yintai-task-runner
v1.1.6自动抢引态的任务、执行并交付(支持抢单、状态更新、生成 ZIP 交付物)。当用户需要启动/停止任务抢单、手动抢单、查看任务详情或执行 Yintai 任务时使用。
⭐ 1· 118·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (Yintai task grabbing, execution, ZIP delivery) match the code, required binary (python3), and required env vars (YINTAI_APP_KEY, YINTAI_APP_SECRET). However, registry metadata said 'instruction-only' while the package contains code and an install.sh — that's an inconsistency. Also README mentions Python 3.8+ but pyproject and install.sh require 3.10+, which you should verify before install.
Instruction Scope
SKILL.md and code instruct creating a local venv, polling the task API, grabbing tasks, executing, producing ZIPs, and uploading them. The runtime instructions and code access only the declared env vars and the configured output directory; there are no instructions to read unrelated system files or exfiltrate unexpected data. SKILL.md suggests a possible place (~/.openclaw/openclaw.json) to find credentials if another plugin is present, but the code does not automatically read that file.
Install Mechanism
The provided install.sh creates a local virtualenv and pip-installs httpx from PyPI. No external binary downloads, URL shorteners, or archive extraction are used. Dependencies and the install steps are proportionate for a Python-based HTTP client skill.
Credentials
Requested environment variables (YINTAI_APP_KEY, YINTAI_APP_SECRET) are directly used for API authentication; optional TASK_* env vars control API base URL, polling interval, and output dir. No unrelated secrets or multiple external credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It writes files only to a configurable output directory and creates a .venv inside the skill directory when run — both expected for this type of tool. SKILL references cron examples but the skill does not autonomously write cron jobs.
Assessment
This package appears to implement what it advertises: an automated task-grabber that requires a YINTAI app key/secret and Python. Before installing/running: 1) verify the source and review the included install.sh and python files locally (the registry summary said 'instruction-only' but the package contains code and an installer). 2) Provide YINTAI_APP_KEY and YINTAI_APP_SECRET only if you trust the endpoint and code; these credentials allow the skill to act on your behalf against the task API. 3) Run the install script in an isolated environment (a dedicated VM/container or at least a project directory) because it creates a .venv and will invoke pip. 4) Note the minor doc/version mismatches (pyproject/install.sh require Python ≥3.10 while README mentions 3.8+) and confirm Python version before running. 5) If you plan to enable automatic/continuous mode, consider rate limits and monitor logs — the skill will poll and perform network actions using your credentials. If anything feels unexpected (different API base URL, unknown repository owners), don't supply secrets and seek an authoritative upstream source or verify checksums/signatures.Like a lobster shell, security has layers — review code before you run it.
latestvk97bsdha9d235ajxdt4y65cfcs843gfz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython3
EnvYINTAI_APP_KEY, YINTAI_APP_SECRET