← Back to Skills Marketplace

rapidapi

Name: rapidapi
Author: web3aivc

by web3aivc · GitHub ↗ · v0.1.0

cross-platform ⚠ suspicious

351

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install rapidapi

Description

Template-driven RapidAPI client with auto-registered actions and a universal call entrypoint

Usage Guidance

This skill appears to implement a legitimate RapidAPI client and only needs your RAPIDAPI_KEY — that is expected. The main risk is that, by default, it allows calls to non-RapidAPI hosts and will include your RAPIDAPI_KEY header on those requests. Before installing or enabling this skill: 1) Audit the templates in templates/*.json to ensure they only target trusted RapidAPI endpoints (or domains you intend to send the key to). 2) Set ALLOW_NON_RAPIDAPI_HOSTS=false (or set allowNonRapidApiHosts=false in config) to block non-RapidAPI hosts unless you explicitly need them. 3) Limit who can call callRapidApi (ad-hoc direct calls) in your environment, since that entrypoint can be used to send the key to arbitrary hosts. 4) Provide the RAPIDAPI_KEY with least privilege and be prepared to rotate it if you suspect it was exposed. If you need higher assurance, request changes so the default is restrictive (deny non-RapidAPI hosts) and document precisely which hosts are allowed.

Capability Analysis

Type: OpenClaw Skill Name: rapidapi Version: 0.1.0 The skill functions as a universal RapidAPI client but contains risky credential-handling logic. Specifically, lib/engine.js is designed to attach the 'X-RapidAPI-Key' to requests, and while it includes a host-validation check, the 'allowNonRapidApiHosts' setting (which defaults to true in index.js and config.example.json) allows the sensitive API key to be sent to any arbitrary host provided in the input. While no clear evidence of intentional malice or hardcoded exfiltration endpoints was found, the capability to direct credentials to non-RapidAPI infrastructure via user-controlled or agent-controlled input poses a high risk of accidental or forced credential leakage.

Capability Assessment

✓ Purpose & Capability

Name, description, and required credential (RAPIDAPI_KEY) match the code and templates. The skill's functions (listActions, callAction, callRapidApi) and template system are consistent with a RapidAPI client.

✓ Instruction Scope

SKILL.md directs use of the packaged index.js APIs and scripts and documents template formats. The runtime instructions do not instruct the agent to read unrelated system files or secrets beyond the declared RAPIDAPI_KEY; the code only reads/writes within the skill's templates directory and uses stdin for the provided scripts.

✓ Install Mechanism

There is no external install/download step; source files are bundled with the skill. No remote URLs or extract actions are used. Node.js 18+ is required (uses global fetch), which is reasonable.

⚠ Credentials

The skill only requires RAPIDAPI_KEY (primary credential), which is appropriate — but it defaults to allowNonRapidApiHosts=true (ALLOW_NON_RAPIDAPI_HOSTS environment/config default true). When host restriction is off, the engine will send the RAPIDAPI_KEY in the X-RapidAPI-Key header to any allowed host. That default increases risk of the key being sent to arbitrary domains (templates shipped include non-.rapidapi.com hosts), so the requested credential may be exposed to hosts outside RapidAPI unless the user sets host restrictions or audits templates.

✓ Persistence & Privilege

The skill does not request permanent system privileges, does not set always:true, and does not modify other skills or global agent settings. It reads and writes files only under its templates directory (scripts/import-endpoint.js creates template files), which is expected for a template-driven client.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install rapidapi
After installation, invoke the skill by name or use /rapidapi
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.1.0

- Initial release of rapidapi-universal-skill: a minimal, template-driven RapidAPI client. - Auto-registers all RapidAPI action templates from the templates directory. - Provides consistent actions: listActions(), callAction(name, params), and callRapidApi(payload). - Includes helper script (import-endpoint.js) to convert RapidAPI endpoints to templates. - Designed for stable, repeatable calls to RapidAPI endpoints in local scripts or workflows.

Metadata

Slug rapidapi

Version 0.1.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is rapidapi?

Template-driven RapidAPI client with auto-registered actions and a universal call entrypoint. It is an AI Agent Skill for Claude Code / OpenClaw, with 351 downloads so far.

How do I install rapidapi?

Run "/install rapidapi" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is rapidapi free?

Yes, rapidapi is completely free (open-source). You can download, install and use it at no cost.

Which platforms does rapidapi support?

rapidapi is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created rapidapi?

It is built and maintained by web3aivc (@web3aivc); the current version is v0.1.0.

More Skills