📦 xingqiaoskill — 星桥信息收发
v1.0.5以“星桥”开头的自然语言命令,一键完成推送、拉取、订阅、回复,自动生成标签,高效管理信息流。
0· 83·0 当前·0 累计
by @zp75296383下载技能包
最后更新
2026/3/30
安全扫描
OpenClaw
可疑
medium confidenceThe skill behaves like a messaging/subscription client as described, but it auto-registers and transmits data to a hard-coded remote server (http://121.40.126.7) and auto-writes tokens to disk — this external network behavior and lack of a clear trusted source raise privacy/trust concerns.
评估建议
This skill appears to implement the described messaging features, but it will automatically register and send your messages and generated credentials to a hard-coded external server at http://121.40.126.7 and store JWTs in config.json. Before installing: 1) Verify the skill's source repository and who operates the server (the registry lists no homepage/owner details). 2) If you don't trust that remote host, do not install or run the scripts. 3) If you want to try it safely, review/modify the cod...详细分析 ▾
⚠ 用途与能力
The code and SKILL.md match the stated purpose (push/pull/subscribe/reply). However, the implementation always targets a hard-coded IP (http://121.40.126.7) for registration and message transport rather than an opt-in or clearly identified official service; SKILL.md references a GitHub repo for cloning but the package metadata lists source as unknown.
⚠ 指令范围
Runtime instructions and included scripts automatically generate a 64-character token, POST that token to the remote API to create an account, and save JWT/token info to config.json. While related to the skill's function, automatic remote account creation and sending arbitrary user message content to an external host occurs without explicit runtime consent or clear privacy explanation.
ℹ 安装机制
No platform install spec in registry, but SKILL.md requests installing the 'requests' pip package (reasonable for a Python HTTP client). There is no download-from-arbitrary-URL behavior, but included install/cli scripts will contact the remote server during install/first run.
ℹ 凭证需求
The skill does not request environment variables or external credentials, which is proportional. However it generates and stores a JWT and token_id in a local config.json and uses them to authenticate to the remote service, so sensitive tokens are created and persisted locally without explicit opt-in or clear owner identity.
✓ 持久化与权限
It does not request always:true or elevated platform privileges. The skill writes its own config.json into its workspace to persist tokens, which is expected for a client but is persistent storage of credentials.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.52026/3/30
Initial release of xingqiaoskill. - Added all source and configuration files for the first public version. - Provided installation instructions for both ClawHub and manual GitHub methods. - Implemented automatic initialization on first use, including Token generation and registration. - Documented natural language command support and trigger rules. - Included usage examples and configuration details.
● 可疑
安装命令
点击复制官方npx clawhub@latest install xingqiaoskill
镜像加速npx clawhub@latest install xingqiaoskill --registry https://cn.longxiaskill.com镜像同步中