← Back to Skills Marketplace
1824
Downloads
0
Stars
5
Active Installs
2
Versions
Install in OpenClaw
/install yapi
Description
Query and sync YApi interface documentation. Use when user mentions "yapi 接口文档", YAPI docs, asks for request/response details, or needs docs sync. Also trigg...
Usage Guidance
This skill appears to do what it says: call the yapi CLI (or use the @leeguoo/yapi-mcp npm package) and read your YApi config/auth files to fetch and sync interface docs. Before installing or using it: (1) confirm you trust the @leeguoo/yapi-mcp package (inspect its npm/GitHub source) because the fallback uses npx which runs remote code; (2) be aware the skill reads ~/.yapi/config.toml and ~/.yapi-mcp/auth-*.json (these can contain tokens) — avoid running it with highly privileged accounts unless you trust the environment; (3) if you want to reduce runtime risk, preinstall a vetted yapi CLI or a pinned version of the npm package instead of using npx -y; (4) expect the docs-sync commands to create/update .yapi/*.json files in your project directory — review those outputs before committing them.
Capability Analysis
Type: OpenClaw Skill
Name: yapi
Version: 1.0.1
The skill is classified as suspicious due to its reliance on `npx -y` to download and execute an external package (`@leeguoo/yapi-mcp`) from npm, which introduces a supply chain risk. Additionally, the skill instructs the agent to read local configuration files (`~/.yapi/config.toml`) using `rg` and perform file write operations during documentation synchronization, granting significant file system access. While these actions are aligned with the stated purpose of YApi documentation management, they represent high-risk capabilities that could be exploited by a compromised `npx` package or a sophisticated prompt injection, even though the `SKILL.md` itself does not contain explicit malicious instructions.
Capability Assessment
Purpose & Capability
The name/description (YApi docs query & sync) match the instructions: invoking the yapi CLI or the @leeguoo/yapi-mcp package, resolving api/project IDs, fetching JSON, and running docs-sync. Required files/paths referenced (~/.yapi/config.toml and ~/.yapi-mcp/auth-*.json) are directly relevant to locating the configured base_url and authentication state.
Instruction Scope
SKILL.md explicitly instructs reading the user's YApi config and auth cache and running yapi commands (whoami, login, search, docs-sync). These actions are within the task scope, but reading auth-cache files is sensitive (they may contain credentials/tokens) — the instructions do not attempt to exfiltrate them, but they do rely on local credential files.
Install Mechanism
There is no install spec (instruction-only). The guidance prefers a local yapi binary and falls back to 'npx -y @leeguoo/yapi-mcp'. Using npx executes code fetched from the npm registry on demand, which is common but carries the usual risk of executing third-party package code each run; consider pinning or preinstalling a vetted version if you want to avoid on-the-fly downloads.
Credentials
The skill requests no environment variables and does not require unrelated credentials. It references config and auth cache files in the user's home (appropriate for YApi operations). Those files are sensitive, so access is proportionate but should be treated as sensitive.
Persistence & Privilege
always is false and autonomous invocation is allowed (platform default). The skill's documented behavior may write project-local binding and mapping files (.yapi/docs-sync.json, .yapi.docs-sync.*) during syncs, which is expected and limited to the working project directory. It does not request system-wide or other-skills configuration changes.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install yapi - After installation, invoke the skill by name or use
/yapi - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Prefer using the global yapi CLI; if missing, fallback to npx for command execution.
- Streamlined workflow steps for authentication, URL matching, and data fetching.
- Clarified command usage, including direct npx alternatives and project/category resolution.
- Updated docs sync instructions to emphasize binding mode and dry-run before syncing.
- Revised config and cache path guidance; expanded tool dependencies for sync/rendering.
- Added stronger recommendations for correct interface creation and field placement.
v1.0.0
yapi 1.0.0 initial release
- Enables querying and syncing YApi interface documentation based on YApi URLs or keywords.
- Detects valid YApi URLs by matching against configured base_url in ~/.yapi/config.toml.
- Guides installation and authentication for yapi CLI, including login and config setup.
- Provides CLI usage examples for searching, binding, and syncing API docs.
- Summarizes API details including method, path, headers, request/response schema, and examples.
- Outlines best practices for reliable API interface creation and documentation syncing.
Metadata
Frequently Asked Questions
What is Yapi?
Query and sync YApi interface documentation. Use when user mentions "yapi 接口文档", YAPI docs, asks for request/response details, or needs docs sync. Also trigg... It is an AI Agent Skill for Claude Code / OpenClaw, with 1824 downloads so far.
How do I install Yapi?
Run "/install yapi" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Yapi free?
Yes, Yapi is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Yapi support?
Yapi is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Yapi?
It is built and maintained by 郭立lee (@leeguooooo); the current version is v1.0.1.
More Skills