lin-skill-demo
v1.0.1 Paid skill example template - with license verification, demonstrating how to publish a paid skill on ClawHub
by @lintqiu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, skill.json, and the Python scripts all align: the skill is a paid-skill demo that requires SKILL_LICENSE_KEY and performs a local license check. No unrelated environment variables, binaries, or install steps are requested.
Instruction Scope
Runtime instructions only require setting SKILL_LICENSE_KEY. The code performs a purely local hash comparison to validate the key. There is a commented-out example of performing a network POST to a verification server—currently inactive—but if someone enabled that, the skill could contact an external endpoint. No files or other system paths are accessed.
Install Mechanism
No install spec (instruction-only with bundled scripts). Nothing is downloaded or written to disk during install by this package itself.
Credentials
Only one required environment variable (SKILL_LICENSE_KEY) is declared and used. This is proportionate to the stated purpose. The skill does not request any other credentials or config paths.
Persistence & Privilege
always is false and the skill makes no modifications to other skills or global agent configuration. It does not request persistent privileges beyond its own runtime.
Assessment
This skill is coherent: it only needs SKILL_LICENSE_KEY and checks it locally. However, note: (1) the demo uses a hard-coded expected hash (demo-license-123) and a hard-coded salt in the script, so the demo license can be discovered by reading the code; do not treat this as a secure licensing scheme; (2) there is commented-out code that would enable server-side verification; if you or an upstream author enables it, the skill could make network calls to external servers, so review the target URL before enabling; (3) if you plan to use this for real paid functionality, move verification to a secure server-side flow, replace the hard-coded salt and expected hashes, and avoid embedding verifier logic that can be bypassed. If you are comfortable with it as a demo, it is safe to install; if you expect real license enforcement, request or implement server-side validation and review the buy URL/endpoint.
Like a lobster shell, security has layers: review code before you run it.
