Security scan
OpenClaw
Safe
High confidence: This skill's requirements and runtime instructions are consistent with its stated purpose (calling the CoinAnk OpenAPI); it needs only an API key and the local OpenAPI references, and it makes requests to the declared CoinAnk endpoint.
Assessment recommendations
This skill appears to do what it says: it will read the included OpenAPI JSON files and README and then call https://open-api.coinank.com using the COINANK_API_KEY you supply (sent in the HTTP header). Before installing, confirm you trust coinank.com and are comfortable exposing the API key to that external service. Use a key with minimal privileges if possible and rotate or revoke the key if you stop using the skill. Note that the skill may log request errors (check where agent logs are stored)...
✓ Purpose and capabilities
Name/description (coinank-openapi) match the declared requirement (COINANK_API_KEY) and the included OpenAPI reference files; allowed network host is the CoinAnk OpenAPI URL. There are no unrelated env vars, binaries, or install steps requested.
✓ Instruction scope
SKILL.md restricts runtime actions to checking COINANK_API_KEY, reading README.md and selected OpenAPI JSON files under references/, validating parameters, and issuing curl requests to https://open-api.coinank.com with the apikey header. It does not instruct reading unrelated system files or sending data to other endpoints. It does ask to 'log detailed errors' but does not specify writing to sensitive system paths.
✓ Install mechanism
No install spec — instruction-only skill. No downloads or package installs are declared, which is the lowest-risk install profile.
✓ Credential requirements
Only one credential is required (COINANK_API_KEY) and it is declared as the primary credential. That credential is appropriate and necessary for calling the CoinAnk API. No other sensitive env vars or cross-service keys are requested.
✓ Persistence and permissions
The always flag is false, and the skill does not request persistent system-wide privileges or modifications. It does not require enabling itself permanently or altering other skills' configurations.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.2 (2026/2/25)
- Initial release with full repository added, including configuration, hooks, and references.
- Updated SKILL.md to improve workflow: now checks for API key and provides user guidance if missing.
- Enhanced error handling and user messaging for failed requests.
- Added permission to read README.md and included instructions to read it during the workflow.
- Clarified instructions for API key configuration and parameter validation.
● Suspicious
Install command
Official: npx clawhub@latest install coinank-openapi
Mirror (accelerated): npx clawhub@latest install coinank-openapi --registry https://cn.clawhub-mirror.com
Skill documentation
# SECURITY MANIFEST:
# - Allowed to read: {baseDir}/README.md, {baseDir}/references/*.json
# - Allowed to make network requests to: https://open-api.coinank.com
Workflow (on-demand loading mode)
When the user makes a request, follow these steps strictly:
- Check the API key: first check whether the environment variable COINANK_API_KEY exists. If it does not, prompt the user to set the API key.
- Read the README: read README.md carefully.
- Index the directory: scan all file names under {baseDir}/references/ and determine which OpenAPI definition files are relevant to the user's request.
- Read precisely: read only the selected .json files and analyse their paths, parameters and requestBody. paths is an object whose keys are the API paths.
- Build the request: execute the request with curl against https://open-api.coinank.com (or the URL taken from the servers field of the JSON).
- Auth: take the apikey from the environment variable COINANK_API_KEY and inject it into the request header.
- If a parameter has endTime, pass the latest millisecond timestamp where possible.
- The timestamps in the OpenAPI documents are examples. If the user does not specify a time, use the current time as a millisecond timestamp.
Notes
- No full loading: unless the user's request spans multiple domains, do not read multiple JSON files at the same time.
- Parameter validation: before issuing a request, verify against the OpenAPI definition that all required parameters are present.
- Error handling: when a request fails, show the user a friendly message and record a detailed error log.
- API key configuration: the user must set the environment variable COINANK_API_KEY themselves, for example: export COINANK_API_KEY="your_api_key"
Data source: ClawHub · Chinese localisation: 龙虾技能库