Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Apifox Exporter
v2.0.0导入 Apifox 导出的 OpenAPI JSON,递归展开引用,按模块分组整理并输出清晰的接口文档,支持多项目管理。
⭐ 0· 133·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill's name/description (Apifox export) match the actual code and runtime requirements: it uses Playwright to automate a browser session, listens for downloads, and transforms exported OpenAPI JSON into a formatted text document. The dependency on Playwright and the included scripts are expected and proportionate.
Instruction Scope
SKILL.md and skill.yaml instruct the agent to launch the provided scripts, install Node/Playwright, open the Apifox site, and either perform full browser automation or accept a manually exported JSON. The instructions reference only the Apifox site and local filesystem paths required for operation; they do not attempt to read unrelated system files or reach unexpected external endpoints.
Install Mechanism
There is no opaque remote install URL; installation uses npm and Playwright (npx playwright install chromium), which will download official browser artifacts. No custom downloads from unknown hosts or URL shorteners are present.
Credentials
The skill requests no secrets or external credentials. However it persistently stores a browser profile (cookies/session data) under ~/.openclaw/workspace/script/apifox/chrome-profile and writes output to the user's Desktop—these artifacts can contain authentication tokens and exported API data, so the persistence is functionally necessary but sensitive.
Persistence & Privilege
The skill will create directories and files in the user's home (workspace/script/apifox, chrome-profile, and Desktop output). always:false is set (normal). The persistent browser profile enables saved login state (convenient) but increases the sensitivity of the files it creates; the skill does not attempt to modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: it automates the Apifox web UI (via Playwright), saves a persistent browser profile, captures the exported JSON, and formats it into a text doc on your Desktop. Before installing: 1) Be aware the skill will create a chrome-profile directory under ~/.openclaw/workspace/script/apifox which will contain cookies/session tokens—delete it if you want to revoke saved logins. 2) The skill will write files to your Downloads/workspace and Desktop; verify these locations are acceptable. 3) Installation requires npm and Playwright (which downloads Chromium binaries from official sources). 4) Consider running the scripts manually the first time (npm install; npx playwright install chromium; node script/auto-export-playwright.js) to observe behavior, and run in a controlled account if you are concerned about stored credentials. 5) Note a minor portability bug: the Playwright script uses process.env.USERPROFILE (Windows) without a HOME fallback—verify paths are correct on your OS. If you need lower risk, use the '半自动' (semi-automatic) flow that requires manually exporting the JSON and avoids saved browser profile.script/auto-export-playwright.js:364
Shell command execution detected (child_process).
script/auto-export.js:28
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk9715r5zncrachjwdr5hv8c88n836grf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.