Smart API Connector
v3.0.0Connect to any REST API using the agent's built-in web_fetch. Handles authentication headers, JSON payloads, error parsing, and retries. Use when: user wants...
⭐ 0· 86·0 current·0 all-time
by@tommot2
MIT-0
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (connect to REST APIs, handle auth/JSON/retries) aligns with the SKILL.md content: it uses built-in web_fetch, supports auth headers, methods, error handling and response parsing as expected.
Instruction Scope
Instructions primarily use the agent's built-in web_fetch (appropriate). However the SKILL.md also instructs a fallback to exec/curl and shows an inline `exec: API_KEY="your_key" curl ...` example, which expands scope to running shell commands; this contradicts the earlier 'No curl, no dependencies' claim and grants the agent permission to run arbitrary shell execs when web_fetch 'can't handle' a request.
Install Mechanism
Instruction-only skill with no install spec and no files to write — minimal install risk.
Credentials
The doc references an API_KEY environment variable in examples, but the skill declares no required env vars. The env usage appears optional (user-supplied), which is reasonable, but the SKILL.md should have declared that API_KEY is an optional env var. Also the curl fallback pattern (inline env + curl) can expose secrets to process lists on some systems.
Persistence & Privilege
The skill is not always-enabled, does not request persistent presence, and explicitly claims not to persist keys or modify files. No installation-time privileges requested.
Assessment
This instruction-only skill mostly does what it says: use web_fetch to call APIs, show and parse responses, and handle retries. Before installing or using it: 1) ask the publisher to clarify why the README says 'No curl' but also shows a curl fallback; confirm whether the agent will actually run shell execs and under what conditions. 2) Avoid pasting production API keys into chat; prefer short-lived or scoped test keys. 3) If you must use an environment variable, set it in a secure environment rather than sending it in conversation; the curl example (inline env + curl) can expose keys to process listings on some systems. 4) Confirm how the platform enforces the 'never persist API keys' promise if that matters to you. Overall the skill looks coherent with its stated purpose, but validate the curl fallback and secret-handling behavior before trusting it with sensitive credentials.Like a lobster shell, security has layers — review code before you run it.
apiautomationconnectordeveloperhttpintegrationjsonlatestrequestsrest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Smart API Connector v3.0
Install: clawhub install smart-api-connector
REST API integration using built-in tools. No code, no curl, no dependencies.
Language
Detect from user's message language. Default: English.
Quick Start
User provides: API URL + what they want. Agent handles everything.
User: "Hent brukerinfo fra https://api.example.com/v1/users/123"
Agent runs:
web_fetch https://api.example.com/v1/users/123(with auth headers if provided)Returns parsed response.
Authentication
API Key in Header
web_fetch url --headers '{"Authorization": "Bearer KEY", "X-API-Key": "KEY"}'
API Key via Environment Variable
exec: API_KEY="your_key" curl -s -H "Authorization: Bearer $API_KEY" "https://..."
Session-only Keys
API keys provided in conversation are used in-session only. Never persisted to files.
Error Handling
| HTTP Status | Action |
|---|---|
| 200-299 | Parse and return response |
| 429 | Rate limited — wait and retry (max 3 retries) |
| 400 | Bad request — show error, suggest fix |
| 401/403 | Auth failed — check key, permissions |
| 404 | Not found — verify URL |
| 5xx | Server error — retry once, then report |
HTTP Methods
| Method | Use Case |
|---|---|
| GET | Fetch data |
| POST | Create data / send JSON body |
| PUT | Update data |
| DELETE | Remove data |
For POST/PUT: prompt user for JSON body if not provided.
Response Parsing
Always extract and present the useful parts. For JSON APIs:
Response:
Name: John
Email: john@example.com
Created: 2026-03-28
Raw: {first 200 chars if user wants detail}
Security
- Keys are session-only — never written to files
- Prefer environment variables over command-line args
- Scoped/test keys over production secrets
- Show user the exact request before executing (URL + method + headers, not the key value)
Quick Commands
| User says | Action |
|---|---|
| "query {url}" | GET request |
| "POST to {url}" | POST with body |
| "test API {url}" | Request + show response |
| "API health check" | GET and report status |
Guidelines for Agent
- Use web_fetch first — built-in, no dependencies
- Fall back to exec/curl only if web_fetch can't handle the request
- Never persist API keys — session only
- Show request before executing — confirm with user for POST/PUT/DELETE
- Parse responses — extract useful data, don't dump raw JSON
- Handle errors gracefully — retry on 429, explain 401/403
- Match user language in responses
What This Skill Does NOT Do
- Does NOT persist API keys or credentials
- Does NOT require npm packages or external tools
- Does NOT modify any local files
- Does NOT make requests without user knowledge (for POST/PUT/DELETE)
More by TommoT2
- workflow-builder-lite — Build and execute multi-step workflows
- context-brief — Persistent context survival across sessions
- setup-doctor — Diagnose and fix OpenClaw setup issues
Install the full suite:
clawhub install smart-api-connector workflow-builder-lite context-brief setup-doctor
Files
1 totalSelect a file
Select a file to preview.
Comments
Loading comments…