ClawHub

xianyu-api-client-skill

v1.0.2

Secure and reliable API client for Xianyu Guanjia Open Platform with authentication, signing, and error handling.

1· 122·1 current·1 all-time
by@crab-xieyujin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, SKILL.md, and code all describe a Python API client for Xianyu (闲鱼管家). The required environment variables (XIAN_YU_APP_KEY, XIAN_YU_APP_SECRET) and the python binary are appropriate and expected for this purpose. The client talks to open.goofish.pro/api host, which matches the declared homepage (goofish.pro).
Instruction Scope
SKILL.md contains usage instructions limited to configuring keys (env or code), calling client methods, and confirmation flows for sensitive operations. The instructions do not ask the agent to read unrelated files, harvest other credentials, or exfiltrate data. Minor note: SKILL.md version (1.0.3) differs from registry version (1.0.2), which is likely benign but worth noting.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. A Python source file is bundled; it uses standard library modules and makes HTTPS calls to open.goofish.pro. No external downloads, obscure URLs, or archive extraction are present.
Credentials
The skill only requires two environment variables: XIAN_YU_APP_KEY and XIAN_YU_APP_SECRET. Those are exactly the credentials needed to authenticate to the described API. No unrelated secrets or broad system credentials are requested.
Persistence & Privilege
The skill does not request permanent/always-on inclusion (always:false). It does not modify other skills or system-wide settings. Model invocation is enabled (platform default), which is normal for a user-invocable skill.
Assessment
This skill appears to be a straightforward Python client for the Xianyu Guanjia API and only needs your app key and secret. Before installing: (1) Verify you trust the vendor/endpoint (https://goofish.pro / open.goofish.pro) because the client sends network requests there; (2) keep credentials in environment variables or a secrets manager and rotate them regularly; (3) review the bundled __init__.py (it is short and only performs signed POSTs) and test with a limited-permission/test account first; (4) note the small version mismatch between registry (1.0.2) and SKILL.md (1.0.3)—not necessarily malicious but worth confirming with the publisher. If you do not want the agent to call this autonomously, disable autonomous invocation in your agent settings.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a4y7bk016v090hax7dccxnx83sp59

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython
EnvXIAN_YU_APP_KEY, XIAN_YU_APP_SECRET
Primary envXIAN_YU_APP_KEY

Comments