Skill details (on-site mirror, no comments)
Author: Bloom Protocol @bloomprotocol
License: MIT-0
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Version: v2.0.1
Stats: ⭐ 0 · 1.2k · 0 current installs · 0 all-time installs
🛡 VirusTotal: Suspicious · OpenClaw: Suspicious
Package: bloomprotocol/bloom
Security scan (ClawHub)
- VirusTotal: Suspicious
- OpenClaw: Suspicious
OpenClaw assessment
The skill's core purpose (analyze chat to produce a supporter identity) is plausible, but there are notable mismatches and risky behaviors (auto-install from GitHub, undeclared env vars including a default JWT secret, and potential upload of analysis to an external API) that should be reviewed before installing.
Purpose
The skill's declared permissions in SKILL.md (read:conversations, network:external, crypto:wallet) match the described features (analyze messages, create dashboard, optional wallet). However the registry summary at the top lists no required binaries/env vars while SKILL.md lists node/npx and README references env vars (JWT_SECRET, DASHBOARD_URL, NETWORK). This mismatch between metadata and runtime requirements is confusing and reduces trust.
Instruction scope
SKILL.md promises 'raw conversation text stays local' but the wrapper (execute.sh) locates session files and invokes a script that — per the README and SKILL.md — can contact Bloom API and store an identity card. The wrapper also auto-creates a .env and may enable networked dashboard/storage. The instructions therefore potentially allow sending derived (and possibly sensitive) data off-device despite the 'local' claim; the TypeScript analyzer …
Install mechanism
execute.sh auto-clones a GitHub repo (github.com/unicornbloom/bloom-identity-skill) and runs npm install on first run. Cloning from GitHub is a common pattern (moderate risk), but auto-installing code and running npm dependencies without explicit user approval during invocation increases risk. There are no downloads from opaque hosts or archive extracts, which is good, but the repo owner is unknown and the installed JavaScript may perform arbi…
Credentials
Registry metadata declared no required env vars, yet README and the wrapper reference/produce a .env with JWT_SECRET, DASHBOARD_URL, BLOOM_API_URL, NETWORK and rely on OPENCLAW_USER_ID. Creating a default JWT_SECRET value ('default_secret_change_me') is dangerous: if the service accepts tokens signed with that default secret, it could allow token forgery or impersonation. The skill requests permission to read conversations and to use network/c…
Persistence
The skill does write into ~/.openclaw/workspace and creates a .env in the cloned skill directory; it auto-installs itself into the user's workspace on first run. It is not marked always:true and does not modify other skills, so persistence level is moderate and expected for a skill wrapper. Still, auto-writing files and creating credentials (even defaults) should be noted.
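Install (copy to 龙虾 AI)
Copy the entire block below into a 龙虾中文库 conversation; 龙虾 will complete the installation according to SKILL.md.
Please hand this block to 龙虾中文库 (龙虾 AI) to execute: install the OpenClaw skill "Bloom Supporter Identity" on this machine. Summary: Discover your supporter personality and find AI tools you'll love. Get personal….
Please fetch the following address to read SKILL.md and complete the installation as documented: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/bloomprotocol/bloom/SKILL.md
(Source: yingzhi8.cn skill library)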