by 安全扫描
OpenClaw
可疑
medium confidence该技能的指令和文件一般与 'Doubleword' API 的批量推理工具一致,但存在一些不一致之处(缺失描述/主页和未声明的 API 密钥使用),应在信任该技能之前进行澄清。
评估建议
该技能似乎实现了 api.doubleword.ai 的批量推理工作流,并包含无害的辅助代码用于生成 JSONL 文件。但是:(1) 元数据缺少描述、主页或源代码仓库;(2) 运行时文档使用 API 密钥但技能元数据未声明任何必需的环境变量;(3) 仅提供测试账号或有限信用额的 API 密钥;(4) 如需更大的保证,请请求源代码仓库链接或签名发布并确认域名合法性。如果作者无法证明缺失的元数据或来源,请将技能视为不可信任,不提供生产凭据。...详细分析 ▾
ℹ 用途与能力
Name, SKILL.md and reference docs consistently describe a batch-inference client for api.doubleword.ai; the included helper script creates JSONL batch files and matches the documented workflow. However the package metadata lacks a description/homepage/source which reduces provenance confidence.
⚠ 指令范围
Runtime instructions explicitly show using an API key in curl examples (Authorization: Bearer $DOUBLEWORD_API_KEY) and describe uploading and polling files on https://api.doubleword.ai — which is coherent with the stated purpose — but the SKILL.md does not declare the environment variable as required and the skill author did not include provenance/context (no homepage/source). The instructions do not request other system files or credentials.
✓ 安装机制
This is an instruction-only skill with no install spec; the only included code is a small helper script that writes JSONL files. No network installs, downloads, or archive extraction are present in the manifest.
⚠ 凭证需求
SKILL.md examples use an API key (DOUBLEWORD_API_KEY) for requests, but requires.env and primary credential fields are empty — the skill fails to declare the expected credential. No other unrelated secrets are requested.
✓ 持久化与权限
The skill does not request always:true, does not modify other skills, and has no install steps that persist code beyond the included files. It does not ask to store or modify agent-wide config.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/1/28
init
● 无害
安装命令
点击复制官方npx clawhub@latest install doubleword
镜像加速npx clawhub@latest install doubleword --registry https://cn.longxiaskill.com
技能文档
请参见下方翻译的 SKILL.md 内容(由于字符限制,仅提供关键部分,完整内容请参考原始文档)