← 返回 Skills 市场
suhteevah

apishield

作者 suhteevah · GitHub ↗ · v1.0.1 · MIT-0
darwinlinuxwin32 ⚠ suspicious
91
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install apishield
功能描述
API endpoint security auditor — scans route definitions for missing auth, rate limiting, CORS issues, and input validation holes
使用说明 (SKILL.md)

\r \r

APIShield -- API Endpoint Security Auditor\r

\r APIShield scans your API route definitions for security vulnerabilities including missing authentication middleware, rate limiting gaps, input validation holes, CORS misconfigurations, and exposed debug endpoints. It supports Express, FastAPI, Flask, Django, Rails, and Next.js. All scanning happens locally using regex-based pattern matching -- no code is sent to external servers.\r \r

Commands\r

\r

Free Tier (No license required)\r

\r

apishield scan [file|directory]\r

One-shot security audit of API route files.\r \r How to execute:\r

bash "\x3CSKILL_DIR>/scripts/apishield.sh" scan [target]\r
```\r
\r
**What it does:**\r
1. Accepts a file path or directory (defaults to current directory)\r
2. Auto-detects the framework (Express, FastAPI, Flask, Django, Rails, Next.js)\r
3. Finds all route definition files (excluding .git/, node_modules/, dist/, build/, vendor/, __pycache__)\r
4. Runs 20+ security checks against each route file\r
5. Outputs findings with: file, line number, check name, severity, description\r
6. Calculates a security score (0-100)\r
7. Free tier: limited to scanning up to 5 route files\r
8. Exit code 0 if score >= 70, exit code 1 if score \x3C 70 or critical issues found\r
\r
**Example usage scenarios:**\r
- "Scan my API routes for security issues" -> runs `apishield scan .`\r
- "Check this Express app for missing auth" -> runs `apishield scan src/routes/`\r
- "Audit my FastAPI endpoints" -> runs `apishield scan app/`\r
- "Are my API endpoints secure?" -> runs `apishield scan .`\r
\r
### Pro Tier ($19/user/month -- requires APISHIELD_LICENSE_KEY)\r
\r
#### `apishield scan [file|directory]` (unlimited)\r
Full security audit with no file limit and all 20+ checks enabled.\r
\r
**How to execute:**\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/apishield.sh" scan [target]\r
```\r
\r
**What it does (beyond free):**\r
1. Unlimited route file scanning\r
2. Full 20+ security checks including rate limit analysis, CORS validation, input validation, CSRF, SQL injection risk\r
3. Detailed remediation advice per finding\r
\r
#### `apishield hooks install`\r
Install git pre-commit hooks that scan staged route files for security issues before every commit.\r
\r
**How to execute:**\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/apishield.sh" hooks install\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Copies lefthook config to project root\r
3. Installs lefthook pre-commit hook\r
4. On every commit: scans staged route files (.js, .ts, .py, .rb) for security issues, blocks commit if critical issues found\r
\r
#### `apishield hooks uninstall`\r
Remove APIShield git hooks.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/apishield.sh" hooks uninstall\r
```\r
\r
#### `apishield report [directory]`\r
Generate a markdown security audit report.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/apishield.sh" report [directory]\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Runs full scan of the directory\r
3. Generates a formatted markdown report with severity breakdown\r
4. Includes per-endpoint findings, security score, and remediation steps\r
5. Output written to APISHIELD-REPORT.md\r
\r
### Team Tier ($39/user/month -- requires APISHIELD_LICENSE_KEY with team tier)\r
\r
#### `apishield inventory [directory]`\r
Generate a complete API endpoint inventory/catalog.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/apishield.sh" inventory [directory]\r
```\r
\r
**What it does:**\r
1. Validates Team+ license\r
2. Discovers all API endpoints across the codebase\r
3. Catalogs: HTTP method, path, framework, auth status, rate limiting, validation\r
4. Outputs a markdown table of all endpoints\r
5. Useful for API documentation and security reviews\r
\r
#### `apishield compliance [directory]`\r
Map findings to OWASP Top 10 API Security Risks.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/apishield.sh" compliance [directory]\r
```\r
\r
**What it does:**\r
1. Validates Team+ license\r
2. Runs full security scan\r
