hi-light Ear Skill

v1.0.1

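Install, configure, and troubleshoot the HiLight OpenClaw plugin as a user-executable workflow. The user wants to connect OpenClaw to HiLight, install the `@art_style666/hi-light` plugin, write `channels["hi-light"]` into the OpenClaw configuration, update the HiLight API Key...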

by valo @gongcong
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual behavior: the skill collects an API key, installs @art_style666/hi-light via the openclaw CLI, writes channels["hi-light"] entries, validates config, and restarts the gateway. Small inconsistency: the registry metadata lists no required binaries, but the included script requires the 'openclaw' and 'node' commands (it checks for them at runtime). This is expected for the purpose but the manifest should declare those binaries.
Instruction Scope
SKILL.md and user-flow.md provide a narrowly scoped, user-facing workflow (ask for API key, optionally ask wsUrl, allow dry-run). The runtime script only uses OpenClaw CLI and node and updates OpenClaw config keys; it does not attempt to read arbitrary user files or external secrets. It does, however, persist the API key into OpenClaw configuration (channels["hi-light"].authToken), which is within the stated purpose but is sensitive and should be made explicit to the user (the docs do call it out).
Install Mechanism
No install spec in the skill bundle; the script uses the user's existing openclaw CLI to fetch and install the plugin. No external arbitrary downloads or archive extraction are included in the skill itself. The actual plugin install is delegated to openclaw plugins install (expected).
Credentials
The skill does not request environment variables or credentials in its manifest. The script requires the user to provide an API key as a CLI argument and then writes it into OpenClaw's config. That is proportionate to the stated purpose, but it means a secret will be stored in configuration; users should confirm where OpenClaw stores config and whether that file is protected. Also note the default 'allowFrom' is ['*'] which is permissive and may have security implications depending on what allowFrom controls.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request system-wide persistent privileges beyond using the openclaw CLI to update the OpenClaw configuration and restarting the gateway, which are consistent with the advertised setup task.
Assessment
Plain-language checklist before installing:
1) Confirm you trust the plugin author (@art_style666/hi-light) because the openclaw CLI will download and install that plugin.
2) Be aware the script will store your HiLight API key into your OpenClaw config (channels["hi-light"].authToken); verify where OpenClaw keeps that file and that its file permissions are appropriate.
3) The skill bundle did not declare required binaries, but the script requires the 'openclaw' and 'node' commands — ensure those are installed.
4) Use --dry-run first to preview changes and --skip-install if you only want to rotate credentials.
5) The default allowFrom value is ['*'] (potentially permissive); if you need tighter restrictions, provide a more restrictive --allow-from value.
6) If you want a non-default websocket endpoint, provide --ws-url; otherwise the script uses the default wss://open.guangfan.com/....
7) If you have concerns about where the API key will be stored or who can read it, do not proceed until you inspect OpenClaw's config storage and permissions.
8) If anything looks unexpected in the plugin source or the openclaw install process, stop and audit the plugin before continuing.

Like a lobster shell, security has layers — review code before you run it.
