Kim Msg Account Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward Kim/OpenClaw setup helper, but it handles Kim app secrets, installs a Kim plugin, and changes the OpenClaw gateway configuration.

Install only if you intend to connect Kim/Kuaishou IM to this OpenClaw instance. Review the plugin source or registry trust, be careful with appKey/secretKey/verificationToken handling, and confirm before allowing the scripts to change configuration or restart the gateway.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Kim app credentials may be entered into the agent/script and stored in OpenClaw configuration.

Why it was flagged

The skill writes and can later read Kim/OpenApi credentials from OpenClaw configuration. This is expected for configuring the Kim channel, but these credentials could authorize message sending or app access.

Skill content

openclaw config set channels.kim.secretKey "<用户提供的 secretKey>" ... openclaw config get channels.kim.secretKey

Recommendation

Use credentials for the intended Kim app only, avoid sharing secrets in chat if you prefer manual setup, consider encrypted configuration where available, and rotate the secret if it is exposed.

What this means

Installing the Kim plugin adds code from the configured npm registry to your OpenClaw environment.

Why it was flagged

The setup script installs an external OpenClaw plugin package. This is central to the skill’s purpose, but the installed package is unpinned and its code is not included in the reviewed artifacts.

Skill content

export npm_config_registry="https://npm.corp.kuaishou.com"
openclaw plugins install @ks-openclaw/kim

Recommendation

Confirm that the corporate registry and @ks-openclaw/kim package are trusted, and pin or review the plugin version where your environment supports it.

What this means

Running the script can change your OpenClaw runtime configuration and restart the gateway service.

Why it was flagged

The script changes OpenClaw configuration and can restart the gateway. These are high-impact local actions, but they are directly related to enabling the Kim channel and are gated by interactive prompts.

Skill content

openclaw config set channels.kim.appKey "$APP_KEY"
openclaw config set channels.kim.secretKey "$SECRET_KEY"
openclaw gateway restart

Recommendation

Run the setup only when you are ready to change the Kim channel configuration, and review the displayed settings before confirming.

What this means

People or groups allowed by the configured Kim application may be able to send messages that reach OpenClaw.

Why it was flagged

The skill enables an IM channel through which Kim messages can reach OpenClaw. This is the intended function, but it creates a new inbound communication path.

Skill content

Lets you exchange messages with your OpenClaw through Kim (Kuaishou IM)

Recommendation

Configure Kim app permissions, events, webhook token, and allowed users/groups so only intended messages reach your OpenClaw instance.