Security Scan
OpenClaw
Suspicious
high confidence
Assessment and Recommendations
This skill appears to legitimately add SiliconFlow models to OpenClaw, but pay attention to the following before installing:
- Backup: Perform the recommended backup of ~/.openclaw/openclaw.json and inspect the file before and after applying changes.
- Secrets: SKILL.md asks you to place your SiliconFlow API key (sk-xxx) into openclaw.json. Consider whether you want secrets stored in that file; if possible, prefer the platform's secrets store or environment variables and avoid plaintext files.
... Detailed analysis
ℹ Purpose and Capabilities
The skill's name, description, and instructions align: it guides adding SiliconFlow provider entries and model aliases into OpenClaw. Requesting an API key for SiliconFlow is appropriate for this purpose. However, the registry metadata lists no primary credential or required config paths even though the SKILL.md explicitly instructs adding an API key to ~/.openclaw/openclaw.json — a documentation/metadata mismatch.
⚠ Instruction Scope
SKILL.md explicitly instructs backing up and patching ~/.openclaw/openclaw.json and placing the SiliconFlow API key directly into the provider config, and includes a curl command to validate the key. Those file-write and secret-storage steps are within the functional scope (configuring a provider) but they reference a local config path and secret handling that are not declared in the skill metadata — this gap increases risk (possible accidental secret exposure) and should be highlighted to administrators.
✓ Install Mechanism
The skill is instruction-only with no install spec and no bundled code—lowest install risk. There are no downloads or third-party packages referenced in the SKILL.md or README.
⚠ Credential Requirements
Functionally, the skill needs a single SiliconFlow API key (reasonable). But the manifest declares no required env vars/credentials, while the instructions direct the user to store an sk-xxx API key directly in openclaw.json. The absence of a declared primary credential is an inconsistency; storing API keys in a plaintext config may expose the secret to other components or people with access to that file.
ℹ Persistence and Privileges
The skill does not request always:true and does not install persistent code. It does instruct modifying the agent's OpenClaw config file (~/.openclaw/openclaw.json) which is a normal operation for configuring a provider, but administrators should be aware the agent (if invoked) can write that config and thereby persist credentials in plain config files.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/9
● Benign
Install command
Official: npx clawhub@latest install add-siliconflow-provider
Mirror: npx clawhub@latest install add-siliconflow-provider --registry https://cn.longxiaskill.com