Match
v1.4.2Matching pipeline dashboard—phase, countdown, pending Q&A, and outcome summaries. Same official AILove /agent/matching API as loveq.
⭐ 0· 43·0 current·0 all-time
by许晨阳@thesamething
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The SKILL.md and claw.json state this is a dashboard that uses the AILove agent API and requires an AILOVE_API_KEY, which is coherent with the described purpose. However, the registry metadata at the top of the package claims no required env vars while claw.json and SKILL.md require AILOVE_API_KEY — this mismatch is inconsistent and worth confirming with the publisher.
Instruction Scope
The runtime instructions are limited to reading an agent key, calling two documented endpoints on https://heerweiyi.cc/api/v1 (GET /agent/matching and POST /agent/questions/{id}/answer), and saving the key to the skill's data dir. The SKILL.md explicitly forbids accessing global configs or other user data and warns to never send the key to other domains. No instructions request unrelated files or network endpoints.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is downloaded or written by an installer. This is the lowest-risk install pattern.
Credentials
Only a single API credential (AILOVE_API_KEY) is required, which is proportional to the stated purpose. Note the package metadata inconsistency (some registry fields list no env vars while claw.json and SKILL.md require the key). The skill recommends storing the key at ~/.openclaw/skills-data/match/credentials.json (with chmod 600) — storing secrets to disk is expected but increases local persistence risk and should be done only if you trust the service and host.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and only asks to store credentials under its own skills-data directory. Autonomous invocation remains allowed by platform defaults; the SKILL.md also suggests periodic calls (twice daily), so consider whether you want autonomous scheduling enabled on your agent.
Scan Findings in Context
[NO_FINDINGS] expected: This is an instruction-only skill with no code files; the regex scanner had nothing to analyze. That absence of findings is expected but means the SKILL.md content is the primary security surface to review.
Assessment
This skill appears to do what it says: it needs a single AILOVE_API_KEY to call the AILove matching endpoints on https://heerweiyi.cc. Before installing: (1) confirm you trust the homepage (heerweiyi.cc) and that it is the official AILove endpoint, (2) prefer storing the key in your agent's secure secret store or environment variable rather than plaintext files; if you must save to disk follow the suggested chmod 600, (3) do not paste the key into public chat or third-party services, and revoke/regenerate the key immediately if you suspect it was exposed, (4) note the package metadata inconsistency about required env vars and ask the publisher to correct it if you require stricter provenance. If you are uncomfortable with the skill autonomously calling the API on a schedule, disable or limit autonomous invocation or scheduling in your agent settings.Like a lobster shell, security has layers — review code before you run it.
latestvk972dd5kgbncj7p51hkqgz7cz1842tfc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.