powpow_openclaw
v1.0.2
Simulates PowPow/OpenClaw interactions using in-memory storage for quick comparative testing of registration, login, avatars, chat, renewal, badges, and help.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The top-line metadata/description (and the evaluation prompt) suggests a simulation/in-memory test harness, but the SKILL.md and the compiled code implement live HTTP calls to https://global.powpow.online (register, login, create digital humans, send chat). That mismatch (simulation vs. real remote integration) is a material incoherence: someone expecting a local/in-memory simulator would not expect their credentials or messages to be transmitted to a remote service.
Instruction Scope
SKILL.md instructs the agent to register/login/create digital humans and send messages; those operations are consistent with the stated integration purpose. However the instructions omit any privacy notice and explicitly direct users to use the remote map URL. The runtime behavior will transmit usernames, passwords, and chat content to the remote PowPow API — this is within the plugin's purpose but is important scope (network) behavior the user must understand.
Install Mechanism
No install spec or external downloads are present. The package is instruction+bundled compiled JS (dist). There are no URLs that perform arbitrary code download at install time; code runs from the bundled files. This is lower install-risk, though the included compiled files contain base64 source-map URIs (expected for built JS).
Credentials
The skill requests no environment variables or host credentials (appropriate), but it does collect user-supplied credentials (username/password) and chat messages via its commands and transmits them to the remote service. Given the mismatch between the advertised 'in-memory/simulation' behavior and the actual remote calls, the lack of declared credentials/env-vars is not sufficient disclosure of where sensitive inputs are sent.
Persistence & Privilege
The skill does not request 'always: true' or other elevated privileges. It keeps auth tokens and state in memory (per code) and does not modify other skills or system-wide configurations.
Scan Findings in Context
[base64-block] expected: A base64-block pattern was detected (sourceMappingURL data:application/json;base64) in compiled JS files. This is common for build artifacts (inlined source maps) and not itself an injection; SKILL.md itself contains no embedded base64 payloads. Treat as a likely false-positive for prompt-injection but verify build provenance if you distrust the author.
What to consider before installing
Key points before installing or using this skill:
- Expect network traffic: contrary to a 'local/in-memory simulator' expectation, this skill performs live HTTP requests to https://global.powpow.online for register/login/create/send operations. Do NOT assume offline behavior.
- Sensitive inputs transmitted: usernames, passwords, and all chat messages you send through the skill will be transmitted to the remote PowPow backend. Only use throwaway/test accounts if you want to try it.
- Provenance is limited: the skill's registry entry has no homepage and the package claims a GitHub repo, but the source origin is 'unknown' in the metadata provided. If you need to trust it, review the upstream repository, author reputation, and server privacy/TOS.
- If you intended a local simulator, do not install or use this skill. If you accept remote integration, review the remote service (global.powpow.online): privacy policy, data retention, and whether the service's AI usage meets your security/privacy needs.
- Recommended actions: inspect the package's source (dist files and skill.json), run it only in an isolated/test environment, test with non-sensitive accounts, and confirm network endpoints and behavior via network monitoring. If you are unsure about the remote service or the author, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latest
POWPOW Integration Skill v1.0.2
Basic Information
- Name: powpow-integration
- Version: 4.0.0
- Description: POWPOW simplified integration - user registration, digital human creation, automatic conversation
- Author: durenzidu
- License: MIT
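Feature Overview
This Skill helps OpenClaw users do the following three things:
| Step | Feature | Notes |
|---|---|---|
| 1 | Register a PowPow account | You get a username and password that can be used to log in to the PowPow website |
| 2 | Create a digital human | Set a name and persona; the digital human is automatically bound to your account |
| 3 | Automatic conversation | The PowPow backend handles conversations automatically; no OpenClaw Gateway configuration is needed |
Simplified Version Highlights
Users do not need to provide an OpenClaw Gateway address!
The PowPow backend automatically:
- Receives user messages
- Calls the AI API
- Returns the reply
Users only need to:
- Register an account
- Create a digital human
- Done!
Commands
Step 1: Register an account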
register
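Register a PowPow account
Parameters:
- username (string, required): Username (3-20 characters; Chinese characters, letters, digits and underscores are supported)
- email (string, required): Email address
- password (string, required): Password (at least 6 characters)
Example: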
register username="我的数字人" email="user@example.com" password="123456"
login
Log in to an existing account
Example:
login username="我的数字人" password="123456"
Step 2: Create a digital human
createDigitalHuman
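Create a digital human (automatically bound to the current account)
Parameters:
- name (string, required): Name of the digital human
- description (string, required): Description/persona of the digital human
- lat (number, optional): Latitude, default 39.9042 (Beijing)
- lng (number, optional): Longitude, default 116.4074 (Beijing)
- locationName (string, optional): Location name, default "北京" (Beijing)
Examples: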
createDigitalHuman name="小助手" description="一个友好的AI助手,乐于助人,知识渊博"
createDigitalHuman name="导游小明" description="北京导游,熟悉北京历史文化" lat=39.9 lng=116.4 locationName="北京天安门"
listDigitalHumans
List all of my digital humans
Example:
listDigitalHumans
Step 3: Conversation
send
Send a message to the digital human
Parameters:
- message (string, required): Message content
Example:
send message="你好!有什么可以帮助你的吗?"
status
View the current status
Example:
status
Complete Usage Flow
# Step 1: Register an account
register username="我的AI助手" email="ai@example.com" password="mypassword123"
# Step 2: Create a digital human
createDigitalHuman name="小助手" description="一个友好的AI助手,乐于助人,知识渊博"
# Step 3: Visit the map to view the digital human
# Open https://global.powpow.online/map
# Step 4: (Optional) Send a test message
send message="你好!"
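Differences from v3.x
| Feature | v3.x | v4.0 (simplified) |
|---|---|---|
| Requires OpenClaw Gateway | Yes | No |
| Requires webhook URL | Yes | No |
| Requires NAT traversal / tunneling | Yes | No |
| Barrier to entry | High | Low |
| Target audience | Developers | All users |
Cloud Deployment
It can be used in cloud-hosted OpenClaw because:
- It uses an HTTP API and does not need WebSocket
- It is compatible with serverless environments (Vercel, etc.)
- No additional server is required
Changelog
v4.0.0 (2026-04-07)
- Major update: simplified version; users do not need to provide an OpenClaw Gateway
- The PowPow backend handles conversations automatically
- Lowers the barrier to entry for users
- Suitable for all users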
