Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Edith API Keys

v1.0.0

Manage Edith smart glasses API keys with Unkey. Create, revoke, and list API keys via voice commands.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md clearly requires UNKEY_ROOT_KEY and UNKEY_API_ID to call Unkey endpoints — that fits the described purpose — but the registry metadata lists no required environment variables or primary credential. The omission is an incoherence: the skill needs sensitive credentials but the manifest doesn't declare them.
Instruction Scope
Runtime instructions are narrow and explicit: use curl against https://api.unkey.dev to create, list, revoke, verify, and update keys, and check those two environment variables. The instructions do not ask the agent to read unrelated files or exfiltrate data to unexpected endpoints.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. It relies on curl being available, which is reasonable for the described operations.
! Credentials
The skill requires UNKEY_ROOT_KEY (a root-management secret) and UNKEY_API_ID. Those are functionally necessary for key management, but UNKEY_ROOT_KEY is highly sensitive (can create/revoke any keys). The registry metadata failing to declare these increases the chance a user will unknowingly expose powerful credentials.
! Persistence & Privilege
The skill is user-invocable and not always-enabled, which is normal. However, because it expects a root-level secret in the agent environment, allowing autonomous invocation or broad inclusion would amplify risk. Confirming that the skill will not be given long-lived or global access to UNKEY_ROOT_KEY is important.
What to consider before installing
This skill genuinely performs Unkey operations and needs two environment variables: UNKEY_ROOT_KEY and UNKEY_API_ID. Before installing, verify the skill's source and owner (the registry metadata here lacks the declared env vars). Treat UNKEY_ROOT_KEY as highly sensitive: if you must use this skill, avoid putting a permanent root key in a broadly accessible agent environment — prefer a scoped or time‑limited key, rotate it after use, or run the skill in an isolated agent instance. Ask the publisher to update the manifest to declare required credentials and provide more provenance (homepage/source) before trusting it with root credentials.


latest vk97330zt4t1q1xmeen31158ynx83sv13
78 downloads · 0 stars · 1 version · Updated 3w ago
License: MIT-0

Edith API Keys

Manage API keys for the Edith smart glasses app using Unkey.

Setup

The user must have UNKEY_ROOT_KEY and UNKEY_API_ID set as environment variables.

  • UNKEY_ROOT_KEY — root key from the Unkey dashboard (used to create/revoke keys)
  • UNKEY_API_ID — the Unkey API ID that Edith verifies keys against

Tools

This skill uses curl to call the Unkey REST API. All requests go to https://api.unkey.dev.

Commands

Create a new API key

Create a key for a plugin developer or device. Optionally set a name, expiration, or rate limit.

curl -s -X POST https://api.unkey.dev/v1/keys.createKey \
  -H "Authorization: Bearer $UNKEY_ROOT_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "apiId": "'"$UNKEY_API_ID"'",
    "name": "{{name}}",
    "prefix": "edith",
    "meta": { "purpose": "{{purpose}}" },
    "expires": {{expires_unix_ms_or_null}},
    "ratelimit": {
      "async": true,
      "limit": {{rate_limit_per_second_or_10}},
      "duration": 1000
    }
  }'

The response includes key (give this to the user) and keyId (used for management).

List all keys

curl -s "https://api.unkey.dev/v1/apis.listKeys?apiId=$UNKEY_API_ID" \
  -H "Authorization: Bearer $UNKEY_ROOT_KEY"

Revoke a key

Permanently delete a key by its keyId.

curl -s -X POST https://api.unkey.dev/v1/keys.deleteKey \
  -H "Authorization: Bearer $UNKEY_ROOT_KEY" \
  -H "Content-Type: application/json" \
  -d '{"keyId": "{{keyId}}"}'

Verify a key (read-only check)

curl -s -X POST https://api.unkey.dev/v1/keys.verifyKey \
  -H "Content-Type: application/json" \
  -d '{"apiId": "'"$UNKEY_API_ID"'", "key": "{{key}}"}'

Update a key (rename, change rate limit, set expiry)

curl -s -X POST https://api.unkey.dev/v1/keys.updateKey \
  -H "Authorization: Bearer $UNKEY_ROOT_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "keyId": "{{keyId}}",
    "name": "{{new_name}}",
    "ratelimit": {
      "async": true,
      "limit": {{new_limit}},
      "duration": 1000
    }
  }'

Workflow

When the user asks to manage Edith API keys:

  1. Check that UNKEY_ROOT_KEY and UNKEY_API_ID are set in the environment.
  2. If creating a key: ask for a name/purpose, create it, and display the key to the user (it is only shown once).
  3. If listing keys: fetch them and display them in a table with keyId, name, createdAt, and status.
  4. If revoking: confirm the keyId with the user, then delete.
  5. Plugins connect to the Edith WebSocket relay with ?linkCode=...&apiKey=... — the relay verifies the key via Unkey automatically when UNKEY_API_ID is set on the server.
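
The commands above substitute {{name}}, {{purpose}} and the numeric placeholders directly into a single-quoted JSON body, so a value containing a quote or backslash changes the request that is sent with the root key. An added example (not part of the skill; the function names and the allow-list are assumptions) that performs workflow step 1 and validates those values before building the keys.createKey body:

```shell
#!/bin/sh
# Added example, not part of the skill. Function names and the allow-list
# are assumptions; UNKEY_* variables and JSON fields come from the page.
LC_ALL=C; export LC_ALL   # byte-wise ranges in the patterns below

# Workflow step 1: fail early without echoing the secret values.
require_unkey_env() {
  [ -n "${UNKEY_ROOT_KEY:-}" ] || { echo "UNKEY_ROOT_KEY is not set" >&2; return 1; }
  [ -n "${UNKEY_API_ID:-}" ] || { echo "UNKEY_API_ID is not set" >&2; return 1; }
}

# Allow only characters that cannot end a JSON string or need escaping
# (rejects quotes, backslashes, newlines and other control characters).
is_safe_text() {
  case "$1" in
    ''|*[!A-Za-z0-9\ ._-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Decimal integer without leading zeros, short enough for shell arithmetic.
is_uint() {
  case "$1" in
    ''|0?*|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

# build_create_key_body NAME PURPOSE EXPIRES_MS_OR_null [LIMIT]
# Prints the keys.createKey body, or returns 2 and prints nothing.
build_create_key_body() {
  name=$1 purpose=$2 expires=$3 limit=${4:-10}
  is_safe_text "${UNKEY_API_ID:-}" || return 2
  is_safe_text "$name" || return 2
  is_safe_text "$purpose" || return 2
  [ "$expires" = "null" ] || is_uint "$expires" || return 2
  is_uint "$limit" && [ "$limit" -ge 1 ] || return 2
  printf '{"apiId":"%s","name":"%s","prefix":"edith","meta":{"purpose":"%s"},' \
    "$UNKEY_API_ID" "$name" "$purpose"
  printf '"expires":%s,"ratelimit":{"async":true,"limit":%s,"duration":1000}}\n' \
    "$expires" "$limit"
}

# Usage (needs network and real credentials, so it is left commented out):
#   require_unkey_env && body=$(build_create_key_body "demo-plugin" "demo plugin" null 10) &&
#   printf '%s' "$body" | curl -s -X POST https://api.unkey.dev/v1/keys.createKey \
#     -H "Authorization: Bearer $UNKEY_ROOT_KEY" -H "Content-Type: application/json" --data @-
```

The same validation applies to {{keyId}}, {{new_name}} and {{new_limit}} in the revoke and update commands.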

Example

User: "Create an API key for my demo plugin"

curl -s -X POST https://api.unkey.dev/v1/keys.createKey \
  -H "Authorization: Bearer $UNKEY_ROOT_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "apiId": "'"$UNKEY_API_ID"'",
    "name": "demo-plugin",
    "prefix": "edith",
    "meta": { "purpose": "demo plugin" },
    "ratelimit": { "async": true, "limit": 10, "duration": 1000 }
  }'
