ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Add NewCLI Provider (Claude/GPT/Gemini)

v3.2.0

为 OpenClaw 配置 code.newcli.com 作为模型源,包含四个 provider:newcli(Claude 主线路)、newcli-aws(Claude AWS 特价线路,消耗 1/24)、newcli-codex(GPT 系列)、newcli-gemini(Gemini 系列)。适用于需要接入 Claude 或 GPT 模型的场景。包含 provider 注册、模型定义、别名配置、fallback 链接入和验证的完整流程。当管理员说想"加 Claude"、"加 GPT"、"配 newcli"、"加 fox 源"、"接入 Claude 模型"、"接入 GPT 模型"、"加 codex"、"加 aws 线路"时使用此 skill。

0· 1.1k·1 current·1 all-time
by@jooey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the content: the SKILL.md documents registering multiple providers (Claude/GPT/Gemini) backed by code.newcli.com and shows how to test and add them to ~/.openclaw/openclaw.json. There are no unrelated requirements (no binaries, env vars, or external services demanded).
Instruction Scope
Runtime instructions are limited to: testing endpoints via curl with the user's NewCLI API key, selecting available models, and editing the OpenClaw providers config. The guide does not instruct the agent to read arbitrary files, exfiltrate other credentials, or call unexpected endpoints beyond code.newcli.com. It does include a referral link and a warning from the provider about not sharing the AWS-special endpoint.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written by the skill itself. This is the lowest-risk install model.
Credentials
No environment variables or primary credentials are requested by the skill. It expects the user to obtain a NewCLI API Key (appropriate and proportionate for configuring a third-party model proxy). No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is user-invocable, not always-enabled; it directs edits to the user's OpenClaw config (~/.openclaw/openclaw.json), which is appropriate for provider registration. It does not request elevated or persistent system-wide privileges.
Assessment
This skill is internally consistent, but take these precautions before installing: 1) Verify you trust code.newcli.com (a third-party proxy that forwards Anthropic/OpenAI/Google APIs); using such proxies can affect billing, privacy, and terms-of-service with the original providers. 2) Keep your NewCLI API key secret—do not commit ~/.openclaw/openclaw.json to public repositories and avoid pasting keys into logs or chat. 3) Test models with minimal requests first (the SKILL.md shows safe curl examples). 4) The provider claims an "AWS special" low-cost endpoint and asks it not be shared — that may indicate contractual or abuse-risk concerns; confirm with the provider and your organization whether using/obscuring such endpoints is acceptable. 5) The README contains a referral link (monetization bias); this doesn't affect functionality but be aware of possible incentives. If you need greater assurance, ask the skill author for a service homepage, audit the NewCLI service, or perform tests with a throwaway account/API key before adding production credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk979x0kxvb2w2cfh27frdarvqh80tq5v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments