by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's purpose (pre-generating demo content) matches what the code does, but there are a few inconsistencies and missing declarations (undeclared GEMINI key, undeclared dependencies, and placeholder Turso URL) that you should review before running it with real credentials.
评估建议
This skill generally does what it says: call your LLM/TTS/SFX/image APIs, encode outputs, and save them in Turso. Before installing or running it: (1) Verify and be comfortable with the three declared secrets; provide a Turso token with least privilege and verify the target TURSO_URL is correct (the script currently uses a placeholder). (2) Note that the script optionally uses GEMINI_API_KEY for image generation but that key is not declared — if you don't want image generation enabled, leave GEM...详细分析 ▾
✓ 用途与能力
Name/description align with the behavior: the script generates stories (Mistral), TTS/SFX (ElevenLabs), and stores cached assets in a Turso DB. The required env vars (ELEVENLABS_API_KEY, MISTRAL_API_KEY, TURSO_AUTH_TOKEN) are reasonable for that purpose.
ℹ 指令范围
SKILL.md and script instruct the agent to call external APIs (Mistral, ElevenLabs, optionally Gemini) and to write generated content to Turso. The instructions do not read unrelated local files or attempt to modify other skills. However, the included Python script references GEMINI_API_KEY for image generation even though that key is not declared in the skill metadata.
ℹ 安装机制
No install spec (instruction-only) — lower install risk. The shipped script imports httpx, mistralai, and google.generativeai; these dependencies and a Python runtime are not declared. That means the environment running this script must already have these libraries, or the operator must install them — a missing declaration to be aware of.
⚠ 凭证需求
The declared environment variables (ELEVENLABS_API_KEY, MISTRAL_API_KEY, TURSO_AUTH_TOKEN) are proportional to the stated functionality. However, the script optionally reads GEMINI_API_KEY (via os.environ.get) but GEMINI_API_KEY is not listed as a required env var in the skill metadata. Also, TURSO_AUTH_TOKEN grants write access to a database; ensure you provide a token with minimum required scope and that storing base64-encoded audio/images in your Turso DB is acceptable.
✓ 持久化与权限
always is false and the skill does not request persistent platform privileges. It performs network calls and writes to a user-provided Turso DB only, which is consistent with its stated job.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.12026/3/6
- Added TURSO_AUTH_TOKEN to required environment variables. - Updated metadata formatting and structure. - Included a security note about base64 usage for encoding cached binary content. - Changed the metadata emoji from 🏃 to 🏃 (now specified as a Unicode character, not escaped).
● 无害
安装命令
点击复制官方npx clawhub@latest install demo-precacher
镜像加速npx clawhub@latest install demo-precacher --registry https://cn.longxiaskill.com
技能文档
async def precache_demo():
scenarios = [
{"name": "Sophie", "language": "fr", "prompt": "A story about cloud whales..."},
{"name": "Kai", "language": "ja", "prompt": "A story about bamboo forests..."},
]
for s in scenarios:
# Step 1: Generate content (hits the real API)
story = await generate_story(s["prompt"], s["name"], s["language"])
# Step 2: Cache the result
await cache.set(s, story)
# Step 3: Generate all derived content (audio, images)
for scene in story["scenes"]:
audio = await generate_tts(scene["text"], voice_id)
await cache.set(f"audio_{scene['id']}", audio)
# Step 4: Verify playback
cached = await cache.get(s)
assert cached is not None, f"Cache miss for {s['name']}"
# Step 5: Report coverage
print(f"Cached {len(scenarios)} scenarios, all verified ✅")
scripts/precache_demo.py — 带验证与覆盖率报告的预缓存示例