西之月登录
v0.1.1西之月账号扫码登录技能。当用户说“登录西之月”、“西之月扫码登录”、“获取西之月登录二维码”、 “刷新西之月登录态”,或其他技能检测到缺少有效西之月 access_token 时,应立即触发此技能。 执行完整登录流程:获取二维码 -> 向用户展示二维码 -> 轮询扫码状态 -> 保存 access_token、...
⭐ 1· 73·0 current·0 all-time
by@jader
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The skill's name, SKILL.md, and code consistently implement a Westmoon QR-login flow and persist tokens under ~/.westmoon-user-login. One minor inconsistency: Config.BASE_URL uses api-x.westmonth.com (note the extra 't' in 'westmonth') while the skill and docs refer to 'westmoon'—verify the intended API host.
Instruction Scope
Runtime instructions (SKILL.md) align with the code: generate QR, decode/save image, poll status, fetch user info, and persist tokens. The code only reads/writes files under the dedicated ~/.westmoon-user-login directory and does network calls to the configured BASE_URL endpoints.
Install Mechanism
No install spec is provided (instruction-only metadata), but the bundle includes Python scripts and requirements.txt (requests). Installing or running the skill will require Python and the requests package; there is no remote download of arbitrary code or installers in the manifest.
Credentials
The skill requests no environment variables or external credentials. It stores tokens locally (tokens.json) which is appropriate for a login manager. File permissions are set to restrict access (directory 700, token temp file 600).
Persistence & Privilege
The skill persists tokens to the user's home directory for reuse and agents/openai.yaml sets allow_implicit_invocation: true so it can be triggered when other skills see a missing token — this is coherent for a login helper but be aware it can be invoked automatically by other skills when they detect a missing/expired token.
Assessment
This skill appears to do exactly what it says: generate a Westmoon QR, poll for confirmation, and save tokens to ~/.westmoon-user-login/tokens.json. Before installing, consider: 1) Verify the API host: the code uses api-x.westmonth.com while the skill name/docs say Westmoon—confirm this is the correct endpoint. 2) The skill writes auth tokens to your home directory (files are created with restrictive perms but still stored on disk); if you share the machine or are concerned about persistence, don't keep tokens or remove them after use. 3) Review the included Python scripts yourself if you can; they are small and readable. 4) The skill requires the requests package (requirements.txt). 5) Because the skill can be invoked implicitly by other skills (allow_implicit_invocation), only enable it if you trust automatic triggering in your agent environment. If anything seems off (unexpected host, unfamiliar owner), do not install and verify the official Westmoon integration source first.Like a lobster shell, security has layers — review code before you run it.
latestvk972pd534svbpfdp64r202mvv184kjwp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.