← Back to Skills Marketplace
Lap Altoroj Rest Api
by
mickmicksh
· GitHub ↗
· v1.0.0
· MIT-0
50
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install lap-altoroj-rest-api
Description
AltoroJ REST API skill. Use when working with AltoroJ REST for login, account, transfer. Covers 12 endpoints.
README (SKILL.md)
AltoroJ REST API
API version: 1.0.2
Auth
ApiKey Authorization in header
Base URL
Not specified.
Setup
- Set your API key in the appropriate header
- GET /login -- verify access
- POST /login -- create first login
Endpoints
12 endpoints across 6 groups. See references/api-spec.lap for full details.
login
| Method | Path | Description |
|---|---|---|
| GET | /login | Check if any user is logged in |
| POST | /login | Login method |
account
| Method | Path | Description |
|---|---|---|
| GET | /account | Returns a list of all the accounts owned by the user |
| GET | /account/{accountNo} | Returns details about a specific account |
| GET | /account/{accountNo}/transactions | Returns the last 10 transactions attached to an account |
| POST | /account/{accountNo}/transactions | Return transactions between 2 specific dates |
transfer
| Method | Path | Description |
|---|---|---|
| POST | /transfer | Transfer money between two accounts |
feedback
| Method | Path | Description |
|---|---|---|
| POST | /feedback/submit | Submit feedback for the bank |
| GET | /feedback/{feedbackId} | Retrieve feedback |
admin
| Method | Path | Description |
|---|---|---|
| POST | /admin/addUser | Add new user |
| POST | /admin/changePassword | Change user password |
logout
| Method | Path | Description |
|---|---|---|
| GET | /logout | Logout from the bank |
Common Questions
Match user requests to endpoints in references/api-spec.lap. Key patterns:
- "List all login?" -> GET /login
- "Create a login?" -> POST /login
- "List all account?" -> GET /account
- "Get account details?" -> GET /account/{accountNo}
- "List all transactions?" -> GET /account/{accountNo}/transactions
- "Create a transaction?" -> POST /account/{accountNo}/transactions
- "Create a transfer?" -> POST /transfer
- "Create a submit?" -> POST /feedback/submit
- "Get feedback details?" -> GET /feedback/{feedbackId}
- "Create a addUser?" -> POST /admin/addUser
- "Create a changePassword?" -> POST /admin/changePassword
- "List all logout?" -> GET /logout
- "How to authenticate?" -> See Auth section
Response Tips
- Check response schemas in references/api-spec.lap for field details
- Create/update endpoints typically return the created/updated object
CLI
# Update this spec to the latest version
npx @lap-platform/lapsh get altoroj-rest-api -o references/api-spec.lap
# Search for related APIs
npx @lap-platform/lapsh search altoroj-rest-api
References
- Full spec: See references/api-spec.lap for complete endpoint details, parameter tables, and response schemas
Generated from the official API spec by LAP
Usage Guidance
This skill appears to describe a legitimate AltoroJ REST API and only asks for one API key, but there are notable gaps and small risks you should address before installing or running it:
- Missing base URL and missing API spec: ask the publisher or vendor for the exact base URL and the full API spec (references/api-spec.lap). Without those, the agent cannot safely form requests.
- Unknown provenance: there is no homepage or source repository. Prefer skills published by a known/verified source for anything that touches banking APIs.
- npx / remote code execution: the SKILL.md suggests using 'npx @lap-platform/lapsh' to fetch the spec. Running npx will execute remote code from npm; only run this after inspecting the package (review its code and maintainers) or obtain the spec from a trusted local copy.
- Protect the API key: only provide ALTOROJ_REST_API_KEY if you trust the skill and the runtime environment. Ensure the key has minimal permissions and can be revoked/rotated.
If the publisher can provide the base URL and embed the API spec in the skill bundle (or point to a verified, reviewable source), and if you confirm the npm package referenced is trustworthy, the remaining concerns would be reduced.
Capability Analysis
Type: OpenClaw Skill
Name: lap-altoroj-rest-api
Version: 1.0.0
The skill bundle is a standard API wrapper for AltoroJ, a well-known intentionally vulnerable web application used for security training. The SKILL.md file defines legitimate banking endpoints (login, account, transfer) and provides instructions for an AI agent to map user requests to these endpoints. While it includes 'npx' commands for updating the API specification via the '@lap-platform/lapsh' package, there is no evidence of malicious intent, data exfiltration, or harmful prompt injection.
Capability Tags
Capability Assessment
Purpose & Capability
Name/description (AltoroJ REST for login/account/transfer) align with requiring an API key (ALTOROJ_REST_API_KEY). However the SKILL.md does not include a base URL or the referenced API spec (references/api-spec.lap) inside the skill bundle, which prevents the agent from calling endpoints directly. Lack of homepage/source provenance is also a gap for a banking-related skill.
Instruction Scope
Runtime instructions are narrowly focused on calling the listed endpoints and setting the API key header, which is expected. But the doc explicitly tells the user/agent to run npx @lap-platform/lapsh to fetch the API spec; that instructs execution of remote code and implicitly trusts an external npm package. The skill does not include the spec it references, so the agent is guided to pull code from the network to get necessary details.
Install Mechanism
No install spec is present (instruction-only), which is low-risk in itself. However the included CLI examples advise running npx to fetch the API spec; npx executes a package from the npm registry (or remote) and can run arbitrary code. The skill does not supply or pin a specific trusted source/URL for the spec, increasing risk if the agent follows that advice.
Credentials
Only one environment variable (ALTOROJ_REST_API_KEY) is required, which is proportionate for an API client. Still, this is a sensitive credential (bank API key) and should be scoped and protected; the package provides no guidance about key scope, rotation, or least privilege.
Persistence & Privilege
The skill does not request always:true, does not include install hooks, and is instruction-only. It does not request persistent system-wide privileges. Autonomous invocation is allowed by platform default but not exceptional here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install lap-altoroj-rest-api - After installation, invoke the skill by name or use
/lap-altoroj-rest-api - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of lap-altoroj-rest-api skill.
- Provides access to 12 AltoroJ REST API endpoints across login, account, transfer, feedback, admin, and logout.
- Supports API key authentication via header.
- Includes setup instructions and endpoint usage patterns.
- Reference to detailed API specification in references/api-spec.lap.
- Requires ALTOROJ_REST_API_KEY environment variable.
Metadata
Frequently Asked Questions
What is Lap Altoroj Rest Api?
AltoroJ REST API skill. Use when working with AltoroJ REST for login, account, transfer. Covers 12 endpoints. It is an AI Agent Skill for Claude Code / OpenClaw, with 50 downloads so far.
How do I install Lap Altoroj Rest Api?
Run "/install lap-altoroj-rest-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Lap Altoroj Rest Api free?
Yes, Lap Altoroj Rest Api is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Lap Altoroj Rest Api support?
Lap Altoroj Rest Api is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Lap Altoroj Rest Api?
It is built and maintained by mickmicksh (@mickmicksh); the current version is v1.0.0.
More Skills