ClawHub

Ocli Api

Turn any OpenAPI/Swagger API into CLI commands and call them. Search endpoints with BM25, check parameters, execute — no MCP server needed.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 31 · 0 current installs · 0 all-time installs
byValerii Kovalskii@vakovalskii
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description say 'turn OpenAPI into CLI commands' and the skill requires the 'ocli' binary; that is coherent. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to run ocli commands (search, inspect, execute) against OpenAPI specs. This stays within the declared purpose, but those commands enable the agent to make arbitrary HTTP requests to whatever API base URL/profile is configured — which can access internal endpoints or accept user-supplied tokens. The instructions do not tell the agent to read unrelated local files, but they do encourage parsing JSON responses and supplying request parameters, which could include sensitive values if provided.
Install Mechanism
This is an instruction-only skill (no install spec). The SKILL.md asks users to 'npm install -g openapi-to-cli' in the setup example. That's reasonable for an instruction-only skill, but npm packages run arbitrary code at install/runtime — you should verify the openapi-to-cli package and its provenance before installing.
Credentials
The skill declares no required env vars, yet the setup examples show supplying a bearer token via --api-bearer-token "$TOKEN". This is not inherently malicious, but it's a mismatch: the skill will expect the user (or agent) to provide API tokens for target APIs even though no primaryEnv is declared. Ensure tokens are least-privilege and not left in environments the agent can read unintentionally.
Persistence & Privilege
always is false, no config paths or system-wide modifications are requested. The skill does not request elevated or permanent presence.
Assessment
This skill is a thin adapter that tells the agent to call the ocli CLI to discover and call OpenAPI endpoints. Before installing or using it: (1) verify and trust the 'openapi-to-cli' npm package (review its repository and release source); (2) only configure API profiles with least-privilege tokens and avoid putting high-privilege secrets in environment variables the agent can access; (3) be aware the agent will be able to make arbitrary HTTP calls to any configured base URL — avoid pointing it at sensitive internal services unless you intend that access; (4) pin package versions or install from a known-good release to reduce supply-chain risk.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk979kaxs95xssbmwng4kqhzbq9832v5s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔌 Clawdis
Binsocli

SKILL.md

ocli — OpenAPI to CLI

Call any HTTP API described by an OpenAPI/Swagger spec as CLI commands. No MCP server, no code generation, no JSON schemas in context.

When to use

  • You need to call a REST API (internal, cloud, SaaS)
  • You have an OpenAPI or Swagger spec (URL or local file)
  • You want minimal token overhead (1 tool, ~158 tokens/turn)

Setup (one-time)

npm install -g openapi-to-cli

ocli profiles add <name> \
  --api-base-url <BASE_URL> \
  --openapi-spec <SPEC_URL_OR_PATH> \
  --api-bearer-token "$TOKEN"

ocli use <name>

Workflow

  1. Search for the right command: 
    ocli commands --query "your task description" --limit 5
  2. Check parameters of the chosen command: 
    ocli <command> --help
  3. Execute the command: 
    ocli <command> --param1 value1 --param2 value2
  4. Parse the JSON response and act on the result.

Search options

# BM25 natural language search
ocli commands --query "upload file to storage" --limit 5

# Regex pattern search
ocli commands --regex "users.*post" --limit 10

# List all commands
ocli commands

Multiple APIs

# Switch active profile
ocli use github

# Or specify per-call
ocli repos_get --profile github --owner octocat --repo Hello-World

Guardrails

  • Always search before guessing a command name.
  • Always check --help before calling a command you haven't used before.
  • Never fabricate parameter names — use the ones from --help output.
  • If a command returns an error, read the response body before retrying.

Failure handling

  • Command not found: re-search with different keywords or use --regex.
  • Missing required parameter: run --help and add the missing flag.
  • 401/403: check that the profile has a valid token (ocli profiles show <name>).
  • Spec not loaded: run ocli profiles add again with --openapi-spec to refresh cache.

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…