ClawHub

Fx Base

v1.1.0

fenxiang-ai 后端公共基础模块:API 认证校验(FX_AI_API_KEY)、请求封装(POST + Bearer Token)、 通用错误处理(missing_api_key / api_unavailable / api_error)。 这是基础依赖 skill,被其他领域 skill(如 fan...

0· 46·0 current·0 all-time
by@fangshan101-coder
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description state this is a backend common module for fenxiang-ai and the skill only requests FX_AI_API_KEY and exposes helper functions to POST to the declared FX_BASE_URL. The requested environment variable and exported functions are consistent with the stated purpose.
Instruction Scope
SKILL.md and the provided script instruct dependent domain skills to import the library, validate FX_AI_API_KEY, POST JSON to the specified FX_BASE_URL, and handle errors. The instructions do not read unrelated files, config paths, or other environment variables. They explicitly state that user data will be sent to the fenxianglife endpoint.
Install Mechanism
There is no install spec (instruction-only), and the code file is small and readable. Nothing is downloaded or extracted during install by the skill itself.
Credentials
Only one env var (FX_AI_API_KEY) is required and it is the primary credential used for authenticating requests to the declared external API. The request for a single API key is proportionate to the described HTTP client role.
Persistence & Privilege
The skill is not marked always:true and does not attempt to modify other skills or system configuration. It will be imported by other skills at runtime; autonomous invocation is allowed (platform default) but not elevated here.
Assessment
This skill appears to be what it claims: a small shared HTTP client that validates FX_AI_API_KEY and sends JSON to https://api-ai-brain.fenxianglife.com. Before installing, verify you trust the fenxiang-ai service and the skill publisher (no homepage is provided). Note that any data passed to fxPost is transmitted to the external API and the FX_AI_API_KEY will be included in request headers — avoid using a highly privileged key or sending sensitive secrets you wouldn't want sent to that domain. Also confirm your Node runtime supports fetch if you will run the script. If you need stronger assurance, review the skill owner/repo provenance or request hosted package metadata from the publisher.
scripts/fx-api.mjs:11
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk976pt4h4j2s90tdhc9vg5qjcd845b35

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvFX_AI_API_KEY
Primary envFX_AI_API_KEY

Comments