by 安全扫描
OpenClaw
安全
high confidenceThe skill's requirements and runtime instructions are consistent with calling CoinAnk's OpenAPI: it only needs a CoinAnk API key, reads the included OpenAPI JSON references, and issues requests to https://open-api.coinank.com.
评估建议
This skill appears coherent: it needs your CoinAnk API key to call CoinAnk endpoints and uses only the included OpenAPI specs. Before installing, confirm you trust coinank.com and that the API key you provide has only the necessary read privileges (avoid providing a more-privileged key). Consider rotating the key if you stop using the skill. Because the skill can make network requests to the CoinAnk domain, do not supply high-privilege or multi-service credentials; verify any returned data befor...详细分析 ▾
✓ 用途与能力
Name/description state: call CoinAnk OpenAPI. Declared requirement: COINANK_API_KEY. Files are OpenAPI JSONs for CoinAnk endpoints. All requested resources (OpenAPI files + API key) align with the stated purpose.
✓ 指令范围
SKILL.md limits actions to: index/read {baseDir}/references/*.json, validate parameters against those OpenAPI files, and make curl requests to https://open-api.coinank.com with apikey header. It does not instruct reading other system files or calling other external endpoints.
✓ 安装机制
No install spec and no code files — instruction-only. Nothing is downloaded or written to disk by the skill itself, minimizing install-time risk.
✓ 凭证需求
Only one env var is required (COINANK_API_KEY) and it is the primary credential used to authenticate to the CoinAnk API, which matches the skill's purpose. No unrelated secrets or config paths are requested.
✓ 持久化与权限
always is false and the skill does not request persistent system privileges or configuration changes. Autonomous invocation is allowed by platform default but is not combined with other concerning privileges.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/1
Initial release of coinank-openapi-skill. - Allows secure access to coinank OpenAPI via https://open-api.coinank.com. - Requires environment variable COINANK_API_KEY for authentication. - Reads relevant OpenAPI JSON files on-demand from the `{baseDir}/references/` directory. - Validates required parameters against OpenAPI definitions before making requests. - Constructs requests using curl, with special handling for timestamps and headers. - Includes clear security and access restrictions for files and network access.
● 可疑
安装命令 点击复制
官方npx clawhub@latest install coinank-openapi-skill
镜像加速npx clawhub@latest install coinank-openapi-skill --registry https://cn.clawhub-mirror.com
技能文档
# SECURITY MANIFEST: # - Allowed 到 读取: {baseDir}/references/*.json # - Allowed 到 使 network requests 到: https://打开-api.coinank.com
工作流 (按需加载模式)
当用户提出请求时,请严格执行以下步骤:
- 目录索引:首先扫描
{baseDir}/references/目录下的所有文件名,确定哪些 OpenAPI 定义文件与用户需求相关。 - 精准读取:仅读取选定的
.json文件,分析其paths、parameters和requestBody。其中paths内是一个对象,对象的键就是path - 构造请求:使用 curl 执行请求。
https://打开-api.coinank.com(或从 JSON 的 servers 字段提取)。
- Auth: 从环境变量 COINANK_API_KEY 中获取 apikey 注入 页头。
- 如果参数有endTime,尽量传入最新的毫秒级时间戳
- OpenAPI文档内的时间戳都是示例.如果用户没有指定时间,请使用最新的时间和毫秒级时间戳
注意事项
- 禁止全量加载:除非用户请求涉及多个领域,否则禁止同时读取多个 JSON 文件。
- 参数校验:在发起请求前,必须根据 OpenAPI 定义验证必填参数是否齐全。
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制