Apiosk Publish
v1.1.0Publish and manage Apiosk gateway listings with signed wallet authentication, listing-group aware categorization, and update/delete operations.
⭐ 0· 658·0 current·0 all-time
by@obcraft
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the code and SKILL.md: all scripts call only https://gateway.apiosk.com and implement register/list/update/delete flows. Declared binaries (curl, jq, cast) and the wallet files are reasonable for the stated functionality. No unrelated services, credentials, or binaries are requested.
Instruction Scope
Runtime instructions and scripts stay within the publishing/management scope and only reference wallet files (~/.apiosk/*) and standard utilities. One minor mismatch: README references apiosk-skill/setup-wallet.sh creating ~/.apiosk/wallet.json, but that setup script is not included. Also, SKILL.md and scripts allow supplying the private key via APIOSK_PRIVATE_KEY or --private-key; the scripts then pass that key on the command-line to 'cast', which can expose it to local process listings.
Install Mechanism
No install spec; this is instruction-plus-shell-scripts only. Nothing is downloaded or written outside the repository except expected reads of ~/.apiosk/*. This is the lowest-risk install type.
Credentials
The skill reads wallet address/private_key from ~/.apiosk/wallet.json (or wallet.txt) and accepts APIOSK_PRIVATE_KEY and --private-key. Those are proportional to the task (signing management requests), but handling private keys is sensitive: passing a private key via environment variable or CLI arg may expose it to the environment or other local users/processes. The scripts do not transmit the raw private key to the remote gateway (they send only signatures), which is appropriate.
Persistence & Privilege
always is false and the skill does not modify system-wide configuration or other skills. It reads wallet files under ~/.apiosk/ and writes nothing outside the repo—no elevated persistence requested.
Assessment
This skill appears to do what it says: sign and call Apiosk gateway endpoints. Before use, review and consider the following:
- Private-key handling: avoid putting long-term/large-value private keys in APIOSK_PRIVATE_KEY or passing them on the command line. CLI args can be visible to other local users via process listings; prefer a securely permissioned ~/.apiosk/wallet.json with restricted file permissions or a signing workflow that uses a hardware wallet.
- Verify the skill's origin: source/homepage are listed as unknown/none; the package metadata references a GitHub repo—if you plan to use it, fetch the repository from the official source and inspect it yourself rather than trusting a copy from an unknown origin.
- Missing setup script: README mentions a setup-wallet.sh but it isn't included. Verify how you will create ~/.apiosk/wallet.json and ensure that script (if used) is trustworthy.
- Run in a restricted environment: if you're unsure, run these scripts in an isolated machine/container and test with a wallet that holds minimal funds.
- Confirm 'cast' is the expected local Foundry binary and not a malicious replacement on PATH.
If you want higher assurance, request the canonical upstream repository or a signed release and/or have someone audit how private keys are loaded and invoked.Like a lobster shell, security has layers — review code before you run it.
latestvk973rt6kv7nhan9k17zmqvdgcd81x0dw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.