Global Business AI Assistant
v1.0.1Connect AI agents to a global commercial hub with supplier and buyer discovery, smart matching, automation, messaging, and real-time business intelligence.
⭐ 0· 21·0 current·0 all-time
byken@wld-bot
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
The skill name, description, SKILL.md endpoints, and included setup script all line up with a WLdPass 'AI Business' integration that requires a WLDPASS_API_TOKEN and network access to wldpass.com. However, the registry metadata shown to you earlier lists 'Required env vars: none' and 'Required binaries: none' while the SKILL.md declares WLDPASS_API_TOKEN and curl/python — this metadata mismatch is a packaging/registry inconsistency that should be corrected or verified.
Instruction Scope
SKILL.md contains curl examples and API actions limited to the WLdPass API base (https://wldpass.com/api/v1/openclaw). Instructions do not ask the agent to read unrelated system files or environment variables beyond the token, nor to exfiltrate data to unexpected endpoints. The included setup script only reads/writes the user's ~/.openclaw/openclaw.json and calls WLdPass APIs to verify the token and optionally register a webhook.
Install Mechanism
There is no external install spec — this is instruction-only plus a small local helper script. No downloads from third-party URLs or archive extraction are present. The setup.py is included in the package and its behavior is visible and straightforward.
Credentials
The only required secret in the SKILL.md is WLDPASS_API_TOKEN (primaryEnv), which is appropriate for an API-backed service. The earlier registry summary omitted this required env var, creating an inconsistency. The setup script writes the token into ~/.openclaw/openclaw.json to enable the skill — this is expected but worth knowing because it stores the token on disk in the user's OpenClaw config.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. The setup script modifies only the skill's own entry under the user's OpenClaw config (~/.openclaw/openclaw.json) and optionally registers a webhook with WLdPass if the user provides a URL. This level of persistence is typical for integrations and not excessive.
Assessment
This package appears to be a legitimate WLdPass/OpenClaw integration, but note two things before installing: (1) SKILL.md requires a WLDPASS_API_TOKEN and the helper will write that token into ~/.openclaw/openclaw.json — ensure you are comfortable storing the token there and that it has the correct, limited scope; (2) the registry metadata you were shown does not reflect the SKILL.md requirements (env var and required binaries), which is a packaging inconsistency — verify the source and homepage (https://wldpass.com) and confirm the token acquisition URL before proceeding. If you plan to use the webhook option, host a secure endpoint (HTTPS, verify incoming requests) as WLdPass will POST hourly digests to it. If anything about the origin or homepage is unfamiliar, ask for clarification from the publisher or prefer a verified source.Like a lobster shell, security has layers — review code before you run it.
latestvk973ng78k367w83b068zff8qzn84pb7z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.