← 返回 Skills 市场
770
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install public-apis-skill-creator
功能描述
公共API/免费API SKILL生成器:从 public-apis/public-apis 自动检索免费 API,按功能推荐并给出最小可用调用示例(curl/Python/JS),并可自动生成自定义名称的 API skill。用户提到“公共API”“免费API”“public APIs”“找接口/找API”“生...
安全使用建议
This skill appears to do what it claims (search public-apis, produce examples, and scaffold skills), but pay attention to two practical risks before running it: 1) Network probing risk: the optional --try probe issues a curl GET to the selected URL and prints response bytes. If an API entry (or a maliciously crafted link) points to an internal endpoint (localhost, cloud instance metadata, or other private services), the probe can retrieve and print sensitive data. Avoid using --try unless you trust the target URLs or run in an isolated environment; consider adding hostname filtering. 2) File write risk: the scripts cache data under ~/.cache and by default write generated skills into /root/.openclaw/workspace/skills. Review or override the --out-dir to a safe location you control, and do not run as root. Recommendations: run the scripts in a sandboxed VM or container, disable --try or inspect links before probing, set OUT_DIR to a non-privileged path, review generated call.sh/python_example.sh before executing them (they will call remote URLs and may require tokens), and avoid enabling autonomous agent execution if you do not want the agent making outbound network calls on its own. If you want to be safer, request that the author add host allowlists/denylists and make the OUT_DIR default configurable to the current user's workspace instead of /root.
功能分析
Type: OpenClaw Skill
Name: public-apis-skill-creator
Version: 1.0.0
The skill is classified as suspicious due to multiple critical shell injection vulnerabilities (RCE risks) and prompt injection risks. Specifically, `scripts/create_skill.sh` directly interpolates user-controlled input (like API URLs and descriptions) into generated shell scripts and markdown files without proper sanitization, allowing for arbitrary command execution and prompt injection in the newly created skill. Similarly, `scripts/gen_usage.sh` and `scripts/solve_task.sh` (especially with the `--try` flag) directly interpolate API URLs into `curl` commands, creating shell injection vulnerabilities that could lead to RCE if exploited by a malicious input or a compromised API source.
能力评估
Purpose & Capability
The name/description (discover public/free APIs from public-apis and generate examples/skill skeletons) matches the included scripts: listing/searching the public-apis README, generating curl/Python/JS examples, and creating a skill skeleton. No unrelated credentials or external tooling are requested.
Instruction Scope
The runtime instructions and scripts stay within the declared purpose but include steps that probe arbitrary discovered URLs (solve_task.sh --try uses curl to fetch the chosen URL and prints the first 500 bytes). That network probing can be used to contact internal/metadata endpoints if a URL points there. The scripts also create files (skill skeletons) and cache API lists on disk. The scripts do not restrict target hosts (no localhost/169.254.169.254 filtering) and will print remote responses, which increases the risk of inadvertent data disclosure.
Install Mechanism
There is no external install/download step. The skill is instruction-and-script-only; all files are bundled with the skill. No installers or remote code downloads are performed by the skill itself, which lowers supply-chain risk.
Credentials
The skill declares no required env vars or credentials. The generated skill skeletons may reference an API_TOKEN for authenticated APIs (reasonable). Scripts use HOME for cache (~/.cache/public-apis-helper) and create files under an OUT_DIR default (/root/.openclaw/workspace/skills). No unrelated secrets are requested, but the generated artifacts and the optional probe will interact with external endpoints and may expose returned data.
Persistence & Privilege
always:false and the skill is user-invocable; it does not attempt to enable itself permanently. However, it writes to disk (cache in the user's home, and skill skeletons by default into /root/.openclaw/workspace/skills). Creating files in that workspace is consistent with a skill-generator, but the hardcoded default of /root/.openclaw/workspace/skills may be surprising and could require elevated permissions or write into sensitive locations if run as root.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install public-apis-skill-creator - 安装完成后,直接呼叫该 Skill 的名称或使用
/public-apis-skill-creator触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: search/list public-apis, generate usage snippets, auto-generate custom-named API skills, support --pick selection
元数据
常见问题
Public APIs Skill Creator 是什么?
公共API/免费API SKILL生成器:从 public-apis/public-apis 自动检索免费 API,按功能推荐并给出最小可用调用示例(curl/Python/JS),并可自动生成自定义名称的 API skill。用户提到“公共API”“免费API”“public APIs”“找接口/找API”“生... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 770 次。
如何安装 Public APIs Skill Creator?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install public-apis-skill-creator」即可一键安装,无需额外配置。
Public APIs Skill Creator 是免费的吗?
是的,Public APIs Skill Creator 完全免费(开源免费),可自由下载、安装和使用。
Public APIs Skill Creator 支持哪些平台?
Public APIs Skill Creator 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Public APIs Skill Creator?
由 547895019(@547895019)开发并维护,当前版本 v1.0.0。
推荐 Skills