OpenClaw API Control
by Florian Standhartinger · GitHub · v0.1.1 · MIT-0
174 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install openclaw-api-control
Description
Control a hosted OpenClaw instance through the OpenClaw as a Service API. Use when the user asks to talk to OpenClaw over API, send a folder or file to OpenC...
Usage Guidance
This package appears to be a straightforward OpenClaw API client and the code matches the documented commands, but there are notable red flags to consider before installing:
- The SKILL.md and script require OPENCLAW_API_KEY (and optionally OPENCLAW_API_BASE_URL / OPENCLAW_INSTANCE_ID), yet the registry metadata listed no required credentials — ask the publisher to correct the registry metadata and explain why it was omitted.
- The script will read and upload local files when you explicitly request 'upload-tree' or similar; it enforces a 5MB per-file limit and skips likely binaries, but it will transmit whatever you point it at to the configured API_BASE_URL. Ensure OPENCLAW_API_BASE_URL is the official endpoint before uploading sensitive files.
- Only provide an API key scoped to the minimum privileges and instances needed; consider creating a test key and rotating it after validating the skill.
- The owner and homepage are unknown. Prefer skills from known publishers or with an audit trail; request provenance (author email, repo, or signed release) and review the full script yourself or have a trusted party do so.
- Because the manifest/metadata mismatch is the primary concern, ask the maintainer to fix the metadata (declare OPENCLAW_API_KEY as a required credential) and re-publish. If you cannot verify the source or correct the metadata, run the skill in a sandboxed environment and avoid uploading sensitive data.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-api-control
Version: 0.1.1
The skill provides a Node.js client (scripts/openclaw_api_client.mjs) to manage remote OpenClaw instances via an API. It includes high-risk capabilities such as recursive local file reading and uploading (upload-tree) and remote command execution (terminal exec) on the target instance. While these behaviors are aligned with the stated purpose in SKILL.md and require a user-provided OPENCLAW_API_KEY, the broad file and network access to the default endpoint (openclaw-as-a-service.com) constitutes a significant attack surface for data exfiltration if misused.
Capability Assessment
Purpose & Capability
The SKILL.md and scripts implement an OpenClaw-as-a-Service API client (instance listing/creation, chat, file uploads, command exec) which matches the skill name/description. However the registry metadata at the top of the report lists no required environment variables or primary credential, while SKILL.md and the script require OPENCLAW_API_KEY (and optionally OPENCLAW_API_BASE_URL and OPENCLAW_INSTANCE_ID). That mismatch between declared registry requirements and the runtime instructions is an incoherence that should be resolved before trusting the skill.
Instruction Scope
The SKILL.md gives concrete commands and the code only performs the described actions: network calls to the configured API_BASE_URL, reading local files only when the user explicitly requests an upload, size limit (5MB) and a text-file heuristic are applied. There are no instructions to read arbitrary shell history or unrelated system files. The agent will need to supply the API key to operate.
Install Mechanism
There is no install spec (instruction-only with an included Node script). Nothing is downloaded from third-party URLs and no installers are run. The runtime risk is limited to executing the included Node script, which is visible in the bundle.
Credentials
The code legitimately requires a bearer API key (OPENCLAW_API_KEY) and optionally OPENCLAW_API_BASE_URL / OPENCLAW_INSTANCE_ID. Those are reasonable for the stated purpose, but the registry metadata inexplicably omitted them; the omission is suspicious. Also note OPENCLAW_API_BASE_URL is configurable — if an attacker or misconfiguration points it at a malicious endpoint, files and messages would be sent there. Treat the API key as sensitive and use a key scoped to minimal privileges/instances.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. Autonomous invocation (disable-model-invocation: false) is the platform default; combined with the other concerns this does not by itself change the verdict.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install openclaw-api-control
- After installation, invoke the skill by name or use /openclaw-api-control
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
Add env var declarations and security metadata to resolve ClawHub scanner flags
v0.1.0
Initial release
Frequently Asked Questions
What is OpenClaw API Control?
Control a hosted OpenClaw instance through the OpenClaw as a Service API. Use when the user asks to talk to OpenClaw over API, send a folder or file to OpenC... It is an AI Agent Skill for Claude Code / OpenClaw, with 174 downloads so far.
How do I install OpenClaw API Control?
Run "/install openclaw-api-control" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OpenClaw API Control free?
Yes, OpenClaw API Control is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does OpenClaw API Control support?
OpenClaw API Control is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created OpenClaw API Control?
It is built and maintained by Florian Standhartinger (@fstandhartinger); the current version is v0.1.1.