Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

仙宫云GPU管家 (Xiangongyun GPU Manager)

v1.0.1

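API integration tool for the 仙宫云 GPU cloud service platform, supporting the full set of operations including instance management, private image management, and account management; use it when the user needs to query or manage 仙宫云 GPU instances, operate on private images, check the account balance, or recharge the account.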


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for chsengni/xiangongyun-api.

Install the skill "仙宫云GPU管家" (chsengni/xiangongyun-api) from ClawHub.
Skill page: https://clawhub.ai/chsengni/xiangongyun-api
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xiangongyun-api

ClawHub CLI


npx clawhub@latest install xiangongyun-api

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (high confidence)

Purpose & Capability
Name, description, SKILL.md, references, and the Python client all consistently implement GPU instance, image, and account management for the stated 仙宫云 API. The operations implemented match the documented API. However, the registry metadata declares no required credentials or config paths while the code requires a local config/config.yaml with an access_token — an incoherence between claimed requirements and the actual need.
Instruction Scope
SKILL.md instructs the agent to run the included script for all actions and documents parameters and examples. The instructions stay within the stated purpose (calls only the provider API). A notable instruction claim — '已在技能配置中完成授权' ("authorization has already been completed in the skill configuration") — is misleading: the bundled config file contains a placeholder token and the script will raise an error if a real token is not provided.
Install Mechanism
No install spec is provided (instruction-only + included script). There is no external download, package install, or extracted archive; risk from install mechanism is low.
Credentials
The skill requires an API access token but the registry metadata lists no required env vars or config paths. The implementation expects a plaintext token in config/config.yaml inside the skill bundle. This is disproportionate to the metadata and carries a security/usability concern: embedding or instructing users to place sensitive tokens in a plain file inside the project is risky and should be declared explicitly (prefer platform secret storage or environment variables).
Persistence & Privilege
The skill is not always-enabled and does not request persistent elevated privileges or modify other skills. It runs on demand via the provided script. Autonomous invocation is allowed by default but is not combined with other high-risk factors here.
What to consider before installing
This skill appears to be an API client for 仙宫云 and implements the advertised operations, but there are a few issues to consider before installing:

  • Credential handling mismatch: the registry metadata does not declare any required credentials or config paths, yet the included script requires config/config.yaml with an access_token. The provided config file contains the placeholder "YOUR_ACCESS_TOKEN_HERE" — you must replace it with a real token for the skill to work. Treat this as sensitive data.
  • Do not store secrets in repository files if you can avoid it. Prefer injecting the API token through your platform's secret manager or environment variables rather than embedding it in a plaintext config inside the skill bundle.
  • Verify the API endpoint (https://api.xiangongyun.com) is the legitimate vendor endpoint you expect. If you don't recognize/trust the skill's source (owner ID unknown, no homepage), exercise extra caution.
  • Because the script issues network requests using the token, only grant the minimum-scoped token necessary and consider testing the skill from a sandboxed account or environment first.
  • If you need stricter assurance, ask the publisher for: (1) confirmation of where the token should be stored (platform secret vs. file), (2) a signed/official source or homepage, and (3) justification for any persistent storage of credentials.

Given the clear mismatch between declared metadata and actual requirements, treat this as suspicious until you confirm the credential handling and source provenance.
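
The credential handling the scan recommends can be sketched as follows. This is an added example, not the skill's own code: it prefers an environment variable, falls back to config/config.yaml only when that file is not group- or world-accessible, and rejects the shipped placeholder. The variable name XIANGONGYUN_ACCESS_TOKEN and the flat `access_token:` layout of the YAML file are assumptions.

```python
import os
import stat
from pathlib import Path

PLACEHOLDER = "YOUR_ACCESS_TOKEN_HERE"        # placeholder found in the bundled config
ENV_VAR = "XIANGONGYUN_ACCESS_TOKEN"          # assumed name, not defined by the skill
DEFAULT_CONFIG = Path("config/config.yaml")   # path named in the scan report


class TokenError(RuntimeError):
    """Raised when no usable access token can be resolved."""


def token_from_config(path):
    """Read an `access_token:` scalar (assumed flat layout) without a YAML library."""
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "access_token":
            # Drop a trailing comment and surrounding quotes.
            return value.split(" #", 1)[0].strip().strip("'\"")
    return ""


def resolve_token(env=None, config_path=DEFAULT_CONFIG):
    """Return (token, source), preferring the environment over the plaintext file."""
    env = os.environ if env is None else env
    token, source = env.get(ENV_VAR, "").strip(), "env"
    config_path = Path(config_path)
    if not token and config_path.is_file():
        mode = stat.S_IMODE(config_path.stat().st_mode)
        if mode & 0o077:  # any permission bit set for group or others
            raise TokenError(f"{config_path} has mode {oct(mode)}; restrict it to 0600")
        token, source = token_from_config(config_path), "file"
    if not token or token == PLACEHOLDER:
        raise TokenError(f"no access token: set {ENV_VAR} or replace the placeholder")
    return token, source


def redact(token):
    """Form of the token that is safe to write to logs."""
    return token[:4] + "..." if len(token) > 8 else "***"
```
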

Like a lobster shell, security has layers — review code before you run it.

latest vk9770f5dbbwsmhayft09ygyjj983h797
121 downloads
0 stars
2 versions
Updated 1mo ago
v1.0.1
MIT-0

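仙宫云 API Skill

Task Objectives

  • Purpose of this skill: integrate the 仙宫云 open platform API to manage the full lifecycle of GPU cloud service instances
  • Capabilities: instance management (create / start and stop / destroy), private image management, account information queries and recharging
  • Trigger conditions: the user needs to manage 仙宫云 GPU instances, operate on images, or query account information

Prerequisites

Dependencies: the script depends on the requests library

requests>=2.28.0
  • Dependencies: the script uses the Python standard library and the requests package; no additional dependencies need to be installed
  • Credential configuration: a 仙宫云 API access token is required; authorization has already been completed in the skill configuration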

Procedure

I. Instance Management

1. Query instances

  • Get the instance list: call scripts/xiangongyun_api.py --action list_instances
  • Get the details of a single instance: call scripts/xiangongyun_api.py --action get_instance --instance-id <instance ID>
  • Get the images stored from an instance: call scripts/xiangongyun_api.py --action list_instance_images --instance-id <instance ID>

2. Deploy an instance

  • Deploy a new instance: call scripts/xiangongyun_api.py --action deploy_instance --name <instance name> --gpu-count <number of GPUs> --image <image name> [--data-center <data center>] [--ssh-key <SSH key>] [--password <password>]
  • For parameter descriptions, see references/api_reference.md

3. Instance lifecycle operations

  • Boot: --action boot_instance --instance-id <instance ID>
  • Shut down, keeping the GPU: --action shutdown_instance --instance-id <instance ID>
  • Shut down and release the GPU: --action shutdown_release_gpu --instance-id <instance ID>
  • Shut down and destroy: --action shutdown_destroy --instance-id <instance ID>
  • Destroy the instance: --action destroy_instance --instance-id <instance ID>

4. Saving images

  • Save an image: --action save_image --instance-id <instance ID> --image-name <image name>
  • Save an image and destroy the instance: --action save_image_destroy --instance-id <instance ID> --image-name <image name>

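II. Private Image Management

  • Get the image list: --action list_images
  • Get image details: --action get_image --image-id <image ID>
  • Destroy an image: --action destroy_image --image-id <image ID>

III. Account Management

  • Get user information: --action get_user_info
  • Get the account balance: --action get_balance
  • Create a recharge order: --action create_recharge_order --amount <amount> --payment <alipay|wechat>
  • Query a recharge order: --action query_recharge_order --trade-no <order number>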

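Resource Index

Notes

  • All asynchronous operations (deploy, destroy, start and stop, and so on) return immediately once the request succeeds; the actual execution status must be confirmed by querying the instance information
  • After shutting down and releasing the GPU, the system disk is billed by used space (¥0.00003/GB/hour)
  • The WeChat payment link of a recharge order must be converted to a QR code and scanned to use it
  • For the public image list and the description of instance states, see the API reference document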

Example 1: Query account information

# View user information
python scripts/xiangongyun_api.py --action get_user_info

# View the account balance
python scripts/xiangongyun_api.py --action get_balance

Example 2: Manage GPU instances

# Get the list of all instances
python scripts/xiangongyun_api.py --action list_instances

# Deploy a new instance (PyTorch image, 2 GPUs)
python scripts/xiangongyun_api.py --action deploy_instance --name "my-training" --gpu-count 2 --image "PyTorch 2.0.0"

# View instance details
python scripts/xiangongyun_api.py --action get_instance --instance-id "abc123"

# Shut down and release the GPU (saves cost)
python scripts/xiangongyun_api.py --action shutdown_release_gpu --instance-id "abc123"

# Boot the instance to continue using it
python scripts/xiangongyun_api.py --action boot_instance --instance-id "abc123"

Example 3: Manage private images

# Save an instance as an image
python scripts/xiangongyun_api.py --action save_image --instance-id "abc123" --image-name "my-custom-image"

# View all private images
python scripts/xiangongyun_api.py --action list_images

# Delete an image
python scripts/xiangongyun_api.py --action destroy_image --image-id "img456"

Example 4: Recharge the account

# Create a recharge order (Alipay)
python scripts/xiangongyun_api.py --action create_recharge_order --amount 100 --payment alipay

# Query the order status
python scripts/xiangongyun_api.py --action query_recharge_order --trade-no "ORDER123456"