3. Maps each finding to relevant OWASP API Security Top 10 categories\r
4. Produces a compliance report showing coverage and gaps\r
5. Categories: Broken Object-Level Auth, Broken Authentication, Excessive Data Exposure, Lack of Resources & Rate Limiting, Broken Function-Level Auth, Mass Assignment, Security Misconfiguration, Injection, Improper Asset Management, Insufficient Logging\r
\r
## Detected Security Issues\r
\r
APIShield checks for 20+ security issues across 6 frameworks:\r
\r
| Check | Description | Severity |\r
|-------|-------------|----------|\r
| Missing Auth Middleware | Routes without authentication middleware | Critical |\r
| Debug Endpoints Exposed | /debug, /test, /admin without auth | Critical |\r
| SQL Injection Risk | String interpolation in SQL queries | Critical |\r
| Sensitive Data Exposure | Routes returning passwords/tokens/secrets | High |\r
| Missing Rate Limiting | Public endpoints without rate limit middleware | High |\r
| CORS Misconfiguration | Access-Control-Allow-Origin: * or overly permissive CORS | High |\r
| Missing Input Validation | Routes accepting req.body/params without validation | High |\r
| Missing CSRF Protection | State-changing endpoints without CSRF tokens | High |\r
| Overly Permissive Methods | app.all() or wildcard method handlers | Medium |\r
| Error Handling Leaks | Routes that might expose stack traces | Medium |\r
| Missing HTTP Security Headers | No helmet/security headers middleware | Medium |\r
| Insecure Direct Object Refs | Route params used directly in DB queries | Medium |\r
\r
## Configuration\r
\r
Users can configure APIShield in `~/.openclaw/openclaw.json`:\r
\r
```json\r
{\r
  "skills": {\r
    "entries": {\r
      "apishield": {\r
        "enabled": true,\r
        "apiKey": "YOUR_LICENSE_KEY_HERE",\r
        "config": {\r
          "severityThreshold": "high",\r
          "excludePatterns": ["**/node_modules/**", "**/dist/**", "**/.git/**"],\r
          "reportFormat": "markdown"\r
        }\r
      }\r
    }\r
  }\r
}\r
```\r
\r
## Important Notes\r
\r
- **Free tier** works immediately with no configuration (limited to 5 route files)\r
- **All scanning happens locally** -- no code is sent to external servers\r
- **License validation is offline** -- no phone-home or network calls\r
- Supports Express, FastAPI, Flask, Django, Rails, and Next.js\r
- Git hooks use **lefthook** which must be installed (see install metadata above)\r
- Exit codes: 0 = secure (score >= 70), 1 = issues found (for CI/CD integration)\r
\r
## Error Handling\r
\r
- If lefthook is not installed and user tries `hooks install`, prompt to install it\r
- If license key is invalid or expired, show clear message with link to https://apishield.pages.dev/renew\r
- If a file is binary, skip it automatically with no warning\r
- If no route files found in target, report clean scan with info message\r
- If framework cannot be auto-detected, try all framework patterns\r
\r
## When to Use APIShield\r
\r
The user might say things like:\r
- "Scan my API routes for security issues"\r
- "Check if my endpoints have authentication"\r
- "Are my Express routes secure?"\r
- "Audit my FastAPI endpoints for vulnerabilities"\r
- "Generate an API security report"\r
- "Check for CORS misconfigurations"\r
- "Find endpoints missing rate limiting"\r
- "Map my API security to OWASP Top 10"\r
- "Generate an API inventory"\r
- "Set up security checks on my commits"\r
- "Check for SQL injection risks in my routes"\r
- "Find debug endpoints that are exposed"\r
安全使用建议
This skill appears coherent with its stated purpose, but review these points before installing: (1) The Pro/Team features require a license key (APISHIELD_LICENSE_KEY) stored in environment or ~/.openclaw/openclaw.json — keep that file secure. (2) Installing hooks will modify or create lefthook.yml in your repository and install lefthook; pre-commit hooks will source and run the skill's shell scripts from ~/.openclaw/skills/apishield on every commit — only install hooks if you trust the skill directory. (3) The license validator optionally honors CLAWHUB_JWT_SECRET for signature checks (not declared in the manifest); if you set that env var it will be used for verification. (4) The scanner runs local grep/find pattern matches only (no observed network telemetry), but you should still review the shipped scripts and test in a safe repo/CI before enabling hooks across active projects. If you need higher assurance, ask the publisher for reproducible build provenance or a signed release artifact.
