← Back to Skills Marketplace
726
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install tarkov-api
Description
Security-focused Tarkov.dev + optional EFT Wiki operations for hardcore Escape from Tarkov players. Use when users want reliable EFT data lookups (items, pri...
Usage Guidance
This skill appears to do what it says: query api.tarkov.dev and optionally the EFT wiki, and convert results into gamer-friendly recommendations. Before installing: (1) only use --allow-unsafe-endpoint if you trust the alternate host; the script refuses non-official endpoints by default, which is good; (2) when using stash-value, only point to data files you control — do not pass paths to sensitive local files you wouldn't want included in requests or printed output; (3) it's pure Python stdlib (no third-party downloads), so review the single script if you want extra assurance; (4) if you enable autonomous agent invocation, remember the agent could call the skill and cause outbound requests (this is standard behavior). If you need higher assurance, run the script locally in a sandbox and inspect network traffic or the source before granting runtime access.
Capability Analysis
Type: OpenClaw Skill
Name: tarkov-api
Version: 1.0.2
The skill is classified as suspicious due to a Local File Inclusion (LFI) vulnerability in the `stash-value` command within `scripts/tarkov_api.py`. The script directly reads the file path provided by the `--items-file` argument without validation or sandboxing, allowing a prompt-injected AI agent to potentially read arbitrary files on the system (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). While the skill's overall design and documentation (`SKILL.md`, `references/security-model.md`) emphasize security and explicitly forbid malicious actions like remote code execution, this LFI risk constitutes a significant vulnerability that could lead to sensitive data exposure.
Capability Assessment
Purpose & Capability
Name/description (Tarkov data + wiki) aligns with included script and docs: the code only calls the Tarkov GraphQL endpoint and the EFT fandom wiki API, exposes item/status/task/price commands, and documents those features. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
SKILL.md and the Python script keep scope narrow and include explicit security rules (use api.tarkov.dev by default, bound limits, avoid executing remote code). One practical scope note: stash-value reads a user-supplied file path and will parse and use its contents — this is expected for stash snapshots but means the user should not point the skill at sensitive local files.
Install Mechanism
No install spec; skill is instruction + a single Python script that uses only stdlib modules (urllib, json, csv, etc.). No downloads, package installs, or external installers are present.
Credentials
No environment variables, secrets, or external credentials are required. The code does not read extraneous env vars. Network access is limited to the declared endpoints (with an explicit --allow-unsafe-endpoint override required to contact other hosts).
Persistence & Privilege
Skill is not marked always:true and does not request persistent system-wide changes. It does not modify other skills or system config. Autonomous invocation remains enabled by platform default (no unusual privilege in the skill itself).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install tarkov-api - After installation, invoke the skill by name or use
/tarkov-api - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Harden wiki usage policy: wiki calls are now conditional (not default), added outbound request notice, and clarified API-first behavior with minimal-purpose wiki validation.
v1.0.1
Add Data Sources & Attribution section (Tarkov.dev API + EFT Wiki), clarify citation and minimal-excerpt guidance, and reinforce in-game verification after patches.
v1.0.0
Initial release: secure Tarkov.dev + EFT wiki workflows, raid-kit recommendations, map risk, stash value, trader flip, and task/wiki reference support.
Metadata
Frequently Asked Questions
What is Tarkov API + Wiki Hardcore Assistant?
Security-focused Tarkov.dev + optional EFT Wiki operations for hardcore Escape from Tarkov players. Use when users want reliable EFT data lookups (items, pri... It is an AI Agent Skill for Claude Code / OpenClaw, with 726 downloads so far.
How do I install Tarkov API + Wiki Hardcore Assistant?
Run "/install tarkov-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Tarkov API + Wiki Hardcore Assistant free?
Yes, Tarkov API + Wiki Hardcore Assistant is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Tarkov API + Wiki Hardcore Assistant support?
Tarkov API + Wiki Hardcore Assistant is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Tarkov API + Wiki Hardcore Assistant?
It is built and maintained by ColeZ (@cole-z); the current version is v1.0.2.
More Skills