← 返回 Skills 市场
form2api
作者
longway-code
· GitHub ↗
· v1.0.0
· MIT-0
238
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install form2api
功能描述
Automatically intercept and analyze login-required form submissions to generate reusable API docs and call code for automation and bulk operations.
使用说明 (SKILL.md)
Form2API
All you need to do: send me the form URL, then submit the form once manually. I'll handle the rest.
What it does:
- Injects a network interceptor into the page to capture real API requests on form submission
- Analyzes the request structure, annotating which fields are user input vs fixed values vs auto-generated
- Generates complete API documentation with curl and Python examples
- Enables batch/automated operations without manual form filling
Typical use cases:
- Internal system forms are tedious — you want to create data in bulk via script
- You need to automate a workflow but there's no official API documentation
- You want to understand what APIs a form is actually calling under the hood
How to trigger: Send me the form page URL and say something like "reverse this form" / "find the API for this form" / "I want to automate this form".
Workflow (Agent execution steps)
Step 1: Inject interceptor
After opening the target page, inject the interceptor script via the browser tool's evaluate action:
Read script content from:
\x3Cskill_dir>/scripts/inject_interceptor.js
Then execute it via browser(action=act) evaluate to inject into the page.
On success returns { status: 'injected' }. Returns already_active if already injected.
Step 2: Prompt user to submit the form
Tell the user:
"Interceptor is ready. Please fill out and submit the form normally in the browser, then let me know when done."
Step 3: Read captured results
After user submits, run evaluate to read captured requests:
JSON.stringify(window.__capturedRequests)
Save the result to /tmp/form_api_raw.json.
Step 4: Analyze requests
python3 \x3Cskill_dir>/scripts/analyze_requests.py /tmp/form_api_raw.json
Outputs a ranked list of candidate API requests. Structured result saved to /tmp/form_api_analysis.json.
Step 5: Extract cookies
COOKIE=$(python3 \x3Cskill_dir>/scripts/extract_cookies.py \x3Ctarget_url>)
echo $COOKIE
Cookies are auto-cached in /tmp/form_api_cookies/ for 1 hour. Repeated calls reuse the cache.
Step 6: Generate API documentation
Based on the analysis, using references/output_template.md as reference, generate complete API docs including:
- Endpoint info (URL, method, content-type)
- Request parameter table (user input / fixed value / system-generated)
- Cookie extraction command
- curl and Python call examples
Scripts
| Script | Purpose |
|---|---|
scripts/inject_interceptor.js |
Injected into page to hook fetch/XHR |
scripts/extract_cookies.py |
Standardized cookie extraction with caching |
scripts/analyze_requests.py |
Filter and annotate captured requests |
Notes
- Browser requirement: The target page must already be open and logged in within the current browser session
- Interceptor lifecycle: Interceptor is cleared on page refresh — re-inject if needed
- Multiple submissions:
window.__capturedRequestsaccumulates across submissions; analysis picks the most relevant batch - Cookie expiry: If API returns 401/403, re-extract with
--forceflag - Output format reference:
references/output_template.md
安全使用建议
This skill appears to do what it claims, but it collects very sensitive data (request bodies, response bodies, headers and session cookies) in order to recreate API calls. Before installing/using: 1) Only run against sites you control or where you have explicit permission; do not use on third-party accounts. 2) Review the three included scripts yourself; they will inject JS into pages and extract cookies via Chrome DevTools Protocol. 3) Be aware cookies are cached under /tmp/form_api_cookies for 1 hour — clear or secure that directory if needed. 4) extract_cookies.py requires Chrome running with --remote-debugging-port=9222 and the websocket-client Python package; the skill does not auto-install that dependency. 5) Prefer running this in an isolated environment (dedicated VM/container) to avoid leaking session tokens to other users/processes. If you need stronger guarantees, request changes: explicit dependency declaration, an option to avoid caching cookies to disk, and a clear warning about what data is captured and where it is stored.
功能分析
Type: OpenClaw Skill
Name: form2api
Version: 1.0.0
The skill provides a tool for reverse-engineering web forms by intercepting network traffic and extracting browser cookies. It utilizes `inject_interceptor.js` to hook `fetch` and `XHR` calls and `extract_cookies.py` to retrieve session cookies via the Chrome DevTools Protocol (CDP) at `127.0.0.1:9222`. While these high-risk capabilities are aligned with the stated purpose of API discovery and automation, the programmatic capture of session data and interception of all page traffic are sensitive operations that could be abused. No evidence of intentional data exfiltration or hidden malicious logic was found.
能力评估
Purpose & Capability
The name/description (form → API reverse engineering) matches the provided artifacts: a JS injector to hook fetch/XHR, a request analyzer, and a cookie extraction script. No unrelated environment variables, binaries, or external services are requested.
Instruction Scope
Runtime instructions are explicit: inject the provided JS into the open page, ask the user to submit once, read window.__capturedRequests, analyze and save results, and extract cookies via CDP. This is functionally consistent with the goal, but the interceptor captures full request/response bodies and headers (including auth tokens) and the SKILL.md does not strongly warn about the sensitivity of that data or restrict capture to same-origin requests.
Install Mechanism
This is instruction-only (no installer), so nothing is written to disk by an installer. Note: the Python cookie extractor requires an external package (websocket-client) but there is no install spec or automated dependency declaration — the script prints an error suggesting pip install if missing.
Credentials
Although no environment variables or external credentials are requested, the skill actively extracts session cookies from the browser (via Chrome CDP) and captures headers/bodies that can include sensitive auth tokens. Those credentials are cached in /tmp/form_api_cookies for 1 hour; caching session cookies to a world-accessible tmp location increases risk if run on a multi-user system.
Persistence & Privilege
The skill does not set always:true and does not alter global agent config, which is good. However it writes artifacts to /tmp (captured JSON and cookie cache) and leaves an in-page interceptor active until page refresh. The cookie cache persists for up to an hour by design; this is persistent data containing session tokens and should be considered sensitive.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install form2api - 安装完成后,直接呼叫该 Skill 的名称或使用
/form2api触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of form-to-api – a tool for reverse-engineering web forms into reusable APIs.
- Capture real API requests when a form is submitted, no manual analysis needed.
- Automatically identify which fields are user inputs and which are fixed.
- Generate a structured API document, including curl and Python usage examples.
- Supports cookie extraction and re-use, streamlining automation for authenticated forms.
- Simple workflow: just share the form URL and submit it once; everything else is automated.
元数据
常见问题
form2api 是什么?
Automatically intercept and analyze login-required form submissions to generate reusable API docs and call code for automation and bulk operations. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 238 次。
如何安装 form2api?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install form2api」即可一键安装,无需额外配置。
form2api 是免费的吗?
是的,form2api 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
form2api 支持哪些平台?
form2api 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 form2api?
由 longway-code(@longway-code)开发并维护,当前版本 v1.0.0。
推荐 Skills