Chanjing Credentials Guard
v1.0.7
Guide users to configure local Chanjing credentials safely via local commands only, and validate local token status when needed.
by @binkes
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, manifest, and the three Python scripts all focus on local credential guidance: opening a login page, prompting the user to run local commands, reading/writing ~/.chanjing/credentials.json, and calling the Chanjing token API. There are no unrelated credentials, extra cloud permissions, or surprising binaries requested. (Minor metadata mismatch: registry version 1.0.7 vs manifest version 0.1.0 — likely a release metadata inconsistency, not a functional issue.)
Instruction Scope
Runtime instructions limit actions to local guidance: open login page, show commands, run local scripts to read/write credentials, and call Chanjing's token endpoint when refreshing tokens. The SKILL.md explicitly forbids asking for secrets in chat and the scripts implement only the described local file operations and API call. No instructions reference unrelated system files or exfiltrate data to non-Chanjing endpoints.
Install Mechanism
Instruction-only with bundled Python scripts; no install spec and no remote archive downloads. Lowest-risk install profile.
Credentials
No required environment variables; optional env vars (CHANJING_OPENAPI_CREDENTIALS_DIR, CHANJING_OPENAPI_BASE_URL) are directly relevant and are honored by the scripts (they also accept legacy names for compatibility). The skill persists access_token to disk as documented — this is expected for a token-refresh helper and is declared in manifest.credentials.
Persistence & Privilege
agentPolicy.alwaysSkill is false and the skill does not request elevated or cross-skill privileges. It may open the user's browser and run included Python scripts (allowed in manifest). It writes only to the declared credentials directory. Autonomous invocation is allowed by default but is not combined with any broad or surprising privileges here.
Assessment
This skill appears coherent and does what it says: it helps you open the Chanjing login page, instructs you to run local commands, stores AK/SK and an access token in ~/.chanjing/credentials.json (or a directory you set via CHANJING_OPENAPI_CREDENTIALS_DIR), and refreshes tokens by POSTing to open-api.chanjing.cc. Before installing/using: (1) confirm you trust the Chanjing endpoints (open-api.chanjing.cc and www.chanjing.cc), (2) be aware the token and keys are persisted on disk (file permissions are set to be restrictive where possible), so protect that filesystem location and rotate keys if exposed, (3) note that the base API URL can be changed by CHANJING_OPENAPI_BASE_URL — only set that to a trusted host, and (4) the registry metadata version vs manifest version differs (minor inconsistency worth noticing). The skill explicitly instructs not to request secrets in chat, which aligns with good practice.
Like a lobster shell, security has layers — review code before you run it.
latest vk976yfxpnpphc7k8db4tvvwpzd83pbfe
