Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clash-auto-switch

v1.0.2

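Automatically checks Clash proxy health, prefers nodes in priority regions, switches to the best node on failure, and supports manual and quick region switching.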

by Anonymous @adminlove520

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for adminlove520/clash-auto-switch.

Prompt preview (Install & Setup):
Install the skill "clash-auto-switch" (adminlove520/clash-auto-switch) from ClawHub.
Skill page: https://clawhub.ai/adminlove520/clash-auto-switch
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install adminlove520/clash-auto-switch

ClawHub CLI

npx clawhub@latest install clash-auto-switch

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The name/description match what the files implement: health checks, latency tests, and switching via the Clash external controller API. However the registry metadata lists no required env vars or primary credential even though the scripts and SKILL.md expect CLASH_API/CLASH_SECRET/CLASH_PROXY; this is an implementation/metadata mismatch.

! Instruction Scope

Runtime instructions and code perform HTTP requests to multiple external endpoints (Telegram, Google, Anthropic, OpenAI, GitHub) via the user's proxy to test connectivity. That is reasonable for a health check, but the SKILL.md and registry do not declare this network behavior explicitly. The skill also requires the CLASH_SECRET (read from env or config) to call the local Clash API; the registry did not advertise this required secret. The scripts write logs to /var/log and state to /tmp which may expose sensitive data if not protected.

Install Mechanism

There is no install spec (instruction-only in registry), but the bundle contains multiple executable scripts and a Python implementation plus a requirements.txt (requests). That means installation is manual (user must install dependencies) and files will run locally; no remote downloads were used. Low install mechanism risk but user must review and install dependencies themselves.

! Credentials

The skill needs an API secret (CLASH_SECRET) to control Clash, but the registry declares no required env vars or primary credential. Worse, multiple shell scripts include a hard-coded CLASH_SECRET value (UUID-like) which is unexpected and inappropriate for a networking control secret. The presence of a hard-coded token and missing registry declaration are disproportionate and should be fixed or explained.

Persistence & Privilege

always:false (normal). The skill suggests using cron/heartbeat to run /clash auto periodically; combined with autonomous agent invocation this could make the agent perform periodic switches. This is expected for this utility but the user should be aware and control the schedule. The skill does not modify other skills or system-wide agent settings.

Scan Findings in Context

[hardcoded-secret-in-scripts] unexpected: Multiple bash scripts contain CLASH_SECRET set to "6434ff5a-5b0f-4598-99ec-83ca96c77167". An API secret should not be hard-coded in distributed code or left as a real-looking token in examples.

What to consider before installing
This package mostly does what it says (checks proxy health and uses Clash's API to switch nodes), but take these precautions before installing or enabling it:

  • Treat CLASH_SECRET as sensitive. Do not keep any real API secret hard-coded in scripts; replace or remove the hard-coded value in the provided shell files before use. Prefer setting CLASH_SECRET via secure agent/secret storage.
  • Update the registry metadata / skill config to declare CLASH_API and CLASH_SECRET so the platform can surface required secrets to you. Right now the registry lists none, which is misleading.
  • Review and, if needed, restrict where logs and state files are written (scripts log to /var/log/clash-switch.log and /tmp). Ensure those files are stored with appropriate permissions so secrets are not leaked.
  • Be aware health checks contact external endpoints (Telegram, Google, Anthropic, OpenAI, GitHub) through your proxy. This is normal for connectivity testing but you may prefer to reduce the set of test targets or confirm that contacting them is acceptable in your environment.
  • The package requires the Python requests library if you use the Python skill file; install it in a controlled environment. Run the scripts locally first and inspect behavior before integrating into automated Cron/agent schedules.
  • If you plan to run the skill autonomously (periodic cron/heartbeat), limit frequency and review every action it takes; automatic switching changes network routing and could have operational impact.

If the author can (a) remove the hard-coded secret, (b) declare required env vars/primary credential in registry metadata, and (c) document the exact external network calls and log paths, the inconsistencies would be resolved and confidence would increase.
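A pre-install check for the hard-coded secret finding, as an added example that is not part of the skill or of the scan output: it flags shell lines that assign CLASH_SECRET a literal value or a literal fallback, and accepts lines that only read the environment. The file paths and the all-zero token in the sample are constructed placeholders.

```python
import re

# Shell assignment of CLASH_SECRET, with optional `export` and trailing comment.
ASSIGN = re.compile(r'^\s*(?:export\s+)?CLASH_SECRET=(?P<rhs>.*?)\s*(?:#.*)?$')
# ${CLASH_SECRET:-default} or ${CLASH_SECRET:=default}
ENV_REF = re.compile(r'\$\{CLASH_SECRET:[-=](?P<default>.*)\}')


def classify(rhs):
    """Classify the right-hand side of a CLASH_SECRET assignment."""
    value = rhs.strip().strip("\"'")
    if not value:
        return "ok"                    # empty placeholder, nothing embedded
    ref = ENV_REF.fullmatch(value)
    if ref:
        # Reading the environment is fine; a non-empty fallback is still a baked-in secret.
        return "literal-fallback" if ref.group("default") else "ok"
    if value.startswith("$"):
        return "ok"                    # another variable or a command substitution
    return "literal"


def scan(files):
    """files maps path -> text. Returns (path, line number, kind) without echoing the value."""
    findings = []
    for path in sorted(files):
        for number, line in enumerate(files[path].splitlines(), 1):
            match = ASSIGN.match(line)
            if match and (kind := classify(match.group("rhs"))) != "ok":
                findings.append((path, number, kind))
    return findings


# Constructed bundle contents; paths and the all-zero token are placeholders.
SAMPLE = {
    "scripts/auto.sh": '#!/bin/bash\nCLASH_API="http://127.0.0.1:58871"\n'
                       'CLASH_SECRET="00000000-0000-0000-0000-000000000000"  # default\n',
    "scripts/health.sh": 'CLASH_SECRET="${CLASH_SECRET:-}"\n',
    "scripts/switch.sh": 'export CLASH_SECRET="${CLASH_SECRET:-00000000-0000-0000-0000-000000000000}"\n',
}

if __name__ == "__main__":
    for path, number, kind in scan(SAMPLE):
        print(f"{path}:{number}: CLASH_SECRET {kind}")
```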

Like a lobster shell, security has layers — review code before you run it.

latest vk97cwd015c8p1vg6pry3f62ww182fvr6
393 downloads
1 star
3 versions
Updated 20h ago
v1.0.2
MIT-0

clash-auto-switch

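Clash proxy auto-switch Skill for OpenClaw

Automatically checks proxy health and switches to the best node on failure.

Configuration

First-time use requires configuring the Clash API:

# Set the API address and secret (replace 你的密钥 with your own secret)
/clash config set --api http://127.0.0.1:58871 --secret 你的密钥

Or via environment variables:

  • CLASH_API: Clash API address
  • CLASH_SECRET: API secret
  • CLASH_PROXY: proxy address (default: http://127.0.0.1:7890)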

Features

Health check

Check whether the current proxy is working:

/clash health

Example output:

✓ 代理健康 (3/3)
- Telegram: OK
- Google: OK
- Anthropic: OK

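List nodes

Show all proxy groups and available nodes:

/clash list

Auto switch

Automatically check health and switch to the best node:

/clash auto

Logic:

  1. Test connectivity to Telegram / Google / Anthropic
  2. If unhealthy, iterate over all nodes
  3. Test latency, preferring Singapore / Japan / Hong Kong / US nodes
  4. Switch to the best node

Manual switch

Switch to a specific node: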

/clash switch ChatGPT 新加坡-优化-Gemini-GPT

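Region switch

Quickly switch to a given region:

/clash sg    # switch to Singapore
/clash us    # switch to the US
/clash jp    # switch to Japan
/clash hk    # switch to Hong Kong

Status query

Show the current proxy status:

/clash status

Using with Cron

Add a cron job to run the health check on a schedule: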

{
  "name": "clash-health-check",
  "schedule": {
    "kind": "every",
    "everyMs": 900000
  },
  "payload": {
    "kind": "agentTurn",
    "message": "/clash auto"
  },
  "sessionTarget": "isolated"
}

Using with Heartbeat

Add the health check to the heartbeat:

# Add to HEARTBEAT.md
/clash health

Supported proxy groups

  • ChatGPT
  • Copilot
  • GLOBAL
  • Netflix
  • Steam
  • Telegram
  • TikTok
  • Twitter
  • WhatsApp
  • 境内使用
  • 海外使用
  • 节点选择
  • 谷歌服务
  • 微软服务
  • 苹果服务

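Example conversation

User: Check the proxy status
小溪: calls /clash health → returns the health result

User: The proxy seems slow
小溪: calls /clash auto → automatically switches to the best node

User: Switch to a Singapore node
小溪: calls /clash sg → switch complete

How it works

  1. Call the Clash API (/proxies) to get all proxy groups
  2. Run a health check for each proxy group of type Selector
  3. If unhealthy, test the latency of all nodes
  4. Prefer nodes in the priority regions
  5. Call the Clash API (/proxies/{group}) to switch nodes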
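The selection steps above, run offline as an added example (not the skill's own code): it filters Selector groups from a `/proxies` response, ranks nodes by priority region and then latency, and builds the `PUT /proxies/{group}` request without sending it. The payload, node names and latencies are constructed, and treating the region list as a strict ranking ahead of latency is an assumption; the secret comes only from the `CLASH_SECRET` environment variable.

```python
import json
import os
from urllib.parse import quote

# Region keywords named on the page; treating the list order as a ranking is an assumption.
PRIORITY = ["新加坡", "日本", "香港", "美国"]


def selector_groups(payload):
    """Steps 1-2: keep only the Selector groups from a GET /proxies response."""
    return {name: p for name, p in payload["proxies"].items() if p.get("type") == "Selector"}


def region_rank(node):
    """Index of the first priority keyword in the node name; unlisted regions rank last."""
    return next((i for i, kw in enumerate(PRIORITY) if kw in node), len(PRIORITY))


def pick_best(group, delays):
    """Steps 3-4: delays maps node -> milliseconds; None or 0 means the test failed."""
    alive = [n for n in group["all"] if delays.get(n)]
    return min(alive, key=lambda n: (region_rank(n), delays[n])) if alive else None


def build_switch_request(api, secret, group_name, node):
    """Step 5: describe the PUT /proxies/{group} call without sending it."""
    return {
        "method": "PUT",
        "url": f"{api.rstrip('/')}/proxies/{quote(group_name, safe='')}",
        "headers": {"Authorization": f"Bearer {secret}"},
        "body": json.dumps({"name": node}, ensure_ascii=False),
    }


# Constructed /proxies payload and latency results (not captured from a real instance).
SAMPLE = {"proxies": {
    "ChatGPT": {"type": "Selector", "now": "德国-01",
                "all": ["德国-01", "美国-01", "新加坡-01", "日本-01"]},
    "德国-01": {"type": "Shadowsocks"},
    "auto": {"type": "URLTest", "all": ["德国-01", "美国-01"]},
}}
DELAYS = {"德国-01": 80, "美国-01": 120, "新加坡-01": 210, "日本-01": None}

if __name__ == "__main__":
    secret = os.environ.get("CLASH_SECRET")      # never a literal in the script
    if not secret:
        raise SystemExit("CLASH_SECRET is not set")
    api = os.environ.get("CLASH_API", "http://127.0.0.1:58871")
    for name, group in selector_groups(SAMPLE).items():
        print(build_switch_request(api, secret, name, pick_best(group, DELAYS)))
```

With this ranking the 210 ms Singapore node is chosen over the 80 ms node outside the priority list, so a latency ceiling is worth adding if raw speed matters more than region.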
