Build and validate GraphQL queries, mutations, and schemas. Use when working with GraphQL APIs.

This skill appears coherent with its purpose, but the included shell script is low-quality and has potential safety/correctness issues you should consider before use: - The script uses unquoted variable expansions (e.g., cat $2, grep $2). Passing file paths or URLs with spaces or shell metacharacters could cause unexpected behavior or command injection. Do not run it on untrusted input. - Some functions print literal '$2' and '$3' rather than expanding arguments, so the output may not be useful as-is. - The introspect command issues a curl POST to whichever URL you pass. Only use endpoints you trust and avoid passing URLs that include embedded credentials or tokens. - The script creates a data directory at ~/.local/share/graphql-builder; check its contents if you care about local storage. Recommendations: review and/or fix the script (add proper quoting, use the local variables, and ensure safe handling of input) or run the skill in an isolated environment. If you accept these caveats and trust the author, the skill's footprint is proportionate to its stated functionality.

Type: OpenClaw Skill Name: graphql-builder Version: 3.0.0 The script 'scripts/script.sh' contains multiple shell injection vulnerabilities due to unquoted variables in commands such as 'cat', 'grep', and 'mkdir' (e.g., in cmd_validate and cmd_format). It also includes an 'introspect' command that performs arbitrary network requests via 'curl' to user-provided URLs. While the behavior aligns with the stated GraphQL utility purpose, the lack of input sanitization and the presence of large blocks of empty padding in the script are characteristic of low-quality or potentially risky code.