Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, documentation in ./references, README and scripts all align with an API-integration skill for apigw.125339.com.cn. The files and scripts (get_token/create/search/cancel) are what you'd expect to implement the stated functionality.
Instruction Scope
SKILL.md confines runtime actions to reading the included ./references docs, constructing API calls, and generating examples. The provided Python scripts interact only with the documented API endpoints and prompt interactively for APP_ID/APP_KEY/USER_ID and Access Token. Minor issues: examples and scripts use slightly different Authorization header formats (inconsistent header formats across files) which could cause confusion; app_auth.html loads crypto-js from a CDN (remote script included only in an HTML helper page). No instructions request unrelated files, system secrets, or unknown external endpoints.
Install Mechanism
No install spec; this is an instruction-first skill with bundled example scripts. Nothing is downloaded or installed automatically by the skill itself, so host-side install risk is low.
Credentials
The skill does not declare or require any environment variables. The scripts legitimately request API credentials (APP_ID, APP_KEY, USER_ID, Access Token) needed to call the API — these are proportional to the stated purpose. No unrelated credentials or secrets are requested.
Persistence & Privilege
The skill does not request always:true and does not claim to persist or alter other skills. It appears to be user-invocable only and will not be force-included in every agent run.
Assessment
This package appears to be a straightforward API integration guide with test scripts. Before installing or running scripts: (1) verify you trust the skill source (homepage in SKILL.md points to 125339.com.cn but registry source is unknown), (2) inspect the included .clawhub/config.json (its contents were not shown) to ensure it doesn't store or transmit secrets, (3) note that scripts prompt for APP_ID/APP_KEY/USER_ID and Access Token — treat those as sensitive, avoid pasting them into shared logs, and run scripts in a safe environment, (4) be aware the helper HTML loads crypto-js from a public CDN (only relevant if you open the HTML in a browser), and (5) confirm which Authorization header format your target API expects (there are small inconsistencies among examples and scripts). If you need higher assurance, ask the publisher for provenance or a signed release, or run the scripts in an isolated VM. If anything in .clawhub/config.json or other files looks unexpected, abort and request clarification.Like a lobster shell, security has layers — review code before you run it.
latestvk972x2qkhncyt7w8wxn4s99pgd84h81c
License
MIT-0
Free to use, modify, and redistribute. No attribution required.