skill-1
Pass
Audited by ClawScan on Apr 24, 2026.
Overview
The skill's code, docs, and runtime instructions are coherent with an App Store manager for a 1Panel server; it requires a 1Panel base URL and API key and performs only remote API calls to that service.
This skill appears to do what it says: manage 1Panel apps via the 1Panel API. Before installing:

- Confirm the mismatch: the registry metadata said no required env vars, but the plugin and docs require a 1Panel base URL and API key (ONEPANEL_* or APPSTORE_* or Gateway-saved config). Expect to provide that credential.
- Understand impact of the API key: it allows installing and uninstalling applications on your 1Panel server. Only provide a key with the minimum necessary permissions and only to a trusted server/agent.
- Verify where the credential is stored by your OpenClaw/Gateway: SKILL.md says it will be saved to openclaw.json under skills.entries.appstore-skill.config. Ask the platform whether that file is encrypted/ACL-protected, and who can read it.
- Review the included dist/*.js files (they are present in the package) and confirm the baseUrl points to a server you control or trust. The code constructs an auth token header locally and only calls the configured baseUrl endpoints — there are no hidden external endpoints.
- Be cautious with batch-install/batch-uninstall commands: they can perform many changes; test with a non-production server first and consider rotating the API key after use.

If you need higher assurance, ask the publisher to: (1) update registry metadata to list required env vars, and (2) confirm exactly how/where the platform persists the saved config and who can read it.
