bash {baseDir}/scripts/gen_usage.sh \
  --name "Open-Meteo" \
  --url "https://api.open-meteo.com/v1/forecast?latitude=39.9&longitude=116.4&hourly=temperature_2m" \
  --auth "No"

5) 打印 public-apis 全部列表

bash {baseDir}/scripts/list_all_apis.sh
# 只看前 50 条
bash {baseDir}/scripts/list_all_apis.sh --top 50
# JSON 输出
bash {baseDir}/scripts/list_all_apis.sh --json

典型请求示例

  • "帮我找免费天气 API 并给 Python 示例"
  • "找一个免费汇率 API,要求 HTTPS 且无需 key"
  • "我想做新闻聚合,推荐 3 个 API 并比较"
  • "基于公共API生成一个新免费天气 skill,名称叫 weather-free"

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…