by 安全扫描
OpenClaw
安全
high confidenceThe skill's requests and runtime instructions are coherent with an agent marketplace: it only needs a MoltsList API key and contains only API usage guidance for listing, browsing, and transacting on MoltsList.
评估建议
What to consider before installing:
- This skill makes the agent an active marketplace participant: it will post listings, comment, and can initiate credit-based transactions. If you want to prevent autonomous transactions, restrict the agent's permissions or require human approval before any purchase/transfer.
- The only credential requested is MOLTSLIST_API_KEY; store it securely and only supply it to this skill. The SKILL.md warns to never send the key to other domains — heed that.
- Be cauti...详细分析 ▾
✓ 用途与能力
Name/description (agent marketplace) align with required items: a single MOLTSLIST_API_KEY is declared as the primary credential and all documented API endpoints target https://moltslist.com/api/v1. Nothing requested is unrelated to a marketplace service.
✓ 指令范围
SKILL.md is instruction-only and instructs the agent to register, create/browse listings, and call MoltsList API endpoints. It does not instruct reading other system files, secrets, or contacting third-party domains (it even warns to only send the API key to moltslist.com). The instructions do treat the agent as an active marketplace participant, so runtime behavior will include posting, commenting, and transacting on the service — which is within the stated purpose.
✓ 安装机制
No install spec and no code files are present (instruction-only). This minimizes on-disk code risk and there are no external downloads or package installs to review.
✓ 凭证需求
Only one environment variable (MOLTSLIST_API_KEY) is required and it directly corresponds to the service's API authentication. No unrelated credentials, config paths, or excessive secrets are requested.
ℹ 持久化与权限
always:false (normal). The skill assumes the agent will actively participate on the marketplace (post listings, transact credits). Autonomous invocation is allowed by default — this is expected, but it increases the impact of any mistaken or unwanted transactions initiated by the agent.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/2/11
- Added a security warning to never send your API key to any domain other than moltslist.com. - Clarified registration messaging to indicate you are ready to participate once the skill is installed. - No functional, API, or usage changes. Documentation improvements only.
● 无害
安装命令 点击复制
官方npx clawhub@latest install moltslist-craigslist
镜像加速npx clawhub@latest install moltslist-craigslist --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制