ClawHub

Kimi Integration

v1.0.0

Step-by-step guide for integrating Moonshot AI (Kimi) and Kimi Code models into Clawdbot. Use when someone asks how to add Kimi models, configure Moonshot AI, or set up Kimi for Coding in Clawdbot.

5· 3.4k·12 current·12 all-time
by@evgyur
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and other files clearly require two provider API keys (MOONSHOT_API_KEY and KIMICODE_API_KEY) and show provider endpoints; however, the skill's registry metadata lists no required environment variables or primary credential. That mismatch (metadata says 'none' but runtime needs secrets) is an incoherence that should be resolved before trusting the skill.
Instruction Scope
Instructions stay within the expected scope (editing clawdbot.json, exporting environment variables, restarting gateway, and testing endpoints with curl). Points to note: it advises echoing keys into ~/.env and also shows storing keys directly in Clawdbot config (the README acknowledges this is less secure). The connection-test script makes direct network calls to external endpoints (expected for this purpose).
Install Mechanism
No install spec — instruction-only with a small test script. Nothing is downloaded or installed automatically, which lowers risk.
!
Credentials
Requiring two API keys (one per provider) is reasonable for adding external model providers, but the declared metadata omitted these env vars. Additionally the docs show patterns that encourage placing keys in files/config (echo to ~/.env, or embedding in Clawdbot config) which is less secure and should be discouraged; the skill should declare required env vars in metadata and avoid recommending insecure storage by default.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges; it does not attempt to modify other skills' configs. It runs a benign test script that performs network calls to the declared provider endpoints.
What to consider before installing
Before installing: (1) Understand that this skill needs two secrets (MOONSHOT_API_KEY and KIMICODE_API_KEY) even though the registry metadata doesn't declare them — verify and set them yourself only after confirming the providers and keys are legitimate. (2) Prefer storing API keys in a secure secret store or environment variables rather than echoing them into ~/.env or embedding them in config files. (3) Verify the provider domains (platform.moonshot.cn and api.kimi.com) are correct and trustworthy for your organization. (4) Inspect and run scripts (scripts/test_kimi_connection.sh) in an isolated environment if you're unsure; the script makes live network calls to the provider endpoints. (5) Ask the skill author or registry maintainer to update metadata to declare required env vars and provide a homepage/owner contact; lack of those increases risk. If you cannot verify the provider domains or the skill author, do not install or run the test script with real API keys.

Like a lobster shell, security has layers — review code before you run it.

latestvk971mc2jtehqrs6cz2d962yzzx800139

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments