技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 2 · 101 · 0 current installs · 0 all-time installs
⭐ 2
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:apsntian/secretclaw
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill's code largely matches its stated purpose (serve a one-time HTTPS form and save the submitted secret to OpenClaw config), but the package metadata omits required binaries and the agent is given the ability to overwrite any OpenClaw config key (including other services' tokens); those mismatches and privileges warrant caution.
目的
The SKILL.md/README claim no required binaries or env vars, but the script requires two external binaries at runtime: 'cloudflared' (to create the HTTPS tunnel) and 'openclaw' (to run 'openclaw config set'). Declaring none is an incoherence in the metadata. The script also writes workspace/TUNNELS.md — expected for a tunnel manager, but something the metadata did not enumerate.
说明范围
Runtime instructions and the included Python implement exactly the advertised workflow: start local HTTP server, open Cloudflare Quick Tunnel, return a one-time URL, accept a secret, call 'openclaw config set <config_key> <value>', then shut down. However the agent (and anyone who can access the URL while it's live) can set any OpenClaw config key supplied to the script (examples explicitly include 'channels.discord.token' and arbitrary skill …
安装机制
There is no install spec (instruction-only skill with an included script), so nothing is downloaded or written by an installer. The runtime does rely on local binaries ('cloudflared' and 'openclaw'), but there is no package fetch from unknown URLs. No extraction of remote archives is performed by the skill itself.
证书
The skill declares no required env vars but needs binaries present; this mismatch is problematic (user must ensure cloudflared and openclaw are installed). The script does not request unrelated credentials, nor does it exfiltrate the submitted secret to developer-owned servers; however the secret traverses Cloudflare's Quick Tunnel (the request goes through Cloudflare infrastructure) and the skill can write arbitrary config keys inside OpenCla…
持久
always:false (normal). The script writes and updates workspace/TUNNELS.md and runs a cloudflared process while live; entries are removed on shutdown. It does not autonomously enable itself or change other skills' code, but it can modify OpenClaw configuration (via 'openclaw config set'), which is expected for its purpose but is a privileged action regarding agent configuration.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「SecretClaw」。简介:Securely input API keys and sensitive values into OpenClaw without typing them …。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/apsntian/secretclaw/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。