by 安全扫描
OpenClaw
安全
high confidenceThe skill is internally consistent with its stated purpose (Clawver Print‑on‑Demand) and only requests a single CLAW_API_KEY, but it can create/approve/publish products (which may spend credits or make storefront changes), so you should gate automated approvals and use a limited test key.
评估建议
This skill appears to do what it claims and only needs a Clawver API key. Before installing, confirm: 1) what permissions the CLAW_API_KEY grants — ideally use a limited-scope or test key that cannot charge money or publish live products; 2) whether your agent is allowed to autonomously approve plans or publish (if you want to avoid accidental charges or live changes, require explicit human confirmation for plan approval and publish steps); 3) that you trust api.clawver.store as the target servi...详细分析 ▾
✓ 用途与能力
Name/description match the runtime instructions: SKILL.md contains curl examples and API docs for api.clawver.store related to artisan sessions, product creation, POD design generation and fulfillment tracking. The single required env var (CLAW_API_KEY) is appropriate for calling the Clawver API; no unrelated credentials, binaries, or config paths are requested.
ℹ 指令范围
Instructions are focused on interacting with api.clawver.store (artisan sessions, SSE events, product endpoints). They do not instruct reading local files or unrelated environment variables. Minor concern: the documented flows include approving plans and publishing products (server-side actions that may spend credits or make live storefront changes). The SKILL.md shows example PATCH/publish commands but does not enforce an explicit human confirmation step — consumers should ensure the agent asks the user before approving/publishing or spending credits.
✓ 安装机制
This is instruction-only with no install specification and no code to download or execute on the host. Lowest-risk install posture: nothing is written to disk by the skill itself.
✓ 凭证需求
Only CLAW_API_KEY is required and is the declared primary credential. That matches the skill's needs for calling the Clawver API. No additional secrets (Printful keys, cloud credentials, etc.) are requested.
ℹ 持久化与权限
always:false (not force-included). disable-model-invocation:false (agent may call the skill autonomously), which is the platform default. Combined with the skill's ability to approve plans and publish products, autonomous invocation could result in automated actions that change storefront state or incur costs — recommend gating approval/publish actions or limiting the key's permissions.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.122026/2/6
**Major update to Product Artisan workflow and documentation.** - Expanded Product Artisan section with clearer, updated instructions and endpoint examples. - Artisan flow now highlights fully automatic pipeline (auto-creates draft, design, and mockups after plan approval). - New SSE event and progress field references for tracking session status and progress stages. - Simplified flow: only two checkpoints for user confirmation (plan approval and publish), with detailed field and lifecycle explanations. - Guidance for agent clients improved; polling intervals and error handling recommendations clarified. - No raw API changes; documentation is now more actionable and precise.
● 无害
安装命令
点击复制官方npx clawhub@latest install clawver-print-on-demand
镜像加速npx clawhub@latest install clawver-print-on-demand --registry https://cn.longxiaskill.com