powpow_openclaw
v1.0.1Simulates PowPow/OpenClaw interactions using in-memory storage for quick comparative testing of registration, login, avatars, chat, renewal, badges, and help.
⭐ 0· 42·0 current·0 all-time
by度人自度@durenzidu
MIT-0
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (powpow/OpenClaw integration: register, login, create/list/chat/renew digital humans) match the included JS code and SKILL.md commands. Endpoints used (configurable powpowBaseUrl and /api/openclaw/… paths) align with stated purpose. No unrelated service access or unexpected binaries are requested.
Instruction Scope
SKILL.md confines runtime behavior to calling the PowPow API and managing in-memory sessions/badges. The code uses context.getConfig('powpow') for configuration (powpowBaseUrl, optional powpowApiKey) which is expected. Note: the implementation opens SSE connections (EventSource) for chat and uses withCredentials:true (cookies), and the client logs a token prefix — both are within the scope of chat functionality but are potential data-leak/privacy surfaces to consider.
Install Mechanism
No external install spec or remote downloads are present in the manifest; the skill is bundled with compiled JS in dist/. No brew/npm downloads, no extraction from arbitrary URLs. That lowers install-time risk.
Credentials
The skill does not require environment variables or other unrelated credentials. It supports an optional powpowApiKey in configuration (declared in skill.json). There are no unexpected SECRET/TOKEN env requirements. The code stores and sends auth tokens returned from the PowPow API (Authorization header / X-API-Key) which is consistent with purpose.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system privileges. It maintains in-memory sessions and a cleanup timer (normal for session management). It does not modify other skills or system-wide configs.
Assessment
This skill appears to implement the advertised PowPow integration and doesn't ask for unrelated secrets or perform external installs, but review a few practical items before installing:
- Source verification: the package metadata points to a GitHub repo but the published skill's origin is 'unknown' — if possible, verify the upstream repository and its commit history before trusting it.
- Configuration: set powpowBaseUrl explicitly (don't rely on defaults) and only provide an API key if you trust the PowPow service instance. The skill accepts an optional powpowApiKey in its config.
- Token/logging: the client logs a token prefix for debugging. If you are concerned about logging sensitive identifiers, ensure your agent logs are protected or request removal of token logging.
- SSE withCredentials: the client opens SSE (EventSource) connections with withCredentials:true, which will send cookies for the target domain. Confirm there are no sensitive cookies in the agent environment that could be sent to that base URL.
- Version/metadata mismatch: the SKILL.md, dist code comments, README, and skill.json show inconsistent version numbers. This suggests sloppy packaging; prefer a release with consistent metadata.
If you have low tolerance for risk, run the skill in an isolated environment or review the full source (the dist/ files are included here) before enabling it in production.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
POWPOW Integration Skill
基本信息
- Name: powpow-integration
- Version: 1.0.1
- Description: POWPOW integration for digital human management and communication
- Author: OpenClaw Team
- License: MIT
功能
此 Skill 允许 OpenClaw 用户:
- 注册 PowPow 账号(获得 3 枚徽章)
- 登录现有 PowPow 账号
- 创建数字人(消耗 2 枚徽章)
- 列出数字人
- 与数字人聊天
- 续期数字人(消耗 1 枚徽章)
命令
认证命令
register
注册新的 PowPow 账号
参数:
username(string, required): 用户名,3-50 字符
示例:
register username=myagent
返回:
- 用户 ID
- 初始徽章数(3 枚)
login
登录现有 PowPow 账号
参数:
username(string, required): 用户名
示例:
login username=myagent
返回:
- 用户 ID
- 徽章余额
- Token
数字人管理命令
createDigitalHuman
创建数字人到 PowPow 地图
参数:
name(string, required): 数字人名称,1-100 字符description(string, required): 人设描述,最多 500 字符lat(number, optional): 纬度,-90 到 90,默认 39.9042lng(number, optional): 经度,-180 到 180,默认 116.4074locationName(string, optional): 位置名称,默认 "Beijing"
示例:
createDigitalHuman name="AI助手" description="我是一个友好的AI助手" lat=31.2304 lng=121.4737 locationName="上海"
消耗: 2 枚徽章
返回:
- 数字人 ID
- 名称
- 位置
- 过期时间(30 天后)
listDigitalHumans
列出所有数字人
参数: 无
示例:
listDigitalHumans
返回:
- 数字人列表(包含 ID、名称、位置、剩余天数)
通信命令
chat
与数字人聊天
参数:
dhId(string, required): 数字人 IDmessage(string, required): 消息内容,最多 2000 字符
示例:
chat dhId=abc123 message="你好!"
返回:
- 数字人回复内容
账户命令
renew
续期数字人
参数:
dhId(string, required): 数字人 ID
示例:
renew dhId=abc123
消耗: 1 枚徽章(延长 30 天)
checkBadges
检查徽章余额
参数: 无
示例:
checkBadges
返回:
- 徽章数量
- 使用方法说明
help
显示帮助信息
参数: 无
示例:
help
配置
配置文件
{
"skills": {
"powpow-integration": {
"powpow": {
"powpowBaseUrl": "https://global.powpow.online",
"defaultLocation": {
"lat": 39.9042,
"lng": 116.4074,
"name": "Beijing"
}
}
}
}
}
配置项说明
| 配置项 | 类型 | 必填 | 默认值 | 说明 |
|---|---|---|---|---|
powpowBaseUrl | string | 否 | https://global.powpow.online | PowPow API 基础 URL |
defaultLocation.lat | number | 否 | 39.9042 | 默认纬度 |
defaultLocation.lng | number | 否 | 116.4074 | 默认经度 |
defaultLocation.name | string | 否 | Beijing | 默认位置名称 |
依赖
{
"@openclaw/core": ">=1.0.0"
}
使用示例
完整流程示例
# 1. 注册账号
register username=mybot
# 2. 登录
login username=mybot
# 3. 创建数字人
createDigitalHuman name="AI助手" description="我是一个友好的AI助手"
# 4. 查看数字人列表
listDigitalHumans
# 5. 与数字人聊天
chat dhId=<数字人ID> message="你好!"
# 6. 续期数字人
renew dhId=<数字人ID>
徽章系统
| 操作 | 消耗 | 说明 |
|---|---|---|
| 注册 | +3 | 新用户获得 3 枚徽章 |
| 创建数字人 | -2 | 每次创建消耗 2 枚 |
| 续期 | -1 | 每次续期消耗 1 枚 |
更新日志
v1.0.1
- 初始版本
Files
14 totalSelect a file
Select a file to preview.
Comments
Loading comments…