ilya-ryzhov

Strapi CMS

by Ilya R. · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
809 Downloads
0 Stars
1 Active Installs
1 Versions
Install in OpenClaw
/install strapi
Description
Manage Strapi CMS content through the official @strapi/client SDK. CRUD on collection types, single types, and media files. Upload files to media library. In...
Usage Guidance
This skill appears coherent and implements a Strapi client CLI as claimed. Before installing:
  1. Confirm the skill source/author (homepage is missing and owner ID is unknown).
  2. Use a Strapi API token with the minimum permissions you need (prefer a read-only token if you only need inspection).
  3. Be aware the skill runs local Node commands (npx tsx ...) and may cause npx to fetch dev tooling at runtime — run in an isolated environment or review package-lock.json first.
  4. Schema-write and layout-write operations are destructive and should only be used on development/local instances (the docs already warn about this).
  5. Ask the publisher to clarify the install metadata that claims to 'create' a node binary — it looks like a packaging/manifest inconsistency but not an indicator of malicious behavior.
Capability Analysis
Type: OpenClaw Skill
Name: strapi
Version: 1.0.0
The skill is classified as suspicious due to several risky capabilities that could be exploited via prompt injection or malicious user input. Specifically, `src/handlers/files.ts` allows reading arbitrary local files (`readFileSync`) and downloading files from arbitrary URLs (`fetch`), then uploading their content to the configured Strapi instance. This creates a significant data exfiltration risk. Additionally, `src/index.ts` exposes a `fetch` domain that enables raw HTTP requests to any path on the `STRAPI_BASE_URL`, which could be abused for unauthorized actions or reconnaissance. While these capabilities align with the stated purpose of a comprehensive Strapi management tool, they represent high-risk attack surfaces without clear malicious intent within the skill's code itself.
Capability Assessment
Purpose & Capability
Name/description match the code and handlers. Required env vars (STRAPI_API_TOKEN, STRAPI_BASE_URL) and the node runtime are appropriate and necessary for using @strapi/client. Declared permissions (network) and the documented capabilities (CRUD, media upload, schema introspection, i18n) align with the implementation.
Instruction Scope
SKILL.md and instructions.md direct the agent to run the local CLI wrapper (npx tsx src/index.ts) and to use only the declared environment variables. The instructions do not ask the agent to read unrelated system files or exfiltrate data to third-party endpoints. Raw fetch functionality is limited to Strapi endpoints (via the client).
Install Mechanism
The package is a normal Node skill (package.json depends on @strapi/client). No arbitrary external download URLs are used. However, the install spec in metadata is unusual: it lists an install item with kind 'node' and package '.' that declares it 'creates' a 'node' binary — that mapping is incoherent (you wouldn't install the Node runtime from the skill package). Also runtime usage expects 'tsx' (a devDependency) invoked via npx, which may cause npx to fetch packages at runtime. These are implementation/packaging oddities rather than indicators of malicious behavior, but worth confirming.
Credentials
Only two environment values are required: STRAPI_API_TOKEN (primary credential) and STRAPI_BASE_URL. Both are necessary and proportionate for accessing a Strapi API. There are no unrelated secrets requested.
Persistence & Privilege
Skill does not request always:true and does not declare any system-wide config changes. Its manifest and instructions operate within the skill's own directory and runtime; autonomous invocation is permitted (platform default) but not combined with elevated privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install strapi
  3. After installation, invoke the skill by name or use /strapi
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release: Manage Strapi CMS content via the official @strapi/client SDK.
- Supports CRUD operations for collection types, single types, and media files.
- Enables schema introspection, form layout configuration, and draft/publish workflow.
- Manage users, roles, permissions, authentication, locales, and localized content.
- Upload files to the media library and handle translations/localization.
- Requires STRAPI_API_TOKEN and STRAPI_BASE_URL environment variables.
Metadata
Slug strapi
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Strapi CMS?

Manage Strapi CMS content through the official @strapi/client SDK. CRUD on collection types, single types, and media files. Upload files to media library. In... It is an AI Agent Skill for Claude Code / OpenClaw, with 809 downloads so far.

How do I install Strapi CMS?

Run "/install strapi" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Strapi CMS free?

Yes, Strapi CMS is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Strapi CMS support?

Strapi CMS is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Strapi CMS?

It is built and maintained by Ilya R. (@ilya-ryzhov); the current version is v1.0.0.
