← Back to Skills Marketplace
95
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install sure-api
Description
Use the we-promise/sure REST API with X-Api-Key auth. Covers accounts, transactions, categories, tags, merchants, imports, holdings, trades, valuations, chat...
Usage Guidance
This skill implements a legitimate-looking client for the Sure API, but there are actionable mismatches you should resolve before trusting it:
- The skill reads SURE_API_KEY and SURE_BASE_URL from /root/.openclaw/workspace/secure/api-fillin.env (and will use that API key for any request). The registry metadata does not declare these required secrets or the config path — ask the publisher to add them to the metadata so you can make an informed decision.
- The included low-level script (scripts/sure_api_request.sh) can call any API endpoint (including destructive ones like user delete/reset) using the stored API key. Prefer using the high-level CLI (which has --yes gates) and only run the raw request script when you understand the consequences.
- The self-update script downloads the OpenAPI YAML from raw.githubusercontent.com and regenerates the local summary. If you or an automated agent runs that update, remote changes to the upstream spec could alter which endpoints the skill exposes; only run updates from a trusted network/source.
- If you will allow autonomous invocation, consider the increased blast radius: an autonomous agent with access to the secure env file and permission to run the update or raw request script could issue arbitrary calls. If you are unsure, keep the skill user-invocable only and do not store the API key in a shared location.
Suggested actions before installing: request updated metadata listing required env vars and config path; verify the secure env file is isolated and accessible only to the skill owner; prefer manual invocation for any write or update operations; and audit the OpenAPI file and allowed endpoints for any destructive actions you don’t want the agent to perform.
Capability Assessment
Purpose & Capability
The skill's name/description match the included code: a CLI, raw request wrapper, OpenAPI spec, and self-update flow for the Sure REST API. However the registry metadata claims no required env vars or config paths while the code and SKILL.md clearly expect SURE_BASE_URL and SURE_API_KEY to be read from /root/.openclaw/workspace/secure/api-fillin.env. The missing declaration of required secrets/config is an incoherence.
Instruction Scope
SKILL.md and the scripts limit actions to the official API and recommend a 'read -> dry-run -> confirm' pattern. Nevertheless the bundle includes sure_api_request.sh which will send arbitrary HTTP METHOD/PATH requests (including potentially destructive endpoints such as user delete/reset) using the stored API key. The self-update script fetches the OpenAPI spec from raw.githubusercontent.com and overwrites the local copy; if run automatically this could change agent behaviour. The instructions reference and access the secure env file path directly (not declared in metadata).
Install Mechanism
There is no install spec (instruction-only installation), so nothing is automatically written or installed at install time. The included sure_openapi_update.sh downloads an OpenAPI YAML from GitHub raw (a well-known host) when invoked; that download is expected for a self-update use case but it means remote content can change the skill's effective API surface when the update is run.
Credentials
The skill needs an API key and base URL (SURE_API_KEY, SURE_BASE_URL) stored in secure/api-fillin.env and the code reads /root/.openclaw/workspace/secure/api-fillin.env, but the package metadata lists no required env vars or config paths. Requiring secret access while not declaring it in metadata is disproportionate and reduces transparency. The requested secrets themselves (API key + base URL) are proportionate to the stated purpose if declared explicitly.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It can be invoked autonomously (default), which is normal; combine that with the earlier concerns (undeclared secrets + raw request capability + update-from-remote) if you plan to allow autonomous invocation.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install sure-api - After installation, invoke the skill by name or use
/sure-api - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial public release with official Sure API URLs, self-update workflow, live acceptance, and ClawHub publish readiness.
Metadata
Frequently Asked Questions
What is Sure API?
Use the we-promise/sure REST API with X-Api-Key auth. Covers accounts, transactions, categories, tags, merchants, imports, holdings, trades, valuations, chat... It is an AI Agent Skill for Claude Code / OpenClaw, with 95 downloads so far.
How do I install Sure API?
Run "/install sure-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Sure API free?
Yes, Sure API is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Sure API support?
Sure API is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Sure API?
It is built and maintained by ashanzzz (@ashanzzz); the current version is v1.0.0.
More Skills