Total downloads: 1824
Favorites: 0
Current installs: 5
Versions: 2
Install in OpenClaw
/install yapi
Description
Query and sync YApi interface documentation. Use when user mentions "yapi 接口文档", YAPI docs, asks for request/response details, or needs docs sync. Also trigg...
Security usage recommendations
This skill appears to do what it says: call the yapi CLI (or use the @leeguoo/yapi-mcp npm package) and read your YApi config/auth files to fetch and sync interface docs. Before installing or using it: (1) confirm you trust the @leeguoo/yapi-mcp package (inspect its npm/GitHub source) because the fallback uses npx which runs remote code; (2) be aware the skill reads ~/.yapi/config.toml and ~/.yapi-mcp/auth-*.json (these can contain tokens) — avoid running it with highly privileged accounts unless you trust the environment; (3) if you want to reduce runtime risk, preinstall a vetted yapi CLI or a pinned version of the npm package instead of using npx -y; (4) expect the docs-sync commands to create/update .yapi/*.json files in your project directory — review those outputs before committing them.
Functional analysis
Type: OpenClaw Skill
Name: yapi
Version: 1.0.1
The skill is classified as suspicious due to its reliance on `npx -y` to download and execute an external package (`@leeguoo/yapi-mcp`) from npm, which introduces a supply chain risk. Additionally, the skill instructs the agent to read local configuration files (`~/.yapi/config.toml`) using `rg` and perform file write operations during documentation synchronization, granting significant file system access. While these actions are aligned with the stated purpose of YApi documentation management, they represent high-risk capabilities that could be exploited by a compromised `npx` package or a sophisticated prompt injection, even though the `SKILL.md` itself does not contain explicit malicious instructions.
Capability assessment
Purpose & Capability
The name/description (YApi docs query & sync) match the instructions: invoking the yapi CLI or the @leeguoo/yapi-mcp package, resolving api/project IDs, fetching JSON, and running docs-sync. Required files/paths referenced (~/.yapi/config.toml and ~/.yapi-mcp/auth-*.json) are directly relevant to locating the configured base_url and authentication state.
Instruction Scope
SKILL.md explicitly instructs reading the user's YApi config and auth cache and running yapi commands (whoami, login, search, docs-sync). These actions are within the task scope, but reading auth-cache files is sensitive (they may contain credentials/tokens) — the instructions do not attempt to exfiltrate them, but they do rely on local credential files.
Install Mechanism
There is no install spec (instruction-only). The guidance prefers a local yapi binary and falls back to 'npx -y @leeguoo/yapi-mcp'. Using npx executes code fetched from the npm registry on demand, which is common but carries the usual risk of executing third-party package code each run; consider pinning or preinstalling a vetted version if you want to avoid on-the-fly downloads.
Credentials
The skill requests no environment variables and does not require unrelated credentials. It references config and auth cache files in the user's home (appropriate for YApi operations). Those files are sensitive, so access is proportionate but should be treated as sensitive.
Persistence & Privilege
always is false and autonomous invocation is allowed (platform default). The skill's documented behavior may write project-local binding and mapping files (.yapi/docs-sync.json, .yapi.docs-sync.*) during syncs, which is expected and limited to the working project directory. It does not request system-wide or other-skills configuration changes.
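How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install yapi
- After installation, call the Skill by name directly or use /yapi to trigger it
- Provide the necessary inputs according to the Skill's parameter documentation to get structured output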
Version history
v1.0.1
- Prefer using the global yapi CLI; if missing, fallback to npx for command execution.
- Streamlined workflow steps for authentication, URL matching, and data fetching.
- Clarified command usage, including direct npx alternatives and project/category resolution.
- Updated docs sync instructions to emphasize binding mode and dry-run before syncing.
- Revised config and cache path guidance; expanded tool dependencies for sync/rendering.
- Added stronger recommendations for correct interface creation and field placement.
v1.0.0
yapi 1.0.0 initial release
- Enables querying and syncing YApi interface documentation based on YApi URLs or keywords.
- Detects valid YApi URLs by matching against configured base_url in ~/.yapi/config.toml.
- Guides installation and authentication for yapi CLI, including login and config setup.
- Provides CLI usage examples for searching, binding, and syncing API docs.
- Summarizes API details including method, path, headers, request/response schema, and examples.
- Outlines best practices for reliable API interface creation and documentation syncing.
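FAQ
What is Yapi?
Query and sync YApi interface documentation. Use when user mentions "yapi 接口文档", YAPI docs, asks for request/response details, or needs docs sync. Also trigg... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1824 cumulative downloads to date.
How do I install Yapi?
Run the command "/install yapi" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Yapi free?
Yes, Yapi is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Yapi support?
Yapi is cross-platform: it can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops Yapi?
It is developed and maintained by 郭立lee (@leeguooooo); the current version is v1.0.1.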