功能分析
Type: OpenClaw Skill Name: apishield Version: 1.0.1 APIShield is a legitimate API security auditing tool that performs local regex-based scanning of route definitions to identify vulnerabilities like missing authentication, SQL injection risks, and CORS misconfigurations. The core logic in `scripts/auditor.sh` and `scripts/patterns.sh` uses standard grep-based pattern matching to analyze source code without executing it or sending it to external servers. The skill includes features for git pre-commit hooks and OWASP compliance reporting, and its license validation in `scripts/license.sh` is a standard offline JWT-based implementation. No evidence of data exfiltration, malicious execution, or prompt injection was found.
能力标签
requires-oauth-tokenrequires-sensitive-credentials
能力评估
Purpose & Capability
Name/description match the requested binaries (git, bash, python3, jq), the primary credential (APISHIELD_LICENSE_KEY) is appropriate for a license-gated product, and the brew install of lefthook aligns with the advertised pre-commit hook feature.
Instruction Scope
Runtime instructions and scripts perform local filesystem scanning via grep/find and pattern matching as claimed; they read ~/.openclaw/openclaw.json to locate a stored license key. No network transmit code (curl/wget) or telemetry was found. Note: pre-commit hooks will source the shipped scripts from the skill directory at commit time (see persistence_privilege).
Install Mechanism
Install spec only requests lefthook via Homebrew, a well-known tool used for git hooks. The skill does not download arbitrary archives or execute remote installers.
Credentials
Only APISHIELD_LICENSE_KEY is required/declared and is appropriate. The code optionally consults ~/.openclaw/openclaw.json (declared in metadata). The license module references CLAWHUB_JWT_SECRET (used only for optional signature verification) but that env var is not declared in requires.env—this is optional and not required for normal operation, but it is a referenced secret the skill may use if present.
Persistence & Privilege
always:false and model invocation is allowed (default). The 'hooks install' command modifies repository lefthook.yml and runs lefthook install so the skill attains persistence at the git-hook level: installed hooks will source scripts from the skill directory (~/.openclaw/skills/apishield) and execute scans on every commit. This behavior is expected for a pre-commit scanner but is a privileged action that means future commits will execute the skill's shell code.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install apishield
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /apishield 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Fix: declare all deps, JWT signature verification, configPaths
v1.0.0
Initial release of APIShield – API endpoint security auditor. - Scans API route files for missing authentication, rate limiting gaps, CORS misconfigurations, input validation issues, CSRF, SQL injection risk, and more. - Supports Express, FastAPI, Flask, Django, Rails, and Next.js frameworks. - Provides free and paid tiers: free tier audits up to 5 files; Pro and Team tiers offer unlimited scans and extra features (git hooks, reports, OWASP mapping, endpoint inventory). - All scanning and license validation done locally; no code is sent to external servers. - Includes CLI commands for scanning, report generation, git hook setup, endpoint inventory, and compliance mapping. - Outputs findings with severity ratings, remediation advice, and security scores.
元数据
Slug apishield
版本 1.0.1
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 2
常见问题

apishield 是什么?

API endpoint security auditor — scans route definitions for missing auth, rate limiting, CORS issues, and input validation holes. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 91 次。

如何安装 apishield?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install apishield」即可一键安装,无需额外配置。

apishield 是免费的吗?

是的,apishield 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

apishield 支持哪些平台?

apishield 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(darwin, linux, win32)。

谁开发了 apishield?

由 suhteevah(@suhteevah)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论