Kim Msg Skill

v1.2.0

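Kuaishou Kim instant-messaging message sending. Supports two methods, Webhook (group chat) and message account (specific user), with built-in smart key loading and a fallback mechanism. Suitable for notifications, alerts, daily reports and similar scenarios. Official site: https://kim.kuaishou.com/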

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
Name/description, README, SKILL.md and scripts all describe sending Kim messages via webhook or appKey/secret, which matches the code. However the skill metadata declares no required env vars or config paths even though the scripts require KIM_WEBHOOK_TOKEN or KIM_APP_KEY/KIM_SECRET_KEY and will look in ~/.openclaw/.secrets, ~/.kim_credentials, and ./kim_credentials. The omission in metadata is an incoherence that hides what the skill actually needs to access.
! Instruction Scope
The runtime instructions and shipped scripts explicitly read environment variables and fall back to reading local credential files in the user's home and current directory. They only contact the Kim endpoints described in SKILL.md and do not call unexpected external endpoints, but the fallback behavior reads a potentially broad 'Unified secrets' file (~/.openclaw/.secrets) which may contain unrelated secrets. The SKILL.md claims the script will not expose file paths, but it does read those files locally — this scope expansion should be called out to users.
Install Mechanism
No install script or remote downloads are present — the skill ships small local scripts and a Node script only. No installers or external archives are fetched, so installation risk is low.
! Credentials
The credentials the code needs (KIM_WEBHOOK_TOKEN, KIM_APP_KEY, KIM_SECRET_KEY) are proportionate to the stated purpose. But the skill metadata does not declare these env vars or the config file paths. More importantly, the fallback will open ~/.openclaw/.secrets which is described as 'OpenClaw unified key management' and could contain many unrelated secrets — reading that file for a single-service key is broader access than a user might expect.
Persistence & Privilege
The skill does not request permanent/always-on inclusion, does not modify other skills or system-wide config, and does not persist credentials beyond using environment variables or local files. It runs only when invoked.
What to consider before installing
Before installing, be aware of three things:
1) Metadata mismatch — the registry entry lists no required env vars or config paths but the scripts require KIM_WEBHOOK_TOKEN or KIM_APP_KEY/KIM_SECRET_KEY and will search ~/.openclaw/.secrets, ~/.kim_credentials, and ./kim_credentials. Expect the skill to read those files.
2) Least-privilege recommendation — prefer exporting the specific KIM_* environment variables rather than keeping a broad ~/.openclaw/.secrets file that may contain unrelated credentials. If you must use files, set strict permissions (chmod 600) and verify the file contents only include what you intend to expose.
3) Code review and provenance — the code contacts only Kim endpoints documented in SKILL.md, but the package lacks a homepage and the source is listed as unknown; SKILL.md and README reference a GitHub repo. Inspect that upstream repository (and commit history), verify checksums, and run the scripts in a safe environment (or test account) if you have sensitive secrets in ~/.openclaw/.secrets.
If you cannot inspect the files or prefer not to risk reading shared secrets, reject or sandbox the skill and supply credentials via dedicated environment variables instead.

Like a lobster shell, security has layers — review code before you run it.
