qwencloud-ops-auth
v0.1.0[QwenCloud] Configure authentication (API keys, endpoints). TRIGGER when: setting up QWEN_API_KEY, troubleshooting 401/auth errors, when another skill report...
⭐ 0· 63·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name and description match the content: the SKILL.md focuses on configuring and validating QwenCloud API keys, endpoints, and optional OSS credentials. The env vars, endpoint guidance, and coding-plan distinctions are relevant to an auth/config helper.
Instruction Scope
The instructions are narrowly scoped to auth setup and verification (creating .env placeholders, checking key formats, verifying endpoints). They also include filesystem discovery and an optional step to append a skills block to local agent config files (CLAUDE.md / AGENTS.md). That file modification is gated by 'Ask the user before modifying any file.' The skill explicitly forbids outputting plaintext secrets and says to avoid automatically fetching the listed URLs.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes installation risk (nothing is downloaded or executed). The only external dependency mentioned is the optional OSS Python SDK for custom OSS flows, which is reasonable for that feature and is documented.
Credentials
The SKILL.md references multiple secret env vars (DASHSCOPE_API_KEY / QWEN_API_KEY alias, QWEN_TMP_OSS_* and fallback OSS_ACCESS_KEY_*, etc.). Those variables are appropriate for an auth helper. Registry metadata lists no required envs, so there is a small metadata mismatch (the skill uses secrets but doesn't declare them in the registry), and users should understand the skill will ask about/inspect these variables and may advise creating .env files containing them.
Persistence & Privilege
always:false and no persistent installers. The only persistence-related action is appending a registration block to agent config files; the skill instructs to prompt the user before creating or modifying files. Agent autonomous invocation is allowed by default (normal for skills) but not combined with any other high privilege.
Assessment
This skill appears to do what it says: help you configure and validate QwenCloud API keys and optional OSS credentials. Because it deals with secrets, follow these precautions before using it: (1) Do not paste API keys into chat — follow the skill's guidance to add placeholders and let the agent only write real keys to .env if you explicitly instruct it to do so. (2) When asked to allow file changes (creating/appending .env or editing agent config files), confirm exactly which file and review the change before permitting it. (3) Prefer creating and managing keys manually in the console and use least-privilege OSS credentials. (4) Note the registry did not declare required env vars even though the skill references many secret vars — review SKILL.md and referenced files yourself. If you need higher assurance, run the steps manually or inspect the skill files before allowing the agent to modify anything.Like a lobster shell, security has layers — review code before you run it.
latestvk97f3rwj9m63wzxe2sr6ynn8kn83wc7f
License
MIT-0
Free to use, modify, and redistribute. No attribution required.