技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.1
统计:⭐ 0 · 155 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:ayalili/env-secure-manager
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill's stated purpose (secure env/secret management) mostly matches its code, but there are implementation inconsistencies and environment-access behaviors not declared in metadata that merit caution before installing.
目的
Name/description (AES-256 secret storage, redaction, permissions) align with the included code: the module encrypts/decrypts values, redacts secrets from text, and can load environment variables. However SKILL.md claims 'lightweight no dependencies' yet the code imports zod and std modules from deno.land; also the metadata declares no required env vars but the code reads/writes an OPENCLAW_ENV_ENCRYPTION_KEY environment variable.
说明范围
The SKILL.md documents loadFromEnv, set/get/redact actions, which matches code. But the implementation reads Deno.env.toObject() (iterates process environment) and will set Deno.env.set('OPENCLAW_ENV_ENCRYPTION_KEY', ...) when auto-generating a key. The metadata did not declare that the skill will read or write environment variables. Reading all env entries (even though it filters by prefix) and writing a process env variable are broader scope…
安装机制
No install spec in registry, but the code includes remote imports from deno.land (zod and std modules). Fetching runtime dependencies from deno.land is common for Deno but it means remote code will be downloaded/executed at runtime — moderate supply-chain risk compared to fully local code.
证书
The skill declares no required env vars, yet init() will read OPENCLAW_ENV_ENCRYPTION_KEY and may write it to the process environment. loadFromEnv iterates the entire environment (via Deno.env.toObject()) and will import keys with a given prefix. This behavior is proportionate to a secret manager only if callers expect the skill to access process env; but that access is not declared and could expose many environment variables if the prefix is …
持久
The skill does not request 'always:true' and does not modify other skills. It does call Deno.env.set to persist the auto-generated encryption key into the process environment, which changes runtime state and could influence other components. This is not necessarily malicious but is a persistence/side-effect the user should be aware of.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「env-secure-manager」。简介:Secure environment variable & secret management with AES-256 encryption, auto-r…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/ayalili/env-secure-manager/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。