Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

carkey

v1.1.0

Query vehicle location and condition information (status of locks, doors, windows, air conditioning, etc.).

0· 116·0 current·0 all-time
by zhou_guobao @zhouzidan

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhouzidan/car-key.

Install the skill "carkey" (zhouzidan/car-key) from ClawHub.
Skill page: https://clawhub.ai/zhouzidan/car-key
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install car-key

ClawHub CLI

npx clawhub@latest install car-key
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill's name/description (query vehicle location and condition for Tika/TikaKey) matches the code and SKILL.md: the Python script calls the Tika open API (https://openapi.nokeeu.com/iot/v1/condition) and exposes options for reading position/condition. However, the registry metadata claims no required environment variables or primary credential while SKILL.md and query_vehicle.py explicitly rely on an App-generated API Key (recommended env var TIKA_API_KEY) and other token env vars. That omission in metadata is inconsistent and may mislead users about what sensitive access is required.
[!] Instruction Scope
SKILL.md and the included script instruct the agent/user to read environment variables and to read/write a local cache file at ~/.skill_carkey_cache.json. The README even provides an OpenClaw prompt that encourages pasting the API Key for automated configuration. These instructions involve handling and persisting sensitive credentials and accessing the user's home directory; this scope is expected for a local CLI but should be explicit in the skill metadata and clearly presented to users before any automated or remote submission of secrets.
Install Mechanism
There is no installer or remote download; this is an instruction/script-only skill that requires Python 3.6+. No packages are fetched during install and no external archives or unknown URLs are downloaded by an installer. That lowers install-time risk.
[!] Credentials
Although the skill logically needs a Tika API key, the registry entry lists zero required env vars/credentials. The SKILL.md and query_vehicle.py reference TIKA_API_KEY and also mention TIKA_VEHICLE_TOKEN/TIKA_ACCESS_TOKEN in code — additional credential-like env vars that are not declared. The README/SKILL.md further suggests writing the API key into a local cache and even provides guidance for letting OpenClaw populate the credential. Requesting or storing high-sensitivity API keys without the metadata reflecting that requirement is disproportionate and may confuse permission/consent decisions.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It does, however, persist credentials to a cache file (~/.skill_carkey_cache.json) and attempts to restrict file permissions per README. Persisting a high-sensitivity API key to disk is a privilege that users should be aware of; this behavior is legitimate for a CLI utility but should be opt-in and clearly communicated (the SKILL.md does describe it).
What to consider before installing
Before installing or running this skill: (1) recognize it requires a Tika API Key (TIKA_API_KEY) even though the registry metadata doesn't declare it — do not paste or upload that key to third parties unless you trust the skill and host; (2) the script will read env vars and can write a cache file (~/.skill_carkey_cache.json) containing your API key — prefer using a short-lived environment variable and avoid saving persistent keys on shared machines; (3) inspect the script (query_vehicle.py) yourself or verify the publisher and API endpoints (openapi.nokeeu.com / tikakey/chengqu sites) before providing credentials; (4) if you plan to let OpenClaw auto-configure credentials, be aware that this will store secrets on the agent host—only do this on a trusted machine; (5) ask the maintainer or registry to update the skill metadata to list required env vars/primary credential explicitly (TIKA_API_KEY) so permission prompts are accurate.

Like a lobster shell, security has layers — review code before you run it.

latest vk9752wvstge37yv92191k1hba984vhxj
116 downloads
0 stars
2 versions
Updated 1w ago
v1.1.0
MIT-0

Overview

Use this skill only after the vehicle has the Tika Digital Key product installed and App binding is complete.

Official website: https://www.tikakey.com/

API Key path: Chengqu (乘趣) App -> Help Center -> Popular Features -> Skill.

Triggers

  • User asks for the vehicle's location or asks "where is the car"
  • User asks for vehicle condition information
  • User asks about vehicle status, such as whether locks, doors, windows, or A/C are open or on
  • User needs detailed vehicle information, such as SN, VIN, gear, or power status
  • If auth information is missing, ask the user for the full API Key and recommend environment variables first

Core Config

| Config item | Value |
|---|---|
| API URL | https://openapi.nokeeu.com/iot/v1/condition |
| Cache file | ~/.skill_carkey_cache.json |
| Auth format | Full API Key generated by the App |

Auth Flow

  1. For first-time use, ask the user to obtain the full API Key from the App first
  2. Recommend that the user configure the TIKA_API_KEY environment variable as the primary setup method
  3. If the user wants to skip configuration in later use, then save the key to ~/.skill_carkey_cache.json
  4. Later queries read environment variables first, then the local cache
  5. When needed, auth status can be checked without making a network request
  6. CLI output language can be switched with --lang zh|en
  7. Delete the local cache when it is no longer needed, to reduce leftover credentials
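
The precedence in steps 2 to 4 and the cleanup in step 7, as an added example (not the code of query_vehicle.py): the environment variable wins, and the cache file is written owner-only and rejected on read if its permissions are looser. The JSON field name `api_key` and all function names are assumptions; the cache path is a parameter so it can point at ~/.skill_carkey_cache.json.

```python
import json
import os
import stat

ENV_VAR = "TIKA_API_KEY"   # variable name taken from the page
CACHE_FIELD = "api_key"    # assumed JSON field name (hypothetical)


def save_api_key(cache_path, api_key):
    """Write the key to the cache file, readable by the owner only."""
    # Create with 0600 from the start so the secret is never world-readable.
    fd = os.open(cache_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # tighten a pre-existing file with looser bits
        os.write(fd, json.dumps({CACHE_FIELD: api_key}).encode("utf-8"))
    finally:
        os.close(fd)


def cache_is_private(cache_path):
    """True for a regular file with no group/other permission bits set."""
    st = os.lstat(cache_path)  # lstat: a symlink is not accepted as the cache
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def resolve_api_key(env, cache_path):
    """Return (key, source): environment first, then the local cache."""
    key = env.get(ENV_VAR, "").strip()
    if key:
        return key, "env"
    if not os.path.lexists(cache_path):
        return None, "missing"
    if not cache_is_private(cache_path):
        return None, "cache-rejected"  # loose permissions: do not trust it
    with open(cache_path, encoding="utf-8") as fh:
        return json.load(fh).get(CACHE_FIELD), "cache"


def clear_api_key(cache_path):
    """Delete the cache file; return True if something was removed."""
    try:
        os.remove(cache_path)
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    path = os.path.expanduser("~/.skill_carkey_cache.json")
    print(resolve_api_key(os.environ, path)[1])  # prints the source only
```
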

API Usage

Use the Python script to query vehicle information:

# Query all information
python3 query_vehicle.py

# Query directly using a single environment variable
export TIKA_API_KEY='your_full_api_key'
python3 query_vehicle.py
python3 query_vehicle.py --check-auth

# Save auth information on first use and query
python3 query_vehicle.py --apikey 'your_full_api_key'

# Only save auth information, without querying
python3 query_vehicle.py --apikey 'your_full_api_key' --save-token-only

# Check current auth status
python3 query_vehicle.py --check-auth

# Delete the local auth cache
python3 query_vehicle.py --clear-auth

# Query vehicle position only
python3 query_vehicle.py -p
python3 query_vehicle.py --position

# Query vehicle condition only
python3 query_vehicle.py -c
python3 query_vehicle.py --condition

# Output raw JSON data
python3 query_vehicle.py --json
python3 query_vehicle.py -p --json
python3 query_vehicle.py -c --json

# Use English output
python3 query_vehicle.py --lang en

Script file: query_vehicle.py

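Response Fields

| Field path | Description |
|---|---|
| data.sn | Digital key SN |
| data.vin | VIN |
| data.vehiclePosition.longitude/latitude | GPS longitude and latitude |
| data.vehiclePosition.address | Address |
| data.vehiclePosition.positionUpdateTime | Position update timestamp (milliseconds) |
| data.vehicleCondition.power | Power status |
| data.vehicleCondition.gear | Gear |
| data.vehicleCondition.trunk | Trunk status |
| data.vehicleCondition.door.* | Door status |
| data.vehicleCondition.lock.* | Lock status |
| data.vehicleCondition.window.* | Window status |
| data.vehicleCondition.airConditionerState.* | A/C temperature setting |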

Script Capabilities

| Parameter | Short | Description |
|---|---|---|
| --position | -p | Query vehicle position information only |
| --condition | -c | Query vehicle condition information only |
| --json | | Output pure JSON data |
| --apikey | | Pass the full API Key and write it to the cache |
| --save-token-only | | Only save the API Key to the cache |
| --check-auth | | Only check the auth information in the cache |
| --clear-auth | | Delete the local auth cache |
| --lang | | Output language; supports zh and en |
| (no arguments) | | Query all information |

Additional notes:

  • Read auth information from the cache file automatically
  • Support reading auth information from environment variables, preferably the single variable TIKA_API_KEY
  • Save the API Key to the cache automatically when it is passed on the command line
  • Support clearing the local auth cache
  • Support current API response fields and legacy field names
  • Default to terminal-friendly text output

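Error Handling

| Error type | Handling |
|---|---|
| Missing auth information | Ask the user to provide the full API Key |
| Invalid auth format | Show the correct format |
| Cache read/write failure | Return a clear file error |
| API request failure | Return the HTTP or API error message |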

Requirements

  • Python 3.6+
