Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

API Docs Generator

v1.0.0

Automatically generates API documentation from code comments, supporting OpenAPI/Swagger formats with JSON or YAML output.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md describes automated parsing of source comments, route detection, support for many frameworks, OpenAPI/Swagger generation and Postman export. The only code file (api-docs-generator.sh) writes a hard-coded OpenAPI JSON and does not parse input sources or implement any framework-specific logic. The README examples call a command name (api-docs-generator) while the repo supplies api-docs-generator.sh — a naming/installation mismatch. This is disproportionate: the requested/installed artifacts do not match the advertised capability.
Instruction Scope
The SKILL.md gives CLI usage examples that would read a source directory and produce documentation, but it does not instruct the agent to read unrelated files, environment variables, or send data externally. However, because the actual script is a stub, the documentation examples are misleading; a user or agent expecting real parsing would be surprised. There are no instructions that clearly exfiltrate data.
Install Mechanism
No install specification or network downloads are present; the skill is instruction-only with a small bundled shell script. This is low install risk (nothing downloaded from external URLs).
Credentials
The skill declares no required environment variables, credentials, or config paths. The SKILL.md and the included script do not request secrets or unrelated credentials.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It does not modify other skills or system-wide configuration in the provided materials.
What to consider before installing
This package advertises a powerful automatic API-docs generator but includes only a tiny shell script that emits a static OpenAPI JSON — it does not implement the parsing, framework support, or route detection described. Treat it as a stub or placeholder rather than a working tool. Before installing or running it on real projects: (1) inspect the script (you already can — it's short) to confirm behavior; (2) do not run untrusted tools against sensitive repositories without sandboxing, because a real implementation that parses code might read secrets or upload data; (3) ask the publisher for the actual implementation or a source repo/release artifacts; (4) prefer skills with verifiable install instructions or known upstream releases. The current mismatch is a quality/accuracy concern (suspicious) rather than a clear malicious indicator, but exercise caution.

Like a lobster shell, security has layers — review code before you run it.

Tags: api, docs, documentation, latest, openapi, swagger


Runtime requirements

📚 Clawdis
