← Back to Skills Marketplace
770
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install public-apis-skill-creator
Description
公共API/免费API SKILL生成器:从 public-apis/public-apis 自动检索免费 API,按功能推荐并给出最小可用调用示例(curl/Python/JS),并可自动生成自定义名称的 API skill。用户提到“公共API”“免费API”“public APIs”“找接口/找API”“生...
Usage Guidance
This skill appears to do what it claims (search public-apis, produce examples, and scaffold skills), but pay attention to two practical risks before running it: 1) Network probing risk: the optional --try probe issues a curl GET to the selected URL and prints response bytes. If an API entry (or a maliciously crafted link) points to an internal endpoint (localhost, cloud instance metadata, or other private services), the probe can retrieve and print sensitive data. Avoid using --try unless you trust the target URLs or run in an isolated environment; consider adding hostname filtering. 2) File write risk: the scripts cache data under ~/.cache and by default write generated skills into /root/.openclaw/workspace/skills. Review or override the --out-dir to a safe location you control, and do not run as root. Recommendations: run the scripts in a sandboxed VM or container, disable --try or inspect links before probing, set OUT_DIR to a non-privileged path, review generated call.sh/python_example.sh before executing them (they will call remote URLs and may require tokens), and avoid enabling autonomous agent execution if you do not want the agent making outbound network calls on its own. If you want to be safer, request that the author add host allowlists/denylists and make the OUT_DIR default configurable to the current user's workspace instead of /root.
Capability Analysis
Type: OpenClaw Skill
Name: public-apis-skill-creator
Version: 1.0.0
The skill is classified as suspicious due to multiple critical shell injection vulnerabilities (RCE risks) and prompt injection risks. Specifically, `scripts/create_skill.sh` directly interpolates user-controlled input (like API URLs and descriptions) into generated shell scripts and markdown files without proper sanitization, allowing for arbitrary command execution and prompt injection in the newly created skill. Similarly, `scripts/gen_usage.sh` and `scripts/solve_task.sh` (especially with the `--try` flag) directly interpolate API URLs into `curl` commands, creating shell injection vulnerabilities that could lead to RCE if exploited by a malicious input or a compromised API source.
Capability Assessment
Purpose & Capability
The name/description (discover public/free APIs from public-apis and generate examples/skill skeletons) matches the included scripts: listing/searching the public-apis README, generating curl/Python/JS examples, and creating a skill skeleton. No unrelated credentials or external tooling are requested.
Instruction Scope
The runtime instructions and scripts stay within the declared purpose but include steps that probe arbitrary discovered URLs (solve_task.sh --try uses curl to fetch the chosen URL and prints the first 500 bytes). That network probing can be used to contact internal/metadata endpoints if a URL points there. The scripts also create files (skill skeletons) and cache API lists on disk. The scripts do not restrict target hosts (no localhost/169.254.169.254 filtering) and will print remote responses, which increases the risk of inadvertent data disclosure.
Install Mechanism
There is no external install/download step. The skill is instruction-and-script-only; all files are bundled with the skill. No installers or remote code downloads are performed by the skill itself, which lowers supply-chain risk.
Credentials
The skill declares no required env vars or credentials. The generated skill skeletons may reference an API_TOKEN for authenticated APIs (reasonable). Scripts use HOME for cache (~/.cache/public-apis-helper) and create files under an OUT_DIR default (/root/.openclaw/workspace/skills). No unrelated secrets are requested, but the generated artifacts and the optional probe will interact with external endpoints and may expose returned data.
Persistence & Privilege
always:false and the skill is user-invocable; it does not attempt to enable itself permanently. However, it writes to disk (cache in the user's home, and skill skeletons by default into /root/.openclaw/workspace/skills). Creating files in that workspace is consistent with a skill-generator, but the hardcoded default of /root/.openclaw/workspace/skills may be surprising and could require elevated permissions or write into sensitive locations if run as root.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install public-apis-skill-creator - After installation, invoke the skill by name or use
/public-apis-skill-creator - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: search/list public-apis, generate usage snippets, auto-generate custom-named API skills, support --pick selection
Metadata
Frequently Asked Questions
What is Public APIs Skill Creator?
公共API/免费API SKILL生成器:从 public-apis/public-apis 自动检索免费 API,按功能推荐并给出最小可用调用示例(curl/Python/JS),并可自动生成自定义名称的 API skill。用户提到“公共API”“免费API”“public APIs”“找接口/找API”“生... It is an AI Agent Skill for Claude Code / OpenClaw, with 770 downloads so far.
How do I install Public APIs Skill Creator?
Run "/install public-apis-skill-creator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Public APIs Skill Creator free?
Yes, Public APIs Skill Creator is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Public APIs Skill Creator support?
Public APIs Skill Creator is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Public APIs Skill Creator?
It is built and maintained by 547895019 (@547895019); the current version is v1.0.0.
More Skills