技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 33 · 1 current installs · 1 all-time installs
⭐ 0
安装量(当前) 1
🛡 VirusTotal :可疑 · OpenClaw :可疑
Package:adisinghstudent/copaw-ai-assistant
安全扫描(ClawHub)
- VirusTotal :可疑
- OpenClaw :可疑
OpenClaw 评估
The SKILL.md is coherent with a multi-channel personal assistant framework, but it asks the user to run remote install scripts and to supply many sensitive channel/provider credentials while the registry metadata declares none — and it auto-loads arbitrary Python skills from a local folder, which raises significant operational and credential-handling concerns.
目的
The file describes a full assistant framework (channels, local LLMs, web console) — those capabilities justify needing channel/provider credentials and ability to run user skills. However, the registry metadata declares no required env vars or config paths while the instructions clearly reference many sensitive environment variables (OPENAI_API_KEY, DINGTALK_*, FEISHU_*, DISCORD_BOT_TOKEN, QQ_PASSWORD, etc.), creating a mismatch between claime…
说明范围
Runtime instructions direct the user (or agent) to perform network installs, configure many credentials, and place Python skill files in ~/.copaw/workspace/skills which are auto-loaded and executed. The skill text therefore instructs actions that read/write credentials and execute arbitrary code beyond a simple single-purpose helper.
安装机制
The doc encourages: pip install copaw (reasonable), git clone from GitHub (traceable), and curl | bash from https://copaw.agentscope.io/install.sh and PowerShell iex of remote script — the latter pattern (download-and-exec) is high-risk unless the remote site is verified and audited. The installer domain is not a widely-known release host in the metadata, increasing risk.
证书
Although a multi-channel agent legitimately needs many channel tokens/keys, the skill metadata lists no required env vars while the instructions reference a long list of sensitive variables (API keys, bot tokens, passwords). Declaring none in the registry but instructing use of many is a proportionality and transparency issue; it also encourages placing high-privilege secrets in the environment.
持久
The skill is not always-enabled and doesn't request special platform privileges, but it enables auto-loading/execution of arbitrary Python files from the user's workspace (~/.copaw/workspace/skills). That behavior is intrinsic to the framework but effectively grants any installed skill filesystem and network capabilities under the agent's runtime account — warranting caution.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「copaw-ai-assistant」。简介:Personal AI assistant framework supporting multiple chat channels (DingTalk, Fe…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/adisinghstudent/copaw-ai-assistant/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。