← Back to Skills Marketplace
longway-code

form2api

by longway-code · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
238
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install form2api
Description
Automatically intercept and analyze login-required form submissions to generate reusable API docs and call code for automation and bulk operations.
README (SKILL.md)

Form2API

All you need to do: send me the form URL, then submit the form once manually. I'll handle the rest.

What it does:

  • Injects a network interceptor into the page to capture real API requests on form submission
  • Analyzes the request structure, annotating which fields are user input vs fixed values vs auto-generated
  • Generates complete API documentation with curl and Python examples
  • Enables batch/automated operations without manual form filling

Typical use cases:

  • Internal system forms are tedious — you want to create data in bulk via script
  • You need to automate a workflow but there's no official API documentation
  • You want to understand what APIs a form is actually calling under the hood

How to trigger: Send me the form page URL and say something like "reverse this form" / "find the API for this form" / "I want to automate this form".

Workflow (Agent execution steps)

Step 1: Inject interceptor

After opening the target page, inject the interceptor script via the browser tool's evaluate action:

Read script content from:
\x3Cskill_dir>/scripts/inject_interceptor.js

Then execute it via browser(action=act) evaluate to inject into the page.

On success returns { status: 'injected' }. Returns already_active if already injected.

Step 2: Prompt user to submit the form

Tell the user:

"Interceptor is ready. Please fill out and submit the form normally in the browser, then let me know when done."

Step 3: Read captured results

After user submits, run evaluate to read captured requests:

JSON.stringify(window.__capturedRequests)

Save the result to /tmp/form_api_raw.json.

Step 4: Analyze requests

python3 \x3Cskill_dir>/scripts/analyze_requests.py /tmp/form_api_raw.json

Outputs a ranked list of candidate API requests. Structured result saved to /tmp/form_api_analysis.json.

Step 5: Extract cookies

COOKIE=$(python3 \x3Cskill_dir>/scripts/extract_cookies.py \x3Ctarget_url>)
echo $COOKIE

Cookies are auto-cached in /tmp/form_api_cookies/ for 1 hour. Repeated calls reuse the cache.

Step 6: Generate API documentation

Based on the analysis, using references/output_template.md as reference, generate complete API docs including:

  • Endpoint info (URL, method, content-type)
  • Request parameter table (user input / fixed value / system-generated)
  • Cookie extraction command
  • curl and Python call examples

Scripts

Script Purpose
scripts/inject_interceptor.js Injected into page to hook fetch/XHR
scripts/extract_cookies.py Standardized cookie extraction with caching
scripts/analyze_requests.py Filter and annotate captured requests

Notes

  • Browser requirement: The target page must already be open and logged in within the current browser session
  • Interceptor lifecycle: Interceptor is cleared on page refresh — re-inject if needed
  • Multiple submissions: window.__capturedRequests accumulates across submissions; analysis picks the most relevant batch
  • Cookie expiry: If API returns 401/403, re-extract with --force flag
  • Output format reference: references/output_template.md
Usage Guidance
This skill appears to do what it claims, but it collects very sensitive data (request bodies, response bodies, headers and session cookies) in order to recreate API calls. Before installing/using: 1) Only run against sites you control or where you have explicit permission; do not use on third-party accounts. 2) Review the three included scripts yourself; they will inject JS into pages and extract cookies via Chrome DevTools Protocol. 3) Be aware cookies are cached under /tmp/form_api_cookies for 1 hour — clear or secure that directory if needed. 4) extract_cookies.py requires Chrome running with --remote-debugging-port=9222 and the websocket-client Python package; the skill does not auto-install that dependency. 5) Prefer running this in an isolated environment (dedicated VM/container) to avoid leaking session tokens to other users/processes. If you need stronger guarantees, request changes: explicit dependency declaration, an option to avoid caching cookies to disk, and a clear warning about what data is captured and where it is stored.
Capability Analysis
Type: OpenClaw Skill Name: form2api Version: 1.0.0 The skill provides a tool for reverse-engineering web forms by intercepting network traffic and extracting browser cookies. It utilizes `inject_interceptor.js` to hook `fetch` and `XHR` calls and `extract_cookies.py` to retrieve session cookies via the Chrome DevTools Protocol (CDP) at `127.0.0.1:9222`. While these high-risk capabilities are aligned with the stated purpose of API discovery and automation, the programmatic capture of session data and interception of all page traffic are sensitive operations that could be abused. No evidence of intentional data exfiltration or hidden malicious logic was found.
Capability Assessment
Purpose & Capability
The name/description (form → API reverse engineering) matches the provided artifacts: a JS injector to hook fetch/XHR, a request analyzer, and a cookie extraction script. No unrelated environment variables, binaries, or external services are requested.
Instruction Scope
Runtime instructions are explicit: inject the provided JS into the open page, ask the user to submit once, read window.__capturedRequests, analyze and save results, and extract cookies via CDP. This is functionally consistent with the goal, but the interceptor captures full request/response bodies and headers (including auth tokens) and the SKILL.md does not strongly warn about the sensitivity of that data or restrict capture to same-origin requests.
Install Mechanism
This is instruction-only (no installer), so nothing is written to disk by an installer. Note: the Python cookie extractor requires an external package (websocket-client) but there is no install spec or automated dependency declaration — the script prints an error suggesting pip install if missing.
Credentials
Although no environment variables or external credentials are requested, the skill actively extracts session cookies from the browser (via Chrome CDP) and captures headers/bodies that can include sensitive auth tokens. Those credentials are cached in /tmp/form_api_cookies for 1 hour; caching session cookies to a world-accessible tmp location increases risk if run on a multi-user system.
Persistence & Privilege
The skill does not set always:true and does not alter global agent config, which is good. However it writes artifacts to /tmp (captured JSON and cookie cache) and leaves an in-page interceptor active until page refresh. The cookie cache persists for up to an hour by design; this is persistent data containing session tokens and should be considered sensitive.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install form2api
  3. After installation, invoke the skill by name or use /form2api
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of form-to-api – a tool for reverse-engineering web forms into reusable APIs. - Capture real API requests when a form is submitted, no manual analysis needed. - Automatically identify which fields are user inputs and which are fixed. - Generate a structured API document, including curl and Python usage examples. - Supports cookie extraction and re-use, streamlining automation for authenticated forms. - Simple workflow: just share the form URL and submit it once; everything else is automated.
Metadata
Slug form2api
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is form2api?

Automatically intercept and analyze login-required form submissions to generate reusable API docs and call code for automation and bulk operations. It is an AI Agent Skill for Claude Code / OpenClaw, with 238 downloads so far.

How do I install form2api?

Run "/install form2api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is form2api free?

Yes, form2api is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does form2api support?

form2api is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created form2api?

It is built and maintained by longway-code (@longway-code); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments