Api Integrator
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward API testing and client-generation skill, but it can make credentialed API calls and write generated files, so users should control tokens, endpoints, and output paths carefully.
This skill is reasonable for testing APIs and generating small clients. Before installing or using it, verify the source, use limited-scope tokens, prefer test environments, and manually approve any request that can create, update, or delete data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad API call could change data in a connected service.
The script can send arbitrary HTTP methods, including mutating methods, to user-supplied URLs. This is expected for an API integrator, but it can modify or delete data if used against real services.
parser.add_argument('--method', default='GET', choices=['GET', 'POST', 'PUT', 'DELETE', 'PATCH']
Use read-only or test credentials when possible, verify endpoints and methods before running, and require explicit confirmation for POST, PUT, PATCH, or DELETE requests.
Tokens supplied to the tool will be sent to the configured API endpoint and may authorize real account actions.
The tool accepts API keys, bearer tokens, and basic-auth credentials to authenticate requests. This is purpose-aligned, and the code does not show unrelated credential use or exfiltration.
parser.add_argument('--token', help='Auth token/API key') ... parser.add_argument('--password', help='Password for basic auth')
Provide least-privilege, service-specific credentials; avoid putting secrets in shared shell history or logs; rotate tokens if exposed.
Users may need to verify the package source and ensure required Python dependencies are installed before use.
The package provenance and setup requirements are lightly documented. This does not show malicious behavior, but it reduces reviewability and may make dependency expectations less clear.
Source: unknown; Homepage: none; Install specifications: No install spec
Install only from trusted registries, review the included script before use, and ensure Python dependencies such as requests come from a trusted environment.
