Interop Forge
v0.1.1
Integration architect for multi-app monorepos — shared contracts, API-first design with OpenAPI, cross-app auth, auto-generated SDKs, and full MCP server sca...
by Guilherme Favaron (@guifav)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
The name/description (interop architect for monorepos) matches the SKILL.md: it inspects repo manifests, generates TypeScript packages, OpenAPI specs, SDKs, and MCP server scaffolding. The declared binaries in claw.json (node, npx, git) align with those tasks.
Instruction Scope
The skill's mandatory planning and survey steps legitimately instruct the agent to read repo manifest files (package.json, turbo.json, pnpm-workspace.yaml, etc.). It explicitly states it will not read or modify .env or credential files directly. Because the skill orchestrates file creation across the repo, it will write many files (packages, specs, server scaffolds) — this is expected for its purpose but worth auditing.
Install Mechanism
Instruction-only skill (no install spec, no code files). This is low-risk: nothing is downloaded or written by an installer as part of the skill itself. Runtime actions (npm/pnpm/yarn install) are performed by generated project scripts, not the skill installer.
Credentials
The skill does not require environment variables to run. SKILL.md documents that generated code may reference environment variables (OPENROUTER_API_KEY, SUPABASE_URL/ANON_KEY, GCP_PROJECT_ID, GOOGLE_APPLICATION_CREDENTIALS) via process.env in the generated artifacts. That is coherent for generated SDKs and server code, but you should ensure secrets are not embedded into generated files or committed to VCS.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request elevated or persistent platform privileges. claw.json lists filesystem and network permissions (expected for a scaffolding/SDK generator).
Assessment
This skill appears coherent with its stated goal. Before installing or running it:
1) Run it in a disposable branch or clone so generated files don't pollute main branches.
2) Inspect all generated files (packages, OpenAPI specs, SDKs, MCP servers) before executing any generated scripts.
3) Ensure no secrets (service-account JSON, API keys) end up in generated code or committed to the repo; the skill states it will reference env vars via process.env but you should verify it never inlines secrets.
4) Review package.json and any third-party dependencies the generated code pulls in before running installs (npm/pnpm/yarn).
5) Because the source/homepage are not provided, exercise extra caution: validate the generated code quality and network calls (endpoints) before using in production.
If you want higher assurance, ask the skill author for a repository/homepage or request a code sample of generated artifacts to audit first.
Like a lobster shell, security has layers — review code before you run it.
