- Downloads: 982
- Stars: 1
- Active Installs: 0
- Versions: 2
Install in OpenClaw
/install swagger-skill
Description
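Intelligent Swagger API query and invocation tool. Query endpoint details and call APIs directly through natural-language instructions, without tedious interactive steps.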
Usage Guidance
What to consider before installing/using this skill:
- It is coherent with its description: it loads a Swagger/OpenAPI document and issues HTTP requests to the APIs it finds. The required node runtime and axios/form-data deps match that purpose.
- The skill auto-installs npm dependencies by running npm init and npm install in the skill folder the first time it runs. That will write files and fetch packages from the npm registry — run it in a controlled environment (sandbox/container) if you are concerned about additional code being installed.
- The skill will perform arbitrary HTTP requests to URLs you provide — this is necessary to call APIs but can be abused to reach internal endpoints (SSRF-like exposure). Do NOT supply sensitive machine credentials or environment tokens (e.g., cloud metadata tokens, admin credentials) to the skill unless you fully trust the runtime and the target API.
- You may want to inspect the full index.js (the uploaded snippet shows a truncated upload function) to ensure there are no unexpected behaviors or logging/exfiltration paths before running it with real credentials.
- If you want to reduce risk: run the skill in an isolated container, avoid pasting production secrets into the CLI, and prefer calling it against known external Swagger endpoints rather than internal network addresses.
Capability Analysis
Type: OpenClaw Skill
Name: swagger-skill
Version: 1.0.1
The skill is classified as suspicious due to its inherent risky capabilities, which could be exploited by a malicious agent prompt. Specifically, the `uploadFile` function in `index.js` allows reading arbitrary local files (e.g., sensitive configuration or credential files) from the filesystem via `fs.createReadStream` for upload. While this is an intended feature for file uploads, it provides a powerful primitive for data exfiltration if the agent is instructed to read sensitive paths and send them to an attacker-controlled endpoint. Additionally, the skill uses `child_process.execSync` for dependency installation in `index.js`, which, while not directly vulnerable to user input in this context, is a risky primitive. The core functionality of making arbitrary network requests to user-specified URLs (`fetchSwaggerSpec`, `callAPI`) also presents a risk for SSRF or data exfiltration if abused by an agent.
Capability Assessment
Purpose & Capability
Name and description (Swagger/OpenAPI query and call) align with the code and SKILL.md. Requiring node and using axios/form-data is expected for this functionality. The code implements indexing, searching, calling, token/cookie auth and a CLI as described.
Instruction Scope
Runtime instructions and code only perform Swagger spec fetching, indexing, search and HTTP calls. They do not attempt to read unrelated host files or request unrelated credentials. Important caveat: the skill will make arbitrary network requests to URLs provided by the user (the Swagger spec URL and any API endpoints it calls), which means it can access internal network endpoints (e.g., metadata services, internal APIs) if given those URLs or if an agent is instructed to use them.
Install Mechanism
There is no external install spec, but index.js will auto-initialize package.json and run npm install via execSync if dependencies are missing. This writes files and downloads packages from the npm registry at runtime. That behavior is documented in SKILL.md (it claims to auto-install axios and form-data), but it raises moderate risk because it executes shell commands and pulls third-party packages at runtime.
Credentials
The skill does not request environment variables, credentials, or config paths in the registry metadata. It accepts user-supplied tokens/cookies for the APIs it calls (which is appropriate). There are no unrelated credentials required.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. It does write package.json and install deps in its own directory at first run (self-contained). It does not alter other skills' configurations or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install swagger-skill`
- After installation, invoke the skill by name or use `/swagger-skill`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
swagger-skill 1.0.1
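- Usage documentation improved: dependencies (axios, form-data) no longer need to be installed manually; the first run detects and installs them automatically and configures package.json (including "type": "module").
- The installation documentation now describes automatic initialization and dependency handling, improving ease of use.
- All other features and interfaces remain compatible.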
v1.0.0
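swagger-skill 1.0.0 initial release
- Provides one-step query, natural-language search, and intelligent API calls, without tedious interactive flows
- Supports full display of endpoint information, including parameters, request bodies, responses, and data schema definitions
- Compatible with OpenAPI 3.0 and Swagger 2.0; supports multiple authentication methods (Token, Cookie, or no authentication)
- Built-in layered caching, efficient indexing, and O(1) endpoint-detail lookup
- Rich API: fast spec loading, search, detail retrieval, natural-language calls, file upload, and more
- Provides an interactive CLI tool for quick operation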
Frequently Asked Questions
What is swagger-skill?
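Intelligent Swagger API query and invocation tool. Query endpoint details and call APIs directly through natural-language instructions, without tedious interactive steps. It is an AI Agent Skill for Claude Code / OpenClaw, with 982 downloads so far.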
How do I install swagger-skill?
Run "/install swagger-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is swagger-skill free?
Yes, swagger-skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does swagger-skill support?
swagger-skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created swagger-skill?
It is built and maintained by MinusGod (@minusgod); the current version is v1.0.1.