Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jisuai-auto
v1.0.0一键配置 OpenClaw 对接 aicodee.com MiniMax 模型中转服务。当用户需要配置、设置、激活 aicodee 的 MiniMax API 时触发。触发词:jisuai-auto、配置jisuai、配置爱代码、配置MiniMax。
⭐ 0· 81·0 current·0 all-time
by@outrice
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The script's goal (add an aicodee MiniMax provider and switch the default model) matches the skill description. However the code uses a hard-coded Windows path (C:\Users\Rice\.openclaw\openclaw.json) and the skill metadata did not declare any required config path; that mismatch is unexpected and suggests poor portability or a misconfiguration that should have been declared.
Instruction Scope
SKILL.md instructs the agent to extract the API Base URL and API Key from user messages and then run the local script which directly reads/writes a local openclaw.json. Automatically parsing user messages for API keys can cause accidental exposure of secrets; the instructions give the agent broad discretion to parse messages for secrets and do not require explicit user confirmation or declare the local path being modified.
Install Mechanism
No install spec; the skill is instruction+script only. Nothing is downloaded or written at install time beyond running the included Python script when invoked.
Credentials
The skill requests no environment variables, but it does require write access to the user's OpenClaw config file; that required config path is not declared in metadata. The API key is expected to be provided in chat messages (not via a declared secret input), which is disproportionate and risky for secret handling. The API-key regex in SKILL.md looks malformed (contains 'sk-\|sk3') and may fail to match or behave unexpectedly.
Persistence & Privilege
The skill is not always-on and does not request elevated platform privileges. It does modify a user configuration file (overwriting openclaw.json entries) when run, which is within its claimed purpose but is a significant change to user settings and should be made explicit and reversible (backup recommended).
What to consider before installing
This skill will modify your OpenClaw config file by writing the provided API Base URL and API Key into openclaw.json and switching your default model. Before installing or invoking it:
- Do not paste real API keys into chat if you don't want them stored in your local config; instead run the script locally with the key passed on the command line or set it manually.
- Review and backup your openclaw.json before running the script (it overwrites data at C:\Users\Rice\.openclaw\openclaw.json). The path is hard-coded to a Windows user 'Rice' — edit the script to point to your actual OpenClaw config (or make it use your HOME directory) before running.
- Be aware the SKILL.md metadata does not declare the config file access; treat this as a transparency issue. If you trust the source, manually inspect the script and adjust OPENCLAW_PATH and behavior as needed. If unsure, run the Python script locally yourself (not via an automated agent) after confirming the path and contents to be written.Like a lobster shell, security has layers — review code before you run it.
latestvk97145d2bk5b3k25d1b28t3qjh83jxt8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.