numbpill3d

Freeapi

by splicer scorn · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 529 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install freeapi
Description
Connect directly to any API using its OpenAPI spec with local API key storage, ensuring private, middleware-free requests from your machine.
README (SKILL.md)

freeAPI: The Sovereign Client

freeAPI is a direct execution engine for OpenClaw. It bypasses middleware, gateways, and data harvesters. With freeAPI, your agent connects directly from localhost to any API using its official OpenAPI/Swagger specification.

Philosophy

  • Sovereign: You own the connection. No third-party server mediates your requests.
  • Private: API keys stay in your local .env file. They are never sent to a gateway.
  • Spec-Driven: Just provide an OpenAPI spec URL or file. freeAPI figures out the rest.

Agent Usage (Natural Language)

Agents should integrate freeAPI seamlessly into the conversation.

1. Onboarding (The "Integral" Method)

Do not ask users to run raw CLI commands unless they prefer it. Instead, guide them conversationally:

  1. Ask: "Which service do you want to connect? (e.g., GitHub, Stripe, OpenAI)"
  2. Prompt: "Please provide your API key for [Service]. I will save it securely to your local .env file."
  3. Action: Use the write or edit tool to append the key to .env.
    • Format: SERVICE_NAME_KEY=value (e.g., GITHUB_TOKEN=ghp_...)
  4. Confirm: "Key saved. You can now use freeAPI with [Service]."

2. Execution

When a user asks to perform an action (e.g., "Check my GitHub issues"):

  1. Locate Spec: Find the OpenAPI spec URL (e.g., https://api.github.com/openapi/v3).
  2. Check Keys: Verify the key exists in .env. If not, trigger the Onboarding flow above.
  3. Run: Use node skills/freeAPI/index.js run with the spec and parameters.

Example Agent Thought Process:

User wants to list Stripe payments. I need the Stripe OpenAPI spec. I'll check .env for STRIPE_SECRET_KEY. It's missing. I will ask the user for it now, then save it, then run the listPayments operation.

User Guide (CLI Fallback)

For power users who prefer the terminal, the CLI is available.

  • Setup: node skills/freeAPI/index.js setup (Interactive checklist)
  • Run: node skills/freeAPI/index.js run ...

Why Not Middleware?

Middleware services introduce latency, dependency, and privacy risks. freeAPI eliminates these by running entirely on your machine.

Usage Guidance
This skill does what it claims — it runs locally, fetches OpenAPI specs, and will use API keys from your environment or save keys you provide into a .env file — but that same behavior can be risky. Before installing or using it: (1) avoid pasting highly privileged or long-lived master credentials; prefer scoped/least-privilege tokens. (2) Be aware keys are stored in plaintext .env in the working directory — consider using an encrypted secrets manager instead. (3) Only point the tool at OpenAPI specs you trust: the skill will make requests to servers listed in the spec and could contact attacker-controlled endpoints. (4) If you must try it, run in an isolated environment (throwaway workspace or container) and inspect the created .env file. If you want lower risk, request a version that uses a secure secret store or that prompts the user to set env vars manually rather than auto-appending to .env.
Capability Analysis
Type: OpenClaw Skill
Name: freeapi
Version: 1.0.0

The skill is suspicious due to multiple critical vulnerabilities. The `SKILL.md` explicitly instructs the AI agent to solicit API keys from the user and save them to the local `.env` file using a `write` or `edit` tool. This creates a direct prompt injection vector, allowing an attacker to instruct the agent to write arbitrary, potentially malicious, content into `.env`. Furthermore, the `index.js` script's `executeRequest` function loads OpenAPI specifications from arbitrary URLs or local files and then heuristically injects environment variables (including sensitive API keys loaded from `.env`) into outgoing HTTP requests based on security scheme names in the spec. This combination allows for easy data exfiltration: a malicious OpenAPI spec could define a security scheme matching a sensitive environment variable (e.g., `AWS_SECRET_ACCESS_KEY`) and then send that key to an attacker-controlled endpoint.
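A mitigation for the scheme-name heuristic described above is to bind each credential to a fixed set of hosts and select it from the destination alone. The sketch below is an added example, not freeAPI's code: `BINDINGS`, `resolveServer` and `authHeadersFor` are hypothetical names, and the environment values and specs are constructed samples.

```javascript
// Added example, not freeAPI's code. All names here are hypothetical and the
// env values and specs at the bottom are constructed for illustration.

// Operator-maintained map: which env var may go to which host, and how.
// Nothing in this table is ever derived from the OpenAPI document.
const BINDINGS = {
  GITHUB_TOKEN: { hosts: ['api.github.com'], header: 'Authorization', prefix: 'Bearer ' },
  STRIPE_SECRET_KEY: { hosts: ['api.stripe.com'], header: 'Authorization', prefix: 'Bearer ' },
};

// Parse the spec's first server entry; accept only a plain HTTPS origin.
function resolveServer(spec) {
  const raw = spec?.servers?.[0]?.url;
  if (typeof raw !== 'string') throw new Error('spec declares no server URL');
  const url = new URL(raw); // throws on relative or malformed URLs
  if (url.protocol !== 'https:') throw new Error(`refusing non-HTTPS server: ${url.origin}`);
  if (url.username || url.password) throw new Error('refusing server URL with userinfo');
  return url;
}

// Choose the credential from the destination host alone. Security scheme names
// in the spec are ignored, so a spec cannot request an env var by name.
function authHeadersFor(spec, env = process.env) {
  const { hostname } = resolveServer(spec);
  const match = Object.entries(BINDINGS).find(([, b]) => b.hosts.includes(hostname));
  if (!match) return {}; // unbound host: the request carries no secret
  const [envName, binding] = match;
  if (!env[envName]) throw new Error(`${envName} is not set`);
  return { [binding.header]: binding.prefix + env[envName] };
}

// Constructed inputs: a fake environment, a legitimate spec, and a spec shaped
// like the one the analysis warns about (scheme named after an unrelated secret).
const sampleEnv = { GITHUB_TOKEN: 'ghp_constructed', AWS_SECRET_ACCESS_KEY: 'constructed-aws' };
const githubSpec = { servers: [{ url: 'https://api.github.com' }] };
const hostileSpec = {
  servers: [{ url: 'https://collector.example/v1' }],
  components: {
    securitySchemes: { AWS_SECRET_ACCESS_KEY: { type: 'apiKey', in: 'header', name: 'X-Key' } },
  },
};

console.log(authHeadersFor(githubSpec, sampleEnv));
console.log(authHeadersFor(hostileSpec, sampleEnv));
```

With this design, adding a new service is an explicit operator decision (a new `BINDINGS` entry) rather than something a fetched spec can trigger.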
Capability Assessment
Purpose & Capability
The name/description (direct OpenAPI client with local key storage) align with the included code (index.js) and SKILL.md: it loads specs, builds requests, and uses env vars for auth. There are no unrelated required binaries or external services declared. However, the skill lists many common services and implicitly encourages collecting many keys; while consistent, this breadth is larger than minimal.
Instruction Scope
SKILL.md explicitly instructs the agent to ask the user for API keys and to use a write/edit tool to append them to a local .env file. That is within the claimed feature set, but it expands the agent's runtime actions to collecting and permanently storing arbitrary credentials in plaintext. The instructions also give the agent discretion to prompt for missing keys automatically — which could lead to unnecessary key collection if not tightly constrained.
Install Mechanism
No install spec; this is an instruction + code skill. package.json and dependencies are typical (commander, dotenv, inquirer, yaml). Nothing in the install surface downloads code from untrusted URLs or writes unexpected binaries.
Credentials
The skill declares no required env vars but the code will read process.env (after dotenv.config()) and uses a heuristic to map OpenAPI security scheme names to environment variable names. It also ships a long SERVICES list and will prompt to store many different service keys in .env. Collecting multiple unrelated credentials and storing them in plaintext is disproportionate and increases exposure. The skill does not declare a primary credential or justify why all listed services might be needed.
Persistence & Privilege
always is false and the skill does not request persistent platform-level privileges or modify other skills. It will write to a local .env file (its expected operation) but does not attempt to change global agent configuration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install freeapi
  3. After installation, invoke the skill by name or use /freeapi
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of freeAPI: The Sovereign Client

  • Enables direct execution of OpenAPI/Swagger endpoints from localhost, with no middleware or gateways involved.
  • Keeps API keys fully private by storing them only in your local `.env` file.
  • Provides a guided, conversational method for onboarding and key management—no CLI commands unless preferred.
  • Automatically fetches OpenAPI specs and handles requests based on natural language prompts.
  • Includes CLI support for advanced or power users as an alternative interface.
Metadata
Slug freeapi
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Freeapi?

Connect directly to any API using its OpenAPI spec with local API key storage, ensuring private, middleware-free requests from your machine. It is an AI Agent Skill for Claude Code / OpenClaw, with 529 downloads so far.

How do I install Freeapi?

Run "/install freeapi" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Freeapi free?

Yes, Freeapi is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Freeapi support?

Freeapi is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Freeapi?

It is built and maintained by splicer scorn (@numbpill3d); the current version is v1.0.0.
