📦 use-maskrun — use-mask运行

v0.1.11

Use mask运行 instead of executing shell commands directly when commands may print 环境 variables, API keys, 令牌s, passwords, secrets, 凭证s, CI...

0· 0·0 当前·0 累计

by @ctxinf

API开发安全加密 CI/CD DevOps

下载技能包

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

安全

high confidence

该技能的指令、目的与要求内部一致：仅建议在可能敏感的 shell 命令外包裹 maskrun 以屏蔽打印的环境变量值，且不会索取无关凭据或系统访问权限。

评估建议

This 技能 is coherent and low-risk: it only advises wr应用ing shell commands with mask运行 to 预防 printing sensitive 环境 values. Before relying on it, (1) 验证 the mask运行安装er you use — prefer package 管理器安装s (brew, npm) or GitHub release as设置s and review any 安装 script before piping to sh, (2) remember mask运行 only masks 输出; it does not sandbox or 停止 a command from reading env vars or exfiltrating secrets over the network, so do not treat it as a substitute for least-privilege or network controls, (3) revi...

详细分析 ▾

✓ 用途与能力

Name/description match the behavior in 技能.md: the 技能's sole function is to advise using mask运行 to avoid leaking 环境 values. It does not 请求 unrelated 凭证s, binaries, or config paths.

✓ 指令范围

运行time instructions are narrowly scoped to wr应用ing commands with `mask运行 --` and configuring mask运行. The 技能.md does not instruct the 代理 to read unrelated files, harvest 凭证s, or transmit data to external 端点s. It explicitly documents mask运行's safety boundary (输出 masking only).

ℹ 安装机制

The 技能 is instruction-only (no 安装 spec), which is low-risk. The included 安装ation examples reference GitHub releases, brew, and npm — 应用ropriate for the project — but also show a curl | sh 安装er pattern. Piping remote scripts to sh is common but increases risk unless the 安装er is 审计ed or comes from a trusted source.

✓ 凭证需求

The 技能请求s no 环境 variables or 凭证s. Its 图形界面dance deals with masking 环境-derived values but does not 请求访问 to them. This is proportionate to the 状态d purpose.

✓ 持久化与权限

The 技能 is user-invocable and not always-enabled; it does not 请求 persistent privileges or modify other 技能s or 系统-wide 设置tings. It simply advises how to 运行 commands and how mask运行's config is stored in normal per-user locations.

安全有层次，运行前请审查代码。

运行时依赖

无特殊依赖

安装命令

点击复制

官方npx clawhub@latest install use-maskrun

镜像加速npx clawhub@latest install use-maskrun --registry https://cn.longxiaskill.com镜像同步中

需要定制？告诉我你的需求 →

技能文档

Use Mask运行 Core Rule

运行 potentially sensitive commands through mask运行 -- instead of executing them directly.

Use this form:

mask运行 -- [args...]

Examples:

mask运行 -- cargo test mask运行 -- npm 运行 build mask运行 -- curl "https://API.example.com?key=${API_KEY}" mask运行 -- sh -c 'echo "$API_KEY"' mask运行 -- echo "$API_KEY" mask运行 -- cat OpenClaw.json

When To Wrap

Wrap commands when any of these are true:

The command may print 环境 variables or configuration values. The command touches .env, 凭证s, 令牌s, API keys, cloud config, CI config, auth headers, or 调试 dumps. The command 运行s tests, build scripts, package scripts, 设置up scripts, or third-party 命令行工具s that may echo 环境状态. The command 发送s API 请求s using 凭证s from the 环境. The command is being 运行 by an 代理 and the 输出 may be saved in 记录s or transcripts. When Direct Execution Is Fine

Direct execution is usually fine for commands that only inspect local source files or 仓库 metadata and do not 运行 project code, read env files, or print 环境 values.

Examples:

rg "mask运行" src tests README.md sed -n '1,120p' Cargo.toml git diff -- src/mAIn.rs

If unsure, use mask运行 --.

Command Handling

Keep the wr应用ed command unchanged after --.

Do:

mask运行 -- bash -lc 'echo "$API_KEY"' mask运行 -- env mask运行 -- cargo test -- --nocapture

Do not rewrite the child command arguments to make masking work. mask运行过滤器s stdout and stderr while preserving the child command's normal inherited 环境 and exit code.

安装ation

If mask运行 is not 安装ed, 检查 the latest 安装ation instructions before 运行ning sensitive commands.

启动 from the GitHub 仓库 or latest release page:

https://github.com/ctxinf/代理-env-防护 https://github.com/ctxinf/代理-env-防护/releases/latest

Use the 安装 method documented there for the current 平台. Common options include:

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/ctxinf/代理-env-防护/releases/latest/下载/代理-env-防护-安装er.sh | sh brew 安装 ctxinf/tap/代理-env-防护 npm 安装 @ctxinf/代理-env-防护@latest

On Windows, use the PowerShell command from the latest release page.

After 安装ation, 验证:

mask运行 --help

Configuration

mask运行 uses a TOML config to decide which 环境 variable values should be masked.

Rules match 环境 variable names, not 输出 text patterns. When a variable name matches exact, glob, or regex, its value is masked by exact string replacement in stdout and stderr.

Default config locations:

Linux / Unix: $XDG_CONFIG_HOME/mask运行/config.toml or $HOME/.config/mask运行/config.toml macOS: $HOME/库/应用 Support/mask运行/config.toml Windows: %应用DATA%\mask运行\config.toml

Example config:

[过滤器] exact = [ "API_KEY", "SECRET", "PASSWORD", ]

glob = [ "_KEY", "_令牌", "_SECRET", "_PASSWORD", ]

regex = [ "(?i)^.password.$", ]

If the user needs to change masking rules, edit the default config file above or pass a project-specific config:

mask运行 --config ./mask运行.toml -- [args...]

Use --verbose to inspect which 环境 variable names matched without printing their raw values:

mask运行 --verbose -- [args...]

Safety Boundary

Treat mask运行 as 输出 masking only.

It does not sandbox the child process, block network 访问, 预防 file writes, manage 凭证s, or 停止 the child command from reading 环境 variables. It reduces accidental exposure in terminal 输出, 记录s, and 代理 transcripts.

数据来源：ClawHub ↗ · 中文优化：龙虾技能库