Ruby On Rails Gateway
v1.0.0Configure and operate a Ruby On Rails Agent Gateway integration from the OpenClaw side for briefing pull workflows. Use when setting up OpenClaw to read app...
⭐ 2· 441·0 current·0 all-time
byJesse Waites@jessewaites
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Skill purpose (Rails Agent Gateway briefing pulls) matches the actions described in SKILL.md (curl/helper script + bearer token + path secret). However the registry metadata lists no required environment variables or config paths while the SKILL.md explicitly requires AGENT_GATEWAY_TOKEN and AGENT_GATEWAY_SECRET (and optionally RAILS_GATEWAY_URL/RAILS_GATEWAY_TOKEN). The missing declarations are an incoherence: the skill will need secrets despite metadata claiming none.
Instruction Scope
Instructions direct the agent to perform network fetches against a user-provided Rails endpoint and to run a local helper script at /home/node/.openclaw/workspace/scripts/rails-gateway-briefing when present. The SKILL.md asks to read environment variables and to show exact export commands if env vars are missing. These behaviors are consistent with the stated purpose but reference a specific filesystem path and expect sensitive env vars — neither of which are declared in the registry metadata. The guidance to 'show exact export commands' could lead to accidentally revealing secrets if not handled carefully.
Install Mechanism
No install spec or bundled code is present (instruction-only), which reduces supply-chain risk. However the skill assumes an external Ruby gem is mounted on the Rails app and optionally a helper script exists in the agent workspace; those artifacts are not provided by the skill and must be verified/trusted separately.
Credentials
Requesting a bearer token (AGENT_GATEWAY_TOKEN) and a path secret (AGENT_GATEWAY_SECRET) is proportionate to the skill's function, but the registry metadata does not declare these required env vars. The omission means users may not realize they must supply sensitive credentials. The skill also mentions RAILS_GATEWAY_URL/RAILS_GATEWAY_TOKEN as alternatives — multiple secret-bearing variables increase risk if not documented and handled properly.
Persistence & Privilege
The skill does not request persistent/always-on inclusion and does not modify other skills or global agent settings. It operates at runtime and, as written, performs read-only pulls unless the user explicitly requests write actions.
What to consider before installing
This skill appears to do what it says (pull read-only briefing data from a Rails '/agent-gateway/.../briefing' endpoint), but the SKILL.md requires sensitive env vars (AGENT_GATEWAY_TOKEN, AGENT_GATEWAY_SECRET) and references a local helper script while the registry metadata lists none. Before installing: 1) Verify you actually need to provide the bearer token and path secret and that you understand where they'll be stored; prefer using a scoped, read-only token and rotate it frequently. 2) Confirm the helper script path (/home/node/.openclaw/workspace/scripts/rails-gateway-briefing) and its contents — do not run or trust scripts you haven't inspected. 3) Be cautious when the skill asks to 'show exact export commands' — never paste secrets into public chat or logs; provide values via secure secrets management. 4) Ensure the target RAILS_GATEWAY_URL is your known app (no unexpected third-party endpoints). 5) If metadata/packaging doesn't declare required env vars, ask the publisher for an updated manifest that explicitly lists needed credentials and any filesystem accesses; if you can't verify those, treat the skill as higher risk.Like a lobster shell, security has layers — review code before you run it.
latestvk9795n22ev9xx75zv78j4x8rd581pftf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.