Zhaoduixiang

v1.4.2

Serious relationship match progress for your human—phase updates, question relay, and outcome summaries via the official agent API.

by 许晨阳 @thesamething
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill name/description (match progress, question relay, outcome summaries) matches the declared behavior in SKILL.md and claw.json: it requires a single AILOVE_API_KEY and calls only the heerweiyi.cc agent endpoints. This API key is appropriate for the stated purpose. Note: the top-level registry summary you provided earlier said "Required env vars: none", which contradicts the included SKILL.md and claw.json that both declare AILOVE_API_KEY — this appears to be a metadata mismatch, not a functional mismatch.
Instruction Scope
SKILL.md is instruction-only and narrowly scoped: it documents two agent endpoints (GET matching and POST answer), instructs reading the key from env or a single skill-local credentials.json, and warns against sending the key anywhere else. It does instruct the agent to write the credential file into ~/.openclaw/skills-data/zhaoduixiang/credentials.json — this is within the skill's own data directory (expected) but is sensitive because it persists a secret to disk. No instructions reference unrelated system files, other credentials, or third-party endpoints.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only. That minimizes filesystem risk because nothing arbitrary is downloaded or executed by an installer.
Credentials
Only one credential (AILOVE_API_KEY) is declared in claw.json and the SKILL.md. Requesting a single Agent API key is proportionate for a skill that proxies agent actions for that service. The skill explicitly states it will not read/modify platform-global configs and confines credentials to its own skill-data directory.
Persistence & Privilege
The skill does persist the Agent Key to disk (skill data dir) and prefers env-var usage. always is false and there is no attempt to modify other skills or global settings. Because the key grants the agent identity at the service, storing it locally means the agent can act on behalf of the user when the key is present — this is expected but sensitive, so users should manage that key carefully and understand agent-autonomous invocation is allowed by platform defaults.
Assessment
This skill is coherent for its stated matchmaking proxy purpose, but before installing:
1) Verify you trust the domain https://heerweiyi.cc and its privacy/security practices (it's the only allowed API target).
2) Prefer setting AILOVE_API_KEY in your environment or a secure secret store rather than pasting the key in chat.
3) If you do save the key to ~/.openclaw/skills-data/zhaoduixiang/credentials.json, ensure the file permissions are restricted (the SKILL.md's chmod 600 is appropriate).
4) Be aware that with the key present the agent can call the service on your behalf; rotate/revoke the key if you suspect misuse.
5) Note the minor metadata inconsistency: the registry summary you supplied lists no required env vars while the included files require AILOVE_API_KEY. Confirm the requirement shown in your platform UI before proceeding.
