alapi
v1.0.0ALAPI 接口对接助手。帮助开发者搜索 ALAPI 接口、读取 ALAPI 文档、提取参数、生成 ALAPI 对接代码,并在用户明确提供 token 且确认后调用 ALAPI 接口。当用户提到 "ALAPI"、"alapi.cn"、ALAPI 文档 URL、ALAPI token、ALAPI 接口示例、或希望接...
⭐ 0· 86·0 current·0 all-time
byAlone88@anhao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description describe ALAPI integration; included CLI script and templates implement exactly that. The skill does not request unrelated credentials or tools. Minor note: registry metadata lists no required env vars while the skill supports an optional ALAPI_TOKEN — this is reasonable (token is optional) but slightly inconsistent with a strict 'required' list.
Instruction Scope
SKILL.md accurately describes the CLI usage and limits scope to ALAPI operations (search/openapi/explore/call). It explicitly forbids echoing tokens and limits real calls to cases where the user explicitly requests a live call and provides a token. The instructions do not ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
There is no install spec — this is an instruction-only skill with included Python script and tests. No downloads or archive extraction are performed by the skill itself, so install risk is low. The README suggests an optional 'npx skills add' install, but that's ordinary package acquisition and not part of the skill's runtime.
Credentials
The only credential surface is ALAPI token usage (ALAPI_TOKEN or explicit --token). That is proportional to the skill's purpose; no unrelated secrets or broad environment access are requested. The SKILL.md/code enforce explicit-token precedence and avoid echoing tokens.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or global agent configuration, and has no persistent privilege escalation behavior. Agent autonomy remains platform-default and is not compounded by special privileges.
Assessment
This skill appears internally consistent and implements exactly what it claims: searching ALAPI, reading OpenAPI/docs, generating example code, and only performing live calls when you explicitly ask and provide a token. Before installing: (1) only provide your ALAPI token when you explicitly ask the agent to perform a live call; avoid pasting tokens into free-form chat messages; (2) review the included scripts (scripts/alapi.py) locally if you want extra assurance — they perform plain HTTPS requests to v3.alapi.cn and honor ALAPI_TOKEN or --token; (3) prefer installing from the official/expected repository URL instead of an unknown source; (4) if you plan to allow autonomous agent actions, remember a live-call will use any ALAPI_TOKEN in the environment or an explicit token you pass — ensure that environment variable is scoped appropriately. Overall: coherent and proportionate, but exercise normal caution with any token you hand to an agent.Like a lobster shell, security has layers — review code before you run it.
latestvk97bpf2448d7sm6b4wbbh9w0n984hn62
License
MIT-0
Free to use, modify, and redistribute. No attribution required.