← Back to Skills Marketplace
calcium-ion

NewAPI

by Calcium-Ion · GitHub ↗ · v0.1.1 · MIT-0
cross-platform ⚠ suspicious
367
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install newapi
Description
Assistant for newapi (new-api), an open-source unified AI gateway platform (https://github.com/QuantumNous/new-api). Use when the user asks about New API, ma...
Usage Guidance
Before installing or running this skill: 1) Be aware the scripts require NEWAPI_BASE_URL, NEWAPI_ACCESS_TOKEN, and NEWAPI_USER_ID even though the registry metadata doesn't list them — set those only in a secure environment. 2) env.js will load .env from your project root (it searches upward from the current working directory) and from the skill dir — remove or avoid sensitive secrets in project .env files you don't want read. 3) Review the scripts yourself: inject-key can overwrite files atomically and exec-token runs arbitrary shell commands with live secrets substituted; only run apply/exec on files/commands you trust. 4) The skill's sanitizers try to redact secrets but are heuristic — do not rely on them as an absolute guarantee. 5) If you expect the platform to enforce least privilege, ask the publisher to update metadata to declare required env vars explicitly and to document the .env file access behavior clearly before proceeding.
Capability Analysis
Type: OpenClaw Skill Name: newapi Version: 0.1.1 The skill bundle provides management for the New API gateway but includes high-risk capabilities, specifically arbitrary shell command execution and file system modification. The script `exec-token.js` uses `execSync` with `shell: true` to execute commands containing token placeholders, which presents a significant Remote Code Execution (RCE) risk if the command template is manipulated. Additionally, `inject-key.js` allows for reading and atomically overwriting local files. While the bundle contains extensive security instructions and a sanitization module (`sanitize.js`) designed to prevent the AI from seeing or leaking secrets, the inclusion of these powerful execution primitives without strict input validation qualifies as suspicious.
Capability Assessment
Purpose & Capability
The skill's name/description (New API management, tokens, config injection, exec with tokens) aligns with the included scripts. However, the registry metadata declares no required environment variables while the runtime scripts (env.js) require NEWAPI_BASE_URL, NEWAPI_ACCESS_TOKEN, and NEWAPI_USER_ID and will exit if they are missing. That mismatch (metadata vs actual requirements) is an incoherence the user should notice.
Instruction Scope
SKILL.md and docs instruct the agent to avoid exposing keys and not to read .env or clipboard contents, but env.js explicitly loads .env files (project root and skill dir) to populate credentials. The scripts will also read arbitrary config files for scan/apply operations and will atomically overwrite files in apply mode. exec-token runs arbitrary shell commands with a fetched secret substituted into the command — powerful and aligned with purpose, but it requires trust in the script's sanitization and in the target command not to leak the secret elsewhere.
Install Mechanism
There is no install spec and this is instruction-plus-script content (no network downloads at install time). That reduces supply-chain risk; the code is shipped in the skill bundle rather than fetched from an arbitrary URL.
Credentials
The scripts legitimately need three environment values (NEWAPI_BASE_URL, NEWAPI_ACCESS_TOKEN, NEWAPI_USER_ID) to call the New API, but the skill registry metadata lists none — this under-declaration is misleading. Also, env.js will look for a project-root .env (by walking up from process.cwd()) and load it if present, which means the scripts may read user project files and any secrets they contain. That level of file access is more than the metadata suggests and should be confirmed before installing.
Persistence & Privilege
always:false and no modification of other skills or global agent settings. The skill can write to arbitrary files specified by the user (inject-key apply mode) and execute arbitrary shell commands (exec-token) — these are powerful but coherent with the stated purpose; they require user caution and explicit file/command targets.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install newapi
  3. After installation, invoke the skill by name or use /newapi
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
Version 0.1.1 - Updated "Security Constraints" section to "Security Guidelines" with clearer, more accessible language. - Added clarifications on the limitations of `scan-config` and best-effort secret redaction. - Reorganized and simplified security guidance for improved readability. - No changes to commands, actions, or file structure.
v0.1.0
Initial release of the "newapi" skill — secure gateway and management for New API. - Provides secure actions for listing models, groups, balance, and managing API tokens. - Enforces strict security rules: never expose or show API keys; always use provided scripts for actions. - Supports commands for secure key copying, config file application, and executing commands with masked tokens. - Includes help and guidance for safe New API usage.
Metadata
Slug newapi
Version 0.1.1
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is NewAPI?

Assistant for newapi (new-api), an open-source unified AI gateway platform (https://github.com/QuantumNous/new-api). Use when the user asks about New API, ma... It is an AI Agent Skill for Claude Code / OpenClaw, with 367 downloads so far.

How do I install NewAPI?

Run "/install newapi" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is NewAPI free?

Yes, NewAPI is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does NewAPI support?

NewAPI is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created NewAPI?

It is built and maintained by Calcium-Ion (@calcium-ion); the current version is v0.1.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments